Complete ZSH Setup for Arch Linux with Security Tools

Table of Contents#

Introduction#

This guide provides a complete automated script for setting up ZSH (Z Shell) on Arch Linux with Oh My Zsh, essential plugins, security tools, and modern CLI enhancements. The script is designed with security professionals in mind, including tools for system auditing, vulnerability scanning, and secure configurations.

Features#

The script includes:

Oh My Zsh installation with optimized configuration
Essential ZSH plugins for productivity
Security-focused tools and aliases
Modern CLI replacements (exa, bat, fd, ripgrep)
Automatic security checks and configurations
Optional Rust installation with security tools
Firewall setup with UFW
System auditing tools (lynis, rkhunter)

The Complete Setup Script#

Here’s the full script that automates the entire setup process:

1
#!/bin/bash
2
# Complete ZSH Setup Script for Arch Linux
3
# This script will set up a fully configured ZSH environment with security-focused settings
4

5
# Exit on error
6
set -e
7

8
# Step 1: Update system and install required packages
9
echo "Updating system and installing required packages..."
10
sudo pacman -Syu --noconfirm
11
sudo pacman -S --needed --noconfirm zsh git curl wget unzip
12

13
# Step 2: Install Oh My Zsh
14
echo "Installing Oh My Zsh..."
15
sh -c "$(curl -fsSL https://raw.githubusercontent.com/ohmyzsh/ohmyzsh/master/tools/install.sh)" "" --unattended
16

17
# Step 3: Install zsh plugins
18
echo "Installing ZSH plugins..."
19
git clone https://github.com/zsh-users/zsh-autosuggestions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-autosuggestions
20
git clone https://github.com/zsh-users/zsh-syntax-highlighting.git ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-syntax-highlighting
21
git clone https://github.com/zsh-users/zsh-completions ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/zsh-completions
22
git clone https://github.com/zdharma-continuum/history-search-multi-word ${ZSH_CUSTOM:-~/.oh-my-zsh/custom}/plugins/history-search-multi-word
23

24
# Step 4: Create a new .zshrc file with optimized configuration
25
echo "Configuring .zshrc..."
26
cat > ~/.zshrc << 'EOL'
27
# Path to your oh-my-zsh installation
28
export ZSH="$HOME/.oh-my-zsh"
29

30
# Set theme
31
ZSH_THEME="robbyrussell"
32

33
# Set plugins
34
plugins=(
35
  git
36
  archlinux
37
  zsh-autosuggestions
38
  zsh-syntax-highlighting
39
  zsh-completions
40
  history-search-multi-word
41
  sudo
42
  systemd
43
  rust
44
)
45

46
# Load Oh My Zsh
47
source $ZSH/oh-my-zsh.sh
48

49
# Load auto-completion
50
autoload -Uz compinit
51
compinit
52

53
# Enhanced completion configuration
54
zstyle ':completion:*' menu select
55
zstyle ':completion:*' completer _expand _complete _ignored _approximate
56
zstyle ':completion:*' matcher-list 'm:{a-z}={A-Z}'
57
zstyle ':completion:*' list-colors "${(s.:.)LS_COLORS}"
58
zstyle ':completion:*' verbose yes
59
zstyle ':completion:*:descriptions' format '%B%d%b'
60
zstyle ':completion:*:messages' format '%d'
61
zstyle ':completion:*:warnings' format 'No matches for: %d'
62
zstyle ':completion:*:corrections' format '%B%d (errors: %e)%b'
63
zstyle ':completion:*' group-name ''
64

65
# Command auto-correction
66
setopt correct
67

68
# Security-focused history configuration
69
HISTSIZE=10000
70
SAVEHIST=10000
71
HISTFILE=~/.zsh_history
72
setopt appendhistory
73
setopt sharehistory
74
setopt incappendhistory
75
setopt hist_ignore_all_dups
76
setopt hist_save_no_dups
77
setopt hist_ignore_space  # Don't save commands starting with space
78
setopt hist_verify        # Show command with history expansion before executing
79

80
# Autosuggestion settings
81
ZSH_AUTOSUGGEST_STRATEGY=(history completion)
82
ZSH_AUTOSUGGEST_BUFFER_MAX_SIZE=20
83
ZSH_AUTOSUGGEST_HIGHLIGHT_STYLE="fg=8"
84
bindkey '^ ' autosuggest-accept  # Ctrl+Space to accept suggestion
85

86
# Security-focused aliases
87
alias checkrootkits="sudo rkhunter --check"
88
alias listports="sudo ss -tulpn"
89
alias psall="ps auxf"
90
alias sctl="sudo systemctl"
91
alias jctl="sudo journalctl"
92
alias firewall="sudo ufw status verbose"
93
alias updatesystem="sudo pacman -Syu"
94
alias orphans="pacman -Qtdq"
95
alias clearpkgcache="sudo pacman -Sc"
96

97
# Enhanced path completion
98
zstyle ':completion:*' special-dirs true
99

100
# Case-insensitive completion
101
zstyle ':completion:*' matcher-list 'm:{a-zA-Z}={A-Za-z}'
102

103
# Fix slow paste in zsh
104
pasteinit() {
105
  OLD_SELF_INSERT=${${(s.:.)widgets[self-insert]}[2,3]}
106
  zle -N self-insert url-quote-magic
107
}
108
pastefinish() {
109
  zle -N self-insert $OLD_SELF_INSERT
110
}
111
zstyle :bracketed-paste-magic paste-init pasteinit
112
zstyle :bracketed-paste-magic paste-finish pastefinish
113

114
# Secure file permissions for sensitive files
115
chmod 700 ~/.ssh 2>/dev/null || true
116
chmod 600 ~/.ssh/id_* 2>/dev/null || true
117
chmod 644 ~/.ssh/*.pub 2>/dev/null || true
118
chmod 600 ~/.netrc 2>/dev/null || true
119

120
# Rust cargo bin path
121
if [ -d "$HOME/.cargo/bin" ]; then
122
  export PATH="$HOME/.cargo/bin:$PATH"
123
fi
124

125
# Enable GPG agent for SSH if available
126
if [ -f "${HOME}/.gnupg/gpg-agent.conf" ]; then
127
  export SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
128
  gpgconf --launch gpg-agent
129
fi
130
EOL
131

132
# Step 5: Install additional helpful tools
133
echo "Installing additional tools..."
134
sudo pacman -S --needed --noconfirm exa bat fd ripgrep fzf htop lynis rkhunter ufw base-devel
135

136
# Step 6: Add additional tool configurations to .zshrc
137
cat >> ~/.zshrc << 'EOL'
138

139
# Modern command line tools
140
if command -v exa > /dev/null; then
141
  alias ls="exa"
142
  alias ll="exa -l"
143
  alias la="exa -la"
144
  alias lt="exa -la --tree --level=2"
145
fi
146

147
if command -v bat > /dev/null; then
148
  alias cat="bat"
149
fi
150

151
if command -v fd > /dev/null; then
152
  alias find="fd"
153
fi
154

155
if command -v rg > /dev/null; then
156
  alias grep="rg"
157
fi
158

159
# Enable fzf keybindings and completion
160
if [ -f /usr/share/fzf/key-bindings.zsh ]; then
161
  source /usr/share/fzf/key-bindings.zsh
162
fi
163

164
if [ -f /usr/share/fzf/completion.zsh ]; then
165
  source /usr/share/fzf/completion.zsh
166
fi
167

168
# Useful shortcuts
169
alias ..="cd .."
170
alias ...="cd ../.."
171
alias ....="cd ../../.."
172

173
# Security checks
174
alias checksec="lynis audit system"
175
alias vulnerabilities="~/security-check.sh"
176

177
# Show network connections
178
alias netstat="netstat -tulanp"
179

180
# Check for ssh brute force attempts
181
alias sshbrutecheck="grep 'Failed password' /var/log/auth.log | awk '{print \$11}' | sort | uniq -c | sort -nr"
182

183
# Set up UFW firewall if installed
184
if command -v ufw > /dev/null; then
185
  # Check if UFW is active
186
  if ! systemctl is-active --quiet ufw; then
187
    echo "Firewall (UFW) is not active. Consider enabling it with: sudo ufw enable"
188
  fi
189
fi
190

191
# Warn if running as root
192
if [[ $EUID -eq 0 ]]; then
193
  echo "WARNING: You are running as root. This is not recommended."
194
fi
195
EOL
196

197
# Step 7: Install alternative security tools instead of arch-audit
198
echo "Installing alternative security tools..."
199
sudo pacman -S --needed --noconfirm arch-audit-gtk pacutils
200

201
# Create a security checking script
202
cat > ~/security-check.sh << 'EOL'
203
#!/bin/bash
204
# Security check script for Arch Linux
205

206
echo "===== Running security checks ====="
207
echo
208
echo "1. Checking for out-of-date packages..."
209
pacman -Qu
210
echo
211
echo "2. Checking for orphaned packages..."
212
pacman -Qtdq
213
echo
214
echo "3. Checking running services..."
215
systemctl list-units --type=service --state=running
216
echo
217
echo "4. Checking open ports..."
218
ss -tuln
219
echo
220
echo "5. Checking recent authentication failures..."
221
journalctl -u sshd --since "24 hours ago" | grep "Failed password"
222
echo
223
echo "6. Running lynis quick scan..."
224
sudo lynis audit system --quick
225
EOL
226

227
chmod +x ~/security-check.sh
228

229
# Step 8: Configure basic UFW rules
230
if command -v ufw > /dev/null; then
231
  echo "Setting up basic UFW firewall rules..."
232
  sudo ufw default deny incoming
233
  sudo ufw default allow outgoing
234
  sudo ufw allow ssh
235
  echo "You may want to enable the firewall with: sudo ufw enable"
236
fi
237

238
# Step 9: Install Rust if requested
239
read -p "Do you want to install Rust? (y/n) " install_rust
240
if [[ $install_rust =~ ^[Yy]$ ]]; then
241
  echo "Installing Rust..."
242
  curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y
243
  source $HOME/.cargo/env
244

245
  # Install some useful Rust security tools
246
  cargo install cargo-audit
247
  cargo install cargo-crev
248
  cargo install cargo-outdated
249

250
  # Add Rust security aliases
251
  cat >> ~/.zshrc << 'EOL'
252

253
# Rust security aliases
254
alias rust-audit="cargo audit"
255
alias rust-outdated="cargo outdated"
256
alias rust-update="cargo update"
257
alias rust-crev="cargo crev"
258
EOL
259
fi
260

261
# Step 10: Make ZSH the default shell
262
if [[ $SHELL != *"zsh"* ]]; then
263
  echo "Setting ZSH as the default shell..."
264
  chsh -s $(which zsh)
265
fi
266

267
# Step 11: Final instructions instead of sourcing
268
echo "Configuration created successfully!"
269
echo "To apply the new configuration, either:"
270
echo "1. Start a new terminal session, or"
271
echo "2. Run the command: exec zsh"
272

273
echo "✅ ZSH setup complete!"
274
echo "Your terminal has been configured with security-focused settings."
275
echo "If you don't see the changes immediately, please restart your terminal."
276
echo ""
277
echo "Security Tools Installed:"
278
echo "- rkhunter: Rootkit detection"
279
echo "- lynis: Security auditing"
280
echo "- ufw: Uncomplicated Firewall"
281
echo "- security-check.sh: Custom security checking script"
282
if [[ $install_rust =~ ^[Yy]$ ]]; then
283
  echo "- cargo-audit: Audit Rust dependencies for vulnerabilities"
284
  echo "- cargo-crev: Rust code review system"
285
fi
286
echo ""
287
echo "Type 'checksec' to run a security audit of your system"

Key Features Explained#

Oh My Zsh Plugins#

The script installs and configures several essential plugins:

zsh-autosuggestions: Suggests commands as you type based on history
zsh-syntax-highlighting: Provides syntax highlighting for commands
zsh-completions: Additional completion definitions
history-search-multi-word: Multi-word history searching

Security Tools#

The script includes several security-focused tools:

lynis: System security auditing tool
rkhunter: Rootkit scanner
ufw: Uncomplicated Firewall for easy firewall management
Custom security script: Automated security checks

Modern CLI Tools#

Replaces traditional Unix commands with modern alternatives:

exa: A modern replacement for ls
bat: A cat clone with syntax highlighting
fd: A simple, fast alternative to find
ripgrep: A faster alternative to grep
fzf: Fuzzy finder for command-line

Security Aliases#

The script creates useful security-focused aliases:

1
alias checkrootkits="sudo rkhunter --check"
2
alias listports="sudo ss -tulpn"
3
alias firewall="sudo ufw status verbose"
4
alias checksec="lynis audit system"

Usage Instructions#

Save the script to a file (e.g., setup-zsh.sh)
Make it executable: chmod +x setup-zsh.sh
Run the script: ./setup-zsh.sh
Restart your terminal or run exec zsh

Post-Installation#

After running the script:

Enable the firewall: sudo ufw enable
Run a security audit: checksec
Check for vulnerabilities: ~/security-check.sh
Configure additional firewall rules as needed

Customization#

You can customize the script by:

Changing the ZSH theme in the .zshrc file
Adding more plugins to the plugins array
Installing additional security tools
Modifying aliases to suit your workflow

Troubleshooting#

If you encounter issues:

ZSH not loading: Ensure ZSH is set as your default shell with chsh -s $(which zsh)
Plugins not working: Check if they were cloned correctly in ~/.oh-my-zsh/custom/plugins/
Permission issues: Run the script with proper user permissions (not as root unless necessary)

Security Considerations#

The script implements several security best practices:

Secure file permissions for SSH keys and sensitive files
History configuration that ignores commands starting with space
GPG agent integration for SSH if available
Warning when running as root
Automatic security tool installation and configuration

Conclusion#

This automated setup provides a powerful, security-focused ZSH environment on Arch Linux. It combines productivity enhancements with security tools, making it ideal for developers, system administrators, and security professionals. The modern CLI tools and comprehensive plugin setup ensure an efficient and enjoyable command-line experience.