Mealie on AWS User Guide


Mealie is an open source, self-hosted recipe manager, meal planner and shopping list for the whole family. It imports recipes from any URL and automatically extracts the ingredients and instructions, organises recipes into cookbooks and categories, plans meals on a calendar, and generates consolidated shopping lists — all through a clean reactive web interface backed by a REST API.

This cloudimg Amazon Machine Image ships Mealie 3.19 fully installed and managed by systemd, served through an nginx reverse proxy on port 80, and secure by default: a unique administrator password is generated for every instance on first boot, replacing Mealie's well-known default credentials.

[Screenshot: Mealie sign-in]

What you get

  • Mealie 3.19.2, run from the official upstream container image (ghcr.io/mealie-recipes/mealie:v3.19.2) and managed as a systemd service.
  • nginx reverse proxy on port 80, forwarding to the application on loopback 127.0.0.1:9925 (container port 9000) — the application is never exposed directly.
  • Secure first boot — a fresh administrator password is generated per instance and written to a root-only file.
  • Dedicated data volume — the SQLite database, recipe images and the token-signing key live on a separate, independently resizable EBS volume mounted at /var/lib/mealie, kept off the operating-system disk.
  • 24/7 cloudimg support.

Architecture at a glance

Mealie is officially a Docker-first deployment: the FastAPI backend serves the bundled prebuilt Vue frontend from a single official container image, and upstream does not support bare-metal installs. This image therefore runs that official, version-pinned image as a systemd-managed container — you operate it entirely through systemctl and the standard configuration file, exactly like any other service on the instance.

Component                                       Where
Application (container)                         127.0.0.1:9925 → container port 9000
Reverse proxy                                   nginx on port 80
Configuration                                   /etc/mealie/mealie.env
Data (SQLite DB, recipe images, token secret)   /var/lib/mealie (own EBS volume)
Service units                                   mealie.service, nginx.service
Generated credentials                           /root/mealie-credentials.txt (root only)

Connecting to your instance

SSH in as the default login user for your image's operating system:

OS variant      SSH login user
Ubuntu 24.04    ubuntu

ssh ubuntu@<instance-public-ip>

Open the web interface in a browser at:

http://<instance-public-ip>/

First sign-in

The administrator password is generated uniquely on first boot. Retrieve it over SSH:

sudo cat /root/mealie-credentials.txt

MEALIE_URL=http://<instance-public-ip>/
MEALIE_ADMIN_EMAIL=admin@cloudimg.local
MEALIE_ADMIN_PASSWORD=<generated-on-first-boot>

Browse to http://<instance-public-ip>/, then sign in with the email and password shown. We recommend creating your own user and changing the administrator password from Settings → Users after your first sign-in.

[Screenshot: Mealie recipe library]

Importing your first recipe

The fastest way to fill your library is to import a recipe from a URL:

  1. Click Create in the sidebar, then Import with URL.
  2. Paste a recipe URL from any supported recipe site and submit.
  3. Mealie scrapes the page and extracts the title, ingredients, instructions, image and metadata into a new recipe.

You can also add a family recipe by hand with the editor, or bulk-import from a Nextcloud Recipes / Paprika / other export under Settings → Data Management.

[Screenshot: A Mealie recipe]

Planning meals and shopping lists

Use Meal Planner in the sidebar to schedule recipes onto a calendar across the week. From a meal plan you can generate a consolidated Shopping List that aggregates the ingredients of the planned recipes, ready to take to the shops.

[Screenshot: Mealie meal planner]

Service management

The application and the proxy are ordinary systemd units:

# status
systemctl status mealie.service
systemctl status nginx.service

# restart the application (recreates the container)
sudo systemctl restart mealie.service

# follow application logs
sudo journalctl -u mealie.service -f
# or the container's own logs
sudo docker logs -f mealie

Confirm both services are running with a quick scriptable check:

systemctl is-active mealie.service nginx.service

A quick health check, served unauthenticated through nginx, returns the running version:

curl -s http://localhost/api/app/about

{"production":true,"version":"v3.19.2","demoStatus":false,"allowSignup":false,...}

Configuration

Application configuration lives in /etc/mealie/mealie.env. After editing it, restart the service so the container picks up the new values:

sudo nano /etc/mealie/mealie.env
sudo systemctl restart mealie.service

Common settings include the timezone (TZ), the public base URL used for notifications (BASE_URL) and whether self-registration is allowed (ALLOW_SIGNUP, off by default). The full reference is in the Mealie backend configuration docs.
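Because the container only picks up mealie.env on restart, the file and the running application can disagree. The script below is an added example (not cloudimg's or Mealie's own code) that compares ALLOW_SIGNUP in the env file with what /api/app/about reports and checks the running version against the pinned tag. The function names and the sample response are constructed, and the env file is assumed to write the value as true or false.

```sh
#!/bin/sh
# Added example: compare /etc/mealie/mealie.env with what the running
# container reports on /api/app/about. Function names are hypothetical.

# Print one scalar field of the flat JSON object read on stdin.
json_field() {
    sed -n 's/.*"'"$1"'":[[:space:]]*"\{0,1\}\([^",}]*\).*/\1/p'
}

# Print the last value assigned to a key in an env file, lower-cased,
# or the given default when the key is not set (comment lines are ignored).
env_value() {   # $1 = file, $2 = key, $3 = default
    v=$(sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" |
        tail -n 1 | tr '[:upper:]' '[:lower:]' | sed 's/[[:space:]]*$//')
    printf '%s\n' "${v:-$3}"
}

# Reads the about JSON on stdin. $1 = env file, $2 = pinned version tag.
# Returns 0 when running state matches, 1 on drift, 2 on unusable input.
check_drift() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    about=$(cat)
    live_version=$(printf '%s\n' "$about" | json_field version)
    live_signup=$(printf '%s\n' "$about" | json_field allowSignup)
    want_signup=$(env_value "$1" ALLOW_SIGNUP false)   # off by default
    [ -n "$live_version" ] || { echo "no version in response" >&2; return 2; }
    rc=0
    [ "$live_version" = "$2" ] ||
        { echo "VERSION running $live_version, pinned $2"; rc=1; }
    [ "$live_signup" = "$want_signup" ] ||
        { echo "SIGNUP running $live_signup, env file $want_signup (restart pending?)"; rc=1; }
    return $rc
}

# Constructed sample response, shaped like the health-check output above.
SAMPLE_ABOUT='{"production":true,"version":"v3.19.2","demoStatus":false,"allowSignup":false}'

if [ "${1:-}" = "--live" ]; then          # run on the instance
    curl -s http://localhost/api/app/about |
        check_drift /etc/mealie/mealie.env v3.19.2
else                                      # offline demo on constructed data
    tmp=$(mktemp) && echo 'ALLOW_SIGNUP=true' > "$tmp"
    printf '%s\n' "$SAMPLE_ABOUT" | check_drift "$tmp" v3.19.2 ||
        echo "drift detected"
    rm -f "$tmp"
fi
```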

Backups

Mealie has a built-in backup feature under Settings → Site Settings → Backups that snapshots the database and recipe data into an archive you can download or restore. For infrastructure-level backups, the data volume mounted at /var/lib/mealie holds everything stateful — snapshot that EBS volume to capture the full application state.

Switching to PostgreSQL (optional)

SQLite is the default and is ample for a household or small team. For higher concurrency, point Mealie at PostgreSQL by editing /etc/mealie/mealie.env:

DB_ENGINE=postgres
POSTGRES_USER=mealie
POSTGRES_PASSWORD=<your-password>
POSTGRES_SERVER=<db-host>
POSTGRES_PORT=5432
POSTGRES_DB=mealie

Then restart: sudo systemctl restart mealie.service. Migrate your existing data with Mealie's backup/restore feature before switching engines.

Enabling HTTPS

The image serves plain HTTP on port 80 so it works behind your own TLS terminator. Until TLS is in place, sign-in credentials and session tokens cross the network unencrypted. For production, terminate TLS at an AWS Application Load Balancer or CloudFront in front of the instance, or obtain a Let's Encrypt certificate directly on the box:

sudo apt-get update
sudo apt-get install -y certbot python3-certbot-nginx
sudo certbot --nginx -d your-domain.example.com

Point a DNS record at the instance's public IP first, and make sure your security group allows inbound TCP 443.

Security notes

  • The application binds to loopback only (127.0.0.1:9925) and is reachable solely through the nginx reverse proxy on port 80.
  • The administrator password is generated per instance on first boot; no shared or default credentials ship in the image. The well-known default (changeme@example.com / MyPassword) is rotated away before the instance is ready.
  • Restrict the instance's security group to the networks that need it, and put the instance behind TLS for any internet-facing deployment.
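The first two notes can be verified on a running instance. The script below is an added example, not part of the cloudimg image: it checks that port 9925 is bound to loopback only and that the credentials file is readable by root alone. Port and path are taken from this guide; the function names and the sample `ss` output are constructed.

```sh
#!/bin/sh
# Added example: checks for two claims in the security notes. Port 9925 and
# the credentials path are from this guide; function names are hypothetical.

# Reads `ss -ltnH` output on stdin. Succeeds only if the port is bound and
# every binding is a loopback address; prints each offending listener.
check_loopback_only() {
    awk -v port="$1" '
        {
            n = split($4, p, ":")             # column 4 is local addr:port
            if (p[n] != port) next
            seen = 1
            addr = substr($4, 1, length($4) - length(p[n]) - 1)
            if (addr !~ /^127\./ && addr != "[::1]") { print "EXPOSED " $4; bad = 1 }
        }
        END {
            if (!seen) { print "NOT LISTENING on " port; exit 2 }
            exit (bad ? 1 : 0)
        }'
}

# Succeeds only if the file belongs to the expected owner and grants nothing
# to group or other (mode 600 or 400, for example).
check_private_file() {   # $1 = path, $2 = expected owner
    info=$(stat -c '%a %U' "$1") || return 2
    mode=${info% *} owner=${info#* }
    [ "$owner" = "$2" ] || { echo "OWNER $owner, expected $2"; return 1; }
    case $mode in
        *00) return 0 ;;
        *)   echo "MODE $mode is readable beyond the owner"; return 1 ;;
    esac
}

# Constructed sample of `ss -ltnH` output for the layout this guide describes.
SAMPLE_SS='LISTEN 0 4096 127.0.0.1:9925 0.0.0.0:*
LISTEN 0 511    0.0.0.0:80     0.0.0.0:*
LISTEN 0 511       [::]:80        [::]:*'

if [ "${1:-}" = "--live" ]; then          # run as root on the instance
    rc=0
    ss -ltnH | check_loopback_only 9925 || rc=1
    check_private_file /root/mealie-credentials.txt root || rc=1
    exit $rc
else                                      # offline demo on constructed data
    printf '%s\n' "$SAMPLE_SS" | check_loopback_only 9925 &&
        echo "sample: 9925 is loopback only"
fi
```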

Support

This image is backed by 24/7 cloudimg technical support by email and chat — deployment, importing recipes, meal-plan configuration, backups, switching to PostgreSQL, TLS termination and scaling. Contact us at support@cloudimg.co.uk.
