stackptr · stackptr · Apr 3, 2026 · Apr 3, 2026
diff --git a/hosts/glyph/secrets/n8n-encryption-key.age b/hosts/glyph/secrets/n8n-encryption-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 rSr+rA 3Wam+tzyqvZtAii2UFkwt8puuyh8VaS4hO9N7acCUQA
+kgO1pA6wo0IZxluR16exJmTmTAN2kfXlJlkwa6LI4D8
+-> ssh-ed25519 3EWhnQ zanilw3QBMGYkhsXxMoByYNfeoj2g5b+gPULbSq/PGU
+4WP+XEH7XvQx/cIz98X1SyNtEseifek7rc91o8h9xQI
+--- GytTZNL2/8wEusnL6byCRPjgTWjlbQeA+H5+vF4Oezw
+y0Ò#ŽoðÍ²Þf#/Â²”?ÙDMÂÙÏ!Èã—ÃRÈ}ìàe—
+ÂG(•:†t\?[8å]TçgÍì¡Í!ßë…Ÿ0([MûW=lY¨)–Ò˜ÒùàÐLœ& 4áÎ
diff --git a/hosts/glyph/services/db.nix b/hosts/glyph/services/db.nix
@@ -12,7 +12,7 @@
       port = 5432;
       max_connections = 150;
     };
-    ensureDatabases = ["atticd" "grafana" "open-webui" "pocketid"];
+    ensureDatabases = ["atticd" "grafana" "n8n" "open-webui" "pocketid"];
     ensureUsers = [
       {
         name = "mu";
@@ -26,6 +26,10 @@
         name = "grafana";
         ensureDBOwnership = true;
       }
+      {
+        name = "n8n";
+        ensureDBOwnership = true;
+      }
       {
         name = "open-webui";
         ensureDBOwnership = true;
@@ -39,6 +43,6 @@
 
   services.postgresqlBackup = {
     enable = true;
-    databases = ["atticd" "grafana" "open-webui" "pocketid"];
+    databases = ["atticd" "grafana" "n8n" "open-webui" "pocketid"];
   };
 }
diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
@@ -12,6 +12,7 @@
     ./filebrowser.nix
     ./jellyfin.nix
     ./loki.nix
+    ./n8n.nix
     ./nfs.nix
     ./open-terminal.nix
     ./open-webui.nix

diff --git a/hosts/glyph/services/n8n.nix b/hosts/glyph/services/n8n.nix
@@ -0,0 +1,28 @@
+{config, ...}: {
+  age.secrets.n8n-encryption-key.file = ./../secrets/n8n-encryption-key.age;
+
+  services.n8n = {
+    enable = true;
+    environment = {
+      N8N_PORT = 5678;
+      GENERIC_TIMEZONE = "America/Los_Angeles";
+      N8N_VERSION_NOTIFICATIONS_ENABLED = false;
+      N8N_DIAGNOSTICS_ENABLED = false;
+      WEBHOOK_URL = "https://n8n.zx.dev";
+      N8N_ENCRYPTION_KEY_FILE = config.age.secrets.n8n-encryption-key.path;
+
+      # PostgreSQL via unix socket
+      DB_TYPE = "postgresdb";
+      DB_POSTGRESDB_HOST = "/run/postgresql";
+      DB_POSTGRESDB_DATABASE = "n8n";
+      DB_POSTGRESDB_USER = "n8n";
+    };
+  };
+
+  systemd.services.n8n = {
+    after = ["postgresql.service"];
+    requires = ["postgresql.service"];
+    serviceConfig.SupplementaryGroups = ["postgres"];
+    restartTriggers = [config.age.secrets.n8n-encryption-key.file];
+  };
+}
diff --git a/hosts/spore/services/web/default.nix b/hosts/spore/services/web/default.nix
@@ -45,6 +45,14 @@
           "/pgp".return = "302 https://keyoxide.org/hkp/413d1a0152bcb08d2e3ddacaf88c08579051ab48";
         };
       };
+      "n8n.zx.dev" = {
+        forceSSL = true;
+        useACMEHost = "zx.dev";
+        locations."/" = {
+          proxyPass = "http://glyph.rove-duck.ts.net:5678";
+          proxyWebsockets = true;
+        };
+      };
       "torrents.zx.dev" = {
         forceSSL = true;
         useACMEHost = "zx.dev";

diff --git a/lib/secrets/glyph.nix b/lib/secrets/glyph.nix
@@ -12,4 +12,5 @@ in {
   "hosts/glyph/secrets/grafana-mcp-token.age".publicKeys = keys;
   "hosts/glyph/secrets/graphite-auth-token.age".publicKeys = keys;
   "hosts/glyph/secrets/attic-credentials.age".publicKeys = keys;
+  "hosts/glyph/secrets/n8n-encryption-key.age".publicKeys = keys;
 }
diff --git a/modules/base/unfree-packages.nix b/modules/base/unfree-packages.nix
@@ -12,6 +12,7 @@
       "fastscripts"
       "graphite-cli"
       "mochi"
+      "n8n"
       "open-webui"
       "roon-server"
       "soundsource"