From 92d2c845d8832013d6bff48848a75350426f33fb Mon Sep 17 00:00:00 2001 From: jack Date: Sun, 22 Mar 2026 06:19:39 +0700 Subject: [PATCH] feat: add n8n, outline routes, remove syncthing, fix backup awscli MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Add n8n to tools server (n8n.csrx.ru) - Add cross-server Traefik routes: wiki.csrx.ru + n8n.csrx.ru → tools - Remove Syncthing (replaced by Outline wiki) - Fix awscli install: download static binary (apt/pip broken on Ubuntu 24.04) - Add n8n secrets to vault (encryption key + JWT secret) - Improve CI/CD workflow: syntax-check both playbooks, deploy both servers - Update site.yml: unified single-command deploy for all servers Co-Authored-By: Claude Sonnet 4.6 --- .forgejo/workflows/deploy.yml | 28 ++- inventory/group_vars/all/main.yml | 3 + inventory/group_vars/all/vault.yml | 201 +++++++++--------- playbooks/site.yml | 21 +- roles/backup/tasks/main.yml | 20 +- .../services/templates/docker-compose.yml.j2 | 28 --- .../templates/traefik/dynamic/routes.yml.j2 | 46 ++-- roles/tools/defaults/main.yml | 1 + roles/tools/tasks/main.yml | 1 + roles/tools/templates/docker-compose.yml.j2 | 40 ++++ roles/tools/templates/env.j2 | 4 + 11 files changed, 234 insertions(+), 159 deletions(-) diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml index dccc2c6..e9f9cf2 100644 --- a/.forgejo/workflows/deploy.yml +++ b/.forgejo/workflows/deploy.yml @@ -7,6 +7,7 @@ on: branches: [master] jobs: + # ── Syntax check (every PR + push) ───────────────────────────────────────── syntax-check: runs-on: ubuntu-latest steps: 
@@ -15,14 +16,23 @@ jobs: - name: Install ansible run: pip3 install ansible --quiet --break-system-packages + - name: Install collections + run: | + ansible-galaxy collection install \ + community.general community.docker ansible.posix --force + - name: Write vault password run: | echo "${{ secrets.VAULT_PASSWORD }}" > ~/.vault-password-file chmod 600 ~/.vault-password-file - - name: Syntax check - run: ansible-playbook playbooks/deploy.yml --syntax-check -i inventory/ + - name: Syntax check — main + run: ansible-playbook playbooks/deploy.yml --syntax-check + - name: Syntax check — tools + run: ansible-playbook playbooks/tools.yml --syntax-check + + # ── Deploy (push to master only, after syntax-check passes) ──────────────── deploy: needs: syntax-check if: github.ref == 'refs/heads/master' && github.event_name == 'push' @@ -33,14 +43,17 @@ jobs: - name: Install dependencies run: | pip3 install ansible --quiet --break-system-packages - ansible-galaxy collection install ansible.posix community.general community.docker + ansible-galaxy collection install \ + ansible.posix community.general community.docker --force - name: Configure SSH run: | mkdir -p ~/.ssh printf '%s' "${{ secrets.SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519 chmod 600 ~/.ssh/id_ed25519 - printf '%s' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts + # Scan host keys directly (no need for SSH_KNOWN_HOSTS secret) + ssh-keyscan -p 22 87.249.49.32 >> ~/.ssh/known_hosts + ssh-keyscan -p 22 85.193.83.9 >> ~/.ssh/known_hosts chmod 600 ~/.ssh/known_hosts - name: Write vault password @@ -48,5 +61,8 @@ jobs: echo "${{ secrets.VAULT_PASSWORD }}" > ~/.vault-password-file chmod 600 ~/.vault-password-file - - name: Deploy - run: ansible-playbook playbooks/deploy.yml -i inventory/ + - name: Deploy main server + run: ansible-playbook playbooks/deploy.yml -l main + + - name: Deploy tools server + run: ansible-playbook playbooks/tools.yml -l tools 
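Review bot: The new `Install collections` step in the syntax-check job installs `community.general`, `community.docker` and `ansible.posix` with `--force` and no version constraint, so every run pulls whatever is current on Galaxy into a job that also writes the vault password to disk. Pinning the collections in a `requirements.yml` and installing with `ansible-galaxy collection install -r requirements.yml` would make runs reproducible and limit exposure to a bad upstream release. The same applies to the `--force` install added in the deploy job and to the unpinned `pip3 install ansible`. Both syntax checks also drop `-i inventory/`, which presumably relies on an inventory setting in `ansible.cfg` that is not visible here.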
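Review bot: Replacing the pinned `SSH_KNOWN_HOSTS` secret with `ssh-keyscan` in the `Configure SSH` step removes host-key verification. The runner now trusts whatever key answers at 87.249.49.32 and 85.193.83.9 at job time, so a machine in the network path can impersonate either server and receive the deploy, including vault-decrypted secrets. Keep the pinned keys, `printf '%s' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts`, and add the tools server's key to that secret. If scanning has to stay, compare the scanned fingerprints against known-good values before any playbook runs.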
diff --git a/inventory/group_vars/all/main.yml b/inventory/group_vars/all/main.yml index 4a57e32..6a94246 100644 --- a/inventory/group_vars/all/main.yml +++ b/inventory/group_vars/all/main.yml @@ -12,6 +12,7 @@ domain_dashboard: "dash.{{ domain_base }}" domain_auth: "auth.{{ domain_base }}" domain_status: "status.{{ domain_base }}" domain_wiki: "wiki.{{ domain_base }}" +domain_n8n: "n8n.{{ domain_base }}" domain_mon: "mon.{{ domain_base }}" # Service paths @@ -44,6 +45,8 @@ cloudflare_zone_id: "0935215d596a24a10866a81409ed8332" outline_secret_key: "{{ vault_outline_secret_key }}" outline_utils_secret: "{{ vault_outline_utils_secret }}" outline_db_password: "{{ vault_outline_db_password }}" +n8n_encryption_key: "{{ vault_n8n_encryption_key }}" +n8n_jwt_secret: "{{ vault_n8n_jwt_secret }}" # Server IPs (used for cross-server Traefik routing) ip_main: "87.249.49.32" ip_tools: "85.193.83.9" diff --git a/inventory/group_vars/all/vault.yml b/inventory/group_vars/all/vault.yml index 1f80970..f6d5fb0 100644 --- a/inventory/group_vars/all/vault.yml +++ b/inventory/group_vars/all/vault.yml 
@@ -1,97 +1,106 @@ $ANSIBLE_VAULT;1.1;AES256 -63363435626336383432346332393565356632663561623435303461623337623538383765336663 -6532306464653361333766353164343936323530366234380a373733323161353231656235353463 -61646565346263633836313962363933663862373435376364366265303736626339386233396537 -3365323338333736330a636535356635333235393436666535633562313938353831666335366630 -30613031613237343565643637333664663536353762626666663862633032633938626632613039 -61346133343665383762303365623731303363396533643434633539636532306130366435653834 -31646363353833633261666138323836316335373538646161376363653764636335373765336432 -31633438306266326638643534313665313830326334663431383461306161336165613133383832 -33663463646131363938366132343535663732666461353631626161623562666530663536306662 -37323063316133373732303435383563333736316661343266343231383731306666626335626438 -64363133666230653136363237376631653038623836366238346461383761356232376433386165 -37323733663036326534386137343766353464343938393737346534333764333539636139653639 -62353539326463303366396231656135643634393730633863343133363162616665366630316663 -64353239326138323661343939633938633030366364393431366230626463656464653633633464 -35346439343031373832333262373830376237306661623636633439353537333833623638396330 -36633437333562323330386230616136336466396239663430643738623637656236316638313062 -35666166373965616661386339323865326664623836383138353664666538643433346565623138 -33613233393833623832343763623634343332353261353865356530366362333962623538393838 -32663934653565393961303566313536643661313862326632633830363235393064363037333162 -38323237633066343536653161343761373763383861616531373935326335306130386637313664 -66393062623433333364373863393665393838633863656430643833316331623363653539663839 -32356564616665363961396132623033303337363035323838343133633861396334313564346564 -37353231656464306233393935396562366261336161356263323463346634366438366235356466 
-36333464336666383739663765636130663332383635346361386435616561356235313061343133 -33623335656566613466303832623963613861656361316235353562653365626666366230393639 -64356265656432363635666238363235303965663266633833613063623832356262623638653265 -64303530636662626137356130643033666362663663323165363632353031373866393233373365 -32363432613035643266323631326535366232356132303664633739373536356338353032633564 -39656131663532393165303536613134333261333931643738336133323866383830633430376665 -31383266343838643332373664383835323264623034636434336263383964646334613633353437 -30393962633232333133653234656163326633643634353937653431623737363161643732613130 -61376665373466663434616166303866366565366166323436353564326363373665316331303432 -32633038386665623465393633373735333864646439613139626630383637363763383364383831 -61636231383434373330383530613138663832316437373731313065333136666264386532373639 -33366162656634643637343637336233646638373834376564653664633536353963323238646264 -61353065663161323937383238616661656239363963333166323032323732326336343437313564 -32633639616236356633393237363165333965373266343736633437363534306239313430353236 -34363166383866336262623661386132333031366435646230393465363931623039363736633533 -39333235666531333936636163393863333862623437333362363935633937383164633463616163 -61393930306139633434633330623334393633363736666664303433666536316632323564383438 -66316338663866303061323236363061636339623130363639326266356531353366626336303164 -39633861653262313165306562653939353637323133663566663164303638663033656636396636 -66323232313839376136656632306335313231376466373238346131383062643337376238336232 -66333764646162383466613935303434626435316131383130323431653961326634366437313030 -31316238346566663037616263333834336335616537373935336165323564386166653232373534 -64313634616332333231313962356236313236393336653334626630343263373863373266613864 -35396662656563396633313563626661306262383461326435346536666661343562336334313535 
-36303433646466333132646535303933343237636131336665396661393039363861393236656133 -62313539663663343263656564356438336431653565623766613033306664633638393739326461 -32633636663764393662373836313738653632653730386133396162633138643663313565343533 -34323066303663653732363333343532636434356430393532666134396263373638313533346161 -31373935316662366565326139303766383161396638366436356537626336396466626339343536 -37396562656339646365653336396636376163653536666463616365626136326530313634333031 -35393237656664343133353134383762623330336266376461313731646436346530376133656532 -61323931653136663265306531343930316561353034613264623166333664363136643132626163 -66333663356562643132303034643735346166326335613637303735626162633261623734313531 -38636531643637356635346435303763613034313065306466306261363939616136633562316231 -62633239653931623562353936656361663934303464656665366333323062666264336436383834 -37353537333364626336353733303766636463313536313331343639636366393966336361373039 -62333431366536353236623161633833656664666334313833346433343565613336303538623366 -37613930316135363331656635326330653239636336626334353337353665656331356364333734 -37376534623739313838383664613639356535353731626164623465666330386136373262663664 -39626362623936616563333234343062386466323738316236313630313566643739323131376339 -38346365336264613032373966636561626238633735663266376665316161636166363366656563 -61396662666463376434633733333265333534656466623932353836616561616536353334653236 -35313465393438313835373563323538613961303231616435393131373737333738376637663763 -31373230326265386636383065343536393363326539383437313264313463633462353964633764 -30306436643039623230626237323535306538363831373063373861663139646661636132383263 -63353834663530656564386435376237356332303438343332316434636339363037616264356464 -66616630343734346533393563393337613537376636396632343930396130643937316139653034 -38653463343065363231626365633330313463633535353431623938646534303161346238346536 
-30353032333834383735376163396537646132623635346138386132656561333437313161326336 -36393564323430623030313736646131313864346566343937613561303964333161616566633764 -66623333366634306563303566383930663965666133353865646438303961313635306535366635 -31663339343564343266303961616439613039616263303931663234666537326638353038613331 -36396633646137353132333362323634613062353237616666333835396330633863306233333565 -38343634666536326361316531643231356539323834346139363139613561306330363438623561 -39633432653930373731313739353637636537623536306135313733386639363566363463333132 -31636261333435663966653066336362653232626635663663326434386437333732383530373132 -62323063656131396534633335363537393431373935366233643932666331653662373762323966 -34323131613861613936623230316162653434646565643432386161646231356432613837646634 -66643561353034393435306239333032356535373238636534343666383432653866306566326661 -37356432363561646564613362353537636132316363323735613332353334316330373732366230 -38643339386164356666363565623333376136626533363630333562613331323937623939363238 -34663030323665333034656332313663336336373937316564313966313034366163616337613133 -39323338626137373930626436383433366233393136653862636539306333356538303235346633 -32656134333333623766323232616633616636306138653666663661333561303966343764623139 -66333164616536326461396632353665633731393263313037386464623430386130353039353264 -31343333613530343634363132346332646331653635333665323033396437656536646431663862 -37376363653165346433633038396132656339373438646536326534663434366361326637663466 -34666565623730323334346330396166626462386637613538303065333036623366333036633739 -37383066306462303334333063653161386330373661626162373836353834653966613938666237 -61353565363533376666316234333933383437393730633235306362373133323532653337626534 -30363434333463616637386131663962396130353133353266326332343631356337626635353532 -66393031363238333735633563343231366562653162346637303833386138313037643862663362 -37346636663033663361 
+31636461643831333531333865363466633066313930383165643866653465326136373363643830 +3133373732303438613337353435333764643761356534300a376331636161373664393634376265 +66373962303534383636663137306531346564303533613235613935613632373338343630306339 +6133633166396138360a356463323462643266336132303365313363343062346265343961363431 +32373838326536396630643636356461663539313131376538656261376166363062343133666262 +36386430353963323435343937613539326537333463326538613464356631616362396636366166 +34373333363232326639303563343965373733646264383263666266393265313732303036613538 +31356633376631303533613462643836323462333930306331666563326536303166336339356633 +39393563346139666533376535633166643336646166663962623730346430663363653537623931 +38663466616661393532326136636230633363363164626239616438353737353830653730613936 +31373037656331356563333031393861633435333364653165633237323532353962383066636462 +64646666323235323432336135333466613265363738643630346539636465383833366139303634 +66373961663139396464393764353130666331623836386338343862323732346432643030626238 +34336563356266333434353035363034363532656532303730363432633435383034393666393439 +38626235646365366536303231633635353937666535666630323938303039323666653730383731 +36313434616466353538626236333965323861376665383836343136376365303730336130313134 +63613335633837313130626339626136646334333931666364376535356163363864656265336433 +39333934333637323534343236366432333337373135333762333036343365383438326636613033 +33373562373661616237323636343064623831363637313338343631343739363230623164656466 +64323761383533643136393539613331353261396663316236613336663738636463633132653534 +38653634393965383765656431343830386163333433323961353764316565326638303434656161 +31383735356238643761323733353138313934386137633530636430643934363136373666653862 +32383634396263326563656364313461636530366336336264326538643830396262326364633437 +32656566363763396532316334333331353334316662636330396134613363663034303162323133 
+62363235303532663536383236326263646366333732333638363631326131306233623035306663 +62333035623566636235663963316430303932313166313439396135373033653364376263633937 +33616233663333316438333834313831383232666531636336666634316361386538323364366532 +62343335333836646231386164333533366638626437333531303263656262356566363462363561 +39326430366363623139393461366265613833393638626337636632376364326461313934653939 +37336136633161393439383238666537643530616535333861323635386433356463646266326666 +36343735316464306238376439663035356331366433326134633631386531313638663265363532 +63336366646533333662323739316561393537383033346538363763303333643538363264656230 +32653335643039613166386463326662393336363532313064633862313761623265333665356132 +33646131336561393333363562653566663062353064383834663430613365323234306336343636 +64383661323761326534326564313465323333623631643962313163316533343361323836346461 +62623839343530366236323338626134613761396638303230336134303537306338623364376234 +35653162376533623636616538336337646330373765366133326134653334313032343733336436 +37636462333239326632643830643463623534306337333531646462376434343163353030643430 +61343933373339376639316330363139653234636635303739633239613566613634666339643832 +62616266346232353737376139626233363335363432323338353935343737663938656630653238 +66313231353438346431333533366664313661663330623466316663366337373531636663643632 +30353863383635353764633436613964646631373730313232346664343463653163323030643266 +66646634373862633361656464646539313433613363313861376462653731383663386662643062 +64333164623130666233366536363761343138633935363164653066373837666339323165333362 +34616239373062623332383562653961343963386431643665306230656664613766333733353834 +62396430616564303830326531643336363631363234626635636133313435626539646433613361 +64653437363036363461626364393336323336323634393239626631353430646466343164623465 +35623130346663376336336530366161623361663034373433313430636236616661316666346665 
+64303137323362313938363530316462363666396138663764306561393434636331653137343063 +32306136313263373432336162363737306166663666646264666438363537346363613030653733 +32653866306134623366616231393234653338653265636137343136356430633236623063306333 +61373437393831323830393663663832653939616437373963383934336266373434323133336239 +62626334323266343739643932663961616130386435636230613165366232343138346435353739 +65393464326531323034333864646661346465633537373632613431663035643536623965336334 +65363431343362613639353361313365643438376230353934646466643239316435396266326231 +37633362326637323265343437356138633461303031323533613963396536323164666461353034 +65373763626362313766623030316164303964633830613337613139613163396439373430633738 +38663839646361663164343261656536356337613531393136636134383363333366633866623664 +65373364363734666366393462323362326564333431393131303264646536663539363066373938 +62643162346661643333313134623865666666643736313235346638353363346435656439353335 +36326534656338383666316537303734343462303136653264393538303038373131616664363434 +38376131333734303039396232343265303239333330623361666462363261366365626461613034 +35616361373631366233623464666261626135353064323635363766356331303864396433323865 +32366365623730353033373039626235306166323035393331363839356162323363326366613065 +31303630363763663561326238663533633537376561303935363734306234343063393863353738 +38346365373331383963643430633164313632323133323838643436646137313361653631376430 +38323964383264653237343334386638366463393461653239303734656537616261383361376464 +32666266363039316365303563346133356632653366303661626331313763306538386533336137 +62373336366466306634323539623439336632333036313361346164316666396333623832393732 +32393261393865353362383434326137633963613265343136663834666366633136646335653064 +64306162656131636439316636353463383638323938306662336134323035656262386462616339 +65373431616332613234353230653365313935646430363435616166323238643533313932356134 
+38376535373739616338303065623863303030613464633330316337313238623234643862356537 +33313630663163626331623862373861613435393566633735636436643939323436616366353633 +36623235386434613163303430366366633830376565383632613565393931326531323566353531 +65653032383139666538373063383337306235393334383164626337623564663939653933363830 +35663630636565636639653662633362643562356638643864383030316565636564306362336539 +34376435353434393034613365613533346339353935353233663231623235623863623665616135 +65313263643965343833373063616238313465373534613330613035346337343832386136343736 +61333637393065653331353737663737376630383036646531353432653434363436323866663331 +35656463663830343864643064313931633763373762613233663038653835643932616137646163 +31356631346530653461343262303836306463393838666236613834623737666666643035653433 +30366138663935613336303931396439343762663566366563303834306465323132363831306337 +31363134383263663832383838356332326663663562646536313538653961623233636663336665 +66373663356335333161336231313564633834353137643763616261333564656561346130623339 +31366435303636646362653034633634636433353032353338373166316336653132373934313630 +62656362303631636435303139383766383931626133336565633262323361326337666362353538 +66343532353532313964343330323666633231313765336535376431653836343866633334336437 +62343538623663373039343134326235613130313534613537386466353130653764653435663666 +34363532613635316538363964643435653062643736396362626534363064386536653963383633 +32326335613336363332313036353338303738363865346362316339356166333131626339303663 +39613531653763613638343839313162636239383030643134373035616361313936386333656633 +36646238316566386238333033636439373633393034663466653635616237616566383466613465 +39383461663131633461313261613339613633303935636639303337313965306637306538643036 +33643665616135643234393739333532356462303263363065613461623631643030666331316562 +36313739356339623465353564363537666335313132663464346665383936346362643565326237 
+66336239343735336433636466313163353332333061646638616534656131313437383561653561 +31613861386363326136303833343966313862353234373762356630623335613866666534376533 +63303034333630623164373064383730356136373961646465663766303031303932343664396163 +32646335303562313565386434353036646463343336646665333334336339303465613530373234 +31663461643664313136396633613532363766363635363132323432643161373130333635646335 +33376438323132656335633862653630356534396339303739303538383837343031386232346137 +63366530313661313731326664363936373163383066656635616137653132613134636635346531 +36353130333461323230626239636234326236643366383265626535356130363538653735626337 +30386633373366383339346431656239383136313838363032333663366238623835 diff --git a/playbooks/site.yml b/playbooks/site.yml index e1ea088..65d4e8f 100644 --- a/playbooks/site.yml +++ b/playbooks/site.yml @@ -1,10 +1,17 @@ --- -# Master playbook — for reference only. -# Do NOT run this directly: bootstrap.yml requires `-u root`, -# deploy.yml runs as the deploy user. Run them separately: +# ── Master playbook: deploys all servers ──────────────────────────────────── # -# ansible-playbook playbooks/bootstrap.yml -u root # first time only -# ansible-playbook playbooks/deploy.yml # all subsequent runs +# FIRST TIME (new servers, run as root): +# ansible-playbook playbooks/bootstrap.yml -u root # -# - import_playbook: bootstrap.yml -# - import_playbook: deploy.yml +# ALL SUBSEQUENT DEPLOYS (idempotent, run as deploy user): +# ansible-playbook playbooks/site.yml +# +# Per-server: +# ansible-playbook playbooks/deploy.yml # main server only +# ansible-playbook playbooks/tools.yml # tools server only (Outline + n8n) +# +# Secrets required in ~/.vault-password-file (see CLAUDE.md) + +- import_playbook: deploy.yml +- import_playbook: tools.yml diff --git a/roles/backup/tasks/main.yml b/roles/backup/tasks/main.yml index 4ced10d..f1e2255 100644 --- a/roles/backup/tasks/main.yml +++ b/roles/backup/tasks/main.yml 
@@ -1,8 +1,20 @@ --- -- name: Install awscli for S3 uploads - ansible.builtin.apt: - name: awscli - state: present +- name: Install awscli (download static binary — works on Ubuntu 24.04) + ansible.builtin.shell: | + set -e + ARCH=$(uname -m) + if [ "$ARCH" = "x86_64" ]; then + URL="https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" + else + URL="https://awscli.amazonaws.com/awscli-exe-linux-aarch64.zip" + fi + cd /tmp + curl -fsSL "$URL" -o awscliv2.zip + unzip -q -o awscliv2.zip + ./aws/install --update -i /usr/local/aws-cli -b /usr/local/bin + rm -rf awscliv2.zip aws/ + args: + creates: /usr/local/bin/aws - name: Create backup directory ansible.builtin.file: diff --git a/roles/services/templates/docker-compose.yml.j2 b/roles/services/templates/docker-compose.yml.j2 index 6fe9feb..a26b919 100644 --- a/roles/services/templates/docker-compose.yml.j2 +++ b/roles/services/templates/docker-compose.yml.j2 @@ -38,8 +38,6 @@ volumes: plane_redis_data: plane_minio_data: plane_media: - syncthing_config: - syncthing_data: act_runner_data: prometheus_data: grafana_data: 
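Review bot: The awscli task in roles/backup/tasks/main.yml downloads a zip and runs its installer (presumably as root) without verifying it, and it works in fixed paths under `/tmp` (`awscliv2.zip`, `aws/`) that another local user could pre-create. AWS publishes a detached signature next to each archive (the zip URL with `.sig` appended), so the task can verify the download before unpacking, and a `mktemp -d` work directory avoids the shared path. The `else` branch also treats every non-x86_64 machine as aarch64, and with `creates: /usr/local/bin/aws` the `--update` flag never takes effect on an existing install, so the version is whatever was current on first run. The keyring path in the sketch below is a placeholder for wherever the AWS CLI public key is provisioned.

```yaml
  ansible.builtin.shell: |
    set -e
    # … unchanged: ARCH detection and URL selection …
    WORKDIR=$(mktemp -d)
    trap 'rm -rf "$WORKDIR"' EXIT
    cd "$WORKDIR"
    curl -fsSL "$URL" -o awscliv2.zip
    curl -fsSL "$URL.sig" -o awscliv2.sig
    # Fail the task unless the archive is signed by the provisioned AWS CLI key
    gpg --no-default-keyring --keyring <PATH_TO_AWSCLI_KEYRING> \
      --verify awscliv2.sig awscliv2.zip
    unzip -q awscliv2.zip
    # … unchanged: ./aws/install call; the trap replaces the manual rm -rf …
```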
@@ -380,32 +378,6 @@ services: timeout: 20s retries: 3 - # ── Syncthing ────────────────────────────────────────────────────────────── - # Порты 22000 и 21027 нужны для синхронизации между устройствами (не только UI). - # backend — internal: true, но Syncthing на published ports выходит наружу через host. - syncthing: - image: {{ syncthing_image }} - container_name: syncthing - restart: unless-stopped - networks: - - backend - ports: - - "22000:22000/tcp" - - "22000:22000/udp" - - "21027:21027/udp" - volumes: - - syncthing_config:/var/syncthing/config - - syncthing_data:/var/syncthing/data - environment: - - PUID=1000 - - PGID=1000 - - TZ=UTC - healthcheck: - test: ["CMD", "curl", "-sf", "http://localhost:8384/rest/noauth/health"] - interval: 30s - timeout: 5s - retries: 3 - # ── Forgejo Actions Runner ───────────────────────────────────────────────── # backend — для связи с Forgejo по внутренней сети (http://forgejo:3000) # runner-jobs — сеть с интернет-доступом для job-контейнеров diff --git a/roles/services/templates/traefik/dynamic/routes.yml.j2 b/roles/services/templates/traefik/dynamic/routes.yml.j2 index bc4e491..4550de1 100644 --- a/roles/services/templates/traefik/dynamic/routes.yml.j2 +++ b/roles/services/templates/traefik/dynamic/routes.yml.j2 @@ -73,14 +73,6 @@ http: middlewares: [rate-limit-default] priority: 10 - syncthing: - rule: "Host(`{{ domain_sync }}`)" - entrypoints: [websecure] - tls: - certresolver: letsencrypt - service: syncthing - middlewares: [authelia@docker, rate-limit-strict] - grafana: rule: "Host(`{{ domain_dashboard }}`)" entrypoints: [websecure] 
@@ -105,6 +97,23 @@ http: service: uptime-kuma middlewares: [rate-limit-default] + # ── Cross-server: tools ({{ ip_tools }}) ───────────────────────────────── + wiki: + rule: "Host(`{{ domain_wiki }}`)" + entrypoints: [websecure] + tls: + certresolver: letsencrypt + service: wiki + middlewares: [rate-limit-default] + + n8n: + rule: "Host(`{{ domain_n8n }}`)" + entrypoints: [websecure] + tls: + certresolver: letsencrypt + service: n8n + middlewares: [rate-limit-strict] + services: vaultwarden: loadBalancer: @@ -136,11 +145,6 @@ http: servers: - url: "http://plane-space:3000" - syncthing: - loadBalancer: - servers: - - url: "http://syncthing:8384" - grafana: loadBalancer: servers: @@ -156,6 +160,17 @@ http: servers: - url: "http://uptime-kuma:3001" + # ── Cross-server services ───────────────────────────────────────────────── + wiki: + loadBalancer: + servers: + - url: "http://{{ ip_tools }}:3000" + + n8n: + loadBalancer: + servers: + - url: "http://{{ ip_tools }}:5678" + middlewares: # ── Security Headers (applied globally via entrypoint) ───────────────── security-headers: @@ -201,11 +216,6 @@ http: users: - "{{ traefik_dashboard_htpasswd }}" - syncthing-auth: - basicAuth: - users: - - "{{ syncthing_basic_auth_htpasswd }}" - # ── Authelia ForwardAuth ─────────────────────────────────────────────── authelia: forwardAuth: diff --git a/roles/tools/defaults/main.yml b/roles/tools/defaults/main.yml index 2758857..63b0bc9 100644 --- a/roles/tools/defaults/main.yml +++ b/roles/tools/defaults/main.yml @@ -3,3 +3,4 @@ tools_root: /opt/tools outline_image: "outlinewiki/outline:0.80.2" outline_db_image: "postgres:15-alpine" outline_redis_image: "redis:7-alpine" +n8n_image: "n8nio/n8n:1.89.2" # https://hub.docker.com/r/n8nio/n8n/tags diff --git a/roles/tools/tasks/main.yml b/roles/tools/tasks/main.yml index 986cda3..21120d8 100644 --- a/roles/tools/tasks/main.yml +++ b/roles/tools/tasks/main.yml 
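Review bot: The `n8n` router added in the `@@ -105,6 +97,23 @@` hunk carries only `rate-limit-strict`, while the removed Syncthing route sat behind `authelia@docker`, so the n8n editor is reachable from the internet with nothing in front of n8n's own login. Consider `middlewares: [authelia@docker, rate-limit-strict]` on this router, plus a separate higher-priority router for the webhook prefix if external webhooks need to stay open. The same question applies to `wiki`, which uses `rate-limit-default` only; whether Outline's own authentication is considered sufficient is not visible here.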
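Review bot: The `wiki` and `n8n` services in the `@@ -156,6 +160,17 @@` hunk point Traefik at `http://{{ ip_tools }}:3000` and `http://{{ ip_tools }}:5678`, and `ip_tools` is a public address in group_vars. Session cookies, wiki content and n8n credentials therefore cross the network between the two servers in cleartext after TLS terminates on main. Carry this hop over a private interface or tunnel between the hosts, or terminate TLS on the tools server and use an `https://` backend URL. Until then, a comment such as `# plaintext hop: requires a private link between main and tools` above the block would at least record the assumption.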
@@ -31,6 +31,7 @@ - "{{ outline_image }}" - "{{ outline_db_image }}" - "{{ outline_redis_image }}" + - "{{ n8n_image }}" - name: Start tools stack community.docker.docker_compose_v2: diff --git a/roles/tools/templates/docker-compose.yml.j2 b/roles/tools/templates/docker-compose.yml.j2 index bdfb64c..f91aeb1 100644 --- a/roles/tools/templates/docker-compose.yml.j2 +++ b/roles/tools/templates/docker-compose.yml.j2 @@ -5,10 +5,14 @@ networks: outline-internal: driver: bridge internal: true + n8n-internal: + driver: bridge + internal: true volumes: outline_db_data: outline_redis_data: + n8n_data: services: @@ -80,3 +84,39 @@ services: options: max-size: "10m" max-file: "3" + + # ── n8n workflow automation ────────────────────────────────────────────────── + n8n: + image: {{ n8n_image }} + container_name: n8n + restart: unless-stopped + networks: + - n8n-internal + ports: + # Exposed only to main Traefik (access controlled by UFW) + - "{{ ip_tools }}:5678:5678" + volumes: + - n8n_data:/home/node/.n8n + environment: + - N8N_HOST={{ domain_n8n }} + - N8N_PORT=5678 + - N8N_PROTOCOL=https + - WEBHOOK_URL=https://{{ domain_n8n }}/ + - N8N_ENCRYPTION_KEY=${N8N_ENCRYPTION_KEY} + - N8N_USER_MANAGEMENT_JWT_SECRET=${N8N_JWT_SECRET} + - GENERIC_TIMEZONE=Europe/Moscow + - TZ=Europe/Moscow + - N8N_METRICS=false + - N8N_LOG_LEVEL=warn + - EXECUTIONS_DATA_PRUNE=true + - EXECUTIONS_DATA_MAX_AGE=336 + healthcheck: + test: ["CMD", "wget", "-qO-", "http://localhost:5678/healthz"] + interval: 30s + timeout: 5s + retries: 3 + logging: + driver: json-file + options: + max-size: "10m" + max-file: "3" diff --git a/roles/tools/templates/env.j2 b/roles/tools/templates/env.j2 index 45a67cf..9b5f2d1 100644 --- a/roles/tools/templates/env.j2 +++ b/roles/tools/templates/env.j2 
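Review bot: In the new `n8n` service the comment `# Exposed only to main Traefik (access controlled by UFW)` is likely not true as written. Ports published by Docker are handled in Docker's own iptables chains and are not filtered by UFW's default rules, so `{{ ip_tools }}:5678` may be open to any source. Restrict the source to `{{ ip_main }}` in the `DOCKER-USER` chain, or bind the port to a private interface, and change the comment to match, e.g. `# Published on the public IP; source restricted to ip_main via DOCKER-USER`. Separately, `n8n` is attached only to `n8n-internal`, which is declared `internal: true`; that blocks outbound calls from workflows and may also keep the published port from being reachable, so it is worth confirming on a host. The firewall rules themselves are outside this diff.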
@@ -34,3 +34,7 @@ OUTLINE_DB_PASSWORD={{ outline_db_password }} DEFAULT_LANGUAGE=ru_RU RATE_LIMITER_ENABLED=true ENABLE_UPDATES=false + +# n8n secrets +N8N_ENCRYPTION_KEY={{ n8n_encryption_key }} +N8N_JWT_SECRET={{ n8n_jwt_secret }}