Installing Ghost on FreeBSD 11.1

Last Updated 2/25/2018

This is a guide to install Ghost 1.x on FreeBSD 11.1 inside of a jail. I will be using Percona's MySQL, but you can easily substitute for MySQL or MariaDB. Email will be handled via SSMTP, a mail forwarding agent that uses a SMTP account (gmail) to send mail, since the required functions do not necessitate a full mail server. The aim is to install a production environment for Ghost on FreeBSD.

This assumes you start with a fresh install of FreeBSD 11.1 with a ZFS zpool of some sorts, and that Nginx is being run on the host machine which proxies requests to the jail(s) where node and MySQL (Percona MySQL in this case) are running. This will seem to be really long, but it includes a lot command output and covers everything from start to finish.

The virtual machine I am using in this guide is a Xen Server VM with 4GB of RAM and 80GB SSD disk. Previously I ran Ghost with sqlite3 on a 2GB VM and it was fine, but your results may vary.

Since we're dealing with a jail inside of FreeBSD, it is crucial to pay attention to the command prompts in the examples. root@dev:~ # is the host, root@ghost-prod:~ # or ghost@ghost-prod:~ $ is the jail. It may be simpler to think that Nginx is the only daemon we need to be concerned with on the host, everything else is inside of the jail.

First thing we're going to do is make sure our operating system is up to date with freebsd-update fetch, then install:

root@dev:~ # freebsd-update fetch
src component not installed, skipped
Looking up update.FreeBSD.org mirrors... 3 mirrors found.
Fetching public key from update6.freebsd.org... done.
Fetching metadata signature for 11.1-RELEASE from update6.freebsd.org... done.
Fetching metadata index... done.
Fetching 2 metadata files... done.
Inspecting system... done.
Preparing to download files... done.
Fetching 44 patches.....10....20....30....40.. done.
Applying patches... done.

The following files will be updated as part of updating to 11.1-RELEASE-p6:
/bin/freebsd-version
/boot/kernel/kernel
----- snip -----

root@dev:~ #
root@dev:~ # freebsd-update install
src component not installed, skipped
Installing updates... done.

Next we need to install some packages on the host. Feel free to build from ports if you want, this guide will not be covering that.

root@dev:~ # pkg install ezjail nginx-devel rsync screen sudo wget
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
Bootstrapping pkg from pkg+http://pkg.FreeBSD.org/FreeBSD:11:amd64/quarterly, please wait...

---- snip ----

The following 14 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        ezjail: 3.4.2
        nginx-devel: 1.13.7_3
        rsync: 3.1.3
        screen: 4.6.2
        sudo: 1.8.21p2_1
        wget: 1.19.2
        pcre: 8.40_1
        libiconv: 1.14_11
        indexinfo: 0.3.1
        gettext-runtime: 0.19.8.1_1
        libidn2: 2.0.4
        libunistring: 0.9.8
        zfsnap: 1.11.1
        zxfer: 1.1.6

Number of packages to be installed: 14

The process will require 21 MiB more space.
5 MiB to be downloaded.

Proceed with this action? [y/N]: y
[1/14] Fetching ezjail-3.4.2.txz: 100%   43 KiB  43.8kB/s    00:01
----- snip -----

ZFS Setup

Before we set anything up we need to create a the space where we want our zpools and where additional datasets will be created as new jails are created. This makes them super simple to snapshot and backup.

First let's look at our disk setup to determine our zpool name so we can create our dataset. Run:

root@dev:~ # zfs list
NAME                 USED  AVAIL  REFER  MOUNTPOINT
zroot               1.13G  74.0G    88K  /zroot
zroot/ROOT           489M  74.0G    88K  none
zroot/ROOT/default   489M  74.0G   489M  /
zroot/tmp             88K  74.0G    88K  /tmp
zroot/usr            663M  74.0G    88K  /usr
zroot/usr/home       128K  74.0G   128K  /usr/home
zroot/usr/ports      663M  74.0G   663M  /usr/ports
zroot/usr/src         88K  74.0G    88K  /usr/src
zroot/var            592K  74.0G    88K  /var
zroot/var/audit       88K  74.0G    88K  /var/audit
zroot/var/crash       88K  74.0G    88K  /var/crash
zroot/var/log        144K  74.0G   144K  /var/log
zroot/var/mail        88K  74.0G    88K  /var/mail
zroot/var/tmp         96K  74.0G    96K  /var/tmp

Here my zpool is named zroot (the default for FreeBSD installer). I want to keep the jails in /usr/jails/ so I'm going to create my dataset on zroot and verify it was created and mounted properly

root@dev:~ # zfs create -o mountpoint=/usr/jails zroot/usr/jails
root@dev:~ # zfs list zroot/usr/jails
NAME              USED  AVAIL  REFER  MOUNTPOINT
zroot/usr/jails    88K  74.0G    88K  /usr/jails

Setup the firewall with PF

We are going to use PF as a firewall on the host FreeBSD machine and use PF to provide our jail with network access since it only has access to a local-only lo1 network adapter. We are going to be enabling connections to port 22 for SSH, 80 for HTTP and 443 for SSL/HTTPS.

First we need to enable PF in /etc/rc.d by adding the following lines:

# PF
pf_enable="YES"
pf_flags=""
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
pflog_flags=""

Then we need to create a table for bad hosts, this is a list of blocked I.P. addresses. It is a table that is only read when PF starts, if you need to add other I.P. addresses add them to the file, then to the current pf tables with pfctl -t blocklist -T add 11.22.33.44. To create the table:

root@dev::~ # touch /etc/pf.blocklist

Now we copy over out pf config to /etc/pf.conf:

## /etc/pf.conf for FreeBSD

ext_if="xn0"             ## CHANGE ME
public_ip="192.168.1.28" ## CHANGE ME
loop_if="lo1" # jail loopback device

set skip on lo
set skip on $loop_if
set debug urgent

set timeout { tcp.closing 60, tcp.established 7200 }

scrub in on $ext_if all

table <jailnet> { 10.0.0.0/24 }
table <blocklist> persist file "/etc/pf.blocklist"
#table <whitelist> persist file "/etc/pf.whitelist"

# NAT rules
nat pass on $ext_if from <jailnet> to any -> $public_ip
nat on $ext_if from <jailnet> to any -> ($ext_if)  ## permits outoging traffic from the jails

#set block-policy return
block in all
pass out all
block on $ext_if from <blocklist> to any

pass inet proto tcp from any to port 22 flags S/SA keep state
#pass inet proto tcp from <whitelist> to port 22 flags S/SA keep state
pass inet proto tcp from any to port 80 flags S/SA keep state
pass inet proto tcp from any to port 443 flags S/SA keep state

## icmp settings
icmp_types = "{ echoreq, unreach }"   ## needed for traceroute and ping
pass inet proto icmp all icmp-type $icmp_types keep state

Let's make sure we don't have any syntax errors by checking the configuration file with pfctl like this:

root@dev:~ # pfctl -vnf /etc/pf.conf
ext_if = "xn0"
public_ip = "192.168.1.28"
loop_if = "lo1"
set skip on { lo }
set skip on { lo1 }
set debug urgent
set timeout tcp.closing 60
set timeout tcp.established 7200
table <jailnet> { 10.0.0.0/24 }
table <blocklist> persist file "/etc/pf.blocklist"
icmp_types = "{ echoreq, unreach }"
scrub in on xn0 all fragment reassemble
nat pass on xn0 inet from <jailnet> to any -> 192.168.1.28
nat on xn0 from <jailnet> to any -> (xn0) round-robin
block drop in all
pass out all flags S/SA keep state
block drop on xn0 from <blocklist> to any
pass inet proto tcp from any to any port = ssh flags S/SA keep state
pass inet proto tcp from any to any port = http flags S/SA keep state
pass inet proto tcp from any to any port = https flags S/SA keep state
pass inet proto icmp all icmp-type echoreq keep state
pass inet proto icmp all icmp-type unreach keep state

Everything is good. Now to enable PF. If you are connected via SSH you will be disconnected, don't freak out. If you are working on a remote machine set a cron job as root to disable PF in 15 minutes if you are worried about locking yourself out. You can do that by editing root's crontab crontab -e and adding in
*/4 * * * * /sbin/pfctl -d. If you do this make sure you disable it after verifying connectivity or your jail will not have network access.

Now enable pf

service pf start

Reconnect and we're good. If you set up that crontab be sure to disable it!

SSL Self Signed Certificate

This can also be done with Let's Encrypt but doing so on FreeBSD is a rather lengthy task and can introduce vulnerabilities if not done properly. Building it requires using LibreSSL which is incompatible with OpenSSL, which is needed for Nginx. Nginx can use LibreSSL but it has a lot of other compatibility issues that need to be worked around and is outside of the scope of this tutorial. If you need an SSL certificate to be signed by a Certificate Authority such as Comodo, Digicert, Thawte, etc., they will have a guide for you to follow so you can send the CA your CSR and they will sign and send you your cert. The rest of this section is based off of my self-signed SSL certificate. This will create a self-signed cert good for 10 years.

First we need to create our SSL directory and make it readable only by root, to do that run:

root@dev:~ # mkdir /usr/local/etc/nginx/ssl
root@dev:~ # chmod 600 /usr/local/etc/nginx/ssl

Then we create our self-signed certificate and private key. Since it is self signed fill in the requested info with whatever you like, the only important one is the Common Name (e.g. server FQDN or YOUR name), make sure you enter in your domain name you plan on using.

root@dev:~ # openssl req -new -x509 -nodes -out /usr/local/etc/nginx/ssl/dev.idontwatch.tv.crt \
-keyout /usr/local/etc/nginx/dev.idontwatch.tv.key
Generating a 2048 bit RSA private key
.......................+++
......................................+++
writing new private key to '/usr/local/etc/nginx/ssl/dev.idontwatch.tv.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New California Republic
Locality Name (eg, city) []:Dayglow
Organization Name (eg, company) [Internet Widgits Pty Ltd]:idontwatchtv
Organizational Unit Name (eg, section) []:dev
Common Name (e.g. server FQDN or YOUR name) []:dev.idontwatch.tv
Email Address []:devnull@idontwatch.tv
root@dev:~ # ls -al /usr/local/etc/nginx/ssl
total 18
drw-------  2 root  wheel     4 Feb 22 11:42 .
drwxr-xr-x  5 root  wheel    18 Feb 22 10:18 ..
-rw-r--r--  1 root  wheel  1497 Feb 22 11:41 dev.idontwatch.tv.crt
-rw-r--r--  1 root  wheel  1704 Feb 22 11:41 dev.idontwatch.tv.key

Configure Nginx

First let's enable nginx:

root@dev:~ # echo 'nginx_enable="YES"' >> /etc/rc.conf

Create Nginx directories where we will store our per-site config files. This is the way Nginx works on Debian, the FreeBSD port stuffs it all into one big configuration file in /usr/local/etc/nginx/nginx.conf which becomes difficult to maintain. Using these subdirectories we can just symlink the vhost configs that we want to use in /usr/local/etc/nginx/sites-enabled rather than commenting out dozens of lines. So create those directories:

root@dev:~ # mkdir /usr/local/etc/nginx/{sites-available,sites-enabled}

/usr/local/etc/nginx/nginx.conf is already backed up as nginx.conf-dist so just replace the entire nginx.conf with the following:
nginx.conf

worker_processes  1;

#pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    server_tokens off;
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    include /usr/local/etc/nginx/sites-enabled/*;

}

And then create the vhost for ghost. This is going to force SSL, set up logging to /var/log/nginx/, and proxy all connections to our ghost jail. In /usr/local/etc/nginx/sites-available/ghost paste the following:

server {
    # Listen on 80, redirect to https
    listen 80;
    listen [::]:80;
    server_name dev.idontwatch.tv;
    return 301 https://dev.idontwatch.tv$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name dev.idontwatch.tv;
        
    #SSL certs we just created
    ssl_certificate     /usr/local/etc/nginx/ssl/dev.idontwatch.tv.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/dev.idontwatch.tv.key;

    ssl on;
    
    access_log /var/log/nginx/ghost-access.log;
    error_log  /var/log/nginx/ghost-error.log;

    root /usr/local/www/nginx; #This doesn't matter, we're proxying connections
    index index.html index.txt;

    rewrite ^/index.php/(.*) /$1  permanent;

    location / {
        proxy_set_header        X-Forwarded-Proto https;
        proxy_set_header        X-Real-IP $remote_addr;
        proxy_set_header        Host $http_host;
        proxy_pass              http://10.0.0.80:2368;
    }

    location ~ /\.ht {
        deny all;
    }
}

Then to activate the vhost, symlink from sites-available to sites-enabled:

root@dev:~ # ln -s /usr/local/etc/nginx/sites-available/ghost /usr/local/etc/nginx/sites-enabled/

Check our configuration to make sure there aren't any problems:

root@dev:~ # service nginx configtest
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful

Now we can start nginx, it will try to proxy to a jail that will be created shortly

root@dev:~ # service nginx start
Performing sanity check on nginx configuration:
nginx: the configuration file /usr/local/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /usr/local/etc/nginx/nginx.conf test is successful
Starting nginx

To finish up, let's setup newsyslog to rotate our http logs every week on Sunday at midnight, and make them only readable by root. You may want to change this to a different user so that your logs can be fetched remotely from wherever you store your logs, consult man newsyslog.conf to understand the different options. This also requires that we send a SIG1 to Nginx's pid when the log is being rotated. To do this:

echo '/var/log/nginx/*.log root:root 600 * * $W0D0 GZ /var/run/nginx.pid 1' >> /etc/newsyslog.conf.d/nginx

ezjail configuration

For jail management we're going to use ezjail and we need to enable the ZFS options so we can create backups.

In /usr/local/etc/ezjail.conf under "ZFS Options" uncomment ezjail_use_zfs="YES", ezjail_use_zfs_for_jails="YES", and uncomment and change ezjail_jailzfs="tank/ezjail" to ezjail_jailzfs="zroot/usr/jails" so that it reflects the correct zpool and dataset. Use your favorite text editor and change those three lines or run these sed lines:

root@dev:~ # sed -ie '/^#.* ezjail_use_zfs/s/^# //g' /usr/local/etc/ezjail.conf
root@dev:~ # sed -ie '/^#.* ezjail_jailzfs/s/^# //g' /usr/local/etc/ezjail.conf
root@dev:~ # sed -ie 's/ezjail_jailzfs="tank\/ezjail"/ezjail_jailzfs="zroot\/usr\/jails"/g' /usr/local/etc/ezjail.conf

We need to create a loopback for our jails and we're going give them IP addresses so we can route traffic to it and connect it to the internet. I am going to be using addresses for jails in the 10.0.0.0/24 range on that loopback adapter. To do that, add the following to /etc/rc.conf

# loopback for jails
cloned_interfaces="lo1"
ipv4_addrs_lo1="10.0.0.0 netmask 255.255.255.0"

Then to get that interface up run:

root@dev:~ # service netif cloneup
Created clone interfaces: lo1.

And to verify everything was done correctly we'll make sure we can see the adapter

root@dev:~ # ifconfig lo1
lo1: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
        options=600003<RXCSUM,TXCSUM,RXCSUM_IPV6,TXCSUM_IPV6>
        inet 10.0.0.0 netmask 0xff000000
        inet 255.255.255.0 netmask 0xffffff00
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        groups: lo

No we can enable ezjail in /etc/rc.conf and start it

root@dev:~ # echo 'ezjail_enable="YES"' >> /etc/rc.conf
root@dev:~ # service ezjail start
 ezjailroot@dev:~ #

Now we create a basejail. A basejail is an isolated jail that holds shared operating system and ports files so we don't have to re-create and maintain it over several jails. To create the basejail, run:

root@dev:~ # ezjail-admin install -p

Now we're ready to create our jail for ghost. To create the jail with an IP address of 10.0.0.80 and verify that it is running correctly run:

root@dev:~ # ezjail-admin create ghost-prod 'lo1|10.0.0.80'
Warning: Some services already seem to be listening on all IP, (including 10.0.0.80)
  This may cause some confusion, here they are:
root     ntpd       557   20 udp6   *:123                 *:*
root     ntpd       557   21 udp4   *:123                 *:*
root     ntpd       557   27 udp4   *:123                 *:*
root     ntpd       557   28 udp4   *:123                 *:*
root     syslogd    399   6  udp6   *:514                 *:*
root     syslogd    399   7  udp4   *:514                 *:*
root@dev:~ # ezjail-admin start ghost-prod
Starting jails: ghost-prod.
/etc/rc.d/jail: WARNING: Per-jail configuration via jail_* variables  is obsolete.  Please consider migrating to /etc/jail.conf.
root@dev:~ # ezjail-admin list
STA JID  IP              Hostname                       Root Directory
--- ---- --------------- ------------------------------ ------------------------
ZR  1    10.0.0.80       ghost-prod                     /usr/jails/ghost-prod

Now we log into the jail. NOTE: Notice the different prompts with the commands being run, anything in the jail will have the hostname ghost-prod

root@dev:~ # ezjail-admin console ghost-prod
FreeBSD 11.1-RELEASE (GENERIC) #0 r321309: Fri Jul 21 02:08:28 UTC 2017

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
root@ghost-prod:~ #

Configure the jail

The first things we need to do in the jail are set a root password and add a dns resolver so we can resolve domain names. To set a root pass run passwd

root@ghost-prod:~ # passwd
Changing local password for root
New Password:
Retype New Password:

And set a DNS resolver. For this example we're just going to use google's resolvers, feel free to use others. Set resolvers by putting them in /etc/resolv.conf and then test by running a DNS query

root@ghost-prod:~ # echo "nameserver 8.8.8.8" >> /etc/resolv.conf
root@ghost-prod:~ # echo "nameserver 8.8.4.4" >> /etc/resolv.conf
root@ghost-prod:~ # host google.com
google.com has address 172.217.14.78
google.com has IPv6 address 2607:f8b0:4007:808::200e
google.com mail is handled by 50 alt4.aspmx.l.google.com.
google.com mail is handled by 10 aspmx.l.google.com.
google.com mail is handled by 40 alt3.aspmx.l.google.com.
google.com mail is handled by 30 alt2.aspmx.l.google.com.
google.com mail is handled by 20 alt1.aspmx.l.google.com.

Install packages in the jail

Now we need to install our packages. This is where package versions become extremely important, otherwise we will be running into issues later. This is where this information is important. We will be using node8 and npm for node8.

root@ghost-prod:~ # pkg install node8 npm-node8 percona57-server bash ssmtp python3 sudo
The package management tool is not yet installed on your system.
Do you want to fetch and install it now? [y/N]: y
----- snip -----
The following 26 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
        node8: 8.9.3
        npm-node8: 5.6.0_2
        percona57-server: 5.7.20.18
        bash: 4.4.12_3
        ssmtp: 2.64_3
        ca_root_nss: 3.35
        c-ares: 1.12.0_2
        libuv: 1.18.0
        icu: 60.2_1,1
        python27: 2.7.14_1
        readline: 7.0.3_1
        indexinfo: 0.3.1
        libffi: 3.2.1_2
        gettext-runtime: 0.19.8.1_1
        gmake: 4.2.1_1
        perl5: 5.24.3
        curl: 7.58.0
        libnghttp2: 1.29.0
        libevent: 2.1.8_1
        libedit: 3.1.20170329_2,1
        percona57-client: 5.7.20.18_1
        cyrus-sasl: 2.1.26_12
        liblz4: 1.8.0,1
        python3: 3_3
        python36: 3.6.4
        sudo: 1.8.21p2_1

Number of packages to be installed: 26

The process will require 531 MiB more space.
79 MiB to be downloaded.

Proceed with this action? [y/N]: y
[ghost-prod] [1/26] Fetching node8-8.9.3.txz: 100%    4 MiB   2.3MB/s    00:02
----- snip -----

===========================================================================
Message from percona57-server-5.7.20.18:

************************************************************************

Remember to run mysql_upgrade the first time you start the MySQL server
after an upgrade from an earlier version.

Initial password for first time use of MySQL is saved in $HOME/.mysql_secret
ie. when you want to use "mysql -u root -p" first you should see password
in /root/.mysql_secret

************************************************************************
Message from ssmtp-2.64_3:

sSMTP has been installed successfully.

To replace sendmail with ssmtp type "make replace" or change
your /etc/mail/mailer.conf to:

sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/local/sbin/ssmtp
newaliases      /usr/local/sbin/ssmtp
hoststat        /usr/bin/true
purgestat       /usr/bin/true


However, before you can use the program, you should copy the files
"revaliases.sample" and "ssmtp.conf.sample" in /usr/local/etc/ssmtp
to "revaliases" and "ssmtp.conf" respectively and edit them to suit
your needs.

SSMTP

Next lets setup and configure ssmtp to use a Gmail account so our welcome emails and password reset tools work. There are many ways to configure this but I am going to set an email address to receive all emails that are GUID < 1000 (emails that go to root) which will be the same account that email is sent FROM. There are sample ssmtp.conf and revalises in the /usr/local/etc/ssmtp folder for reference, but rather than going through the config we're just going to create new files, the samples will remain as a reference. Create /usr/local/etc/ssmtp/ssmtp.conf and paste in this information, changing it to use your Gmail account, or other SMTP account.

root=My.Gmail.Account@gmail.com
mailhub=smtp.gmail.com:587
rewriteDomain=gmail.com
hostname=dev.idontwatch.tv
FromLineOverride=YES
UseTLS=YES
UseSTARTTLS=YES
AuthUser=My.Gmail.Account@gmail.com
AuthPass=CHANGEME
#Debug=YES

And configure /usr/local/etc/revaliases

echo "root:My.Gmail.Account@gmail.com:smtp.gmail.com:587">> /usr/local/etc/ssmtp/revaliases

And the last part we need to configure /etc/mail/mailer.conf with the settings shown above. Empty that file out or comment out the lines and then paste:

sendmail        /usr/local/sbin/ssmtp
send-mail       /usr/local/sbin/ssmtp
mailq           /usr/local/sbin/ssmtp
newaliases      /usr/local/sbin/ssmtp
hoststat        /usr/bin/true
purgestat       /usr/bin/true

And then send off a test email:

root@ghost-prod:~ # echo "testing from ghostdev" | mail -s "dev.idontwatch test" devnull@idontwatch.tv

NOTE: If you start receiving errors such as

send-mail: Authorization failed (534 5.7.14 https://support.google.com/mail/bin/answer.py?answer=78754 n3908366pbc.83 - gsmtp)
Can't send mail: sendmail process failed with error code 1

You may need to log into gmail then go to https://www.google.com/settings/security/lesssecureapps and enable that feature (credit to ServerFault user: masegaloeh Source). If you still aren't seeing your emails enable Debugging in ssmtp.conf by uncommenting the Debug=YES line at the bottom. Check spam filters, and whitelist your sending email account if necessary. If you are running into problems with this you may also get throttled for trying to send too many emails that are bouncing which looks suspicious to spam filters.

Configure Percona MySQL

First we need to enable it and start it

root@ghost-prod:~ # echo 'mysql_enable="YES"' >> /etc/rc.conf
root@ghost-prod:~ # service mysql-server start
Starting mysql.

Now we need to login to MySQL, change root's password and create an account for Ghost. The default password for root's login to MySQL is in /root/.mysql_secret

root@ghost-prod:~ # cat .mysql_secret
# Password set for user 'root@localhost' at 2018-02-22 13:00:16
)Jk_Nh8WG<dN
root@ghost-prod:~ # mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3
Server version: 5.7.20-18

Copyright (c) 2009-2017 Percona LLC and/or its affiliates
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

Now at the mysql> prompt, the first thing we have to change root's password, it won't let us do anything else until we do.

mysql> SET PASSWORD=PASSWORD('CHANGEME');
Query OK, 0 rows affected, 1 warning (0.00 sec)

Now we need to create a database for ghost (ghost_prod), a mysql user for ghost, then grant that user full access to the database ghost_prod. To accomplish this run:

mysql> CREATE DATABASE ghost_prod;
Query OK, 1 row affected (0.00 sec)

mysql> CREATE USER 'ghost'@'%' IDENTIFIED BY 'CHANGEME';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON ghost_prod.* TO 'ghost'@'%';
Query OK, 0 rows affected (0.00 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.00 sec)

To verify we have everything setup properly, exit the mysql> prompt (type exit and press enter) and login as user ghost to make sure we can see our database.

root@ghost-prod:~ # mysql -u ghost -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 16
Server version: 5.7.20-18 Source distribution

Copyright (c) 2009-2017 Percona LLC and/or its affiliates
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> SHOW DATABASES;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| ghost_prod         |
+--------------------+
2 rows in set (0.00 sec)

mysql> exit
Bye
root@ghost-prod:~ #

Create a system user account for ghost

Next we need to create a ghost user so node isn't running as root. Note: It is important to note that a MySQL user and a system user are two different accounts. To create the user account run adduser and press enter through the responses until you have to enter a password and then confirm your account creation, then if everything is fine accept, then select no and leave. In this example I am creating user ghost with a bash shell:

root@ghost-prod:~ # adduser
Username: ghost
Full name:
Uid (Leave empty for default):
Login group [ghost]:
Login group is ghost. Invite ghost into other groups? []:
Login class [default]:
Shell (sh csh tcsh bash rbash nologin) [sh]: bash
Home directory [/home/ghost]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]:
Use an empty password? (yes/no) [no]:
Use a random password? (yes/no) [no]:
Enter password:
Enter password again:
Lock out the account after creation? [no]:
Username   : ghost
Password   : *****
Full Name  :
Uid        : 1001
Class      :
Groups     : ghost
Home       : /home/ghost
Home Mode  :
Shell      : /usr/local/bin/bash
Locked     : no
OK? (yes/no): yes
adduser: INFO: Successfully added (ghost) to the user database.
Add another user? (yes/no): no
Goodbye!

Install the ghost-cli package

To install Ghost we're going to use npm to install ghost-cli as root. The account ghost does not have permissions to install system wide packages, so we will be installing it as root, but Ghost will be run with the privileges of the user ghost for security purposes, there is no reason it needs to run as root. To install ghost run:

root@ghost-prod:~ # npm i -g ghost-cli
npm WARN deprecated yarn@1.3.2: It is recommended to install Yarn using the native installation method for your environment. See https://yarnpkg.com/en/docs/install
npm WARN deprecated fs-promise@0.5.0: Use mz or fs-extra^3.0 with Promise Support
/usr/local/bin/ghost -> /usr/local/lib/node_modules/ghost-cli/bin/ghost
+ ghost-cli@1.5.2
updated 1 package in 7.459s

Setting up our Ghost install

Now we need to change users to our system user ghost. From there we are going to create a directory called www and install ghost via ghost-cli in that directory. It is going to prompt several questions

[ghost@ghost-prod /usr/home/ghost]$ mkdir www
[ghost@ghost-prod /usr/home/ghost]$ cd www
[ghost@ghost-prod /usr/home/ghost/www]$ ghost install
✔ Checking system Node.js version
✔ Checking current folder permissions
System checks failed with message: 'Operating system is not Linux'
Some features of Ghost-CLI may not work without additional configuration.
For local installs we recommend using `ghost install local` instead.

Yes we want to continue

? Continue anyway? Yes
ℹ Checking operating system compatibility [skipped]
Local MySQL install not found. You can ignore this if you are using a remote MySQL host.
Alternatively you could:
a) install MySQL locally
b) run `ghost install --db=sqlite3` to use sqlite
c) run `ghost install local` to get a development install using sqlite3.
? Continue anyway? Yes

Yes, still want to continue

ℹ Checking for a MySQL installation [skipped]
✔ Checking for latest Ghost version
✔ Setting up install directory
✔ Downloading and installing Ghost v1.21.3
✔ Finishing install process

Here we give it our https url then database information. Remember to use the MySQL user information that was created from the MySQL CLI, and don't use root!

? Enter your blog URL: https://dev.idontwatch.tv
? Enter your MySQL hostname: localhost
? Enter your MySQL username: ghost
? Enter your MySQL password: [hidden]
? Enter your Ghost database name: ghost_prod
✔ Configuring Ghost
✔ Setting up instance

This next part it would want to create a user if we entered in root, we didn't and don't want to, so No.

? Do you wish to set up "ghost" mysql user? No
ℹ Setting up "ghost" mysql user [skipped]

Nginx is running on the host so we can create multiple jails and vhosts, so no, don't need that

? Do you wish to set up Nginx? No
ℹ Setting up Nginx [skipped]
Task ssl depends on the 'nginx' stage, which was skipped.
ℹ Setting up SSL [skipped]

Since we're using FreeBSD and not Linux we don't have systemd as part of our operating system and we will have to setup an rc script to start, stop, and restart ghost, so select No.

? Do you wish to set up Systemd? No
ℹ Setting up Systemd [skipped]
✔ Running database migrations
? Do you want to start Ghost? Yes
Process manager 'systemd' will not run on this system, defaulting to 'local'
✔ Checking current folder permissions
✔ Validating config
✔ Checking folder permissions
✔ Checking file permissions
✔ Starting Ghost
You can access your blog at https://dev.idontwatch.tv

Ghost uses direct mail by default
To set up an alternative email method read our docs at https://docs.ghost.org/docs/mail-config

Finishing Touches

Now everything should be working but we need to make a a change in the config file for ghost /home/ghost/www/config.production.json to change our mail transport to use ssmtp which is masquerading as sendmail.

In the jail, as user ghost, we need to change the mail transport from "Direct" to "sendmail", to do that run this sed command then restart ghost:

[ghost@ghost-prod ~]$ sed -ie 's/Direct/sendmail/g' /home/ghost/www/config.production.json
[ghost@ghost-prod ~]$ cd www
[ghost@ghost-prod ~/www]$ ghost restart
Process manager 'systemd' will not run on this system, defaulting to 'local'
✔ Restarting Ghost

rc script for Ghost

In order to have Ghost start on boot I wrote an rc script for it. It needs to be placed in /usr/local/etc/rc.d/ inside the jail. You will need to download it (local mirror) to the correct location and make it executable, then edit rc.conf so that it starts at boot. Example below:

root@ghost-prod:~ # fetch -o /usr/local/etc/rc.d/ghost https://idontwatch.tv/static/ghost.sh
/usr/local/etc/rc.d/ghost                     100% of  675  B 9533 kBps 00m00s
root@ghost-prod:~ # chmod +x /usr/local/etc/rc.d/ghost

Then update /etc/rc.conf to enable ghost and set the path where ghost is installed

root@ghost-prod:~ # echo 'ghost_enable="YES"' >> /etc/rc.conf
root@ghost-prod:~ # echo 'ghost_path="/home/ghost/www" >> /etc/rc.conf

Do your Ghost thing

Now to setup your Ghost install go to the URL, the same one you made an SSL cert for, and add /ghost to it in order to create your account on Ghost so you can admin the blog. In my case, I would go to https://dev.idontwatch.tv/ghost/ (don't click)

TODO

  • Short tutorial on ZFS backups

Resources

Show Comments