Ghost user creation (for systemd)

[acburdine]

One of the current weird parts of the ghost-cli setup is its needed privileges, both for setting up a new Ghost blog (via the CLI itself) and for actually running the Ghost node process. To ensure transparency as well as security, there needs to be a bit of additional handling done in the CLI where system users are concerned. The first part of this is to ensure that whoever actually runs ghost install knows what things the CLI needs to run as sudo. There is an issue open currently to track this: #164.

However, the part this issue covers is configuring and then running the actual persistent node process as a user without any type of sudo permissions, made simpler thanks to systemd, which allows the ghost process to be run under another user. So, what Ghost-CLI in the end needs to do is create a new user on setup (similar to what a mysql installation does), and then run Ghost as that user via the configured systemd service. This user would be named ghost, and have the login shell set to /bin/false to prevent actually logging in as that user. For multiple blogs setup on one system, the same ghost user would be re-used for both of them (but could potentially be changed via a command line option?). The user would also need to be made owner of the ghost install directory.

The only really tricky bit with this arises when one-click/automatic updates are implemented in the future. The way the current, manual ghost update command works, the new version is downloaded, dependencies are installed, and then ghost is stopped & restarted using ghost stop and ghost start, both of which require sudo due to the interaction with systemd. However, the actual download & dependency installation steps don't require sudo, so that should be possible with the non-sudo ghost user, which would need to be done with automatic updates since the update request would be triggered from the running Ghost process. During said automatic update, the actual ghost process would kill itself after installing the updated version, relying on systemd to restart the node process with the new updated version. (see TryGhost/Ghost#8005) for a little bit more context on automatic/one-click updates).

We need to prompt the user creation. See #177.

--

A user without sudo access won't be able to use systemd regardless. Will fallback to local process manager. So I think what really needs to happen is just better documentation on how to not use systemd e.g. ghost install --process local

Systemd will restart Ghost if ghost stops for whatever reason - it also will restart Ghost on server reboot - whereas the local one won't

Local process manager can't be run as a separate user either - you have to run ghost start as the user you intend to run Ghost with

e.g. if you run ghost install and we prompt you to create the user ghost, but it doesn't work we fallback to local process manager.