Nauris
LEMP Setup

Install LEMP Stack on Arch Linux

Install Nginx, MariaDB, PHP 8, PHP-FPM, and phpMyAdmin on Arch Linux with Nginx virtual hosts and a dedicated PHP-FPM pool.

This guide walks through a full LEMP stack setup on Arch Linux using Nginx, MariaDB, PHP 8, PHP-FPM, and phpMyAdmin.

By the end, you will have:

  • an updated Arch Linux server
  • a non-root sudo user
  • SSH on a custom port
  • UFW enabled
  • systemd-resolved configured
  • Nginx, MariaDB, PHP, and phpMyAdmin installed
  • a dedicated PHP-FPM pool and Nginx virtual host for a site

Update Packages

Update package metadata, upgrade installed packages, and install a few basic tools:

pacman -Syyu && pacman -S sudo vim

Create a New User

Create a regular user and add it to the users and wheel groups:

sudo useradd -m -G users,wheel -s /bin/bash username

Set a password for the new user:

sudo passwd username

Open the sudoers file:

EDITOR=vim sudo visudo

Uncomment this line:

%wheel ALL=(ALL:ALL) ALL

Switch to the new user and verify sudo access:

su - newuser
sudo whoami

If the command returns root, sudo is configured correctly.

Change the SSH Port

Open the SSH server configuration:

sudo vim /etc/ssh/sshd_config

Set a custom SSH port and disable root login:

Port 52225
PermitRootLogin no

Reload the service:

sudo systemctl daemon-reload
sudo systemctl restart sshd

Enable the Firewall

Install UFW:

sudo pacman -S ufw

Allow HTTP, HTTPS, and your custom SSH port:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 52225/tcp

Enable the firewall:

sudo ufw enable

Check the active rules:

sudo ufw status

Use the new SSH port when connecting:

ssh -p 52225 user@your_server_ip

Starting the firewall can interrupt the current SSH session. Reconnect using the new port if needed.

Configure DNS Resolver

Enable systemd-resolved and make sure it starts automatically:

sudo systemctl enable systemd-resolved --now
sudo systemctl status systemd-resolved

Edit the resolver config:

sudo vim /etc/systemd/resolved.conf

Use Cloudflare and Quad9:

[Resolve]
DNS=1.1.1.1 1.0.0.1 2606:4700:4700::1111 2606:4700:4700::1001
FallbackDNS=9.9.9.9 149.112.112.112 2620:fe::fe 2620:fe::9
DNSOverTLS=opportunistic

Recreate resolv.conf and restart the resolver:

sudo rm -f /etc/resolv.conf
sudo ln -sf /run/systemd/resolve/stub-resolv.conf /etc/resolv.conf
sudo systemctl restart systemd-resolved

Check resolver status:

resolvectl status

Generate an SSL Certificate

Create a self-signed certificate for local testing or internal use:

sudo openssl req -x509 -newkey rsa:2048 -nodes -keyout /etc/ssl/private/default.key -out /etc/ssl/certs/default.crt -days 3650

Install PHP 8 and PHP-FPM

Install PHP, PHP-FPM, and the GD extension:

sudo pacman -S php php-fpm php-gd

Open the main PHP config:

sudo vim /etc/php/php.ini

Uncomment the required extensions:

sudo sed -i 's/;extension=\(bcmath\|bz2\|curl\|exif\|gd\|gmp\|mysqli\|pdo_mysql\|zip\)/extension=\1/' /etc/php/php.ini
sudo sed -i 's/;zend_extension=\(opcache\)/zend_extension=\1/' /etc/php/php.ini

Verify the changes:

grep -E '^(;)?extension=' /etc/php/php.ini | grep -E 'bcmath|bz2|curl|exif|gd|gmp|mysqli|pdo_mysql|zip'
grep -E '^(;)?zend_extension=' /etc/php/php.ini | grep -E 'opcache'

If you prefer to edit the file manually, enable:

extension=bcmath
extension=bz2
extension=curl
extension=exif
extension=gd
extension=gmp
extension=mysqli
extension=pdo_mysql
extension=zip
zend_extension=opcache

Configure the default PHP-FPM pool:

sudo vim /etc/php/php-fpm.d/www.conf

Use these values:

[www]
user = http
group = http

listen = /run/php-fpm/php-fpm.sock

listen.owner = http
listen.group = http
listen.mode = 0660

Restart PHP-FPM:

sudo systemctl restart php-fpm

Disable commonly abused functions:

sudo vim /etc/php/php.ini

Set:

disable_functions = exec,passthru,shell_exec,system,proc_open,popen

Enable OPcache:

[opcache]
opcache.enable=1
opcache.memory_consumption=128
opcache.interned_strings_buffer=8
opcache.max_accelerated_files=10000
opcache.use_cwd=1
opcache.validate_timestamps=1
opcache.revalidate_freq=60
opcache.save_comments=1

Restart PHP-FPM again:

sudo systemctl restart php-fpm

Install Nginx

Install Nginx:

sudo pacman -S nginx

Enable and start the service:

sudo systemctl enable nginx --now
sudo systemctl status nginx

Prepare the site config directories:

sudo mkdir -p /etc/nginx/sites-enabled
sudo mkdir -p /etc/nginx/sites-available

Back up the current config:

sudo cp /etc/nginx/nginx.conf /etc/nginx/nginx.conf.bak

Edit the main config:

sudo vim /etc/nginx/nginx.conf

Replace it with:

user http;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
  worker_connections 1024;
}

http {
  sendfile on;
  tcp_nopush on;
  keepalive_timeout 65;
  types_hash_max_size 4096;
  types_hash_bucket_size 128;

  access_log off;

  include /etc/nginx/mime.types;
  default_type application/octet-stream;

  gzip on;
  gzip_vary on;
  gzip_comp_level 5;
  gzip_min_length 512;
  gzip_buffers 8 64k;
  gzip_types text/plain text/css application/json application/javascript application/x-javascript text/xml application/xml+rss application/x-font-ttf image/svg+xml font/opentype;
  gzip_proxied any;
  gzip_disable "msie6";

  ssl_session_cache shared:SSL:10m;
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_prefer_server_ciphers on;
  ssl_ciphers HIGH:!aNULL:!MD5;

  proxy_cache_path /var/cache/nginx levels=2 keys_zone=cache:10m inactive=60m max_size=1024m;
  proxy_cache_key "$host$request_uri";
  proxy_temp_path /var/cache/nginx/temp;
  proxy_ignore_headers Expires Cache-Control;
  proxy_cache_use_stale error timeout invalid_header http_502;
  proxy_cache_valid any 1d;

  open_file_cache max=10000 inactive=30s;
  open_file_cache_valid 60s;
  open_file_cache_min_uses 2;
  open_file_cache_errors off;

  map $http_cookie $no_cache {
    default 0;
    ~SESS 1;
    ~wordpress_logged_in 1;
  }

  include /etc/nginx/sites-enabled/*;
}

Create the default virtual host:

sudo vim /etc/nginx/sites-available/default

Use:

server {
  listen 80 default_server;
  listen [::]:80 default_server;
  listen 443 ssl default_server;
  listen [::]:443 ssl default_server;
  server_name _;

  ssl_certificate /etc/ssl/certs/default.crt;
  ssl_certificate_key /etc/ssl/private/default.key;

  root /usr/share/nginx/html;
  index index.html index.htm index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
      root /usr/share/nginx/html;
      fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }
  }

  location ~ /\.ht {
    deny all;
  }

  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/html;
  }
}

Enable the default site:

sudo ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default

Test and restart Nginx:

sudo nginx -t
sudo systemctl restart nginx

Confirm the default page loads:

http://server_ip

Create a temporary PHP test file:

echo "<?php phpinfo(); ?>" | sudo tee /usr/share/nginx/html/info.php

Open the test page:

http://server_ip/info.php

Remove the test file when finished:

sudo rm /usr/share/nginx/html/info.php

Install MariaDB

Install MariaDB:

sudo pacman -S mariadb

Initialize the database:

sudo mariadb-install-db --user=mysql --basedir=/usr --datadir=/var/lib/mysql

Enable the service:

sudo systemctl enable mariadb --now
sudo systemctl status mariadb

Verify MariaDB is listening:

sudo netstat -tulnp | grep mariadb

Secure the installation:

sudo mariadb-secure-installation

Recommended answers:

  • press Enter to leave the root password empty if you want local-only development first
  • answer Y to switch to Unix socket authentication
  • answer Y to remove anonymous users
  • answer Y to disallow remote root login
  • answer Y to remove the test database
  • answer Y to reload privilege tables

The main server config is here:

sudo vim /etc/my.cnf.d/mariadb-server.cnf

Install phpMyAdmin

Install phpMyAdmin:

sudo pacman -S phpmyadmin

Create the phpMyAdmin database and control user:

sudo mariadb

Run:

CREATE DATABASE phpmyadmin;
CREATE USER 'pma'@'localhost' IDENTIFIED BY 'strong_password_here';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';
FLUSH PRIVILEGES;
exit

Generate a random blowfish secret:

openssl rand -base64 24

Edit the phpMyAdmin config:

sudo vim /etc/webapps/phpmyadmin/config.inc.php

Set the generated secret:

$cfg['blowfish_secret'] = 'your_code';

Add a temp directory and hide system databases:

$cfg['TempDir'] = '/tmp/phpmyadmin';
$cfg['Servers'][$i]['hide_db'] = '^information_schema|mysql|phpmyadmin|performance_schema|sys$';

Configure the control user:

$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = 'strong_password_here';

Enable the storage tables:

$cfg['Servers'][$i]['pmadb'] = 'phpmyadmin';
$cfg['Servers'][$i]['bookmarktable'] = 'pma__bookmark';
$cfg['Servers'][$i]['relation'] = 'pma__relation';
$cfg['Servers'][$i]['table_info'] = 'pma__table_info';
$cfg['Servers'][$i]['table_coords'] = 'pma__table_coords';
$cfg['Servers'][$i]['pdf_pages'] = 'pma__pdf_pages';
$cfg['Servers'][$i]['column_info'] = 'pma__column_info';
$cfg['Servers'][$i]['history'] = 'pma__history';
$cfg['Servers'][$i]['table_uiprefs'] = 'pma__table_uiprefs';
$cfg['Servers'][$i]['tracking'] = 'pma__tracking';
$cfg['Servers'][$i]['userconfig'] = 'pma__userconfig';
$cfg['Servers'][$i]['recent'] = 'pma__recent';
$cfg['Servers'][$i]['favorite'] = 'pma__favorite';
$cfg['Servers'][$i]['users'] = 'pma__users';
$cfg['Servers'][$i]['usergroups'] = 'pma__usergroups';
$cfg['Servers'][$i]['navigationhiding'] = 'pma__navigationhiding';
$cfg['Servers'][$i]['savedsearches'] = 'pma__savedsearches';
$cfg['Servers'][$i]['central_columns'] = 'pma__central_columns';
$cfg['Servers'][$i]['designer_settings'] = 'pma__designer_settings';
$cfg['Servers'][$i]['export_templates'] = 'pma__export_templates';

Create the phpMyAdmin tables:

sudo mariadb -u root -p phpmyadmin < /usr/share/webapps/phpMyAdmin/sql/create_tables.sql

Create a password hash:

openssl passwd

Create the Nginx basic auth file:

sudo vim /etc/nginx/pma_pass

Use:

pma:password_hash

Create the phpMyAdmin site config:

sudo vim /etc/nginx/sites-available/phpmyadmin

Use:

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name pma.example.com;

  ssl_certificate /etc/ssl/certs/default.crt;
  ssl_certificate_key /etc/ssl/private/default.key;

  access_log off;
  error_log /var/log/nginx/pma.example.com.error.log error;

  root /usr/share/webapps/phpMyAdmin;
  index index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;
    auth_basic "Admin Login";
    auth_basic_user_file /etc/nginx/pma_pass;

    location ~ \.php$ {
      root /usr/share/webapps/phpMyAdmin;
      fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }
  }

  location ~ /\.ht {
    deny all;
  }

  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/html;
  }
}

Replace pma.example.com with your actual subdomain.

Enable the site:

sudo ln -s /etc/nginx/sites-available/phpmyadmin /etc/nginx/sites-enabled/phpmyadmin

Test and restart Nginx:

sudo nginx -t
sudo systemctl restart nginx

Create a database and user for your application:

sudo mariadb

Run:

CREATE USER 'example_user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE example_db;
GRANT ALL PRIVILEGES ON example_db.* TO 'example_user'@'localhost';
FLUSH PRIVILEGES;
exit

You should now be able to sign in to phpMyAdmin at https://pma.example.com.

Create a Dedicated Site User

Create a separate user for the hosted application:

sudo useradd -m -s /bin/bash -p '!' dolphin

Create the site directory and fix ownership:

sudo mkdir -p /srv/http/dolphin/example.com
sudo chown -R dolphin:dolphin /srv/http/dolphin
sudo chmod 711 /srv/http/dolphin
sudo chmod -R 755 /srv/http/dolphin/example.com

Copy the PHP-FPM pool config:

sudo cp /etc/php/php-fpm.d/www.conf /etc/php/php-fpm.d/dolphin.conf
sudo vim /etc/php/php-fpm.d/dolphin.conf

Set:

[dolphin]
user = dolphin
group = dolphin

listen = /run/php-fpm/php-fpm-dolphin.sock

listen.owner = http
listen.group = http
listen.mode = 0660

Restart PHP-FPM:

sudo systemctl restart php-fpm

Create the site virtual host:

sudo vim /etc/nginx/sites-available/example.com

Use:

server {
  listen 80;
  listen [::]:80;
  listen 443 ssl;
  listen [::]:443 ssl;
  server_name example.com www.example.com;

  ssl_certificate /etc/ssl/certs/default.crt;
  ssl_certificate_key /etc/ssl/private/default.key;

  access_log off;
  error_log /var/log/nginx/example.com.error.log error;

  root /srv/http/dolphin/example.com;
  index index.html index.htm index.php;

  location / {
    try_files $uri $uri/ /index.php?$args;

    location ~ \.php$ {
      root /srv/http/dolphin/example.com;
      fastcgi_pass unix:/run/php-fpm/php-fpm-dolphin.sock;
      fastcgi_index index.php;
      fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
      include fastcgi_params;
    }
  }

  location ~ /\.ht {
    deny all;
  }

  error_page 500 502 503 504 /50x.html;
  location = /50x.html {
    root /usr/share/nginx/html;
  }
}

Enable the site:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com

Test and restart Nginx:

sudo nginx -t
sudo systemctl restart nginx

Install WordPress

Switch to the site user:

sudo su - dolphin

Download and extract WordPress:

cd /srv/http/dolphin/example.com
curl -O https://wordpress.org/latest.tar.gz
tar -xvzf latest.tar.gz
mv wordpress/* .
rm latest.tar.gz && rm -fr wordpress

Open https://example.com in your browser to continue the WordPress installer.

Server Tutorials

Terminal-first setup guides for Linux and BSD servers, web stacks, and self-hosted tooling.

AlmaLinux 9

Install Nginx, MariaDB, PHP 8, PHP-FPM, and phpMyAdmin on AlmaLinux 9 with FirewallD, Nginx virtual hosts, and a dedicated PHP-FPM pool.

On this page

Update PackagesCreate a New UserChange the SSH PortEnable the FirewallConfigure DNS ResolverGenerate an SSL CertificateInstall PHP 8 and PHP-FPMInstall NginxInstall MariaDBInstall phpMyAdminCreate a Dedicated Site UserInstall WordPress