This is how I did it – there may be better ways, but this one is mine.
ln -s /usr/bin/vim /usr/bin/vi
vi /etc/pacman.conf #Enable Parallel downloads
pacman -Sy
pacman -Su
Lockdown:iptables -N my-ips
iptables -A my-ips -s IP/32 -p tcp -j ACCEPT
iptables -A my-ips -j RETURN
iptables -A INPUT -p tcp -j my-ips
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j my-ips
iptables -A OUTPUT -o lo -j ACCEPT
pacman -S --needed base-devel apache mariadb mariadb-clients php php-fpm php-gd php-intl imagemagick php-imagick git wget
Uncomment lines from /etc/php/php.ini:extension=exif
extension=gd
extension=iconv
extension=intl
Uncomment line from /etc/php/conf.d/imagick.ini:extension = imagick
https://wiki.archlinux.org/title/Apache_HTTP_Server
1, 2.4, 3.1, 3.1.3
tested phpinfo, and worked
More lockdown!pacman -S logwatch fail2ban
config fail2ban, enable, start
setup iptables-save timer and service, enable and start timer
setup wordpress update bash script, execute parts needed for now
mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation
https://wiki.archlinux.org/title/PHP
4.1, 4.2, 4.5systemctl restart php-fpm
pacman -S certbot certbot-apache
https://wiki.archlinux.org/title/Apache_HTTP_Server
2.3 except the Include
Setup backup user:mysql -u root -p
MariaDB> GRANT SELECT, LOCK TABLES ON . TO 'backup_user'@'localhost' IDENTIFIED BY '###';MariaDB> FLUSH PRIVILEGES;MariaDB> EXIT
Make swap a last resort:sysctl vm.swappiness=1
For each site:
Restore from backups
create database and grant privileges for wp_usermysql -u root -p
MariaDB> CREATE DATABASE wordpress;
MariaDB> GRANT ALL PRIVILEGES ON wordpress.* TO "wp-user"@"localhost" IDENTIFIED BY "choose_db_password";
MariaDB> FLUSH PRIVILEGES;
MariaDB> EXIT
cp -R /backups/uncomp*/www/site /srv/http/
chown -R http:http /srv/http/site
mysql -u wp_user -p database < backup.sql
create new section in /etc/httpd/conf/extra/httpd-vhosts.conf
systemctl restart httpd
Open ports 80, 443 for usage:
iptables -I INPUT 3 -p tcp -m tcp –dport 80 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -p tcp -m tcp –dport 443 -m conntrack –ctstate NEW,ESTABLISHED -j ACCEPT
Setup SSL:
certbot
Final touches:
setup wordpress update script, timer, and service
setup webbackups script, timer, and service
setup certbot renewal timer and service