n8n is a fair-code workflow automation tool — think Zapier or Make, but self-hosted and far more flexible. You can run it as a single container for personal use, but a production deployment that handles real webhook traffic needs a proper database, persistent encryption keys, and ideally queue mode. This guide covers a robust setup.
Why not just run the single container?
The quickstart docker run n8nio/n8n uses SQLite and stores everything in a local volume. That's fine on your laptop. In a stateless cloud container it breaks two ways: the SQLite database disappears on redeploy, and — more dangerously — the encryption key regenerates, which makes all your saved credentials undecryptable. The two non-negotiables for production are an external database and a fixed encryption key.
Step 1: External database and the encryption key
n8n supports PostgreSQL as an external store. Set these environment variables:
DB_TYPE=postgresdb
DB_POSTGRESDB_HOST=<host>
DB_POSTGRESDB_PORT=5432
DB_POSTGRESDB_DATABASE=n8n
DB_POSTGRESDB_USER=<user>
DB_POSTGRESDB_PASSWORD=<password>
# THE most important variable — pin it once and never change it
N8N_ENCRYPTION_KEY=<a long random string>Generate the key with openssl rand -hex 32. Store it in your platform's secret manager. If you lose or change it, every stored credential becomes garbage.
Step 2: Core runtime configuration
N8N_HOST=automation.yourdomain.com
N8N_PORT=5678
N8N_PROTOCOL=https
WEBHOOK_URL=https://automation.yourdomain.com/
GENERIC_TIMEZONE=Europe/BerlinWEBHOOK_URL matters: n8n generates webhook URLs from it. If it's wrong, external services can't call your workflows.
Step 3: Deploy the main instance
n8n publishes an official Docker image, so this is a clean container deploy. On PandaStack:
- 1Provision a managed PostgreSQL database.
- 2Create a container app using
docker.n8n.io/n8nio/n8nas the image. - 3Link the database and set the
DB_POSTGRESDB_*variables (or map the injected connection details). - 4Add
N8N_ENCRYPTION_KEYand the runtime config. - 5Expose port 5678 (bind to the platform-injected port).
With automatic SSL and a custom domain, your n8n editor is reachable over HTTPS immediately.
Step 4: Enable queue mode (for scale)
In the default (regular) mode, the single n8n process executes workflows inline. Under heavy webhook load or with long-running workflows, that becomes a bottleneck. Queue mode uses Redis to distribute executions across separate worker processes.
The topology:
| Role | What it does |
|---|---|
| Main instance | Serves the editor UI, receives webhooks, enqueues jobs |
| Worker(s) | Pull jobs from Redis and execute workflows |
| Redis | The job queue (Bull) |
| PostgreSQL | Shared execution + workflow data |
Enable it with:
EXECUTIONS_MODE=queue
QUEUE_BULL_REDIS_HOST=<redis-host>
QUEUE_BULL_REDIS_PORT=6379Then deploy a second container app from the same image with the start command n8n worker. Give it the same database, Redis, and encryption key. Add more worker replicas as load grows — that's the payoff of queue mode.
Step 5: Persisting binary data
Workflows that handle files (PDFs, images) can store binary data. By default it uses the filesystem, which doesn't persist across container restarts. For production, configure S3-compatible storage:
N8N_DEFAULT_BINARY_DATA_MODE=s3
N8N_EXTERNAL_STORAGE_S3_HOST=<s3-endpoint>
N8N_EXTERNAL_STORAGE_S3_BUCKET_NAME=n8n
N8N_EXTERNAL_STORAGE_S3_ACCESS_KEY=<key>
N8N_EXTERNAL_STORAGE_S3_ACCESS_SECRET=<secret>A self-hosted MinIO instance works here.
Security hardening
- Enable user management / SSO so the editor isn't open to the world. n8n supports owner accounts and, in enterprise, SSO.
- Restrict the webhook surface — only expose the paths you need.
- Keep n8n updated; it moves fast and security fixes land regularly.
- Set
N8N_SECURE_COOKIE=truebehind HTTPS.
Honest caveats
n8n is fair-code, not pure open source — there are licensing terms around offering it as a hosted commercial service. For internal/team use, self-hosting is fully supported and free. Read the license before building a SaaS on top of it. Also, queue mode adds operational complexity; only adopt it when single-process mode actually becomes your bottleneck.
Wrapping up
A durable n8n deployment comes down to three things: external PostgreSQL, a pinned N8N_ENCRYPTION_KEY, and — once you outgrow a single process — queue mode backed by Redis. Get those right and n8n becomes a rock-solid automation backbone.
PandaStack gives you managed PostgreSQL and Redis plus first-class Docker image support, so wiring up main + worker + queue is straightforward. The free tier is enough to run a personal n8n instance — start at https://dashboard.pandastack.io.
References
- n8n self-hosting docs: https://docs.n8n.io/hosting/
- n8n environment variables: https://docs.n8n.io/hosting/configuration/environment-variables/
- n8n queue mode (scaling): https://docs.n8n.io/hosting/scaling/queue-mode/
- n8n external storage (S3): https://docs.n8n.io/hosting/scaling/external-secrets/
- n8n Sustainable Use License: https://docs.n8n.io/sustainable-use-license/