services:
  n8n:
    # TODO (Codex, erster Deploy): Digest am Container per `docker inspect` auslesen
    # und Tag durch `docker.n8n.io/n8nio/n8n:2.22.6@sha256:<digest>` ersetzen.
    image: docker.n8n.io/n8nio/n8n:2.22.6
    container_name: n8n
    restart: unless-stopped

    security_opt:
      - no-new-privileges:true

    dns:
      - 1.1.1.1
      - 8.8.8.8

    environment:
      TZ: Europe/Berlin
      GENERIC_TIMEZONE: Europe/Berlin

      N8N_HOST: n8n.kaleschke.info
      N8N_PORT: "5678"
      N8N_PROTOCOL: https
      N8N_EDITOR_BASE_URL: https://n8n.kaleschke.info/
      WEBHOOK_URL: https://n8n.kaleschke.info/
      N8N_PROXY_HOPS: "1"

      N8N_ENCRYPTION_KEY: ${N8N_ENCRYPTION_KEY}

      N8N_DIAGNOSTICS_ENABLED: "false"
      N8N_PERSONALIZATION_ENABLED: "false"
      N8N_HIRING_BANNER_ENABLED: "false"
      N8N_RUNNERS_ENABLED: "true"
      N8N_BLOCK_ENV_ACCESS_IN_NODE: "true"

    volumes:
      - /mnt/user/appdata/n8n/data:/home/node/.n8n

    networks:
      - frontend_net

    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=frontend_net"
      - "traefik.http.routers.n8n.rule=Host(`n8n.kaleschke.info`)"
      - "traefik.http.routers.n8n.entrypoints=websecure"
      - "traefik.http.routers.n8n.tls=true"
      - "traefik.http.routers.n8n.tls.certresolver=le"
      - "traefik.http.routers.n8n.middlewares=secure-headers@file"
      - "traefik.http.services.n8n.loadbalancer.server.port=5678"

networks:
  frontend_net:
    external: true