services:
  n8n:
    image: docker.n8n.io/n8nio/n8n
    container_name: n8n
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.routers.n8n.rule=Host(`${SUBDOMAIN}.${DOMAIN_NAME}`)
      - traefik.http.routers.n8n.tls=true
      - traefik.http.routers.n8n.entrypoints=web,websecure
      - traefik.http.routers.n8n.tls.certresolver=cloudflare
      - traefik.http.middlewares.n8n.headers.SSLRedirect=true
      - traefik.http.middlewares.n8n.headers.STSSeconds=315360000
      - traefik.http.middlewares.n8n.headers.browserXSSFilter=true
      - traefik.http.middlewares.n8n.headers.contentTypeNosniff=true
      - traefik.http.middlewares.n8n.headers.forceSTSHeader=true
      - traefik.http.middlewares.n8n.headers.SSLHost=${DOMAIN_NAME}
      - traefik.http.middlewares.n8n.headers.STSIncludeSubdomains=true
      - traefik.http.middlewares.n8n.headers.STSPreload=true
      - traefik.http.middlewares.n8n.headers.frameDeny=true
      - traefik.http.routers.n8n.middlewares=authentik-forwardauth@docker
      - traefik.http.services.n8n.loadbalancer.server.port=5678
      - traefik.docker.network=webapp
    env_file:
      - .env
    secrets:
      - DB_PASS
    volumes:
      - n8n_data:/home/node/.n8n
      - ./local-files:/files
    networks:
      - webapp
      - backend
      - mcp
secrets:
  DB_PASS:
    file: .secrets/DB_PASS
networks:
  webapp:
    external:
      true
  backend:
    external:
      true
  mcp:
    external:
      true
volumes:
  n8n_data:
    name: n8n_data