nixos/hosts/fw/modules/web/n8n.nix

{ config, pkgs, lib, ... }:

{
  # PostgreSQL database setup
  services.postgresql = {
    enable = true;
    ensureDatabases = [ "n8n" ];
    ensureUsers = [{
      name = "n8n";
    }];
  };

  # n8n service configuration
  services.n8n = {
    enable = true;
    settings = {
      database.type = "postgresdb";
      database.postgresdb.host = "/run/postgresql";
      database.postgresdb.database = "n8n";
      database.postgresdb.user = "n8n";
      executions.pruneData = true;
      executions.pruneDataMaxAge = 168; # 7 days
    };
  };

  # Configure git integration via environment variables
  systemd.services.n8n = {
    environment = lib.mkForce {
      N8N_ENCRYPTION_KEY = ""; # Will be set via environmentFile
      N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
      N8N_DIAGNOSTICS_ENABLED = "false";
      N8N_PERSONALIZATION_ENABLED = "false";
      WEBHOOK_URL = "https://n8n.cloonar.com";
      N8N_HOST = "n8n.cloonar.com";
      N8N_PROTOCOL = "https";
      N8N_PORT = "5678";
    };
    serviceConfig = {
      # Secret is mounted from fw host at /run/secrets-host/n8n-env
      EnvironmentFile = "/run/secrets-host/n8n-env";
    };
    preStart = lib.mkAfter ''
      # Setup git SSH key if provided
      if [ -n "$N8N_GIT_SSH_KEY_PATH" ] && [ -f "$N8N_GIT_SSH_KEY_PATH" ]; then
        mkdir -p /var/lib/n8n/.ssh
        chmod 700 /var/lib/n8n/.ssh
        cp "$N8N_GIT_SSH_KEY_PATH" /var/lib/n8n/.ssh/id_ed25519
        chmod 600 /var/lib/n8n/.ssh/id_ed25519
        chown -R n8n:n8n /var/lib/n8n/.ssh
      fi
    '';
  };

  # PostgreSQL backup
  services.postgresqlBackup.enable = true;
  services.postgresqlBackup.databases = [ "n8n" ];

  # Nginx reverse proxy
  services.nginx.virtualHosts."n8n.cloonar.com" = {
    forceSSL = true;
    enableACME = true;
    acmeRoot = null;

    # Restrict to internal LAN only
    extraConfig = ''
      allow ${config.networkPrefix}.96.0/24;
      deny all;
    '';

    locations."/" = {
      proxyPass = "http://127.0.0.1:5678";
      proxyWebsockets = true;
      extraConfig = ''
        proxy_set_header Connection "";
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
        proxy_buffering off;
        proxy_cache off;
      '';
    };
  };
}