Setup NodeBB on Fedora 33 with PostgreSQL and Nginx with HTTPS only
-
Setup NodeBB on Fedora 33 with PostgreSQL and Nginx with HTTPS only
- Why PostgreSQL? Because screw Mongo licensing complexities.
- As with many of my more recent guides, I'll be using environment variables.
- Do not log out of your Console/SSH session until this is complete.
Create a random password for PostgreSQL's admin user account
export DB_ROOT_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"Database name to use for application
export DB_NAME='nodebb'Database user to use for application
export DB_USER='nbbuser'Generate a random password for the database user
export DB_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"The location to install the application
export APP_PATH='/opt/nodebb'The FQDN of the application
export FQDN='community.domain.com'Path to the SSL certificates and key
export SSL_KEY_PATH='/etc/pki/tls/private/cforigin.domain.com.key' export SSL_CERT_PATH='/etc/pki/tls/certs/cforigin.domain.com.pem' export SSL_CA_CERT_PATH='/etc/pki/tls/certs/cfchain.domain.com.pem'Dump the environment variables to a file in the current directory for later reference.
cat >> setup.info << EOF PostgreSQL Database Name : $DB_NAME Database User : $DB_USER Database User Password : $DB_PASS Database Root Password : $DB_ROOT_PASS Application Path : $APP_PATH FQDN : $FQDN SSL Certificate Path : $SSL_CERT_PATH SSL Key Path : $SSL_KEY_PATH SSL CA Certificate Path : $SSL_CA_CERT_PATH EOFUpdate the Operating System
sudo dnf upgrade -y --refreshThese are tools I use on pretty much every Fedora instance
- Configuration of them, if required, is not covered here.
sudo dnf install -y nano sysstat glances htop dnf-automaticInstall the packages required for PostgreSQL backed NodeBB
sudo dnf install -y git nginx nodejs npm postgresql-server policycoreutils-python-utilsInitialize the PostgreSQL database
sudo /usr/bin/postgresql-setup initdbEnable and start the database
sudo systemctl enable --now postgresqlEnable and start Nginx to be the proxy
sudo systemctl enable --now nginxUpdate the firewall to allow the needed connections
sudo firewall-cmd --add-service=https --permanent sudo firewall-cmd --reloadTell SELinux to allow the webserver to connect to the local network
sudo setsebool -P httpd_can_network_connect onCreate user and database to be used by NodeBB
- this spews an error about changing directories, but still creates.
- Need to fix that. This is my first time scripting PostgreSQL
sudo -u postgres psql -c "create user $DB_USER with encrypted password '$DB_PASS'" sudo -u postgres psql -c "create database $DB_NAME" sudo -u postgres psql -c "grant all privileges on database $DB_NAME to $DB_USER"Set a password for the admin user (postgres)
sudo -u postgres psql -c "alter user postgres with password '$DB_ROOT_PASS'"Update PostgreSQL to use database user login information.
sudo sed -i 's/ident$/md5/g' /var/lib/pgsql/data/pg_hba.confRestart PostgreSQL
sudo systemctl restart postgresqlCreate application directory.
sudo mkdir -p $APP_PATHDownload NodeBB
- As of the creation of this guide, the current branch is v1.15.x
- Update accordingly.
sudo git clone -b v1.15.x https://github.com/NodeBB/NodeBB.git $APP_PATHCreate the user account to run the application
sudo adduser nodebb --system --create-homeSet ownership to the user that will be running the application
sudo chown -R nodebb:nodebb $APP_PATHSetup a strong Diffie-Hellman parameter
sudo mkdir -p /etc/nginx/dhparam sudo openssl dhparam -outform PEM -out /etc/nginx/dhparam/dhparam.pem -2 2048Create the SSL certificate
- You will need to prep these steps in a vscode window or something
- You do not want to mess this up, or else Nginx will not start.
sudo tee $SSL_CERT_PATH > /dev/null << EOF -----BEGIN CERTIFICATE----- Put everything from your CERTIFICATE file here... -----END CERTIFICATE----- EOFCreate the SSL private key
sudo tee $SSL_KEY_PATH > /dev/null << EOF -----BEGIN PRIVATE KEY----- Put everything from your KEY file here... -----END PRIVATE KEY----- EOFCreate the SSL CA certificate chain
sudo tee $SSL_CA_CERT_PATH > /dev/null << EOF -----BEGIN CERTIFICATE----- Put everything from your CA CERT CHAIN file here... -----END CERTIFICATE----- EOFSet the permissions of the SSL files.
sudo chmod 644 $SSL_CA_CERT_PATH sudo chmod 644 $SSL_CERT_PATH sudo chmod 600 $SSL_KEY_PATHSetup up the Nginx configuration file for the application.
sudo tee /etc/nginx/conf.d/nodebb.conf > /dev/null << EOF server { # Based on Mozilla intermediate configuration https://ssl-config.mozilla.org/ listen 443 ssl http2; listen [::]:443 ssl http2; server_name $FQDN; ssl_certificate $SSL_CERT_PATH; ssl_certificate_key $SSL_KEY_PATH; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; # about 40000 sessions ssl_session_tickets off; ssl_dhparam /etc/nginx/dhparam/dhparam.pem; ssl_protocols TLSv1.2 TLSv1.3; ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; ssl_prefer_server_ciphers off; # HSTS (ngx_http_headers_module is required) (63072000 seconds) add_header Strict-Transport-Security "max-age=63072000" always; # OCSP stapling ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs ssl_trusted_certificate $SSL_CA_CERT_PATH; # replace with the IP address of your resolver resolver 1.1.1.1; location / { proxy_set_header X-Real-IP \$remote_addr; proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto \$scheme; proxy_set_header Host \$http_host; proxy_set_header X-NginX-Proxy true; proxy_pass http://127.0.0.1:4567; # no trailing slash proxy_redirect off; # Socket.IO Support proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection "upgrade"; } } EOFRestart Nginx
sudo systemctl restart nginxShow the
setup.infofile with the Database passwords.- You will need to know the DB info, as it will be used in the setup wizard during the next step.
cat setup.infoChange to the directory that NodeBB was installed to and run the NodeBB setup wizard
- Build fails if you try to execute from your home directory with the full path
cd $APP_PATH sudo -u nodebb ./nodebb setupAfter you are all setup, you control it with the
nodebbexecutable.sudo -u nodebb /opt/nodebb/nodebb stop sudo -u nodebb /opt/nodebb/nodebb start sudo -u nodebb /opt/nodebb/nodebb log -
Once you have NodeBB up and running, you will likely want to set it up to start on boot.
The best way to handle this is to create a
systemdservice in order to manage it just like any other service on the system.The documentation pretty much nails it.
https://docs.nodebb.org/configuring/running/#systemdThis file matches this guide.
sudo tee /etc/systemd/system/nodebb.service > /dev/null << EOF [Unit] Description=NodeBB Documentation=https://docs.nodebb.org After=system.slice multi-user.target postgresql [Service] Type=forking User=nodebb StandardOutput=syslog StandardError=syslog SyslogIdentifier=nodebb WorkingDirectory=/opt/nodebb ExecStart=/usr/bin/env node loader.js Restart=always [Install] WantedBy=multi-user.target EOFNow you can control things with normal
systemdcommands.First if you manually started NodeBB, stop it.
sudo -u nodebb /opt/nodebb/nodebb stopNow control it with normal
systemctlcommandssudo systemctl start nodebb sudo systemctl stop nodebb sudo systemctl enable nodebb sudo systemctl status nodebb -
When you are done, you should have a working system.
-
As could be inferred, I am using the cloudflare origin certificate.
But Cloudflare is not a a requirement. Get your SSL however you want, just update those variables appropriately, or fix the Nginx config file manually.
-
When you execute the
psqlcommands, it complains about changing directory to the current user, but still works.
-
Updated post 2 with instructions for using
systemdto control the service
https://www.mangolassi.it/topic/22497/setup-nodebb-on-fedora-33-with-postgresql-and-nginx-with-https-only/2 -
A simplified version of this guide just got merged into the official docs.
-
@JaredBusch So... now that you've had this up and running for a while, care to report on how that is going? Inquiring minds are curious. Particularly w.r.t. resource utilization comparison, performance differences, etc. comparatively. I think you were on Mongo previously, correct? Cuz I am right there with you on the license bullshit. All it takes is one bump in the road, merger, and wham, history repeats and next major version changes license again - only this time to something closed. Have no interest in betting on community to fork and continue. Need a safer bet. It would appear that percona may have already done so w/their percona mongodb offering but I wonder if that would continue as a full fork if/when upstream became closed source.
TIA-- o/
-
@gotwf said in Setup NodeBB on Fedora 33 with PostgreSQL and Nginx with HTTPS only:
@JaredBusch So... now that you've had this up and running for a while, care to report on how that is going? Inquiring minds are curious. Particularly w.r.t. resource utilization comparison, performance differences, etc. comparatively. I think you were on Mongo previously, correct? Cuz I am right there with you on the license bullshit. All it takes is one bump in the road, merger, and wham, history repeats and next major version changes license again - only this time to something closed. Have no interest in betting on community to fork and continue. Need a safer bet. It would appear that percona may have already done so w/their percona mongodb offering but I wonder if that would continue as a full fork if/when upstream became closed source.
TIA-- o/
Well 2 years in, i do not run any NobeBB instances with heavy traffic so performance is not even something I look at. I have like 5 of these running for tiny personal projects that people I know have asked for my help with.
