When I realized that I wanted to throw together a personal blog site again I started looking at my hosting options. Dreamhost has been providing me with cheap hosting for a long time, but I'm a lot pickier than I used to be about what I want to do with my host. I'd been running my role-playing blog on their DreamCompute platform, but I realized that I really should be moving to AWS. Prices are comparable, and I'm getting a year free from Amazon.
Setting up wasn't too much of a problem, although AWS is such a professional tool that there is a lot that would be intimidating for an inexperienced user. If you're not familiar with AWS there is lots of documentation out there.
The free tier gives you a VM with 1 CPU and 1GB of RAM, which is more than enough to run a couple of instances of Ghost blog and Nginx. I signed up and configured an EC2 instance to run Ubuntu 16.04. I configured the security group to allow SSH, MOSH, HTTP, and HTTPS connections, then made sure my SSH keys were configured to allow access.
After getting shell access I installed letsencrypt, nginx, mosh, nodejs, npm, and python3.
apt-get install letsencrypt mosh nginx nodejs python3 npm
ln -s /usr/bin/nodejs /usr/bin/node
I register my domains with Hover, so I logged into their control panel to update my DNS entries to my new IP. Once the DNS had been updated I could use the letsencrypt client to get SSL certificates for both of my domains.
letsencrypt certonly -d codemichael.net -d rpgames.org
I started a new github repo for the configs and such. I had to create a virtual host for both rpgames.org and codemichael.net, which I put into /etc/nginx/sites-available. Notice a couple of items that I specified:
- port 80 redirects to 443 automatically - all SSL all the time.
- I set the GNU Terry Pratchett header. Keep his name alive.
- I set the HTTP Strict Transport Security (HSTS) header. Once SSL, always SSL.
- Nginx is pretty much just passing the requests to the nodejs Ghost instance.
# Default server configuration
#
# The plain-HTTP server exists only to bounce visitors to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name rpgames.org;
    rewrite ^ https://$server_name$request_uri? permanent;
}

server {
    listen 443;
    listen [::]:443;
    # HSTS: once a browser has seen this over HTTPS it will not try plain HTTP for a year.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    add_header X-Clacks-Overhead "GNU Terry Pratchett";
    # 'ssl on' is fine on Ubuntu 16.04's nginx; newer releases expect 'listen 443 ssl' instead.
    ssl on;
    # letsencrypt issued one certificate covering both -d names and stores it
    # under the first name given, so the rpgames.org host uses this path too.
    ssl_certificate /etc/letsencrypt/live/codemichael.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/codemichael.net/privkey.pem;
    root /var/www/html;
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
    server_name rpgames.org;
    location / {
        # Pass the client address and the original scheme through to Ghost.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:2369;
    }
}
After getting Nginx configured I had to get the two instances of Ghost ready to go. I unpacked the Ghost software into /var/www/codemichael (new install) and /var/www/rpgames (backup from other server). I had to run npm install --production for both. I configured systemd service files for both.
[Unit]
Description=Run codemichael ghost blog nodejs software
After=network-online.target
[Service]
ExecStart=/usr/bin/node /var/www/codemichael/index.js
Restart=always
StandardOutput=syslog
StandardError=syslog
SyslogIdentifier=codemichael-ghost
User=ghost
Group=www-data
Environment=NODE_ENV=production
[Install]
WantedBy=multi-user.target
Simple and effective way to get things running. Then, to make sure they start on system reboot:
systemctl enable nginx.service
systemctl enable codemichael-ghost.service
systemctl enable rpgames-ghost.service
Now that things were working, it was time for some maintenance work; we gotta make sure things are nice and automated. I wrote some Python to manage config and install backups, then some systemd timers to run the backups and another timer to refresh my SSL certs. That takes care of most of the necessary maintenance. I'll still have to log in once in a while to update and reboot the OS, but that's fine; I don't actually want to automate OS patching.
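The backup half of that automation, as an added illustration rather than the author's own script: it archives a Ghost install's config.js and content/ tree into a timestamped tar.gz, keeps the archive owner-only because the SQLite database inside holds the blog's user accounts, and prunes old copies so the free-tier disk does not fill up. The Ghost 0.x layout (config.js at the install root, content/ holding data/ghost.db, images and themes) is an assumption.

```python
"""Back up a Ghost 0.x install's config.js and content/ tree into a
timestamped tar.gz and prune old archives. Illustration only; the Ghost
layout assumed here (config.js at the root, content/ beside it) is an
assumption, not taken from the author's setup."""
import os
import tarfile
import time
from pathlib import Path

# Pieces worth keeping; node_modules is rebuilt by `npm install --production`.
BACKUP_ITEMS = ("config.js", "content")


def backup_ghost(install_dir, dest_dir, keep=7, now=None):
    """Archive install_dir's config and content into dest_dir.

    Returns the Path of the new archive and keeps only the newest `keep`
    archives for this install. `now` is an epoch time for testing.
    """
    install = Path(install_dir)
    dest = Path(dest_dir)
    dest.mkdir(parents=True, exist_ok=True)
    stamp = time.strftime("%Y%m%d-%H%M%S", time.gmtime(now))
    archive = dest / f"{install.name}-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for item in BACKUP_ITEMS:
            src = install / item
            if not src.exists():
                raise FileNotFoundError(f"missing {src}; is this a Ghost install?")
            # Relative arcnames so a restore lands under one directory.
            tar.add(src, arcname=f"{install.name}/{item}")
    # The archive contains ghost.db with user accounts: owner-only access.
    os.chmod(archive, 0o600)
    prune_backups(dest, install.name, keep)
    return archive


def prune_backups(dest_dir, prefix, keep):
    """Delete all but the newest `keep` archives named prefix-*.tar.gz.

    The timestamp in the name sorts lexically, so sorted() is oldest first.
    """
    archives = sorted(Path(dest_dir).glob(f"{prefix}-*.tar.gz"))
    for old in archives[:-keep] if keep > 0 else archives:
        old.unlink()
    return archives[-keep:] if keep > 0 else []


def list_members(archive):
    """Return the sorted member names of an archive, to verify a backup."""
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())
```

Run it from a systemd timer as the same unprivileged user that owns the Ghost tree, and restore by unpacking the archive over a fresh `npm install --production`.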
I also have site monitoring via letsmonitor.org. Now I have a nice pair of markdown blogs.