Arch Linux
Post-Install configuration suggestions
Contents
pacman & mirrors
AUR helper
Networking
Users & sudo
Audio
GPU drivers
Display server
Fonts
Security hardening
System maintenance
01 pacman & mirrors
Rank mirrors by speed before doing anything else. Stale or slow mirrors are the most common cause of slow installs.
# Install reflector
pacman -S reflector
# Take the 20 most recently synced HTTPS mirrors and sort them by download rate
reflector --latest 20 --sort rate --protocol https \
--save /etc/pacman.d/mirrorlist
Enable useful pacman.conf options:
# /etc/pacman.conf
Color
ParallelDownloads = 5
VerbosePkgLists
Enable multilib for 32-bit support (required for Steam, Wine):
# Uncomment in /etc/pacman.conf:
[multilib]
Include = /etc/pacman.d/mirrorlist
pacman -Syu
02 AUR helper
paru is the current recommended helper. It wraps pacman syntax and supports split packages and .SRCINFO review.
pacman -S --needed git base-devel
git clone https://aur.archlinux.org/paru.git /tmp/paru
cd /tmp/paru && makepkg -si
Never build AUR packages as root. Use a regular user with sudo.
Configure paru to skip the review prompt if you already review diffs yourself. SkipReview turns the review step off for every build, not only for diffs you have seen:
# /etc/paru.conf
SkipReview
BottomUp
03 Networking
NetworkManager (recommended)
pacman -S networkmanager
systemctl enable --now NetworkManager
For Wi-Fi, install iwd as the NetworkManager backend for better WPA3 support:
pacman -S iwd
# /etc/NetworkManager/conf.d/wifi_backend.conf
[device]
wifi.backend=iwd
DNS
Use systemd-resolved with stub resolver:
systemctl enable --now systemd-resolved
ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
Set encrypted DNS in /etc/systemd/resolved.conf:
DNS=1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net
DNSOverTLS=yes
DNSSEC=yes
Firewall
pacman -S nftables
systemctl enable --now nftables
The default ruleset in /etc/nftables.conf blocks all unsolicited inbound traffic. Review it before enabling on a server.
04 Users & sudo
pacman -S sudo
useradd -m -G wheel -s /bin/bash <username>
passwd <username>
Uncomment the wheel line in visudo:
EDITOR=nvim visudo
# Uncomment:
%wheel ALL=(ALL:ALL) ALL
Prefer %wheel ALL=(ALL:ALL) ALL over NOPASSWD unless you have a specific automation need.
Shell
Shell | Package | Notes
bash | (base) | Default; pair with bash-completion
zsh | zsh | Better completion; use zsh-autosuggestions, zsh-syntax-highlighting
fish | fish | Out-of-box UX; non-POSIX
chsh -s /usr/bin/zsh <username>
05 Audio
PipeWire replaces both ALSA userspace and PulseAudio. Install the full stack:
pacman -S pipewire pipewire-alsa pipewire-pulse pipewire-jack wireplumber
systemctl --user enable --now pipewire pipewire-pulse wireplumber
Do not install pulseaudio. It conflicts with pipewire-pulse.
Verify:
pactl info | grep "Server Name"
# Should output: PulseAudio (on PipeWire ...)
Bluetooth audio:
pacman -S bluez bluez-utils
systemctl enable --now bluetooth
# pipewire-pulse handles A2DP automatically via wireplumber
06 GPU drivers
Vendor | Packages | Notes
Intel (iGPU) | mesa intel-media-driver | Xe / Arc: add linux-firmware
AMD (RDNA+) | mesa vulkan-radeon libva-mesa-driver | GCN < 4: use xf86-video-amdgpu
NVIDIA (proprietary) | nvidia nvidia-utils nvidia-settings | Pair with kernel: linux or linux-lts
NVIDIA (open) | nvidia-open | Turing (RTX 20xx) and newer only
For NVIDIA, load the driver modules early, enable DRM modesetting, and regenerate the initramfs:
# /etc/mkinitcpio.conf — add to MODULES:
MODULES=(nvidia nvidia_modeset nvidia_uvm nvidia_drm)
# /etc/modprobe.d/nvidia.conf
options nvidia_drm modeset=1 fbdev=1
mkinitcpio -P
Do not use xf86-video-nouveau alongside the proprietary driver.
Vulkan support (all vendors):
pacman -S vulkan-icd-loader lib32-vulkan-icd-loader
07 Display server
Wayland (recommended)
Most compositors ship their own Wayland support. Sway (tiling), Hyprland (tiling + animations), GNOME, KDE Plasma all run Wayland natively.
# Sway example
pacman -S sway swaybg swaylock swayidle waybar foot xdg-user-dirs
# Screen sharing / portals
pacman -S xdg-desktop-portal xdg-desktop-portal-wlr
X11 fallback
pacman -S xorg-server xorg-xinit xorg-xrandr
For NVIDIA on Wayland, set GBM_BACKEND=nvidia-drm and __GLX_VENDOR_LIBRARY_NAME=nvidia in your session environment.
Display manager (optional)
DM | Package | Backend
greetd + tuigreet | greetd greetd-tuigreet | Both
SDDM | sddm | Both (Qt)
GDM | gdm | Wayland-first
08 Fonts
Arch ships no fonts beyond the TTY bitmap. Install at minimum:
pacman -S \
noto-fonts noto-fonts-cjk noto-fonts-emoji \
ttf-liberation ttf-dejavu \
ttf-jetbrains-mono-nerd # terminal / coding
Enable subpixel rendering and hinting:
# /etc/fonts/local.conf (create if absent)
<?xml version="1.0"?>
<!DOCTYPE fontconfig SYSTEM "urn:fontconfig:fonts.dtd">
<fontconfig>
<match target="font">
<edit name="antialias" mode="assign"><bool>true</bool></edit>
<edit name="hinting" mode="assign"><bool>true</bool></edit>
<edit name="hintstyle" mode="assign"><const>hintfull</const></edit>
<edit name="rgba" mode="assign"><const>rgb</const></edit>
<edit name="lcdfilter" mode="assign"><const>lcddefault</const></edit>
</match>
</fontconfig>
fc-cache -fv
09 Security hardening
Kernel parameters
# /etc/sysctl.d/99-hardening.conf
kernel.dmesg_restrict = 1
kernel.kptr_restrict = 2
net.core.bpf_jit_harden = 2
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
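# Set to 0 only if this host does not rely on IPv6 router advertisements
# (sysctl.d comments must sit on their own line, not after a value)
net.ipv6.conf.all.accept_ra = 0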
vm.mmap_rnd_bits = 32
sysctl --system
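To confirm the drop-in took effect after sysctl --system, this added example (not part of the original page) compares each key in the file with the live value under /proc/sys and flags lines that sysctl.d(5) would not read as intended. The function name audit_sysctl and its optional second argument (an alternate root directory for testing) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page: compare a sysctl.d drop-in
# with the values the kernel currently reports.
# Usage: audit_sysctl FILE [PROC_ROOT]
# PROC_ROOT (default /proc/sys) is a parameter of this example only, so the
# check can also be run against a constructed directory tree.
audit_sysctl() {
    conf=$1 root=${2:-/proc/sys} rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip leading whitespace, then skip blanks and full-line comments.
        line=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*//')
        case $line in ''|'#'*|';'*) continue ;; esac
        case $line in
            *=*) ;;
            *) echo "MALFORMED  $line"; rc=1; continue ;;
        esac
        key=$(printf '%s\n' "${line%%=*}" | tr -d '[:space:]')
        want=$(printf '%s\n' "${line#*=}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        # sysctl.d(5) only recognises full-line comments; a trailing "# ..."
        # would be handed to the kernel as part of the value.
        case $want in
            *'#'*) echo "MALFORMED  $key: trailing comment in value"; rc=1; continue ;;
        esac
        path=$root/$(printf '%s\n' "$key" | tr . /)
        if [ ! -r "$path" ]; then
            echo "MISSING    $key"; rc=1; continue
        fi
        # Collapse tabs/newlines so multi-field values compare cleanly.
        have=$(tr -s '[:space:]' ' ' < "$path" | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK         $key = $have"
        else
            echo "DIFFERS    $key: live=$have file=$want"; rc=1
        fi
    done < "$conf"
    return "$rc"
}

# On a live system: audit_sysctl /etc/sysctl.d/99-hardening.conf
```

A non-zero return means at least one key is missing, differs from the file, or is written in a form the loader does not treat as a plain value.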
PAM / faillock
# /etc/security/faillock.conf
deny = 5
unlock_time = 300
fail_interval = 900
SSH (if exposed)
# /etc/ssh/sshd_config.d/hardening.conf
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
AllowUsers <username>
LoginGraceTime 20
MaxAuthTries 3
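sshd keeps the first value it reads for each keyword, so a setting elsewhere in the configuration can shadow this drop-in. The added example below (not part of the original page) checks the effective values printed by sshd -T against the ones listed above; the function name check_sshd_effective is an assumption of this example, and AllowUsers is left out because its value is site-specific.

```shell
#!/bin/sh
# Added example, not from the original page: verify that the hardening
# drop-in's values are the ones sshd actually uses.
# Reads `sshd -T` output on stdin; expected values are those from this page.
check_sshd_effective() {
    dump=$(cat)
    rc=0
    while read -r key want; do
        # sshd -T prints one lower-case "keyword value" pair per line.
        have=$(printf '%s\n' "$dump" |
            awk -v k="$key" '$1 == k { $1 = ""; sub(/^ /, ""); print; exit }')
        if [ "$have" = "$want" ]; then
            echo "OK    $key $have"
        else
            echo "FAIL  $key: effective='${have:-<unset>}' expected='$want'"
            rc=1
        fi
    done <<'EOF'
permitrootlogin no
passwordauthentication no
authenticationmethods publickey
logingracetime 20
maxauthtries 3
EOF
    return "$rc"
}

# On a live system (as root): sshd -T | check_sshd_effective
```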
AppArmor (optional)
pacman -S apparmor
# Add to kernel cmdline (bootloader config):
apparmor=1 security=apparmor
systemctl enable --now apparmor
AppArmor on Arch requires manual profile management. CLIP OS profiles from apparmor-profiles-extra (AUR) provide a reasonable baseline.
10 System maintenance
Pacman cache cleanup
pacman -S pacman-contrib
# Remove all but the 2 most recent versions of each package
paccache -rk2
# Automate weekly
systemctl enable paccache.timer
Failed units
systemctl --failed
journalctl -p 3 -b # errors from current boot
Orphaned packages
pacman -Qtdq | pacman -Rns - # remove orphans
Reflector timer
# /etc/xdg/reflector/reflector.conf
--latest 20
--sort rate
--protocol https
--save /etc/pacman.d/mirrorlist
systemctl enable reflector.timer
mkinitcpio hooks order
Common correct order for encrypted root with systemd:
HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole block sd-encrypt filesystems fsck)
Run mkinitcpio -P any time you modify /etc/mkinitcpio.conf or install a new kernel.
Microcode
# Intel
pacman -S intel-ucode
# AMD
pacman -S amd-ucode
# Both are loaded automatically if the microcode hook is in HOOKS.
# On GRUB, run: grub-mkconfig -o /boot/grub/grub.cfg
Useful diagnostic packages
btop — resource monitor
lsof — open files / sockets
strace — syscall tracing
perf — CPU profiling (linux-tools)
smartmontools — disk health
nvme-cli — NVMe diagnostics
dmidecode — hardware info from DMI