Johnny n8n Install Plan (VPS, Docker, Security, Backups)

For: James / AgentsOPS / FreshFlip Date: 2026-02-05 Status: DRAFT v0 (approve infra choices before provisioning)

Goal: a production-safe self-hosted n8n that’s easy to upgrade, backed up, and locked down.

1) VPS baseline (recommended)

• 2 vCPU / 4–8 GB RAM / 50–100 GB SSD
• Ubuntu 22.04/24.04 LTS
• Domain: automations.agentsops.net (or similar)

Optional (later): separate VPS for Postgres if workloads grow.

2) Core components

• n8n (Docker container)
• Postgres (Docker container, persistent volume)
• Reverse proxy with TLS (Caddy or Traefik)
• Backups (DB dumps + volume snapshots)

3) Security checklist (do these on day 1)

3.1 Secrets

Must set: - N8N_ENCRYPTION_KEY (32+ chars; do not lose) - N8N_USER_MANAGEMENT_DISABLED=false (use built-in users)

Store in .env with strict permissions or a secret manager.

3.2 Network

• Only expose 443 (and optionally 80 for redirect)
• Firewall (UFW): allow 22 (restricted IP), 80, 443
• SSH hardening: disable password auth; keys only

3.3 n8n hardening

• Require login (user management)
• Set a canonical public URL:
  • N8N_HOST=automations.agentsops.net
  • N8N_PROTOCOL=https
  • WEBHOOK_URL=https://automations.agentsops.net/
• Limit executions retained:
  • EXECUTIONS_DATA_PRUNE=true
  • EXECUTIONS_DATA_MAX_AGE=168 (hours) (adjust)

3.4 Webhook hygiene

• Use “secret” webhook paths for public forms.
• Validate required fields and rate-limit at proxy if needed.

4) Docker Compose (example)

Note: This is a starting template. Confirm proxy choice (Caddy vs Traefik) before using.

Create a folder: /opt/n8n with: - docker-compose.yml - .env - caddy/Caddyfile (if using Caddy)

4.1 .env (example)

# n8n
N8N_HOST=automations.agentsops.net
N8N_PROTOCOL=https
WEBHOOK_URL=https://automations.agentsops.net/
N8N_ENCRYPTION_KEY=REPLACE_WITH_LONG_RANDOM_SECRET
GENERIC_TIMEZONE=America/New_York

# postgres
POSTGRES_DB=n8n
POSTGRES_USER=n8n
POSTGRES_PASSWORD=REPLACE_WITH_STRONG_PASSWORD

4.2 docker-compose.yml (example)

services:
  postgres:
    image: postgres:16
    restart: unless-stopped
    environment:
      POSTGRES_DB: ${POSTGRES_DB}
      POSTGRES_USER: ${POSTGRES_USER}
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
    volumes:
      - postgres_data:/var/lib/postgresql/data

  n8n:
    image: n8nio/n8n:latest
    restart: unless-stopped
    depends_on:
      - postgres
    environment:
      DB_TYPE: postgresdb
      DB_POSTGRESDB_HOST: postgres
      DB_POSTGRESDB_DATABASE: ${POSTGRES_DB}
      DB_POSTGRESDB_USER: ${POSTGRES_USER}
      DB_POSTGRESDB_PASSWORD: ${POSTGRES_PASSWORD}

      N8N_HOST: ${N8N_HOST}
      N8N_PROTOCOL: ${N8N_PROTOCOL}
      WEBHOOK_URL: ${WEBHOOK_URL}
      N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY}
      GENERIC_TIMEZONE: ${GENERIC_TIMEZONE}

      # retention / hygiene
      EXECUTIONS_DATA_PRUNE: "true"
      EXECUTIONS_DATA_MAX_AGE: "168"

    volumes:
      - n8n_data:/home/node/.n8n

  caddy:
    image: caddy:2
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ./caddy/Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      - n8n

volumes:
  postgres_data:
  n8n_data:
  caddy_data:
  caddy_config:

4.3 caddy/Caddyfile (example)

automations.agentsops.net {
  reverse_proxy n8n:5678
}

5) Backups (minimum viable, but real)

5.1 What to back up

• Postgres database (credentials + workflow definitions)
• n8n user data volume (/home/node/.n8n) (encryption key must be preserved too)

5.2 Backup approach

• Nightly Postgres dump:
  • pg_dump to a dated file
• Weekly full volume snapshot (if VPS provider supports)
• Copy backups off-server (S3-compatible bucket / Google Drive) encrypted

5.3 Restore test (required)

Once per month: - Restore DB dump to a staging instance - Verify at least 1 workflow executes successfully

6) Upgrade plan

• Pin major versions when stable (avoid surprise breaking changes).
• Upgrade cadence: monthly.
• Before upgrade:
  • Take backup
  • Export critical workflows
  • Confirm N8N_ENCRYPTION_KEY is stored safely

7) Monitoring / alerts (simple but effective)

• Configure Error Trigger workflow inside n8n:
  • send alert to James (email/Slack)
  • include execution URL + last node error
• Optional: uptime monitor (Healthcheck endpoint or simple curl from cron)

8) Decisions needed from James

1. Domain/subdomain to dedicate to n8n.
2. Proxy preference: Caddy (simple) vs Traefik (more flexible).
3. Backup destination (S3 bucket, Drive, etc.).
4. Whether we want a second instance for staging.