diff --git a/roles/nodered/defaults/main.yml b/roles/nodered/defaults/main.yml
new file mode 100644
index 0000000..bf68f6d
--- /dev/null
+++ b/roles/nodered/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+nodered_version: latest
diff --git a/roles/nodered/handlers/main.yml b/roles/nodered/handlers/main.yml
new file mode 100644
index 0000000..073db56
--- /dev/null
+++ b/roles/nodered/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: Restart nodered
+ ansible.builtin.systemd_service:
+ name: nodered-container
+ state: restarted
+ daemon_reload: true
diff --git a/roles/nodered/meta/main.yml b/roles/nodered/meta/main.yml
new file mode 100644
index 0000000..305b1b2
--- /dev/null
+++ b/roles/nodered/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - {role: nginx}
+ - {role: podman}
diff --git a/roles/nodered/tasks/main.yml b/roles/nodered/tasks/main.yml
new file mode 100644
index 0000000..77ee8f0
--- /dev/null
+++ b/roles/nodered/tasks/main.yml
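Review bot: `nodered_version: latest` in roles/nodered/defaults/main.yml makes the service template resolve to the mutable tag `docker.io/nodered/node-red:latest`, so the image that actually runs depends on when each host first pulled it, and a changed upstream image is picked up without any change in this repository. I would default to an explicit release tag and bump it deliberately, e.g. `nodered_version: "<pinned-release-tag>"` (placeholder; quoted so a numeric-looking version stays a string). Pinning by digest would be stronger still, but needs the template's `:{{ nodered_version }}` separator adjusted.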
@@ -0,0 +1,79 @@
+---
+- name: Create group
+ ansible.builtin.group:
+ name: nodered
+
+- name: Create user
+ ansible.builtin.user:
+ name: nodered
+ comment: Podman NodeRed
+ group: nodered
+ shell: /sbin/nologin
+
+- name: Enable user lingering
+ ansible.builtin.command:
+ argv:
+ - loginctl
+ - enable-linger
+ - nodered
+ creates: /var/lib/systemd/linger/nodered
+
+- name: Fix SELinux contexts from config directory
+ community.general.sefcontext:
+ path: /export/nodered(/.*)?
+ setype: container_file_t
+ when: ansible_selinux_python_present
+
+- name: Get subgid number
+ ansible.builtin.command:
+ argv:
+ - awk
+ - "-F:"
+ - '{ if ($1 == "nodered") print $2 + 999 }'
+ - /etc/subgid
+ register: subgid
+
+- name: Create config directory
+ ansible.builtin.file:
+ path: /export/nodered
+ state: directory
+ mode: "0770"
+ owner: root
+ group: "{{ subgid.stdout }}"
+ setype: _default
+
+- name: Link config directory
+ ansible.builtin.file:
+ dest: /srv/nodered
+ src: /export/nodered
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+ follow: false
+
+- name: Create service file
+ ansible.builtin.template:
+ dest: /etc/systemd/system/nodered-container.service
+ src: nodered-container.service.j2
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nodered
+
+- name: Enable service
+ ansible.builtin.service:
+ name: nodered-container
+ state: started
+ enabled: true
+
+- name: Copy nginx config
+ ansible.builtin.copy:
+ dest: "/etc/nginx/conf.d/{{ inventory_hostname }}/nodered.conf"
+ content: |
+ location /nodered/ {
+ proxy_pass http://127.0.0.1:8012;
+ }
+ mode: "0644"
+ owner: root
+ group: "{{ ansible_wheel }}"
+ notify: Restart nginx
diff --git a/roles/nodered/templates/nodered-container.service.j2 b/roles/nodered/templates/nodered-container.service.j2
new file mode 100644
index 0000000..fa188a7
--- /dev/null
+++ b/roles/nodered/templates/nodered-container.service.j2
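Review bot: The `location /nodered/` block written by "Copy nginx config" in roles/nodered/tasks/main.yml proxies straight to the Node-RED port with no access control visible in this role. Node-RED ships with its editor and admin API unauthenticated by default, and whoever reaches them can deploy flows that run code in the container with write access to /srv/nodered. Nothing in these tasks provisions a settings.js with `adminAuth`, so unless the enclosing server block already restricts access, I would add `auth_basic` (or an allow/deny list) to this location, or template a settings.js with `adminAuth` enabled. Separately, "Get subgid number" has no `changed_when: false`, so it reports changed on every run. If there is no nodered entry in /etc/subgid, its empty output also flows unvalidated into `group: "{{ subgid.stdout }}"` on the config directory.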
@@ -0,0 +1,18 @@
+[Unit]
+Description=NodeRed Container
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+User=nodered
+ExecStart=/usr/bin/podman run \
+ --rm -p 127.0.0.1:8012:1880 \
+ --name nodered \
+ --env TZ=Europe/Helsinki \
+ --volume /srv/nodered:/data:rw \
+ docker.io/nodered/node-red:{{ nodered_version }}
+ExecStop=/usr/bin/podman stop --ignore nodered
+ExecStopPost=/usr/bin/podman rm -f --ignore nodered
+
+[Install]
+WantedBy=multi-user.target
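Review bot: The `podman run` line in ExecStart starts the container with podman's default capability set and without `no-new-privileges`, even though Node-RED executes whatever flows are deployed into it. Adding `--cap-drop=all --security-opt no-new-privileges` to the run options would narrow what a malicious or compromised flow can do inside the container. Listening on 1880 should not need any capability, but verify that against the image. The [Service] section also has no `Restart=` setting, so a crashed container stays down until someone intervenes; `Restart=on-failure` would cover that.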