Setup steps for installing Ghost on a fresh Ubuntu 16.04 server

setup.md

Variables:

<server_ip> - ip of the server the blog is being installed on - name for the server e.g. "myblog" - domain name e.g. "myblog.mycompany.com" <ghost_mysql_pw> - a password for a ghost user in mysql <ssl_email> - an email address for letsencrypt

Steps to get from Ubuntu 16.04 fresh install to Ghost

Largely based on the following:

https://www.digitalocean.com/community/tutorials/initial-server-setup-with-ubuntu-16-04 https://www.digitalocean.com/community/tutorials/how-to-install-nginx-on-ubuntu-16-04 https://www.digitalocean.com/community/tutorials/how-to-install-node-js-on-ubuntu-16-04 http://www.tecmint.com/install-mariadb-in-ubuntu-and-debian/

Networking

• hostnamectl set-hostname <hostname>
• hostname
• vim /etc/hosts
• Add: <server_ip> <domain> <hostname> after localhost

Create admin user (can login)

• adduser admin
• adduser admin sudo

Setup SSH key

• su admin
• cd ~
• mkdir .ssh
• [LOCAL] scp ~/.ssh/id_rsa.pub admin@<server_ip>:/home/admin/.ssh/uploaded_key.pub
• cat uploaded_key.pub >> ~/.ssh/authorized_keys
• rm -r uploaded_key.pub

Update base software

• sudo apt-get update
• sudo apt-get upgrade
• sudo apt-get dist-upgrade

Create ghost user (runs ghost)

• sudo adduser ghost
• sudo adduser ghost sudo @NOTE: should this really be a sudo user?!

Lockdown SSH

• sudo vim /etc/ssh/sshd_config
• change:
  • PermitRootLogin no
  • PasswordAuthentication no
• add:

  • Limit logins to IPv4 only

  • AddressFamily inet
• sudo systemctl restart ssh
• sudo ufw allow OpenSSH
• sudo ufw enable

Install Node, npm, ghost-cli, nginx

• sudo apt-get update
• curl -sL https://deb.nodesource.com/setup_6.x -o nodesource_setup.sh
• sudo bash nodesource_setup.sh
• sudo apt-get install nodejs
• sudo apt-get install build-essential
• node -v = 6.10.2
• npm -v = 3.10.10
• sudo apt-get install nginx
• sudo ufw allow 'Nginx Full' @NOTE: I want SSL, would like to make this SSL only, can't do this before letsencrypt setup though?

mariadb

Install:

• sudo apt-get install software-properties-common
• sudo apt-key adv --recv-keys --keyserver hkp://keyserver.ubuntu.com:80 0xF1656F24C74CD1D8
• sudo add-apt-repository 'deb [arch=amd64,i386,ppc64el] http://www.ftp.saix.net/DB/mariadb/repo/10.1/ubuntu xenial main'
• sudo apt-get update
• sudo apt-get install mariadb-server

Configure:

• sudo mysql_secure_installation
• mysql -u root -p
• CREATE USER ghost@localhost identified by '<ghost_mysql_pw>';
• CREATE DATABASE ghost_prod;
• GRANT ALL PRIVILEGES ON ghost_prod.* to 'ghost'@'localhost' IDENTIFIED BY '<ghost_mysql_pw>'; @NOTE what are the expected steps here - I just did it all and plugged it into Ghost-CLI.

Install Ghost

@NOTE: which user should I be here? Should it be different for installing vs running?!

• su ghost
• sudo npm i -g ghost-cli
• cd /var/www/
• sudo mkdir ghost
• sudo chown ghost:ghost ghost
• cd ghost
• ghost install

Then fill out the prompts:

• Url:
• MySQL host: localhost
• MySQL user: ghost
• MySQL pass: <ghost_mysql_pw>
• MySQL db: ghost_prod
• SSL: yes
• SSL email: <ssl_email>

@Note: SSL setup then fails with Error code 1 if doesn't already point at <server_ip> and seems to also fail without sudo?

I was testing on Linode, rather than digital ocean. All the tutorials & playbooks I found for both included updating network settings & I didn't run into any problems with the admin username. I guess DO must set that up?!

it is possible to configure SSL only before letsencrypt but NGINX won't respond until it is properly configured to listen for SSL connections

I didn't quite follow this, and this was the part that I had the most problem with. Could you go into more detail about what the correct sequence of steps are?

MariaDB: what are the expected steps here - I just did it all and plugged it into Ghost-CLI. -> Nothing more to add.

Hmm, if I'm confused by this, I think other people will be too. I'll write more about this on the main issue in reply to Austin as well.

I didn't run into any problems with the admin username. I guess DO must set that up?!

No idea who sets it up but I get an error when trying to do adduser admin on DO.

# adduser admin
adduser: The group `admin' already exists.

This shouldn't be a big issue as the main reason for doing that is to not use root and not to use an account called admin.

I didn't quite follow this, and this was the part that I had the most problem with. Could you go into more detail about what the correct sequence of steps are?

You said: sudo ufw allow 'Nginx Full' @note: I want SSL, would like to make this SSL only, can't do this before letsencrypt setup though?

My response was that it is possible to configure the firewall to SSL only but if you do that you won't be able to reach Nginx anymore. Nginx will still listen on port 80 with the default config and the firewall would block that port.

After a bit of research about letsencrypt it seems like port 80 is needed to generate/renew certificates which means that Nginx Full is the correct profile. In addition to that, you will probably want to redirect from HTTP to HTTPS which also needs the port to be open.

• correct sequence imo:
  • install Nginx
  • sudo ufw allow "Nginx Full"
  • set up DNS -- needed to get a certificate for the correct domain
  • generate certificate using letsencrypt with ghost-cli
  • ghost-cli updates Nginx config

Hmm, if I'm confused by this, I think other people will be too.

There are many different ways to do this. What is outlined above works and is an acceptable way of doing it. We certainly can think about reducing the steps if required.

Is there no way to do it manually by entering details in a config file and just uploading the files to your server?