<server_ip> - ip of the server the blog is being installed on - name for the server e.g. "myblog" - domain name e.g. "myblog.mycompany.com" <ghost_mysql_pw> - a password for a ghost user in mysql <ssl_email> - an email address for letsencrypt
Largely based on the following:
https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04 https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04 https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-16-04 http://www.tecmint.com/install-mariadb-in-ubuntu-and-debian/
hostnamectl set-hostname <hostname>
hostname
vim /etc/hosts
- Add:
<server_ip> <domain> <hostname>
after localhost
adduser admin
adduser admin sudo
su admin
cd ~
mkdir .ssh
- [LOCAL]
scp ~/.ssh/id_rsa.pub admin@<server_ip>:/home/admin/.ssh/uploaded_key.pub
cat uploaded_key.pub >> ~/.ssh/authorized_keys
rm -r uploaded_key.pub
sudo apt-get update
sudo apt-get upgrade
sudo apt-get dist-upgrade
sudo adduser ghost
sudo adduser ghost sudo
@NOTE: should this really be a sudo user?!
sudo vim /etc/ssh/sshd_config
- change:
- PermitRootLogin no
- PasswordAuthentication no
- add:
- AddressFamily inet
sudo systemctl restart ssh
sudo ufw allow OpenSSH
sudo ufw enable
sudo apt-get update
curl -sL https://deb.nodesource.com/setup_6.x -o nodesource_setup.sh
sudo bash nodesource_setup.sh
sudo apt-get install nodejs
sudo apt-get install build-essential
node -v
= 6.10.2npm -v
= 3.10.10sudo apt-get install nginx
sudo ufw allow 'Nginx Full'
@NOTE: I want SSL, would like to make this SSL only, can't do this before letsencrypt setup though?
Install:
sudo apt-get install software-properties-common
sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://www.ftp.saix.net/DB/mariadb/repo/10.1/ubuntu xenial main'
sudo apt-get update
sudo apt-get install mariadb-server
Configure:
sudo mysql_secure_installation
mysql -u root -p
CREATE USER ghost@localhost identified by '<ghost_mysql_pw>';
CREATE DATABASE ghost_prod;
GRANT ALL PRIVILEGES ON ghost_prod.* to 'ghost'@'localhost' IDENTIFIED BY '<ghost_mysql_pw>';
@NOTE what are the expected steps here - I just did it all and plugged it into Ghost-CLI.
@NOTE: which user should I be here? Should it be different for installing vs running?!
su ghost
sudo npm i -g ghost-cli
cd /var/www/
sudo mkdir ghost
sudo chown ghost:ghost ghost
cd ghost
ghost install
Then fill out the prompts:
- Url:
- MySQL host: localhost
- MySQL user: ghost
- MySQL pass: <ghost_mysql_pw>
- MySQL db: ghost_prod
- SSL: yes
- SSL email: <ssl_email>
@Note: SSL setup then fails with Error code 1 if doesn't already point at <server_ip> and seems to also fail without sudo?
Ok, this must be very confusing and ghost cli doesn't behave like it is expecting a separate user for running Ghost.
Annotations to the gist:
adduser admin
fails because a group already exists. Needs to be a different username.cat uploaded_key.pub >> ~/.ssh/authorized_keys
should be followed bychmod 600 ~/.ssh/authorized_keys
to satisfy SSH permission requirements.ghost
user should in my opinion be a system user without login or shell.adduser --system --group ghost
. I'll write more about that below. It is similar to the git or mysql user.sudo ufw allow 'Nginx Full'
it is possible to configure SSL only before letsencrypt but NGINX won't respond until it is properly configured to listen for SSL connections.admin
user.Using a ghost system user:
The steps to use a separate ghost user for running would need a update to ghost cli:
sudo npm i -g ghost-cli
cd /var/www/
sudo mkdir ghost
sudo chown admin:admin ghost
cd ghost
ghost install
The creation of a ghost system user could be taken over by ghost-cli. The internal steps to make this all work would be:
ghost
userchown ghost:ghost <content directory>
sudo -u ghost node index.js
) or use the appropriate systemd method to use a different userThe outcome of this would be to run the process as
ghost
user and allow permissons to the content directory only. Everything else would be owned by the admin user.SSL config:
It feels to me like SSL setup should be a separate step? We also need to make sure that the user has set up a proper DNS name. I was also wondering if it's possible to issue a prompt when we need sudo?