{ config, pkgs, lib, ... }:
{
# Static service account for n8n.  The upstream module runs with
# DynamicUser; it is switched off in the systemd unit below so that the
# UID/GID stay stable across restarts, which matters for files that live
# under /var/lib/n8n (the copied git SSH key, the user folder).
users = {
  users.n8n = {
    isSystemUser = true;
    group = "n8n";
    home = "/var/lib/n8n";
  };
  groups.n8n = { };
};
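# Local PostgreSQL for n8n.  The service connects over the UNIX socket
# (DB_POSTGRESDB_HOST below), so with NixOS's default pg_hba the OS user
# "n8n" is mapped to the database role "n8n" by peer auth and no password
# is stored anywhere.
services.postgresql = {
  enable = true;
  ensureDatabases = [ "n8n" ];
  ensureUsers = [{
    name = "n8n";
    # ensureUsers on its own only creates the role; n8n has to create and
    # migrate its own tables, so make it the owner of the same-named
    # database (an idempotent ALTER DATABASE ... OWNER TO on activation).
    # NOTE(review): this option exists in nixpkgs >= 23.11; on older
    # channels ownership has to be granted manually instead.
    ensureDBOwnership = true;
  }];
};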
# Enable the upstream n8n module (user, state directory, hardening);
# its configuration is overridden wholesale in the systemd unit below.
services.n8n = {
  enable = true;
};
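# n8n is configured entirely through environment variables.  `lib.mkForce`
# discards the environment the upstream module sets (including the
# settings-generated config file and its N8N_USER_FOLDER), so everything
# the service needs must be listed here; the user folder then falls back to
# n8n's default under $HOME, which is /var/lib/n8n for the static user.
# Secrets live in the sops-managed EnvironmentFile, whose values take
# precedence over anything in `environment`.
systemd.services.n8n = {
  environment = lib.mkForce {
    # Database: local PostgreSQL over the UNIX socket, no password needed.
    DB_TYPE = "postgresdb";
    DB_POSTGRESDB_HOST = "/run/postgresql";
    DB_POSTGRESDB_DATABASE = "n8n";
    DB_POSTGRESDB_USER = "n8n";

    # Execution history can contain workflow payloads; keep it bounded.
    EXECUTIONS_DATA_PRUNE = "true";
    EXECUTIONS_DATA_MAX_AGE = "168"; # hours, i.e. 7 days

    # Phone-home features off.
    N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
    N8N_DIAGNOSTICS_ENABLED = "false";
    N8N_PERSONALIZATION_ENABLED = "false";

    # Public URL as seen through the nginx reverse proxy.
    WEBHOOK_URL = "https://n8n.cloonar.com";
    N8N_HOST = "n8n.cloonar.com";
    N8N_PROTOCOL = "https";
    N8N_PORT = "5678";
    # Only nginx on this host should reach the plaintext HTTP listener.
    # Without this n8n binds all interfaces, so any host that can reach
    # port 5678 bypasses the nginx allow/deny list and TLS entirely.
    N8N_LISTEN_ADDRESS = "127.0.0.1";

    # N8N_ENCRYPTION_KEY is deliberately not set here: it must be supplied
    # by the sops EnvironmentFile.  All stored credentials are encrypted
    # with it, so losing or changing it makes them unreadable; if it is
    # absent n8n will generate one on first start and keep it on disk.
  };
  serviceConfig = {
    # Static user instead of DynamicUser so ownership of /var/lib/n8n
    # content is stable (see users.users.n8n).
    DynamicUser = lib.mkForce false;
    User = "n8n";
    Group = "n8n";
    EnvironmentFile = config.sops.secrets.n8n-env.path;
  };
  preStart = lib.mkAfter ''
    # Install the git SSH deploy key for n8n's source-control feature, if
    # one is available.  The source is $N8N_GIT_SSH_KEY_PATH from the
    # EnvironmentFile, falling back to the sops secret declared in this
    # module.  ExecStartPre runs as the service user, so the copy is
    # already owned by n8n; `umask` + `install -m` ensure the key is
    # created with its final 0600 mode rather than being readable until a
    # later chmod.
    umask 077
    key_src="''${N8N_GIT_SSH_KEY_PATH:-${config.sops.secrets.n8n-git-key.path}}"
    if [ -f "$key_src" ]; then
      mkdir -p /var/lib/n8n/.ssh
      chmod 700 /var/lib/n8n/.ssh
      install -m 0600 "$key_src" /var/lib/n8n/.ssh/id_ed25519
    fi
  '';
};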
# SOPS-managed secrets, decrypted inside the web microvm and readable only
# by the n8n service user.
sops.secrets = {
  # Environment file consumed by systemd.services.n8n (EnvironmentFile);
  # expected to carry N8N_ENCRYPTION_KEY and optionally
  # N8N_GIT_SSH_KEY_PATH.
  n8n-env = {
    owner = "n8n";
    mode = "0400";
  };
  # Private SSH key for n8n's git integration.
  n8n-git-key = {
    owner = "n8n";
    mode = "0400";
  };
};
# Periodic pg_dump of the n8n database.  Note the dump contains the
# encrypted credential blobs, which are only usable together with
# N8N_ENCRYPTION_KEY from the sops secret — back that up separately.
services.postgresqlBackup = {
  enable = true;
  databases = [ "n8n" ];
};
# TLS-terminating reverse proxy in front of n8n, restricted to two LAN
# subnets.  The allow/deny list is evaluated against the address nginx
# sees the connection from; if another proxy is ever placed in front of
# this host, every request would appear to come from it and the list
# would have to move there.  It also only protects this path: n8n's own
# port 5678 must be unreachable from the LAN (loopback bind or firewall)
# or the list is bypassed.
services.nginx.virtualHosts."n8n.cloonar.com" =
  let
    lanSubnets = [
      "${config.networkPrefix}.96.0/24"
      "${config.networkPrefix}.98.0/24"
    ];
  in {
    forceSSL = true;
    enableACME = true;
    # No HTTP-01 webroot; the certificate is presumably obtained via a DNS
    # challenge configured in security.acme elsewhere.
    acmeRoot = null;
    extraConfig =
      lib.concatMapStrings (net: "allow ${net};\n") lanSubnets
      + "deny all;\n";
    locations."/" = {
      # Plaintext hop to the local n8n listener; websockets are needed for
      # the editor UI.
      proxyPass = "http://127.0.0.1:5678";
      proxyWebsockets = true;
    };
  };
}