LAMP Stack on Arch

This is how I did it – there may be better ways, but this one is mine.

ln -s /usr/bin/vim /usr/bin/vi
vi /etc/pacman.conf # enable ParallelDownloads
pacman -Sy
pacman -Su

Lockdown:
iptables -N my-ips
iptables -A my-ips -s IP/32 -p tcp -j ACCEPT
iptables -A my-ips -j RETURN
iptables -A INPUT -p tcp -j my-ips
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
iptables -A INPUT -j DROP
iptables -A OUTPUT -j my-ips
iptables -A OUTPUT -o lo -j ACCEPT

pacman -S --needed base-devel apache mariadb mariadb-clients php php-fpm php-gd php-intl imagemagick php-imagick git wget

Uncomment these lines in /etc/php/php.ini:
extension=exif
extension=gd
extension=iconv
extension=intl

Uncomment this line in /etc/php/conf.d/imagick.ini:
extension = imagick

https://wiki.archlinux.org/title/Apache_HTTP_Server
Follow sections 1, 2.4, 3.1, 3.1.3
tested phpinfo, and it worked

More lockdown!
pacman -S logwatch fail2ban
configure fail2ban, then enable and start it
set up an iptables-save timer and service; enable and start the timer
set up the WordPress update bash script; run only the parts needed for now

mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql
systemctl enable mariadb
systemctl start mariadb
mysql_secure_installation

https://wiki.archlinux.org/title/PHP
Follow sections 4.1, 4.2, 4.5
systemctl restart php-fpm

pacman -S certbot certbot-apache

https://wiki.archlinux.org/title/Apache_HTTP_Server
Follow section 2.3, except the Include

Set up the backup user (read-only plus LOCK TABLES on every database, enough for mysqldump):
mysql -u root -p
MariaDB> GRANT SELECT, LOCK TABLES ON *.* TO 'backup_user'@'localhost' IDENTIFIED BY '###';
MariaDB> FLUSH PRIVILEGES;

MariaDB> EXIT

Make swap a last resort:
sysctl vm.swappiness=1

For each site:
Restore from backups
create the database and grant privileges to wp_user
mysql -u root -p
MariaDB> CREATE DATABASE wordpress;
MariaDB> GRANT ALL PRIVILEGES ON wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'choose_db_password';
MariaDB> FLUSH PRIVILEGES;
MariaDB> EXIT
cp -R /backups/uncomp*/www/site /srv/http/
chown -R http:http /srv/http/site
mysql -u wp_user -p database < backup.sql
create a new VirtualHost section in /etc/httpd/conf/extra/httpd-vhosts.conf
systemctl restart httpd

Open ports 80 and 443 for use:
iptables -I INPUT 3 -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 4 -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
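An added check, not from the original notes: a POSIX sh function that audits an iptables-save dump against the lockdown above (the my-ips allowlist chain, the final INPUT DROP, loopback accepted, and only ports 80 and 443 open). The dump inside the block is constructed from these notes with a documentation IP; on the server, pass real iptables-save output instead.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an iptables-save dump
# and report which controls from the lockdown above are missing.
# SAMPLE_DUMP is a constructed dump of the rules in these notes (admin IP is a
# documentation address); on a real host feed it `iptables-save` output instead.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:my-ips - [0:0]
-A INPUT -p tcp -j my-ips
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j DROP
-A OUTPUT -j my-ips
-A OUTPUT -o lo -j ACCEPT
-A my-ips -s 203.0.113.10/32 -p tcp -j ACCEPT
-A my-ips -j RETURN
COMMIT'

# audit_rules DUMP: prints one FAIL line per missing control; return code = number of failures
audit_rules() {
    dump=$1
    fails=0
    # 1. INPUT must end in an unconditional DROP, so anything not explicitly allowed is denied
    last_input=$(printf '%s\n' "$dump" | grep '^-A INPUT ' | tail -n 1)
    [ "$last_input" = "-A INPUT -j DROP" ] || { echo "FAIL: INPUT does not end with DROP"; fails=$((fails+1)); }
    # 2. admin allowlist chain exists and ends in RETURN, so unlisted sources fall through to the DROP
    printf '%s\n' "$dump" | grep -q '^:my-ips ' || { echo "FAIL: my-ips chain missing"; fails=$((fails+1)); }
    last_myips=$(printf '%s\n' "$dump" | grep '^-A my-ips ' | tail -n 1)
    [ "$last_myips" = "-A my-ips -j RETURN" ] || { echo "FAIL: my-ips does not end with RETURN"; fails=$((fails+1)); }
    # 3. loopback is accepted (php-fpm and mariadb talk over it)
    printf '%s\n' "$dump" | grep -q '^-A INPUT -i lo -j ACCEPT' || { echo "FAIL: loopback not accepted"; fails=$((fails+1)); }
    # 4. exactly 80 and 443 are open to the world, nothing else
    for port in 80 443; do
        printf '%s\n' "$dump" | grep -q "^-A INPUT .*--dport $port .*-j ACCEPT" \
            || { echo "FAIL: port $port not open"; fails=$((fails+1)); }
    done
    extra=$(printf '%s\n' "$dump" | grep '^-A INPUT .*--dport' \
            | grep -v -e '--dport 80 ' -e '--dport 443 ' | wc -l | tr -d ' ')
    [ "$extra" -eq 0 ] || { echo "FAIL: $extra unexpected port rule(s) in INPUT"; fails=$((fails+1)); }
    return $fails
}

if audit_rules "$SAMPLE_DUMP"; then echo "OK: lockdown rules present"; fi
```

Run it from the iptables-save timer's service, or by hand after every rule change, and treat any FAIL line as a regression of the lockdown.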

Set up SSL:
certbot

Final touches:
set up the WordPress update script, timer, and service
set up the webbackups script, timer, and service
set up the certbot renewal timer and service

My notes for future me