add n8n workflow automation and fix cloud backup rsync

- Add n8n container (n8nio/n8n:2.11.3) with Caddy reverse proxy at n8n.debyl.io
- Add --exclude .ssh to cloud backup rsync to prevent overwriting
  authorized_keys on TrueNAS backup targets

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

ansible/roles/podman/defaults/main.yml

@@ -7,6 +7,7 @@ debyltech_path: "{{ podman_volumes }}/debyltech"
 # drone_path: removed - Drone CI decommissioned
 factorio_path: "{{ podman_volumes }}/factorio"
 fulfillr_path: "{{ podman_volumes }}/fulfillr"
+n8n_path: "{{ podman_volumes }}/n8n"
 gregtime_path: "{{ podman_volumes }}/gregtime"
 searxng_path: "{{ podman_volumes }}/searxng"
 hass_path: "{{ podman_volumes }}/hass"
@@ -77,6 +78,7 @@ bookstack_server_name: wiki.skudakrennsport.com
 cloud_server_name: cloud.bdebyl.net
 cloud_skudak_server_name: cloud.skudakrennsport.com
 fulfillr_server_name: fulfillr.debyltech.com
+n8n_server_name: n8n.debyl.io
 home_server_name: home.debyl.io
 uptime_kuma_server_name: uptime.debyltech.com
 uptime_kuma_personal_server_name: uptime.debyl.io
@@ -155,6 +157,7 @@ caddy_log_names:
   - gitea-debyl
   - gitea-skudak
   - fulfillr
+  - n8n
 
 # GeoIP configuration for Graylog
 # Requires free MaxMind account: https://dev.maxmind.com/geoip/geolite2-free-geolocation-data

ansible/roles/podman/tasks/containers/debyltech/n8n.yml

@@ -0,0 +1,54 @@
+---
+- name: create n8n host directory volumes
+  become: true
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    owner: "{{ podman_user }}"
+    group: "{{ podman_user }}"
+    mode: 0755
+  notify: restorecon podman
+  loop:
+    - "{{ n8n_path }}"
+
+- name: set n8n volume ownership for node user
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.command:
+    cmd: podman unshare chown -R 1000:1000 {{ n8n_path }}
+  changed_when: false
+
+- name: flush handlers
+  ansible.builtin.meta: flush_handlers
+
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: n8n
+    container_image: "{{ image }}"
+
+- name: create n8n container
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: n8n
+    image: "{{ image }}"
+    image_strict: true
+    restart_policy: on-failure:3
+    log_driver: journald
+    network: shared
+    volumes:
+      - "{{ n8n_path }}:/home/node/.n8n"
+    ports:
+      - 5678:5678/tcp
+    env:
+      N8N_HOST: "{{ n8n_server_name }}"
+      N8N_PORT: "5678"
+      N8N_PROTOCOL: https
+      WEBHOOK_URL: "https://{{ n8n_server_name }}/"
+      N8N_SECURE_COOKIE: "true"
+      GENERIC_TIMEZONE: America/New_York
+
+- name: create systemd startup job for n8n
+  include_tasks: podman/systemd-generate.yml
+  vars:
+    container_name: n8n

ansible/roles/podman/tasks/main.yml

@@ -76,6 +76,11 @@
     image: git.debyl.io/debyltech/fulfillr:20260124.0411
   tags: debyltech, fulfillr
 
+- import_tasks: containers/debyltech/n8n.yml
+  vars:
+    image: docker.io/n8nio/n8n:2.11.3
+  tags: debyltech, n8n
+
 - import_tasks: containers/debyltech/uptime-kuma.yml
   vars:
     image: docker.io/louislam/uptime-kuma:2.0.2

ansible/roles/podman/templates/caddy/Caddyfile.j2

@@ -332,6 +332,23 @@
 	}
 }
 
+# N8N Workflow Automation - {{ n8n_server_name }}
+{{ n8n_server_name }} {
+{{ ip_restricted_site() }}
+
+	handle @local {
+		import common_headers
+		reverse_proxy localhost:5678 {
+			flush_interval -1
+		}
+	}
+
+	log {
+		output file {{ caddy_log_path }}/n8n.log
+		format {{ caddy_log_format }}
+	}
+}
+
 # Fulfillr - {{ fulfillr_server_name }} (Static + API with IP restrictions)
 {{ fulfillr_server_name }} {
 {{ ip_restricted_site() }}

ansible/roles/podman/templates/nextcloud/cloud-backup.sh.j2

@@ -1,4 +1,4 @@
 #!/bin/bash
 set -euo pipefail
-rsync -az -e "ssh -i {{ ssh_key_path }} -o StrictHostKeyChecking=accept-new" \
+rsync -az --exclude .ssh -e "ssh -i {{ ssh_key_path }} -o StrictHostKeyChecking=accept-new" \
   {{ data_path }}/ {{ ssh_user }}@truenas.localdomain:{{ remote_path }}/