Hosting a Ghost blog on AWS

· 5 min read

I decided to switch to only using Home Assistant OS for running servers, I have an Intel NUC (development) and Home Assistant Blue (production), they run Home Assistant and do some file sharing and DSMR smartmeter energy readings.
Also VS Studio, TimeScaleDB (Postgres)

But I also run a personal blog (the one you are looking at now) at home for years on my home Linux server, I could port Ghost over to Home Assistant add-on but I wanted to experiment with AWS cloud as well.. If this can be done cheap. I know you can also run Ghost on GitHub Pages but then you always need an installation to write posts on and push pages to GitHub as commits, extra steps.

I opted for the smallest version of a AWS Lightsail instance, still a full blown Linux installation with limited resources. Added Route53 for DNS (switched from Version) to have one source.

Here the steps to get it going using Docker, Ghost and Caddy as proxy and Lets Encrypt client.

Create AWS account

Select billing with Creditcard for first Month, after first payment you can add a bank account if you want. (not tested yet)

Select a zone near you (Frankfurt for me)

Create Lightsail instance

I created a full blown Linux distro image to work in (not free, see below)

OS Only
Linux Debian 10.5
Frankfurt / eu-central-1

Create new SSH keypair (not free, see below) or use existing one.

Choose 512 MB RAM, 1 vCPU, 20 GB SSD plan.

Instance name (must be unique)

BTW: You can always upgrade to a bigger instance by restoring a snapshot, but you cannot go backup smaller without a re-install.

Connect with web terminal
If you want to connect with local SSH client and/or WinSCP import the key you created.

Update OS


sudo apt-get update
sudo apt-get upgrade
sudo apt-get autoclean
sudo apt-get clean
sudo apt-get autoremove
history -c

chmod +x

Install Docker

curl -fsSL -o
sudo sh

[this can takes some time]

sudo usermod -aG docker admin

Now disconnect and reconnect to get new group membership

Caddy and Ghost installation

I choose /home/admin/docker as docker base directory.

mkdir -p ~/docker/caddy/data
mkdir -p ~/docker/caddy/config
cd ~/docker

vi Caddyfile

    # Global options block. Entirely optional, https is on by default
    # Optional email key for lets encrypt
    email your@email.address
    # Optional staging lets encrypt for testing. Comment out for production.
    # acme_ca
} {
    reverse_proxy ghost:2368
} {

vi docker-compose.yaml

                image: caddy:2-alpine
                restart: always
                container_name: caddy
                        - 443:443
                        - ./caddy/Caddyfile:/etc/caddy/Caddyfile
                        - ./caddy/data:/data
                        - ./caddy/config:/config
                        - com.centurylinklabs.watchtower.enable=true

                image: ghost:3-alpine
                restart: always
                container_name: ghost
                        - 2368:2368
                        - ./ghost/data:/var/lib/ghost/content
                        - NODE_ENV=production
                        - url=
                        - com.centurylinklabs.watchtower.enable=true

                container_name: watchtower
                restart: always
                image: v2tec/watchtower
                        - /var/run/docker.sock:/var/run/docker.sock
                        - com.centurylinklabs.watchtower.enable=true
                command: --schedule "0 0 4 * * *" --cleanup --label-enable

As you can see I also install and run Watchtower to keep the images up to date.

Now you can start them with

docker-compose run -d

Check for succesful startups in the logs

docker logs caddy
docker logs ghost


You need a static IP address, you can have 5 of them for free, so create one.

Link it to your instance, and setup the firewall, do this by clicking on the three dots on the instance and choose Manage, then Networking tab.

I removed port 80, I don't need it since Route53 does proper Lets Encrypt authentication, and add your home IP address as restricted IP to SSH rule.

Setup your Domain

You need to create and set up your domain if you don't have any. You have two options either register new domain with AWS Route 53 (not free, see below) or some third party domains such as Google Domains or GoDaddy etc.

I moved my domain from Versio to Route53, was done in an hour, then created the records needed.

Next make sure the A-record of your domain points to this public IP address, I use Route53 as registrar and for DNS management, but this is not important.

After the record is propagated you should be able to visit your URL.

Later you can make your domain more secure, enable DNSSEC and test it, define a CAA record so you only allow Lets Encrypt to give out certs for your domain.
I also use it for e-mail, so I configured DMARC, DKIM and SPF. (out of scope)

Anyway you should see a virgin Ghost website now, create a admin account, and wipe the data. (Labs -> Delete all content)

If you are moving from another Ghost instance like I was, import the exported theme first, then imported the posts in JSON format, and restored the backup of my Ghost images directory.


I use AWS snapshots to create a full snapshot to keep. (not free, see below) And I have a script to make backups of my volumes and data from inside the instance.

vi ~/

cd "${BASH_SOURCE%/*}" || exit
rm -rf $backup_path
mkdir -p $backup_path

for i in `docker inspect --format='{{.Name}}' $(docker ps -qa) | cut -f2 -d\/`
  do container_name=$i
  mkdir -p $backup_path/$container_name
  echo -n "$container_name - "
  docker run --rm \
    --volumes-from $container_name \
    -v $backup_path:/backup \
    -e TAR_OPTS="$tar_opts" \
    piscue/docker-backup \
    backup "$container_name/$container_name-volume.tar.xz"
  echo "OK"

tar -czvf ./backup-server.tar.gz --exclude=".[^/]*" .
rm -rf $backup_path

chmod +x ./

It uses "piscue/docker-backup" repo to make backups of Docker containers.


Now the most fussy part of this story. (same for all Cloud providers)

Registrar costs for domain $ 10.00 = € 8.23

Lightsail Instance = $ 3.50
Snapshot 20GB * $ 0.05 = $ 1.00
Key management (CMK for DNSSEC) = $0.52
Route53 per hosted zone (for first 25) * 1 = $0.50
Route53 for 1.000.000 queries $ 0.50 = $ 0.02

Total per Month: $ 5.54 = € 4.56