Skip to content

Instantly share code, notes, and snippets.

@mnem

mnem/00-setting-up-a-scaleway-ghost-server.md

Last active May 17, 2021 00:08
Show Gist options
  • Save mnem/3afb99f9f7ef903aee57205157df6805 to your computer and use it in GitHub Desktop.
Save mnem/3afb99f9f7ef903aee57205157df6805 to your computer and use it in GitHub Desktop.
Download ZIP
Setting up ghost on scaleway because the app image they have is really rather old.
Raw
00-setting-up-a-scaleway-ghost-server.md

Server image

I use Ubuntu 16.04/Ubuntu Xenial.

Setup server

Add a new user who isn't root, but who can sudo:

  1. Update all the things: apt-get update && apt-get dist-upgrade && apt-get autoremove
  2. Reboot, just in case: shutdown -r now
  3. Delete the perplexing plaintext root password file: rm /root/.pw
  4. Change the root password to a STRONG password: passwd
  5. Add a user rather than working as root: adduser foo
    1. Give them a nice strong password.
  6. usermod -aG sudo foo
  7. Login as the new user: su - foo
  8. Setup the authorized_keys for the new user. From your local machine:
    1. ssh-keygen -o -a 100 -t ed25519
    2. Copy the public key into the authorized_keys
  9. Check that you can login as the new user from your local machine.
  10. The rest of the guide assume you have logged in as the user you created above.
  11. Secure the sshd config:
    1. sudo nano /etc/ssh/sshd_config
    2. Port 22 => Port <something random above 1024>
    3. PermitRootLogin without-password => PermitRootLogin no
    4. ChallengeResponseAuthentication yes => ChallengeResponseAuthentication no
    5. #PasswordAuthentication yes => PasswordAuthentication no
    6. Save and exit
    7. Restart sshd: sudo service ssh restart
    8. BEFORE LOGING OUT OF THE CURRENT SESSION: check you can log in from your local machine with the new settings.
  12. Install postfix for local mail:
    1. sudo apt-get install mailutils postfix
    2. Select local only configuration
  13. Send a test mail: echo 'Test message' | mail -s 'This is a test message' root
  14. Install mutt for reading the mail: sudo apt-get install mutt
  15. Check the test mail was delivered: sudo mutt
  16. Install archivemail so that we can regularly archive all the cron mails we'll now get: sudo apt-get install archivemail
    1. Test archive mail works: sudo /usr/bin/archivemail -nd 28 /var/mail/root
    2. Install it as a cron job:
      1. sudo crontab -e
      2. @daily /usr/bin/archivemail -d 28 /var/mail/root
  17. Install a firewall:
    1. sudo apt-get install ufw
    2. The next instructions are from: https://community.online.net/t/how-to-configures-iptables-with-input-rules-with-dynamic-nbd/303/22
    3. sudo nano /etc/default/ufw
      1. Set the default INPUT policy to ACCEPT: DEFAULT_INPUT_POLICY="ACCEPT"
    4. Append a drop-all rule to the INPUT chain: sudo nano /etc/ufw/after.rules, add this line just before the final COMMIT line: -A ufw-reject-input -j DROP
    5. Disable UFW logging (this seems to cause issuses with Scaleway's default kernel): sudo ufw logging off
    6. Allow OpenSSH access: sudo ufw allow <the new SSH port number you set above>
    7. Enable the firewall: sudo ufw enable

Setup ghost

Based on https://docs.ghost.org/docs/install

  1. Make sure everything is up to date: sudo apt-get update && sudo apt-get upgrade
  2. Add the tools to add PPAs, if not already there: sudo apt-get install software-properties-common
  3. Install nginx: sudo apt-get install nginx
  4. Allow nginx through the firewall: sudo ufw allow 'Nginx Full'
  5. Disable the default nginx website:
    1. sudo rm /etc/nginx/sites-enabled/default
    2. sudo nginx -s reload
  6. Install MySQL: sudo apt-get install mysql-server
    1. Use a strong root password
  7. Add the nodesource apt repo: curl -sL https://deb.nodesource.com/setup_6.x | sudo -E bash
  8. Install node: sudo apt-get install nodejs
  9. Install ghost-cli: sudo npm i -g ghost-cli
  10. Create the base documents folder: sudo mkdir -p /var/www/ghost
  11. Chown it: sudo chown foo:foo /var/www/ghost
  12. Move to that folder: cd /var/www/ghost
  13. Install ghost: ghost install
    1. Full guide to the installer questions: https://docs.ghost.org/docs/cli-install#section-prompts

Setting up tarsnap

Backups are important, m'kay? I like to use tarsnap because it can be set up in such a way that you can lose control of your server but the backups remain unreadable to the intruder.

  1. TODO
Raw
10-lets-encrypt-setup.md

It turns out Ghost can setup letsencrypt for you, so I'm storing the summary I wrote here in case it's of use to me at some point in the future.

Setup letsencrypt

Summarised from https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-16-04

  1. Add the tools to add PPAs, if not already there: sudo apt-get install software-properties-common
  2. Add the letsencrypt certbot repo: sudo add-apt-repository ppa:certbot/certbot
  3. Update apt: sudo apt-get update
  4. Install certbot: sudo apt-get install python-certbot-nginx
  5. Add the domain(s) you want, e.g. sudo certbot --nginx -d foo.noiseandheat.com

The letsencrypt account details are stored at:

/etc/letsencrypt

So regularly back this up. One way is to tar it:

sudo tar -cvzf ~/letsencrypt.tgz /etc/letsencrypt

And then from your own machine grab the archive:

scp myhost:~/letsencrypt.tgz .
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment