ADR-001: Two Independent Traefik Instances
Status: Accepted
Date: 2026-05-12
Phase: 4
Context
The homelab needs reverse proxy and TLS termination for services. Saltbox
(on saltierpoop) already runs its own Traefik instance that is deeply
integrated into its Docker Compose stack — it manages all *.realemail.app
services including Plex, Authentik, the *arr stack, and ~30 others.
Phase 4 introduces new non-Saltbox services on a separate VM
(infra-services at 192.168.6.17): Komodo, ARA, Homepage, and future
additions.
Decision Drivers
- Saltbox explicitly manages its own Traefik; relocating or replacing it would break the Saltbox deployment model
- A single reverse proxy would create a cross-VM dependency and a single point of failure spanning two hosts
- Caddy was considered as an alternative for the new VM but adds unnecessary technology diversity without clear benefit
Options Considered
- Move Traefik from saltierpoop to infra-services — rejected because Saltbox depends on Traefik being co-located with its containers
- Caddy on infra-services, proxy to Saltbox Traefik — rejected because chaining two reverse proxies adds latency and complexity for no gain
- Two independent Traefik instances — accepted
Decision
Run two completely independent Traefik instances:
| Instance | Host | Manages | Subdomain pattern |
|---|---|---|---|
| Saltbox Traefik | saltierpoop (192.168.6.243) | All Saltbox services | *.realemail.app |
| Infra Traefik | infra-services (192.168.6.17) | Komodo, ARA, Homepage, future infra services | *.infra.realemail.app |
DNS routes traffic to the correct host by IP. No chaining, no shared state, no cross-VM dependency.
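Because DNS alone decides which proxy a request reaches, a record in the wrong namespace lands on an instance with no route or certificate for that name. The following added example (not part of the original ADR or the lab's tooling) audits a set of A records against the table above; the function names and sample hostnames are constructed, and it assumes a name must have at least one label in front of a pattern's suffix to belong to it, so the bare `infra.realemail.app` counts as a `*.realemail.app` name.

```python
# Added example: audit DNS A records against the ADR's two-proxy convention.
# IPs and patterns come from the decision table; the record set is constructed.
PROXIES = {
    "infra.realemail.app": ("Infra Traefik", "192.168.6.17"),
    "realemail.app": ("Saltbox Traefik", "192.168.6.243"),
}


def owner(hostname):
    """Return (instance, ip) for the proxy that should serve hostname, or None.

    A name belongs to a zone only if it has at least one label in front of
    the zone (the "*." in the pattern), matched on a label boundary. The
    longest matching zone wins, so *.infra.realemail.app beats *.realemail.app.
    """
    name = hostname.strip().rstrip(".").lower()
    for zone in sorted(PROXIES, key=len, reverse=True):
        if name.endswith("." + zone):
            return PROXIES[zone]
    return None


def audit(records):
    """Compare {hostname: A-record IP} with the convention; return findings."""
    findings = []
    for host, ip in sorted(records.items()):
        expected = owner(host)
        if expected is None:
            findings.append((host, ip, "outside both proxy namespaces"))
        elif ip != expected[1]:
            findings.append((host, ip, f"should point at {expected[0]} ({expected[1]})"))
    return findings


# Constructed sample records (hostnames are illustrative, not from the lab's DNS).
SAMPLE = {
    "plex.realemail.app": "192.168.6.243",
    "komodo.infra.realemail.app": "192.168.6.17",
    "ara.infra.realemail.app": "192.168.6.243",   # wrong: infra name on Saltbox IP
    "homepage.realemail.app": "192.168.6.17",     # wrong: missing the infra label
    "infra.realemail.app.": "192.168.6.243",      # bare "infra" is a *.realemail.app name
}

if __name__ == "__main__":
    for host, ip, problem in audit(SAMPLE):
        print(f"{host} -> {ip}: {problem}")
```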
Consequences
- Each VM is self-contained for its own TLS termination
- Two sets of Let's Encrypt certificates to manage (both via Cloudflare DNS-01)
- Subdomain convention (*.infra.realemail.app) makes it obvious which proxy handles a given service
- If a third host joins the lab, the same pattern extends naturally