n8n has become the go-to open-source automation tool for businesses that refuse to compromise on flexibility and ownership. When you choose an n8n self-hosted VPS deployment, you guarantee full data sovereignty, total cost control, and the freedom to integrate any service without vendor lock-in. Unlike cloud-hosted alternatives that charge per workflow execution, a self-hosted n8n instance on your own VPS means predictable monthly costs regardless of how many automations you run. This guide walks you through a complete, step-by-step 2026 installation of n8n on a VPS running Debian 12, with Traefik SSL, PostgreSQL, and automatic backups. Whether you are a solo developer, a growing startup, or a mid-sized company looking for self-hosted automation, this tutorial covers every detail you need to go from a bare server to a fully production-ready n8n instance.
Prerequisites
Before starting the installation, make sure you have all the following components ready. Skipping any of these prerequisites is the number one cause of failed deployments, so take a few minutes to verify each item on this list before proceeding.
- A VPS with a minimum of 2 vCPU and 4 GB RAM (recommended: 4 vCPU / 8 GB RAM). Providers like OVHcloud, Hetzner, or DigitalOcean all offer suitable plans starting around 10-20 EUR/month. For production workloads handling more than 50 workflows, consider 4 vCPU and 8 GB RAM to ensure smooth execution of parallel automations.
- Freshly installed Debian 12 (Bookworm). Debian remains the gold standard for server stability and long-term security support, making it the ideal foundation for any n8n self-hosted VPS deployment.
- A domain name pointing to the VPS IP (e.g., automator.your-domain.be). You will need an A record in your DNS configuration pointing to the public IP address of your VPS. DNS propagation can take up to 24 hours, so configure this well in advance.
- Root SSH access to the server. Ideally, you should already have your SSH key pair set up and tested. We will disable password authentication in the security phase.
- Basic knowledge of Linux administration. You should be comfortable navigating directories, editing files with nano or vim, and understanding file permissions.
Phase 1: Server Preparation
The first phase of your n8n self-hosted VPS setup focuses on hardening and preparing the operating system. A well-secured server is the foundation on which everything else depends. Start by updating all packages to their latest versions and installing the essential tools you will need throughout this guide:
apt update && apt upgrade -y
apt install -y curl wget gnupg2 software-properties-common ufw fail2ban
Configure the firewall using UFW (Uncomplicated Firewall). This ensures that only the ports required for SSH access and web traffic are open, reducing your attack surface significantly:
ufw allow 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
Configure fail2ban to protect SSH against brute force attacks. Create the file /etc/fail2ban/jail.local with parameters adapted to your usage. A good starting point is to set maxretry = 3 and bantime = 3600, which bans any IP that fails three login attempts for one hour. This single configuration step blocks the vast majority of automated SSH attacks that target VPS instances within minutes of being provisioned.
Phase 2: Node.js Installation
n8n is built on Node.js, and selecting the correct version is critical for stability and performance. As of 2026, n8n requires Node.js 18 or higher, and the recommended version for production is Node.js 20 LTS. Install it via the official NodeSource repository to ensure you receive proper security updates:
curl -fsSL https://deb.nodesource.com/setup_20.x | bash -
apt install -y nodejs
node --version # Should display v20.x
After installation, verify that both node and npm are properly available in your PATH. You can also optionally install pm2 as an alternative process manager, though in this guide we will use systemd for maximum reliability and native integration with the operating system.
Phase 3: PostgreSQL Configuration
By default, n8n uses SQLite, which works fine for testing and light workloads. However, for any serious self-hosted automation deployment, PostgreSQL is the strongly recommended database backend. PostgreSQL handles concurrent workflow executions far more reliably, supports proper transaction isolation, and provides the robust data integrity guarantees that production workloads demand. Install and configure it as follows:
apt install -y postgresql postgresql-contrib
sudo -u postgres createuser n8n
sudo -u postgres createdb n8n_db -O n8n
sudo -u postgres psql -c "ALTER USER n8n WITH PASSWORD 'your_secure_password';"
Make sure to replace your_secure_password with a strong, randomly generated password of at least 24 characters. Store this password securely in a password manager, as you will need it in the next phase for the n8n environment configuration. You should also verify that PostgreSQL is running and accepting connections by running systemctl status postgresql before moving on.
Phase 4: n8n Installation and Configuration
With Node.js and PostgreSQL in place, you are now ready to install n8n itself. Installation is straightforward when using npm for a global install on your VPS:
npm install -g n8n
Create the environment configuration file /etc/n8n.env. This file contains every critical setting that controls how your n8n self-hosted VPS instance behaves, from database connectivity to webhook URLs and authentication:
N8N_HOST=automator.your-domain.be
N8N_PORT=5678
N8N_PROTOCOL=https
WEBHOOK_URL=https://automator.your-domain.be/
N8N_ENCRYPTION_KEY=your_unique_encryption_key
DB_TYPE=postgresdb
DB_POSTGRESDB_HOST=localhost
DB_POSTGRESDB_PORT=5432
DB_POSTGRESDB_DATABASE=n8n_db
DB_POSTGRESDB_USER=n8n
DB_POSTGRESDB_PASSWORD=your_secure_password
N8N_BASIC_AUTH_ACTIVE=true
N8N_BASIC_AUTH_USER=admin
N8N_BASIC_AUTH_PASSWORD=your_admin_password
EXECUTIONS_DATA_PRUNE=true
EXECUTIONS_DATA_MAX_AGE=168
Pay special attention to the N8N_ENCRYPTION_KEY value. This key encrypts all stored credentials within n8n. Generate it using openssl rand -hex 32 and store it safely. If you ever lose this key, all credentials saved in your workflows will become unrecoverable. The EXECUTIONS_DATA_MAX_AGE setting of 168 hours (7 days) keeps your database lean while retaining enough history for debugging purposes.
Phase 5: Traefik SSL Configuration
Traefik v3 acts as a reverse proxy with automatic Let’s Encrypt SSL certificates, eliminating the need for manual certificate management. This is one of the most valuable components in the entire n8n self-hosted VPS stack, as it ensures your webhooks and admin panel are always served over a valid HTTPS connection without any manual renewal effort:
wget https://github.com/traefik/traefik/releases/download/v3.0.0/traefik_v3.0.0_linux_amd64.tar.gz
tar xzf traefik_v3.0.0_linux_amd64.tar.gz
mv traefik /usr/local/bin/
Create the Traefik configuration in /etc/traefik/traefik.yml with HTTP (80) and HTTPS (443) entrypoints, the Let’s Encrypt resolver with your email, and routing to n8n on port 5678. Make sure to include an HTTP-to-HTTPS redirect so that all traffic is automatically encrypted.
Create the dynamic configuration in /etc/traefik/dynamic.yml with the router for your domain and the service pointing to http://localhost:5678. It is also highly recommended to add security headers in the Traefik middleware configuration, including X-Content-Type-Options: nosniff, X-Frame-Options: DENY, and a strict Content-Security-Policy to protect your n8n admin panel against common web attacks.
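The two files described above, rendered by a small script so the result can be reviewed before it is copied into /etc/traefik. This is an added example, not configuration from the original guide; the resolver name le, the middleware name n8n-headers, the contact address, and the minimal Content-Security-Policy value are assumptions.

```bash
#!/bin/bash
# Added example. Assumed names: resolver "le", middleware "n8n-headers", the e-mail.
set -eu
render_traefik() {   # usage: render_traefik OUT_DIR DOMAIN ACME_EMAIL
  out=$1; domain=$2; email=$3
  mkdir -p "$out"
  touch "$out/acme.json" && chmod 600 "$out/acme.json"   # Traefik requires mode 600
  cat > "$out/traefik.yml" <<EOF
entryPoints:
  web:
    address: ":80"
    http:
      redirections:            # HTTP-to-HTTPS redirect for all traffic
        entryPoint: {to: websecure, scheme: https}
  websecure:
    address: ":443"
certificatesResolvers:
  le:
    acme:
      email: "$email"
      storage: /etc/traefik/acme.json
      httpChallenge: {entryPoint: web}
providers:
  file: {filename: /etc/traefik/dynamic.yml}
EOF
  cat > "$out/dynamic.yml" <<EOF
http:
  routers:
    n8n:
      rule: "Host(\`$domain\`)"
      entryPoints: [websecure]
      service: n8n
      middlewares: [n8n-headers]
      tls: {certResolver: le}
  middlewares:
    n8n-headers:
      headers:
        contentTypeNosniff: true     # X-Content-Type-Options: nosniff
        frameDeny: true              # X-Frame-Options: DENY
        contentSecurityPolicy: "frame-ancestors 'none'"   # assumed minimal CSP
  services:
    n8n:
      loadBalancer:
        servers: [{url: "http://localhost:5678"}]
EOF
}
render_traefik "${OUT_DIR:-${TMPDIR:-/tmp}/traefik-rendered}" automator.your-domain.be admin@your-domain.be
```

Tighten the Content-Security-Policy only after confirming that the n8n editor still loads with it.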
Phase 6: systemd Services
Using systemd to manage your n8n process is the standard approach for any production n8n self-hosted VPS deployment. It ensures automatic restarts on failure, proper startup ordering after PostgreSQL, and clean logging integration with the system journal. Create the systemd service for n8n in /etc/systemd/system/n8n.service:
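[Unit]
Description=n8n Workflow Automation
# Order n8n after networking and PostgreSQL at boot
After=network.target postgresql.service
[Service]
Type=simple
# Dedicated unprivileged account; it must exist, with a writable home
# directory for n8n's ~/.n8n data, before the service is started
User=n8n
# Holds the database password and encryption key; keep it root-only (mode 600)
EnvironmentFile=/etc/n8n.env
ExecStart=/usr/bin/n8n start
# Restart automatically five seconds after any exit
Restart=always
RestartSec=5
[Install]
WantedBy=multi-user.target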
Also create a systemd service for Traefik following the same pattern. Note the Restart=always and RestartSec=5 directives, which ensure that if n8n crashes for any reason, systemd will automatically bring it back within five seconds. This level of resilience is essential for production self-hosted automation workflows that handle webhooks and scheduled triggers around the clock. Then enable and start both services:
systemctl daemon-reload
systemctl enable n8n traefik
systemctl start traefik
systemctl start n8n
Phase 7: Verification
With all components installed and services running, it is time to thoroughly verify your deployment. Do not skip any of these checks, as catching a misconfiguration now will save you hours of debugging later when workflows fail silently in production:
- Verify that n8n is running: systemctl status n8n. Look for “active (running)” in the output.
- Verify that Traefik is running: systemctl status traefik. Same check for “active (running)”.
- Access https://automator.your-domain.be in your browser. The page should load without any certificate warnings.
- Verify the SSL certificate (green padlock). Click on the padlock icon to confirm the certificate was issued by Let’s Encrypt and is valid.
- Log in with your credentials and confirm that the n8n editor loads correctly.
- Create a simple test workflow (Cron > HTTP Request) to verify that both scheduling and outbound network access work as expected. Trigger the workflow manually first, then let the cron fire once to confirm that scheduled execution is also functional.
Phase 8: Advanced Security
Security is not optional for any internet-facing service. A self-hosted automation platform like n8n handles sensitive API credentials, customer data, and integration tokens, making it a high-value target. Take the following measures to harden your n8n self-hosted VPS deployment well beyond the default configuration:
- Disable root SSH access: create a dedicated user with adduser deploy, add it to the sudo group, and set PermitRootLogin no in /etc/ssh/sshd_config. Restart the SSH service and test the new user login before closing your current root session.
- SSH keys only: disable password authentication by setting PasswordAuthentication no in the SSH configuration. This eliminates the possibility of brute-force password attacks entirely.
- Rate limiting: configure rate limiting middleware in Traefik to protect webhooks from abuse. A good starting point is 100 requests per second per IP, which blunts request floods from a single source while allowing legitimate webhook traffic.
- Automatic updates: enable unattended-upgrades for security patches to ensure your Debian system stays patched against known vulnerabilities without manual intervention.
- Monitoring: install Uptime Kuma or a similar tool to monitor availability and receive instant alerts when your n8n instance goes down. Configure alerts via email, Slack, or Telegram for maximum responsiveness.
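A check for the two SSH settings above, as an added example that is not part of the original guide. sshd uses the first value it reads for each keyword, and Debian 12's sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in file can override an edit made in the main file; the function names and the sample input are constructed for illustration.

```bash
#!/bin/bash
# Added example: confirm that root login and password logins are really off.

# Print the first global value of KEY found in sshd_config-style text on stdin.
first_value() {
  awk -v key="$1" '
    /^[ \t]*#/ || NF == 0 { next }           # skip comments and blank lines
    tolower($1) == "match" { exit }          # Match blocks apply conditionally
    tolower($1) == tolower(key) { print tolower($2); exit }
  '
}

# Return 0 only if both settings are effectively "no".
audit_sshd() {   # usage: audit_sshd FILE  (FILE may hold `sshd -T` output)
  rc=0
  for key in PermitRootLogin PasswordAuthentication; do
    val=$(first_value "$key" < "$1")
    # A missing keyword falls back to the built-in default, which is not "no".
    if [ "$val" != "no" ]; then
      echo "FAIL: $key is '${val:-unset}', expected 'no'"
      rc=1
    fi
  done
  return $rc
}

# Constructed sample: a value read first (as from a drop-in), then a later edit.
sample=$(mktemp)
printf '%s\n' 'PasswordAuthentication yes' 'PermitRootLogin no' \
  'PasswordAuthentication no' > "$sample"
audit_sshd "$sample" || echo "hardening is not effective for the sample"
```

On the server, run sshd -T as root, save its output to a file, and pass that file to audit_sshd; that output is the effective configuration with all drop-ins applied.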
Phase 9: Automatic Backup
No production deployment is complete without a solid backup strategy. Your n8n self-hosted VPS contains workflow definitions, execution history, and encrypted credentials that would be extremely time-consuming to recreate from scratch. Create a backup script in /opt/backup-n8n.sh that dumps the PostgreSQL database and compresses it for efficient storage:
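#!/bin/bash
# Abort on any error, including a failure inside a pipeline, so a failed
# pg_dump is never reported as a completed backup
set -euo pipefail
# Dumps contain execution data and encrypted credentials: owner-only access
umask 077
BACKUP_DIR="/opt/backups/n8n"
DATE=$(date +%Y%m%d_%H%M%S)
mkdir -p "$BACKUP_DIR"
# PostgreSQL Backup (run as the postgres OS user: Debian's default peer
# authentication rejects "-U n8n" when the script runs as root from cron)
sudo -u postgres pg_dump n8n_db | gzip > "$BACKUP_DIR/n8n_db_$DATE.sql.gz"
# Rotation: keep the last 30 backups
ls -t "$BACKUP_DIR"/n8n_db_*.sql.gz | tail -n +31 | xargs -r rm -f
echo "Backup completed: $DATE"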
Schedule daily execution via cron so that backups happen automatically every night during low-traffic hours:
chmod +x /opt/backup-n8n.sh
crontab -e
# Add: 0 2 * * * /opt/backup-n8n.sh >> /var/log/n8n-backup.log 2>&1
For an additional layer of protection, consider copying your backups off-server using rsync or rclone to an external storage provider. This way, even if your entire VPS is compromised or the hosting provider experiences a catastrophic failure, your workflow data remains safe and recoverable.
Final Result
You now have a fully production-ready n8n self-hosted VPS instance with everything you need to run enterprise-grade self-hosted automation:
- Automatic SSL via Let’s Encrypt, renewed transparently by Traefik
- Robust PostgreSQL database optimized for concurrent workflow execution
- systemd services with automatic restart and proper dependency ordering
- Comprehensive SSH and firewall security with fail2ban protection
- Automatic daily backups with 30-day rotation and optional off-server replication
This is exactly the setup we use at Agile Minds on automator.agile-minds.be to orchestrate our automation workflows and AI agents. The combination of Debian 12, Traefik v3, PostgreSQL, and n8n has proven extremely reliable in production, handling hundreds of workflow executions daily with minimal maintenance overhead. If you are evaluating self-hosted automation platforms in 2026, this n8n installation guide gives you everything you need to get up and running on your own infrastructure with confidence.
Patrick Impens · CEO Agile Minds SRL · agile-minds.be