Learning Arch

As I revisit my 10th Arch build and go to create what I always wanted 15 years ago, I am excited to share my experiences and what I have learned as I create this masterpiece.

Browser

I installed Librewolf, a privacy-focused web browser. I have a few extensions to emphasize what I want out of it. I have a Password Manager to manage all of my passwords. I have Night Owl to keep me in dark theme on websites. I have LocalCDN to protect against CDN tracking. I have Temporary Containers to spin up every browser tab in isolation. I have uBlock, which comes native with Librewolf, and I also have Unhook, which is an incredible extension for YouTube.


I visited some great articles to give me a better perspective.

Productivity with Arch

10 Things MUST DO after installing ArchLinux


Pacman

This taught me how to use commands like reflector to speed up my pacman connection. This time around I understand what a package manager is and how each component is different in my system. I have been saving all of my dot-file configs to my GitHub repo to save them and keep updating all the important features I learn about.


Waybar

One of my favorite things to work on in my spare time is the Waybar. I love being able to work on it. I have an external IP, an internal IP, and established connections. I have added many things, including showing all established connections to my machine, so I can easily see if the latest download I have has created a connection. That is only if UFW didn’t stop it first.


UFW

To further enhance security, I configured UFW on my machine. While I have a physical firewall at the network level, setting up a software firewall lets me control outgoing communications. Restricting outgoing ports is smart. Most people only think about blocking incoming connections, but limiting outgoing ports can block attacks like those attempting to use Metasploit. Enforcing this adds a valuable layer of protection. If you download the latest cracked game and that skid tries to use Metasploit to beacon out on 4444, it is blocked by UFW. This is a great solution to daily problems that helps you stay more secure.
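An added example (not from the original post) of the egress idea above: it prints the UFW commands for a default-deny outbound policy and flags established connections whose remote port is outside the same allowlist, the kind of check the Waybar connection module surfaces. The allowlist, the function names and the sample `ss` lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Assumed egress allowlist (remote TCP ports): DNS, HTTP, HTTPS, DNS-over-TLS.
# Adjust for your own needs (for example NTP on 123/udp).
ALLOWED_TCP="53 80 443 853"

# Print the ufw commands for a default-deny policy; review, then run them as root.
egress_policy() {
    echo "ufw default deny incoming"
    echo "ufw default deny outgoing"
    for p in $ALLOWED_TCP; do echo "ufw allow out $p/tcp"; done
    echo "ufw allow out 53/udp"
}

# Read `ss -Htn state established` lines on stdin and print every peer whose
# port is not allowlisted. Without -p the peer address is the last column.
unexpected_egress() {
    awk -v allowed="$ALLOWED_TCP" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
        port = $NF; sub(/.*:/, "", port)   # greedy match also handles [v6]:port
        if (!(port in ok)) print $NF
    }'
}

# Constructed sample output (documentation addresses), not a real capture.
sample_ss() {
cat <<'EOF'
0      0      192.168.1.20:51514     198.51.100.10:443
0      0      192.168.1.20:40022     1.1.1.3:853
0      0      192.168.1.20:49822     203.0.113.7:4444
EOF
}

egress_policy
echo "Unexpected egress:"; sample_ss | unexpected_egress
# On a live system: ss -Htn state established | unexpected_egress
```

With `deny incoming` in place every established connection is outbound, so the remote port is the one to compare; on a host that accepts inbound connections the local port would need checking too.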


resolved.conf

Next we will explore /etc/systemd/resolved.conf. This file is where DNS resolution is configured. I choose to use 1.1.1.3 for the blocking of malware and adult content. I have the default Cloudflare 1.1.1.1 as the fallback if those fail. I wanted to have DNSSEC and DNSOverTLS set to yes, but I found out it was difficult on most websites to have that. After careful consideration I went with DNSSEC=allow-downgrade to allow fallback if it is not available and DNSOverTLS=opportunistic to use it when able. Using encrypted DNS over port 853 and enabling DNSSEC gives me validation and integrity. Disabling LLMNR and mDNS reduces unnecessary exposure on the local network and tightens the attack surface. Keeping caching enabled improves performance while still maintaining control. Understanding the stub listener at 127.0.0.53 makes it clear how systemd-resolved handles queries internally and how everything is routed before leaving the machine.

/etc/systemd/resolved.conf

# Comments go on their own lines: systemd does not strip a trailing "# ..." from a value
[Resolve]
# Primary DNS servers (Cloudflare Family Protection - blocks malware + adult content)
DNS=1.1.1.3 1.0.0.3
# Backup DNS servers (DNS if primary fails)
FallbackDNS=1.1.1.1 1.0.0.1
# Enable DNSSEC validation, but allow fallback if the server/network breaks it
DNSSEC=allow-downgrade
# Use encrypted DNS (DoT) when available, but don't break if the server doesn't support it
DNSOverTLS=opportunistic
# Disable mDNS (no .local network discovery; reduces attack surface)
MulticastDNS=no
# Disable Link-Local Multicast Name Resolution (prevents spoofing attacks)
LLMNR=no
# Enable local DNS caching (faster repeat lookups, fewer external queries)
Cache=yes
# Enable local stub resolver at 127.0.0.53 so the system resolves through systemd-resolved
DNSStubListener=yes
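An added example (not part of the original post) that audits a resolved.conf for the choices discussed above: it flags the two downgrade-tolerant modes, LLMNR/mDNS left enabled or unset, and values carrying a trailing `# ...`, which systemd does not treat as a comment. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample: a subset of the settings above with one trailing comment.
sample_conf() {
cat <<'EOF'
[Resolve]
DNS=1.1.1.3 1.0.0.3
DNSSEC=allow-downgrade
DNSOverTLS=opportunistic   # use DoT when available
LLMNR=no
EOF
}

# audit_resolved_conf FILE: print one finding per line for the [Resolve] section.
audit_resolved_conf() {
    awk '
    /^[ \t]*([#;]|$)/ { next }                      # full-line comments, blank lines
    /^[ \t]*\[/ { in_resolve = ($0 ~ /\[Resolve\]/); next }
    !in_resolve || index($0, "=") == 0 { next }
    {
        key = substr($0, 1, index($0, "=") - 1)
        val = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
        seen[key] = 1
        # "#" after whitespace is not a comment here; "1.1.1.1#name" (SNI) has none.
        if (val ~ /[ \t]#/) { print "BROKEN " key ": trailing text is parsed as part of the value"; next }
        if (key == "DNSSEC" && val == "allow-downgrade")   print "WEAK DNSSEC: validation can be downgraded"
        if (key == "DNSOverTLS" && val == "opportunistic") print "WEAK DNSOverTLS: falls back to plaintext port 53"
        if ((key == "LLMNR" || key == "MulticastDNS") && val != "no") print "EXPOSED " key "=" val
    }
    END {
        if (!("LLMNR" in seen))        print "UNSET LLMNR: distribution default applies"
        if (!("MulticastDNS" in seen)) print "UNSET MulticastDNS: distribution default applies"
    }' "$1"
}

conf=$(mktemp); sample_conf > "$conf"
audit_resolved_conf "$conf"; rm -f "$conf"
```

On a live system, run `audit_resolved_conf /etc/systemd/resolved.conf` and compare the result with what `resolvectl status` reports as the active settings.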

Hyprland

I chose Hyprland because I want control over how my workspace behaves. A dynamic tiling compositor changes how you think about windows. Everything is intentional. Workspaces are structured. Keybinds are muscle memory. Animations are smooth but not distracting. I configure it directly in ~/.config/hypr/ and I know exactly what each bind and rule does. This is not a desktop environment that hides behavior behind menus. This is deliberate layout control. It is minimal, fast, and built around workflow instead of aesthetics, even though it looks clean.


Wayland

Running on Wayland instead of X11 matters. It is a more modern display protocol with better isolation between applications. Input handling is cleaner. Screen capture is permission based. Applications cannot just snoop globally the way they could under X. Security and architecture are improved at the protocol level. This aligns with how I am building the rest of the system. Intentional. Reduced attack surface. Modern stack.


SDDM

SDDM is my display manager. It handles login and session initialization before Hyprland loads. This is the bridge between boot and user space. I like having a clean graphical login instead of dropping straight into TTY. It keeps startup organized and allows session selection. Understanding where SDDM hands off to the compositor helped me understand how the boot process flows from systemd to graphical session.


Wofi

Wofi is my application launcher. It replaces the traditional application menu and keeps everything keyboard driven. Fast, minimal, no clutter. I can launch programs, run commands, and switch tasks without touching the mouse. It fits the tiling workflow and reinforces efficiency. Small tool, big impact on daily use.


Neovim

Neovim is my editor of choice for basic files.


Terminal

My terminal is kitty. This is where I run commands, build projects, and monitor the system. The terminal is critical because it is the interface to everything I do on Arch. Performance, fonts, and GPU acceleration matter.


I don't see myself ever being “done” with working on my Arch setup. I am very happy though right now with how it is set up and I will add little things as I go.

This post is licensed under CC BY 4.0 by the author.