I've just seen a Ghost!

Time to resurrect the fantasmagorical Ghost

And wow - things have moved on - thank you Ghost-Bunch, lots of work has happened since 2016 when I last looked at Ghost - it was great then, and much goodness has been done on simplifying set-up.

I used this as my base: https://docs.ghost.org/docs/install#section-server-setup

Debian - in a stretch

Nowadays I'm on Debian stable aka Stretch - Ghost seems targeted at Ubuntu Server LTS - which is fine, as that's a downstream and Canonical feed their fixes and updates back into Debian - shout-out to all you Canonicals!

MySQL aka MariaDB

We need mysql... apt-get install mysql hmmm - installed MariaDB - how very Google! New authentication weirdness?? uses UID via socket to auth root, ignoring any password I set... discovered: https://mariadb.com/kb/en/library/authentication-plugin-unix-socket/, and decided to go with the Debian flow.

I buy the comment that MariaDB has to trust the OS - if I had root-OS I could easily get into MariaDB.

Ummm - they didn't mention this, but you do need to apt-get install curl to follow the instructions /blush.

Node6 recommended

curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash -

Yes, I did read it first before executing as root... there is a lot in there to check though.

apt-get install -y nodejs
npm i -g ghost-cli
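
The "read it first" step for the NodeSource script only helps if the bytes that run as root are the bytes that were read. This added example (not part of the original post) downloads to a file, pins its SHA-256 at review time, and refuses to run a copy that has changed; the helper names `fetch_for_review`, `file_sha256` and `run_reviewed` are hypothetical, and `sha256sum` from coreutils is assumed.

```shell
#!/bin/sh
# Added example: run an installer only if it is byte-for-byte the reviewed file.
# Helper names are hypothetical; sha256sum (coreutils) is assumed to be present.

# fetch_for_review URL OUTFILE: save to a file instead of piping into a shell.
# -f makes curl fail on HTTP errors so an error page is never saved as the script.
fetch_for_review() {
    curl -sSfL "$1" -o "$2" && chmod 0600 "$2"
}

# file_sha256 FILE: print only the hex digest.
file_sha256() {
    sha256sum "$1" | cut -d' ' -f1
}

# run_reviewed FILE PINNED_SHA256 [RUNNER...]
# Runs FILE with RUNNER (default: sh) only when its digest still matches the
# value recorded at review time. Exit status 2: file missing, 3: digest mismatch.
run_reviewed() (
    file=$1 pinned=$2
    shift 2
    [ $# -gt 0 ] || set -- sh
    [ -f "$file" ] || { echo "missing: $file" >&2; exit 2; }
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$pinned" ]; then
        echo "refusing to run $file: digest $actual differs from reviewed copy" >&2
        exit 3
    fi
    "$@" "$file"
)

# Intended flow for the NodeSource step (commented out so nothing is fetched here):
#   fetch_for_review https://deb.nodesource.com/setup_6.x setup_6.x
#   less setup_6.x                      # the review
#   pinned=$(file_sha256 setup_6.x)     # record what was reviewed
#   run_reviewed setup_6.x "$pinned" sudo -E bash
```
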

And on to the Haunting...


  • ghost install must be run as a non-root user (aka normus)
  • install folder must be owned by non-root user

Somewhere to stash our stuff

sudo mysql
create database ghost_normus;
create user 'ghost_normus'@'localhost' identified by '********';
grant all on ghost_normus.* to 'ghost_normus'@'localhost';

Something to dish it up

sudo mkdir -p /var/www/normus.totahi.com
sudo chown normus:normus !$
cd !$
ghost install
# blog url: http://normus.totahi.com
# skip setting up ghost-mysql user - done above because of root auth
# nginx -> yes please, creates conf files
# SSL -> NO - use stretch-backports certbot instead
# asks for a password, not sure why?
# it doesn't create the web-root folder, not sure why
sudo mkdir system/nginx-root
sudo chown ghost:ghost !$

Something Authal this way comes...

sudo certbot --authenticator webroot --installer nginx
# select normus.totahi.com
# root-folder: /var/www/normus.totahi.com/system/nginx-root
# redirect to SSL only

There are a few things to note with the /etc/nginx/sites-enabled config files:

  • The redirect-to-SSL section should be moved to the top of the file
  • Failure to restart Nginx can happen because of the ipv6only clause on one of the listen 443 lines - just remove this extra option.

The HTTPS redirect can also cause an issue for certbot so test that your renewal will work by running:

certbot renew --dry-run

To do...

  • blog something interesting for a change
  • set up the crons for certbot renewal
  • set up the backups - uh-oh, last time that was a PITA...
  • reboot the server and confirm that blog-dabirds are go!