n8n
Visual workflow automation at n8n.448.global. The self-hosted Zapier — chains of "when X happens, do Y" nodes connecting our internal apps. May be running production-critical glue logic.
| Field | Value |
|---|---|
| Public URL | https://n8n.448.global |
| Audience | engineers, ops, possibly business users |
| Criticality | [INFO NEEDED] (depends entirely on what workflows are running) |
| Maturity | [INFO NEEDED] |
| Owner | [INFO NEEDED] |
| Last reviewed | 2026-05-05 |
1. At a glance
n8n is a visual workflow tool — drag-and-drop nodes that connect to APIs and databases. We use it as the CI/CD pipeline runner for things like the SQLcl-driven database deployments, alongside ad-hoc business automations. Lives on O1. Critical operational coupling: the n8n pipelines connect to the custom SQLcl container by Docker IP — when that IP changes, the pipelines break (see KI-002).
2. Business purpose
- Replace bespoke integration scripts with maintainable visual workflows.
- Empower non-engineers to build automations.
- Connect siloed apps (CRMs, WordPress, Workforce, Parallax, AI services).
3. Audience
Engineers and any builder-leaning staff.
4. Hosting & cloud infrastructure
- Server: O1 ORA448Global VPS
- Reverse proxy: Caddy on the same O1 host
- Co-located with: Vault, Authentik, MinIO, Beszel, Gotify, Coder, Open WebUI, Draw.io, IT Tools, PE Tube, Wireguard, Portainer, Watchtower, SQLcl image — and they all share resources.
Infrastructure map
| Item | Value | Notes |
|---|---|---|
| Public hostname | n8n.448.global | |
| Backend host | O1 | |
| Open ports | 443 | |
| TLS cert | [INFO NEEDED] | Caddy auto-LE |
| Reverse proxy | Caddy on O1 | |
| Container image / version | n8nio/n8n:[INFO NEEDED] | |
| Host server name | O1 | |
| Database | [INFO NEEDED] (PostgreSQL recommended for prod) | |
| Worker mode | [INFO NEEDED] | |
| Active workflows | [INFO NEEDED] (production CI/CD pipelines among them) | |
Credentials in Vault
| Secret type | Vault path / link | Last rotated |
|---|---|---|
| n8n admin login | [INFO NEEDED] | |
| Database password | [INFO NEEDED] | |
| Encryption key (N8N_ENCRYPTION_KEY) | [INFO NEEDED] | without this, all stored credentials are unrecoverable |
| Per-workflow third-party credentials | [INFO NEEDED] | n8n stores these encrypted in its DB |
5. Technology behind it
- Type: off-the-shelf
- Product: n8n (open-source, n8n.io)
- Stack: Node.js + Postgres (or SQLite)
6. Data it handles
- Workflow definitions (may include sensitive logic).
- Credentials for every external service connected (Stripe, GitLab, CRM, AI providers, etc.) — encrypted but recoverable with the encryption key.
- Execution history (may contain payload data — including PII).
7. External dependencies
- Every API/service the workflows call out to. n8n's failure cascades into "this integration stopped working" silently.
8. Authentication & access
- End-user login: n8n local accounts [CONFIRM]
- OIDC / Authentik? [INFO NEEDED] (n8n supports SAML/OIDC in licensed editions)
- MFA? [INFO NEEDED]
9. Maturity assessment
| Dimension | Status | Evidence |
|---|---|---|
| Backups | [INFO NEEDED] | DB + encryption key |
| Workflow versioning | [INFO NEEDED] | n8n has a Git integration in newer versions |
| Monitoring | [INFO NEEDED] | Beszel + workflow-failure alerts |
| Alerting | [INFO NEEDED] | failed-execution → Gotify? |
| Inventory | [INFO NEEDED] | which workflows are mission-critical vs experimental? |
| Patching cadence | [INFO NEEDED] | |
10. Known risks & vulnerabilities
- CI/CD pipelines coupled to ephemeral SQLcl IP — see KI-002. Pipelines break silently on container restart.
- [CONFIRM] Hidden production dependencies — workflows quietly become load-bearing without documentation. A failed workflow = a broken integration somewhere.
- [CONFIRM] Encryption key loss — without N8N_ENCRYPTION_KEY, every stored credential in n8n is a dead string. Must be in Vault.
- [INFO NEEDED] Public dashboard — the n8n UI on the internet is a brute-force target; should be Wireguard or SSO-only.
- [INFO NEEDED] Workflow secrets in plain text — careless workflows hard-code API keys in node parameters.
- [INFO NEEDED] Webhook abuse — public n8n webhook URLs are unauthenticated by default; with the URL alone, an attacker can fire workflows.
- [INFO NEEDED] Patch lag — n8n has had several auth/IDOR CVEs.
- Workflow definitions not in Git — [INFO NEEDED] confirm workflows are exported / version-controlled. Same risk class as the Caddyfile-on-host issue.
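
An added example (not part of the original page or of n8n itself) that audits an exported workflow for two of the risks listed above: Webhook nodes left without authentication and secrets hard-coded in node parameters. The export layout, the `n8n-nodes-base.webhook` type string and the key-name patterns are assumptions to check against the deployed n8n version; the sample workflow is constructed.

```python
import re

# Assumptions about an exported n8n workflow: a top-level "nodes" list whose
# entries carry "name", "type" and "parameters"; Webhook nodes have the type
# below and omit "authentication" from the export when it is left at "none".
WEBHOOK_TYPE = "n8n-nodes-base.webhook"
SECRET_KEY = re.compile(r"api[_-]?key|secret|token|password|authorization", re.I)
SECRET_VALUE = re.compile(r"(Bearer|Basic)\s+\S+")

def string_leaves(value, path="", key=""):
    """Yield (path, key, text) for every string inside a node's parameters."""
    if isinstance(value, dict):
        # name/value pairs (e.g. HTTP headers): judge the value by its name
        name = value.get("name") if isinstance(value.get("name"), str) else None
        for k, v in value.items():
            leaf_key = name if (name and k == "value") else k
            yield from string_leaves(v, f"{path}.{k}" if path else k, leaf_key)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from string_leaves(v, f"{path}[{i}]", key)
    elif isinstance(value, str):
        yield path, key, value

def audit_workflow(workflow):
    """Return (node name, finding, detail) tuples for one exported workflow."""
    findings = []
    for node in workflow.get("nodes", []):
        params = node.get("parameters", {})
        if node.get("type") == WEBHOOK_TYPE and params.get("authentication", "none") == "none":
            findings.append((node["name"], "webhook-no-auth", params.get("path", "")))
        for path, key, text in string_leaves(params):
            literal = text and not text.startswith("=")  # "=" marks a run-time expression
            if literal and (SECRET_KEY.search(key) or SECRET_VALUE.match(text)):
                findings.append((node["name"], "hardcoded-secret", path))
    return findings

# Constructed sample, not a real workflow from this instance.
SAMPLE = {"nodes": [
    {"name": "Deploy hook", "type": WEBHOOK_TYPE,
     "parameters": {"httpMethod": "POST", "path": "deploy-db"}},
    {"name": "Signed hook", "type": WEBHOOK_TYPE,
     "parameters": {"path": "crm-sync", "authentication": "headerAuth"}},
    {"name": "Call CRM", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"url": "https://crm.example.invalid/api", "headerParameters": {"parameters": [
         {"name": "Authorization", "value": "Bearer EXAMPLE-NOT-A-REAL-TOKEN"}]}}},
    {"name": "Call AI", "type": "n8n-nodes-base.httpRequest",
     "parameters": {"headerParameters": {"parameters": [
         {"name": "X-API-Key", "value": "={{ $env.AI_KEY }}"}]}}},
]}
```

Run `audit_workflow(json.load(f))` over each exported workflow file; the findings report the parameter path only, so the secret value itself never lands in the audit output.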
11. Impact if it goes down
- Cascading "things stopped working" across the integration map.
- May not be obvious for hours/days because no one knows what's wired through n8n.
12. Owner & on-call
[INFO NEEDED]
13. References & links
- Public URL: https://n8n.448.global
- Vendor docs: https://docs.n8n.io
- Local workflow archive: /home/coder/parallax/n8n workflows/ (referenced; not part of this repo)
- Domain: see domains.md