diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index df8e5e1dd699..33d2bc3decc6 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -482,6 +482,7 @@
./services/misc/mediatomb.nix
./services/misc/metabase.nix
./services/misc/mwlib.nix
+ ./services/misc/n8n.nix
./services/misc/nix-daemon.nix
./services/misc/nix-gc.nix
./services/misc/nix-optimise.nix
diff --git a/nixos/modules/services/misc/n8n.nix b/nixos/modules/services/misc/n8n.nix
new file mode 100644
index 000000000000..516d0f70ef0b
--- /dev/null
+++ b/nixos/modules/services/misc/n8n.nix
@@ -0,0 +1,78 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.n8n;
+ format = pkgs.formats.json {};
+ configFile = format.generate "n8n.json" cfg.settings;
+in
+{
+ options.services.n8n = {
+
+ enable = mkEnableOption "n8n server";
+
+ openFirewall = mkOption {
+ type = types.bool;
+ default = false;
+ description = "Open ports in the firewall for the n8n web interface.";
+ };
+
+ settings = mkOption {
+ type = format.type;
+ default = {};
+ description = ''
+ Configuration for n8n, see
+ for supported values.
+ '';
+ };
+
+ };
+
+ config = mkIf cfg.enable {
+ services.n8n.settings = {
+ # We use this to open the firewall, so we need to know about the default at eval time
+ port = lib.mkDefault 5678;
+ };
+
+ systemd.services.n8n = {
+ description = "N8N service";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ # This folder must be writeable as the application is storing
+ # its data in it, so the StateDirectory is a good choice
+ N8N_USER_FOLDER = "/var/lib/n8n";
+ N8N_CONFIG_FILES = "${configFile}";
+ };
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${pkgs.n8n}/bin/n8n";
+ Restart = "on-failure";
+ StateDirectory = "n8n";
+
+ # Basic Hardening
+ NoNewPrivileges = "yes";
+ PrivateTmp = "yes";
+ PrivateDevices = "yes";
+ DevicePolicy = "closed";
+ DynamicUser = "true";
+ ProtectSystem = "strict";
+ ProtectHome = "read-only";
+ ProtectControlGroups = "yes";
+ ProtectKernelModules = "yes";
+ ProtectKernelTunables = "yes";
+ RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
+ RestrictNamespaces = "yes";
+ RestrictRealtime = "yes";
+ RestrictSUIDSGID = "yes";
+ MemoryDenyWriteExecute = "yes";
+ LockPersonality = "yes";
+ };
+ };
+
+ networking.firewall = mkIf cfg.openFirewall {
+ allowedTCPPorts = [ cfg.settings.port ];
+ };
+ };
+}
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 2e79a214569a..c58203cc481f 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -231,6 +231,7 @@ in
mysql-autobackup = handleTest ./mysql/mysql-autobackup.nix {};
mysql-backup = handleTest ./mysql/mysql-backup.nix {};
mysql-replication = handleTest ./mysql/mysql-replication.nix {};
+ n8n = handleTest ./n8n.nix {};
nagios = handleTest ./nagios.nix {};
nano = handleTest ./nano.nix {};
nar-serve = handleTest ./nar-serve.nix {};
diff --git a/nixos/tests/n8n.nix b/nixos/tests/n8n.nix
new file mode 100644
index 000000000000..ed93639f2a42
--- /dev/null
+++ b/nixos/tests/n8n.nix
@@ -0,0 +1,25 @@
+import ./make-test-python.nix ({ lib, ... }:
+
+with lib;
+
+let
+ port = 5678;
+in
+{
+ name = "n8n";
+ meta.maintainers = with maintainers; [ freezeboy ];
+
+ nodes.machine =
+ { pkgs, ... }:
+ {
+ services.n8n = {
+ enable = true;
+ };
+ };
+
+ testScript = ''
+ machine.wait_for_unit("n8n.service")
+ machine.wait_for_open_port("${toString port}")
+ machine.succeed("curl --fail http://localhost:${toString port}/")
+ '';
+})
diff --git a/pkgs/applications/networking/n8n/default.nix b/pkgs/applications/networking/n8n/default.nix
new file mode 100644
index 000000000000..94305a8cfeea
--- /dev/null
+++ b/pkgs/applications/networking/n8n/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, nodejs, stdenv, lib, ... }:
+
+let
+ nodePackages = import ./node-composition.nix {
+ inherit pkgs nodejs;
+ inherit (stdenv.hostPlatform) system;
+ };
+in
+nodePackages.n8n.override {
+ nativeBuildInputs = with pkgs.nodePackages; [
+ node-pre-gyp
+ ];
+ meta = with lib; {
+ description = "Free and open fair-code licensed node based Workflow Automation Tool";
+ maintainers = with maintainers; [ freezeboy ];
+ license = licenses.asl20;
+ };
+}
diff --git a/pkgs/applications/networking/n8n/generate-dependencies.sh b/pkgs/applications/networking/n8n/generate-dependencies.sh
new file mode 100755
index 000000000000..292811669184
--- /dev/null
+++ b/pkgs/applications/networking/n8n/generate-dependencies.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env nix-shell
+#! nix-shell -i bash -p nodePackages.node2nix
+
+node2nix \
+ --node-env node-env.nix \
+ --input package.json \
+ --output node-packages.nix \
+ --composition node-composition.nix
diff --git a/pkgs/applications/networking/n8n/node-composition.nix b/pkgs/applications/networking/n8n/node-composition.nix
new file mode 100644
index 000000000000..c970861a86f0
--- /dev/null
+++ b/pkgs/applications/networking/n8n/node-composition.nix
@@ -0,0 +1,17 @@
+# This file has been generated by node2nix 1.8.0. Do not edit!
+
+{pkgs ? import {
+ inherit system;
+ }, system ? builtins.currentSystem, nodejs ? pkgs."nodejs-12_x"}:
+
+let
+ nodeEnv = import ./node-env.nix {
+ inherit (pkgs) stdenv python2 utillinux runCommand writeTextFile;
+ inherit nodejs;
+ libtool = if pkgs.stdenv.isDarwin then pkgs.darwin.cctools else null;
+ };
+in
+import ./node-packages.nix {
+ inherit (pkgs) fetchurl fetchgit;
+ inherit nodeEnv;
+}
\ No newline at end of file
diff --git a/pkgs/applications/networking/n8n/node-env.nix b/pkgs/applications/networking/n8n/node-env.nix
new file mode 100644
index 000000000000..e1abf5304935
--- /dev/null
+++ b/pkgs/applications/networking/n8n/node-env.nix
@@ -0,0 +1,542 @@
+# This file originates from node2nix
+
+{stdenv, nodejs, python2, utillinux, libtool, runCommand, writeTextFile}:
+
+let
+ python = if nodejs ? python then nodejs.python else python2;
+
+ # Create a tar wrapper that filters all the 'Ignoring unknown extended header keyword' noise
+ tarWrapper = runCommand "tarWrapper" {} ''
+ mkdir -p $out/bin
+
+ cat > $out/bin/tar <> $out/nix-support/hydra-build-products
+ '';
+ };
+
+ includeDependencies = {dependencies}:
+ stdenv.lib.optionalString (dependencies != [])
+ (stdenv.lib.concatMapStrings (dependency:
+ ''
+ # Bundle the dependencies of the package
+ mkdir -p node_modules
+ cd node_modules
+
+ # Only include dependencies if they don't exist. They may also be bundled in the package.
+ if [ ! -e "${dependency.name}" ]
+ then
+ ${composePackage dependency}
+ fi
+
+ cd ..
+ ''
+ ) dependencies);
+
+ # Recursively composes the dependencies of a package
+ composePackage = { name, packageName, src, dependencies ? [], ... }@args:
+ builtins.addErrorContext "while evaluating node package '${packageName}'" ''
+ DIR=$(pwd)
+ cd $TMPDIR
+
+ unpackFile ${src}
+
+ # Make the base dir in which the target dependency resides first
+ mkdir -p "$(dirname "$DIR/${packageName}")"
+
+ if [ -f "${src}" ]
+ then
+ # Figure out what directory has been unpacked
+ packageDir="$(find . -maxdepth 1 -type d | tail -1)"
+
+ # Restore write permissions to make building work
+ find "$packageDir" -type d -exec chmod u+x {} \;
+ chmod -R u+w "$packageDir"
+
+ # Move the extracted tarball into the output folder
+ mv "$packageDir" "$DIR/${packageName}"
+ elif [ -d "${src}" ]
+ then
+ # Get a stripped name (without hash) of the source directory.
+ # On old nixpkgs it's already set internally.
+ if [ -z "$strippedName" ]
+ then
+ strippedName="$(stripHash ${src})"
+ fi
+
+ # Restore write permissions to make building work
+ chmod -R u+w "$strippedName"
+
+ # Move the extracted directory into the output folder
+ mv "$strippedName" "$DIR/${packageName}"
+ fi
+
+ # Unset the stripped name to not confuse the next unpack step
+ unset strippedName
+
+ # Include the dependencies of the package
+ cd "$DIR/${packageName}"
+ ${includeDependencies { inherit dependencies; }}
+ cd ..
+ ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+ '';
+
+ pinpointDependencies = {dependencies, production}:
+ let
+ pinpointDependenciesFromPackageJSON = writeTextFile {
+ name = "pinpointDependencies.js";
+ text = ''
+ var fs = require('fs');
+ var path = require('path');
+
+ function resolveDependencyVersion(location, name) {
+ if(location == process.env['NIX_STORE']) {
+ return null;
+ } else {
+ var dependencyPackageJSON = path.join(location, "node_modules", name, "package.json");
+
+ if(fs.existsSync(dependencyPackageJSON)) {
+ var dependencyPackageObj = JSON.parse(fs.readFileSync(dependencyPackageJSON));
+
+ if(dependencyPackageObj.name == name) {
+ return dependencyPackageObj.version;
+ }
+ } else {
+ return resolveDependencyVersion(path.resolve(location, ".."), name);
+ }
+ }
+ }
+
+ function replaceDependencies(dependencies) {
+ if(typeof dependencies == "object" && dependencies !== null) {
+ for(var dependency in dependencies) {
+ var resolvedVersion = resolveDependencyVersion(process.cwd(), dependency);
+
+ if(resolvedVersion === null) {
+ process.stderr.write("WARNING: cannot pinpoint dependency: "+dependency+", context: "+process.cwd()+"\n");
+ } else {
+ dependencies[dependency] = resolvedVersion;
+ }
+ }
+ }
+ }
+
+ /* Read the package.json configuration */
+ var packageObj = JSON.parse(fs.readFileSync('./package.json'));
+
+ /* Pinpoint all dependencies */
+ replaceDependencies(packageObj.dependencies);
+ if(process.argv[2] == "development") {
+ replaceDependencies(packageObj.devDependencies);
+ }
+ replaceDependencies(packageObj.optionalDependencies);
+
+ /* Write the fixed package.json file */
+ fs.writeFileSync("package.json", JSON.stringify(packageObj, null, 2));
+ '';
+ };
+ in
+ ''
+ node ${pinpointDependenciesFromPackageJSON} ${if production then "production" else "development"}
+
+ ${stdenv.lib.optionalString (dependencies != [])
+ ''
+ if [ -d node_modules ]
+ then
+ cd node_modules
+ ${stdenv.lib.concatMapStrings (dependency: pinpointDependenciesOfPackage dependency) dependencies}
+ cd ..
+ fi
+ ''}
+ '';
+
+ # Recursively traverses all dependencies of a package and pinpoints all
+ # dependencies in the package.json file to the versions that are actually
+ # being used.
+
+ pinpointDependenciesOfPackage = { packageName, dependencies ? [], production ? true, ... }@args:
+ ''
+ if [ -d "${packageName}" ]
+ then
+ cd "${packageName}"
+ ${pinpointDependencies { inherit dependencies production; }}
+ cd ..
+ ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+ fi
+ '';
+
+ # Extract the Node.js source code which is used to compile packages with
+ # native bindings
+ nodeSources = runCommand "node-sources" {} ''
+ tar --no-same-owner --no-same-permissions -xf ${nodejs.src}
+ mv node-* $out
+ '';
+
+ # Script that adds _integrity fields to all package.json files to prevent NPM from consulting the cache (that is empty)
+ addIntegrityFieldsScript = writeTextFile {
+ name = "addintegrityfields.js";
+ text = ''
+ var fs = require('fs');
+ var path = require('path');
+
+ function augmentDependencies(baseDir, dependencies) {
+ for(var dependencyName in dependencies) {
+ var dependency = dependencies[dependencyName];
+
+ // Open package.json and augment metadata fields
+ var packageJSONDir = path.join(baseDir, "node_modules", dependencyName);
+ var packageJSONPath = path.join(packageJSONDir, "package.json");
+
+ if(fs.existsSync(packageJSONPath)) { // Only augment packages that exist. Sometimes we may have production installs in which development dependencies can be ignored
+ console.log("Adding metadata fields to: "+packageJSONPath);
+ var packageObj = JSON.parse(fs.readFileSync(packageJSONPath));
+
+ if(dependency.integrity) {
+ packageObj["_integrity"] = dependency.integrity;
+ } else {
+ packageObj["_integrity"] = "sha1-000000000000000000000000000="; // When no _integrity string has been provided (e.g. by Git dependencies), add a dummy one. It does not seem to harm and it bypasses downloads.
+ }
+
+ if(dependency.resolved) {
+ packageObj["_resolved"] = dependency.resolved; // Adopt the resolved property if one has been provided
+ } else {
+ packageObj["_resolved"] = dependency.version; // Set the resolved version to the version identifier. This prevents NPM from cloning Git repositories.
+ }
+
+ if(dependency.from !== undefined) { // Adopt from property if one has been provided
+ packageObj["_from"] = dependency.from;
+ }
+
+ fs.writeFileSync(packageJSONPath, JSON.stringify(packageObj, null, 2));
+ }
+
+ // Augment transitive dependencies
+ if(dependency.dependencies !== undefined) {
+ augmentDependencies(packageJSONDir, dependency.dependencies);
+ }
+ }
+ }
+
+ if(fs.existsSync("./package-lock.json")) {
+ var packageLock = JSON.parse(fs.readFileSync("./package-lock.json"));
+
+ if(packageLock.lockfileVersion !== 1) {
+ process.stderr.write("Sorry, I only understand lock file version 1!\n");
+ process.exit(1);
+ }
+
+ if(packageLock.dependencies !== undefined) {
+ augmentDependencies(".", packageLock.dependencies);
+ }
+ }
+ '';
+ };
+
+ # Reconstructs a package-lock file from the node_modules/ folder structure and package.json files with dummy sha1 hashes
+ reconstructPackageLock = writeTextFile {
+ name = "addintegrityfields.js";
+ text = ''
+ var fs = require('fs');
+ var path = require('path');
+
+ var packageObj = JSON.parse(fs.readFileSync("package.json"));
+
+ var lockObj = {
+ name: packageObj.name,
+ version: packageObj.version,
+ lockfileVersion: 1,
+ requires: true,
+ dependencies: {}
+ };
+
+ function augmentPackageJSON(filePath, dependencies) {
+ var packageJSON = path.join(filePath, "package.json");
+ if(fs.existsSync(packageJSON)) {
+ var packageObj = JSON.parse(fs.readFileSync(packageJSON));
+ dependencies[packageObj.name] = {
+ version: packageObj.version,
+ integrity: "sha1-000000000000000000000000000=",
+ dependencies: {}
+ };
+ processDependencies(path.join(filePath, "node_modules"), dependencies[packageObj.name].dependencies);
+ }
+ }
+
+ function processDependencies(dir, dependencies) {
+ if(fs.existsSync(dir)) {
+ var files = fs.readdirSync(dir);
+
+ files.forEach(function(entry) {
+ var filePath = path.join(dir, entry);
+ var stats = fs.statSync(filePath);
+
+ if(stats.isDirectory()) {
+ if(entry.substr(0, 1) == "@") {
+ // When we encounter a namespace folder, augment all packages belonging to the scope
+ var pkgFiles = fs.readdirSync(filePath);
+
+ pkgFiles.forEach(function(entry) {
+ if(stats.isDirectory()) {
+ var pkgFilePath = path.join(filePath, entry);
+ augmentPackageJSON(pkgFilePath, dependencies);
+ }
+ });
+ } else {
+ augmentPackageJSON(filePath, dependencies);
+ }
+ }
+ });
+ }
+ }
+
+ processDependencies("node_modules", lockObj.dependencies);
+
+ fs.writeFileSync("package-lock.json", JSON.stringify(lockObj, null, 2));
+ '';
+ };
+
+ prepareAndInvokeNPM = {packageName, bypassCache, reconstructLock, npmFlags, production}:
+ let
+ forceOfflineFlag = if bypassCache then "--offline" else "--registry http://www.example.com";
+ in
+ ''
+ # Pinpoint the versions of all dependencies to the ones that are actually being used
+ echo "pinpointing versions of dependencies..."
+ source $pinpointDependenciesScriptPath
+
+ # Patch the shebangs of the bundled modules to prevent them from
+ # calling executables outside the Nix store as much as possible
+ patchShebangs .
+
+ # Deploy the Node.js package by running npm install. Since the
+ # dependencies have been provided already by ourselves, it should not
+ # attempt to install them again, which is good, because we want to make
+ # it Nix's responsibility. If it needs to install any dependencies
+ # anyway (e.g. because the dependency parameters are
+ # incomplete/incorrect), it fails.
+ #
+ # The other responsibilities of NPM are kept -- version checks, build
+ # steps, postprocessing etc.
+
+ export HOME=$TMPDIR
+ cd "${packageName}"
+ runHook preRebuild
+
+ ${stdenv.lib.optionalString bypassCache ''
+ ${stdenv.lib.optionalString reconstructLock ''
+ if [ -f package-lock.json ]
+ then
+ echo "WARNING: Reconstruct lock option enabled, but a lock file already exists!"
+ echo "This will most likely result in version mismatches! We will remove the lock file and regenerate it!"
+ rm package-lock.json
+ else
+ echo "No package-lock.json file found, reconstructing..."
+ fi
+
+ node ${reconstructPackageLock}
+ ''}
+
+ node ${addIntegrityFieldsScript}
+ ''}
+
+ npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} rebuild
+
+ if [ "''${dontNpmInstall-}" != "1" ]
+ then
+ # NPM tries to download packages even when they already exist if npm-shrinkwrap is used.
+ rm -f npm-shrinkwrap.json
+
+ npm ${forceOfflineFlag} --nodedir=${nodeSources} ${npmFlags} ${stdenv.lib.optionalString production "--production"} install
+ fi
+ '';
+
+ # Builds and composes an NPM package including all its dependencies
+ buildNodePackage =
+ { name
+ , packageName
+ , version
+ , dependencies ? []
+ , buildInputs ? []
+ , production ? true
+ , npmFlags ? ""
+ , dontNpmInstall ? false
+ , bypassCache ? false
+ , reconstructLock ? false
+ , preRebuild ? ""
+ , dontStrip ? true
+ , unpackPhase ? "true"
+ , buildPhase ? "true"
+ , ... }@args:
+
+ let
+ extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" "dontStrip" "dontNpmInstall" "preRebuild" "unpackPhase" "buildPhase" ];
+ in
+ stdenv.mkDerivation ({
+ name = "node_${name}-${version}";
+ buildInputs = [ tarWrapper python nodejs ]
+ ++ stdenv.lib.optional (stdenv.isLinux) utillinux
+ ++ stdenv.lib.optional (stdenv.isDarwin) libtool
+ ++ buildInputs;
+
+ inherit nodejs;
+
+ inherit dontStrip; # Stripping may fail a build for some package deployments
+ inherit dontNpmInstall preRebuild unpackPhase buildPhase;
+
+ compositionScript = composePackage args;
+ pinpointDependenciesScript = pinpointDependenciesOfPackage args;
+
+ passAsFile = [ "compositionScript" "pinpointDependenciesScript" ];
+
+ installPhase = ''
+ # Create and enter a root node_modules/ folder
+ mkdir -p $out/lib/node_modules
+ cd $out/lib/node_modules
+
+ # Compose the package and all its dependencies
+ source $compositionScriptPath
+
+ ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
+
+ # Create symlink to the deployed executable folder, if applicable
+ if [ -d "$out/lib/node_modules/.bin" ]
+ then
+ ln -s $out/lib/node_modules/.bin $out/bin
+ fi
+
+ # Create symlinks to the deployed manual page folders, if applicable
+ if [ -d "$out/lib/node_modules/${packageName}/man" ]
+ then
+ mkdir -p $out/share
+ for dir in "$out/lib/node_modules/${packageName}/man/"*
+ do
+ mkdir -p $out/share/man/$(basename "$dir")
+ for page in "$dir"/*
+ do
+ ln -s $page $out/share/man/$(basename "$dir")
+ done
+ done
+ fi
+
+ # Run post install hook, if provided
+ runHook postInstall
+ '';
+ } // extraArgs);
+
+ # Builds a development shell
+ buildNodeShell =
+ { name
+ , packageName
+ , version
+ , src
+ , dependencies ? []
+ , buildInputs ? []
+ , production ? true
+ , npmFlags ? ""
+ , dontNpmInstall ? false
+ , bypassCache ? false
+ , reconstructLock ? false
+ , dontStrip ? true
+ , unpackPhase ? "true"
+ , buildPhase ? "true"
+ , ... }@args:
+
+ let
+ extraArgs = removeAttrs args [ "name" "dependencies" "buildInputs" ];
+
+ nodeDependencies = stdenv.mkDerivation ({
+ name = "node-dependencies-${name}-${version}";
+
+ buildInputs = [ tarWrapper python nodejs ]
+ ++ stdenv.lib.optional (stdenv.isLinux) utillinux
+ ++ stdenv.lib.optional (stdenv.isDarwin) libtool
+ ++ buildInputs;
+
+ inherit dontStrip; # Stripping may fail a build for some package deployments
+ inherit dontNpmInstall unpackPhase buildPhase;
+
+ includeScript = includeDependencies { inherit dependencies; };
+ pinpointDependenciesScript = pinpointDependenciesOfPackage args;
+
+ passAsFile = [ "includeScript" "pinpointDependenciesScript" ];
+
+ installPhase = ''
+ mkdir -p $out/${packageName}
+ cd $out/${packageName}
+
+ source $includeScriptPath
+
+ # Create fake package.json to make the npm commands work properly
+ cp ${src}/package.json .
+ chmod 644 package.json
+ ${stdenv.lib.optionalString bypassCache ''
+ if [ -f ${src}/package-lock.json ]
+ then
+ cp ${src}/package-lock.json .
+ fi
+ ''}
+
+ # Go to the parent folder to make sure that all packages are pinpointed
+ cd ..
+ ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+
+ ${prepareAndInvokeNPM { inherit packageName bypassCache reconstructLock npmFlags production; }}
+
+ # Expose the executables that were installed
+ cd ..
+ ${stdenv.lib.optionalString (builtins.substring 0 1 packageName == "@") "cd .."}
+
+ mv ${packageName} lib
+ ln -s $out/lib/node_modules/.bin $out/bin
+ '';
+ } // extraArgs);
+ in
+ stdenv.mkDerivation {
+ name = "node-shell-${name}-${version}";
+
+ buildInputs = [ python nodejs ] ++ stdenv.lib.optional (stdenv.isLinux) utillinux ++ buildInputs;
+ buildCommand = ''
+ mkdir -p $out/bin
+ cat > $out/bin/shell <