Setup NodeBB with PostgrSQL on Fedora 33 with Nginx and HTTPS only
- Why PostgreSQL? Because Mongo licensing complexities.
- As with many of my more recent guides, I'll be using environment variables.
- Do not log out of your Console/SSH session until this is complete.
Create a random password for PostgreSQL's admin user account
export DB_ROOT_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"
Database name to use for application
export DB_NAME='nodebb'
Database user to use for application
export DB_USER='nbbuser'
Generate a random password for the database user
export DB_PASS="$(head /dev/urandom | tr -dc A-Za-z0-9 | head -c 24)"
The location to install the application
export APP_PATH='/opt/nodebb'
The FQDN of the application
export FQDN='community.domain.com'
Path to the SSL certificates and key
export SSL_KEY_PATH='/etc/pki/tls/private/cforigin.domain.com.key'
export SSL_CERT_PATH='/etc/pki/tls/certs/cforigin.domain.com.pem'
export SSL_CA_CERT_PATH='/etc/pki/tls/certs/cfchain.domain.com.pem'
Dump the environment variables to a file in the current directory for later reference.
cat >> setup.info << EOF
PostgreSQL Database Name : $DB_NAME
Database User : $DB_USER
Database User Password : $DB_PASS
Database Root Password : $DB_ROOT_PASS
Application Path : $APP_PATH
FQDN : $FQDN
SSL Certificate Path : $SSL_CERT_PATH
SSL Key Path : $SSL_KEY_PATH
SSL CA Certificate Path : $SSL_CA_CERT_PATH
EOF
Update the Operating System
sudo dnf upgrade -y --refresh
These are tools I use on pretty much every Fedora instance
- Configuration of them, if required, is not covered here.
sudo dnf install -y nano sysstat glances htop dnf-automatic
Install the packages required for PostgreSQL backed NodeBB
sudo dnf install -y git nginx nodejs postgresql-server policycoreutils-python-utils
Initialize the PostgreSQL database
sudo /usr/bin/postgresql-setup initdb
Enable and start the database
sudo systemctl enable --now postgresql
Enable and start Nginx to be the proxy
sudo systemctl enable --now nginx
Update the firewall to allow the needed connections
sudo firewall-cmd --add-service=https --permanent
sudo firewall-cmd --reload
Tell SELinux to allow the webserver to connect to the local network
sudo setsebool -P httpd_can_network_connect on
Create user and database to be used by NodeBB
- this spews an error about changing directories, but still creates.
- Need to fix that. This is my first time scripting PostgreSQL
sudo -u postgres psql -c "create user $DB_USER with encrypted password '$DB_PASS'"
sudo -u postgres psql -c "create database $DB_NAME"
sudo -u postgres psql -c "grant all privileges on database $DB_NAME to $DB_USER"
Set a password for the admin user (postgres)
sudo -u postgres psql -c "alter user postgres with password '$DB_ROOT_PASS'"
Update PostgreSQL to use database user login information.
sudo sed -i 's/ident$/md5/g' /var/lib/pgsql/data/pg_hba.conf
Restart PostgreSQL
sudo systemctl restart postgresql
Create application directory.
sudo mkdir -p $APP_PATH
Download NodeBB
- As of the creation of this guide, the current branch is v1.15.x
- Update accordingly.
sudo git clone -b v1.15.x https://github.com/NodeBB/NodeBB.git $APP_PATH
Create the user account to run the application
sudo adduser nodebb --system --create-home
Set ownership to the user that will be running the application
sudo chown -R nodebb:nodebb $APP_PATH
Setup a strong Diffie-Hellman parameter
sudo mkdir -p /etc/nginx/dhparam
sudo openssl dhparam -outform PEM -out /etc/nginx/dhparam/dhparam.pem -2 2048
Create the SSL certificate
- You will need to prep these steps in a vscode window or something
- You do not want to mess this up, or else Nginx will not start.
sudo tee $SSL_CERT_PATH > /dev/null << EOF
-----BEGIN CERTIFICATE-----
Put everything from your CERTIFICATE file here...
-----END CERTIFICATE-----
EOF
Create the SSL private key
sudo tee $SSL_KEY_PATH > /dev/null << EOF
-----BEGIN PRIVATE KEY-----
Put everything from your KEY file here...
-----END PRIVATE KEY-----
EOF
Create the SSL CA certificate chain
sudo tee $SSL_CA_CERT_PATH > /dev/null << EOF
-----BEGIN CERTIFICATE-----
Put everything from your CA CERT CHAIN file here...
-----END CERTIFICATE-----
EOF
Set the permissions of the SSL files.
sudo chmod 644 $SSL_CA_CERT_PATH
sudo chmod 644 $SSL_CERT_PATH
sudo chmod 600 $SSL_KEY_PATH
Setup up the Nginx configuration file for the application.
sudo tee /etc/nginx/conf.d/nodebb.conf > /dev/null << EOF
server {
# Based on Mozilla intermediate configuration https://ssl-config.mozilla.org/
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name $FQDN;
ssl_certificate $SSL_CERT_PATH;
ssl_certificate_key $SSL_KEY_PATH;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate $SSL_CA_CERT_PATH;
# replace with the IP address of your resolver
resolver 1.1.1.1;
location / {
proxy_set_header X-Real-IP \$remote_addr;
proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto \$scheme;
proxy_set_header Host \$http_host;
proxy_set_header X-NginX-Proxy true;
proxy_pass http://127.0.0.1:4567; # no trailing slash
proxy_redirect off;
# Socket.IO Support
proxy_http_version 1.1;
proxy_set_header Upgrade \$http_upgrade;
proxy_set_header Connection "upgrade";
}
}
EOF
Restart Nginx
sudo systemctl restart nginx
Show the setup.info file with the Database passwords.
- You will need to know the DB info, as it will be used in the setup wizard during the next step.
cat setup.info
Change to the directory that NodeBB was installed to and run the NodeBB setup wizard
- Build fails if you try to execute from your home directory with the full path
cd $APP_PATH
sudo -u nodebb ./nodebb setup
