@jungaretti
Last active May 7, 2023 20:13
Basic config for a secure Arch Linux server on Linode
# Start by creating a new Linode
# https://cloud.linode.com/linodes/create
# Update all packages and install important packages
pacman -Syu ntp sudo ufw
# Configure ntp
systemctl enable ntpd.service
timedatectl set-ntp 1
# Set hostname
HOSTNAME='galileo'
echo "$HOSTNAME" >/etc/hostname
hostname -F /etc/hostname
# Edit /etc/locale.gen if not using en_US.UTF-8
locale-gen
# Create new user with superpowers
USERNAME='jungaretti'
USERPASS='nicetry!'
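useradd -m -G wheel "$USERNAME"
echo "$USERNAME:$USERPASS" | chpasswd
# Uncomment the wheel rule; matches both the (ALL) and (ALL:ALL) forms of the stock line
sed -i 's/^# *\(%wheel ALL=(ALL\(:ALL\)\?) ALL\)/\1/' /etc/sudoers
# Check the syntax of the edited sudoers file
visudo -c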
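# Force SSH2 protocol (no effect on current OpenSSH releases, which support only protocol 2)
sed -i 's/^[# ]*Protocol \([0-9],\?\)\+/Protocol 2/' /etc/ssh/sshd_config
# Disable root login (match any current value, including the stock prohibit-password)
sed -i 's/^[# ]*PermitRootLogin [a-z-]\+/PermitRootLogin no/' /etc/ssh/sshd_config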
# Allow user login
echo "AllowUsers $USERNAME" >>/etc/ssh/sshd_config
USERPUBKEY=''
if [ -n "$USERPUBKEY" ]; then
# Add authorized key
sed -i 's/^[# ]*PubkeyAuthentication \(yes\|no\)/PubkeyAuthentication yes/' /etc/ssh/sshd_config
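mkdir -p "/home/$USERNAME/.ssh"
echo "$USERPUBKEY" >>"/home/$USERNAME/.ssh/authorized_keys"
# Give the user ownership and restrict the key directory and file to the owner
chown -R "$USERNAME:" "/home/$USERNAME/.ssh"
chmod 700 "/home/$USERNAME/.ssh"
chmod 600 "/home/$USERNAME/.ssh/authorized_keys"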
# Disable password authentication
sed -i 's/^[# ]*PasswordAuthentication \(yes\|no\)/PasswordAuthentication no/' /etc/ssh/sshd_config
fi
# Validate the edited config first so a broken file cannot lock you out
sshd -t && systemctl restart sshd
# Reboot the server
reboot
# Configure firewall (from user account)
sudo systemctl enable ufw.service
sudo ufw default deny
sudo ufw allow ssh
sudo ufw enable
sudo ufw status