services:
  n8n:
    # NOTE(review): ":latest" is a floating tag, so every pull may bring in a different,
    # unreviewed build. Pin to a reviewed version tag or image digest.
    image: n8nio/n8n:latest
    container_name: n8n
    restart: unless-stopped
    networks:
      - internal
    # Published on the host's loopback address only, so the editor/API port is not offered
    # to the LAN. A cloudflared running natively on the Mac reaches n8n through this
    # loopback port (http://n8n does not resolve from the host); a cloudflared running in
    # Docker can use n8n:5678 on the internal network instead.
    ports:
      - "127.0.0.1:5678:5678"
    # NOTE(review): env_file hands every variable in .env to this container. Compose also
    # reads ${...} substitutions (for example CLOUDFLARE_TUNNEL_TOKEN, used by the
    # cloudflared service) from the project's .env by default; if that is the same file,
    # the tunnel token is present in n8n's environment as well. Consider a separate env
    # file that holds only n8n settings. TODO confirm which file carries the token.
    env_file:
      - .env
    environment:
      # NOTE(review): no N8N_BASIC_AUTH_USER / N8N_BASIC_AUTH_PASSWORD is set here
      # (presumably supplied through .env). n8n 1.0 and later dropped basic auth in favour
      # of built-in user management, so with a floating image tag this flag is likely
      # ignored. Do not rely on it as the access control for a publicly tunnelled
      # instance; confirm against the running version.
      N8N_BASIC_AUTH_ACTIVE: "true"
      N8N_HOST: "${N8N_HOST}"
      N8N_PORT: "5678"
      N8N_PROTOCOL: "${N8N_PROTOCOL}"
      # Falls back to 1 when N8N_PROXY_HOPS is unset or empty.
      N8N_PROXY_HOPS: "${N8N_PROXY_HOPS:-1}"
      # No fallback: an unset N8N_SECURE_COOKIE is substituted as an empty string.
      N8N_SECURE_COOKIE: "${N8N_SECURE_COOKIE}"
      # Lets Code nodes load Node's built-in fs module: anyone able to edit or run
      # workflows can then read and write files visible to the container, including the
      # n8n data directory and /files mounted below. Keep only if workflows need it.
      NODE_FUNCTION_ALLOW_BUILTIN: "fs"
    volumes:
      # Named volume holding n8n's data directory.
      - n8n_data:/home/node/.n8n
      # Host directory, mounted read-write at /files inside the container.
      - ./local-files:/files

  # Public HTTPS through a Cloudflare Tunnel (no ports 80/443 opened on your router).
  # This service publishes no host ports; it joins the internal network and is started
  # only when the "cloudflare" profile is enabled.
  cloudflared:
    # NOTE(review): ":latest" is a floating tag; pin to a reviewed version or digest so
    # the component that terminates the public tunnel does not change silently.
    image: cloudflare/cloudflared:latest
    container_name: n8n-cloudflared
    restart: unless-stopped
    networks:
      - internal
    profiles:
      - cloudflare
    depends_on:
      - n8n
    environment:
      # The token is a credential for the tunnel. It is substituted from
      # CLOUDFLARE_TUNNEL_TOKEN at compose time; keep the file that holds it out of
      # version control and readable only by the deploying user.
      TUNNEL_TOKEN: "${CLOUDFLARE_TUNNEL_TOKEN}"
    # Which hostnames are exposed, and any access policy in front of them, is configured
    # on the Cloudflare side and is not visible in this file.
    command:
      - tunnel
      - run

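  # Local HTTPS only (https://localhost/) — optional; do not run with Cloudflare on same machine unless you know why
  # Started only when the "local" profile is enabled.
  caddy:
    image: caddy:2-alpine
    container_name: n8n-caddy
    restart: unless-stopped
    networks: [internal]
    profiles: [local]
    # Bound to the host's loopback address, matching the n8n service's own port binding.
    # Without a host IP, Compose publishes on all interfaces, which would offer this
    # "local only" proxy (and n8n behind it) to every host on the LAN.
    # NOTE(review): if LAN access is actually intended, bind to a specific interface
    # address instead; the Caddyfile is not visible here, so confirm its site address.
    ports:
      - "127.0.0.1:80:80"
      - "127.0.0.1:443:443"
      # UDP 443 carries HTTP/3 (QUIC).
      - "127.0.0.1:443:443/udp"
    volumes:
      # Proxy configuration, mounted read-only so the container cannot rewrite it.
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy_data:/data
      - caddy_config:/config
    depends_on:
      - n8n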

# Single user-defined network shared by all three services; default settings.
# Containers on it can reach each other by service name (for example n8n:5678).
networks:
  internal: {}

# Named volumes with default settings.
# n8n_data backs the n8n service's /home/node/.n8n; caddy_data and caddy_config back
# the caddy service's /data and /config.
volumes:
  n8n_data: {}
  caddy_data: {}
  caddy_config: {}
