n8n — Setup
Workflow automation platform. Runs as a Docker container on LXC 120 (automation). Workflows are managed via IaC: the Ansible playbook clears and reimports all workflows from services/n8n/workflows/ on every deploy.
Infrastructure
| Host | Internal | URL |
|---|---|---|
| Docker (LXC 120) | 192.168.1.120:5678 | https://n8n.eva-00.network |
Observability
Logs
n8n logs are collected via Grafana Alloy Docker discovery and shipped to Loki.
| Metric | Loki Query | Purpose |
|---|---|---|
| n8n container logs | {container="n8n"} | All container output (stdout/stderr) |
| n8n errors | {container="n8n"} \|= "error" | Find error-level messages |
| n8n webhook calls | {container="n8n"} \|= "webhook" | Trace webhook requests |
Access: Grafana → Explore → Loki → Enter query above
Metrics
n8n does not export Prometheus metrics by default. Use Loki log queries to diagnose issues.
IaC
| Artifact | Path |
|---|---|
| Playbook | ansible/playbooks/n8n.yml |
| Workflow | .forgejo/workflows/n8n.yml |
| Workflow definitions | services/n8n/workflows/ |
Webhook authentication
All webhooks exposed through the public n8n.eva-00.network domain require a shared token passed as the X-Webhook-Token request header. The token is stored in Vault at secret/homelab-sso under n8n_webhook_token.
Why: --skip-auth-regex=^/webhook in the n8n oauth2-proxy sidecar bypasses PocketID SSO for all /webhook/* paths — meaning they are publicly reachable without a browser session. Header auth closes this gap by requiring callers to present a secret.
Setting up on a fresh deploy:
1. Run the pocketid-setup workflow. It generates the token and stores it in Vault
2. In the n8n UI: Credentials → New → Header Auth → Name: Glance Webhook Token, Header: X-Webhook-Token, Value: (copy from vault kv get secret/homelab-sso)
3. Apply the credential to the charlotte-weather and anime-seasonal webhook nodes
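Header auth is configured per webhook node, so a workflow file committed without it would be reimported on the next deploy and be reachable without SSO. The following check is an added example, not part of this repository's own code: it scans the exported workflow JSON for webhook nodes that lack header auth. It assumes one workflow object per file and n8n's export field names (node type n8n-nodes-base.webhook, authentication set to headerAuth, an httpHeaderAuth credential); the sample workflow is constructed.

```python
import json
import sys
from pathlib import Path

WEBHOOK_TYPE = "n8n-nodes-base.webhook"  # node type as it appears in n8n exports

def unauthenticated_webhooks(workflow: dict) -> list:
    """Return the paths of webhook nodes that are not protected by header auth."""
    findings = []
    for node in workflow.get("nodes", []):
        if node.get("type") != WEBHOOK_TYPE:
            continue
        params = node.get("parameters", {})
        creds = node.get("credentials", {})
        # Protected only if header auth is selected AND a credential is attached;
        # a missing "authentication" key means the node default (no authentication).
        if params.get("authentication") != "headerAuth" or "httpHeaderAuth" not in creds:
            findings.append(params.get("path") or node.get("name", "<unnamed>"))
    return findings

def audit_directory(directory: str) -> dict:
    """Map each workflow file name to its unprotected webhook paths."""
    results = {}
    for wf_file in sorted(Path(directory).glob("*.json")):
        bad = unauthenticated_webhooks(json.loads(wf_file.read_text()))
        if bad:
            results[wf_file.name] = bad
    return results

# Constructed sample workflow (not taken from the repository): one protected
# webhook node, one left at the default, and one non-webhook node.
SAMPLE_WORKFLOW = {
    "name": "sample",
    "nodes": [
        {"name": "Weather hook", "type": WEBHOOK_TYPE,
         "parameters": {"path": "charlotte-weather", "authentication": "headerAuth"},
         "credentials": {"httpHeaderAuth": {"id": "1", "name": "Glance Webhook Token"}}},
        {"name": "Seasonal hook", "type": WEBHOOK_TYPE,
         "parameters": {"path": "anime-seasonal"}},
        {"name": "Fetch", "type": "n8n-nodes-base.httpRequest", "parameters": {}},
    ],
}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "services/n8n/workflows"
    report = audit_directory(target)
    for name, paths in report.items():
        print(f"{name}: webhook(s) without header auth: {', '.join(paths)}")
    sys.exit(1 if report else 0)
```

Run before the playbook step that reimports workflows; a non-zero exit means at least one webhook would be deployed without the token check.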
Alerting webhook
The Service Alerts → Matrix workflow listens at:
https://n8n.eva-00.network/webhook/uptime-kuma-alert