To follow up on my original problem on my Ghost-CLI install using Ghost’s hosted ActivityPub, the missing piece for me after sorting out the nginx bits above was that I have my admin dashboard on a separate subdomain from the main site, which means that I needed to add a redirect from not-admin-site.tld/ghost/* over to actual-admin-site.tld/ghost/.
If this redirect doesn’t occur (or is blocked in some way), Ghost’s ActivityPub instance can’t get configuration information from your Ghost install that it needs to allow you to use it.
The clearest symptom for this problem is a message when Ghost first starts up webhook secrets:
ERROR Could not get webhook secret for ActivityPub FetchError: invalid json response body at …
I added a redirect with Cloudflare since I already had some rewrite rules in place.
A member of the Ghost Foundation dev team has a PR open that fixes this behavior, so hopefully when 6.0.1 comes out, that’ll get the problem resolved (by Ghost handling the redirect) without needing the extra redirect.