Skip to content

Instantly share code, notes, and snippets.

@Raphx Raphx/
Last active Aug 15, 2019

What would you like to do?
Arch Linux on MBP Early 2015

Table of Contents

Arch Linux on MBP Early 2015 i5 2.7GHz


For systemd-boot, ensure the file /boot/loader/entries/archlinux.conf has the content:

title Arch Linux
linux /vmlinuz-linux
initrd /intel-ucode.img
initrd /initramfs-linux.img
options root=/dev/sdXx rw

In /boot/loader/loader.conf:

default archlinux



Install bluez and bluez-utils.

Start Bluetooth service:

systemctl start bluetooth.service

Use the utility tool bluetoothctl to pair with Bluetooth devices.

After paired, obexftp can be used to exchange files with the devices.

If Bluetooth is not used, it can be disabled for more power saving. Create a file in /etc/modprobe.d/bluetooth.conf with the content:

blacklist btusb
blacklist bluetooth


Install mbpfan-git.

Edit the configuration /etc/mbpfan.conf with:

low_temp = 55
high_temp = 60

Enable the systemd service:

systemctl enable mbpfan.service


First, change the default sound card in /etc/modprobe.d/alsa-base.conf:

options snd_hda_intel index=1,0

Install utility tool to configure alsa, alsa-utils.

The above two changes require system reboot.

Control the master volume, the value 75% here is an example of volume output:

amixer sset Master 75%

To store the configurations, run once alsactl store.

Alternatively, pulseaudio can be used as the userspace mixer, along with pulseaudio-alsa.

Facetime HD webcam

Install facetimehd-firmware and bcwc-pcie-git from AUR.

Unload bdc_pci:

modprobe -r bdc_pci


To use function keys without pressing the Fn key:

echo "options hid_apple fnmode=2" | sudo tee /etc/modprobe.d/hid-apple.conf

Modify the FILES variable in /etc/mkinitcpio.conf to include the modprobe configuration file:



Install mesa.

For hardware video encoding and decoding, install intel-media-driver, and configure to use iHD driver for VAAPI:


Verify the installation with libva-utils:



Mask lvm2-monitor.service if LVM is not used.


Install cups and start org.cups.cupsd.service.

Install the necessary drivers for the printer, e.g. hplip for HP printers.

Add a queue for the printer.

lpadmin -p <queue_name> -E -v <uri> -m <model>

<queue_name> can be anything, serves as a label for the printer.

<uri> can be retrieved via sudo lpinfo -v.

<model> can be retrieved via lpinfo -m. This should match the printer's brand and product series.

Print the file with lpr -P <queue_name> <file>.

Android device

Install android-tools and android-udev, add current user to the group plugdev, then relog.



Create chains for tcp and udp:

iptables -N TCP
iptables -N UDP

Configure default chain:

iptables -P FORWARD DROP
iptables -P INPUT DROP

Add rules:

iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A INPUT -j REJECT --reject icmp-port-unreachable

Enable systemd iptables service:

systemctl enable iptables.service


DNS can be configured manually, or using systemd-resolved.

For manual, add public DNS resolvers to /etc/resolv.conf:

# Cloudflare
# Quad9
# Google

Also prevent programs from dynamically updating the file:

chattr +i /etc/resolv.conf

chattr's change can be verified using the lsattr command.

Alternatively using systemd-resolved, first enable the service:

systemctl enable systemd-resolved.service

Symlink systemd-resolved's resolv.conf:

ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf

Then install systemd-resolvconf to replace openresolv.

The file /etc/hosts can be trimmed by removing static configurations for localhost, since systemd-resolved handles localhost lookup natively. Note that this setup uses the nameservers from the gateway for domain name queries, hence nameserver configurations should be setup up appropriately at the gateway.

By default, systemd-resolved uses DNSSEC, hence there might be a noticeable increase in DNS lookup time. To disable DNSSEC, create /etc/systemd/resolved.conf.d/dnssec.conf with the content:


Then restart systemd-resolved service.

Time synchronization

Enable systemd-timesyncd:

timedatectl set-ntp true

Wireless regulatory

Install crda. For Malaysia country, uncomment WIRELESS_REGDOM=MY in /etc/conf.d/wireless-regdom. Reboot after the change.

Network management

Using netctl, for wireless networking, save this profile to /etc/netctl/a_wpa_profile:

Description='A wpa psk profile'
    'ssid="ssid goes here"'
    'psk=psk goes here'

The PSK for WPAConfigSection can be retrieved from the command:

wpa_passphrase <ssid> <passphrase>

Once the profile is ready, establish the connection:

netctl start a_wpa_profile

Using netctl, for wired networking, in /etc/netctl/eth:

Description='Wired network'

Using systemd-networkd, for wireless, prepare the network file in /etc/systemd/network/



Enable the service:

systemctl enable systemd-networkd.service

Configure wpa_supplicant in a configuration file, /etc/wpa_supplicant/wpa_supplicant-wlp3s0.conf:

ctrl_interface=DIR=/run/wpa_supplicant GROUP=network




Add current user to the network group, so that the user can invoke wpa_cli without root privilege:

usermod -G network <user>

Enable the wpa_supplicant service:

systemctl enable wpa_supplicant@wlp3s0.service

Account management

Add the current user to sudo. Edit sudoer file using visudo, with the following content:

username ALL=(ALL) ALL

username is to be substituted.

Make sudo always prompt for password. Run visudo -f /etc/sudoers.d/10-timestamp-timeout, then add:

Defaults:username timestamp_timeout=0

username is also to be substituted here.

With current user added to sudo, consider disabling root account login:

passwd -l root

Log management

journald can be configured to use only volatile storage. Create a file in /etc/systemd/journald.conf.d/storage.conf with the content:


Vacuum to clear old logs, example:

journalctl --vacuum-time=1d

Package management

Use HTTPS mirror to download packages from Arch repositories. The list can be found at Install the package pacman-contrib, and use rankmirrors command to select the best mirror by download speed.

Add a hook to update systemd-boot boot manager whenever systemd is upgraded. In the file /etc/pacman.d/hooks/100-systemd-boot.hook, add the following:

Type = Package
Operation = Upgrade
Target = systemd

Description = Updating systemd-boot...
When = PostTransaction
Exec = /usr/bin/bootctl update

Power management

Install tlp.

Enable tlp.service and tlp-sleep.service.

Mask system-rfkill.service and system-rfkill.socket.



Optionally disable recent file history for more privacy:

cd $HOME/.local/share
echo > recently-used.xbel
chattr +i recently-used.xbel


Install noto-fonts and noto-fonts-cjk.

Input method framework

Install fcitx, fcitx-configtool, and fcitx-gtk3. Configure input method by executing:


Add a new input method. For Chinese, choose Pinyin. To switch between traditional and simplified Chinese, use the hotkey Ctrl-Shift-f while in Pinyin input mode.


In /etc/ssh/sshd_config:

  • Change the default port of SSH server

  • Set PermitRootLogin to no

  • Set PasswordAuthentication to no

GUI shell


Install X server and initialization software, xorg-server and xorg-init. Then, use i3 as a minimal window manager.

Configure display to use Intel DDX driver, add in /etc/X11/xorg.conf.d/20-intel.conf:

Section "Device"
  Identifier "Intel Graphics"
  Driver "Intel"
  Option "TearFree" "true" 

Alternatively, without installing and configuring X server to use Intel DDX driver, it will fallback to use KMS, which is recommended for lower output latency, since Intel DDX with TearFree increases the latency and memory usage. However, using KMS introduces screen tearing. Installing a compositor, like compton resolves this.

For touchpad configuration, add in /etc/X11/xorg.conf.d/30-touchpad.conf:

Section "InputClass"
  Identifier "bcm5974"
  Driver "libinput"
  MatchIsTouchpad "on"
  Option "Tapping" "on"
  Option "Natural Scrolling" "on"

For keyboard, add in /etc/X11/xorg.conf.d/31-keyboard.conf:

Section "InputClass"
  Identifier "Apple Inc. Apple Internal Keyboard / Trackpad"
  MatchIsKeyboard "on"
  Option "XkbOptions" "caps:escape"

For proper DPI setting, add in /etc/X11/xorg.conf.d/90-monitor.conf:

Section "Monitor"
  Identifier "<default monitor>"
  DisplaySize 286 179

Adjust typematic delay and rate by starting Xserver with additional argument, in $HOME/.xserverrc:

exec /usr/bin/X -nolisten tcp -ardelay 200 -arinterval 33 "$@"


Install sway and optionally xorg-server-xwayland for compatibility with X programs. With XWayland, the Xresources file has to be renamed to Xdefaults to be used.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.