feat: add n8n

2025-11-02 00:29:43 +01:00
parent b73bc3e80a
commit df5c89f071
3 changed files with 157 additions and 48 deletions
--- a/hosts/fw/modules/web/default.nix
+++ b/hosts/fw/modules/web/default.nix
@@ -11,6 +11,9 @@ in {
            # needed for matrix
            "olm-3.2.16"
          ];
+          allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+            "n8n"
+          ];
        };
      };
      config = {
@@ -30,6 +33,18 @@ in {
              tag = "persist";
              proto = "virtiofs";
            }
+            {
+              source = "/run/secrets/n8n-env";
+              mountPoint = "/run/secrets-host/n8n-env";
+              tag = "n8n-secret";
+              proto = "virtiofs";
+            }
+            {
+              source = "/run/secrets/n8n-git-key";
+              mountPoint = "/run/secrets-host/n8n-git-key";
+              tag = "n8n-git-key";
+              proto = "virtiofs";
+            }
          ];
          volumes = [
            {
@@ -58,6 +73,7 @@ in {
          ./zammad.nix
          ./proxies.nix
          ./matrix.nix
+          ./n8n.nix
        ];

        networkPrefix = config.networkPrefix;
@@ -79,6 +95,7 @@ in {
          directories = [
            "/var/lib/zammad"
            "/var/lib/postgresql"
+            "/var/lib/n8n"
            "/var/log"
            "/var/lib/systemd/coredump"
          ];
@@ -130,4 +147,12 @@ in {
      };
    };
  };
+
+  # Secrets defined at fw host level, mounted into microvm
+  sops.secrets.n8n-env = {
+    mode = "0400";
+  };
+  sops.secrets.n8n-git-key = {
+    mode = "0400";
+  };
 }
--- a/hosts/fw/modules/web/n8n.nix
+++ b/hosts/fw/modules/web/n8n.nix
@@ -0,0 +1,82 @@
+{ config, pkgs, lib, ... }:
+
+{
+  # PostgreSQL database setup
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "n8n" ];
+    ensureUsers = [{
+      name = "n8n";
+    }];
+  };
+
+  # n8n service configuration
+  services.n8n = {
+    enable = true;
+    settings = {
+      database.type = "postgresdb";
+      database.postgresdb.host = "/run/postgresql";
+      database.postgresdb.database = "n8n";
+      database.postgresdb.user = "n8n";
+      executions.pruneData = true;
+      executions.pruneDataMaxAge = 168; # 7 days
+    };
+  };
+
+  # Configure git integration via environment variables
+  systemd.services.n8n = {
+    environment = lib.mkForce {
+      N8N_ENCRYPTION_KEY = ""; # Will be set via environmentFile
+      N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
+      N8N_DIAGNOSTICS_ENABLED = "false";
+      N8N_PERSONALIZATION_ENABLED = "false";
+      WEBHOOK_URL = "https://n8n.cloonar.com";
+      N8N_HOST = "n8n.cloonar.com";
+      N8N_PROTOCOL = "https";
+      N8N_PORT = "5678";
+    };
+    serviceConfig = {
+      # Secret is mounted from fw host at /run/secrets-host/n8n-env
+      EnvironmentFile = "/run/secrets-host/n8n-env";
+    };
+    preStart = lib.mkAfter ''
+      # Setup git SSH key if provided
+      if [ -n "$N8N_GIT_SSH_KEY_PATH" ] && [ -f "$N8N_GIT_SSH_KEY_PATH" ]; then
+        mkdir -p /var/lib/n8n/.ssh
+        chmod 700 /var/lib/n8n/.ssh
+        cp "$N8N_GIT_SSH_KEY_PATH" /var/lib/n8n/.ssh/id_ed25519
+        chmod 600 /var/lib/n8n/.ssh/id_ed25519
+        chown -R n8n:n8n /var/lib/n8n/.ssh
+      fi
+    '';
+  };
+
+  # PostgreSQL backup
+  services.postgresqlBackup.enable = true;
+  services.postgresqlBackup.databases = [ "n8n" ];
+
+  # Nginx reverse proxy
+  services.nginx.virtualHosts."n8n.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    # Restrict to internal LAN only
+    extraConfig = ''
+      allow ${config.networkPrefix}.96.0/24;
+      deny all;
+    '';
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:5678";
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_set_header Connection "";
+        proxy_http_version 1.1;
+        chunked_transfer_encoding off;
+        proxy_buffering off;
+        proxy_cache off;
+      '';
+    };
+  };
+}