Vaier
GitHub

Self-hosted infrastructure
for homelab developers.

Vaier wires together WireGuard, Traefik, Google or GitHub sign-in (via oauth2-proxy), and AWS Route53 into a single web UI. Add a Docker container on any VPN peer, pick a subdomain — Vaier handles DNS, reverse proxy, and HTTPS automatically.

Get started View on GitHub
Apache 2.0 Java 21 · Spring Boot Single Docker Compose No database
// the problem

Tired of maintaining a VPN, a reverse proxy, and a wall of DNS records?

// without vaier

Six tools, six config files, six places to mess up

You spin up a container on a homelab box. Now you need a WireGuard peer, a Route53 CNAME, a Traefik dynamic-config entry, a Let's Encrypt cert, a forward-auth rule, and a bookmark somewhere you'll actually find later. Every new service repeats the whole dance. Every drift is silent.

// with vaier

One UI. One click. One subdomain.

Vaier discovers containers on every connected peer, lets you pick a subdomain, creates the DNS record, generates the Traefik route, provisions the cert, optionally gates it behind Google or GitHub sign-in, and rolls back the entire flow if anything fails. Your homelab now feels like a PaaS.

// features

Everything your homelab needs, in one binary.

VPN peer management

Create, delete, and monitor WireGuard peers. Download QR codes, .conf files, docker-compose, or setup scripts — whichever fits the peer type.

Web terminal

Open a real SSH shell to any machine — peers, LAN servers, or the Vaier host — right from its card. Tabs survive navigation, tile into a split grid, and reconnect on their own. Credentials stay server-side; the browser never sees the secret.

One-click service publishing

Any container on any peer becomes a public HTTPS subdomain in one click — with automatic rollback if DNS or TLS fails.

Smart launchpad

A dashboard linking every published service — automatically switching to direct LAN URLs when you're on the same network.

Reverse proxy on autopilot

Traefik dynamic config is generated for you, with a per-service auth mode — public or social sign-in — and a branded offline page when a backend is down.

DNS management

Full CRUD for AWS Route53 zones and records — or skip AWS entirely and run in manual DNS mode if your domain lives elsewhere.

Access management

Every Google or GitHub identity is an access entry with a role — pending, user, or admin — and free-form per-service groups. Approve newcomers and gate services from the UI, no YAML.

Email notifications

SMTP-powered password resets, plus admin alerts when any server-type peer or LAN machine goes up or down.

Consistent branding

The oauth2-proxy sign-in and the Dex broker screens share Vaier's dark theme — the Google/GitHub hand-off feels like one app, not three.

// how it fits together

One server. WireGuard out to your peers. HTTPS in from the world.

User browser on the internet AWS Route53 resolves *.yourdomain.com Vaier server Traefik · oauth2-proxy · WireGuard Peer 1 docker container :8080 Peer 2 docker container :3000 Peer 3 phone · laptop · NAS DNS HTTPS WireGuard tunnel

Every published service resolves via DNS to the single Vaier server, terminates TLS at Traefik, optionally passes social-login authorization (Google or GitHub via oauth2-proxy, then Vaier's own access check), and is proxied over WireGuard to the container running on a peer. The peers never need a public IP.

// quick start

From bare server to first HTTPS service in five steps.

01

Bring a Linux server with a public IP

An EC2 t3.small or equivalent. Open TCP 22, 80, 443 and UDP 51820. Bring a domain you control and (optionally) AWS Route53 credentials for full DNS automation.

02

Install Docker

# run as your regular user, not root
curl -fsSL https://get.docker.com | sh
sudo usermod -aG docker $USER   # then log out and back in
03

Grab the compose file

mkdir -p vaier && cd vaier
curl -fsSL https://raw.githubusercontent.com/getvaier/vaier/main/docker-compose.yml \
     -o docker-compose.yml
04

Configure sign-in, DNS, and secrets

Register a Google (and optionally GitHub) OAuth client with the callback URL https://dex.yourdomain.com/callback, then drop the ids into .env. Set VAIER_ADMIN_EMAIL to the account that becomes the first admin. Add VAIER_AWS_KEY / VAIER_AWS_SECRET for Route53 automation, or leave them out and maintain DNS yourself.

cat > .env <<EOF
VAIER_DOMAIN=yourdomain.com
ACME_EMAIL=you@yourdomain.com
VAIER_ADMIN_EMAIL=you@gmail.com
VAIER_OIDC_GOOGLE_CLIENT_ID=...apps.googleusercontent.com
VAIER_OIDC_GOOGLE_CLIENT_SECRET=...
# optional: Route53 DNS automation
VAIER_AWS_KEY=AKIA...
VAIER_AWS_SECRET=...
EOF
chmod 600 .env

Point three records at the server: vaier, oauth2, and dex under yourdomain.com. With Route53 credentials Vaier creates them for you; otherwise add the CNAMEs yourself before first boot.

05

Start the stack and sign in

Bring everything up, open https://vaier.yourdomain.com, and sign in with the Google account you set as VAIER_ADMIN_EMAIL — Vaier seeds it as the first admin, so you land straight in the console. Anyone else who signs in lands as a pending request until you approve them on the Users page.

docker compose up -d
# then open https://vaier.yourdomain.com and sign in with Google
// who it's for

Built for the self-hosted community.

// the homelabber

One person. One server. A growing pile of containers.

You're done patching together Caddy/Traefik configs by hand every time you stand up Plex, a Git server, or yet another self-hosted toy. Vaier is the layer that makes a single Linux box behave like a tiny private cloud.

// the small team

A handful of users, real auth, real DNS.

Approve teammates by their Google or GitHub identity, gate sensitive services by access group, and let everyone find the apps via the launchpad. No spreadsheets of URLs. No passwords to hand out — no "what's the password for X" pings.