A quick and dirty guide to running Node-RED in a FreeBSD jail. It will work without a jail too.
Steps
- Create a jail using your favorite method and log in to it as root.
- Install packages
pkg install node16 npm sudo
- Create a user to run Node-RED. I'm creating just a normal user; if you are not using a jail you should invent a better way to handle Node-RED. In my case all Node-RED related stuff will sit under the home directory of that user; use it to your advantage.
nodered:/root@[17:08] # adduser
Username: nodered
Full name: Node The Red
Uid (Leave empty for default):
Login group [nodered]:
Login group is nodered. Invite nodered into other groups? []:
Login class [default]:
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/nodered]:
Home directory permissions (Leave empty for default):
Use password-based authentication? [yes]: no
Lock out the account after creation? [no]:
Username : nodered
Password : <disabled>
Full Name : Node The Red
Uid : 1001
Class :
Groups : nodered
Home : /home/nodered
Home Mode :
Shell : /usr/sbin/nologin
Locked : no
OK? (yes/no): yes
adduser: INFO: Successfully added (nodered) to the user database.
Add another user? (yes/no): no
Goodbye!
nodered:/root@[17:09] #
- Install Node-RED. Do not run npm with the -g flag as the guide on the Node-RED site recommends. You do not want to install it globally.
cd /home/nodered
sudo -u nodered /bin/sh
npm install --unsafe-perm node-red
- Start it for the first time. Press Ctrl-C once it has finished booting.
npm exec node-red
It will create the /home/nodered/.node-red directory and populate it with some files.
- Get your SSL certs and put them in the /home/nodered/.certs directory. Files should be owned by “nodered:nodered”.
nodered@nodered ~> touch /home/nodered/.certs/privkey.pem
nodered@nodered ~> touch /home/nodered/.certs/fullchain.pem
chmod og-rwx /home/nodered/.certs/privkey.pem
- Generate a password hash for the admin user
nodered@nodered ~> npm exec node-red admin hash-pw
Password:
$2b$10$QdmOxOgjumnRfs7A4cQ2H.lwu5ZdcbNgtBPczdt/BpZC02mB3duv2
Copy that $2b$ string aside, and do not forget the password.
- Update config.
vi .node-red/settings.js
- If you want Node-RED to listen on a LAN interface instead of loopback, un-comment and change
uiHost: "10.x.y.z",
The other option is to keep it listening on loopback and reverse-proxy it from the LAN.
- Configure SSL. Un-comment and change
/** Option 1: static object */
https: {
    key: require("fs").readFileSync('/home/nodered/.certs/privkey.pem'),
    cert: require("fs").readFileSync('/home/nodered/.certs/fullchain.pem')
},
requireHttps: true,
- Configure admin user
adminAuth: {
    type: "credentials",
    users: [{
        username: "nodered",
        password: "$2b$10$QdmOxOgjumnRfs7A4cQ2H.lwu5ZdcbNgtBPczdt/BpZC02mB3duv2",
        permissions: "*"
    }]
},
The value for password: is the hash generated in step 7.
- I do not remember why it is required but it will not hurt. Uncomment and change
userDir: '/home/nodered/.node-red',
- Remove that pesky startup warning. Uncomment and replace “a-secret-key” with some good long random string
credentialSecret: "a-secret-key",
- Set up the startup script.
Press Ctrl-D to get back to the root prompt.
- Create /usr/local/etc/rc.d if it does not exist
nodered:/root@[18:52] # mkdir /usr/local/etc/rc.d
- Create startup script
nodered:/root@[18:52] # cat > /usr/local/etc/rc.d/nodered
Populate content
#!/bin/sh
#
# $FreeBSD:
#
# PROVIDE: nodered
# REQUIRE: LOGIN
# KEYWORD: shutdown

# Add the following line to /etc/rc.conf to enable `node-RED':
#
#nodered_enable="YES"
#

. /etc/rc.subr

name="nodered"
# set_rcvar is no longer provided by rc.subr; name the rc.conf variable directly
rcvar="${name}_enable"

pidfile="/var/run/${name}.pid"
procname="node"
nodered_chdir="/home/nodered"
HOME=/home/nodered
command="/usr/sbin/daemon"
command_args="-f -S -H -p /var/run/nodered.pid -u nodered /usr/local/bin/npm exec -- node-red -s /home/nodered/.node-red/settings.js"

# stop_precmd="kill `cat /var/run/nodered.pid`"

# read configuration and set defaults
load_rc_config "$name"
nodered_enable=${nodered_enable:-"NO"}

run_rc_command "$1"
- Make it executable
chmod a+x /usr/local/etc/rc.d/nodered
- Add Node-RED to startup
vi /etc/rc.conf
add
nodered_enable="YES"
- Start it
/usr/local/etc/rc.d/nodered start
Check /var/log/daemon for startup logs.
- Node-RED should be available via HTTPS on the IP/port you specified in step 8. Log in to it using the username/password from step 7.
- Do not forget to set up a backup for /home/nodered or at least for /home/nodered/.node-red
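
To double-check the settings.js edits from the "Update config" step, here is an added example (not part of the original guide or of Node-RED) that audits a loaded settings object for the options changed above. The function name auditSettings, its messages, the 32-character minimum for credentialSecret and the sample objects are assumptions made for this example.

```javascript
// Added example. auditSettings() and its messages are hypothetical, not Node-RED API.
function auditSettings(s, keyMode) {
  const findings = [];
  const users = (s.adminAuth && s.adminAuth.users) || [];
  // Editor/admin API login: credentials type with at least one user.
  if (!s.adminAuth || s.adminAuth.type !== "credentials" || users.length === 0) {
    findings.push("adminAuth: editor is not password protected");
  }
  // Passwords must be bcrypt hashes as printed by `node-red admin hash-pw`.
  for (const u of users) {
    if (!/^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$/.test(String(u.password))) {
      findings.push("adminAuth: password for " + u.username + " is not a bcrypt hash");
    }
  }
  // TLS material loaded and plain HTTP refused.
  if (!s.https || !s.https.key || !s.https.cert) findings.push("https: key/cert not set");
  if (s.requireHttps !== true) findings.push("requireHttps: not enabled");
  // Flow credentials key: not the sample value; 32+ chars is this example's assumption.
  const secret = String(s.credentialSecret || "");
  if (secret === "a-secret-key" || secret.length < 32) {
    findings.push("credentialSecret: unset, sample value, or too short");
  }
  // Private key must carry no group/other permission bits (chmod og-rwx).
  if (typeof keyMode === "number" && (keyMode & 0o077) !== 0) {
    findings.push("privkey.pem: accessible by group or others");
  }
  return findings;
}

// Constructed inputs: settings.js before editing vs. after following the steps above.
const untouched = { uiPort: 1880 };
const hardened = {
  uiHost: "127.0.0.1",
  https: { key: "constructed-key", cert: "constructed-cert" },
  requireHttps: true,
  adminAuth: { type: "credentials",
    users: [{ username: "nodered", password: "$2b$10$" + "x".repeat(53), permissions: "*" }] },
  credentialSecret: "constructed-".repeat(4),
};
console.log(auditSettings(untouched, 0o644));
console.log(auditSettings(hardened, 0o600));
```

To audit the real file, run it as the nodered user (loading settings.js reads the key and certificate) and pass in require("/home/nodered/.node-red/settings.js") together with the mode from require("fs").statSync("/home/nodered/.certs/privkey.pem").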