Chapter 1: Introduction, Philosophy and Preparation of the Environment
Welcome to "The Great Book of Arch Linux." This manual is not just a tutorial for installing an operating system and then forgetting about it; it is an architectural journey. Arch Linux is not a finished product: it is a set of tools (a toolkit) designed to build your own custom operating system. If you are here, you are probably tired of distributions that make decisions for you, that install dozens of background services you never use, and that hide the internal gears under heavy graphical interfaces.
In this founding chapter we will explore the history of Arch, the unwavering philosophical pillars that dictate its development, the real implications of the Rolling Release model in production environments, and how to prepare your installation medium using industry best practices.
1.1 History and Birth of an Idea
Arch Linux was conceived in March 2002 by Judd Vinet, a Canadian programmer and musician. Vinet was deeply inspired by a minimalist distribution called CRUX. Although he appreciated the elegance and the build-from-source approach of CRUX (and of Gentoo), Vinet wanted something more pragmatic: a system that kept that structural purity but used pre-compiled binary packages, sparing the user the many hours of compilation that Gentoo requires.
That is how pacman (Package Manager) was born, originally written in C by Vinet himself. The goal was simple: to track dependencies with surgical precision and install prepackaged binaries incredibly quickly. In 2007, Aaron Griffin took over as project leader, followed later by Levente Polyak. Today, Arch Linux is a massive community-supported project, but it still keeps the original vision intact.
1.2 Philosophy: The Arch Way
In the Arch Linux ecosystem, documentation is not a suggestion, it is the law. The whole project is governed by a set of principles known informally as The Arch Way. Understanding them will spare you many frustrations.
1.2.1 Simplicity (KISS - Keep It Simple, Stupid)
In the context of Arch, "simplicity" does not mean "easy enough for your grandmother to use." It does not mean there are big graphical wizards that do the work for you; in fact, for Arch, those wizards add complexity. Simplicity is defined from a technical, internal point of view: a simple system is one with as few modifications as possible to the original (vanilla) code. Arch Linux delivers software as its original (upstream) developers designed it. There are no massive Arch-specific patches, no hidden configurations, and the startup scripts perform no "magic." If you want a daemon to run, you have to type the command that enables it. The simplicity of Arch lies in the fact that you know exactly what your system is doing, because you built it.
1.2.2 Modernity (Bleeding Edge)
Arch Linux strives to ship the latest stable versions of software. As soon as the developers of the Linux kernel or the KDE Plasma desktop release a new version and it has been compiled, it lands in the repositories within hours or days. This gives you immediate support for the newest hardware on the market and the latest technologies (such as PipeWire or Wayland). The inherent disadvantage is that you are on the "bleeding edge": if there is a bug in newly released upstream code, you will be among the first in the world to experience it.
1.2.3 Pragmatism
While the GNU project and distributions like Trisquel hold a strict moral stance that forbids any non-open-source software, Arch is deeply pragmatic. Although it prefers free software for technical and ethical reasons, it will not hesitate to provide proprietary drivers (such as those for NVIDIA graphics cards) or closed binary firmware if that is what the user's hardware needs to work properly. Decisions are made on the basis of technical consensus and practical usability, not political dogma.
1.2.4 User-centred (User-Centric vs User-Friendly)
Distributions like Ubuntu or Linux Mint are User-Friendly: they try to anticipate the user's needs, autoconfigure printers, automatically mount USB disks and install office suites by default. Arch Linux is User-Centric (user-focused): it fully trusts its user's intelligence and technical ability. It assumes you are willing to read the manual, investigate problems and take full control. Arch does not tell you which desktop to use; it just hands you the Lego pieces for you to build with. You are the architect.
1.3 The Rolling Release model vs. Fixed Release
Understanding the life cycle of your operating system is crucial for its maintenance. The software industry mainly uses two models for the distribution of updates.
1.3.1 The Fixed Release Model
Used by Debian, Ubuntu, Fedora and Windows.
- Operation: Every X months or years, a version (e.g. Ubuntu 22.04) is released. During the life cycle of that version, the main software (kernel, desktop environment, base libraries) is frozen. If Firefox launches a new feature, Ubuntu does not give it to you immediately; you only receive security patches for the old version that shipped with the system.
- Advantages: Extreme stability. Since nothing changes, things do not break unexpectedly. Ideal for bank-grade or aerospace-grade critical servers.
- Disadvantages: The software becomes obsolete quickly. To get new features you have to perform a massive "version upgrade" (e.g. moving to Ubuntu 24.04), which often means that gigabytes of dependencies change at once, with a high risk of breaking the system.
1.3.2 The Rolling Release Model
Used by Arch Linux, Gentoo and openSUSE Tumbleweed.
- Operation: There are no versions like "Arch Linux 2024." Arch Linux is a constant flow of updates. You install the system once. From that moment on, you run your package manager regularly, and each individual package is updated to its latest version.
- Advantages: You have a modern system forever ("install once, update forever"). Performance improves with new kernel versions. You get fixes for security vulnerabilities (zero-days) instantly.
- Disadvantages: It requires active maintenance. You cannot leave a machine running Arch switched off for 8 months, turn it on and launch an update; the accumulated changes in C or Python libraries will collide and the system will require manual intervention. In addition, the responsibility for testing that an update does not break a very specific workflow rests with the user.
1.4 Comparative: Where does Arch fit into the Ecosystem?
- Versus Ubuntu / Pop!_OS: These distributions are excellent for newcomers or developers who want a ready environment in 10 minutes. However, their intensive use of Snap packages and PPAs (Personal Package Archives) often creates broken systems ("Franken-Debians"). Arch eliminates PPAs and unifies everything under the AUR.
- Versus Debian: Debian is the immovable rock of stability. It is unbeatable for servers where uptime is measured in years. Arch is the opposite: it is alive, it moves fast, and it is ideal for developer workstations, gaming and agile web servers.
- Versus Fedora: Fedora is the middle ground. It has very new software, but it follows a 6-month Fixed Release model backed by Red Hat. Arch beats Fedora in the sheer size of its community repository (the AUR) and in the lightness of its base installation (Fedora tends to preinstall many corporate services such as SELinux or a default firewall).
- Versus Gentoo: In Gentoo you compile everything from source code for your specific processor, and the installation takes days. Arch gives you pre-compiled binary packages, offering 99% of Gentoo's customization in a fraction of the installation time.
1.5 The Arch Wiki: The Penguin's Oracle
The importance of the Arch Wiki (wiki.archlinux.org) cannot be overstated. It is, by unanimous consensus in the computing community, the most comprehensive, best maintained and most technically accurate documentation of GNU / Linux systems. Users of almost every other distribution end up on the Arch Wiki when they search Google for how to solve a network problem, compile a kernel or configure Bluetooth.
Golden Rules of the Arch User:
- If you have a problem or want to install something new, search the Wiki first.
- If the Wiki refers you to a man page, read it (man nombredelcomando).
- Only if the Wiki and the manual do not resolve your doubt do you go to the forums or Reddit. The community expects you to do your homework before asking; the phrase "Read The F*cking Manual" (RTFM) is not an insult in Arch, it is a reminder of the philosophy.
1.6 Preparation of the Installation Environment (Live USB)
To begin our journey, we need to download and prepare the installation medium. The Arch Linux ISO is a fully functional, compressed Linux system that runs from RAM.
1.6.1 Download and Cryptographic Verification
Go to the official download page: https://archlinux.org/download/. It is strongly recommended to use BitTorrent or the Magnet link. This not only relieves the load on the project's servers, but the BitTorrent protocol also automatically verifies the integrity of the downloaded pieces via SHA-1 hashes.
If you use a direct download (HTTP), you must verify the integrity and authenticity of the ISO file. A corrupt file will cause unexplained failures during installation. Worse still, an attacker could have injected malware into the ISO (a supply chain attack).
To verify, download the ISO and the PGP signature file (ending in .sig) into the same folder. On an existing Linux or macOS machine, run:
# Fetch the public key of the Arch developer (Pierre Schmitz) automatically and verify the signature
gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
The output should read "Good signature from ...". If it says "BAD signature," the file is corrupt or compromised. Discard it immediately.
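Reading "Good signature" off the human-readable output is fragile in scripts; gpg also emits machine-readable status lines (--status-fd). The following is an added example, not the book's own procedure, that decides on those lines and pins the signer's fingerprint. It assumes GnuPG is installed, that the ISO and its .sig sit in the current directory, and that you replace the placeholder fingerprint with the one published on the official download page linked above.

```shell
#!/bin/sh
# Added example (not from the book): verify an Arch ISO signature using gpg's
# machine-readable status lines instead of grepping the human-readable text.

# Return 0 only when the status stream carries GOODSIG and VALIDSIG and no
# line that downgrades the verdict (bad, erroneous, expired or revoked signatures,
# or a signing key gpg could not fetch).
check_gpg_status() {
    status="$1"
    if printf '%s\n' "$status" | grep -Eq '^\[GNUPG:\] (BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG|NO_PUBKEY)'; then
        return 1
    fi
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] GOODSIG' || return 1
    printf '%s\n' "$status" | grep -q '^\[GNUPG:\] VALIDSIG' || return 1
    return 0
}

# The VALIDSIG line carries the full fingerprint of the signing key as its
# third field; that is the value worth pinning, not the key's user id text.
signer_fingerprint() {
    printf '%s\n' "$1" | awk '/^\[GNUPG:\] VALIDSIG/ { print $3; exit }'
}

# Verify "$1.sig" against "$1" and require the signer fingerprint "$2".
verify_iso() {
    iso="$1"
    expected_fpr="$2"
    # Status lines go to stdout (fd 1); the human-readable report on stderr is dropped.
    status=$(gpg --status-fd 1 --keyserver-options auto-key-retrieve --verify "$iso.sig" "$iso" 2>/dev/null)
    check_gpg_status "$status" || { echo "BAD: signature check failed for $iso" >&2; return 1; }
    fpr=$(signer_fingerprint "$status")
    [ "$fpr" = "$expected_fpr" ] || { echo "BAD: $iso signed by unexpected key $fpr" >&2; return 1; }
    echo "OK: $iso signed by $fpr"
}

# Usage (ISO name and fingerprint are placeholders; take the real fingerprint
# from https://archlinux.org/download/):
# verify_iso archlinux-version-x86_64.iso "<FINGERPRINT-FROM-DOWNLOAD-PAGE>"
```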
1.6.2 Creating the Bootable USB (Low-level Flashing)
Tools that simply extract the ISO contents onto a FAT32-formatted USB will not work with Arch, because the Arch ISO is a hybrid image (it contains boot sectors for UEFI and BIOS simultaneously). We have to do a bit-for-bit copy.
Method 1: From Linux systems (the dd tool)
The dd command (Data Duplicator, jokingly known as Disk Destroyer) is the most powerful and most dangerous way to write images. A mistake in the disk letter will irrevocably erase your current system.
- Find out the path of your connected USB using lsblk. Suppose it is /dev/sdb or /dev/sdc (NEVER use a partition number like sdb1; use the whole device, sdb).
- Make sure it is not mounted:
sudo umount /dev/sdb*
- Write the image:
sudo dd if=archlinux-2024.xx.xx-x86_64.iso of=/dev/sdb bs=4M status=progress oflag=sync
Flag by flag: if is the input file (your ISO); of is the output file (your raw USB device); bs=4M writes in 4-megabyte blocks for higher speed; status=progress shows a progress bar; oflag=sync ensures that all data in the cache is physically written to the USB before the command finishes.
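Because a wrong of= target is unrecoverable, it is worth putting a guard in front of dd. The following is an added example (not from the book) that refuses to flash anything that is not a whole, removable, unmounted disk of plausible USB size, using the sysfs attributes the kernel exposes under /sys/block. The sysfs root and mount table are parameters so the checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the book: a safety gate in front of the dd command.
# Assumes Linux sysfs layout (/sys/block/<disk>/removable and /size, the latter
# in 512-byte sectors) and a /proc/mounts-style mount table.

# Size of a whole block device in bytes, read from sysfs relative to a root.
device_size_bytes() {
    sys_root="$1"; dev="$2"
    sectors=$(cat "$sys_root/block/$dev/size") || return 1
    echo $((sectors * 512))
}

# Return 0 only when $2 is a whole disk (partitions have no /sys/block entry of
# their own), flagged removable, absent from the mount table $3, and no larger
# than $4 GiB (a bound that rules out internal drives).
is_safe_target() {
    sys_root="$1"; dev="$2"; mounts="$3"; max_gib="$4"
    [ -d "$sys_root/block/$dev" ] \
        || { echo "refusing: $dev is not a whole block device" >&2; return 1; }
    [ "$(cat "$sys_root/block/$dev/removable")" = "1" ] \
        || { echo "refusing: $dev is not flagged removable" >&2; return 1; }
    if grep -q "^/dev/$dev" "$mounts"; then
        echo "refusing: $dev (or a partition on it) is mounted" >&2; return 1
    fi
    size=$(device_size_bytes "$sys_root" "$dev") || return 1
    [ "$size" -le $((max_gib * 1024 * 1024 * 1024)) ] \
        || { echo "refusing: $dev is larger than ${max_gib}GiB" >&2; return 1; }
    return 0
}

# Only reached after the gate passes; the dd invocation is the chapter's own.
flash_iso() {
    iso="$1"; dev="$2"
    [ -f "$iso" ] || { echo "refusing: $iso is not a file" >&2; return 1; }
    is_safe_target /sys "$dev" /proc/mounts 256 || return 1
    sudo dd if="$iso" of="/dev/$dev" bs=4M status=progress oflag=sync
}

# Usage: flash_iso archlinux-2024.xx.xx-x86_64.iso sdb   (device name without /dev/)
```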
Method 2: From Windows systems
For users coming from Windows, Rufus or BalenaEtcher is recommended.
- In Rufus, select your USB stick.
- Select the Arch Linux ISO file.
- When you click "Start," Rufus will show a warning about the "ISOHybrid" format. It is mandatory that you select the option "Write in DD Image mode." If you select ISO mode, the USB will not boot.
Method 3: Ventoy (the professionals' standard)
If you frequently work with multiple operating systems, Ventoy is a revelation. Install Ventoy on your USB only once, and it creates a data partition. From that moment on, you just copy all your .iso files (Arch, Windows, Ubuntu, rescue tools) onto that partition. When you boot from the USB, Ventoy shows a menu that lets you choose which ISO to boot. Arch Linux supports booting via Ventoy natively.
1.6.3 Motherboard Configuration (UEFI)
Before inserting your USB, you must prepare the target machine:
- Turn on the computer and repeatedly press the firmware key (usually F2, F12, Supr / Del, or Esc).
- Disable Secure Boot. Arch Linux, unlike Fedora or Ubuntu, does not buy cryptographic keys from Microsoft to sign its default boot loader. If Secure Boot is active, the motherboard will refuse to load the Arch USB. (In advanced chapters you will learn to sign your own kernel and re-enable it.)
- Disable Windows Fast Boot if you dual-boot. Fast Boot does not really shut Windows down; it hibernates it, leaving the hard drives locked and inaccessible (read-only) for Linux.
- Make sure the SATA storage controller mode is AHCI and not RAID / RST (Intel Rapid Storage Technology). The Linux kernel needs to see the raw disks through AHCI.
- Put the USB at the top of the boot priority.
Save the changes, reboot, and you will be ready to reach the prompt of the black terminal. If you have come this far, you have the necessary theoretical knowledge; Chapter 2 awaits you, where you get your hands dirty with physical partitioning.
Chapter 2: Basic Installation - Foundations and Systems Architecture
The installation of Arch Linux is often seen by newcomers as an insurmountable obstacle, an archaic rite of passage. However, for the systems professional or the developer, it is a master class in how a GNU / Linux operating system is built from its foundations. Unlike automated installers such as Calamares or Anaconda, which abstract away complexity and make architectural decisions for you, the "Arch Way" process requires you to understand each component of the technology stack, from the motherboard firmware to the package manager.
In this extensive chapter you will learn not only the commands needed to install the system, but also the theory and the why behind each of them. At the end, you will be able not just to install Arch, but to rescue fallen Linux servers, design secure storage architectures and understand the boot process at an enterprise level.
2.1 The Live Environment and the Initial Boot Process
When you insert your USB installation medium and turn on the computer, you enter a critical phase controlled by your motherboard's firmware. There are two main firmware paradigms in modern computing, and understanding the difference is vital, as it will dictate how we partition our disks later.
2.1.1 BIOS Legacy vs. UEFI
BIOS (Basic Input / Output System) and MBR
The BIOS is the firmware standard introduced in the 1980s. When a BIOS system starts, it runs a hardware check (POST) and then looks for the MBR (Master Boot Record), a tiny 512-byte space at the beginning of your hard drive. In this very small space the boot loader (such as GRUB) must house its first-stage code. The limitations of BIOS and MBR are severe by modern standards:
- It only supports disks of up to 2 Terabytes.
- It only allows 4 primary partitions (requiring "extended" and "logical" partitions to overcome it).
- The start is sequential and often slow.
UEFI (Unified Extensible Firmware Interface) and GPT
Introduced massively from 2012 onward, UEFI is a mini operating system in its own right. Instead of looking for code in a small 512-byte sector, UEFI looks for a specific partition on the disk formatted as FAT32, known as the EFI System Partition (ESP). Inside this partition, UEFI reads executable files (with the .efi extension). The partition scheme that accompanies UEFI is GPT (GUID Partition Table), which:
- Supports disks up to 9.4 Zettabytes.
- Allows up to 128 partitions by default on Windows / Linux.
- Stores a backup of the partition table at the end of the disk for redundancy in case of corruption.
Identifying the environment in Arch Linux: When you boot the Arch USB, you reach a terminal (tty1) logged in as root with a Zsh prompt. The first step as an administrator is to confirm how the firmware booted. Arch Linux mounts the virtual EFI variables at /sys/firmware/efi/efivars. Run:
ls /sys/firmware/efi/efivars
- If the directory exists and shows hundreds of files, your system booted in UEFI mode. You must use GPT partitioning. This guide focuses on UEFI as the absolute standard.
- If you get an error (No such file or directory), you are in BIOS / Legacy mode. (If your machine is modern but booted in BIOS mode, it is recommended to reboot, enter the motherboard configuration and force "UEFI only" mode or disable "CSM / Compatibility Support Module".)
2.1.2 The Zsh Environment of Archiso
The system you are in is ephemeral. It runs entirely in your computer's RAM (tmpfs). Any change you make here (except writes to physical disks) will disappear when you reboot. The official Arch Linux ISO (archiso) provides an environment rich in diagnostic tools: iproute2, vim, nano, parted, cryptsetup and data recovery utilities.
The keyboard is configured by default with the US layout. Working with symbols like /, - or : under the wrong layout is frustrating. To load a Spanish layout:
# For a Spain keyboard (includes the Ñ and the correct symbols)
loadkeys es
# For a Latin American keyboard
loadkeys la-latin1
Technical note: loadkeys interacts with the kbd subsystem of the Linux kernel, loading a .map.gz keymap stored in /usr/share/kbd/keymaps/.
2.2 Network Subsystem: Connectivity and Synchronization
Arch Linux does not include the operating system packages in the installation ISO (unlike Ubuntu or Debian). The ISO only contains the base live environment. Therefore, a stable Internet connection is the most important, non-negotiable requirement. All binaries and dependencies will be downloaded directly from the global repositories during the pacstrap phase.
2.2.1 Network interfaces (Ethernet)
The Linux kernel, through udev, assigns predictable names to network interfaces. Instead of the old eth0 or wlan0, you will see names like enp3s0 (Ethernet, PCI bus 3, slot 0) or wlp2s0 (wireless).
To list your network interfaces and check their status:
ip link
If you connect an Ethernet cable, the systemd-networkd daemon running on the Live USB will detect the link and automatically request an IP address from your router via DHCP. You can check that you have an IP with:
ip -brief address show
And test DNS resolution and connectivity:
ping -c 4 archlinux.org
2.2.2 Wireless Networks (WiFi) with iwd
If you depend on Wi-Fi, the Arch ISO includes iNet Wireless Daemon (iwd), written by Intel. It is a modern and extremely fast daemon that replaces the old wpa_supplicant.
To set up the connection interactively, invoke the client:
iwctl
The prompt will change to [iwd]#. The logical sequence of commands is:
- Identify the radio adapter:
[iwd]# device list
Suppose the device name (Name) is wlan0.
- Start a network scan:
[iwd]# station wlan0 scan
- List the available networks:
[iwd]# station wlan0 get-networks
- Connect to the network (SSID):
[iwd]# station wlan0 connect "Nombre De Tu Red WiFi"
If the network name contains spaces, use quotes. You will be asked for the passphrase. After entering it and pressing Enter, leave the iwd prompt with exit or Ctrl+D.
Troubleshooting Wi-Fi: If your adapter does not appear in device list, you very likely need proprietary firmware that is not included in the ISO by default (common with certain Broadcom chips or very specific Realtek USB adapters). In that case, the only solution is to use an Ethernet cable or to tether your mobile phone's internet over a USB cable (Linux detects the phone as a wired network interface automatically).
2.2.3 Cryptography and Time Synchronization (NTP)
Before downloading packages from the internet, your system clock must be accurate. Why? Arch's package manager (pacman) verifies the GPG cryptographic signature of every downloaded package to prevent man-in-the-middle attacks and to ensure that the package legitimately comes from an Arch developer. If your motherboard clock is months or years behind, the digital certificates will be evaluated as "invalid" or "expired," and pacman will flatly refuse to install anything, returning "corrupt package" or "invalid PGP signature" errors.
To synchronize the time using the Network Time Protocol (NTP):
timedatectl set-ntp true
To verify that the system has synchronized correctly:
timedatectl status
Look for the lines NTP service: active and System clock synchronized: yes. Also make sure the Universal Time (UTC) is correct. Linux prefers the hardware clock (RTC) on the motherboard to be set to UTC and computes your local time by adding or subtracting according to your time zone.
2.3 Advanced Storage and Partitioning Architecture
Partitioning is the design of our house's foundations. A bad design here will limit the future flexibility of your server or workstation. Linux treats everything as a file, and hard drives are no exception: they reside in the /dev/ (devices) directory.
2.3.1 Block Nomenclature (Block Devices)
Before we modify the disks, we must identify them with absolute certainty. The wrong device means unrecoverable data loss. Run the command to list block devices:
lsblk -f
(The -f flag shows existing file systems and their UUIDs.)
- SATA (mechanical hard drives and traditional SSDs): They are called sd (SCSI disk). The first disk is /dev/sda, the second /dev/sdb. Partitions are numbered: /dev/sda1, /dev/sda2.
- NVMe (modern PCIe SSDs): They have their own naming to avoid the latency of the SCSI layer. They are called nvmeXnY (where X is the controller and Y the namespace). Example: /dev/nvme0n1. Partitions add a 'p': /dev/nvme0n1p1.
- eMMC (common in cheap laptops or the Raspberry Pi): They are called /dev/mmcblk0.
- loop (loop devices): You will see many /dev/loopX. These are the ISO's own files loaded into RAM and you can ignore them completely.
From this point on, we will assume we are installing Arch Linux on the main NVMe SSD: /dev/nvme0n1. If you have a SATA disk, simply replace the path with /dev/sda in the relevant commands.
2.3.2 LVM, LUKS and Partitioning Schemes
There are multiple ways to divide your disk, ranging from simple to enterprise architecture:
- Basic scheme (recommended for beginners):
  - EFI (boot) partition - FAT32.
  - Swap partition - Linux swap.
  - Root partition (/) - Ext4 or Btrfs.
- LVM (Logical Volume Manager):
  LVM introduces an abstraction layer over the physical disks. Instead of static partitions, you group several physical disks (Physical Volumes) into a giant pool (Volume Group), and from there you carve out elastic Logical Volumes. If in the future you run out of space in /home, you can buy another hard drive, add it to the Volume Group and expand the /home volume live, without rebooting.
- LUKS (Linux Unified Key Setup) - Full Disk Encryption (FDE):
  If it is a laptop, encryption is mandatory in professional environments. LUKS creates a block-level encryption container. Without the decryption passphrase entered at boot, the data on the SSD is undecipherable random noise, protecting your SSH keys, source code and customer data in case of hardware theft.
In this manual we will use the basic scheme with static partitions, adapted to current best practices.
2.3.3 Destruction of the previous table and creation of GPT
We will use cgdisk (a GPT-oriented visual interface) or fdisk. The classic and most universal standard is fdisk.
Start fdisk pointing at your target disk:
fdisk /dev/nvme0n1
In the interactive fdisk prompt:
- Create a new empty partition table (wipes everything): Press g (creates a new GPT table). Attention! From this moment on, you have marked the disk to delete all previous partitions.
- Create the EFI partition (boot):
  - Press n (new partition).
  - Partition number: 1 (press Enter).
  - First sector: press Enter (use the default start).
  - Last sector: type +1G and press Enter. (Although the absolute minimum is 260MB for Windows and 512MB for Linux, 1GB is recommended today if you plan to install multiple Linux kernels simultaneously, as modern initramfs files are heavy.)
  - Change type: press t, then 1 to select the "EFI System" type.
- Create the swap partition:
  Swap acts as an overflow when your physical RAM fills up, preventing the kernel from invoking the OOM Killer (forced application termination). It is also essential if you want to use hibernation (suspend to disk).
  - Press n.
  - Partition number: 2 (Enter).
  - First sector: Enter.
  - Last sector: type +8G (or the equivalent of your RAM if you plan to hibernate; for example, with 16GB of RAM you can use +16G).
  - Change type: press t, select partition 2 and type 19 (Linux swap).
- Create the root partition (/):
  Here will reside the entire operating system: binaries, settings and your personal files (if you do not make a separate /home partition, which is simpler for modern desktop installs).
  - Press n.
  - Partition number: 3 (Enter).
  - First sector: Enter.
  - Last sector: Enter (by not setting a limit you use all the remaining free space on the disk, which is ideal).
  - The default type will be "Linux filesystem" (type 20), so you do not need to change it.
- Verification and writing:
  Press p to print the table you just designed. You should see:
  /dev/nvme0n1p1 - 1G - EFI System
  /dev/nvme0n1p2 - 8G - Linux swap
  /dev/nvme0n1p3 - (remaining size) - Linux filesystem
If you are sure everything is right, press w (write) to write the changes to disk and exit. If you made a mistake, press q to quit without saving and start again.
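The same three-partition layout can be expressed as an sfdisk script, which is reproducible and can be reviewed and dry-run before any byte is written. This is an added example, not the book's procedure; it assumes sfdisk from util-linux, and the partition type GUIDs are the standard EFI System, Linux swap and Linux filesystem values that fdisk's menu entries 1, 19 and 20 correspond to.

```shell
#!/bin/sh
# Added example (not from the book): the chapter's fdisk layout as an sfdisk script.
# Standard GPT partition type GUIDs (EFI System, Linux swap, Linux filesystem).
EFI_GUID="C12A7328-F81F-11D2-BA4B-00A0C93EC93B"
SWAP_GUID="0657FD6D-A4AB-43C4-84E5-0933C84B4F4F"
LINUX_GUID="0FC63DAF-8483-4772-8E79-3D69D8477DE4"

# Emit an sfdisk script: 1 GiB ESP, a swap partition of the requested size
# (e.g. 8GiB, or your RAM size if you hibernate), root taking the remaining space.
layout_script() {
    swap_size="$1"
    printf 'label: gpt\n'
    printf 'size=1GiB, type=%s, name="EFI"\n' "$EFI_GUID"
    printf 'size=%s, type=%s, name="swap"\n' "$swap_size" "$SWAP_GUID"
    printf 'type=%s, name="root"\n' "$LINUX_GUID"
}

# Number of partition lines in the script (excludes the label header).
partition_count() {
    layout_script "$1" | grep -Ec '^(size|type)='
}

# Dry-run with --no-act (parses and reports, writes nothing), then ask before
# really writing the table. Mirrors fdisk's p / w / q steps from the chapter.
apply_layout() {
    disk="$1"; swap_size="$2"
    layout_script "$swap_size" | sfdisk --no-act "$disk" || return 1
    printf 'Write this layout to %s? [y/N] ' "$disk"
    read -r answer
    [ "$answer" = "y" ] || { echo "aborted, nothing written"; return 1; }
    layout_script "$swap_size" | sfdisk "$disk"
}

# Usage: apply_layout /dev/nvme0n1 8GiB
```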
2.4 File Systems and Formatting
Raw partitions are useless until a file system is written onto them; it dictates the algorithmic logic of how data is saved, indexed and read. Linux shines in the variety and specialization of its file systems.
2.4.1 File System Theory: Ext4 vs Btrfs vs XFS
- Ext4 (Fourth Extended Filesystem): The reliable grandfather. Around since 2008, it is robust, rock-stable and almost immune to corruption from power cuts thanks to its journaling design. If you want a system to install and forget, Ext4 is the default choice.
- Btrfs (B-Tree Filesystem): Developed by Oracle and SUSE, it is a "next generation" Copy-on-Write file system. It supports snapshots (a system snapshot in milliseconds), transparent in-flight compression (zstd) and subvolumes. It is the default file system in Fedora and Garuda Linux. It allows an incredible level of disaster recovery (you can roll the operating system back to how it was 5 minutes ago), but it requires deeper learning to manage your space, since snapshots consume disk silently.
- XFS: Created by Silicon Graphics. It is the undisputed king for handling massively large files (such as enterprise databases or 8K video editing) thanks to its allocation strategy and parallel I/O capacity. It is the standard in Red Hat Enterprise Linux.
For this professional deployment manual we will use Ext4 for its resilience and universality, which reduces complexity in standard production and desktop environments.
2.4.2 Formatting of Partitions
The formatting utility is mkfs (Make File System).
1. The EFI partition (boot): The UEFI specification strictly states that the EFI partition must be formatted as FAT32, a very old Microsoft file system, because it is the only one that motherboard firmware can read natively.
mkfs.fat -F 32 /dev/nvme0n1p1
(Note: -F 32 specifies FAT32 rather than FAT16. Forgetting it is a common mistake.)
2. The swap partition: Swap has its own specialized structure. It is initialized and then activated immediately so that the Live USB environment can use it if necessary.
mkswap /dev/nvme0n1p2
swapon /dev/nvme0n1p2
3. The root partition (Ext4): We format the bulk of the disk with Ext4. This builds the inode table and the journal.
mkfs.ext4 /dev/nvme0n1p3
If you chose Btrfs (for advanced users), the command would be mkfs.btrfs /dev/nvme0n1p3.
2.4.3 Mounting the Directory Tree
To install the system, we must mount our new partitions inside the virtual file tree of our Live USB. By convention, we use the /mnt directory.
The order is critical. Always mount the root partition (/) first, and then create folders inside it to mount subordinate partitions (such as boot or home).
Mount root:
mount /dev/nvme0n1p3 /mnt
Prepare and mount boot / EFI: In Arch Linux there are several debates about where to mount the EFI partition: /mnt/efi, /mnt/boot/efi or /mnt/boot. Mounting it directly on /boot is the simplest and most recommended method if you use systemd-boot, and it also works perfectly with GRUB, as it allows the kernel (vmlinuz) to be stored directly on the FAT32 partition to which the UEFI firmware has direct, unrestricted access.
We create the directory in our new root and mount the partition:
mkdir /mnt/boot
mount /dev/nvme0n1p1 /mnt/boot
You can verify that your hierarchy is mounted correctly with:
lsblk
You should see a hierarchical structure with /mnt on partition 3 and /mnt/boot on partition 1.
2.5 Installation of the Base Ecosystem (Pacstrap)
At this point we have prepared the physical and logical terrain. It is time to inject the operating system code. In other distros, the installer simply copies the ISO files to the hard drive. In Arch, we use a script called pacstrap, which is essentially a wrapper around the package manager pacman. pacstrap downloads the most recent packages directly from the Arch Linux servers and installs them (decompresses and initializes) into the /mnt folder. This ensures that, at the end of the installation, the system is 100% up to date with the latest version of all the software (a zero-day update).
2.5.1 The Download Mirrors
pacstrap uses the list of servers defined in /etc/pacman.d/mirrorlist. In the past, users had to manually search for the fastest servers in their country to avoid 1990s modem-speed downloads. Today, the Arch ISO includes a background service called reflector that automatically evaluates the world's mirrors, ranks the 20 fastest, and updates the mirrorlist file for you. If your connection is active, this step has already been optimized automatically.
2.5.2 Selecting the Core Packages
The pacstrap command requires you to state explicitly which individual packages or package groups will form your operating system. Arch's minimalism requires you to think carefully about what you need.
The key elements of a modern GNU / Linux system are:
- base: An empty meta-package that lists the minimum required packages. It installs the init system systemd, pacman, the C library (glibc), and the GNU core utilities (coreutils) such as cp, ls, cat. Important note: since 2019, the base meta-package no longer includes a kernel, a text editor or network support. You must install them explicitly.
- The kernel (linux): Downloads the kernel image and its modules. If you are a server administrator, you may choose linux-lts here instead. We will use the stable linux.
- Firmware (linux-firmware): The proprietary binary code that hardware manufacturers require for graphics cards, Wi-Fi adapters and Bluetooth chips to work. Without it you could have a working kernel but no ability to talk to your hardware.
- Editors (vim or nano): Indispensable for modifying configuration files in the next step. Install the one you master. (Nano is intuitive, Vim is powerful.)
- Network tools (networkmanager and iwd): If you do not install them now, when you reboot into your new machine you will find yourself without internet and completely unable to install the graphical environment.
- CPU microcode (intel-ucode or amd-ucode): Modern CPUs are so complex that they have their own internal software, with bugs (remember Spectre and Meltdown). The operating system can inject patches into the CPU during boot. Depending on your machine's processor, you must install the corresponding package: intel-ucode for Intel, amd-ucode for AMD.
Run the deployment with the final orchestration command (we assume an Intel CPU and Nano as the editor):
pacstrap -K /mnt base linux linux-firmware nano networkmanager iwd intel-ucode
(The -K flag initializes a new, empty PGP keyring in the target system, ensuring a clean cryptographic environment for pacman in the new installation.)
The process will download between 400MB and 800MB depending on the packages, verify them, and install them into /mnt. Watch the terminal output; it is an X-ray of the Linux building blocks passing before your eyes.
2.6 Mount persistence (fstab)↑ Home
If you rebooted now, the new system would have no idea which partition is the root and which holds /boot. We need to generate the fstab (File System Table) configuration file. systemd reads /etc/fstab at boot to learn which partitions to mount, where, and with which options (read-only, quotas, access-time behaviour, and so on).
Historically, fstab was written with static device paths (e.g. /dev/sda1). This was fragile: plug in a USB disk and the kernel might enumerate it as sda, turning your hard drive into sdb and pointing every entry at the wrong disk. The fix is the UUID (Universally Unique Identifier), a 128-bit identifier written into the file system's own metadata when you format it, so it follows the file system no matter how the kernel names the device.
Arch provides genfstab to automate this: it detects what is currently mounted under /mnt and writes the entries in UUID form.
We run:
genfstab -U /mnt >> /mnt/etc/fstab
(Syntax: -U forces the use of UUIDs. >> is the shell (bash/zsh) append-redirection operator: it takes genfstab's output and appends it to /mnt/etc/fstab, creating the file if it does not exist. Run it once; running it twice duplicates every entry.)
Audit and verification of fstab: in Linux, trust is good but verification is better. Never continue without auditing an automatically generated configuration file.
cat /mnt/etc/fstab
You should see a structure similar to this:
# /dev/nvme0n1p3
UUID=3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d / ext4 rw,relatime 0 1
# /dev/nvme0n1p1
UUID=1234-ABCD /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/nvme0n1p2
UUID=9f8e7d6c-5b4a-3f2e-1d0c-b9a8f7e6d5c4 none swap defaults 0 0
Let's quickly analyze the fields:
- Device: the partition's file-system UUID.
- Mount point: where it is attached in the tree (/, /boot, or none for swap).
- FS type: the file system type (ext4, vfat, swap).
- Options: mount options passed to the kernel. rw (read/write); relatime (an important optimization: the access time is only rewritten when it is older than the modification time or more than a day old, instead of on every read, saving countless write cycles on an SSD). The vfat line also carries fmask and dmask, which define the permission bits removed from files and directories, since FAT stores no Unix permissions of its own.
- Dump and pass: the fifth field is for the obsolete dump utility (always 0). The sixth is the order in which fsck (File System Check) checks the file systems at boot: the root partition should be 1, other checkable partitions 2, and 0 disables the check (swap, and anything fsck cannot handle).
If the fstab file looks right and is not empty, you can breathe a sigh of relief. The physical, logical and binary base of the operating system is now in place on your hardware.
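As an added example (not part of the book and not genfstab's own code), here is a small POSIX shell function that automates the audit just described: it parses an fstab file and flags the mistakes that only show up after reboot (device paths instead of UUIDs, a root entry without fsck pass 1, a swap entry that fsck would try to check, missing or duplicated root). The sample fstab it is exercised against is constructed from the entries shown above.

```shell
#!/bin/sh
# audit_fstab FILE
# Added example: checks an fstab for the problems that leave a system unbootable
# or silently unchecked. Returns 0 when clean, 1 when a problem was found.
audit_fstab() {
  file=$1
  [ -s "$file" ] || { echo "fstab missing or empty: $file" >&2; return 1; }
  awk '
    /^[[:space:]]*#/ || NF == 0 { next }                # skip comments and blank lines
    NF != 6 { printf "line %d: expected 6 fields, got %d\n", NR, NF; bad = 1; next }
    $1 ~ /^\/dev\// {                                   # kernel device names are not stable
      printf "line %d: %s is a device path; use UUID= or PARTUUID=\n", NR, $1; bad = 1
    }
    $2 == "/" {
      roots++
      if ($6 != 1) { printf "line %d: root must have fsck pass 1\n", NR; bad = 1 }
    }
    $2 != "/" && $6 == 1 { printf "line %d: only root should have fsck pass 1\n", NR; bad = 1 }
    $3 == "swap" && $6 != 0 { printf "line %d: swap cannot be checked, pass must be 0\n", NR; bad = 1 }
    END {
      if (roots != 1) { printf "expected exactly one root entry, found %d\n", roots + 0; bad = 1 }
      exit bad + 0
    }' "$file" >&2
}

# write_sample_fstab FILE: a constructed fstab with the entries shown in the text
write_sample_fstab() {
  cat > "$1" <<'EOF'
# /dev/nvme0n1p3
UUID=3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d / ext4 rw,relatime 0 1
# /dev/nvme0n1p1
UUID=1234-ABCD /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/nvme0n1p2
UUID=9f8e7d6c-5b4a-3f2e-1d0c-b9a8f7e6d5c4 none swap defaults 0 0
EOF
}
```

On the live ISO you would call it as audit_fstab /mnt/etc/fstab right after genfstab; a non-zero exit with the reasons on stderr means fix the file before continuing.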
In the next, crucial chapter (Chapter 3) we will use chroot to "teleport" into the new system, perform the final configuration (language, time zone, users) and, above all, install the component that orchestrates boot: the GRUB boot manager.
Chapter 3: Chroot and Internal Configuration↑ Home
After running pacstrap in the previous chapter we have downloaded hundreds of megabytes of software and written it to the disk mounted on /mnt. At this moment, however, we are still running the live USB's kernel from RAM.
To configure the new system you have to get inside it: make the commands you run believe that the hard disk is the whole universe and hide the USB entirely. This trick is called chroot (change root).
3.1 The Theory and Practice of Chroot↑ Home
chroot is a Unix operation that changes the apparent root directory (/) for the current process and its children. A program running inside the chroot cannot see, open or modify paths outside the new root by ordinary means. It is one of the oldest forms of isolation and a conceptual ancestor of modern containers, although on its own it is not a security boundary: a root process inside a chroot can still escape it, so treat it as a configuration tool, not as a sandbox.
In Arch Linux we use an enhanced wrapper called arch-chroot, provided by the arch-install-scripts package (already present on the live ISO).
Why arch-chroot rather than plain chroot?
Plain chroot requires you to mount the kernel's virtual (API) file systems inside the target first: /dev (device nodes), /proc (process and kernel information), /sys (the sysfs hardware tree) and /run (runtime state). Without them, tools like grub-install cannot find your disks and efibootmgr cannot write UEFI variables. arch-chroot performs these mounts (including efivarfs on UEFI machines) and makes /etc/resolv.conf available inside the new root so the chroot keeps network access.
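To make the previous paragraph concrete, here is an added example of the mounts a plain chroot needs, written out by hand. It is a simplified version of what arch-chroot does and is not the arch-install-scripts code; it assumes the new root is mounted at the directory passed as its first argument and that you are root. Setting DRY_RUN=1 prints the commands instead of executing them, which is also how the example is exercised.

```shell
#!/bin/sh
# Added example: the API file-system mounts a plain chroot needs before grub-install,
# efibootmgr and pacman work inside it (simplified from what arch-chroot does).
# Assumptions: $1 is the mounted new root (e.g. /mnt); you are root.
# DRY_RUN=1 prints each command instead of running it.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

chroot_prep() {
  root=${1%/}
  [ -d "$root/etc" ] || { echo "$root does not look like a root file system" >&2; return 1; }
  # /proc and /sys: process and hardware information; nosuid/noexec/nodev as arch-chroot does
  run mount -t proc proc "$root/proc" -o nosuid,noexec,nodev
  run mount -t sysfs sys "$root/sys" -o nosuid,noexec,nodev,ro
  # efivarfs is where efibootmgr (called by grub-install) writes UEFI boot entries;
  # it only exists on UEFI machines, so skip it silently elsewhere
  if [ -d /sys/firmware/efi/efivars ]; then
    run mount -t efivarfs efivarfs "$root/sys/firmware/efi/efivars" -o nosuid,noexec,nodev
  fi
  # /dev with its sub-mounts (pts, shm); make it a slave so that unmounting inside the
  # chroot never propagates back to the live system
  run mount --rbind /dev "$root/dev"
  run mount --make-rslave "$root/dev"
  run mount -t tmpfs run "$root/run" -o nosuid,nodev,mode=0755
  run mount -t tmpfs tmp "$root/tmp" -o mode=1777,strictatime,nodev,nosuid
  # DNS inside the chroot: copy the live system's resolver configuration
  run cp -L /etc/resolv.conf "$root/etc/resolv.conf"
}

# Enter the prepared root. Afterwards, umount -R "$root" undoes every mount above.
chroot_enter() {
  run chroot "${1%/}" /bin/bash
}
```

The mount options are the security-relevant part: nosuid, noexec and nodev on the API file systems mean nothing placed there can be executed or used as a device node, and the rslave propagation keeps a careless umount inside the chroot from tearing down the live system's /dev.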
3.1.1 Implementation
Just run:
arch-chroot /mnt
You will notice the prompt change (typically from the live ISO's coloured zsh prompt to a plain bash prompt such as [root@archiso /]#). Congratulations: you are now running the binaries you just installed on your NVMe/SATA disk (your own bash, nano, pacman and so on). Everything you do from this point is written permanently to that disk.
3.2 Time and Hardware Clock↑ Home
A computer keeps two different clocks:
- System time: kept in memory by the kernel while the system is running and lost at power-off; normally synchronized over the Internet with NTP.
- Hardware clock (RTC, Real Time Clock): a physical clock on the motherboard, powered by a CR2032 coin cell, that keeps time while the machine is unplugged.
3.2.1 Time zone configuration
The system needs to know where you are to convert between UTC and local time. The time zone definitions live in /usr/share/zoneinfo/.
To list the continents and regions:
ls /usr/share/zoneinfo
To see the cities of a region (e.g. Europe):
ls /usr/share/zoneinfo/Europe
We create a symbolic link (a pointer to the right definition) at /etc/localtime. For Madrid, Spain:
ln -sf /usr/share/zoneinfo/Europe/Madrid /etc/localtime
(For Latin America you could use America/Mexico_City, America/Argentina/Buenos_Aires or America/Bogota.)
3.2.2 Synchronizing the hardware clock (hwclock)
Now that the system knows its time zone, write the current system time to the motherboard's clock; this also generates /etc/adjtime, which records whether the RTC is kept in UTC or in local time:
hwclock --systohc
By default Linux assumes the hardware clock is in UTC (Coordinated Universal Time). This is the correct, standard practice on servers: Linux reads UTC from the motherboard and derives local time from the time zone you configured.
The dual-boot problem with Windows: Windows, for historical MS-DOS compatibility reasons, assumes the motherboard clock is in local time. With Windows and Linux on the same machine the two fight: Linux sets the RTC to UTC and shows the correct local time; Windows then reads UTC as if it were local time, shows the wrong hour and "corrects" the RTC, and on your next Linux boot the time is off again. The professional solution: do not force Linux to use local time. In Windows, open the registry editor (regedit), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation and create a 32-bit DWORD named RealTimeIsUniversal with value 1. This makes Windows behave like a modern system and keep the RTC in UTC.
3.3 System Localization (Locale) and Language↑ Home
The locale is a cornerstone of POSIX systems. It dictates not only the language (Spanish, English) but how programs interpret and sort characters, how numbers are formatted (decimal comma or point), how dates are represented and how text is encoded (UTF-8). A misconfigured locale shows typed letters as question marks or boxes and breaks Python scripts that read text files.
3.3.1 Generating locales (locale.gen)
In Arch Linux you generate your own locales. First, tell the system which ones you want by enabling them in the master file.
Open the file with your editor (we assume nano):
nano /etc/locale.gen
This file contains hundreds of commented-out options (preceded by #). Find and uncomment (remove the #) the ones you need. It is recommended to always keep American English as a fallback, since some programs and compilers assume it. For a user in Spain:
en_US.UTF-8 UTF-8
es_ES.UTF-8 UTF-8
(If you are in another Spanish-speaking country, uncomment your own variant, e.g. es_MX.UTF-8 UTF-8 or es_AR.UTF-8 UTF-8. Do not uncomment the ISO-8859 variants; those are legacy encodings. Always use the ones ending in UTF-8.)
Save the file (Ctrl+O, Enter, Ctrl+X in nano). Now compile the locale data:
locale-gen
3.3.2 Environment configuration files
Once generated, tell the system which locale to use by default (the LANG environment variable).
Create the file locale.conf:
echo "LANG=es_ES.UTF-8" > /etc/locale.conf
Optionally, if you need finer control, you can mix them: for example keep the language in English (so terminal error messages are easy to search for online) but use Spanish date, paper (A4) and currency (€) formats:
# In /etc/locale.conf
LANG=en_US.UTF-8
LC_TIME=es_ES.UTF-8
LC_MONETARY=es_ES.UTF-8
LC_PAPER=es_ES.UTF-8
(Every locale referenced here must have been enabled in locale.gen and generated by locale-gen; otherwise the variable is silently ignored.)
3.3.3 Console keyboard layout (vconsole.conf)
The loadkeys es command we used in Chapter 2 only lives in RAM. To keep a Spanish keyboard on the next boot in the TTY console (the text screen before any graphical environment), create vconsole.conf:
echo "KEYMAP=es" > /etc/vconsole.conf
(Use la-latin1 instead of es for a Latin American keyboard.)
3.4 Network Settings: Hostname and Hosts↑ Home
Your machine's identity on local networks is its hostname. It is what you will see on your router and in SSH sessions from other computers.
Create /etc/hostname containing the name you want for your PC. It must be a single word with no spaces or special characters (letters, digits and hyphens only), for example arch-workstation, srv-produccion or simply arch:
echo "arch-workstation" > /etc/hostname
3.4.1 Local name resolution (/etc/hosts)
/etc/hosts is a static lookup table that the system consults before asking DNS servers (the lookup order is defined in /etc/nsswitch.conf). It matters that the machine can resolve its own name on the loopback network (127.0.0.0/8): many local services (PostgreSQL, local web servers) fail with long timeouts if this file does not match your hostname.
Open the file:
nano /etc/hosts
Add the following, replacing arch-workstation with the name you chose above:
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch-workstation.localdomain arch-workstation
(Note: 127.0.0.1 is the IPv4 loopback address and ::1 the IPv6 one.)
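Sections 3.2 to 3.4 are one procedure, so here is an added example (not part of the book) that performs them as a single validated, idempotent shell function: it rejects a malformed hostname or a time zone that does not exist instead of writing a dangling symlink, enables the locale in locale.gen without duplicating the line when run twice, and writes locale.conf, vconsole.conf, hostname and hosts consistently. The TARGET variable, the argument names and the sample files the test constructs are this example's own assumptions: TARGET is / when run inside arch-chroot, or /mnt when run from the live ISO before entering the chroot. hwclock --systohc and locale-gen still have to be run inside the chroot afterwards.

```shell
#!/bin/sh
# Added example: sections 3.2-3.4 as one validated, idempotent step.
# Assumptions: TARGET is the root being configured (/ inside arch-chroot, /mnt from the
# live ISO); $TARGET/usr/share/zoneinfo and $TARGET/etc/locale.gen already exist (they
# come from the tzdata and glibc packages pulled in by `base`).
set -u
TARGET=${TARGET:-/}

# configure_identity HOSTNAME TIMEZONE LOCALE KEYMAP
configure_identity() {
  host=$1 tz=$2 locale=$3 keymap=$4
  # hostname: one DNS label; lowercase letters, digits and hyphens, no leading/trailing hyphen
  case $host in
    ''|*[!a-z0-9-]*|-*|*-) echo "invalid hostname: '$host'" >&2; return 1 ;;
  esac
  [ ${#host} -le 63 ] || { echo "hostname longer than 63 characters" >&2; return 1; }
  # refuse a time zone that does not exist instead of creating a dangling symlink
  [ -f "$TARGET/usr/share/zoneinfo/$tz" ] || { echo "unknown time zone: $tz" >&2; return 1; }
  ln -sf "/usr/share/zoneinfo/$tz" "$TARGET/etc/localtime"   # absolute target, valid after boot
  # enable the locale in locale.gen: strip the leading '#' only, never append a duplicate
  grep -qE "^#?${locale} UTF-8" "$TARGET/etc/locale.gen" \
    || { echo "$locale is not a known locale in locale.gen" >&2; return 1; }
  sed -i "s/^#\(${locale} UTF-8\)/\1/" "$TARGET/etc/locale.gen"
  printf 'LANG=%s\n' "$locale" > "$TARGET/etc/locale.conf"
  printf 'KEYMAP=%s\n' "$keymap" > "$TARGET/etc/vconsole.conf"
  printf '%s\n' "$host" > "$TARGET/etc/hostname"
  printf '127.0.0.1 localhost\n::1 localhost\n127.0.1.1 %s.localdomain %s\n' \
    "$host" "$host" > "$TARGET/etc/hosts"
}
```

Inside the chroot you would run it as configure_identity arch-workstation Europe/Madrid es_ES.UTF-8 es and then locale-gen and hwclock --systohc by hand; because every check happens before the first file is written, a typo in the time zone or locale name leaves the system untouched.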
3.5 Identity Management: Passwords, Users and Privileges (sudo)↑ Home
In the hierarchy of a UNIX system, root is absolute. It can format mounted disks or delete the entire operating system without warning. Working as root for daily tasks is a massive security risk, not only against malware (which would face no barriers) but against your own mistakes.
3.5.1 Superuser (root) password
We must secure the main account first.
passwd
It asks for the new password and a confirmation. The terminal does not echo the characters, not even as asterisks; type with confidence.
3.5.2 Creating your standard user
We create the user you will use 99% of the time.
useradd -m -G wheel -s /bin/bash francesc
Let's unpack this command:
- useradd: the system binary that creates accounts.
- -m (make home): creates the home directory /home/francesc, copying the template from /etc/skel.
- -G wheel (groups): adds the user to the supplementary group wheel. On Red Hat-based distributions and on Arch, wheel is the administrative group allowed to escalate privileges (Debian and Ubuntu use the sudo group instead).
- -s /bin/bash (shell): sets bash as the user's login shell.
- francesc: the username (lowercase by convention).
Now set a password for the new user:
passwd francesc
3.5.3 Granting privileges: sudo configuration
The user is in the administrative group, but the tool that lets you "borrow" root powers temporarily, sudo, is not installed on Arch. This is a design decision: some administrators prefer doas (from OpenBSD) or simply su.
We install sudo:
pacman -S sudo
Which users may use sudo is defined in /etc/sudoers. Never edit this file directly with nano or vim: a syntax error in sudoers disables sudo entirely, and if you have no other way to become root you have locked yourself out of administration. Always edit it with visudo, which checks the syntax on save and refuses to write a broken file.
By default visudo uses vi. If you prefer nano, override the environment variable for that invocation:
EDITOR=nano visudo
Scroll down to the section mentioning the wheel group. You will see a line like this:
# %wheel ALL=(ALL:ALL) ALL
Remove the hash (#) to uncomment it. Save and exit. From now on any member of wheel (such as the user we just created) can run administrative commands by prefixing them with sudo and typing their own password (not root's). Before you reboot it is worth confirming the result: visudo -c validates the file, and logging in as the new user and running a harmless command under sudo proves the whole chain works while you still have the root shell open to fix it.
3.6 The Boot Manager (Bootloader): GRUB and systemd-boot↑ Home
The final and most delicate step inside the chroot is installing the bootloader. Without it the firmware will not know how to load the Linux kernel into RAM when you power on, and you will be left with a black screen or a "No Bootable Device Found" error.
There are several boot managers for UEFI systems:
- GRUB (GRand Unified Bootloader): the heavyweight. Extremely configurable: it can boot ISO images directly, draw graphical menus, unlock LUKS-encrypted disks at an early stage and read complex file systems such as ZFS or Btrfs. It is the most widely supported option.
- systemd-boot: a minimalist manager included with systemd itself. It is very fast, configured with three-line plain-text files, and elegant in its simplicity. However, the kernel and initramfs must physically reside on the FAT32 EFI system partition, and it is less flexible in complex dual-boot setups.
Since we are building a comprehensive manual, we will use GRUB: its maturity makes it work on the overwhelming majority of hardware.
3.6.1 Installing the GRUB packages
First install GRUB and the tool for manipulating UEFI boot variables (efibootmgr):
pacman -S grub efibootmgr
(Dual-boot note: if Windows is installed on another disk and you want GRUB to offer a menu to choose between Arch and Windows, you also need the os-prober package and the Windows EFI partition mounted; this is covered in the advanced configuration. For security reasons, since GRUB 2.06 os-prober is disabled by default and must be enabled explicitly with GRUB_DISABLE_OS_PROBER=false in /etc/default/grub.)
3.6.2 Deploying the UEFI binary (grub-install)
The next command builds a small .efi image and places it on your /boot partition (the FAT32 partition created in Chapter 2). It then uses efibootmgr to talk to the motherboard's NVRAM and add a boot entry to the firmware's boot menu.
Run carefully:
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
- --target=x86_64-efi: builds the image for 64-bit UEFI firmware.
- --efi-directory=/boot: the path where our FAT32 EFI partition is mounted.
- --bootloader-id=GRUB: the name listed in your motherboard's boot menu (F12 or similar) and the directory created under /boot/EFI/. You can use "ArchLinux" or whatever you like.
If the command succeeds it ends with the message "Installation finished. No error reported."
3.6.3 Generating the configuration file (grub.cfg)
grub-install only installs the engine. Now we must generate the map (the menu) that tells it where to find the kernel (vmlinuz-linux) and the initial RAM file system (initramfs-linux.img). GRUB ships a generator that scans your disks and writes this menu:
grub-mkconfig -o /boot/grub/grub.cfg
In the terminal output you will see the script detect the Linux images and the Intel/AMD microcode you installed with pacstrap, and create the corresponding menu entries.
3.6.4 (Optional) Microcode in GRUB
If you installed intel-ucode or amd-ucode, grub-mkconfig automatically adds the microcode image as the first initrd, ahead of initramfs-linux.img. That ordering matters: the kernel's early microcode loader reads the first initrd before the rest of the initramfs is processed, so the CPU is patched before your system starts running. It is a good illustration of why a correctly configured bootloader is a security component, not just a menu.
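Because the whole benefit depends on that ordering, here is an added example (not GRUB's or Arch's code) of a check you can run against the generated grub.cfg before rebooting: it finds every initrd line and fails unless a microcode image precedes the initramfs on each of them. The sample grub.cfg fragments it is exercised against are constructed to look like grub-mkconfig's output with and without the ucode package.

```shell
#!/bin/sh
# Added example: verify that every initrd line in a grub.cfg loads a CPU microcode
# image before the initramfs, the ordering the early microcode loader requires.
# check_ucode_initrd FILE -> 0 when all entries are correct, 1 otherwise, 2 if unreadable.
check_ucode_initrd() {
  cfg=$1
  [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
  lines=$(grep -E '^[[:space:]]*initrd[[:space:]]' "$cfg") || {
    echo "no initrd lines in $cfg (no Linux entries generated?)" >&2; return 1; }
  # a correct line looks like:  initrd  /intel-ucode.img /initramfs-linux.img
  bad=$(printf '%s\n' "$lines" \
        | grep -vE 'initrd[[:space:]]+[^[:space:]]*/(intel|amd)-ucode\.img[[:space:]]+[^[:space:]]*initramfs') || true
  if [ -n "$bad" ]; then
    printf 'initrd lines without early microcode:\n%s\n' "$bad" >&2
    return 1
  fi
  return 0
}

# write_sample_grubcfg FILE GOOD: a constructed fragment shaped like grub-mkconfig output
# (GOOD=1 with the microcode initrd, GOOD=0 the way it looks when the ucode package is missing)
write_sample_grubcfg() {
  if [ "$2" = 1 ]; then ucode='/intel-ucode.img '; else ucode=''; fi
  cat > "$1" <<EOF
menuentry 'Arch Linux' {
	linux	/vmlinuz-linux root=UUID=3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d rw loglevel=3
	initrd	${ucode}/initramfs-linux.img
}
menuentry 'Arch Linux (fallback initramfs)' {
	linux	/vmlinuz-linux root=UUID=3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d rw loglevel=3
	initrd	${ucode}/initramfs-linux-fallback.img
}
EOF
}
```

Run it as check_ucode_initrd /boot/grub/grub.cfg right after grub-mkconfig. After the first reboot, the kernel log (journalctl -k) reports the microcode revision it actually loaded, which is the final confirmation.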
3.7 Enabling the Network and Closing the Chroot↑ Home
If we rebooted right now we would have a working Arch Linux: GRUB would start, the kernel would load and a login prompt would ask for a user and password. But we would have no network. The systemd-networkd and iwd setup that the live ISO uses does not carry over into the permanent installation unless we configure it. In Chapter 2 we installed networkmanager; now we tell the init system to start it on every boot.
systemctl enable NetworkManager
(Important: mind the capital letters in NetworkManager. It is one of the few services in Linux that uses them.)
This guarantees that after the reboot we will have a robust network service, able to connect over cable or manage complex Wi-Fi networks (covered in Chapter 4).
3.7.1 The elegant exit
Your work as a system surgeon inside the chroot is done. It is time to close the patient, clean the instruments and wake the machine.
- Leave the chroot:
exit
(Alternatively, Ctrl+D. The prompt returns to the live ISO's zsh.)
- Unmount the partitions (best practice):
Although a reboot would force it, unmounting manually guarantees that every buffered write is flushed to the SSD before power is cut.
umount -R /mnt
(-R means recursive: it unmounts /mnt/boot first and then /mnt, in the right order.)
- Reboot the machine:
reboot
Remove the installation USB as soon as the machine restarts! If you followed the instructions to the letter, your firmware will initialize, load the GRUB EFI binary you just installed, and the GRUB selection screen will appear for the first time, opening the doors to your new, pristine Arch Linux system. In the following chapters we leave installation behind and move on to system management and the graphical environment.
Chapter 4: Advanced Networking and Audio Architecture↑ Home
Welcome to your new Arch Linux installation. You have a working kernel and a privileged user, but your system is isolated from the world. In "friendly" operating systems the network and sound just work. In Arch you build and understand these bridges yourself. This chapter dissects network configuration and the convoluted evolution of audio on Linux.
4.1 Network Architecture in Linux and NetworkManager↑ Home
Historically, Linux networking was configured by hand, editing /etc/network/interfaces and using monolithic commands such as ifconfig. Today's desktops and laptops need a dynamism the classic method cannot offer (moving from a coffee-shop Wi-Fi to a corporate VPN and then to an Ethernet cable within seconds). This is where NetworkManager comes in: a daemon maintained by Red Hat that has become the industry standard.
4.1.1 The command-line tool: nmcli
NetworkManager has graphical front ends, but a system administrator masters nmcli. It can do anything the graphical interfaces do, scriptably.
To see the overall state of all your interfaces:
nmcli device status
Managing Wi-Fi from the terminal: NetworkManager drives wpa_supplicant or iwd under the hood. To scan for networks and connect:
- Trigger a scan and list the networks:
nmcli device wifi list
- Connect to a new network (NetworkManager saves the profile, password included in plain text, under /etc/NetworkManager/system-connections/; the files are owned by root with mode 0600, so the secrets are only as safe as root access to the machine):
nmcli device wifi connect "SSID_DE_LA_RED" password "Tu_Contraseña"
(A password typed on the command line also lands in your shell history. Prefer nmcli --ask device wifi connect "SSID_DE_LA_RED", which prompts for it instead.)
Managing profiles (connections): in NetworkManager you do not configure the network card directly; you configure "connections" (profiles) that are applied to devices. To list your saved profiles:
nmcli connection show
To force a static IP (useful on servers) instead of DHCP:
nmcli connection modify "Nombre_Perfil" ipv4.addresses "192.168.1.50/24"
nmcli connection modify "Nombre_Perfil" ipv4.gateway "192.168.1.1"
nmcli connection modify "Nombre_Perfil" ipv4.method manual
nmcli connection up "Nombre_Perfil"
(Switching to manual also drops the DNS servers DHCP used to supply; set ipv4.dns on the profile as well, or the machine will have an address but no name resolution.)
When you writegoogle.com, your system must translate that name into an IP address. By default, NetworkManager uses the DNS provided by the router. However, in advanced environments, you will want to useSystemd-resolvedto implement DNS on TLS (DoT) or local DNS cache, preventing your Internet provider (ISP) from tracking your queries.
To activate the local system resolver:
sudo systemctl enable --now systemd-resolved.serviceThen we must link the classic Unix file/etc/resolv.confto point to the demon of systemd:
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.confFrom this moment on, you can audit your DNS requests using:
resolvectl statusTo force the use of Cloudflare DNS (1.1.1.1) with encryption, you can edit/etc/systemd/resolved.confand add:
[Resolve]
DNS=1.1.1.1 1.0.0.1
DNSOverTLS=yesReset service (systemctl restart systemd-resolved) and your navigation will be protected from listening (snifing) at DNS level.
4.2 The Bluetooth Stack (BlueZ)↑ Home
The Bluetooth ecosystem on Linux is built on BlueZ, a large project sponsored by companies such as Intel. BlueZ provides the kernel-level protocol stack and the user-space tools to talk to wireless devices (Low Energy, A2DP audio, HID peripherals).
4.2.1 Installation and daemons
sudo pacman -S bluez bluez-utils
The main package contains the bluetoothd daemon. Enable it in the init system:
sudo systemctl enable --now bluetooth.service
4.2.2 Interacting with bluetoothctl
Like nmcli, BlueZ provides an interactive client for pairing devices from the console, essential before a graphical environment exists (or on headless servers).
Run the client:
bluetoothctl
You enter an interactive prompt. The workflow to connect headphones or a keyboard is:
- Power on the local adapter:
[bluetooth]# power on
- Start temporary scanning:
[bluetooth]# scan on
(You will see a stream of MAC addresses and names. When your device appears, note its MAC address, e.g. 00:1D:43:XX:YY:ZZ.)
- Pairing:
[bluetooth]# pair 00:1D:43:XX:YY:ZZ
(This performs the pairing exchange and stores the link keys that protect subsequent connections. If both sides display a confirmation code, actually compare them before accepting: that comparison is what defeats a man-in-the-middle during pairing.)
- Trusting:
[bluetooth]# trust 00:1D:43:XX:YY:ZZ
(Crucial: this lets the device reconnect automatically in the future without asking for permission. Only trust devices you own.)
- Connecting:
[bluetooth]# connect 00:1D:43:XX:YY:ZZ
If Bluetooth audio fails mysteriously or drops out, administrators use the bundled monitor to inspect raw HCI (Host Controller Interface) packets:
sudo btmon
4.3 Audio Architecture: The PipeWire Revolution↑ Home
For the last decade, audio on Linux was a source of memes and frustration. Three parallel subsystems often collided with each other:
- ALSA (Advanced Linux Sound Architecture): the lowest level, built into the kernel. It talks to the sound card hardware. (Problem: without a mixing layer, only one application could open the device at a time.)
- PulseAudio: a sound server on top of ALSA. It mixes audio streams so you can listen to YouTube and Spotify at once. (Problem: it added latency unacceptable for professional music production.)
- JACK: built for strictly low latency and flexible routing in music production. (Problem: impractical for a normal desktop user; web browsers could not use it.)
The solution: PipeWire. Originally developed by Wim Taymans at Red Hat, PipeWire is a next-generation multimedia server. It replaces both PulseAudio and JACK, combining the ease of use of the former with the low latency of the latter, and it also routes video streams (essential for screen capture in modern Wayland environments).
4.3.1 Installing PipeWire and its compatibility layers
On Arch we install the main server plus the compatibility layers (wrappers) that let old programs believe they are talking to PulseAudio or JACK.
sudo pacman -S pipewire pipewire-alsa pipewire-pulse pipewire-jack
(If pacman asks whether to remove pulseaudio or jack2 because of a conflict, answer yes. This is intentional.)
4.3.2 WirePlumber: the audio brain
PipeWire is only the "pipes" through which multimedia data travels. For the pipes to know where to go (e.g. "when a Bluetooth headset connects, route audio to it automatically") we need a session manager. The de facto standard, maintained by Collabora, is wireplumber.
sudo pacman -S wireplumber
4.3.3 Activation and the user space (systemd --user)
Unlike the network or Bluetooth daemons, which run system-wide as root, audio and video on modern Linux run per user. This is a deliberate security measure: you do not want a global daemon with access to the microphone that could stream audio without the logged-in user's knowledge.
PipeWire's services are therefore enabled with systemd's --user flag. ATTENTION: do not use sudo for the following commands; run them as your regular user from a real login session (not from su, which has no user session bus):
systemctl --user enable --now pipewire.service
systemctl --user enable --now pipewire-pulse.service
systemctl --user enable --now wireplumber.service
To verify that the stack is up and the wrappers work, query the server with the old PulseAudio client tool (pactl, from the libpulse package). If PipeWire is answering, you will see its name:
pactl info
Look for the "Server Name" line. It should say PulseAudio (on PipeWire). Magic!
4.3.4 Control and diagnosis with wpctl
wireplumber includes a powerful command-line tool to manage audio nodes, volume and default devices: wpctl (WirePlumber Control).
To list every sink (speakers/outputs) and source (microphones/inputs) the system has detected:
wpctl status
The output shows numeric identifiers. The device marked with an asterisk * is the current default node.
To change the volume from a bash script or a window-manager keybinding, use the relative syntax. Raise the default output by 5%:
wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+
Lower it by 5%:
wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-
(Relative increases do not stop at 100%; wpctl's -l 1.0 option caps the result at full scale so a keybinding cannot drive the output into distortion.)
Mute the default microphone (useful for a dedicated mute key on your keyboard):
wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle
With a solid network base, encrypted DNS, Bluetooth connectivity for peripherals and the most advanced multimedia stack available, your base system is operationally complete. You have turned an inert console into a workstation. The next big step in our architectural journey (Chapter 5) is mastering the lifeblood of the software: package management.
4.4 Advanced Networking: VLANs, Bonding and QoS↑ Home
Once you have tamed basic connectivity with NetworkManager, the next architectural level, especially important on servers and workstations in corporate environments, is manipulating the logical layers of the network.
4.4.1 VLANs (802.1Q)
Virtual LANs (VLANs) let you divide a physical switch (or your network card) into several logical networks that cannot see each other (e.g. one for security cameras, one for guests and one for administration). NetworkManager handles this cleanly on Arch.
If your office network delivers traffic tagged VLAN 10 to your Ethernet port (e.g. enp3s0), you can capture it on a virtual interface on your PC:
# Create the virtual interface tagged VLAN 10
nmcli connection add type vlan con-name VLAN10 dev enp3s0 id 10
# Assign it a static IP in the right segment
nmcli connection modify VLAN10 ipv4.addresses 10.0.10.5/24 ipv4.method manual
nmcli connection up VLAN10
You now have a virtual interface enp3s0.10 in ip link that behaves like a separate physical cable. (Remember that a VLAN tag is a segmentation tool, not an access control: any host whose switch port is allowed to send tagged frames can join the VLAN, so the isolation is only as good as the switch port configuration.)
4.4.2 Link aggregation (bonding)
What do you do when your motherboard has two Gigabit Ethernet ports and your file server chokes at 1 Gbps? You bond them. Network bonding (or teaming) aggregates bandwidth or provides fault tolerance (unplug one cable and the other keeps the stream alive).
Mode 4 (LACP, Link Aggregation Control Protocol) is the most professional option, assuming your switch supports it and its ports are configured for it:
# Create the bond master interface
nmcli connection add type bond con-name MiBond ifname bond0 bond.options "mode=802.3ad,miimon=100"
# Add the two physical ports as slaves of the bond
nmcli connection add type ethernet slave-type bond con-name MiBond-Esclavo1 ifname enp3s0 master bond0
nmcli connection add type ethernet slave-type bond con-name MiBond-Esclavo2 ifname enp4s0 master bond0
Finally bring the master profile up (nmcli connection up MiBond); the slaves follow it. Note that a single TCP flow still travels over one member link: LACP spreads different flows across the members, so you only see the aggregate bandwidth with several parallel transfers.
4.4.3 Bufferbloat mitigation (QoS with fq_codel)
Bufferbloat occurs when a massive download saturates your bandwidth and your game's ping jumps from 20 ms to 300 ms because the game's small packets are stuck behind the download in an oversized buffer. The Linux kernel includes a queueing discipline called fq_codel (Fair Queueing Controlled Delay) that schedules packets in real time, favouring small, latency-sensitive flows over bulk transfers.
To make it the kernel's default queueing discipline (via sysctl):
sudo nano /etc/sysctl.d/99-network.conf
Add:
net.core.default_qdisc=fq_codel
After a reboot (or sudo sysctl --system) the setting is active; check the current value first with sysctl net.core.default_qdisc, since recent systemd versions already ship fq_codel as the default and the drop-in then only makes it explicit. The caveat: a qdisc only manages the queue it sits on, so this helps when your PC's own uplink is the bottleneck. If the bloated buffer is in the modem or router, the shaping has to happen there (or you must shape to just below the line rate with a qdisc such as cake); otherwise your torrents can still ruin your Zoom call or your League of Legends ping.
4.5 Professional Audio: Mastering PipeWire↑ Home
PipeWire is not limited to playing YouTube audio; it is a Swiss knife that undraws the line between an end-user's audio and the routing of a professional recording studio.
4.5.1 Latency, RTirq and Crackling Mitigation
If you use MIDI synthesizers or DJ software (like Mixxx) and crunchy notes (Crackling / Xruns) when playing the piano, it is because the size of the PipeWire buffer (Buffer Size) is too small and your CPU does not have time to process the sound.
Quantum adjustment (Buffer):We can force latency in execution time. The "Quantum" is the number of samples (samples) per block. 1024 is safe but has lag; 128 has very low latency but requires CPU. To force an ultra-fast buffer on a sound card running at 48000 Hz:
PIPEWIRE_LATENCY="128/48000" mixxxTo avoid crunching at such low latences, the PipeWire demon needs system permission to interrupt all other programs (RealTime Priority). Installrtirq:
sudo pacman -S rtirq
sudo systemctl enable --now rtirq.serviceThis reorganizes the IRQ interruptions on the base plate, giving your USB / PCIe sound card top of your graphics card or hard drives the highest hardware priority.
4.5.2 System-wide Parametric Equalization (EasyEffects)
Instead of relying on the individual equalizer of each program (Spotify, Firefox), in Arch you can install an interception layer that mathematically processes all the sound of the operating system by convolution.
sudo pacman -S easyeffects lsp-plugins
EasyEffects uses the graph nature of PipeWire to sit in between (as a proxy) all audio outputs. You can apply:
- Auto Gain: Normalizes the volume of YouTube videos, so you never get startled by an ad 3 times louder than the video.
- Convolver: You can download impulse response (IR) files from $10,000 acoustic studios, load them here, and make your $30 headphones sound acoustically like a professionally corrected studio (AutoEQ technology).
- Noise Reduction (RNNoise): An AI filter for your microphone. It intercepts the noise of mechanical keys or fans in your PC, sending Discord / Teams a clean voice.
4.5.3 Network Audio
Do you have some amazing speakers connected to your desktop PC, but you are cooking at the other end of the house with your laptop and want Spotify to play on the desktop? PipeWire includes TCP protocol modules for network routing. You don't need any cables.
On the server PC (desktop), load the native protocol module:
pactl load-module module-native-protocol-tcp listen=0.0.0.0 auth-anonymous=1
As written, this listens on every interface and accepts any client without authentication, so load it only on a trusted home network and unload it when you are done. On your laptop (client), tell it not to play locally but to send the raw stream to the server's IP:
PULSE_SERVER=tcp:192.168.1.50 spotify
The audio will be transported bit-perfect, without compression, over your home Wi-Fi. With this level of modularity, Arch Linux gives you the same control as a commercial broadcast chain from the palm of the terminal.
Chapter 5: Package Management, Pacman and the AUR Revolution
If the kernel is the heart of Arch Linux, the package manager is its circulatory system. Unlike Windows, where you browse the web to download .exe installers of dubious origin, in Linux you trust centralized, cryptographically signed repositories. Arch Linux shines exceptionally in this respect thanks to two legendary components: Pacman (the official manager) and the AUR (Arch User Repository, the world's largest community-driven software library).
In this chapter, we will learn to master these tools not as simple users who copy and paste commands, but as system administrators who understand how software is packaged, compiled and deployed.
5.1 Pacman Anatomy and Architecture
pacman is a manager written in C. Unlike the old apt (Ubuntu / Debian), which abstracts dpkg, pacman handles both dependency resolution from remote servers and the installation of local files.
5.1.1 The Package Format (.pkg.tar.zst)
In Arch Linux, a compiled (binary) software package is not black magic. It is simply an archive compressed with the very advanced zstd algorithm (Zstandard, created by Facebook for maximum decompression speed). If you download a package like firefox-125.0-1-x86_64.pkg.tar.zst and decompress it (using tar -I zstd -xf), you will see that it contains only two things:
- The actual directory structure: (e.g. a folder usr/bin/firefox).
- Metadata files (MTREE): Hidden text files (.PKGINFO, .INSTALL) that pacman reads to know what version it is, who built it and what scripts to run when installing or uninstalling it.
When pacman "installs" a package, it literally extracts this folder structure onto the root of your disk and records in its database (/var/lib/pacman/local/) which files belong to which program.
5.1.2 Optimizing pacman.conf
Pacman's behavior is strictly dictated by the file /etc/pacman.conf. Let's set it up like a professional. Open the file:
sudo nano /etc/pacman.conf
Search for and modify the following options in the [options] section:
- Parallel Downloads: Uncomment the line ParallelDownloads = 5. By default, pacman downloads packages one by one. By enabling this, it downloads 5 files at a time, which multiplies the update speed on fiber-optic connections by 5.
- Color: Uncomment Color. The terminal output will be infinitely more legible.
- Easter Egg: Right below Color, write a new line with the word ILoveCandy. This transforms the pacman progress bar (normally hash characters, #) into a Pac-Man eating pills (c-o-o-o).
5.1.3 The Multilib Repository
Arch Linux today is a strictly 64-bit distribution (x86_64). There are no longer base repositories for old 32-bit processors. However, a lot of proprietary software, such as Steam, Wine and emulated Windows games, is still built for 32 bits. To run this software, you must enable the [multilib] repository, which contains libraries (such as lib32-glibc) that allow a 64-bit system to run 32-bit binaries natively. In pacman.conf, go down to the end and uncomment these two lines:
[multilib]
Include = /etc/pacman.d/mirrorlist
Save the file and refresh the repository database so that the changes take effect:
sudo pacman -Sy
(Note: -Sy alone only refreshes the database of which packages exist on the servers; it does not update your local software.)
5.2 Mastering the Pacman Commands (S, Q, R)
Pacman uses main flags in upper case to define the operation, and sub-flags in lower case to refine it.
1. Synchronization operations (-S):
- sudo pacman -Syu: The holy grail of Arch. S (Sync), y (refresh repositories), u (sysupgrade). This command synchronizes the local databases with the servers and immediately updates all installed packages to their latest version. Run it at least weekly. Never use -Sy followed by a loose package installation instead of -Syu; you could cause a partial-upgrade state that will break your system.
- sudo pacman -S paquete: Installs a new program from the official repos.
- pacman -Ss palabra: Searches the remote repositories for packages matching the keyword.
2. Local query operations (-Q):
- pacman -Q: Lists all packages installed on your system with their version.
- pacman -Qe: Lists only the packages you installed "explicitly" (ignoring the dependencies that were installed automatically). Useful to back up what you have installed.
- pacman -Qo /ruta/al/archivo: You see a strange file on your system and don't know which program it came from? This command queries the pacman database to tell you who the file belongs to.
3. Removal operations (-R):
- sudo pacman -R paquete: (Danger!) Removes the package but leaves all the dependencies it brought with it installed, accumulating garbage on your disk (orphans).
- sudo pacman -Rs paquete: (The right way.) Removes the package and, recursively, every dependency of it that is not used by any other program on your system.
- sudo pacman -Rns paquete: Does the same as -Rs but also (n for no-save) deletes the global configuration files (.pacsave) that the program could leave behind in /etc/.
5.3 The AUR (Arch User Repository) and the Build Process (makepkg)
If a piece of software is proprietary (e.g. Google Chrome), niche (e.g. a dark theme for a window manager) or very new, it will not be in Arch's official repositories. However, it is 99.9% guaranteed to be in the AUR.
The AUR does not contain software. No pre-compiled binaries. The AUR is a giant collection of recipes, called PKGBUILDs, written by users like you. A PKGBUILD is a Bash script that contains the exact instructions: where to download the source code from, how to unpack it, how to compile it and how to package it into a .pkg.tar.zst so that pacman can install it.
5.3.1 Manual Build: The Arch Way
Every Arch user must install an AUR package manually at least once in their life to understand the mechanics and the security risks (if someone puts a malicious command in the PKGBUILD, it will run on your machine).
To build, you need the group of development tools (C / C++ compilers, make, automake, patch) and Git:
sudo pacman -S base-devel git
Manual example: install the google-chrome browser (which is closed-source and unofficial).
- Clone the AUR repository:
You must do this as your normal user, NEVER as root.
git clone https://aur.archlinux.org/google-chrome.git
cd google-chrome
- Inspection (mandatory for security):
Open the PKGBUILD file with nano or cat. Read the URLs it downloads from (source=()). Make sure they point to dl.google.com and not to some strange, unknown server.
- Build and install (makepkg):
We run Arch's build tool.
makepkg -si
-s (sync dependencies): If the PKGBUILD requires other packages to compile, makepkg calls pacman to install them first. -i (install): After spending minutes or hours compiling and generating the .pkg.tar.zst, it runs pacman automatically to install the final result.
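As an added example that is not part of the book, here is a small POSIX shell helper that turns the "inspect the PKGBUILD before makepkg" step into a repeatable check: it lists every download URL in the file without sourcing it, compares each host against a domain allow-list passed on the command line (dl.google.com here), and flags any 'SKIP' checksum, which disables integrity verification of that source. The function name, the bitmask exit codes and the sample PKGBUILD (including mirror.example.net) are constructed for this illustration.

```shell
#!/bin/sh
# audit_pkgbuild (hypothetical helper, not part of the book or of makepkg):
# static pre-flight check of a PKGBUILD before you run makepkg.
# It deliberately never sources the file: a PKGBUILD is a shell script and
# sourcing it would execute whatever it contains. Only the text is inspected.
#
# Usage: audit_pkgbuild PKGBUILD allowed_domain [allowed_domain ...]
# Exit status is a bitmask: 0 clean, 1 = a URL host outside the allow-list,
# 2 = a checksum is 'SKIP', 3 = both.
audit_pkgbuild() {
    pkgbuild=$1
    shift
    status=0
    set -f   # no pathname expansion while word-splitting the URL list
    # Every http(s) URL in the file, wherever it appears (source=(), url=, ...).
    for url in $(grep -oE "https?://[^\"' )]+" "$pkgbuild" | sort -u); do
        host=${url#*://}    # strip the scheme
        host=${host%%/*}    # strip the path
        host=${host%%:*}    # strip an explicit port
        ok=0
        for d in "$@"; do
            # exact domain or any subdomain of an allowed domain
            case "$host" in
                "$d" | *."$d") ok=1; break ;;
            esac
        done
        if [ "$ok" -eq 1 ]; then
            printf 'OK       %s\n' "$url"
        else
            printf 'SUSPECT  %s  (host %s is not in the allow-list)\n' "$url" "$host"
            status=$((status | 1))
        fi
    done
    set +f
    # 'SKIP' in a checksum array means that source is downloaded unverified.
    if grep -q "'SKIP'" "$pkgbuild"; then
        printf 'WARN     a checksum is SKIP: that source will not be integrity-checked\n'
        status=$((status | 2))
    fi
    return "$status"
}

# Constructed sample PKGBUILD for demonstration (not a real AUR recipe):
# one expected Google URL, one unexpected mirror, and a SKIP checksum.
demo_dir=$(mktemp -d)
cat > "$demo_dir/PKGBUILD" <<'EOF'
pkgname=google-chrome
pkgver=125.0
source=("https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable_${pkgver}-1_amd64.deb"
        "https://mirror.example.net/extra/post-install.sh")
sha256sums=('0123abcd' 'SKIP')
EOF
audit_pkgbuild "$demo_dir/PKGBUILD" dl.google.com || echo "audit exit status: $?"
rm -rf "$demo_dir"
```

Run it on the cloned directory's PKGBUILD before makepkg; a non-zero status means read the file by hand before building.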
5.4 Automating the AUR: The AUR Helpers (yay / paru)
Doing the manual clone, reading the PKGBUILD and running makepkg every time you want to update an AUR package or look for a new one is torture. To solve this, the community created the AUR helpers. These programs wrap pacman, adding the ability to search, clone and update automatically from the AUR.
The two dominant ones are yay (Yet Another Yogurt, written in Go) and paru (written in Rust, developed by the original creator of yay). Install whichever you prefer; their commands are identical. We'll install yay.
Since yay is itself an AUR tool, paradoxically, the only way to install it for the first time is the manual method.
cd ~
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
5.4.1 Mastering yay
From now on, yay is your best friend. In fact, you can almost stop using pacman entirely, since yay passes all official-repository commands straight to pacman and handles the AUR in the background. Do not use sudo with yay; it will ask for the password to install the package once it has finished compiling it.
- Search and install from both worlds (official + AUR):
yay -S spotify
(Yay will download the PKGBUILD, read it, resolve the dependencies and install it for you.)
- Update the complete system:
The master maintenance command in Arch is now:
yay -Syu
Or even more minimalist: just type yay and press Enter to run the full update. Yay first updates the official Arch packages, then checks for updates to the programs built from the AUR.
5.4.2 Cache Cleaning and Maintenance (paccache)
Arch Linux never erases a downloaded package from the cache. Every time you update the kernel, the old .pkg.tar.zst file remains in /var/cache/pacman/pkg/. Over the years this can occupy tens of gigabytes on your SSD, stealing precious space. This cache is useful for downgrading if an update fails, but you don't need to keep the previous 40 versions of Firefox.
Install the contributed utilities package:
sudo pacman -S pacman-contrib
The paccache tool cleans out all the old packages, by default keeping only the 3 latest versions of each installed program, giving you a safety net without wasting space:
sudo paccache -r
To automate it and forget about it, enable the systemd timer (the modern cron, which we will see in detail in Chapter 10) that comes included:
sudo systemctl enable --now paccache.timer
You have conquered the package system. You understand how pacman manages binaries, and how the AUR expands the available software to infinity through compilation. With these tools, your TTY is ready to evolve; in the next chapter we will jump to the visual layer: the desktop environments and the graphics server.
5.5 Local Repositories: Host Your Own AUR
The vast majority of users consume the AUR, but few understand that pacman is designed to be completely decentralized. You don't have to rely on third-party repositories to install packages; if in your company or in your server cluster (home lab) you need to distribute an internal program, you can forge your own repository.
5.5.1 Forging the Database with repo-add
Imagine you have compiled the custom kernel linux-tkg or an in-house program, generating the file mi-software-1.0-1-x86_64.pkg.tar.zst. For pacman to accept it over the network, you must index it.
- Create a directory that will act as your server:
mkdir -p /var/www/html/mi_repo
# Copy the binary package into the folder
cp mi-software-1.0-1-x86_64.pkg.tar.zst /var/www/html/mi_repo/
- Generate the pacman database. The repo-add command creates a .db.tar.gz file that pacman reads to understand the dependencies:
cd /var/www/html/mi_repo
repo-add mi_repo.db.tar.gz mi-software-1.0-1-x86_64.pkg.tar.zst
- Serve your repository. You can use Nginx (Chapter 14) or, for a quick LAN setup, Python's built-in HTTP module:
python -m http.server 8080
5.5.2 Configuring the Clients
Now, on your laptop (or on any machine that should install the corporate software), edit /etc/pacman.conf and add at the end of the file:
[mi_repo]
SigLevel = Optional TrustAll
Server = http://192.168.1.150:8080
Run sudo pacman -Sy and you will see it download your database; now you can install mi-software with a simple pacman -S mi-software. Keep in mind that SigLevel = Optional TrustAll tells pacman not to require signatures for this repository, so anyone who can tamper with that HTTP server or the traffic to it can feed you arbitrary packages; that is acceptable on a private LAN, but beyond it sign your packages and database and require signatures instead. This is the secret of Manjaro, EndeavourOS and BlackArch: they are simply Arch Linux with extra repositories added to pacman.conf.
5.6 Surgical Packaging (chroot with devtools)
When you write a PKGBUILD and run makepkg on your development machine, there is a catastrophic risk, colloquially called "it works on my machine." If your PKGBUILD compiles correctly, it may be because three months ago you installed a C++ library called boost for another project. Since it is installed on your system, today's build finds it and succeeds. But you forgot to list boost in the PKGBUILD dependencies. When you upload your package to the AUR, thousands of users will try to build it and fail with a "library not found" error because they don't have boost installed.
Arch's official team uses devtools to solve this by guaranteeing the purity of the environment.
5.6.1 Building in Isolation (extra-x86_64-build)
Instead of compiling in your contaminated environment, devtools automatically creates a clean "chroot" with the most primitive base Arch Linux (without libraries, without your settings, without your themes), puts the PKGBUILD inside and compiles it. If your script lacks a dependency, it will fail dramatically, allowing you to hunt down the error.
- Install the package maintenance kit:
sudo pacman -S devtools
- Go to your PKGBUILD folder, but don't run makepkg. Instead, launch the container builder:
extra-x86_64-build
This tool will bring up an immaculate chroot environment in /var/lib/archbuild/, synchronize pacman, resolve the declared dependencies and try to build. The resulting package is predictable and pure, guaranteed to work on any other user's machine.
5.6.2 Cryptographic Signatures (GPG) in Pacman
To avoid man-in-the-middle (MITM) attacks, where a malicious ISP injects malware into packages downloaded from an HTTP mirror, pacman verifies that each package is cryptographically signed by an Arch Linux "master key holder."
The keyring is updated autonomously, but if a developer renews their key, your pacman will fail to update with a signature error (PGP signature error). This is terribly common. The emergency procedure to restore the ring of trust and purge expired keys (resurrecting a broken pacman) is:
sudo rm -rf /etc/pacman.d/gnupg/
sudo pacman-key --init
sudo pacman-key --populate archlinux
sudo pacman -Sy archlinux-keyring
With this level of depth, your relationship with software in Arch Linux has evolved: you are no longer a simple consumer of binaries; you have become an orchestrator capable of building, verifying, signing and distributing software at network scale.
Chapter 6: Desktop Environments and the Graphics Server
In commercial operating systems such as Windows or macOS, the graphical interface is welded to the operating system core. If the graphical shell fails, the entire operating system often collapses (the famous Blue Screen of Death). In Linux, the design philosophy is radically modular. The graphical user interface (GUI) is simply another application (or set of applications) running in user space. You can stop it, swap it for a completely different one, or not use it at all, and your server will keep working undisturbed.
In this chapter, we will build the graphics stack from the foundations (the drivers) to the roof (the interactive desktop environment).
6.1 The Base Layer: Graphics Drivers and Mesa
Before we can draw pixels on the screen, the operating system needs to know how to talk to the graphics processor (GPU). Graphics cards are complex mathematical calculators that do not understand the system's standard commands.
The Linux kernel includes modules (low-level drivers) for the vast majority of hardware. However, to translate the 3D instructions (such as OpenGL or Vulkan) from programs into something the graphics card understands, we use Mesa. Mesa is a colossal free software project that provides open source implementations of the graphics APIs. If you have an AMD (Radeon) or integrated Intel GPU, Mesa is the absolute gold standard; it offers extraordinary performance and native stability.
Install the Mesa stack:
sudo pacman -S mesa
(Note on NVIDIA: If you have a discrete NVIDIA graphics card, its official driver is proprietary and closed. It does not use Mesa for OpenGL. The detailed installation of NVIDIA drivers and their configuration is fully covered in Chapter 8: Gaming. For now, Mesa will give you basic graphics if you use Nouveau, the free NVIDIA driver.)
6.2 The Display Server: Xorg vs Wayland
Once we can communicate with the GPU, we need a master program that manages the physical screen, keyboards and mice and offers a blank canvas for applications to draw their windows on.
6.2.1 The Old King: X Window System (X11 / Xorg)
Developed in 1984 at MIT, X11 has been the standard for almost 40 years. It is a network system (client-server architecture) in which programs (clients) send drawing instructions to the X server.
- Pros: It works everywhere. Thousands of old programs assume its existence. It's highly stable.
- Cons: Its code base is gigantic, archaic and bloated. It lacks basic security isolation (any X11 program can spy on the keys you press in another X11 program, i.e. act as a keylogger). Screen tearing is an intrinsic problem of its design, unless you use a powerful external compositor.
6.2.2 The New Paradigm: Wayland
Wayland is not a server; it is a modern "protocol" that defines how the screen should be drawn. In the Wayland paradigm, the desktop environment (e.g. GNOME or KDE) acts as compositor and server at the same time.
- Pros: It's ridiculously fast and smooth. It completely removes screen tearing by forcing each frame to be complete before sending it to the screen. It is secure by design (a Wayland program cannot see another program's window without asking the user for permission through security portals). It handles monitors with different refresh rates (e.g. one at 144 Hz and one at 60 Hz) and different scaling (DPI) without glitches, something that breaks X11 completely.
- Cons: Some very specific or old applications (such as screen capture software designed only for X11) still require compatibility through a bridge called Xwayland.
The Verdict in Arch Linux: Wayland is the present and the future. All the modern desktop environments we are going to explore support Wayland by default.
6.3 The Display Manager
A Display Manager (DM), also known as a login manager, is the first graphical interface you see when you start your machine. Its job is to show you a pretty screen, ask for your password, authenticate you through the PAM modules (Pluggable Authentication Modules) and, if the login succeeds, start the desktop environment with your user's permissions.
Although technically you could log in from the black console and type startx or start Wayland by hand, a DM is indispensable for a modern desktop experience. The most professional DMs are:
- SDDM (Simple Desktop Display Manager): The one recommended for KDE Plasma. Modern, Qt-based, with experimental support for running natively under Wayland.
- GDM (GNOME Display Manager): The GNOME standard. Extremely polished, integrated into the GNOME suite, but heavy.
- LightDM: The historical standard for light desktops (such as XFCE). It uses X11 under the hood and is incredibly fast.
The Display Manager is installed together with the desktop environment, as each environment usually requires its own for optimal screen-lock integration.
6.4 Desktop Environments: Installation and Architecture
A Desktop Environment (DE) is a massive set of software (the window manager, control panel, file explorer, calculators, image viewers) designed to work in harmony. In Arch, we install metapackages (packages that contain no software themselves, but contain lists of dependencies to download the whole ecosystem at once). Choose only one for your initial installation.
6.4.1 KDE Plasma (The Customizable Colossus)
Developed in C++ using the Qt framework, KDE Plasma is famous for being the most customizable desktop in the Linux world. Ironically, despite being visually dazzling, recent versions have optimized memory (RAM) use to levels that rival the traditional light desktops. Plasma leads the adoption of Wayland.
Installation:
# Install Plasma, the SDDM manager and the base KDE applications (Dolphin, Konsole)
sudo pacman -S plasma-meta kde-applications-meta sddm
Enabling: We must tell systemd to start the login screen (SDDM) on the next boot:
sudo systemctl enable sddm.service
6.4.2 GNOME (The Modern Paradigm)
GNOME (developed in C using GTK) takes a different route. Inspired by macOS, it eliminates the traditional taskbar, the concept of minimizing windows and the icon desktop in favour of a workflow based on dynamic workspaces and a central activities overview. It's the default desktop in Fedora and Ubuntu Enterprise. GNOME is intentionally rigid: its developers believe that a carefully curated design should not be indiscriminately altered.
Installation:
sudo pacman -S gnome gnome-extra gdm
Enabling:
sudo systemctl enable gdm.service
6.4.3 XFCE (The Immortal Classic)
XFCE is the king of stability and low consumption. If you are reviving a 2012 laptop or just want your environment to never change, XFCE (GTK-based) is your choice. It still uses X11 and does not support Wayland.
Installation:
sudo pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter
Enabling:
sudo systemctl enable lightdm.service
6.5 Typography and Font Rendering (Fontconfig)
An extremely common mistake among Arch Linux novices is to install a desktop and notice that web pages look "square" or broken, or that applications look like something from the 1990s. Why does this happen? Ubuntu or Manjaro install hundreds of fonts by default. Arch Linux installs no fonts by default (KISS). If a web browser tries to render the Arial typeface and your system does not have Arial (nor a configured equivalent replacement), the screen will display illegible boxes or the most basic font available.
6.5.1 Installing Base Fonts
The Linux font rendering engine consists of FreeType2 and Fontconfig. To feed this engine, we must install a robust typographic library:
# Free fonts, emoji support, and Korean/Japanese/Chinese (CJK) fonts to avoid broken characters on the web
sudo pacman -S ttf-dejavu ttf-liberation noto-fonts noto-fonts-emoji noto-fonts-cjk
6.5.2 Microsoft Fonts (Core Fonts)
Regardless of your ideological stance on free software, the modern web was built assuming that users have the Windows fonts (Arial, Times New Roman, Comic Sans, Trebuchet). Many PDF documents from companies or universities are deformed on Linux if you open the file in LibreOffice and the system cannot find "Times New Roman." Since these fonts are under a Microsoft license, they cannot be in the official Arch repositories, but you can (and should) install them through the AUR:
yay -S ttf-ms-fonts
Once installed, you can refresh the font cache manually (although the package manager usually does it) with the command:
fc-cache -fv
6.5.3 Cursor and Icon Themes
Finally, to give the desktop cohesion (especially outside GNOME, which brings its own tightly integrated ones), it is recommended to install complete icon packages. The modern gold standard is papirus-icon-theme.
sudo pacman -S papirus-icon-theme
Your machine is ready. A simple command, reboot, will take you for the first time out of the abyss of the pure terminal. You will be greeted by your DM's login screen. When you enter your password, the magic will happen, and your Arch Linux graphical workstation will come to life with a performance that users of generic operating systems rarely experience.
6.6 Underlying Infrastructure: DBus and XDG Desktop Portals
When we moved from the archaic X11 (where any program had implicit administrator permission over the screen) to Wayland (where everything is isolated, or sandboxed), a massive engineering problem arose: how does a program like OBS Studio record your screen if the Wayland compositor (the security gatekeeper) explicitly forbids it?
The answer is: XDG Desktop Portals. These portals are standardized API interfaces (independent of whether you use GNOME, KDE or Hyprland) that applications use to "ask permission" from the user via the system bus (DBus).
6.6.1 Screen Sharing Architecture
So that you can share your screen in Google Meet or Discord under Wayland, the web application uses the WebRTC standard. WebRTC sends a DBus request asking for access to the screen. The "portal" intercepts it and draws a native window from your desktop asking: "Firefox is asking to record Monitor 1. Do you accept?"
If you have a pre-built desktop like GNOME, this is already installed. But if you built your system by hand, you must install the portal backend for your environment:
# For KDE Plasma:
sudo pacman -S xdg-desktop-portal-kde
# For Hyprland:
sudo pacman -S xdg-desktop-portal-hyprland
In addition, you need the "base" portal that acts as a router, and the compatibility layer for GTK applications (like Firefox):
sudo pacman -S xdg-desktop-portal xdg-desktop-portal-gtk
Once installed, if you run OBS Studio and add a capture source, you will not choose "XSHM Capture" but Screen Capture (PipeWire). PipeWire, as we saw in Chapter 4, not only routes audio but also carries the raw video stream directly from the compositor to OBS at 60 FPS without loss of quality or latency.
6.6.2 DBus: The Desktop's Nervous System
DBus is the system's message bus. If your laptop's battery runs low (10%), the kernel sends a signal. DBus picks it up, finds out which program is listening for power events (your desktop environment) and hands it the message so it can paint a red warning on your screen. You can inspect this traffic in real time using audit tools:
# Install a visual DBus tool
sudo pacman -S d-spy
You will see that each program (Spotify, Firefox, the network manager) publishes objects on the DBus network. An advanced hacker or sysadmin can inject messages on DBus with the dbus-send command to pause the music, lock the screen or force the system to sleep without touching the graphical interface.
6.7 Hardware Video Acceleration (VA-API)
One of the most silent and destructive failures of a bad Arch Linux installation is software rendering in browsers. If you play a 4K video on YouTube and notice that your laptop heats up like an oven and the fans spin at maximum, your browser is not using your GPU's dedicated video decoder. It is using raw CPU (software rendering) to compute every pixel of the video.
The standard Linux API to decode H.264, VP9 or AV1 video using the graphics card is called VA-API (Video Acceleration API).
6.7.1 Enabling Intel and AMD GPUs
# For modern Intel processors (Broadwell or newer)
sudo pacman -S intel-media-driver
# For AMD Radeon
sudo pacman -S libva-mesa-driver
To check whether your hardware can decode, install the libva utilities:
sudo pacman -S libva-utils
vainfo
The output will spit out dozens of profiles (e.g. VAProfileVP9Profile0). If it shows VAEntrypointVLD, the hardware supports full decoding.
6.7.2 Forcing Acceleration in Firefox and Chromium
Despite having the drivers, Linux browsers disable them by default for fear of causing crashes on defective hardware.
- In Firefox: Type about:config in the address bar. Look for media.ffmpeg.vaapi.enabled and change it to true. Also look for gfx.webrender.all and set it to true.
- In Chromium / Chrome: Open chrome://flags. Look for Hardware-accelerated video decode and set it to Enabled.
Play a 4K video. Your CPU load will go from 80% to 3%, and your battery will last 4 hours longer.
6.8 Color Management and ICC Profiles (colord)
If you are a photographer, graphic designer (using Darktable or GIMP) or video editor in DaVinci Resolve, you know that the monitor lies. A red on your screen is not the standard red of print. To correct this, hardware colorimeters (such as the X-Rite i1Display) are used to generate .icc color profile calibration files.
Linux has a central daemon for color management called colord.
sudo pacman -S colord
In environments like GNOME, color management is natively integrated into the control panel. Select your monitor, load your .icc file and GNOME automatically adjusts the GPU's gamma curves (LUT).
In Wayland, color management is a protocol under extremely active development. Professional compositors (those implementing the Wayland Color Management Protocol) ensure that 10-bit HDR (High Dynamic Range) color is not modified by XWayland or altered on its way to the monitor, allowing more accurate film-grade editing on Arch Linux.
Chapter 7: Advanced Window Managers and the Art of Ricing
While KDE and GNOME (Chapter 6) provide the comfort of an all-inclusive hotel, many advanced users, programmers and UNIX enthusiasts find the traditional desktop environments slow and limiting. The radical alternative is to use a standalone Window Manager.
In traditional desktops the windows are "floating" (stacking); you can drag them, resize them with the mouse and hide them behind one another. Advanced window managers use the tiling philosophy. In tiling, the window manager mathematically calculates the space of your monitor and divides the windows into a perfect mosaic that occupies 100% of the useful space without overlaps. You navigate, close and move the windows only with keyboard shortcuts. The mouse becomes optional. At first the learning curve is steep, but once your muscle memory assimilates the shortcuts, productivity skyrockets (and RAM consumption drops from gigabytes to a mere 200MB).
7.1 Tiling Managers in X11 (The Old School)
If you want to maintain maximum compatibility with old software, or if your hardware suffers under the new Wayland protocol, the tiling WMs on X11 are your playing field.
7.1.1 i3wm: The Binary Tree
i3 (and its successor i3-gaps) is the most famous tiling WM in Linux history. Its mental model is based on a tree. When you open a terminal, it occupies the whole screen. If you open a browser, the screen is split in two (50% and 50%). The genius of i3 is that its configuration file is incredibly legible plain text, requiring no programming knowledge.
Installation:
sudo pacman -S xorg-server xorg-xinit i3-wm i3status dmenu alacritty
xinit allows you to start the graphical environment without a heavy display manager (SDDM). dmenu is a minimalist launcher that runs programs when you type their name. alacritty is a modern, ultra-fast terminal emulator (written in Rust and GPU-accelerated).
Initial i3 configuration: To start it, create a hidden file in your user's home directory called .xinitrc.
echo "exec i3" > ~/.xinitrc
From the TTY, type startx. On the first boot, i3 will generate your master configuration file in ~/.config/i3/config. You will be asked to choose the modifier key (ModKey), which is usually the "Windows / Super" or "Alt" key. From there, Mod+Enter opens terminals, Mod+d opens the menu and Mod+Shift+q closes windows.
7.1.2 bspwm: The Paradigm of Empty Containers
While i3 handles the splits for you based on the active focus, bspwm (Binary Space Partitioning Window Manager) separates the window manager from the keyboard shortcuts. bspwm only manages the windows; you use a separate daemon called sxhkd to capture your keys and send it commands. It is the preferred option for extreme "ricers" on X11 because of its programmatic malleability through bash scripts.
7.2 Wayland Compositors: Hyprland (The Immersive Future)
In X11 you used picom (a separate daemon) to add shadows, transparency and rounded corners to i3wm. This often produced lag and screen tearing. In Wayland, the window manager is the compositor (all in one), which allows animations as fluid as those of a high-end smartphone (a real 120 Hz).
Hyprland is the dynamic Wayland compositor that has shaken up the community. It was originally built on wlroots (the backend created by the authors of the Sway compositor), heavily modified in C++ to prioritise visual aesthetics (glassmorphism, animations with customisable Bézier curves, rich shadows and real-time Gaussian blur behind your terminal); recent releases use Hyprland's own backend instead of wlroots.
7.2.1 Installing the Hyprland Stack
Unlike i3, installing Hyprland requires components written for Wayland (dmenu or the X11 wallpaper tools will not work).
sudo pacman -S hyprland kitty waybar wofi hyprpaper dunst
kitty: GPU-accelerated terminal emulator with excellent Wayland support (Alacritty also works). waybar: the highly customisable top status bar. wofi: a Wayland-native application launcher. hyprpaper: a fast wallpaper utility for Hyprland. dunst: the notification daemon that draws the pop-ups on screen.
Starting Hyprland: as with i3, you do not need a display manager (SDDM). From the TTY, simply type:
Hyprland
and you will be greeted by a glass-like environment with elastic animations and native Wayland integration.
7.3 The Art of "Ricing" and Dotfile Configuration
Taking a minimalist system (i3wm or Hyprland) and meticulously configuring every text file, font, bar spacing and hexadecimal colour to create a unified, spectacular themed desktop is called "ricing" (jargon borrowed from extreme cosmetic car modification, "rice"). A "riced" system is a reflection of the technical soul of its user.
The files you handle for this art are known as dotfiles, because in Linux any folder or file whose name starts with a dot (.) is hidden (e.g. .config/).
7.3.1 Anatomy of hyprland.conf
In Hyprland, your life revolves around ~/.config/hypr/hyprland.conf. Unlike XML or JSON, it is a sequential text file that the compositor reads on the fly: you can edit the file and see the changes reflected instantly, without reloading. (Keys do move between releases; recent versions, for example, group shadow settings into a decoration:shadow block, so check hyprctl version and the wiki for your release.)
Example of how a "ricer" would adjust the general aesthetic:
general {
    gaps_in = 5            # inner gap between windows
    gaps_out = 20          # outer gap to the monitor edges
    border_size = 2
    col.active_border = rgba(33ccffee) rgba(00ff99ee) 45deg   # rainbow gradient border
    col.inactive_border = rgba(595959aa)
}
decoration {
    rounding =  10         # rounded corners, Apple/Windows 11 style
    blur {
        enabled = true     # translucent glass effect behind windows
        size = 8
        passes = 3         # deep, heavy Gaussian blur
    }
    drop_shadow = yes
    shadow_range = 4
}
7.3.2 Nerd Fonts (Icons in Text)
If you open waybar or look at the terminal configuration of advanced users, you will see weather icons, hard-drive and WiFi logos embedded directly in the text. How do they do it without images? The answer is Nerd Fonts: popular programming fonts (JetBrains Mono, Fira Code, Hack) patched to inject thousands of vector icons from Font Awesome, Material Design and Devicons.
For a spectacular terminal and status bar, install the Nerd Fonts packages (many moved into the official repositories recently):
sudo pacman -S ttf-nerd-fonts-symbols ttf-jetbrains-mono-nerd ttf-fira-code-nerd
Then tell your terminal (~/.config/kitty/kitty.conf) to use that font:
font_family JetBrainsMono Nerd Font
bold_font auto
italic_font auto
font_size 12.0
7.3.3 Waybar: The Programmable Toolbar
Waybar is the standard bar on Wayland. Its modules (clock, RAM usage, battery, Hyprland workspaces) are laid out in a JSON file with comments (~/.config/waybar/config) and styled with CSS (~/.config/waybar/style.css). This lets web developers build bars identical to macOS's, or futuristic interfaces, without learning a new language.
You can create custom modules that run a shell script on an interval (say every 10 seconds) to fetch information from the Internet (the price of Bitcoin, the temperature in your city) and print it on the bar, giving the system unlimited versatility. Remember that such scripts run with your user's full privileges every time the bar polls them: keep them small, never feed fetched web content to eval, and never put API keys straight into a config file that will end up in your public dotfiles.
7.4 Version Control for Dotfiles (GNU Stow)
Once you have spent three weeks designing the perfect desktop and your hyprland.conf, waybar scripts and kitty shortcuts are a unified work of art, you face a problem: if your disk dies, you lose months of micro-adjustments. Professionals keep a public backup of their dotfiles on GitHub (search "Hyprland dotfiles" on GitHub and you will find thousands).
But how do you sync an isolated folder like ~/.config/hypr/ and another like ~/.config/waybar/ into a single Git repository without dragging along secrets (such as browser profiles with saved passwords, which also live under .config)?
The hacker solution par excellence is GNU Stow (a symlink farm manager).
- Install Stow:
sudo pacman -S stow
- Create a central repository folder, e.g. ~/MisDotfiles.
- Inside it, replicate the structure relative to your home directory, one "package" per subfolder:
~/MisDotfiles/hyprland/.config/hypr/hyprland.conf
- Run, from any directory:
stow hyprland -t ~ -d ~/MisDotfiles
Stow creates symbolic links from the real locations in your home directory into the repository. Now you can git init inside ~/MisDotfiles, push it to the cloud and, when you install Arch on a new laptop, just clone the repo and run stow * from inside it (the target defaults to the parent directory, i.e. your home) so your whole environment is reassembled in seconds. Two caveats: Stow refuses to overwrite files that already exist in the target (remove or back them up first), and if ~/.config does not exist yet, Stow "folds" it into a single symlink to the repository, after which every application that writes into ~/.config writes into your repo (secrets included); use stow --no-folding to link file by file instead.
This is the real power of Arch Linux: the operating system is not a black box; it is flat text at your service.
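Before the first git push, check what you are about to publish. The script below is an added example written for this section (it is not part of the book or of GNU Stow): it scans a dotfiles tree for files that must never leave the machine and for lines that look like credentials, and fails so a git pre-commit hook can block the commit. The token shapes and file names it looks for are assumptions; extend them for your own setup.

```bash
#!/usr/bin/env bash
# Pre-commit secret scan for a dotfiles repository.
# Added example for this chapter, not part of the book or of GNU Stow.
# The token patterns and "never publish" file names below are assumptions: extend them.
set -eu

# scan_dotfiles DIR: prints every suspicious file/line; returns 0 if clean, 1 if anything was found.
scan_dotfiles() {
    dir="$1"
    found=0
    # 1. Files that must never be published, whatever they contain.
    if find "$dir" -type f \( -path '*/.ssh/id_*' -o -path '*/.gnupg/*' \
            -o -name '.netrc' -o -name '*.pem' -o -name '*.kdbx' -o -name 'Login Data' \) \
            -print | grep .; then
        found=1
    fi
    # 2. Content that looks like a credential (text files only, .git excluded).
    if grep -r -E -I -n --exclude-dir=.git \
            -e 'AKIA[0-9A-Z]{16}' \
            -e 'ghp_[A-Za-z0-9]{36}' \
            -e 'BEGIN (RSA |OPENSSH |EC |PGP )?PRIVATE KEY' \
            -e '([Pp]assword|[Tt]oken|[Ss]ecret)[[:space:]]*[=:][[:space:]]*[^[:space:]]+' \
            "$dir"; then
        found=1
    fi
    return "$found"
}

# Usage: scan-dotfiles.sh ~/MisDotfiles   (or install as .git/hooks/pre-commit and call it with ".")
if [ -n "${1:-}" ]; then
    if scan_dotfiles "$1"; then
        echo "clean: safe to commit"
    else
        echo "secrets found above: do NOT commit" >&2
        exit 1
    fi
fi
```

Save it as .git/hooks/pre-commit inside ~/MisDotfiles (with scan_dotfiles . as the call) and a commit that contains a key or a browser credential store is refused before it ever reaches GitHub.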
7.5 Inter-Process Communication (IPC) and Absolute Control
The ultimate feature that separates a tiling window manager (Hyprland, bspwm) from a monolithic environment (such as Windows) is IPC (Inter-Process Communication). The window manager opens a UNIX socket through which any script on your PC can send it commands instantly. Note the flip side: anything running as your user, including a compromised program, can drive your windows through that socket, which is why it lives in a directory only your user can read.
7.5.1 Mastering hyprctl
In Hyprland, the command-line tool is hyprctl. From any terminal, you can order the compositor to perform concrete actions.
- Move to workspace 5:
hyprctl dispatch workspace 5
- Toggle floating on the current window:
hyprctl dispatch togglefloating
- Launch a specific application:
hyprctl dispatch exec firefox
The real magic happens when you ask for information. If you run:
hyprctl clients -j
Hyprland prints a large, structured JSON block with the exact X/Y coordinates, PID, size and state of every window on your screen. A bash or Python developer can parse that JSON (with jq) and write a script that, for example, detects whether Spotify is open and automatically moves it to monitor 2, resizing it to 30% of the width.
7.5.2 Event Hooks
Instead of asking "what is going on", you can wire yourself directly into the compositor so it reports to you in real time (event-driven). Hyprland streams all its events to a UNIX socket: in current releases it is $XDG_RUNTIME_DIR/hypr/$HYPRLAND_INSTANCE_SIGNATURE/.socket2.sock (older releases used /tmp/hypr/$HYPRLAND_INSTANCE_SIGNATURE/.socket2.sock).
We can use socat to listen to this constant stream of data:
sudo pacman -S socat
socat -U - UNIX-CONNECT:$XDG_RUNTIME_DIR/hypr/$HYPRLAND_INSTANCE_SIGNATURE/.socket2.sock
Leave it running and, whenever you change window or close a program, you will see lines appear live (e.g. activewindow>>firefox,Mozilla Firefox). Ricers use this to make their top bar (waybar) react within milliseconds, changing icon colours as the user moves between workspaces.
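The following script is an added example (not from the book or the Hyprland project) that ties the two ideas above together: instead of polling hyprctl clients -j, it reads the event stream and applies the "Spotify goes to the second monitor at 30% width" rule the moment an openwindow event arrives, using hyprctl dispatch. The event field order (address,workspace,class,title), the bare-hex address in events, the movetoworkspacesilent and resizewindowpixel dispatcher syntax and the socket location are as understood from the Hyprland IPC documentation and should be checked against your release; TARGET_WS=2 is assumed to be a workspace bound to your second monitor.

```bash
#!/usr/bin/env bash
# Event-driven window policy for Hyprland's .socket2 stream.
# Added example; event formats, dispatcher syntax and socket path are assumptions to verify
# against your Hyprland version (see the IPC page of the wiki).
set -eu

TARGET_WS="${TARGET_WS:-2}"   # workspace that lives on your second monitor (assumed)

# plan_for_event LINE: prints the hyprctl arguments to run for one event line
# (one command per line; nothing when no rule matches).
plan_for_event() {
    line="$1"
    event="${line%%>>*}"
    data="${line#*>>}"
    case "$event" in
        openwindow)
            # openwindow>>ADDRESS,WORKSPACENAME,CLASS,TITLE (the title may itself contain
            # commas, so only the first three fields are split off)
            addr="${data%%,*}"; rest="${data#*,}"
            rest="${rest#*,}"          # drop WORKSPACENAME
            class="${rest%%,*}"
            addr="0x${addr#0x}"        # events carry the address without 0x; dispatchers want it
            case "$class" in
                [Ss]potify)
                    printf 'dispatch movetoworkspacesilent %s,address:%s\n' "$TARGET_WS" "$addr"
                    printf 'dispatch resizewindowpixel exact 30%% 100%%,address:%s\n' "$addr"
                    ;;
            esac
            ;;
    esac
}

# listen: attach to the live socket and execute whatever plan_for_event decides.
listen() {
    sock="${XDG_RUNTIME_DIR:-/tmp}/hypr/${HYPRLAND_INSTANCE_SIGNATURE:?run this inside a Hyprland session}/.socket2.sock"
    socat -U - "UNIX-CONNECT:$sock" | while IFS= read -r line; do
        plan_for_event "$line" | while IFS= read -r args; do
            # shellcheck disable=SC2086  # args is deliberately word-split into hyprctl arguments
            hyprctl $args >/dev/null
        done
    done
}

# Usage: ./hypr-events.sh --listen   (start it from hyprland.conf with exec-once)
if [ "${1:-}" = "--listen" ]; then
    listen
fi
```

Other events (workspace, activewindow, closewindow) are handled the same way: add a case branch that prints the hyprctl arguments, or, for a bar, a pkill -RTMIN+N waybar to trigger a custom module's signal. Keeping the policy in plan_for_event, separate from the socket loop, is what makes it testable without a running compositor.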
7.5.3 Daemonisation (systemd User Services in WMs)
In a traditional DE, the session autostarts your notification daemon and your wallpaper. In a bare tiling WM, you must start them yourself. The rookie mistake is to write lines like exec-once = dunst in the configuration file: if the program crashes, nothing restarts it.
The expert way is to delegate the desktop tools to your systemd user instance (Chapter 10). Create units such as ~/.config/systemd/user/waybar.service and ~/.config/systemd/user/hyprpaper.service. The window manager only draws the screen; systemd monitors, restarts and logs every piece of your rice, giving it industrial stability. The one prerequisite is that the user instance must know about the session (WAYLAND_DISPLAY, HYPRLAND_INSTANCE_SIGNATURE), so Hyprland has to import those variables with systemctl --user import-environment before the units are started.
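As an added example (not from the book or from Hyprland), here is a small installer for those units. hyprland-session.target is a name chosen here, modelled on the sway-session.target pattern from the Arch wiki: Hyprland does not ship such a target, so hyprland.conf has to import the session environment and start it (the two exec-once lines in the note below).

```bash
#!/usr/bin/env bash
# Generate systemd user units that supervise desktop tools under a tiling WM.
# Added example. "hyprland-session.target" is a name chosen here (Hyprland ships no such
# target); the pattern mirrors the sway-session.target approach.
set -eu

# wm_tool_unit NAME COMMAND: a service bound to the session target, restarted if it crashes.
wm_tool_unit() {
    name="$1" cmd="$2"
    cat <<EOF
[Unit]
Description=$name for the Wayland session
PartOf=hyprland-session.target
After=hyprland-session.target

[Service]
Type=simple
ExecStart=$cmd
Restart=on-failure
RestartSec=1

[Install]
WantedBy=hyprland-session.target
EOF
}

# session_target_unit: the target Hyprland starts once it has exported its environment.
# Binding it to graphical-session.target lets units written for any compositor hook in too.
session_target_unit() {
    cat <<'EOF'
[Unit]
Description=Hyprland compositor session
BindsTo=graphical-session.target
Wants=graphical-session-pre.target
After=graphical-session-pre.target
EOF
}

# install_units DIR: write the target and the services into DIR (normally ~/.config/systemd/user).
install_units() {
    dir="$1"
    mkdir -p "$dir"
    session_target_unit > "$dir/hyprland-session.target"
    wm_tool_unit waybar /usr/bin/waybar > "$dir/waybar.service"
    wm_tool_unit hyprpaper /usr/bin/hyprpaper > "$dir/hyprpaper.service"
}

# Usage: ./wm-units.sh --install
if [ "${1:-}" = "--install" ]; then
    install_units "${XDG_CONFIG_HOME:-$HOME/.config}/systemd/user"
    systemctl --user daemon-reload
    systemctl --user enable waybar.service hyprpaper.service
fi
```

Then add two lines to hyprland.conf: exec-once = systemctl --user import-environment WAYLAND_DISPLAY HYPRLAND_INSTANCE_SIGNATURE XDG_CURRENT_DESKTOP, followed by exec-once = systemctl --user start hyprland-session.target. Because the services are PartOf the target, stopping the target at logout stops them too; Restart=on-failure brings a crashed bar back within a second, and journalctl --user -u waybar shows its output. (dunst is not generated here because its package already ships a D-Bus-activated user unit.)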
7.6 HiDPI Pitfalls and Multi-monitor Solutions
If you have a 1080p monitor and a 4K monitor side by side, you have entered territory where Windows and macOS traditionally suffer and where X11 fails badly. In X11, all attached displays together form a single "X Screen". You cannot tell X11 that the 4K monitor should be scaled 200% and the 1080p one 100%: either the 4K windows look tiny or the 1080p windows look giant.
Wayland, thanks to its modern architecture (DRM/KMS), treats each screen as an independent canvas with its own buffer and scale factor.
7.6.1 Fractional Scaling in Wayland
If you have a 1440p (2K) monitor, 100% scaling makes the text small and 200% makes it absurdly large. You need 150% (fractional scaling). In your compositor's configuration (e.g. Hyprland's hyprland.conf):
# Monitor 1 (4K) at 144 Hz, scaled 200%
monitor=DP-1,3840x2160@144,0x0,2
# Monitor 2 (1440p) at 60 Hz, to the right, scaled 150% (the 4K panel is 1920 logical pixels wide at 2x)
monitor=HDMI-A-1,2560x1440@60,1920x0,1.5
XWayland warning: old applications that do not speak Wayland (some games, old Electron builds) run through XWayland. When Wayland scales fractionally (1.5), XWayland clients are told "draw at normal resolution" and the compositor then stretches the bitmap by 150%, which looks blurry. To avoid it, force your applications (Firefox, VS Code, Discord) to use their native Wayland backends; for those that cannot, Hyprland's xwayland { force_zero_scaling = true } renders them unscaled so you can scale them from the application side instead.
For Electron applications (VS Code, Discord), launch them with the magic flags:
code --enable-features=UseOzonePlatform --ozone-platform=wayland
The text stops being blurry and is rendered crisply by your GPU. For Electron apps packaged by Arch you can put those flags in ~/.config/electron-flags.conf instead, and recent Electron releases also honour ELECTRON_OZONE_PLATFORM_HINT=auto.
7.6.2 Headless Virtual Monitors (Software KVM)
An advanced trick: if you have a powerful laptop with a broken screen, or an Arch server in a closet, Wayland can create a monitor that does not physically exist. With an IPC command (hyprctl output create headless), the compositor allocates a 4K framebuffer in memory.
Then you can use a remote desktop protocol (Sunshine/Moonlight or wayvnc) to capture that invisible buffer and stream it over the local network to your iPad, smart TV or lightweight laptop. You get 100% of the server's GPU (playing triple-A games in ultra quality) while a low-power device in the living room receives the compressed video in real time. Treat that stream as a full login session: only expose Sunshine or wayvnc on a trusted network or through a VPN, since whoever connects gets your desktop.
This architecture turns any Arch Linux machine into a private cloud gaming server.
Chapter 8: Gaming and Extreme Graphics Performance
In the last decade, Linux has gone from being a wasteland for gaming to being the base platform of the most successful handheld console (the Steam Deck). Arch Linux, thanks to its rolling-release model, is arguably the best distribution for games: you get the latest kernel and the latest graphics drivers as soon as hardware manufacturers release them, which brings large FPS (frames per second) improvements for day-one titles.
In this chapter we dissect the graphics drivers, the Proton translation layer and the performance utilities that can make a game run better on Arch than on Windows.
8.1 Kernel-level Graphics Drivers (KMS/DRM)
To game seriously, the default open-source Mesa stack is not always enough on its own: you need the 32-bit libraries and the Vulkan driver, and on NVIDIA a different choice altogether.
8.1.1 AMD Architecture (Radeon)
If you have an AMD card, you are in Linux paradise. AMD keeps its drivers open source and invests heavily in the kernel. There are two kernel modules for AMD: the obsolete radeon and the modern amdgpu. Make sure the [multilib] repository is enabled (as we saw in Chapter 5) and install AMD's Vulkan implementation (RADV), provided by Mesa:
sudo pacman -S mesa lib32-mesa vulkan-radeon lib32-vulkan-radeon
Technical note: RADV (Radeon Vulkan) is the open-source implementation that Valve sponsors. AMD's official one is amdvlk, but RADV consistently offers better performance and lower latency in games.
8.1.2 NVIDIA Architecture (Proprietary Drivers and DKMS)
NVIDIA has historically provided poor open-source support (the free nouveau driver is useless for modern gaming because NVIDIA locked the clock frequencies on recent cards). On Arch, you install NVIDIA's proprietary driver; since 2022 NVIDIA also publishes open-source kernel modules for Turing and newer GPUs (nvidia-open, nvidia-open-dkms), but the userspace remains closed either way.
The kernel update problem: when you install the standard nvidia package, it is precompiled only and exclusively for the official kernel (linux). If you use a custom kernel like linux-zen (or the LTS kernel, for which Arch ships nvidia-lts) and pacman updates that kernel, your NVIDIA driver breaks and you get a black screen on reboot. The professional solution: DKMS (Dynamic Kernel Module Support) rebuilds the NVIDIA module every time pacman installs a kernel, whichever kernel you use, provided the matching headers package (linux-zen-headers, linux-lts-headers, ...) is installed.
Install the proprietary stack with DKMS:
sudo pacman -S nvidia-dkms nvidia-utils lib32-nvidia-utils
Enable DRM modesetting (critical for Wayland and anti-tearing): for NVIDIA to behave under modern compositors such as Hyprland or GNOME Wayland, and to avoid tearing in X11, enable the KMS parameter in the kernel. Open /etc/default/grub, look for the line GRUB_CMDLINE_LINUX_DEFAULT and add nvidia-drm.modeset=1:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet nvidia-drm.modeset=1"
Rebuild GRUB with sudo grub-mkconfig -o /boot/grub/grub.cfg and reboot.
8.2 The Proton Revolution and the Translation APIs (DXVK/VKD3D)
The vast majority of big-budget commercial games are written for DirectX, Microsoft's closed, Windows-only graphics API. A DirectX game does not know how to talk to Linux or to its native API, Vulkan.
Enter Proton, a heavily modified Wine distribution funded by Valve. Proton intercepts the game's DirectX calls in real time and translates them into Vulkan instructions through two translators:
- DXVK: translates DirectX 9, 10 and 11 to Vulkan.
- VKD3D-Proton: translates the far more complex DirectX 12 to Vulkan.
Thanks to Vulkan's efficiency and to Linux having fewer background processes than Windows (less overhead), the translation often costs only a small performance penalty and, in many cases, the translated game runs better than the original on Windows.
8.2.1 Installing Steam and Configuring Proton
Steam on Linux is a native application, but most games are not.
sudo pacman -S steam ttf-liberation
Start Steam, log in and go to Settings > Compatibility. Tick:
- Enable Steam Play for supported titles.
- Enable Steam Play for all other titles (lets you run any Windows game).
- Select "Proton Experimental" or the latest stable numbered version as your default compatibility tool.
Steam will ask you to restart. Now the "Install" button is enabled for every game in your library, regardless of its original operating system.
8.2.2 Games outside Steam: Lutris and Heroic
For games from Epic Games, GOG, Amazon Games or .exe installers, Steam is no use to you.
- Lutris: the definitive Linux game manager. It runs community-made scripts that download obscure Windows dependencies (old C++ runtimes, fonts) so a game works with one click.
sudo pacman -S lutris
- Heroic Games Launcher: the unofficial (and far better) open-source client for Epic Games and GOG. It downloads and installs games and lets you inject custom Proton builds (such as Proton-GE, maintained by GloriousEggroll, which bundles media codecs Valve cannot ship for legal reasons).
yay -S heroic-games-launcher-bin
As with any AUR package, read the PKGBUILD before building: a -bin package simply repackages an upstream binary, so what you install is only as trustworthy as the URL and checksum in that file.
8.3 Maximising Performance (FPS) and Tool Injection
In Linux you have absolute control over your hardware resources. The community has developed tools (used heavily on the Steam Deck) to wrap games, trick them and squeeze out the last hertz of the CPU.
8.3.1 Feral GameMode
GameMode is a system daemon that, when a game starts, raises the priority of the game process, switches the CPU governor to "performance" (so cores do not clock down to save power), disables screensavers and can even run custom scripts (such as turning off an X11 compositor). When you close the game, it returns the system to its normal state. The game's library talks to the gamemoded daemon over D-Bus; the daemon does the privileged work.
Installation:
sudo pacman -S gamemode lib32-gamemode
To use it with a Steam game, right-click the game > Properties > Launch Options and add:
gamemoderun %command%
8.3.2 Gamescope (The Micro-compositor)
A common problem when gaming on Linux is that the game tries to change the resolution of the whole monitor (wrecking the desktop) or that the mouse escapes to a second monitor mid-combat. Gamescope creates an isolated window (a nested Wayland server) that makes the game believe it is the only thing that exists. Gamescope is brilliant because it includes FSR (FidelityFX Super Resolution) at system level: you can tell it to render a demanding game internally at 720p and upscale it with FSR (a spatial upscaler, not AI) to 1440p or 4K on your monitor. The game thinks it is running at 720p and gives you far more FPS, while you see it at near-native resolution.
Installation:
sudo pacman -S gamescope
Use in Steam launch options (1080p internal rendering, upscaled to 1440p with FSR):
gamescope -h 1080 -H 1440 -U -f -- %command%
(-U enables FSR upscaling, -f forces full screen; on recent gamescope releases -U has been replaced by -F fsr.)
8.3.3 Real-time Telemetry (MangoHud)
You know those YouTube videos comparing graphics cards, with a detailed overlay in the top-left corner showing temperature, VRAM usage and an FPS graph? On Windows that is MSI Afterburner. On Linux we use the far superior MangoHud, which injects itself directly into the Vulkan/OpenGL calls.
Installation:
sudo pacman -S mangohud lib32-mangohud
To enable it for a Steam game, put it in the launch options:
mangohud %command%
(And yes, you can chain the wrappers: mangohud gamemoderun %command%.)
8.4 The Last Bastion: Anti-Cheat
All this sounds like technological magic, and it is. Today, Cyberpunk 2077, Elden Ring, Red Dead Redemption 2 or Baldur's Gate 3 run on Arch Linux in Ultra at 60+ FPS without opening a single terminal. The only real problem for Linux gaming is competitive multiplayer.
To stop cheaters, companies like Riot Games (Valorant, League of Legends) or Activision (Call of Duty) use anti-cheat software (Vanguard, Ricochet) that installs at Windows kernel level (ring 0). They work as legal rootkits. When you try to run them through Proton, the anti-cheat panics because it cannot find the Windows kernel it expects and refuses to start, or bans the user outright. These games are unplayable on Linux.
However, the most widely used anti-cheats in the industry, EasyAntiCheat (EAC) and BattlEye, announced official native support for Linux and Proton. Competitive games like The Finals or Counter-Strike 2 (native) work impeccably on Arch Linux (Apex Legends did too, until its publisher withdrew Linux support in late 2024).
The mandatory reference site for any Arch gamer is ProtonDB (protondb.com). Before buying or downloading a game, look it up there; the community tells you whether it works out of the box (Platinum/Gold) or whether the developer has deliberately blocked the anti-cheat (Borked).
8.5 Thermal and Power Control: Overclocking and Undervolting
An enthusiast sysadmin or gamer does not accept the factory clock and voltage settings. Reducing the voltage (undervolting) of a graphics card can lower temperatures by 10 degrees Celsius and bring fan noise to zero while keeping exactly the same performance.
8.5.1 AMD (amdgpu sysfs and CoreCtrl)
The open-source amdgpu driver exposes almost all of its telemetry and control levers through the sysfs virtual file system (/sys/class/drm/card0/device/, card1 on some recent kernels). You can overclock simply by writing numbers into text files, but it is dangerous and tedious. To do it safely and intuitively, install CoreCtrl, the Linux equivalent of MSI Afterburner.
sudo pacman -S corectrl
For CoreCtrl to touch voltages, the kernel must be booted with an explicit parameter that relaxes the AMD driver's safety restrictions. Open /etc/default/grub and add to GRUB_CMDLINE_LINUX_DEFAULT:
amdgpu.ppfeaturemask=0xffffffff
Regenerate GRUB and reboot. When you open CoreCtrl you will see fan curves adjustable with graphical nodes, 3D profiles and the ability to lower the power limit of your 200 W card to 150 W, achieving drastic energy efficiency without losing FPS. Bear in mind that the mask unlocks manual voltage control: an aggressive undervolt can hang the GPU on the next heavy load, so keep a boot entry without the flag (or a snapshot, Chapter 9.5) to fall back to.
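Both this section and 8.1.2 have you hand-edit GRUB_CMDLINE_LINUX_DEFAULT, and doing it twice by hand is how duplicated or half-quoted parameters end up on the kernel command line. The script below is an added example for both passages (not the book's own tooling): it adds or replaces a single parameter idempotently, refuses to guess if the line is missing, and preserves the file's owner and mode. The file path and parameters are the ones from the text; the script itself is an assumption about how you would rather do it.

```bash
#!/usr/bin/env bash
# Idempotent editor for the kernel command line in /etc/default/grub.
# Added example for sections 8.1.2 and 8.5.1 (not the book's own script): it adds or replaces one
# parameter in GRUB_CMDLINE_LINUX_DEFAULT without ever duplicating it; run grub-mkconfig afterwards.
set -eu

# kernel_cmdline FILE: prints the current value of GRUB_CMDLINE_LINUX_DEFAULT.
kernel_cmdline() {
    sed -n 's/^GRUB_CMDLINE_LINUX_DEFAULT="\(.*\)"$/\1/p' "$1"
}

# add_kernel_param FILE PARAM: PARAM is "key=value" or a bare flag ("quiet").
# Any existing token with the same key is dropped first, so re-running is harmless.
add_kernel_param() {
    file="$1" param="$2"
    key="${param%%=*}"
    grep -q '^GRUB_CMDLINE_LINUX_DEFAULT=' "$file" || {
        echo "no GRUB_CMDLINE_LINUX_DEFAULT line in $file, refusing to guess" >&2
        return 1
    }
    new=""
    set -f                                   # no globbing while we split the old value
    for tok in $(kernel_cmdline "$file"); do
        case "$tok" in
            "$key"|"$key"=*) continue ;;     # stale value for this key
        esac
        new="${new:+$new }$tok"
    done
    set +f
    new="${new:+$new }$param"
    # Rewrite line by line (no sed substitution, so '&', '|' or '/' in values are safe),
    # then copy back over the original to keep its owner and mode.
    tmp=$(mktemp)
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            GRUB_CMDLINE_LINUX_DEFAULT=*) printf 'GRUB_CMDLINE_LINUX_DEFAULT="%s"\n' "$new" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Usage: sudo ./grub-param.sh /etc/default/grub nvidia-drm.modeset=1 && sudo grub-mkconfig -o /boot/grub/grub.cfg
if [ $# -eq 2 ]; then
    add_kernel_param "$1" "$2"
    echo "GRUB_CMDLINE_LINUX_DEFAULT is now: $(kernel_cmdline "$1")"
fi
```

Run it once per parameter (nvidia-drm.modeset=1, amdgpu.ppfeaturemask=0xffffffff) and then grub-mkconfig; a second run with the same key replaces the value instead of appending a duplicate, and cat /proc/cmdline after reboot confirms the kernel actually received it.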
8.5.2 NVIDIA (Coolbits and GreenWithEnvy)
NVIDIA blocks overclocking on Linux unless you enable a flag in the X11 configuration. This "god mode" is called Coolbits.
To enable it in X11, generate the NVIDIA configuration and inject the value 31 (the sum of the bits for overclocking, fan control and voltage):
sudo nvidia-xconfig --cool-bits=31
nvidia-xconfig rewrites /etc/X11/xorg.conf wholesale, which can break hybrid-graphics laptops; a gentler alternative is a drop-in file in /etc/X11/xorg.conf.d/ with Option "Coolbits" "31" in the Device section. Then install GreenWithEnvy (GWE) from the AUR:
yay -S gwe
With GWE you can shift the core clock (Core Clock Offset) and the VRAM clock (Memory Offset). A +500 MHz VRAM offset on 3000- or 4000-series cards usually yields 5% to 10% extra FPS without extra heat.
8.6 Understanding the Wine Prefix Architecture
Not everything in life is gaming through Steam (Proton). Many Arch Linux users depend on highly specialised Windows software (music production DAWs such as FL Studio or Ableton, CAD modelling tools, or Adobe suites). To run these monsters, we do not use generic Wine; we manipulate prefixes.
8.6.1 The Isolated WINEPREFIX Concept
A Wine prefix is a folder on your disk that pretends to be the C:\ drive of a Windows machine. By default, if you run wine programa.exe, everything is installed into ~/.wine/. That is a rookie mistake: install 10 programs into the same prefix and their DLLs start overwriting each other, creating insurmountable conflicts.
The iron law: every heavy application gets its own isolated prefix.
# Create a clean "C:\" prefix specifically for FL Studio
WINEPREFIX=~/.wine-flstudio winecfg
This command opens a Windows configuration window and generates a pristine C:\ drive in that hidden folder. Note that the prefix is a private copy of "Windows", not a sandbox: by default Wine also maps your whole filesystem as drive Z:, and the program runs with all of your user's permissions.
8.6.2 Winetricks and DLL Handling
When you install FL Studio and try to start it, it will probably crash silently. Why? Because FL Studio expects your "Windows" to have Microsoft's C++ redistributable runtimes and certain native fonts that the installer assumes come with the system. Since Wine is legal reverse engineering, it does not include Microsoft's proprietary code. To inject it, we use Winetricks, a magic script.
sudo pacman -S winetricks
To quietly download and inject .NET Framework 4.8, the DirectX 9 shader compiler and Microsoft fonts (Arial, etc.) into our FL Studio container:
WINEPREFIX=~/.wine-flstudio winetricks dotnet48 d3dcompiler_47 corefonts vcrun2015
The script downloads the official .exe installers from Microsoft's servers (checking them against known checksums), extracts the .dll files into the prefix and records in the registry (user.reg) that these should be used (an override) instead of Wine's free implementations.
8.6.3 Editing the Windows Registry
As on a real system, you can inject keys into the simulated machine's registry to fix bugs (e.g. scaling the interface if it looks too small on 4K monitors).
WINEPREFIX=~/.wine-flstudio wine regedit
This isolated, reproducible architecture, controlled by environment variables, lets sysadmins package closed Windows applications into double-clickable bash scripts, so hostile proprietary software runs domesticated inside your free environment.
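Here is what such a launcher script can look like, as an added example (not the book's own script): it pins the application to its own prefix, runs the one-time winetricks verbs only on first launch, and trims the prefix's view of your home directory before starting the program. APP_NAME, the verbs and the trimming step are choices made here. The trim is what winecfg's Drives tab does when you delete Z: (winetricks' sandbox verb does the same in one go); Wine does not put the link back on its own.

```bash
#!/usr/bin/env bash
# Per-application Wine launcher with an isolated prefix and a privacy trim.
# Added example (not the book's script). APP_NAME, the winetricks verbs and the
# "drop Z: and the home-folder links" step are choices made here; winetricks' "sandbox"
# verb performs the same trim if you prefer a one-liner.
set -eu

app="${APP_NAME:-flstudio}"
export WINEPREFIX="${WINEPREFIX:-${HOME:-.}/.wine-$app}"
export WINEARCH="${WINEARCH:-win64}"

# ensure_prefix: create the prefix and apply the one-time winetricks verbs only on first run.
ensure_prefix() {
    if [ ! -f "$WINEPREFIX/system.reg" ]; then
        wineboot --init
        winetricks -q dotnet48 d3dcompiler_47 corefonts vcrun2015
    fi
}

# harden_prefix PREFIX: remove the Z: drive (whole host filesystem) and the links that make
# the Windows Documents/Desktop folders point at your real home, so a misbehaving installer
# sees only drive C:. This is privacy hygiene, not a security boundary: the program still
# runs as your user; for real isolation wrap wine in bwrap or firejail.
harden_prefix() {
    prefix="$1"
    if [ -L "$prefix/dosdevices/z:" ]; then
        rm "$prefix/dosdevices/z:"
    fi
    for userdir in "$prefix"/drive_c/users/*/; do
        [ -d "$userdir" ] || continue
        for sub in Desktop Documents Downloads Music Pictures Videos; do
            if [ -L "$userdir$sub" ]; then
                rm "$userdir$sub"
                mkdir -p "$userdir$sub"      # a real, empty folder inside the prefix
            fi
        done
    done
}

# Usage: APP_NAME=flstudio ./winerun.sh 'C:\Program Files\Image-Line\FL Studio\FL64.exe'
if [ $# -gt 0 ]; then
    ensure_prefix
    harden_prefix "$WINEPREFIX"
    exec wine "$@"
fi
```

Give each application its own copy of the script (or its own APP_NAME) and a .desktop file pointing at it; the prefix is created on first double-click and every later launch is instant. If the program genuinely needs a host folder (a sample library, a project directory), add exactly that one as a drive letter in winecfg instead of restoring Z:.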
Chapter 9: System Maintenance, Monitoring and Rescue
One of the most persistent (and unfair) myths about Arch Linux is that it "breaks on its own" with every update. This is demonstrably false. Arch does not break by itself; users break it by not reading, by doing partial updates, or by ignoring configuration-maintenance warnings. In a rolling-release model, you are the sysadmin. You have total control and, with it, responsibility. This chapter teaches the tools and habits that keep an Arch machine running for a decade without a reinstall.
9.1 Change Management (.pacnew files)
When the Arch (or upstream) developers decide to change a program's default behaviour, they modify its configuration file. Now imagine the disaster if you had spent 3 hours tuning your SSH server's configuration (/etc/ssh/sshd_config) and a routine update silently overwrote it with the new default.
To protect your work, pacman does the following: if the file on disk no longer matches what the old package shipped (you edited it) and the new package ships a different version, it does not overwrite it. Instead, it installs the new version alongside yours with the extension .pacnew (e.g. /etc/ssh/sshd_config.pacnew). The program keeps using your original file.
The danger: if you ignore .pacnew files for months or years, there will come a point where the new binary needs a setting that only exists in the .pacnew, and because you are still using the old file, the program (or even your boot process) fails quietly. With sshd this cuts both ways: a .pacnew may also carry a hardened default that your old file still overrides with the weaker value.
9.1.1 Professional Resolution with pacdiff
Never hunt for them by hand. Install pacman-contrib (which contains pacdiff) and a visual diff/merge program such as meld (useful in a graphical environment), or just use vimdiff (included with Vim).
sudo pacman -S pacman-contrib meld
To find, compare and merge your configuration files regularly (once a month is recommended):
DIFFPROG=meld pacdiff -s
(The -s flag makes pacdiff use sudo only for the file operations, so meld itself does not run as root.) The script scans the whole system in a second and, for each .pacnew it finds, offers to:
- View the differences.
- Overwrite your old file with the .pacnew (if you realise you never changed anything important).
- Remove the .pacnew (if you prefer to keep yours forever, at your own risk).
- Merge the two with meld, which opens a window with two columns highlighting the changes so you can drag the new necessary lines across without deleting your customisations.
9.2 The Intelligence Centre: Reading Logs and dmesg
When something fails on Windows, you often get an incomprehensible hexadecimal code (e.g. 0x80004005). On Linux, the system records every event as text. Knowing where to read is 90% of the diagnostic work.
9.2.1 The Kernel Buffer (dmesg)
During boot, and while the system runs, the kernel talks to itself and to the drivers before the logging daemons can even start. This is the hardware-level record (ring 0). If a hard drive is about to die from mechanical I/O failures, or you plug in a corrupt USB stick, this is where the alarms show up in red.
To see the kernel messages, use the diagnostic ring buffer:
sudo dmesg -H
(The -H flag makes it human-readable, paging the output and adding relative timestamps; press q to quit. sudo is needed because Arch sets kernel.dmesg_restrict=1, keeping kernel addresses and hardware details away from unprivileged users.) To watch messages live while you plug in physical devices: sudo dmesg -w.
9.2.2 The systemd Journal (journalctl)
For all user-level software (the web server, the graphical interface, network failures), systemd collects logs in a fast, centralised binary store. You query it with the Swiss army knife journalctl.
- See the log of the current boot:
journalctl -b
- See the errors of the PREVIOUS boot (-1), relative to the current one (critical when your PC froze completely and you had to power-cycle it; this tells you the last thing that happened before the crash, and works because Arch keeps a persistent journal in /var/log/journal):
journalctl -b -1
- Filter only high-priority, catastrophic errors (priority 3 = err). This is the magic command when your PC misbehaves and you do not know why: it cuts the noise (informational messages) and gives you the raw failures:
journalctl -p 3 -xb
- Follow a problem service in real time (e.g. try to connect Bluetooth while it fails in the top panel; open a terminal and watch the live log):
journalctl -u bluetooth.service -f
9.3 Version Control: The Art of the Downgrade
In a bleeding-edge model like Arch's, upstream developers will occasionally release code with regressions (bugs that break previously stable functionality). If after a pacman -Syu your browser (say Firefox) crashes with a "Segmentation fault" and no longer opens, do not panic or reinstall Arch. Fixing it literally takes one command.
9.3.1 Going Back to a Version in the Local Cache
As we saw in Chapter 5, pacman keeps every installed package (.pkg.tar.zst) in /var/cache/pacman/pkg/ unless you explicitly delete them. If Firefox broke when version 126.0 was installed, simply reinstall the older version (e.g. 125.0) you still have locally:
# Use the Tab key to autocomplete the long file name
sudo pacman -U /var/cache/pacman/pkg/firefox-125.0-1-x86_64.pkg.tar.zst
This removes the new version and puts back the old one (with the default LocalFileSigLevel = Optional, pacman verifies the cached .sig when one is present, and it refuses if the downgrade would break dependencies). But there is a catch: tomorrow, when you run pacman -Syu, pacman will see the old version and try to update it again. To prevent that temporarily, edit /etc/pacman.conf and add firefox to the IgnorePkg line (IgnorePkg = firefox). Remember to remove it weeks later, once the upstream bug has been fixed, or you will be running a browser with known unpatched holes indefinitely.
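Tab completion works, but it also makes it easy to pick the wrong file when several versions sit in the cache. The script below is an added example (not the book's own tooling) that lists the cached versions of a package newest first, selects the one you ask for by version number, and then pins the package in pacman.conf without duplicating the IgnorePkg entry. It relies only on pacman's cache file naming (NAME-VERSION-RELEASE-ARCH.pkg.tar.zst plus a detached .sig) and on the IgnorePkg directive.

```bash
#!/usr/bin/env bash
# Pick an older package version from pacman's cache and pin the package afterwards.
# Added example (not the book's script). It relies only on pacman's cache file naming
# (NAME-VERSION-RELEASE-ARCH.pkg.tar.zst plus a detached .sig) and on the IgnorePkg directive.
set -eu

# cached_versions NAME [CACHEDIR]: one "VERSION-RELEASE PATH" line per cached file, newest first.
cached_versions() {
    name="$1" cache="${2:-/var/cache/pacman/pkg}"
    for f in "$cache/$name"-*.pkg.tar.*; do
        [ -e "$f" ] || continue                         # the glob matched nothing
        case "$f" in *.sig) continue ;; esac            # detached signatures are not packages
        base=${f##*/}
        rest=${base#"$name"-}                           # VERSION-RELEASE-ARCH.pkg.tar.zst
        case "$rest" in [0-9]*) ;; *) continue ;; esac  # "firefox-i18n-es-..." is another package
        ver_rel=${rest%.pkg.tar.*}                      # VERSION-RELEASE-ARCH
        ver_rel=${ver_rel%-*}                           # VERSION-RELEASE
        printf '%s %s\n' "$ver_rel" "$f"
    done | sort -k1,1 -rV
}

# cached_pkg NAME VERSION [CACHEDIR]: path of the newest cached file whose version is VERSION
# (or VERSION-RELEASE); fails if there is none, so a typo never installs the wrong thing.
cached_pkg() {
    cached_versions "$1" "${3:-}" | while read -r ver path; do
        case "$ver" in "$2"|"$2"-*) printf '%s\n' "$path" ;; esac
    done | head -n 1 | grep .
}

# pin_package CONF NAME: add NAME to IgnorePkg in pacman.conf unless it is already listed.
pin_package() {
    conf="$1" name="$2"
    for tok in $(sed -n 's/^IgnorePkg[[:space:]]*=[[:space:]]*//p' "$conf"); do
        [ "$tok" = "$name" ] && return 0
    done
    tmp=$(mktemp)
    sed "/^\[options\]/a IgnorePkg = $name" "$conf" > "$tmp"   # directly under [options]
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage: sudo ./downgrade-cache.sh firefox 125.0
if [ $# -eq 2 ]; then
    pkg=$(cached_pkg "$1" "$2")
    pacman -U "$pkg"
    pin_package /etc/pacman.conf "$1"
    echo "$1 is now pinned; remove it from IgnorePkg once the upstream bug is fixed"
fi
```

cached_versions firefox on its own is a quick way to see how far back your cache reaches before you decide between this and the archive-based downgrade tool of the next section.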
9.3.2 The AUR 'downgrade' Tool
If you cleaned your cache yesterday, or the package file is corrupt, pacman cannot help you. For that scenario there is the wonder called downgrade (available in the AUR). This tool queries the Arch Linux Archive (ALA) servers, where the project keeps copies of every Arch package from recent years.
yay -S downgrade
sudo downgrade firefox
A menu appears listing the recent versions of Firefox with their dates. You type the number of the version that worked; the script downloads it from the archive, installs it and, most importantly, asks whether you want to add the package to IgnorePkg automatically.
9.4 The Rescue Chroot (Resurrecting a Fallen System)
Even with best practices, you can make a human error (e.g. powering off the PC by pulling the cable in the middle of a kernel update or a GRUB regeneration). When you turn the computer on, you see the horrific black GRUB rescue prompt, or a kernel panic, and no key responds. The operating system is "broken" and cannot boot.
Golden rule: a Linux system whose data is intact on disk is never irreparably broken. If you can reach the files, you can cure it.
The surgical rescue protocol uses your Arch Linux installation USB:
- Phase 1: The bypass. Insert your Arch USB (the one from Chapter 1) and boot the PC from it. You are now running the USB's kernel, sidestepping the broken one on your disk.
- Phase 2: Connection. Connect to the Internet (iwctl or cable); it is indispensable.
- Phase 3: The forensic mount. Mount your damaged disks exactly as you did during the first installation (if root is inside LUKS, cryptsetup open it first; on Btrfs, mount the root subvolume you chose in Chapter 2):
mount /dev/nvme0n1p3 /mnt
mount /dev/nvme0n1p1 /mnt/boot
- Phase 4: Injection (chroot). Step inside your broken system:
arch-chroot /mnt
- Phase 5: Operation. You are now root inside your damaged system, with Internet, while the machine breathes thanks to the USB. Here you repair the disaster:
- The kernel got half-corrupted by a blackout? Reinstall it:
pacman -S linux
- You updated packages but the system froze halfway? Force a full resynchronisation that repairs cross-dependencies:
pacman -Syu
- You damaged the GRUB bootloader? Reinstall the UEFI binary (as in Chapter 3):
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
and then grub-mkconfig -o /boot/grub/grub.cfg.
- Forgot your root or user password? Run passwd your_user, set a new one and you are done. (This is why LUKS disk encryption matters: anyone with a USB stick can perform this chroot and change your password if they steal your PC.)
- Phase 6: Exit. Leave the chroot (exit), unmount (umount -R /mnt) and reboot.
Your system rises from its ashes, perfectly functional, without losing a single byte of data. This is the real power of system control, The Arch Way.
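The whole protocol fits in a short script you can keep on the installation USB. The one below is an added example (not the book's own script): it opens LUKS when the root device is a container, mounts Btrfs with the root subvolume, refuses to chroot unless the mounted tree actually looks like an Arch root (the classic mistake is mounting a data partition or the wrong disk), and always unmounts on exit. Device names, the subvolume name "@" and the mount point are assumptions taken from the usual Arch layout; adjust them to what you created in Chapter 2.

```bash
#!/usr/bin/env bash
# Rescue helper for the chroot procedure above. Added example, not the book's own script.
# Assumptions: ROOT_DEV holds the root filesystem (plain or inside a LUKS container) and
# BOOT_DEV the boot/EFI partition; a Btrfs root uses a subvolume named "@" (the usual Arch
# layout; set SUBVOL if Chapter 2 gave yours a different name). Run it from the live ISO.
set -eu

MNT="${MNT:-/mnt}"
SUBVOL="${SUBVOL:-@}"

# looks_like_arch_root DIR: refuse to chroot into the wrong partition (a data disk, another
# distro, an empty filesystem). Returns 0 only if the essentials of an Arch root are present.
looks_like_arch_root() {
    dir="$1"
    [ -f "$dir/etc/os-release" ] || return 1
    grep -qx 'ID=arch' "$dir/etc/os-release" || return 1
    [ -d "$dir/etc/pacman.d" ] && [ -x "$dir/usr/bin/pacman" ]
}

# mount_target ROOT_DEV BOOT_DEV: open LUKS if needed, mount root (Btrfs subvolume aware), then boot.
mount_target() {
    root_dev="$1" boot_dev="$2"
    if cryptsetup isLuks "$root_dev" 2>/dev/null; then
        cryptsetup open "$root_dev" cryptroot        # asks for the passphrase
        root_dev=/dev/mapper/cryptroot
    fi
    case "$(blkid -o value -s TYPE "$root_dev")" in
        btrfs) mount -o "subvol=$SUBVOL" "$root_dev" "$MNT" ;;
        *)     mount "$root_dev" "$MNT" ;;
    esac
    mount "$boot_dev" "$MNT/boot"
}

# cleanup: always unmount on exit, even if the chroot session failed.
cleanup() { umount -R "$MNT" 2>/dev/null || true; }

# Usage: ./rescue.sh /dev/nvme0n1p3 /dev/nvme0n1p1   (repair inside the chroot, then type exit)
if [ $# -eq 2 ]; then
    trap cleanup EXIT
    mount_target "$1" "$2"
    looks_like_arch_root "$MNT" || { echo "$MNT does not look like an Arch root; check the device names" >&2; exit 1; }
    arch-chroot "$MNT"
fi
```

Once inside the chroot you run the Phase 5 commands by hand (pacman -S linux, grub-install, passwd); typing exit returns to the script, which unmounts everything through the trap so you can reboot cleanly.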
9.5 The Definitive Safety Net: Btrfs and Snapshots (Snapper)↑ Home
Everything you read in this manual about fixing the system with a rescue USB (Section 9.4) assumes you have the time and the will. But what if you are about to give a presentation to investors, you run pacman -Syu, the graphics server breaks, and the meeting starts in 2 minutes? You have no time for chroot surgery.
If, during Chapter 2, you formatted your root partition / with the Btrfs file system, you have the superpower of atomic snapshots.
Btrfs does not overwrite files in place when you change them (copy-on-write): when you install a package, the new data goes to fresh blocks elsewhere. A snapshot is an instant image of the exact state of a subvolume; it takes milliseconds and costs almost no space at first, growing only as the live system and the snapshot diverge.
9.5.1 Snapper installation and configuration
The tool created by SUSE to manage this is snapper.
sudo pacman -S snapper
We create the configuration for the root subvolume (/):
sudo snapper -c root create-config /
(On Arch, the wiki recommends replacing the .snapshots subvolume that this command creates with your own dedicated subvolume mounted at /.snapshots, so that the snapshots survive a later rollback of the root subvolume.)
From this moment on, you can tell the operating system "take a picture of the whole root partition right now":
sudo snapper -c root create --description "Antes de la locura"
9.5.2 Automation with Pacman Hooks
Nobody remembers to take a snapshot before updating, so we make pacman do it on its own by installing the hook package:
sudo pacman -S snap-pac
The next time you run sudo pacman -Syu, snap-pac takes a "pre" snapshot just before the transaction starts touching files, and a "post" snapshot when it finishes. snapper -c root list shows the pairs, snapper -c root status PRE..POST lists exactly which files the update changed, and snapper -c root diff PRE..POST shows the content differences.
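Those pre/post pairs also let you revert a bad update without rebooting, as long as the system still boots at all: snapper -c root undochange PRE..POST restores the files that changed between the two snapshots, and PRE..0 compares a pre snapshot against the current filesystem (snapshot number 0 means "now"), which is what you want when an interrupted pacman run left a pre snapshot without its post. Picking the right pair by eye in a long snapper list is error-prone, so here is a helper, added here and not part of the book or of snapper, that finds the newest completed pair and any orphan pre snapshots in the table snapper -c root list prints. It assumes only that the first three columns of that table are the snapshot number, its type and its pre-number, which holds for current snapper versions; the sample table is constructed.

```shell
#!/bin/sh
# Added example: find the newest pre/post pair (and orphan "pre" snapshots)
# in `snapper -c root list` output, for use with `snapper undochange`.

# latest_pre_post <snapper list output>: print "PRE..POST" for the newest
# post snapshot that has a pre-number; exit 1 if there is none.
latest_pre_post() {
  printf '%s\n' "$1" | awk -F'|' '
    {
      num = $1; type = $2; pre = $3
      gsub(/^[ \t]+|[ \t]+$/, "", num)
      gsub(/^[ \t]+|[ \t]+$/, "", type)
      gsub(/^[ \t]+|[ \t]+$/, "", pre)
      # header and separator lines do not start with a number
      if (num !~ /^[0-9]+$/) next
      if (type == "post" && pre ~ /^[0-9]+$/ && num + 0 > best + 0) {
        best = num; bestpre = pre
      }
    }
    END {
      if (best == "") exit 1
      print bestpre ".." best
    }'
}

# unpaired_pres <snapper list output>: print pre snapshots that never got a
# post (a pacman transaction that was interrupted, e.g. by a power cut)
unpaired_pres() {
  printf '%s\n' "$1" | awk -F'|' '
    {
      num = $1; type = $2; pre = $3
      gsub(/^[ \t]+|[ \t]+$/, "", num)
      gsub(/^[ \t]+|[ \t]+$/, "", type)
      gsub(/^[ \t]+|[ \t]+$/, "", pre)
      if (num !~ /^[0-9]+$/) next
      if (type == "pre") pres[num] = 1
      else if (type == "post" && pre ~ /^[0-9]+$/) delete pres[pre]
    }
    END { for (n in pres) print n }'
}

# Constructed sample of `snapper -c root list` (not from a real machine)
SAMPLE_LIST='   # | Type   | Pre # | Date                     | User | Cleanup | Description        | Userdata
-----+--------+-------+--------------------------+------+---------+--------------------+---------
  0  | single |       |                          | root |         | current            |
  1  | single |       | Mon 30 Sep 2024 09:00:00 | root |         | Antes de la locura |
 12  | pre    |       | Tue 01 Oct 2024 10:00:00 | root | number  | pacman -Syu        |
 13  | post   |    12 | Tue 01 Oct 2024 10:03:12 | root | number  | pacman -Syu        |
 14  | pre    |       | Wed 02 Oct 2024 08:30:00 | root | number  | pacman -S linux    |'

if pair=$(latest_pre_post "$SAMPLE_LIST"); then
  echo "newest completed transaction: $pair"
  echo "  preview: snapper -c root status $pair"
  echo "  revert:  sudo snapper -c root undochange $pair"
fi
for n in $(unpaired_pres "$SAMPLE_LIST"); do
  echo "interrupted transaction: pre snapshot $n has no post"
  echo "  preview: snapper -c root status $n..0"
done
# Live use: latest_pre_post "$(snapper -c root list)"
```

Always run the status preview first: undochange rewrites files on the live root, including anything you edited by hand after the update.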
9.5.3 Time Travel (Rollback at Boot)
If an update breaks the PC, you reboot. With grub-btrfs installed, the GRUB menu gains a submenu called "Arch Linux snapshots": you select yesterday afternoon's snapshot, and the system boots exactly as it was then (read-only, since snap-pac snapshots are read-only by default). To make the time travel permanent you promote that snapshot to be the live root, either with snapper rollback (which requires a compatible subvolume layout) or by swapping Btrfs subvolumes manually as documented in the Arch wiki.
Your Arch Linux has become practically immune to software errors.
9.6 Complete Hardware Monitoring and Disaster Prevention↑ Home
To keep a server or a high-performance workstation alive, you cannot wait for the kernel to throw red alerts in dmesg. You must inspect physical stress preventively.
9.6.1 Load (htop / btop)
UNIX administrators distrust the graphical task managers of desktop environments for their overhead and their imprecision with CPU threads.
- htop: the timeless classic. It shows process states accurately (R running, S sleeping, Z zombie), memory page faults, and lets you send signals (including SIGKILL, -9) to misbehaving processes instantly.
- btop: the successor, written in C++. It has a spectacular character-based interface in the terminal, drawing continuous graphs of network bandwidth, disk I/O and per-core temperatures with sub-second refresh.
sudo pacman -S btop
9.6.2 Thermodynamics (lm_sensors)
Motherboards contain dozens of temperature sensors (chipset, VRMs, CPU cores). Linux must map them.
sudo pacman -S lm_sensors
Run the detection assistant; accepting its defaults is safe, and it will probe the I2C/SMBus buses of your hardware looking for sensor chips:
sudo sensors-detect
From then on, typing sensors in the terminal prints the exact thermal state of your machine.
9.6.3 Hard Disk Health and Damaged Sectors (SMART)
SSDs and NVMe drives do not fail "little by little" with mechanical clicking. When they die, they do so in a fraction of a second, with the controller locking itself into read-only mode or losing everything. S.M.A.R.T. (Self-Monitoring, Analysis and Reporting Technology) lives inside each drive to warn you months before the catastrophic failure.
sudo pacman -S smartmontools
Check the status of your NVMe drive (e.g. /dev/nvme0n1):
sudo smartctl -a /dev/nvme0n1
Pay close attention to "Percentage Used", "Available Spare" and "Critical Warning". If the available spare blocks drop toward their threshold or a critical warning appears, that is the signal to buy a new disk and clone the system.
9.6.4 Purging the Log Journal (journald Limits)
Paradoxically, the tool that monitors the PC (systemd's journal, read with journalctl) can end up suffocating it. If your Wi-Fi card throws an irrelevant error a thousand times per second because its driver is buggy, the binary journal will grow by gigabytes in a month, devouring SSD space on small laptops. Limit the maximum size in /etc/systemd/journald.conf:
[Journal]
SystemMaxUse=500M
Restart the daemon with sudo systemctl restart systemd-journald. Arch will then keep only the most recent half gigabyte of history, automatically rotating out the logs from months ago. To see how much space the journal uses right now, and to purge it immediately rather than waiting for rotation, use journalctl --disk-usage and sudo journalctl --vacuum-size=500M.
Chapter 10: Systemd - Orchestration, Timers and Advanced Automation↑ Home
At the heart of almost every modern Linux distribution is a software suite that inspires both passionate love and deep hatred in the UNIX community: systemd. Originally developed by Lennart Poettering, systemd replaced the old, sequential SysVinit. Systemd is not a simple boot program; it is a large platform that manages everything from network setup and disk mounting to logging, power management (suspend / hibernate) and DNS resolution. It is process ID 1 (PID 1), the ancestor of every program running on your machine.
Mastering systemd is what separates the casual user from the systems engineer.
10.1 Architecture and Base Command (systemctl)↑ Home
The master command for interacting with the init system is systemctl. Everything in systemd is organized into "units". A unit can be a service (a background program, .service), a socket (a listening port, .socket), or a timer (an alarm clock, .timer).
10.1.1 Services Management
Traditional daemons such as sshd, Nginx or NetworkManager are described by unit files ending in .service.
Essential commands (assuming we operate on bluetooth.service):
- Start: turn it on right now. It will not persist across a reboot.
sudo systemctl start bluetooth.service
- Stop: turn it off (systemd sends SIGTERM and, if the process ignores it past the timeout, SIGKILL).
sudo systemctl stop bluetooth.service
- Enable: modifies the system by creating a symbolic link so the service starts automatically at the next boot. It does not start it now.
sudo systemctl enable bluetooth.service
- Disable: removes the link. It will no longer start with the system.
sudo systemctl disable bluetooth.service
- The master shortcut (enable --now): combines enable and start. It starts the service now and marks it for future boots.
sudo systemctl enable --now bluetooth.service
- Restart: stop and start. Mandatory after changing a service's configuration file (e.g. for Nginx or SSH).
sudo systemctl restart bluetooth.service
10.1.2 Targets (the Old Runlevels)
In old systems you used "runlevels" (1 to 6) to tell the PC whether to boot into rescue mode (no graphics) or full mode. Systemd uses the much more flexible concept of "targets".
- multi-user.target: equivalent to the text-console level (a server without a graphical interface). It groups all network and console services.
- graphical.target: your desktop environment. It depends on multi-user.target and adds the display manager (GDM / SDDM).
- rescue.target: a root console with local filesystems mounted but no network and no regular services, for repairing disasters (emergency.target is even more minimal, with only the root filesystem mounted, read-only).
If for any reason you want your PC to boot by default into a pure console without starting your heavy graphical environment (to turn a laptop into a server or to save battery), set the default target to the text one:
sudo systemctl set-default multi-user.target
(To return to graphical mode: sudo systemctl set-default graphical.target).
10.2 Creating your own Service Units (Unit Files)↑ Home
The real power comes when you learn that a .service file is not a complex C program; it is simply a readable text file of about ten lines. As a developer or sysadmin, you will want your script (a Discord bot, a backup, a Node.js web app) to run permanently in the background, restart if it crashes on a code error, and start on its own at boot.
Create a file called mibot.service in the directory reserved for the administrator's own units:
sudo nano /etc/systemd/system/mibot.service
A professional structure for a Node.js service, for example:
[Unit]
Description=Mi Bot de Discord en Node.js
Documentation=https://mi-wiki-interna.com
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=francesc
Group=francesc
WorkingDirectory=/home/francesc/proyectos/mi_bot/
ExecStart=/usr/bin/node index.js
Restart=on-failure
RestartSec=5s
Environment="NODE_ENV=production"
Environment="PORT=8080"
[Install]
WantedBy=multi-user.target
In-depth analysis:
- After=network-online.target and Wants=network-online.target (start order): this is vital. It tells systemd that if it would otherwise launch the bot at second 2 of the boot while the network (Wi-Fi / Ethernet) is not up until second 5, it must wait. Without it the bot fails immediately for lack of connectivity and, with Restart=on-failure, spins in a restart loop until the network appears. Note that network-online.target only carries a guarantee if a "wait-online" service such as NetworkManager-wait-online.service is enabled.
- User=francesc: minimized privileges (dropping privileges). A network-facing service must NEVER run as root. If someone compromises the Node.js bot, they only get access to that user's files, not the whole PC.
- Restart=on-failure: pure resilience. If the Node.js code crashes, or the kernel's OOM killer terminates it when the PC runs out of RAM, systemd waits 5 seconds (RestartSec) and launches a fresh process, maintaining uptime without your intervention.
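User=francesc is the right instinct, but systemd can take the privilege reduction much further. The unit below is an added example, not the book's own file, showing the same bot with the sandboxing directives a security engineer would normally add. It assumes the bot writes only under /home/francesc/proyectos/mi_bot/data (a hypothetical path); adjust ReadWritePaths to what your program really needs. After installing it, systemd-analyze security mibot.service scores the result and names whatever remains exposed.

```ini
[Unit]
Description=Mi Bot de Discord en Node.js (hardened)
Documentation=https://mi-wiki-interna.com
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=francesc
Group=francesc
WorkingDirectory=/home/francesc/proyectos/mi_bot/
ExecStart=/usr/bin/node index.js
Restart=on-failure
RestartSec=5s
Environment="NODE_ENV=production"
Environment="PORT=8080"

# --- sandboxing added to the book's unit ---
# A setuid binary or file capability cannot be used to regain privileges
NoNewPrivileges=true
# Drop every capability; port 8080 does not need CAP_NET_BIND_SERVICE
CapabilityBoundingSet=
# /usr, /boot, /etc and /home become read-only; only the data directory
# (assumed path) stays writable
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/francesc/proyectos/mi_bot/data
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
ProtectClock=true
ProtectHostname=true
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
LockPersonality=true
# Only the socket families a Discord bot needs
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
# Allow the generic service syscall set, fail the rest with EPERM
SystemCallFilter=@system-service
SystemCallErrorNumber=EPERM
SystemCallArchitectures=native
UMask=0077
# Deliberately NOT set: MemoryDenyWriteExecute=true would break V8's JIT,
# which Node.js depends on

[Install]
WantedBy=multi-user.target
```

Add directives one at a time and watch journalctl -u mibot.service: a sandbox that is too tight shows up as EPERM or ENOENT errors at startup, which is far easier to diagnose while you still remember which line you just added.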
After creating or editing any file in /etc/systemd/, the manager must re-read the unit directories before you can use systemctl start:
sudo systemctl daemon-reload
10.3 Systemd Timers: The End of the Cron Age↑ Home
For decades, UNIX administrators used the cron daemon to schedule recurring tasks. You edited a crontab file and added cryptic lines of asterisks (*). Cron had painful limitations: it did not log well when a script failed, and if you scheduled a backup for Saturdays at 4 AM and your laptop was off, the run was simply lost (unless you added anacron).
Systemd solves this with timers. A timer is a clock that, when the alarm rings, fires the .service with the same name. It requires more lines to write, but the control, the log visibility (everything goes to journalctl) and the reliability are far higher.
The practical case: daily backup. We create the service that runs the backup (/etc/systemd/system/respaldo.service):
[Unit]
Description=Runs the rsync backup script for documents
[Service]
Type=oneshot
ExecStart=/usr/bin/bash /home/francesc/scripts/hacer_backup.sh
User=francesc
(Note: Type=oneshot means the service starts, runs the command, exits and is marked as successful; it does not run permanently.)
We create the timer with exactly the same name (/etc/systemd/system/respaldo.timer):
[Unit]
Description=Timer for the daily backup
[Timer]
# Runs every day at 03:00
OnCalendar=*-*-* 03:00:00
# If the PC was off at 3 AM, run it as soon as it is powered on
Persistent=true
# Wait a random delay of up to 15 minutes (to avoid I/O spikes on servers)
RandomizedDelaySec=15m
[Install]
WantedBy=timers.target
Reload the manager, then enable and start THE TIMER (never the service; the timer is in charge of launching the service):
sudo systemctl daemon-reload
sudo systemctl enable --now respaldo.timer
To view your system's schedule and check the countdown of every automated task:
systemctl list-timers --all
Before deploying a new OnCalendar expression, validate it and see its next trigger times with systemd-analyze calendar "*-*-* 03:00:00".
10.4 Performance Audit: systemd-analyze↑ Home
Systemd knows exactly in which millisecond the kernel started and in which millisecond it finished loading the graphical environment. It offers excellent profiling utilities for administrators obsessed with optimization.
To see how long your PC took from pressing the power button until the system was operational:
systemd-analyze
Example output: Startup finished in 3.123s (kernel) + 2.456s (userspace) = 5.579s.
If your system takes 30 secon (on an SSD) and you feel something is wrong, systemd can generate a blame list of every service ordered by its impact on boot time:
systemd-analyze blame
Reading the list, you will often find services you do not need, and usually the infamous NetworkManager-wait-online.service, which holds back network-online.target until a valid IP has been obtained and often takes 5 to 10 seconds. If nothing on your machine needs to start only after the network is really up, you can disable it:
sudo systemctl disable NetworkManager-wait-online.service
Be aware that once it is disabled, network-online.target is reached immediately, so units ordered After=network-online.target (like the bot in 10.2) no longer get the guarantee they asked for. For the visually minded engineer, systemd can also generate an SVG Gantt chart showing the parallelism, dependencies and stalls of the boot:
systemd-analyze plot > arranque_pc.svg
Open it in Firefox or Chrome and admire the orchestrated engineering that happens in the first seconds of your Arch Linux boot.
10.5 Control of CPU and Memory Resources (cgroups in systemd)↑ Home
Systemd is not just an init system; it is also a convenient front end for the Linux kernel's control groups (cgroups). Cgroups are the technology that makes Docker containers possible, and systemd lets you use them directly to tame any problematic program.
Imagine this scenario: you have an Arch Linux server with 16 GB of RAM. It runs a vital database and, at the same time, you ask it to encode a 4K video. The video encoder will instinctively use 100% of your CPU cores and devour the 16 GB of RAM. The server will thrash, the OOM killer will start shooting, and your customers' web pages backed by that database will stop loading.
You can use systemd to put that service in chains. Open its unit file (e.g. video-encoder.service):
[Unit]
Description=Heavy video encoding job
[Service]
ExecStart=/usr/bin/ffmpeg -i video.mkv salida.mp4
# Hard cap on RAM. Beyond it the kernel reclaims aggressively and, if that is not enough, invokes the OOM killer inside this cgroup.
MemoryMax=2G
# Grants the right to use one and a half CPU cores, and not 1% more, however idle the PC is.
CPUQuota=150%
# Lowers its disk priority; if the database wants to read, the encoder yields (needs cgroup v2 and an I/O scheduler that honours weights, such as bfq).
IOWeight=10
After a daemon-reload and a restart of the unit, the encoder is subject to the kernel's enforcement and will behave as if it were running on a 2005-era machine. This is the basic architecture of the cloud providers that sell you small virtual machines. If you would rather throttle than kill, MemoryHigh sets a soft limit the kernel enforces by slowing the process down, and can be combined with MemoryMax as the last resort.
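To be sure the chains actually bit, read the knobs the kernel exposes for the unit's cgroup rather than trusting the unit file. Under cgroup v2 (the default on Arch) a system service lives at /sys/fs/cgroup/system.slice/<unit>/, where cpu.max holds "quota period" in microseconds and memory.max holds bytes. The script below, an added example not from the book, converts the unit directives into the values the kernel should show and compares them; the demo uses a constructed directory under /tmp in place of the real cgroup tree, and video-encoder.service is the unit name the book uses.

```shell
#!/bin/sh
# Added example: verify that MemoryMax= / CPUQuota= from a unit file really
# landed in the unit's cgroup v2 files (cpu.max, memory.max).

# cpu_quota_to_cpu_max <percent>: CPUQuota=150% -> "150000 100000"
# (systemd's default CPUQuotaPeriodSec is 100ms = 100000 microseconds)
cpu_quota_to_cpu_max() {
  echo "$(( $1 * 1000 )) 100000"
}

# size_to_bytes <size>: systemd sizes use 1024-based suffixes, e.g. 2G -> 2147483648
# exit 1 for anything that is not an integer with an optional K/M/G/T suffix
size_to_bytes() {
  n=${1%[KMGT]}
  suffix=${1#"$n"}
  case $n in
    ''|*[!0-9]*) return 1 ;;
  esac
  case $suffix in
    '') echo "$n" ;;
    K)  echo $(( n * 1024 )) ;;
    M)  echo $(( n * 1024 * 1024 )) ;;
    G)  echo $(( n * 1024 * 1024 * 1024 )) ;;
    T)  echo $(( n * 1024 * 1024 * 1024 * 1024 )) ;;
  esac
}

# verify_limits <cgroup dir> <cpu percent> <memory max>
# 0 = limits match, 1 = mismatch (details on stdout), 2 = files missing/unparseable
verify_limits() {
  dir=$1
  want_cpu=$(cpu_quota_to_cpu_max "$2")
  want_mem=$(size_to_bytes "$3") || { echo "bad size: $3"; return 2; }
  [ -r "$dir/cpu.max" ] && [ -r "$dir/memory.max" ] || {
    echo "no cpu.max/memory.max in $dir (unit not running, or not cgroup v2?)"
    return 2
  }
  got_cpu=$(cat "$dir/cpu.max")
  got_mem=$(cat "$dir/memory.max")
  rc=0
  [ "$got_cpu" = "$want_cpu" ] || { echo "cpu.max is '$got_cpu', expected '$want_cpu'"; rc=1; }
  [ "$got_mem" = "$want_mem" ] || { echo "memory.max is '$got_mem', expected '$want_mem'"; rc=1; }
  [ "$rc" -eq 0 ] && echo "limits enforced in $dir"
  return $rc
}

# fake_cgroup <dir> <cpu.max line> <memory.max line>: constructed stand-in for
# /sys/fs/cgroup/system.slice/video-encoder.service, for offline demonstration
fake_cgroup() {
  mkdir -p "$1"
  printf '%s\n' "$2" > "$1/cpu.max"
  printf '%s\n' "$3" > "$1/memory.max"
}

DEMO=$(mktemp -d)
fake_cgroup "$DEMO/ok"    "150000 100000" "2147483648"   # what the unit above should produce
fake_cgroup "$DEMO/loose" "max 100000"    "max"          # no limits (e.g. unit restarted before daemon-reload)
verify_limits "$DEMO/ok" 150 2G
verify_limits "$DEMO/loose" 150 2G || echo "-> limits NOT applied; run: systemctl daemon-reload && systemctl restart video-encoder.service"
rm -rf "$DEMO"
# Real use on the running service:
# verify_limits /sys/fs/cgroup/system.slice/video-encoder.service 150 2G
```

"max" in either file is the tell-tale of a limit that exists only on paper: the unit was started before the edit, or the drop-in went to the wrong unit name.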
10.5.1 Quick Injection of Changes (Drop-in Files)
What if the program that devours RAM is a service you did not write yourself but that pacman installed, e.g. nginx.service? If you edit the official /usr/lib/systemd/system/nginx.service, pacman will overwrite it at the next update and delete your MemoryMax. The solution is a drop-in file. Run:
sudo systemctl edit nginx.service
An editor opens on an empty file. You write only the directives you want to inject:
[Service]
MemoryMax=8G
Systemd automatically creates the file /etc/systemd/system/nginx.service.d/override.conf. On start, it reads the official unit and merges your rules on top without touching the original, keeping your changes safe across updates. Check the effective value with systemctl show -p MemoryMax nginx.service. For a desktop application such as Firefox, which is not a service, the same limits can be applied by launching it inside a transient unit: systemd-run --user --scope -p MemoryMax=8G firefox.
10.6 systemd-nspawn: Integrated Containers (chroot on Steroids)↑ Home
If you read Chapter 15 (Docker) and Section 9.4 (arch-chroot), you will have realized that sometimes you need a parallel operating system, but Docker is too heavy: adding the Docker daemon costs extra RAM and complexity.
The best-kept secret of systemd distributions is that they already ship an ultra-light container system: systemd-nspawn. It is described as a "chroot with namespaces and network isolation". Arch's own packaging tools use it massively to build packages in clean environments (devtools' clean-chroot builds wrap systemd-nspawn), and it is ideal for trying out software in a disposable environment without the weight of a virtual machine. Note the warning in its own manual page, though: nspawn's isolation is meant to prevent accidental damage to the host, not to contain a hostile workload, so it is not a suitable sandbox for analysing malware. For that, use a real virtual machine.
10.6.1 Bringing up a pure Debian Container inside Arch
Imagine a client forces you to build an old program, but the necessary libraries only exist in old Debian or Ubuntu repositories. We install Debian's bootstrap tool (debootstrap) on Arch:
sudo pacman -S debootstrap
- Installing the foreign OS:
We create a directory that will act as the container's root disk and install the Debian 12 (bookworm) base system into it.
mkdir ~/mi_debian
sudo debootstrap bookworm ~/mi_debian http://deb.debian.org/debian
In under a minute, debootstrap will have downloaded a complete Debian base system (~300 MB).
- Launching the nspawn container:
To "power on" the machine we do not use chroot (which would share your host's processes, which is unsafe). We use nspawn, passing the root directory (-D, --directory):
sudo systemd-nspawn -D ~/mi_debian
In half a second the prompt changes from [francesc@archlinux] to root@archlinux:~#. But it is not Arch: run apt update and you will see the Debian package manager working. Run htop and you will see the container is isolated: it cannot see your Arch Linux processes. You are in a sealed capsule. Leave by typing exit. (Add -U to run the container in its own user namespace as well, so that root inside the container maps to an unprivileged UID range on the host.)
10.6.2 machinectl: Orchestrating Containers
To manage dozens of these nspawn containers professionally (just as you would manage Docker containers), we use the administrative command machinectl.
If you move your Debian container to the official container folder (/var/lib/machines/mi_debian), you can ask Arch's systemd to treat it as a managed guest system:
- Start in the background:
sudo machinectl start mi_debian
- List running containers:
sudo machinectl list
- Open a shell inside a running container:
sudo machinectl shell mi_debian
- Autostart (so Debian starts as a service together with your Arch Linux when you power on the PC):
sudo machinectl enable mi_debian
Mastering cgroups and nspawn gives you fine-grained control over the processes of distributed computing, all with tools that have been sitting, by default, in your base Arch Linux installation.
Chapter 11: Extreme Optimization and Hardware Performance↑ Home
The goal of installing Arch Linux is often not just minimalism but the ruthless extraction of every drop of performance from your processor (CPU), memory (RAM) and storage (SSD / NVMe). By avoiding the bloat of other distributions, Arch gives you a clean base, but there are kernel and compiler levers that stay in conservative positions by default to ensure compatibility with hardware from 15 years ago.
In this chapter we trade that backward compatibility for raw speed, turning the generic operating system into a suit tailored to your current silicon.
11.1 Memory Management and In-flight Compression (zram and zswap)↑ Home
Historically, when RAM filled up, the kernel paged out (moved) idle memory blocks to the hard drive (the swap partition). In the age of mechanical disks this slowed the machine to unusable levels. In the SSD age it is faster, but constantly writing gigabytes of memory to the SSD wears out its cells (limited write cycles / terabytes written).
The modern solution, born in Android and ChromeOS, is compression in RAM.
11.1.1 zswap (for systems with a physical swap partition)
zswap is a kernel feature that acts as a compressed cache. When the system decides to evict a memory page to the swap device, zswap intercepts it, compresses it (often to about a third of its original size with fast algorithms such as zstd or lz4) and keeps it in a reserved area of RAM. When that pool is full, it overflows to the real swap device. zswap is ideal because it reuses your existing swap partition while drastically reducing SSD wear. Note that the Arch kernel already enables zswap by default, so the parameters below mainly serve to tune it.
To configure it at boot, we edit the kernel parameters in GRUB:
sudo nano /etc/default/grub
On the line GRUB_CMDLINE_LINUX_DEFAULT, add:
zswap.enabled=1 zswap.compressor=zstd zswap.zpool=zsmalloc zswap.max_pool_percent=20
- compressor=zstd: a very efficient algorithm with decent speed.
- zpool=zsmalloc: the allocator for the compressed pages. It is the default on current kernels; the older z3fold allocator (which packed up to three compressed pages into one physical page) has been deprecated and removed in recent kernels, so check /sys/module/zswap/parameters/zpool after booting.
- max_pool_percent=20: tells zswap it may use up to 20% of total RAM for the compressed pool.
Update GRUB with sudo grub-mkconfig -o /boot/grub/grub.cfg and reboot.
11.1.2 zram (for systems WITHOUT a swap partition on disk)
If you decided to be bold and not create a swap partition on your SSD, zram is mandatory. zram creates a virtual block device that lives entirely in RAM and compresses everything written to it. It is the fastest and most modern approach, and the default in Fedora. If you use zram, disable zswap (zswap.enabled=0 on the kernel command line): compressing the same pages twice only wastes CPU.
Installation using the systemd generator:
sudo pacman -S zram-generator
Create the configuration file:
sudo nano /etc/systemd/zram-generator.conf
Add the following:
[zram0]
# Create a zram device equal to 50% of total RAM
zram-size = ram / 2
compression-algorithm = zstd
# Use it as the highest-priority swap in the system
swap-priority = 100
fs-type = swap
Reload systemd and activate it without rebooting:
sudo systemctl daemon-reload
sudo systemctl start systemd-zram-setup@zram0.service
Use the command zramctl to monitor in real time how many megabytes compression is saving you.
11.2 I/O Schedulers and CPU Governors↑ Home
The Linux kernel acts as an orchestra conductor. It decides which program may talk to the disk and for how long, and at what frequency the processor should run.
11.2.1 The I/O Scheduler
Not all storage is equal. A mechanical disk (HDD) needs a scheduler that groups reads of physically nearby data to avoid wasting time moving the head (bfq, Budget Fair Queueing). NVMe SSDs have no moving parts, so the bottleneck is simply how many concurrent commands the controller can process. For modern SSDs and NVMe drives, mq-deadline, kyber or none are the recommended schedulers.
Check which one your disk uses (e.g. nvme0n1):
cat /sys/block/nvme0n1/queue/scheduler
The selected option appears in square brackets, e.g. [none] mq-deadline kyber bfq (on fast NVMe drives, none delegates all queueing to the drive's own controller and is the optimal choice).
To force bfq (if you have a slow HDD and notice the PC stalling while a large file is being written), create a udev rule:
sudo nano /etc/udev/rules.d/60-ioschedulers.rules
Add:
ACTION=="add|change", KERNEL=="sd[a-z]|mmcblk[0-9]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
11.2.2 CPU Governors (cpupower)
Modern CPU frequency scaling (P-states on Intel, CPPC on AMD) lets the kernel control frequency and voltage. By default Arch uses the powersave or schedutil governor, which lowers the CPU clock to around 800 MHz when idle and raises it to 4.5 GHz when you open a program.
On desktop computers (no battery to preserve), this adds milliseconds of latency that purist gamers despise. You can force permanent performance mode using cpupower.
sudo pacman -S cpupower
Edit the base configuration (/etc/default/cpupower), find the governor variable and uncomment it:
governor='performance'
Enable the service:
sudo systemctl enable --now cpupower.service
(Note: your PC will draw roughly 15 to 20 W more at idle and generate more heat, but the responsiveness when clicking or opening windows will be immediate.)
11.3 The Binary Forge (Optimizing makepkg.conf)↑ Home
As an Arch Linux user, you will install dozens of programs from the AUR over the years. Doing so, you download plain source code (C, C++, Rust) and use makepkg (the build wrapper) to turn it into a binary on your own computer.
By default, Arch's developers set the GCC (GNU Compiler Collection) flags very generically: they assume you want a binary that runs on any x86-64 CPU (from a 2004 Pentium 4 to a 2024 Ryzen 9). To get that compatibility, GCC targets the baseline x86-64 instruction set and does not emit the advanced vector instructions (AVX2, AVX-512) that physically exist in your modern CPU and could run physics, compression or cryptography routines many times faster.
We will tell GCC: "Know the hardware you are running on and compile code that only works here, but runs as fast as it possibly can".
Open the compiler's master file:
sudo nano /etc/makepkg.conf
11.3.1 Native Architecture (CFLAGS and CXXFLAGS)
Find the line that starts with CFLAGS=. It is preconfigured with -march=x86-64 -mtune=generic. Replace that pair with -march=native; this single word enables every instruction-set extension your chip supports. You can also raise -O2 to -O3, which asks GCC to unroll loops and inline more aggressively, costing more time and RAM during compilation but producing a faster binary in many (not all) cases; -O3 occasionally exposes undefined behaviour in sloppy code, so fall back to -O2 for any package that misbehaves. Keep the rest of the line intact: the hardening flags Arch ships there (-D_FORTIFY_SOURCE, -fstack-clash-protection, -fcf-protection) are what make the binaries you build resistant to memory-corruption exploits.
CFLAGS="-march=native -O3 -pipe -fno-plt -fexceptions ..."
CXXFLAGS="$CFLAGS" # C++ copies the same flags as C
11.3.2 LTO (Link Time Optimization)
In a C program the code is split across hundreds of small files. Traditionally the compiler translates them separately and at the end the linker joins them. With LTO enabled, the compiler sees all the files at once and can notice that a function in file A calls a function in file B that does nothing useful, and remove or restructure them together. LTO reduces the program's size (and RAM use) and increases its speed.
Find the line OPTIONS=() near the end of the file. It contains options like (strip docs !libtool !staticlibs ...). Make sure lto appears without the exclamation mark (recent versions of makepkg.conf already enable it):
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug lto)
11.3.3 Parallelism in Compilation (MAKEFLAGS)
If your CPU has 16 threads and you compile a browser like Chromium (which takes hours), by default makepkg uses a single core, so it would take days. We have to tell make to spawn as many workers as your CPU has logical cores. Find out how many you have with the command nproc (say you have 8 logical cores).
Find the variable MAKEFLAGS and uncomment it:
MAKEFLAGS="-j8"
(Professional tip: makepkg.conf is read by bash, so MAKEFLAGS="-j$(nproc)" adapts automatically to whatever machine the file is copied to. Some people use the core count plus one so that a worker waiting on disk I/O does not leave a core idle; just remember that on a big C++ build each extra worker costs gigabytes of RAM, and too many of them ends in an OOM kill rather than a faster build.)
11.3.4 Farewell to the Final Compression
When the build of a large piece of software finishes, makepkg's last step is to take all the generated files and compress them into a .pkg.tar.zst file so that pacman can install it or you can hand it to a friend. For something like Firefox or Chromium, this compression keeps your processor at 100% for long minutes.
If you will never share your compiled packages with other machines and will only install them on this PC, compressing them is a waste of time and energy. With -march=native those packages must not be shared anyway: they will die with "illegal instruction" on any CPU lacking the same extensions. Find the variable PKGEXT near the end of the file and tell makepkg to use a plain, uncompressed tar:
PKGEXT='.pkg.tar'
With all these changes you will have forged a formidable build system: your AUR packages will compile in minutes using 100% of the processor, generate machine code adapted to your chip's instruction sets (AVX-512, SSE4), and skip the pointless compression at the end.
You have tuned your Arch Linux like a Formula 1 car.
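Editing makepkg.conf by hand is easy to get subtly wrong: wiping the hardening flags while replacing -march, or leaving MAKEFLAGS commented out. The script below, an added example and not part of the book or of pacman, applies the three edits from this section to a copy of makepkg.conf with sed and then checks that the hardening flags survived. The sample file it works on is constructed, modelled on the default CFLAGS line Arch ships; point the functions at /etc/makepkg.conf (as root, after a backup) to apply them for real.

```shell
#!/bin/sh
# Added example: apply the makepkg.conf tuning from 11.3 safely and verify it.

# get_var <file> <NAME>: print the value of NAME="..." or NAME='...' in a makepkg.conf
get_var() {
  sed -n "s/^$2=[\"']\(.*\)[\"']\$/\1/p" "$1" | head -n 1
}

# rewrite <file> <sed expression>: edit in place via a temp file (portable, no sed -i)
rewrite() {
  sed "$2" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# set_native_cflags <file>: -march=x86-64 -mtune=generic -> -march=native and
# -O2 -> -O3 on the CFLAGS line only, so Arch's hardening flags survive untouched
set_native_cflags() {
  rewrite "$1" '/^CFLAGS=/{s/-march=x86-64 -mtune=generic/-march=native/; s/ -O2 / -O3 /;}'
}

# set_makeflags <file> <jobs>: uncomment or replace MAKEFLAGS with -j<jobs>
set_makeflags() {
  rewrite "$1" "s/^#\{0,1\}MAKEFLAGS=.*/MAKEFLAGS=\"-j$2\"/"
}

# set_pkgext_uncompressed <file>: skip the final zstd compression
set_pkgext_uncompressed() {
  rewrite "$1" "s/^PKGEXT=.*/PKGEXT='.pkg.tar'/"
}

# hardening_intact <file>: 0 if the CFLAGS line still carries the flags that
# make AUR builds resistant to memory-corruption exploits, 1 otherwise
hardening_intact() {
  cf=$(get_var "$1" CFLAGS)
  for flag in '-D_FORTIFY_SOURCE=' '-fstack-clash-protection' '-fcf-protection'; do
    case $cf in
      *"$flag"*) ;;
      *) echo "hardening flag missing from CFLAGS: $flag"; return 1 ;;
    esac
  done
  return 0
}

# Constructed sample modelled on the defaults Arch ships (one line per variable)
SAMPLE='CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -fexceptions -Wp,-D_FORTIFY_SOURCE=3 -Wformat -Werror=format-security -fstack-clash-protection -fcf-protection -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer"
CXXFLAGS="$CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"
#MAKEFLAGS="-j2"
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug lto)
PKGEXT=".pkg.tar.zst"'

F=$(mktemp)
printf '%s\n' "$SAMPLE" > "$F"
set_native_cflags "$F"
set_makeflags "$F" "$(nproc 2>/dev/null || echo 4)"
set_pkgext_uncompressed "$F"
hardening_intact "$F" && echo "CFLAGS now:    $(get_var "$F" CFLAGS)"
echo "MAKEFLAGS now: $(get_var "$F" MAKEFLAGS)"
echo "PKGEXT now:    $(get_var "$F" PKGEXT)"
rm -f "$F"
```

Run hardening_intact against /etc/makepkg.conf after every pacman update that replaces the file (pacman leaves your edits in a .pacnew dance): a CFLAGS line that lost -D_FORTIFY_SOURCE or -fcf-protection means every AUR package you build from then on ships without the mitigations the rest of the system has.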
11.4 Accelerating the Memory Subsystem (HugePages and PGO)↑ Home
Linux manages RAM by dividing it into 4 kilobyte "pages". If a program such as a virtual machine, a 20 GB database or a modern open-world game needs 8 GB of RAM, the processor has to track and map two million separate pages. This causes a phenomenon called a TLB miss (a miss in the Translation Lookaside Buffer) inside your CPU, producing micro-stutter and latency bottlenecks.
11.4.1 Transparent HugePages (THP)
The architectural solution is huge pages. The kernel can group memory into blocks of 2 MB, and even 1 GB.
By default, Arch Linux has THP in the madvise state (huge pages are used only when a program explicitly asks the kernel for them). For heavy workloads we can tell the kernel to always try to use huge pages transparently.
We create a rule to apply this at boot. Use systemd-tmpfiles:
sudo nano /etc/tmpfiles.d/thp.conf
Add the following lines:
w /sys/kernel/mm/transparent_hugepage/enabled - - - - always
w /sys/kernel/mm/transparent_hugepage/defrag - - - - defer+madvise
After a reboot the kernel will map huge pages wherever it can. In console emulators (RPCS3, Yuzu / Ryujinx) and other memory-hungry applications the improvement can exceed 15%. It is not a universal win, however: Redis and MongoDB, among others, explicitly recommend leaving THP at madvise or never, because background compaction and copy-on-write of 2 MB pages cause latency spikes in their workloads. Measure before and after, and revert if your workload suffers.
11.4.2 Profile-Guided Optimization (PGO)
We mentioned -O3 above for the compiler. But GCC is not a fortune teller; it does not know how you use a program. PGO (profile-guided optimization) is the compilers' definitive witchcraft. The process works as follows:
- You compile your C / C++ code with an instrumentation flag (-fprofile-generate).
- The compiler produces an instrumented "spy" program (noticeably slower).
- You use that program for a few minutes under realistic load (opening windows, calculating routes). It writes out statistical profile files.
- You recompile the original source with the flag -fprofile-use, feeding it the profiles from step 3.
The compiler now knows statistically that function A is called a million times per second and function B is never called. GCC reorders the code so that hot functions sit together and branches are laid out for the common path, making better use of your CPU's caches. Browsers like Firefox and the Linux kernel itself can be built with PGO and LTO together (for Firefox, through AUR packages such as firefox-pgo), achieving a responsiveness that borders on the absurd.
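The four steps above, carried out end to end on a tiny C program, as an added example that is not part of the book. It assumes gcc is installed and works entirely inside a temporary directory. The program is compiled to an object file first so the profile lands in a predictable hot.gcda next to it (with a single compile-and-link step, GCC versions differ in how they name the profile file), then the training run writes the profile and the second build consumes it.

```shell
#!/bin/sh
# Added example: profile-guided optimization with GCC, steps 1-4 from 11.4.2.

# pgo_build <workdir>: instrumented build, training run, profile-guided rebuild.
# Prints the path of the optimized binary; exits non-zero if any step fails.
pgo_build() {
  work=$1
  mkdir -p "$work"
  cat > "$work/hot.c" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
/* a(): called millions of times on the training input; b(): never taken */
static int a(int x) { return (x * 31) ^ (x >> 3); }
static int b(int x) { return x / 7; }
int main(int argc, char **argv) {
    long n = argc > 1 ? atol(argv[1]) : 1000000L;
    int acc = 0;
    for (long i = 0; i < n; i++) acc += (n > 0) ? a((int)i) : b((int)i);
    printf("%d\n", acc);
    return 0;
}
EOF
  (
    cd "$work" || exit 1
    # steps 1-2: instrumented build; profile file name derives from the object (hot.gcda)
    gcc -O2 -fprofile-generate -c -o hot.o hot.c || exit 1
    gcc -fprofile-generate -o hot.instr hot.o || exit 1
    # step 3: training run writes hot.gcda
    ./hot.instr 2000000 >/dev/null || exit 1
    [ -f hot.gcda ] || { echo "no profile written" >&2; exit 1; }
    # step 4: rebuild consuming the profile
    gcc -O2 -fprofile-use -c -o hot.o hot.c || exit 1
    gcc -o hot.pgo hot.o || exit 1
  ) || return 1
  echo "$work/hot.pgo"
}

T=$(mktemp -d)
if bin=$(pgo_build "$T"); then
  echo "PGO binary: $bin"
  "$bin" 1000000
else
  echo "build failed (is gcc installed?)"
fi
rm -rf "$T"
```

On a program this small the gain is invisible; the point is the mechanics, in particular that the profile must be produced by a run that resembles real use, since a branch never taken during training is laid out as cold in the final binary.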
11.5 Optimizing TCP / IP Network Pile (Ring 0)↑ Home
Although your Internet provider (ISP) promises you "1 Gigabit," it is very likely that your downloads and response times are being strangled on your machine's own base plate. The Linux Kernel by default uses network congestion control algorithms designed in the 1980s for unreliable analog networks (such as TCP CUBIC).
If we use Arch Linux, we can activate the algorithms designed by Google for their own YouTube servers (TCP BBR), created explicitly to maximize bandwidth and sink latency.
11.5.1 TCP BBR (Bottleneck Bandwidth and RTT)
BBR does not try to guess if the network is congested by counting the packages that are lost (as does the old algorithm). BBR continuously measures at what speed the pipe can send data and pumps them at an exact mathematical rate to never fill the buffer (avoiding the internal bufferblock).
To enable BBR persistently, we will inject kernel parameters by modifying sysctl:
sudo nano /etc/sysctl.d/99-bbr.confAdd the following network engineering lines:
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr(It is mandatory to use the plannerfqstrict instead offq_codelfor BBR to function to its maximum potential).
11.5.2 TCP Fast Open
When you visit a secure web (HTTPS), your PC and server do a three-step "dance" (SYN, SYN-ACK, ACK) before sending you a single image. TCP Fast Open (TFO) allows your PC to save a cryptographic cookie after the first visit, so in subsequent visits you send the "glued" web request to the very greeting (SYN), skipping the dance. Add to the same sysctl file:
net.ipv4.tcp_fastopen = 3(The value 3 activates TFO for both outgoing and incoming connections, vital if you use local Nginx).
11.5.3 Explicit Congestion Notification (ECN)
Finally, we enable ECN. It allows the intermediate routers (at your phone company) to mark packets with a bit meaning "careful, I'm congested," instead of simply dropping them, which would force your Arch Linux to resend them from scratch and cause lag in games.
net.ipv4.tcp_ecn = 1
After writing everything, order the kernel to absorb the changes live, without a reboot:
sudo sysctl --system
Your network stack has evolved three decades in five lines of text. Your upload performance to distant servers (e.g. uploading files from Spain to Japan) will see a dramatic increase in stability and sustained MB/s.
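Before running sysctl --system it is worth checking that the file really carries the four settings above, because a typo in a key name is silently ignored by the kernel. The following script is an added example and is not part of the book: it parses a sysctl.d-style file with the same rules sysctl uses (comments, spaces around the equals sign, a later duplicate overriding an earlier one) and reports any setting that differs from the recommended value. The file path and its contents are constructed here so the check runs offline; on a real box you would point it at /etc/sysctl.d/99-bbr.conf and then compare with the live values from sysctl -n <key>.

```shell
#!/bin/sh
# Added example (not from the book). Verifies a sysctl.d file against the
# four network settings recommended in section 11.5. Everything below is
# constructed for the demonstration.

# Look up one key in a sysctl.d file. Ignores comments and blank lines,
# tolerates spaces around '=', and lets a later duplicate override an
# earlier one (the same precedence sysctl applies within a file).
sysctl_file_get() {  # sysctl_file_get <file> <key>
    awk -v key="$2" '
        /^[[:space:]]*$/   { next }
        /^[[:space:]]*[#;]/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1); v = substr(line, eq + 1)
            gsub(/[[:space:]]+$/, "", k)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 only when all four settings match the recommended values,
# printing each mismatch so the operator sees exactly what is off.
check_net_tuning() {  # check_net_tuning <file>
    rc=0
    for pair in \
        net.core.default_qdisc=fq \
        net.ipv4.tcp_congestion_control=bbr \
        net.ipv4.tcp_fastopen=3 \
        net.ipv4.tcp_ecn=1
    do
        key=${pair%%=*}; want=${pair#*=}
        got=$(sysctl_file_get "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $key: have '${got:-<unset>}', want '$want'"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample file: wrong qdisc and a missing tcp_ecn line.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed stand-in for /etc/sysctl.d/99-bbr.conf
net.core.default_qdisc = fq_codel
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fastopen=3
EOF
check_net_tuning "$SAMPLE" || echo "fix the file before running: sudo sysctl --system"
rm -f "$SAMPLE"
```

The check is deliberately file-only: whether the kernel actually accepted bbr also depends on the tcp_bbr module being available, which you confirm after sysctl --system with sysctl -n net.ipv4.tcp_congestion_control.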
Chapter 12: Customized Kernels and Modular Architecture↑ Home
In its strictest definition, "Linux" is not the operating system you are using (your complete operating system is Arch, or more technically, a GNU/Linux variant). Linux is exclusively the kernel: a block of code that holds absolute privileges (Ring 0) over the CPU and memory. It manages processes and translates mouse or hard-drive commands into electrical impulses the hardware can understand.
Arch Linux uses a modular monolithic Linux kernel. This means it is a single huge block of code loaded at startup, but with the magic ability to insert or remove "modules" (network drivers, Bluetooth) live while the PC is running (modprobe), without requiring reboots.
Understanding, managing and even compiling your own kernels instead of accepting the default marks the final transition to mastery of UNIX systems.
12.1 The Four Horsemen: Arch's Official Kernels↑ Home
The Arch Linux organization pre-compiles and officially distributes four flavors of the Linux kernel. Keeping several of them installed at once is not only possible, it is the official recommendation. If a critical software update introduces a kernel-panic bug, on the next boot (from GRUB) you select your backup kernel and get back to work instantly.
12.1.1 linux (The Rolling Release Vanilla)
sudo pacman -S linux linux-headers
This is the package installed by default. It follows Linus Torvalds' stable branch directly and carries a conservative balance of patches. It is your daily workhorse. (Technical note: the linux-headers package is mandatory. It contains the C header files and interfaces that programs such as VirtualBox or NVIDIA's DKMS modules need to compile their own modules against your kernel version.)
12.1.2 linux-lts (Long Term Support - The Lifeguard)
sudo pacman -S linux-lts linux-lts-headers
Linux development moves fast. Every ~10 weeks a major version (e.g. 6.8 to 6.9) is released. If you use the linux kernel you are subject to those massive jumps. If an update to Intel's network code in 6.9 breaks your Wi-Fi card, your life will be miserable. Once a year, Torvalds and Greg Kroah-Hartman designate a version as LTS. That version (e.g. 6.6) is frozen and receives only security patches for 2 to 6 years. Installing the LTS kernel as a backup is mandatory. If you use Arch as a server (VPS), this is the only kernel you should boot.
12.1.3 linux-zen (Real-time and Latency Response)
sudo pacman -S linux-zen linux-zen-headers
Developed by the community (based on the historic Liquorix project), zen is heavily patched with one clear objective: extreme interactivity on the desktop and in games. While a standard server kernel (LTS) is designed to process massive blocks of data (e.g. a database server) by giving a single process hundreds of uninterrupted milliseconds on the processor (high throughput / batching), the Zen kernel is hyperactive and anxious. It uses low-latency schedulers that slice CPU time into very small time slices. The result? If your CPU is at 100% rendering a 4K video and you move the mouse, the Zen kernel interrupts the render for half a microsecond to process your mouse and draw the graphical interface. Your PC feels smooth as silk, even under overwhelming stress.
12.1.4 linux-hardened (For Safety Paranoics)
sudo pacman -S linux-hardened linux-hardened-headers
This kernel carries a massive out-of-tree security patch set (from high-security Android projects such as GrapheneOS). It closes a hundred theoretical back doors, prevents user-space memory from accidentally reaching kernel space (strengthening KASLR), and restricts BPF for unprivileged users. The disadvantage: performance drops by 3 to 10%, and programs like VirtualBox will often not work properly. Ideal if you are going to speak at hacker conventions like DEFCON or use untrusted public Wi-Fi networks.
12.2 Internal Management: Initramfs and Pacman Hooks↑ Home
When you installed the linux-zen package and its 200 megabytes of data, a silent piece of magic happened under the hood, for which you are fully responsible. A kernel cannot boot on its own from a complex storage setup (such as an NVMe disk formatted in Btrfs or encrypted with LUKS), because the kernel needs the Btrfs driver to read the disk... but the driver is inside the disk. A vicious circle.
The solution is the initramfs (Initial RAM File System). It is a mini compressed operating system (about 15 MB) that the boot manager (GRUB) loads into RAM along with the kernel. It contains disk decryption tools, LVM support and basic bash commands. From there, the kernel bootstraps itself and hands control over to your main hard drive.
12.2.1 The Generator: mkinitcpio
Arch uses the program mkinitcpio (a pure bash script) by default to generate these initramfs files. (Fedora uses dracut, which is also supported on Arch.)
When pacman installs a new kernel (e.g. an update of linux-lts), you will notice that it fires a "hook" (an automatic trigger). This hook calls mkinitcpio, which analyzes your current hardware (detecting whether you use Ext4, USB keyboards, graphics cards) and immediately builds and compresses an initramfs-linux-lts.img tailored to your machine, dropping it in /boot.
12.2.2 Adding Early Modules (Early KMS)
One of the mandatory optimizations for modern users is a clean visual transition (no black-screen flashes) from the GRUB menu to the desktop, with high-resolution graphics enabled from second zero. This is achieved by embedding the huge driver of your graphics card (which normally lives in /lib/modules/ on your disk) directly into the initramfs in RAM.
Open the build configuration file:
sudo nano /etc/mkinitcpio.conf
Find the MODULES=() array. If you have Intel integrated graphics, add i915. If you use AMD, add amdgpu. If you use NVIDIA, add nvidia nvidia_modeset nvidia_uvm nvidia_drm.
MODULES=(amdgpu)
Since we have altered the recipe for how the initramfs is built, we must manually regenerate the pre-compiled images of all our kernels. Run the batch command:
sudo mkinitcpio -P
12.3 The Master's Degree: Compiling a Personalized Kernel (linux-tkg)↑ Home
If you are a purist, you can download Linus Torvalds' C source code from kernel.org and use the fearsome make menuconfig (a blue text menu in the MS-DOS style of the 1990s with more than 10,000 cryptic kernel parameters) followed by a brutal make -j16.
However, compiling a kernel by hand and packaging it for pacman in a clean, uninstallable way requires writing PKGBUILDs of hundreds of lines. The contemporary "Arch" way to compile an ultra-optimized artisanal kernel (especially for gaming and low latency) is to use community orchestration tools, of which Frogging-Family/linux-tkg is the most revered.
12.3.1 Deployment of TKG
The linux-tkg project offers you a wrapper script that downloads the kernel source, applies dozens of exclusive patches absent from the official Torvalds kernel (extreme and experimental optimizations that the official team considers too aggressive or unstable) and automates the compilation with makepkg.
- Clone the repository from GitHub (never as root):
git clone https://github.com/Frogging-Family/linux-tkg.git
cd linux-tkg
- Open the file customization.cfg and read the options with astonishment. Here you choose the processor scheduling algorithm (BORE, PDS, BMQ, CacULE). BORE, for example, is a scheduler that massively prioritizes video games over background system processes. You can also enable LTO compilation and disable all kernel debugging (debug symbols) to speed up boot.
- Run the Arch builder (which calls the tkg script):
makepkg -si
The amazing power of localmodconfig: during the interactive tkg installer, the script asks whether you want to use localmodconfig. If you say yes, the compiler looks at the state of your hardware at this EXACT MOMENT. It will see that you have a Logitech mouse, a Ducky keyboard and Intel Wi-Fi. It will ignore the Razer mouse code, Xbox controllers, 1999 Chinese webcams and IBM server satellite antennas. The giant 150 MB (vanilla) kernel is compiled down to a concentrated, tiny, pure core of just 20 MB that understands only the hardware universe of your own room, and nothing more. It boots in fractions of a second and consumes a pittance of RAM.
(Final warning: if you compile your kernel with localmodconfig and tomorrow you buy a Wi-Fi card from another brand or a PS5 controller and plug it in by USB, your microscopic kernel will not know what they are, will not have the modules, and the devices will not work. You will have to rebuild the kernel with them connected before starting.)
At the end of the compilation, after updating GRUB (grub-mkconfig -o /boot/grub/grub.cfg), you restart the machine and find yourself running a system where even the lowest fibers of metal and silicon are bent to exactly your needs.
12.4 Crossing the Border: eBPF (Extended Berkeley Packet Filter)↑ Home
Imagine your Arch Linux kernel is misbehaving. A mysterious process is writing to the hard drive at 100 MB/s, and user tools like htop cannot tell you who it is or which exact file it is writing, because the process is born and dies within a millisecond (e.g. a corrupt cron job). Poking at or debugging Ring 0 is terrifying: if the kernel stops, the PC panics (Kernel Panic).
The modern technology that has revolutionized kernel analysis is called eBPF. It is an ultra-secure virtual machine (with sandboxing) embedded in the very heart of the Linux kernel. It lets sysadmins inject small programs written in C that hook into internal kernel functions at runtime. If the program you inject has a bug (an infinite loop, or an attempt to touch memory it does not own), the eBPF machinery rejects it before it ever runs, ensuring that the server never collapses.
12.4.1 Installation of eBPF Audit Tools
You don't need to be a kernel programmer to use eBPF. You can install the BCC tool collection and bpftrace, which bring dozens of pre-compiled scripts.
sudo pacman -S bcc-tools bpftrace
12.4.2 Clinical Diagnosis of Syscalls
For example, if you suspect that mysterious process of devouring the disk, we use the eBPF-based biosnoop script. It attaches directly to the block I/O requests of the disk controller:
sudo /usr/share/bcc/tools/biosnoop
Once you press Enter, the terminal waits, ignoring user programs, and prints every millisecond the PID, the application name, the physical disk sector and the exact number of bytes being written.
Want to see whether anyone on the server is secretly running the command rm -rf (delete everything)?
sudo /usr/share/bcc/tools/execsnoop
You will be shown, in real time, EVERY command (even the hidden half-second-lived ones) executed by any user. eBPF gives omnipresent power over the machine, a divine control over the structure of the code in the kernel.
12.5 Industrial Compilation: ccache and distcc (Server Grade)↑ Home
As we saw when generating a hyper-optimized kernel (Section 12.3) with the flag -march=native, compiling millions of lines of C/C++ (whether a custom kernel, the Chromium browser, or an entire base operating system) requires 100% of the processor for hours. If you own a light laptop and make it compile the kernel, it is likely to shut down from overheating.
To overcome the physical limits of silicon, we use two fundamental tools of enterprise development.
12.5.1 The Compilation Cache (ccache)
If you compile the kernel today (version 6.10.1), and tomorrow the security update 6.10.2 comes out, 99.9% of the C files have not changed. It would be stupid for makepkg to translate those files all over again. ccache is a program that wraps GCC. When you compile a file, ccache saves the result in a hidden database (~/.ccache/). If tomorrow you compile a file with the exact same content, ccache throws the compile request away, goes to its database, extracts the pre-computed object and injects it within milliseconds.
sudo pacman -S ccache
To force makepkg to use it, edit /etc/makepkg.conf: find the BUILDENV=() variable and remove the exclamation mark in front of ccache to enable it:
BUILDENV=(!distcc color ccache check !sign)
The first compilation of a TKG kernel will take 30 minutes. The second one (tomorrow's update) will take 45 seconds.
12.5.2 Network-based Compilation (distcc)
Imagine the scene: you are in an office (or at home) with your weak 4-core laptop. But on the same local network you have a massive, idle 16-core gaming desktop, and maybe an old 8-core file server. distcc lets you do compilation clustering.
When you run makepkg on your laptop, the laptop delegates the C files over TCP to the other computers. The giant desktop compiles 16 files at a time, the old server another 8, and the results are reassembled. Your laptop barely breaks a sweat, finishing colossal compilations in record time.
- On the worker machines (the powerful PC):
sudo pacman -S distcc
# Tell distccd which IPs (your laptop's network) are allowed to send it work
sudo nano /etc/conf.d/distccd
# Add: DISTCC_ARGS="--allow 192.168.1.0/24"
sudo systemctl enable --now distccd.service
- On the master machine (your laptop):
sudo pacman -S distcc
Tell your machine where its servants are by editing ~/.distcc/hosts:
# Desktop PC (16 threads) and the old server (8 threads)
192.168.1.50/16 192.168.1.60/8
- Final integration in makepkg:
Edit /etc/makepkg.conf again. Enable distcc in BUILDENV and alter MAKEFLAGS to unleash the fury of the 24 cores combined throughout your house:
BUILDENV=(distcc color ccache check !sign)
MAKEFLAGS="-j25"
You have turned your home network into a unified Arch Linux supercomputer cluster.
Chapter 13: System Cryptography and Advanced Security↑ Home
Linux is intrinsically secure by design thanks to its UNIX multi-user file model (everything requires the blessed sudo), but Arch Linux follows its doctrine of doing nothing by default. Your freshly installed system is a canvas of open ports. If you connect the laptop to an airport Wi-Fi network, other infected machines can probe your ports (Nmap scans). If you leave your physical PC in a cafe, anyone with a USB stick can boot into a chroot environment and lift your passwords out of the browser.
This chapter elevates the technical and cryptographic security of the "careless consumer" system to "inexpugnable architecture."
13.1 The Kernel Firewall (Netfilter and UFW)↑ Home
The magic that blocks malicious network requests lives deep in the kernel, in a subsystem historically called netfilter (and its evolutions, iptables and the modern nftables). Writing nftables rules by hand is suicide for your sanity and productivity. We use front-end programs. The two big ones in the industry are firewalld (complex, standard on Red Hat) and UFW (Uncomplicated Firewall, a clean design created by Canonical for Ubuntu, perfect for personal machines).
Firewall Manager Installation:
sudo pacman -S ufw
13.1.1 Configuring Defense Policies (Drop and Deny)
The standard paranoid policy (Default Policy) of a computer is simple: "I can call the outside, and no one can call me from the outside."
# Silently reject every connection that tries to enter my PC
sudo ufw default deny incoming
# Allow the browsers and games on my PC to call out (Internet)
sudo ufw default allow outgoing
Opening Ports as Needed (Whitelisting): if you are a web developer (Node.js / React / Apache), you may want to see from your phone how the website temporarily hosted on your local PC looks (port 80 for HTTP or 3000 for Node).
sudo ufw allow 80/tcp
sudo ufw allow 3000/tcp
To see a detailed breakdown of how the rules are set at this moment:
sudo ufw status verbose
And finally, order the system to raise the shield permanently (persistent across reboots):
sudo ufw enable
sudo systemctl enable --now ufw.service
13.2 Blinding the Devil: SSH (Secure Shell)↑ Home
If you rent a VPS (Virtual Private Server) with Arch Linux in the cloud (e.g. DigitalOcean, AWS), you depend entirely on sshd to control it remotely from your PC. The factory configuration of the OpenSSH daemon is criminally naive and weak for the modern Internet, because it accepts "Password Authentication."
Any PC open to the Internet on port 22 receives roughly 5,000 to 10,000 brute-force attacks daily from worldwide bot farms that try endless dictionaries (root, admin123, password) in an automated way until they hit yours.
13.2.1 The Asymmetric Cryptographic Key Ecosystem
The only 100% brute-force-proof approach is to disable classic passwords and use elliptic-curve cryptography. You generate a pair of randomly generated mathematical keys, keep the private key at home (it never leaves your physical PC), and copy the public key to the server. The SSH server sends a monstrous mathematical puzzle that only your PC (using the private key) can solve. No text, no "riddle."
1. Key generation on your client PC: use the Ed25519 format (a modern, ultra-safe and fast algorithm; never use the old RSA):
ssh-keygen -t ed25519 -C "llave_servidor_arch"
(It is saved in ~/.ssh/id_ed25519. Set a passphrase to encrypt the key file itself, in case your client computer gets hacked.)
2. Copy it to the remote machine:
ssh-copy-id -i ~/.ssh/id_ed25519.pub tu_usuario@192.168.1.100
(You will need to type the password one last time; this installs the key in the remote server's ~/.ssh/authorized_keys.)
13.2.2 Hardening of the Server Configuration
On your remote server or Arch machine, open and drastically modify SSH's master rules:
sudo nano /etc/ssh/sshd_config
Search for and modify (uncommenting) the following, without fail:
PasswordAuthentication no
The bot attacks just died, 100%. Nobody can guess text passwords anymore.
PermitRootLogin no
If an attacker gets in using a key stolen from you, they land in a normal user account. You forbid direct remote login to the God account (root).
Port 2244 (optional)
If you move the classic port 22 to an obscure port, 90% of the massive Russian/Chinese bots (nmap/zmap scanners) will not even find your front door. (Don't forget that your UFW firewall must be modified to admit the new port.)
Restart the service to apply the lock-down: sudo systemctl restart sshd.service.
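A detail that bites people when editing sshd_config: for a repeated directive, sshd uses the first uncommented occurrence, so appending "PasswordAuthentication no" at the bottom of the file does nothing if an earlier "PasswordAuthentication yes" is still active. The script below is an added example, not part of the book or of OpenSSH: it computes the effective value of the three directives above with that first-match rule and reports which ones are still weak. The config text is constructed inline so it runs offline; on a server you would pass /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the book). Audits an sshd_config for the three
# hardening directives of section 13.2.2. The sample config is constructed.

# Effective value of a directive. sshd keeps the FIRST occurrence; keywords
# are case-insensitive; settings inside a Match block are conditional, so
# the scan stops at the first Match line. Prints nothing if the directive
# is absent (sshd then uses its compiled-in default).
sshd_effective() {  # sshd_effective <file> <Directive>
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == want && !done { print $2; done = 1 }' "$1"
}

# Report each directive; return non-zero if any is still at the weak value.
audit_sshd() {  # audit_sshd <file>
    rc=0
    for pair in PasswordAuthentication:no PermitRootLogin:no; do
        d=${pair%%:*}; want=${pair#*:}
        got=$(sshd_effective "$1" "$d")
        if [ "$got" = "$want" ]; then
            echo "OK    $d $got"
        else
            echo "WEAK  $d ${got:-<default>} (want $want)"
            rc=1
        fi
    done
    port=$(sshd_effective "$1" Port)
    echo "INFO  Port ${port:-22}"
    return $rc
}

# Constructed sample: the hardened lines were appended at the end, but the
# earlier "yes" was never commented out, so password logins stay enabled.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# constructed stand-in for /etc/ssh/sshd_config
Port 2244
PasswordAuthentication yes
#PermitRootLogin prohibit-password
PermitRootLogin no
PasswordAuthentication no
EOF
audit_sshd "$SAMPLE" || echo "fix the file, then: sudo sshd -t && sudo systemctl restart sshd.service"
rm -f "$SAMPLE"
```

Two practical notes: run sshd -t (OpenSSH's syntax check) before restarting, since a broken config plus a restart locks you out of a remote VPS; and if your sshd_config begins with an Include line for a drop-in directory, those drop-in files are read first and, by the same first-match rule, win over anything below them.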
13.3 Functional Isolation of the Kernel with AppArmor↑ Home
Suppose you have the best firewall in the world (UFW), but one day you visit a website and your Firefox browser quietly downloads a malicious script. The script runs locally, with your permissions, and since Firefox has the right to read the photos in your Mis Imágenes folder or your SSH keys (~/.ssh), the malware packs them up and steals everything from you. The UFW network firewall cannot protect you from yourself; you need a local software prison (sandboxing).
In the Linux ecosystem there is SELinux (absolute complexity, used on Red Hat) and AppArmor (used by Ubuntu and SUSE, very intuitive).
AppArmor adds Mandatory Access Control (MAC) in Ring 0 of the kernel. It assigns strict "profiles" to applications, forcing them from the start to obey the principle of least privilege. A Firefox profile says: "Firefox only has permission, by order of the machine's kernel, to touch the ~/Downloads folder. Read access to ~/.ssh or ~/.gnupg is denied." The attack has been neutralized at its root.
13.3.1 Activation at Boot (GRUB Parameters)
Install AppArmor and the huge profile set created by the Ubuntu and Debian community:
sudo pacman -S apparmor
AppArmor is not a program that starts on its own. It is an LSM (Linux Security Module) that must be injected into the kernel in its very first millisecond. Open the GRUB boot manager configuration:
sudo nano /etc/default/grub
On the GRUB_CMDLINE_LINUX_DEFAULT line, add these parameters at the end of the line:
lsm=landlock,lockdown,yama,integrity,apparmor,bpf
(We are activating a full battery of kernel security modules: yama, integrity... AppArmor is one of them.)
Apply it by regenerating the GRUB configuration: sudo grub-mkconfig -o /boot/grub/grub.cfg.
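Both this step and the MODULES=() edit in section 12.2.2 are the same chore: append a token to a shell-style variable in a config file without duplicating it on a second run. The helper below is an added example, not part of the book or of any Arch tool: it inserts the token before the closing ")" of an array like MODULES=() or the closing quote of a string like GRUB_CMDLINE_LINUX_DEFAULT="...", skips the edit if the token is already present, and refuses to guess where to put the variable if the line does not exist. The file names and contents are constructed copies so it runs offline.

```shell
#!/bin/sh
# Added example (not from the book). Idempotently appends a token to a
# VAR=(...) array or VAR="..." string in a config file. The demo below uses
# constructed copies of /etc/mkinitcpio.conf and /etc/default/grub.

add_token() {  # add_token <file> <VAR> <token>
    file=$1 var=$2 token=$3
    # Already on the VAR= line: nothing to do, so re-running is harmless.
    if grep "^$var=" "$file" | grep -qF -- "$token"; then
        return 0
    fi
    # The VAR= line must exist; we do not invent one.
    grep -q "^$var=" "$file" || { echo "no $var= line in $file" >&2; return 1; }
    awk -v var="$var" -v tok="$token" '
        index($0, var "=") == 1 {
            n = length($0)
            close_ch = substr($0, n, 1)         # ")" for arrays, "\"" for strings
            body = substr($0, 1, n - 1)
            last = substr(body, length(body), 1)
            # No separator right after the opening delimiter or an existing space.
            sep = (last == "(" || last == "\"" || last == " ") ? "" : " "
            $0 = body sep tok close_ch
        }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Demo on constructed copies of the two files.
MK=$(mktemp); GR=$(mktemp)
printf 'MODULES=()\nHOOKS=(base udev autodetect)\n' > "$MK"
printf 'GRUB_TIMEOUT=5\nGRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet"\n' > "$GR"
add_token "$MK" MODULES amdgpu
add_token "$GR" GRUB_CMDLINE_LINUX_DEFAULT 'lsm=landlock,lockdown,yama,integrity,apparmor,bpf'
grep -hE '^(MODULES|GRUB_CMDLINE_LINUX_DEFAULT)=' "$MK" "$GR"
rm -f "$MK" "$GR"
```

Editing the file is only half the job, exactly as the book says: after touching /etc/mkinitcpio.conf you still run sudo mkinitcpio -P, and after touching /etc/default/grub you still run sudo grub-mkconfig -o /boot/grub/grub.cfg, or the change never reaches the boot path.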
13.3.2 Demon Activation and Audit
When you reboot the PC, the kernel will be listening for profiles to apply. Start the user-space loader daemon that injects the profile files into the kernel on every boot:
sudo systemctl enable --now apparmor.service
You can monitor the underlying magic with a diagnostic utility like aa-status. You will see that hundreds of profiles (e.g. libreoffice, evince, tcpdump) are marked in [enforce] mode. You are protected. Any violation will generate a severe red warning in your master log, dmesg.
13.4 Disk Encryption: The LUKS Mandate↑ Home
The firewall repels network intrusions; AppArmor neutralizes local exploits. But if you close your laptop in a cafe, get up for napkins and someone runs off with it, you have lost the war. Linux (and local Windows) passwords logically live in a file (/etc/shadow). An attacker removes the SSD from your laptop with a screwdriver, connects it to their own computer, mounts the filesystem while bypassing your operating system, and reads every photo, document and mail session as plain text (cleartext).
The absolute defense in computing is Full Disk Encryption (FDE). On Linux, the subsystem is called dm-crypt and the container format is called LUKS (Linux Unified Key Setup).
Encryption takes the millions of structured bits (zeros and ones) of your Ext4, Btrfs or /home partition and, by passing them through a brutal mathematical block cipher in your processor core (256- or 512-bit AES-XTS), turns your photos and the entire operating system into random white noise (high entropy). If someone extracts your hard drive, the forensic police, a thief or an intelligence agency will find thousands of gigabytes of useless static. The only way to turn the noise back into data is the unlocking master passphrase typed in the GRUB boot manager before starting.
13.4.1 The Pragmatic Reality of Implementing LUKS
Unlike the firewall or AppArmor, which you can install on any given Tuesday, LUKS acts destructively at a level below the disk format.
Installing LUKS on an Ext4 disk that has been in use for a year is unrealistic. It would require backing up all your data, encrypting in place with extremely slow tools, and if the power drops for 1 millisecond during the 8-hour process, you lose the entire disk forever. A proper LUKS deployment requires architectural planning during installation (Chapter 2 of this manual). After using cfdisk, cryptsetup luksFormat /dev/nvme0n1p3 is called, the mathematical container is temporarily unlocked (cryptsetup open), and only inside the unlocked container is the Ext4 format applied with mkfs.ext4 /dev/mapper/root_encriptado.
If you are reading this on a laptop full of corporate secrets and you do not have LUKS, the official high-security recommendation is: save your ~/.config folder and critical documents to a USB stick, do a clean installation from scratch (The Arch Way with encryption), and live in an ecosystem where a stolen drive is just a harmless piece of plastic and aluminium.
13.4.2 Final Audit (Lynis)
The system is now impenetrable at the network level, the process level and the physical disk level. To confirm this superhuman SysAdmin effort, download the Lynis ethical hacking suite.
sudo pacman -S lynis
sudo lynis audit system
The script scans all your daemons and files and prints a report (Hardening Index) with recommendations (e.g. disable compilers for unprivileged users). Your Arch Linux now operates under military-grade (DoD) certification standards.
13.5 Security Hardware: FIDO2 Authentication (YubiKey)↑ Home
Even with LUKS passphrases, SSH Ed25519 keys or encryption in the kernel, the weak link will always be the keyboard. If your computer is on, your disk is decrypted and someone plants spyware (a keylogger), it captures the root password every time you run sudo pacman -Syu.
In a "Zero Trust" ecosystem, no key typed on a keyboard is considered safe. Maximum security requires the U2F / FIDO2 protocol (Universal 2nd Factor). It is implemented by buying a USB cryptographic hardware token (such as a YubiKey).
This USB chip stores a private key that is impossible to extract physically (its circuitry self-destructs if you try to open it).
13.5.1 Integrating YubiKey with Sudo (PAM)
On Arch Linux we can rewrite the authentication modules of the entire operating system (PAM - Pluggable Authentication Modules). We will tell the system: "When I try to sudo, ask me for my password, but if the golden USB token is not inserted in the machine, deny access." A Russian hacker controlling your PC remotely cannot touch the physical USB in your living room; their destructive commands will fail.
- Install Yubico's official PAM module and the FIDO libraries:
sudo pacman -S yubico-pam libfido2
- Map your key to the current user:
Insert your YubiKey. Generate an association file in your home directory:
mkdir -p ~/.yubico
# This command issues a FIDO challenge that the key will answer (touch it when it blinks)
pamu2fcfg > ~/.yubico/u2f_keys
- Shaping sudo's behaviour:
This is a critical step. If you get it wrong, you can lock yourself out of root. Open (with extreme caution) the sudo PAM control file:
sudo nano /etc/pam.d/sudo
Right below the line that says #%PAM-1.0, add the following instruction:
auth required pam_u2f.so
Open a new terminal without closing the current one. Type sudo ls. It will not ask for a password; the console will freeze. Your YubiKey will blink furiously in green. The moment your finger makes contact with the key's capacitive metal, the ls command executes. If the USB token is not inserted, access is mathematically denied.
13.6 Active Defenses: Intrusion Audit (IDS) and Fail2Ban Expandido↑ Home
A system exposed to the Internet is like a castle under chronic siege. The passive walls (UFW firewall, Section 13.1) block closed ports. But what about the legitimate ports? If you host a Nextcloud server, Jellyfin, or a simple web application on an open port, the attacker will try to batter the login screen of that application.
13.6.1 Expanding Fail2Ban
Fail2Ban is a daemon written in Python that monitors log files (journald). When it sees too many consecutive errors from the same IP, it injects a dynamic rule into the firewall (UFW) to ban that attacker for X hours.
sudo pacman -S fail2ban
sudo systemctl enable --now fail2ban.service
By default, Fail2Ban only cares about the SSH port. But we can teach it to defend any service, using regular expressions (regex) in .local files.
Custom Protection (the Nextcloud case): imagine a server in the cloud writing to /var/log/nextcloud/nextcloud.log. You create the logical filter (the lock mask):
sudo nano /etc/fail2ban/filter.d/nextcloud.conf
Add:
[Definition]
failregex = ^.*Login failed: .* \(Remote IP: '<HOST>'\).*$
ignoreregex =
Then activate "the prison" (jail) by adding it to the local jails file:
sudo nano /etc/fail2ban/jail.local
[nextcloud]
enabled = true
port = http,https
filter = nextcloud
logpath = /var/log/nextcloud/nextcloud.log
maxretry = 3
bantime = 86400 # Get it wrong 3 times and you are blocked for 24 hours (86400 seconds).
Restart the daemon (sudo systemctl restart fail2ban). You now have a security guard who continuously patrols the logs, strangling whole botnets at the kernel's network layer.
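Before restarting Fail2Ban with a new filter, it pays to dry-run the failregex against real log lines; a regex that never matches leaves the jail silently useless, and one that matches too much bans legitimate users. Fail2Ban ships fail2ban-regex for exactly this. The script below is an added example (not the book's code and not Fail2Ban's): it applies the same failregex with plain sed, counts failures per host, and prints the hosts that would cross the maxretry = 3 threshold of the jail above. The log lines are constructed in the style of Nextcloud's JSON log, and the IPs come from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example (not from the book). Offline dry-run of the Nextcloud
# failregex from section 13.6.1 against constructed log lines.

# Same failregex as in filter.d/nextcloud.conf. Fail2Ban substitutes its own
# host pattern for <HOST>; a simple IPv4/IPv6 character class is used here.
FAILREGEX="^.*Login failed: .* \(Remote IP: '<HOST>'\).*$"
HOST_RE='([0-9a-fA-F.:]+)'

# Read log lines on stdin; print the matched host of every failing line.
extract_hosts() {
    re=$(printf '%s' "$FAILREGEX" | sed "s|<HOST>|$HOST_RE|")
    sed -E -n "s/$re/\1/p"
}

# Print the hosts with at least <maxretry> failures: what the jail would ban.
offenders() {  # offenders <maxretry>
    extract_hosts | sort | uniq -c | awk -v m="$1" '$1 >= m { print $2 }'
}

# Constructed sample log: one attacker failing three times, one legitimate
# user who mistypes once, and a successful login that must not match.
sample_log() {
cat <<'EOF'
{"level":2,"time":"2024-05-01T10:00:01+00:00","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"level":1,"time":"2024-05-01T10:00:02+00:00","message":"Login successful: 'alice' (Remote IP: '198.51.100.22')"}
{"level":2,"time":"2024-05-01T10:00:03+00:00","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"level":2,"time":"2024-05-01T10:00:04+00:00","message":"Login failed: 'alice' (Remote IP: '198.51.100.22')"}
{"level":2,"time":"2024-05-01T10:00:05+00:00","message":"Login failed: 'administrator' (Remote IP: '203.0.113.7')"}
EOF
}

echo "hosts that would be banned with maxretry = 3:"
sample_log | offenders 3
```

On the real server the equivalent check against the live log is fail2ban-regex /var/log/nextcloud/nextcloud.log /etc/fail2ban/filter.d/nextcloud.conf, which also tells you how many lines matched and how many were ignored.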
13.6.2 Post-Breach Audit: Hunting for Rootkits
Despite AppArmor and LUKS, we must be humble before state-sponsored actors or zero-day CPU vulnerabilities (such as Spectre or Meltdown). If a breach has occurred, the attacker will install a "rootkit": a set of code that replaces the standard tools (ls, ps) of your own operating system in order to become invisible. With a rootkit installed, when you run htop to see the processes, htop itself has been maliciously reprogrammed not to show the malware.
The cure is external, independent auditors: rkhunter (Rootkit Hunter) and chkrootkit.
sudo pacman -S rkhunter chkrootkit
As a sanity precaution on an Arch Linux server, you can schedule a systemd timer (Chapter 10) that runs these tools in the early morning.
sudo rkhunter --check
The tool downloads a database of cryptographic signatures. It analyzes whether the binaries in your /usr/bin/ match the ones pacman originally installed, or whether they have been overwritten by an attacker.
With this arsenal of U2F physical keys, reactive network jails and immutable binary auditors, you have turned your Arch Linux server into a highly available paranoid fortress, able to hold its sovereignty in the hostile core of the Internet.
Chapter 14: Web Server Architecture (Full LEMP Stack)↑ Home
Since Arch Linux always ships binary packages at their latest version (e.g. the newest builds of PHP 8.x or Nginx 1.25+), setting up a web server environment here yields one of the fastest platforms on the market. Many administrators avoid Arch in production for fear of the Rolling Release model, but if you skip the graphical environment packages and run your server "headless" (console only), its stability and agility are formidable for a SysAdmin who knows what they are doing.
We will deploy a LEMP architecture (Linux, Nginx, MariaDB, PHP), the standard that replaces the old LAMP (which used Apache).
14.1 Nginx: The Reverse Proxy and Asynchronous Web Server↑ Home
While Apache (the standard during the 2000s) spawned a new RAM-hungry process/thread for every user visiting your website (limiting the number of visits your PC could take), Nginx (pronounced "Engine-X") was designed by the Russian engineer Igor Sysoev with an asynchronous, event-driven architecture. A single Nginx process can handle more than 10,000 simultaneous connections using almost zero extra RAM, and it works superbly as a reverse proxy (placed in front of a Node.js or Python server).
14.1.1 Initial Installation and Optimization
sudo pacman -S nginx
Before we even start the service, we adjust the main engine. Open the Nginx configuration:
sudo nano /etc/nginx/nginx.conf
The first lines set the behaviour of the "workers." Change worker_processes 1; to:
worker_processes auto;
worker_rlimit_nofile 100000;
(This tells Nginx to deploy as many workers as CPU cores you have available, and raises the limit on files the Linux kernel lets it keep open simultaneously.)
In the events section:
events {
worker_connections 4096;
multi_accept on;
}
(multi_accept lets a worker accept all new connections at once, massively reducing latency when your server gets a spike of visits, the "Slashdot effect".)
Enable and start the beast:
sudo systemctl enable --now nginx.service
(Firewall note: if you followed the UFW section in Chapter 13, you must run sudo ufw allow 80/tcp and sudo ufw allow 443/tcp.)
14.2 Relational Engines (MariaDB) and Storage↑ Home
The relational database engine is the heart of your applications' state (where users, passwords and articles are stored). Oracle bought MySQL and partially closed it; the original creator forked his own code and called it MariaDB, ensuring it would always remain open source. On Arch they are 100% interchangeable, command for command.
14.2.1 Initialization of the Cluster on Arch
A critical technical detail: installing the MariaDB package on Arch Linux does NOT create the filesystem scaffolding where the InnoDB tables or B-tree indexes live. This is intentional, for security (on Ubuntu it is done behind the scenes in a post-install script).
- Install the engine:
sudo pacman -S mariadb
- Initialize the data directory as the mysql user:
sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
- Start the daemon:
sudo systemctl enable --now mariadb.service
14.2.2 Hardening of the Database
A freshly installed database server is a ticking time bomb (any anonymous user can log in). MariaDB includes a script to patch these holes. Run:
sudo mariadb-secure-installation
- Root password (MariaDB): you will be asked whether to configure authentication with unix_socket. On Arch this is highly recommended, as it prevents anyone from logging in as root to the database unless they are the physical Linux root user on your machine.
- Answer "Y" (yes) to delete anonymous users.
- Answer "Y" to disable remote access for the root user.
- Answer "Y" to delete the test database.
- Answer "Y" to reload the privilege tables.
14.3 The Server Process Manager: PHP-FPM
Nginx, because of its hyper-efficient design, does not include a code interpreter (it does not understand PHP, Python or Ruby). It is purely an HTTP server and static-file dispatcher (images, CSS). To run a dynamic website (such as WordPress) we need to install a processor that runs alongside it. For PHP, the standard is the FastCGI Process Manager (PHP-FPM).
14.3.1 Installation and UNIX Sockets
sudo pacman -S php php-fpm
PHP-FPM and Nginx need to talk to each other extremely fast (thousands of times per second). They could talk by sending internal network packets (TCP to 127.0.0.1:9000), but on the same physical machine that wastes resources in the kernel's TCP/IP stack. The professional solution is a UNIX socket, a special file (usually /run/php-fpm/php-fpm.sock) that acts as a direct in-memory channel.
We enable the PHP-FPM service:
sudo systemctl enable --now php-fpm.service
14.3.2 Routing Nginx to PHP
Open Nginx's "server block" configuration in /etc/nginx/nginx.conf. Find the block that starts with server { listen 80; ... }.
Modify it to catch every request ending in .php and hand it to the PHP-FPM UNIX socket:
server {
    listen 80;
    server_name mi-sitio-web.com www.mi-sitio-web.com;
    root /usr/share/nginx/html;
    index index.php index.html;
    location / {
        # If the file does not physically exist, send the request to the router (index.php)
        try_files $uri $uri/ /index.php?$args;
    }
    # FastCGI block
    location ~ \.php$ {
        # Intercepts .php files
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # Extra security block
    location ~ /\.ht {
        deny all;
    }
}
Create a test file at /usr/share/nginx/html/info.php containing <?php phpinfo(); ?>, restart Nginx (sudo systemctl restart nginx.service) and visit your IP in the browser.
14.4 SSL / TLS Cryptography: EFF Certbot
Leaving a website on plain HTTP (port 80) in the 21st century is unacceptable: all data (including your WordPress users' passwords) travels in clear text across the submarine cable network, and modern browsers (Chrome / Firefox) will penalise your SEO or outright block access to your site with a red warning screen ("Your connection is not private"). SSL / TLS certificates (the ones that make the padlock appear in the address bar) used to cost hundreds of dollars a year. Today the Electronic Frontier Foundation (EFF) manages Let's Encrypt, which offers free, strong, automated certificates.
14.4.1 Certbot's Total Automation
For this to work, your Arch server must have a real domain (e.g. www.tu-web.com) pointing at your public IP from your domain registrar (Cloudflare, Namecheap), and ports 80 and 443 open on your home router / VPS.
We install the EFF command-line tool (Certbot) and its plugin for talking to Nginx:
sudo pacman -S certbot certbot-nginx
Deployment is brutally simple:
sudo certbot --nginx
The Certbot script will do the following:
- Read your /etc/nginx/nginx.conf file looking for the server_name blocks.
- Spin up a mini web server to solve an HTTP-01 challenge against the Let's Encrypt servers, proving that you control the physical machine.
- Download your certificate (.pem) and private key (.key).
- Magic: Certbot will automatically modify (write configuration into) your nginx.conf, closing the port 80 block, forcing a 301 redirect to port 443 (HTTPS), and injecting the paths of your SSL certificates.
- Reload Nginx gracefully without interrupting visitors.
14.4.2 Automated Renewal (systemd Timer)
Let's Encrypt certificates expire after exactly 90 days to limit the damage if a key is stolen. To avoid logging in over SSH every three months, the Arch package already ships a timer (certbot.timer) that checks the certificates twice a day and renews them if fewer than 30 days remain before expiry.
sudo systemctl enable --now certbot.timer
You have built a complete enterprise-grade stack: secure, extremely fast, asynchronous and fully self-renewing. Your infrastructure is ready to host whatever you come up with.
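To see the decision the timer makes, here is an added example (not from the book and not Certbot's own code) that applies the same 30-day rule to any PEM certificate with openssl. The directory layout /etc/letsencrypt/live/<domain>/cert.pem is Certbot's; the function names and the throwaway self-signed test certificate are constructed for this example.

```shell
#!/bin/sh
# Added example: reproduce the renewal decision certbot.timer makes, using
# openssl on a PEM certificate. 30 days is the threshold described above.
RENEW_WINDOW_DAYS=30

# needs_renewal CERT_PEM: returns 0 when the certificate expires within the
# window (or has already expired), 1 when more than the window remains.
needs_renewal() {
    cert="$1"
    seconds=$((RENEW_WINDOW_DAYS * 86400))
    # openssl x509 -checkend N exits 0 if the cert is still valid N seconds
    # from now and 1 if it will have expired by then.
    if openssl x509 -in "$cert" -noout -checkend "$seconds" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# make_test_cert OUT_PEM DAYS: constructed test data, a self-signed certificate
# valid for DAYS days, standing in for /etc/letsencrypt/live/<domain>/cert.pem.
make_test_cert() {
    out="$1"
    days="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=example.test" -keyout "${out%.pem}.key" -out "$out" \
        >/dev/null 2>&1
}

# check_live_certs [DIR]: walk a Certbot-style live directory and print one
# status line per certificate, as a timer or cron job would.
check_live_certs() {
    dir="${1:-/etc/letsencrypt/live}"
    for d in "$dir"/*/; do
        [ -f "$d/cert.pem" ] || continue
        if needs_renewal "$d/cert.pem"; then
            echo "RENEW  $(basename "$d")"
        else
            echo "ok     $(basename "$d")"
        fi
    done
}
```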
14.5 RAM Cache Storage (Redis)
If you have a WordPress blog receiving 1,000 visits per hour, your MariaDB database will have to read the articles from the drive (SSD) and recompute the SQL 1,000 times. This will melt your CPU. The industry solution for high-traffic sites is not to tune MariaDB harder, but to put a hyper-fast in-RAM database (a key-value store) right in front of it. The undisputed king here is Redis.
Redis keeps the most requested data in RAM. RAM is 100 times faster than an NVMe SSD. If the page exists in Redis, the user is served in microseconds, skipping MariaDB entirely.
14.5.1 Installation and Kernel Tuning for Redis
sudo pacman -S redis
Redis is extremely demanding about how the Linux kernel manages memory. If you start Redis without adjusting the kernel, it will log warnings saying its performance is crippled.
We must fix two settings in sysctl (/etc/sysctl.d/99-redis.conf):
# Redis needs permission to overcommit memory
vm.overcommit_memory = 1
# Redis needs dynamic THP (Transparent HugePages) disabled to avoid purge latency
To disable THP (if you enabled THP in Chapter 11, you must create an exception for the Redis service in systemd; because systemd does not perform shell redirection, the write has to go through a shell: ExecStartPre=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled').
Enable and start Redis:
sudo systemctl enable --now redis.service
14.5.2 Integration (Object Cache)
If you use PHP, you must install the communication module:
sudo pacman -S php-redis
In your web application (e.g. WordPress) you install an Object Cache plugin and point it at 127.0.0.1:6379 (the default Redis port). From that moment on, your site's load times will drop from 800 ms to 40 ms.
Redis also needs an eviction policy. If you have given Redis 2 GB of RAM and it fills up, what should it do? Edit /etc/redis/redis.conf and set:
maxmemory 2gb
maxmemory-policy allkeys-lru
(LRU = Least Recently Used. It evicts the data that has gone longest without being accessed, keeping the cache always fresh without hanging the server.)
14.6 Advanced Reverse Proxy and Load Balancing
As we saw in Chapter 14.1, Nginx can route requests to PHP-FPM, but its real enterprise power is acting as a reverse proxy. Imagine you have a Node.js application running on port 3000, a Python API (FastAPI) running on 8000, and three Docker containers running database servers. You do not want to expose all those ports to the world. You want Nginx to intercept everything on port 443 (secure HTTPS) and distribute the traffic logically.
14.6.1 Proxy Pass Configuration
Open the server block configuration (/etc/nginx/nginx.conf):
server {
    listen 443 ssl http2;
    server_name api.mi-sitio-web.com;
    # Certificates managed by Certbot (Chapter 14.4)
    ssl_certificate /etc/letsencrypt/live/api.mi-sitio-web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.mi-sitio-web.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3000;
        # These headers are CRITICAL. Without them the Node.js app will think the visit
        # comes from the server itself (127.0.0.1) instead of the internet user's real IP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
14.6.2 Load Balancing
If your Node.js application on port 3000 is saturated, you can spin up three copies of the same application on ports 3001, 3002 and 3003. Nginx can distribute the traffic across the three (round-robin algorithm) so that your server handles triple the load.
Add the upstream block OUTSIDE the server block:
upstream mi_app_node {
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;
    server 127.0.0.1:3003;
}
And then, instead of pointing at a fixed IP, you reference the group:
proxy_pass http://mi_app_node;
14.6.3 Military-Grade Security Headers
A poorly configured web server enables injection attacks (XSS) and iframe hijacking. In Nginx, always inject these headers in your main block:
# HSTS: forces browsers to remember that your site ONLY works over HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Prevents other sites from embedding your page inside theirs (anti-clickjacking).
add_header X-Frame-Options "SAMEORIGIN";
# Stops browsers from guessing the file type, mitigating hidden-script attacks.
add_header X-Content-Type-Options "nosniff";
With these additions your LEMP infrastructure (Linux, Nginx, MariaDB, PHP / Node / Redis) will pass any bank security audit or modern pentesting stress test, turning your Arch machine into an unshakeable web production bunker.
Chapter 15: Virtualization, Passthrough and Containers
Modern computing is the science of lying to hardware. We lie to an operating system, making it believe it has a physical machine (virtualization), or we lie to an application, making it believe it is the only inhabitant of memory (containers). As an advanced Arch user, you will rarely compile code on your host system for fear of polluting your precious installation with thousands of orphan dependencies. For dangerous tests, web deployments or wild compilation jobs, isolated environments are used.
15.1 The Age of the Type 1 Hypervisor: KVM and libvirt
There are Type 2 hypervisors, such as VirtualBox or VMware Player. These run as a normal program (just like the web browser) in user space, adding a massive layer of delay to the interpretation of disk and CPU commands.
On Linux we use a Type 1 hypervisor called KVM (Kernel-based Virtual Machine). Because it is physically embedded in the kernel, KVM turns Arch Linux itself into a bare-metal hypervisor with only about 2% performance loss. We use QEMU to emulate the motherboard, network and peripherals, and the libvirt API to orchestrate all of this.
15.1.1 Installing the Virtualization Ecosystem
sudo pacman -S qemu-desktop libvirt edk2-ovmf virt-manager dnsmasq
edk2-ovmf: the open-source UEFI firmware. Without it your virtual machines could not use GPT disks and would be stuck pretending to be 2005-era machines.
virt-manager: a GTK graphical tool that hides all of libvirt's painful XML commands, giving you a "VirtualBox-like" experience but on steroids.
Add your user to the libvirt group so you do not have to type passwords every 2 minutes, and start the central daemon:
sudo usermod -aG libvirt francesc
sudo systemctl enable --now libvirtd.service
15.1.2 VFIO PCI Passthrough (The Holy Grail of Gaming in a VM)
(Advanced, theoretical) One of KVM's most impressive technical achievements is PCI passthrough. If you have two graphics cards in your desktop PC (for example, an integrated Intel and a discrete NVIDIA RTX), you can isolate (bind) the NVIDIA card through your motherboard's IOMMU group and physically hand it to your Windows 11 virtual machine. The result is Arch Linux running on the integrated GPU on monitor 1, and a virtual Windows machine running on monitor 2 with the official NVIDIA Windows drivers, reaching 99% of native gaming performance. Windows 11 has no way of knowing it is virtualized and believes it is the rightful owner of the RTX silicon. (This process requires modifying the IOMMU boot parameters and complex VFIO kernel isolation.)
15.2 Container Architecture: Docker
Virtual machines (VMs) simulate the motherboard, install their own kernel (e.g. 2 GB of Windows), boot their own hard drive, and so on. They consume a lot of RAM and take 30 seconds to start. Containers are a Linux-kernel-only technology. They use cgroups (CPU / RAM control groups) and namespaces (network and user isolation) to deceive the process. A container running a web server (Nginx) and a database (PostgreSQL) shares EXACTLY THE SAME KERNEL as your Arch Linux. The container weighs only 30 megabytes (because it contains no operating system, only binaries and system libraries), starts in 0.2 seconds (because the kernel is already running), and consumes the same RAM a normal process would. It is alien-level engineering efficiency.
15.2.1 The Docker Ecosystem and the Daemon
sudo pacman -S docker docker-compose
Docker uses a client-server architecture. The client is the terminal command, but the server is a large process (dockerd) that runs as root in the background to orchestrate the networking and storage magic.
sudo systemctl enable --now docker.service
sudo usermod -aG docker francesc
(Log out and back in. IMPORTANT: on Linux, being in the docker group is technically equivalent to holding unrestricted root permissions. A malicious user could create a container and mount the entire /dev/nvme disk inside it.)
15.2.2 Images, Containers and Compose
In Docker, the read-only template is called an Image, which you download from a global repository (Docker Hub). When you tell Docker to "run" that image, Docker clones the template and creates a volatile writable layer on top, calling it a Container.
A quick command to run a clean Ubuntu inside your Arch Linux without installing Ubuntu:
docker run -it ubuntu /bin/bash
The real infrastructure (Docker Compose): in a real development environment we do not use very long one-off commands. We describe the infrastructure in a declarative YAML file and the computer brings it up. For example, if you need to test the new version of Ghost CMS (a WordPress competitor) and you do not want to pollute your system with odd Node.js or MariaDB packages, create a docker-compose.yml file in an empty folder:
version: '3.1'
services:
  ghost:
    image: ghost:latest
    ports:
      - "8080:2368" # Maps your local port 8080 to port 2368 inside the container
    environment:
      database__client: mysql
      database__connection__host: db
      database__connection__user: root
      database__connection__password: contraseña_secreta
      database__connection__database: ghost
  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: contraseña_secreta
Run from the folder:
docker-compose up -d
Within 5 seconds Docker downloads both images, creates an isolated virtual network, brings up MySQL, waits for it to respond, brings up the CMS and maps your port. Open localhost:8080 in your browser and your complex web server is alive. When you are done, run docker-compose down and the system, databases and configuration evaporate into the void, leaving your Arch Linux completely pristine.
15.3 Secure Evolution: Podman (Daemonless and Rootless)
Red Hat identified three severe vulnerabilities in Docker's architecture (and replaced it in OpenShift, its enterprise Kubernetes orchestrator):
- Single daemon (SPOF, single point of failure): if the dockerd process (the central server) hangs and crashes, ALL your thousands of containers go down simultaneously, taking the server with them.
- Root security: the daemon must always run as the superuser, opening a huge range of exploits (escapes from the container to the host machine).
- Not systemd-friendly: because it does not interact well with the init system, it is hard to have containers start natively when the PC boots.
The answer is Podman. Podman has no central server (daemonless). And most importantly, Podman lets your standard user (francesc) run, download and build complex containers entirely in normal user space without ANY superuser permission (rootless containers). If malware breaks out of a Podman container, it will only find standard user permissions.
15.3.1 Installation and Migration
sudo pacman -S podman podman-compose
The transition from Docker to Podman is designed to be imperceptible. The engineers cloned exactly the same commands. In fact, the official manual suggests a trick in your shell (~/.bashrc):
alias docker=podman
alias docker-compose=podman-compose
With this in place, your old automated work scripts that call docker run ... will silently invoke Podman instead.
Podman also has the superpower of exporting the state of a container into systemd's native language (.service), letting you inject your infrastructure directly into the operating system's runlevels without third-party daemons in the middle, achieving the absolute stability of the Arch Linux system you built.
15.4 Lightweight Virtualization (LXC / LXD)
While Docker and Podman (Chapter 15.2) are designed around the "one process per container" philosophy (i.e. you bring up one container just to run Nginx and another just to run the database), there is another paradigm: system containers.
Linux Containers (LXC) and its advanced manager LXD / Incus let you create containers that behave exactly like virtual machines (they have their own system, their own init process, and can install cron jobs and multiple applications inside), but using the kernel of your underlying Arch Linux. There is no CPU emulation (KVM) or hypervisor.
15.4.1 Starting the Incus Ecosystem
LXD was maintained by Canonical (Ubuntu), but after a licence change that closed the project off, the Linux community created a fork (Incus), which is the current standard adopted by Arch Linux.
sudo pacman -S incus
sudo systemctl enable --now incus.service
You must add your user to the incus-admin group and configure the daemon by answering its interactive questions (assign a ZFS or Btrfs storage pool and create a virtual network bridge):
sudo usermod -aG incus-admin francesc
sudo incus admin init
15.4.2 Launching Complete Systems
To launch a container with Alpine Linux, Debian or even another copy of Arch Linux inside your host in under a second:
incus launch images:archlinux/current maquina-arch-2
To enter that machine as root (it will have its own internal IP, its own firewall and its own daemons):
incus exec maquina-arch-2 -- bash
This architecture is used by hosting companies (VPS) to rent you cheap "dedicated servers". They are renting you an LXC container that, to you, is indistinguishable from a physical machine.
15.5 Large-Scale Orchestration: Kubernetes (K3s)
When you have 100 Docker containers spread over 5 different physical servers, Docker Compose falls short. If server 1 physically burns out, Docker does not know how to bring the lost containers back up on server 2 automatically.
Kubernetes (K8s) is the absolute standard for cloud orchestration (invented by Google). It is an operational intelligence system that ensures the desired state of your applications is kept alive no matter the physical chaos of the hardware. Installing pure Kubernetes "the hard way" requires an entire book, but Rancher Labs created K3s, a certified lightweight distribution that strips out legacy code, perfect for installing on a single Arch Linux node or a cluster of Raspberry Pis.
15.5.1 Installing K3s (Master Node)
K3s uses containerd (the engine underneath Docker) and comes as a single binary. On Arch we can install it from the AUR:
yay -S k3s-bin
We enable the service as a server node (master / control plane):
sudo systemctl enable --now k3s.service
To use the client tool (kubectl) without being root, we copy the cluster's cryptographic configuration file:
mkdir ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown francesc:francesc ~/.kube/config
15.5.2 K8s Concepts: Pods and Ingress
With K3s running, you no longer talk to individual containers. You speak in "declarations". You send a YAML file to the master server.
A classic despliegue.yaml file in K8s:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mi-web-escalable
spec:
  replicas: 3 # Magic! K8s will bring up 3 copies and keep them alive
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx-contenedor
        image: nginx:latest
        ports:
        - containerPort: 80
You apply the infrastructure:
kubectl apply -f despliegue.yaml
You will see 3 "Pods" (capsules containing your containers) come to life. If you run kubectl delete pod [nombre], simulating a catastrophic failure, you will see the K3s orchestrator notice within a second that a replica is missing and start a new container to replace it automatically.
K3s also includes Traefik, an Ingress controller (an intelligent router that does the same reverse-proxy job as Nginx in Chapter 14, but dynamically and automatically as containers are born and die).
With K3s running on your local machine, your Arch Linux computer becomes a cloud-native development platform. You write code, pack it in a container and deploy it to your local Kubernetes, ensuring that when you push it to the massive clusters of Amazon AWS or Google Cloud it will behave exactly the same.
Chapter 16: The Art of Software Development (The Developer's Arch)
You have climbed a huge technical mountain. Installing and hardening Arch Linux is a demanding training process that few professionals take on, and if you have completed it, you have a hyper-agile system under your command. Arch Linux is, without fear of being wrong, the perfect machine for the software engineer, programmer and data scientist.
On a friendly distribution like Ubuntu, if you need v20.x of Node.js or the C++20 compiler, you depend on third-party PPA repositories maintained by dubious Launchpad accounts. On Arch, everything lands in your repositories as soon as the upstream code matures. In this chapter we will armour our environments so we can program without corrupting the underlying system.
16.1 The Philosophy of Isolated Environments (Logical Sandboxing)
The first rule of development on a rolling-release system: never install libraries or global language dependencies with external managers such as pip (Python), npm (Node) or cargo (Rust) using sudo. If you do, the language's package manager (pip) will overwrite files in /usr/lib/ without pacman knowing. Months later, pacman will try to install something there and collapse the system with an irreconcilable conflict error. Environment managers are always used instead.
16.1.1 Python Ecosystem (venv and PEP 668)
Python is very tightly bound to Arch Linux itself (many native tools and AUR helpers use it). If you try sudo pip install requests, Arch will reject you with a red PEP 668 warning saying the environment is "externally managed" (managed by pacman).
To program in Python safely:
- Install virtualenv:
sudo pacman -S python-pip python-virtualenv
- Create your project's microclimate: when you start a project, create its own contained environment locally in the project folder.
mkdir mi_proyecto_backend && cd mi_proyecto_backend
python -m venv .venv
- Activate the environment (source it):
source .venv/bin/activate
Your prompt will change. From now on, everything you install (e.g. pip install Django) will be confined to the hidden .venv folder and ignored by the system at large.
16.1.2 JavaScript / TypeScript Ecosystem (NVM and Node)
Frontend development changes brutally fast. Many old projects you inherit will require historical versions (e.g. Node.js v14 for a legacy project, Node.js v22 for your modern app). Installing the static nodejs package with pacman will ruin your life by limiting you to a single version.
The industry standard is the Node Version Manager (NVM). Being an external script, it lives in the AUR:
yay -S nvm
You must load the NVM environment at the start of your interactive shell (e.g. ~/.bashrc or ~/.zshrc).
echo 'source /usr/share/nvm/init-nvm.sh' >> ~/.bashrc
source ~/.bashrc
Control time itself:
- To download the latest LTS version recommended for production:
nvm install --lts
- To download the old version 16:
nvm install 16
- To switch versions instantly:
nvm use 16
- All global npm installs (e.g. npm install -g yarn) will be cleanly isolated inside a local hidden folder (~/.nvm/).
16.1.3 C / C++ and Rust Ecosystem (The Fashionable Language)
Rust is fundamental because an immense number of Arch's native tools are being rewritten in Rust (even parts of the modern Linux kernel). Just as Node has NVM, Rust has rustup.
sudo pacman -S rustup
rustup default stable
(This downloads and initialises the binaries of the rustc compiler and the excellent cargo package manager in the ~/.cargo/ folder.)
To program in C / C++, you should already have the essential build package used to compile things from the AUR, which gives you the glorious GCC and Make:
# You already have these if you followed the guide; we add the debugging tools.
sudo pacman -S base-devel gdb clang cmake
Clang and CMake are the winning pair for compiling C++ instantly in modern IDEs.
16.2 Version Control: Git at SysAdmin Level
You are a programmer. You need Git as much as you need oxygen.
sudo pacman -S git
Asymmetric authentication (goodbye web tokens): cloning private repositories from GitHub / GitLab over HTTPS requires typing cumbersome personal access tokens that expire. The hacker approach is to use the SSH key you generated in Chapter 13. Go to GitHub on the web -> Settings -> SSH and GPG keys -> New SSH Key. Paste in the public part of your terminal-generated key:
cat ~/.ssh/id_ed25519.pub
You can now clone code without passwords using the repositories' SSH URLs: git clone git@github.com:torvalds/linux.git
Improvements (dotfile aliases in .gitconfig): Git's configuration is saved in your home directory. Use these commands to colour the interface and force the log command to draw an ASCII graph of the version tree:
git config --global user.name "Tu Apellido"
git config --global user.email "developer@empresa.com"
git config --global color.ui auto
git config --global init.defaultBranch main
git config --global core.editor "nano"
# The super-alias for visualising branches:
git config --global alias.tree "log --graph --decorate --pretty=oneline --abbrev-commit"
Now when you type git tree you will see the whole branched history of the repository in glorious colour.
16.3 Integrated Development Environments (IDEs and Editors)
A master carpenter respects his tools. Choosing an editor on Linux (and Arch) is almost a religion. There are two dominant philosophies: broad GUI-based usability (VS Code) and the relentless keyboard-driven minimalism of the terminal (Neovim).
16.3.1 Visual Studio Code: Beware the Telemetry
It is undeniable that VS Code is the current champion. However, the binary distributed by Microsoft contains silent telemetry (collection of usage metrics about you) and closed proprietary licences.
As an Arch Linux user you have access to Code OSS (Open Source Software), which is exactly the same program, built directly from the source code by the Arch community, without Microsoft's invasive privacy insertions (telemetry removed).
# The pure, free version from the official repos
sudo pacman -S code
- Practical problem: since this free build pays no licences to Microsoft, Microsoft's policy forbids it from connecting to the official extension Marketplace, forcing you to use the free marketplace (Open VSX).
- Solution (if you need Microsoft's proprietary extensions, e.g. Remote-SSH or Pylance): install the official proprietary build available in the AUR:
yay -S visual-studio-code-bin
16.3.2 Neovim: The UNIX Developer's Editor (Terminal)
Neovim is not just an update of vim. It is a massive rewrite of its core that lets it work asynchronously and, above all, use the Lua language for ultra-fast configuration, giving you static code analysers (LSP, the Language Server Protocol, the engine behind VS Code) integrated directly into your console.
sudo pacman -S neovim
If you run nvim, the learning curve is monumental (you cannot even move through the text without knowing that 'j' goes down, 'k' goes up, and quitting requires the command :wq). To enjoy the power of an IDE without spending a month configuring it, install a community-maintained Neovim distribution, which turns the bare console into a spectacular visual editor in 30 seconds by injecting hundreds of Lua scripts (extreme ricing).
Neovim distribution example: NvChad. Make sure your Nerd Fonts are properly installed (Chapter 7) and run:
# Back up any previous config you had
mv ~/.config/nvim ~/.config/nvim.bak
# Download the ultra-fast NvChad framework
git clone https://github.com/NvChad/starter ~/.config/nvim
# Open it for the first time so it compiles its plugins itself:
nvim
You will be surprised to find that inside your old black terminal lives a fluid IDE with millisecond autocompletion, C++ syntax analysis and a tree-style file explorer, using 2% of the RAM that VS Code would require.
16.4 End of the Journey (System Conclusion)
It has been a long journey through the corners of hardware and software. We started at a black terminal with a blinking UEFI boot error. We formatted block devices, mounted partitions blind, chrooted our consciousness into the brain of the system and built the base universe with pacstrap.
Then we raised the skeleton, giving it muscles (custom TKG kernel, C++ optimisation flags -march=native), a nervous system (NetworkManager and PipeWire) and an unbreakable titanium frame (AppArmor, LUKS and UFW). Finally we gave it sight and life with Wayland, composing crystal-clear, fluid art thanks to Hyprland and our obsessive ricing work, culminating in the forging of isolated Docker and Python environments to turn the machine into the production workstation any engineer dreams of.
You have mastered the fundamental architecture of the world's most malleable operating system, learned commands that technical manuals take for granted, and understood the theory of why things sometimes break. The distribution will not fail on its own. You have total power over every package. Arch Linux does not assume you are an idiot; it assumes you are, or will become, an elite software professional.
Welcome. The manual never ends. The manual, in fact, is always being updated on the Arch Wiki. Good luck.
16.4 Modern Compilated and Debugging Languages (Go and Rust)↑ Home
Beyond C / C + + and the languages interpreted as Python, Arch Linux is the paradise for modern system developers (Backend and CLI), where languages like Go (Golang) and Rust dominate the Cloud Computing market.
16.4.1 The Golang Ecosystem
Unlike NodeJS or Python, the Go compiler is incredibly static and generates autonomous monolithic binaries. You can install the latest version directly with pacman, without fear of breaking the system (Go does not use shared dependencies C).
sudo pacman -S goHistorically, Go required a strict hierarchy of folders calledGOPATH(typically~/go). Today, thanks to the "Go Modules," you can start a project in any corner of your hard drive:
mkdir mi_api_go && cd mi_api_go
# Inicializa el rastreador de módulos apuntando a tu futuro repositorio
go mod init github.com/francesc/mi_api_goTo compile a Go program on Arch Linux and order the compiler to cross it (Cross-Compile) to work on an old 32-bit Windows server, the command is absurdly simple thanks to the native toolchain:
GOOS=windows GOARCH=386 go build -o mi_programa.exe16.4.2 Depth Depuration (GDB and Delve)
Hunting for mistakes by sprinkling print() calls through your code is amateur work. Software engineers use debuggers. A debugger freezes the program in memory at the exact moment a failure occurs (or at a "breakpoint" you set), letting you inspect the variables inside it.
- For C/C++ and Rust, GDB (the GNU Debugger) or LLDB (from the LLVM project) is used:
sudo pacman -S gdb lldb
- For Go, the compiler applies so many optimisations that GDB gets confused. The industry standard, backed by Google, is Delve:
sudo pacman -S delve
To hunt a bug in your Go program, instead of running go run, start the debugger:
dlv debug main.go
In Delve's console you can type break main.go:25 (stop on line 25) and then continue. The code advances at full speed and pauses as if by magic on line 25. You can type print miVariable to see its live contents and discover why your software failed.
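The Delve session described above is easier to follow with a program that actually has something to find. The following Go program is an added example (not code from the book): it contains a classic bug, strings.TrimLeft used where strings.TrimPrefix was meant, and the bug is invisible in the source until you watch the variable. Run dlv debug on it, type break main.relativePaths, then continue and print rel inside the loop, and the wrong value appears on the very first input. The function names and the sample paths are constructed for the example.

```go
// Added example, not from the book: a program whose bug is easier to find
// with Delve than with print(). Names and the sample input are constructed.
package main

import (
	"fmt"
	"strings"
)

// sampleLogs is a constructed list of absolute log paths, as a log
// shipper might receive them.
var sampleLogs = []string{
	"/tmp/tests/auth.log",
	"/tmp/prod/app.log",
	"/tmp/tmp/old.log",
}

// relativePathBuggy is meant to strip the "/tmp/" prefix. It uses
// strings.TrimLeft, which removes every leading character that appears in
// the cutset ("/", "t", "m", "p"), not the literal prefix string.
func relativePathBuggy(abs string) string {
	return strings.TrimLeft(abs, "/tmp/")
}

// relativePath is the corrected version: TrimPrefix removes the exact
// prefix once and leaves the rest untouched.
func relativePath(abs string) string {
	return strings.TrimPrefix(abs, "/tmp/")
}

// relativePaths applies a trimming function to every input. Break here in
// Delve ("break main.relativePaths"), then "print rel" after each iteration
// to watch "tests/auth.log" come out as "ests/auth.log" with the buggy trim.
func relativePaths(paths []string, trim func(string) string) []string {
	out := make([]string, 0, len(paths))
	for _, p := range paths {
		rel := trim(p)
		out = append(out, rel)
	}
	return out
}

func main() {
	fmt.Println("buggy:", relativePaths(sampleLogs, relativePathBuggy))
	fmt.Println("fixed:", relativePaths(sampleLogs, relativePath))
}
```

The point of the example is the third input: the buggy version also swallows the second "tmp/" component, so a test that only checks the first two paths would never reveal that the function is cutting characters rather than a prefix.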
16.4.3 Extreme Performance (Perf)
If your program has no bugs but runs slowly, and you don't know which function in your code is slowing down execution, you use the kernel profiler: Perf. Perf reads the hardware performance counters built into your processor's silicon (Intel/AMD).
sudo pacman -S perf
# Profile the program (press Ctrl-C after about 10 seconds to stop recording)
sudo perf record -g ./mi_programa_lento
# Read the report
sudo perf report
The terminal will show a hierarchical tree revealing, for example, that 45% of your program's CPU time is lost in one specific for loop on line 104 because of L1 cache misses. It is an atomic-level X-ray of your software.
16.5 Local Continuous Integration (CI/CD) and Git Hooks↑ Home
Professional development dictates that no code should be pushed to the shared repository (GitLab/GitHub) unless it has first passed a battery of automated tests and static analysis (linting). In a company these processes (CI/CD) run in the cloud and burn expensive server minutes.
On your Arch Linux you can emulate that entire cloud infrastructure locally and avoid uploading broken code.
16.5.1 Git Hooks
Git hooks are scripts hidden inside your repository (.git/hooks/) that Git runs automatically at certain points in its workflow. The most important is pre-commit. If the script exits with an error (exit code 1), Git aborts your git commit and refuses to record the code, forcing you to fix it first.
In modern projects (e.g. Python or JavaScript), instead of writing those scripts in bash by hand, the pre-commit manager (written in Python) is used:
sudo pacman -S pre-commit
At the root of your project, create a file named .pre-commit-config.yaml:
repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: trailing-whitespace   # Removes blank space at the end of lines
      - id: end-of-file-fixer     # Ensures a newline at the end of the file
      - id: check-yaml            # Ensures your YAML files are not broken
You install the barriers with the command pre-commit install. The next time you type git commit -m "Mi cambio", pre-commit intercepts the commit, runs the local checks, fixes the code if it is dirty (in which case you re-stage the fixed files and commit again), and only if everything passes does Git create the new version.
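A hook does not have to be a bash script; anything executable works, including a Go binary, and one of the most useful guards a hook can provide is refusing to commit secrets. The following is an added example, not code from the book or from the pre-commit project: a pre-commit hook that lists the staged files with git, reads each staged blob and rejects the commit if a line looks like a private key or a hard-coded credential. The detection rules, function names and the embedded sample are constructed assumptions, and the two patterns are a starting point rather than a complete secret scanner. When run outside a repository it scans the embedded sample instead, so it can be tried stand-alone.

```go
// Added example, not from the book: a pre-commit hook in Go that rejects a
// commit when a staged file looks like it contains a secret. Rules, names
// and the sample input are constructed for the example.
package main

import (
	"fmt"
	"os"
	"os/exec"
	"regexp"
	"strings"
)

// Finding describes one suspicious match in a staged file.
type Finding struct {
	File   string
	Line   int
	Reason string
}

// rules are hypothetical detection patterns: private key headers, and
// assignments of credential-like names to quoted literals of 8+ characters.
var rules = []struct {
	reason string
	re     *regexp.Regexp
}{
	{"private key material", regexp.MustCompile(`-----BEGIN [A-Z ]*PRIVATE KEY-----`)},
	{"hard-coded credential", regexp.MustCompile(`(?i)(password|secret|api[_-]?key|token)\s*[:=]\s*['"][^'"]{8,}['"]`)},
}

// sampleConfig is a constructed file used when the hook runs outside a git
// repository, so the example can be executed stand-alone.
const sampleConfig = "host = \"db\"\nPASSWORD = \"hunter2-longer\"\n-----BEGIN RSA PRIVATE KEY-----\n"

// ScanContent checks one file's content against every rule and reports each
// matching line (1-based). It is pure, so it can be unit-tested without git.
func ScanContent(name string, content []byte) []Finding {
	var out []Finding
	for i, line := range strings.Split(string(content), "\n") {
		for _, r := range rules {
			if r.re.MatchString(line) {
				out = append(out, Finding{File: name, Line: i + 1, Reason: r.reason})
			}
		}
	}
	return out
}

// stagedFiles lists files in the index that are added, copied or modified;
// deleted files have nothing left to scan.
func stagedFiles() ([]string, error) {
	raw, err := exec.Command("git", "diff", "--cached", "--name-only", "--diff-filter=ACM", "-z").Output()
	if err != nil {
		return nil, err
	}
	var files []string
	for _, f := range strings.Split(string(raw), "\x00") {
		if f != "" {
			files = append(files, f)
		}
	}
	return files, nil
}

func main() {
	files, err := stagedFiles()
	if err != nil {
		// Not inside a repository (or git missing): scan the embedded sample.
		fmt.Fprintln(os.Stderr, "pre-commit: no staged files, scanning the constructed sample")
		for _, fd := range ScanContent("sample.cfg", []byte(sampleConfig)) {
			fmt.Fprintf(os.Stderr, "%s:%d: %s\n", fd.File, fd.Line, fd.Reason)
		}
		return
	}
	failed := false
	for _, f := range files {
		// Scan the staged blob (":path"), not the working-tree copy: they can differ.
		content, err := exec.Command("git", "show", ":"+f).Output()
		if err != nil {
			fmt.Fprintln(os.Stderr, "pre-commit: cannot read staged", f, err)
			os.Exit(1)
		}
		for _, fd := range ScanContent(f, content) {
			fmt.Fprintf(os.Stderr, "%s:%d: %s\n", fd.File, fd.Line, fd.Reason)
			failed = true
		}
	}
	if failed {
		fmt.Fprintln(os.Stderr, "pre-commit: commit rejected, remove the secret and try again")
		os.Exit(1) // a non-zero exit is what makes Git abort the commit
	}
}
```

To wire it in, build it and make the binary the hook (for example go build -o .git/hooks/pre-commit hook.go), or declare it as a "repo: local" hook in .pre-commit-config.yaml. Treat it as a guard rail rather than a control: a local hook only runs on the machine that installed it and can be skipped, so the same scan belongs in the server-side CI as well.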
16.5.2 GitHub Actions Locally (Act)
If you configure GitHub Actions (.github/workflows/main.yml) to launch Docker containers and test your database on every push, you normally have to upload the code, wait 5 minutes on the GitHub website, and see whether it fails. If it fails, you fix a comma, push again, and wait another 5 minutes.
The tool Act reads your GitHub workflow YAML file and, using your local Docker daemon (Chapter 15), pulls the Ubuntu runner images GitHub uses and runs them inside your own Arch Linux computer, executing all the tests in seconds.
It is installed from the AUR (it is written in Go):
yay -S act
If you are in your project folder and simply type act, the program downloads a roughly 3 GB Ubuntu container that impersonates the Microsoft/GitHub runner, injects your code, and runs the tests (e.g. npm run test or pytest). If the test fails in act locally, it will fail in the cloud too. By using act you shorten the feedback loop from hours to minutes and develop at a fierce pace.
16.6 Final reflection↑ Home
You have completed the master's degree. Your Arch Linux is not just an operating system on which you consume content; it is a cybersecurity laboratory, a server cluster, a cryptographic workbench and a cloud orchestration platform. You are the undisputed architect of your own computing domains. May your code always compile on the first try, and may your system never suffer a kernel panic.