fix: n8n

hosts/fw/modules/web/n8n.nix

@@ -1,6 +1,14 @@
 { config, pkgs, lib, ... }:
 
 {
+  # Create static user instead of using DynamicUser
+  users.users.n8n = {
+    isSystemUser = true;
+    group = "n8n";
+    home = "/var/lib/n8n";
+  };
+  users.groups.n8n = {};
+
   # PostgreSQL database setup
   services.postgresql = {
     enable = true;
@@ -36,8 +44,10 @@
       N8N_PORT = "5678";
     };
     serviceConfig = {
-      # Secret is mounted from fw host at /run/secrets-host/n8n-env
-      EnvironmentFile = "/run/secrets-host/n8n-env";
+      DynamicUser = lib.mkForce false;
+      User = "n8n";
+      Group = "n8n";
+      EnvironmentFile = config.sops.secrets.n8n-env.path;
     };
     preStart = lib.mkAfter ''
       # Setup git SSH key if provided
@@ -51,6 +61,16 @@
     '';
   };
 
+  # SOPS secrets (managed within the web microvm)
+  sops.secrets.n8n-env = {
+    owner = "n8n";
+    mode = "0400";
+  };
+  sops.secrets.n8n-git-key = {
+    owner = "n8n";
+    mode = "0400";
+  };
+
   # PostgreSQL backup
   services.postgresqlBackup.enable = true;
   services.postgresqlBackup.databases = [ "n8n" ];
@@ -64,19 +84,13 @@
     # Restrict to internal LAN only
     extraConfig = ''
       allow ${config.networkPrefix}.96.0/24;
+      allow ${config.networkPrefix}.98.0/24;
       deny all;
     '';
 
     locations."/" = {
       proxyPass = "http://127.0.0.1:5678";
       proxyWebsockets = true;
-      extraConfig = ''
-        proxy_set_header Connection "";
-        proxy_http_version 1.1;
-        chunked_transfer_encoding off;
-        proxy_buffering off;
-        proxy_cache off;
-      '';
     };
   };
 }