data/skills/n8n-self-hosting/SKILL.md
This skill takes a fresh Linux VM (Ubuntu/Debian, root or sudo SSH) to a running, HTTPS, production n8n via Docker Compose behind Caddy (automatic Let's Encrypt TLS). It is for self-hosted n8n on Docker — not n8n Cloud, and not for building workflows (that's the rest of this pack).
Two deployment modes. The architectures differ, so pick the mode before doing anything.
You drive this end-to-end over SSH: preflight → install Docker → lay down the project →
generate secrets → launch → verify TLS → hand off. The template files live in assets/;
the per-mode and security depth live in the reference files named below.
Do not guess. Ask, then commit to one:
| Single / regular | Queue | |
|---|---|---|
| Processes | one n8n | main + N workers |
| Extra services | none (SQLite) | Redis (queue) + Postgres (DB) |
| Executes workflows | in the main process | on workers, in parallel |
| Good for | 1 user, light/moderate load, simplest ops | high volume, heavy/long executions, horizontal scale |
| Compose | assets/docker-compose.single.yml | assets/docker-compose.queue.yml |
| Deep dive | SINGLE_MODE.md | QUEUE_MODE.md |
If unsure, start single — it's the simplest correct thing and covers most needs. Moving to queue later means swapping the compose file and migrating SQLite→Postgres, so if the user already expects real volume, start queue.
A misstep here leaks client credentials. Be diligent:
.env from another n8n instance into this one. See SECURITY.md for the
openssl commands..env (mode 600), referenced by the compose as ${VAR}. Never
inline a secret into docker-compose.yml, the Caddyfile, or anything you commit.N8N_ENCRYPTION_KEY is sacred. It encrypts every stored credential. If it's lost
or changes, all saved credentials become undecryptable. Set it explicitly, and tell the
user to back it up off the box. Don't echo it into long-lived logs or chat history
beyond what's needed to hand it over..env and Caddy's caddy_data volume (the issued certs + ACME account key) are not
artifacts to share. If you're working inside a git repo, confirm .env is git-ignored
before any commit.user@host and how you authenticate (key path or the user confirms the agent already has access). Root or a sudo user.n8n.example.com (→ SUBDOMAIN=n8n, DOMAIN_NAME=example.com). The user must control its DNS.SSL_EMAIL).Europe/Warsaw), else Etc/UTC.Work through these in order. SINGLE_MODE.md / QUEUE_MODE.md give the mode-specific command
detail; SECURITY.md covers secret generation and hardening; DAY2.md covers update/backup/restore.
. /etc/os-release).curl -s ifconfig.me)
with dig +short <fqdn> (run it from the box AND ideally your laptop). If they don't match,
stop — Caddy's ACME challenge will fail. Have the user create the A record, wait for it
to propagate, then continue.docker --version and docker compose version. If missing, install Docker Engine +
the Compose plugin (Docker's official get.docker.com script on Ubuntu/Debian is fine).
Re-check docker compose version before proceeding.DATA_FOLDER — an absolute path, e.g. /opt/n8n. The DATA_FOLDER value in .env
must equal this exact directory (the compose mounts ${DATA_FOLDER}/caddy_config/Caddyfile,
and init-data.sh is mounted via a relative ./ path), so always run docker compose from
here. Create it, plus caddy_config/ and local_files/ inside.assets/ on your machine,
not on the server — transfer each one. Either scp them up, or (no local copy needed) write
each file's contents over SSH, e.g.
ssh <target> 'cat > <DATA_FOLDER>/docker-compose.yml' < assets/docker-compose.single.yml.
Land them with these exact names:
<DATA_FOLDER>/docker-compose.yml (rename it to exactly this)Caddyfile → <DATA_FOLDER>/caddy_config/Caddyfileinit-data.sh → <DATA_FOLDER>/init-data.sh, then chmod +x it.env.*.example → <DATA_FOLDER>/.env.env + generate secretsDATA_FOLDER, DOMAIN_NAME, SUBDOMAIN, SSL_EMAIL, GENERIC_TIMEZONE.openssl (SECURITY.md has the commands) and write
it into .env, replacing the matching REPLACE_WITH_… placeholder: N8N_ENCRYPTION_KEY;
queue also POSTGRES_PASSWORD + POSTGRES_NON_ROOT_PASSWORD.grep REPLACE_WITH_ .env must return nothing
— a leftover placeholder becomes the literal password and Postgres/n8n fail to connect.chmod 600 .env. Record the encryption key so the user can back it up off-box.ufw: allow OpenSSH + 80 + 443, then enable. Do not open 5678/5432/6379.cd <DATA_FOLDER> && docker compose up -d.replicas). To add
capacity: docker compose up -d --scale n8n-worker=N.docker compose ps — every service Up/healthy (queue: postgres & redis healthy first).docker compose exec n8n wget -qO- http://localhost:5678/healthz
→ {"status":"ok"}. This separates "n8n is running" from "TLS isn't ready yet."docker compose logs caddy | grep -i 'certificate obtained'. First-boot ACME
can take a minute or two; until it finishes, a public https:// request fails TLS — that means
the cert is still pending, not that n8n is down.curl -fsS --retry 5 --retry-delay 10 https://<fqdn>/healthz
→ {"status":"ok"}.https://<fqdn> → the owner setup screen. The first visitor to an un-owned instance
becomes the owner — create the owner account immediately, before sharing the URL. Enable 2FA.DAY2.md..env. Fresh secrets per box.docker-compose.yml or the Caddyfile. .env only.:latest blindly. Pin N8N_IMAGE_TAG; update deliberately (DAY2.md).SINGLE_MODE.md — single-instance specifics, SQLite vs Postgres, when to graduate to queue.QUEUE_MODE.md — queue architecture, workers/concurrency/scaling, shared encryption key, binary data (filesystem vs S3), webhook processors.SECURITY.md — generating secrets, the encryption-key rules, the full hardening checklist (telemetry off, env-access block, public API, firewall, secure cookies).DAY2.md — updating the image, backing up (encryption key + volume + Postgres), and restoring.assets/ — the templates: docker-compose.single.yml, docker-compose.queue.yml, Caddyfile, .env.single.example, .env.queue.example, init-data.sh.