Setting up a self-hosted Ghost blog on Digitalocean - PART 1

In my earlier post I described why I decided to set up this blog. In this post, I would like to share some of the key aspects around setting up a self-hosted Ghost blog on Digitalocean.

(Photo by Anete Lūsiņa)

This article is part of a series

• Part 1 - Setting up a self-hosted Ghost blog on Digitalocean
• Part 2 - Secure HTTPS setup with Cloudflare
• Part 3 - Infrastructure as Code with Terraform and Cloudflare

Step 1 - Register a domain

For my blog, I used a domain (paolotagliaferri.com) that I already owned. You don't really need a domain to get started - it's up to you. I think having your own domain is much cooler, and it allows to set up proper secure certificates and mail validation DNS records. In my case, I simply updated my registrar and moved it to Cloudflare.

I already used Cloudflare for other websites in the past, and I can say it really simplifies setting up a "state of the art" configuration, with global caching and other neat features which I will probably discuss in a future post.

Given that most of the services they provide are for free, I thought at least to give them back something by moving the domain with them. On top of that, the domain renewal price was quite low and inclusive of the old registrar's expiration date. Finally, they now offer full redaction of personal data on WHOIS requests which helps with avoiding your registrant personal data being available to anyone anywhere on the globe.

Step 2 - Set up Droplet and one-click Ghost installation

Next, I went Ghost one-click installer page on Digitalocean and subscribe the smallest size droplet: this is more than sufficient for me to bootstrap the blog and the cost of 5$ per month is more than reasonable. Should I ever become an internet sensation overnight, I can always revisit this with either a beefier configuration, or a multi droplet set up with load balancers and all that good stuff.

One could go for a more resilient set up from the get go - in my case this was weighted with the fact that my blogging activities are still pretty much an experiment in progress at this stage. Therefore, setting up a fault-tolerant, high-availability blog is outside of the scope of this article (and definitely not in scope for my pockets 😎).

Next, pick a region that works for you and your readership. As I am based in Europe, I chose the London region for my droplet.

For 1$ extra per month (the backup price is 20% of the Droplet cost - so 20% of 5$ is 1$ in my case) you can also configure automated weekly backups with a retention period of a month. This will help you should you have any issues with your installation. Normally I'd say a daily frequency for the backup would be better, but again for now this is more than sufficient for my needs this just gives me some extra reassurance should I ever need to restore the system. Head here for more complete documentation about this backup method.

I also strongly recommend to create an SSH key pair, so that you will be able to connect to your droplet using your chosen key, rather than using a password. If you don't know how to do this, see the following articles for creating a keypair with OpenSSH and connecting to your droplet using SSH.

Once you Droplet is up and running, you can SSH in it and perform the initial setup of your Ghost blog. The following article will guide you through the key steps.  Make sure that you go through the Ghost installation process as soon as possible, then you can point your domain to the Droplet with appropriate DNS rules.

🚨 Please also note that I am assuming you will follow general best practices set up your VM with a separate user with the appropriate permissions, and not just being lazy and using the root user to do everything. It's up to you how far you want to go down the rabbit hole at this point.

Step 3 - Update and secure your Droplet

As you have bravely decided for self-hosting, you are responsible for deploying regular updates and security patches everything, and in particular to:

• Ghost blog installation
• Underlying Droplet software
• OS/kernel

In general, you are fully responsible for the security posture of your VM and all that it contains, as well as the services you will make available externally (such as the nginx web server that is used to serve the blog pages)

Updating Ghost

Ghost currently does not support automatic updates, so you will have to check it manually on a regular basis. SSH into your Droplet then just use the ghost-cli

cd /var/www/ghost (assuming that's your ghost installation folder)
ghost --version (to verify which version your are running)
ghost ls (alternative to above)
ghost update

Updating Droplet software / OS

For the Droplet itself, assuming you are running on Ubuntu, then you would have to regularly update your system packages and clean unnecessary old ones. You can do this manually with the following commands

apt update && apt upgrade && apt autoremove

That said, there is a way to automate this by installing the unattended-upgrades package and configuring automated actions (you should do this at least for security updates): the following article describes this in detail. You will notice that the article also describes a way to get notified about the outcome of each unattended upgrade attempt by sending an e-mail to a predefined address.

However you will realise that the e-mails coming from your Droplet are ending up (at best) in your Spam folder. I'll leave solving this to a future article: in a nutshell, you will have to set up e-mail encryption, SPF and DKIM

Of course, you are encouraged to further harden your VM setup. I've found the following articles very useful to achieve this without spending too much time:

1. Securing your Linux VPS: ufw should be already configured (you can confirm that by typing ufw status in your console)
2. Set up MFA for SSH: this is very good to further enhance the protection of the system, in particular that of the users with administrative capabilities. In short, you will be able to use a multi-factor authenticator app (such as the Authy app) so that a one time numeric code will be required every time to log in your Droplet in addition to the other secret (your private key / or password if you didn't follow the recommended approach)
3. Set up Fail2Ban: this utility will automatically ban clients that fail too many attempts at connecting via ssh in a specified amount of time.

That's it! This should give you a decent starter set up, so you can actually focus your time on writing something. I tend to like this hands-on approach especially when I want to learn some new tricks. If this scares you, you can always use the managed version Ghost(Pro) which will abstract away pretty much all the above tasks.

In the next article I will be focusing on the benefits of using Cloudflare and having a robust SSL set up. Stay tuned!

This article is part of a series

• Part 1 - Setting up a self-hosted Ghost blog on Digitalocean
• Part 2 - Secure HTTPS setup with Cloudflare
• Part 3 - Infrastructure as Code with Terraform and Cloudflare