61
I have been wanting to set this up for a while, but didn't know what I was doing, so this tutorial helps a lot and I will give it a go, thanks!
Looks like they introduce the use Traefik with NixOS here:
How does Traefik compare to a reverse proxy like Caddy?
In terms of setup, Caddy is a lot simpler in syntax, but you will find more tutorials for Traefik and it has better integration with Docker. You can add labels to a container and Traefik uses that as config, whereas in Caddy, you need to set up both the container and the config file. If you want to drop a service, then it is easier in Traefik for this reason. But with decent Nix code, you can basically replicate this in Caddy. Once you set them up, they're pretty much the same. I've seen some people saying Traefik is faster, but realistically, I don't think it's meaningful.
Note that its also possible to set up service auto discovery with traefik, the only traefik related config I do on new containers is
Traefik.enabled=true
Shit there is? How do I set up auto discovery?
I can share my traefik setup - note I am doing this on my phone at work, so I might miss something
compose.yaml
labels:
- "traefik.enable=true"
- "traefik.http.routers.traefik.middlewares=authwares@file"
GNU nano 7.2 /config/traefik/dynamic/middlewares.yaml
http:
middlewares:
limit:
buffering:
memRequestBodyBytes: 5000000000
memResponseBodyBytes: 5000000000
maxRequestBodyBytes: 5000000000
maxResponseBodyBytes: 5000000000
authwares:
chain:
middlewares:
- default-headers
- authelia
- limit
default-headers:
headers:
accessControlAllowHeaders: "content-type,authorization"
accessControlAllowMethods:
- GET
- OPTIONS
- PUT
- POST
- DELETE
frameDeny: true
accessControlAllowOriginList: "*"
accessControlMaxAge: 100
addVaryHeader: true
browserXssFilter: true
contentTypeNosniff: true
forceSTSHeader: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 15552000
customFrameOptionsValue: SAMEORIGIN
referrerPolicy: "strict-origin-when-cross-origin"
customRequestHeaders:
X-Forwarded-Proto: https
customResponseHeaders:
X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
server: ""
X-Forwarded-Proto: "https,wss"
hostsProxyHeaders:
- "X-Forwarded-Host"
authelia:
forwardAuth:
address: http://auth/api/verify?rd=https%3A%2F%2Fauth.example.com%2F
trustForwardHeader: true
authResponseHeaders:
- "Remote-User"
- "Remote-Groups"
- "Remote-Email"
- "Remote-Name"
GNU nano 7.2 /config/traefik/traefik.yaml
global:
checkNewVersion: false
sendAnonymousUsage: false
entryPoints:
web:
address: :80
proxyProtocol:
insecure: false
trustedIPs:
- 172.32.0.0/16
- 192.168.1.0/24
forwardedHeaders:
insecure: false
trustedIPs:
- 172.32.0.0/16
- 192.168.1.0/24
http:
redirections:
entryPoint:
to: websecure
scheme: https
permanent: true
websecure:
address: :443
proxyProtocol:
insecure: false
trustedIPs:
- 172.32.0.0/16
- 192.168.1.0/24
forwardedHeaders:
insecure: false
trustedIPs:
- 172.32.0.0/16
- 192.168.1.0/24
http:
tls:
options: modern@file
certResolver: letsencrypt
domains:
- main: "example.com"
sans:
- "*.example.com"
providers:
docker:
exposedByDefault: false
network: compose_proxied
allowEmptyServices: true
endpoint: "http://socket:2375/"
defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\"}}.example.com`)"
file:
directory: /config/dynamic
watch: true
api:
insecure: false
dashboard: true
certificatesResolvers:
letsencrypt:
acme:
email: [email protected]
storage: /certificates/acme.json
dnsChallenge:
provider: cloudflare
resolvers:
- "1.1.1.1:53"
- "1.0.0.1:53"
log:
level: DEBUG
filePath: /config/logs/traefik.log
format: json
accesslog:
filepath: /config/logs/access.log
bufferingSize: 100
format: json
this post was submitted on 10 Jul 2025
61 points (94.2% liked)
Selfhosted
49359 readers
514 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (donโt cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS