Vaier wires together WireGuard, Traefik, Google or GitHub sign-in (via oauth2-proxy), and AWS Route53 into a single web UI. Add a Docker container on any VPN peer, pick a subdomain — Vaier handles DNS, reverse proxy, and HTTPS automatically.
You spin up a container on a homelab box. Now you need a WireGuard peer, a Route53 CNAME, a Traefik dynamic-config entry, a Let's Encrypt cert, a forward-auth rule, and a bookmark somewhere you'll actually find later. Every new service repeats the whole dance. Every drift is silent.
Vaier discovers containers on every connected peer, lets you pick a subdomain, creates the DNS record, generates the Traefik route, provisions the cert, optionally gates it behind Google or GitHub sign-in, and rolls back the entire flow if anything fails. Your homelab now feels like a PaaS.
Create, delete, and monitor WireGuard peers. Download QR codes, .conf files, docker-compose, or setup scripts — whichever fits the peer type.
Open a real SSH shell to any machine — peers, LAN servers, or the Vaier host — right from its card. Tabs survive navigation, tile into a split grid, and reconnect on their own. Credentials stay server-side; the browser never sees the secret.
Any container on any peer becomes a public HTTPS subdomain in one click — with automatic rollback if DNS or TLS fails.
A dashboard linking every published service — automatically switching to direct LAN URLs when you're on the same network.
Traefik dynamic config is generated for you, with a per-service auth mode — public or social sign-in — and a branded offline page when a backend is down.
Full CRUD for AWS Route53 zones and records — or skip AWS entirely and run in manual DNS mode if your domain lives elsewhere.
Every Google or GitHub identity is an access entry with a role — pending, user, or admin — and free-form per-service groups. Approve newcomers and gate services from the UI, no YAML.
SMTP-powered password resets, plus admin alerts when any server-type peer or LAN machine goes up or down.
The oauth2-proxy sign-in and the Dex broker screens share Vaier's dark theme — the Google/GitHub hand-off feels like one app, not three.
Every published service resolves via DNS to the single Vaier server, terminates TLS at Traefik, optionally passes social-login authorization (Google or GitHub via oauth2-proxy, then Vaier's own access check), and is proxied over WireGuard to the container running on a peer. The peers never need a public IP.
An EC2 t3.small or equivalent. Open TCP 22, 80, 443 and UDP 51820. Bring a domain you control and (optionally) AWS Route53 credentials for full DNS automation.
# run as your regular user, not root curl -fsSL https://get.docker.com | sh sudo usermod -aG docker $USER # then log out and back in
mkdir -p vaier && cd vaier curl -fsSL https://raw.githubusercontent.com/getvaier/vaier/main/docker-compose.yml \ -o docker-compose.yml
Register a Google (and optionally GitHub) OAuth client with the callback URL https://dex.yourdomain.com/callback, then drop the ids into .env. Set VAIER_ADMIN_EMAIL to the account that becomes the first admin. Add VAIER_AWS_KEY / VAIER_AWS_SECRET for Route53 automation, or leave them out and maintain DNS yourself.
cat > .env <<EOF VAIER_DOMAIN=yourdomain.com ACME_EMAIL=you@yourdomain.com VAIER_ADMIN_EMAIL=you@gmail.com VAIER_OIDC_GOOGLE_CLIENT_ID=...apps.googleusercontent.com VAIER_OIDC_GOOGLE_CLIENT_SECRET=... # optional: Route53 DNS automation VAIER_AWS_KEY=AKIA... VAIER_AWS_SECRET=... EOF chmod 600 .env
Point three records at the server: vaier, oauth2, and dex under yourdomain.com. With Route53 credentials Vaier creates them for you; otherwise add the CNAMEs yourself before first boot.
Bring everything up, open https://vaier.yourdomain.com, and sign in with the Google account you set as VAIER_ADMIN_EMAIL — Vaier seeds it as the first admin, so you land straight in the console. Anyone else who signs in lands as a pending request until you approve them on the Users page.
docker compose up -d # then open https://vaier.yourdomain.com and sign in with Google
You're done patching together Caddy/Traefik configs by hand every time you stand up Plex, a Git server, or yet another self-hosted toy. Vaier is the layer that makes a single Linux box behave like a tiny private cloud.
Approve teammates by their Google or GitHub identity, gate sensitive services by access group, and let everyone find the apps via the launchpad. No spreadsheets of URLs. No passwords to hand out — no "what's the password for X" pings.