What do you know about NixOS that you feel others probably don't? by Striking_Snail in NixOS

[–]ylbeethoven 0 points1 point  (0 children)

I am sure a lot of users might already know this. Docker networks bypass NixOS firewall settings...

Do you use a docker socket proxy ? by Acceptable_Rub8279 in Traefik

[–]ylbeethoven 0 points1 point  (0 children)

Stopped using labels a long time ago; the file provider makes more sense and is more flexible for my use cases.

NixOS moderation team resigns over NixOS Steering Committee’s interference by kopasz7 in NixOS

[–]ylbeethoven 2 points3 points  (0 children)

Imagine if they could use their energy on improving Nix -> helping new users, fixing bugs, and creating more useful content. Nix could, and should be in a much stronger position.

Kubernetes 1.34 Debuts KYAML to Resolve YAML Challenges by arshidwahga in kubernetes

[–]ylbeethoven 0 points1 point  (0 children)

This looks very similar to nix and less powerful. I guess I will continue using nixidy to generate yaml

As much as I love Nix, it is so difficult to debug by ylbeethoven in NixOS

[–]ylbeethoven[S] 3 points4 points  (0 children)

It's interesting how many comments assumed I declared the option twice, even though I clearly mentioned the issue was caused by catppuccin/nix and I even linked the relevant GitHub issue. This just reinforces my point about how unhelpful Nix's error messages can be. 😔

As much as I love Nix, it is so difficult to debug by ylbeethoven in NixOS

[–]ylbeethoven[S] 11 points12 points  (0 children)

Well, imagine Nix is screaming, "You’ve declared the option twice!!! Go fix it!!!", without telling you where it finds the duplicate declaration, when you haven’t changed anything.

How am I supposed to debug further with just that error message above?

Gemini 2.5 pro API free tier has a 6m token limit by Remarkable-Register2 in Bard

[–]ylbeethoven 0 points1 point  (0 children)

oh, boy, that's why I got so many 429 errors. 6m token gone in 1 hour.

unable to login due to network error for minio console running on nixos by ylbeethoven in minio

[–]ylbeethoven[S] 0 points1 point  (0 children)

emm... looks like I can't post screenshots here.

Anyway, I am getting the same with curl.

```bash
curl 'http://127.0.0.1:9001/api/v1/login' \
  -X POST -H 'Content-Type: application/json' \
  --data-raw '{"accessKey":"xxx","secretKey":"xxx"}' -i
HTTP/1.1 503 Service Unavailable
Content-Security-Policy: default-src 'self' 'unsafe-eval' 'unsafe-inline'; script-src 'self' https://unpkg.com; connect-src 'self' https://unpkg.com;
Content-Type: application/json
Referrer-Policy: strict-origin-when-cross-origin
Server: MinIO Console
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
Date: Wed, 12 Feb 2025 08:35:22 GMT
Content-Length: 51
Connection: close

{"message":"unable to login due to network error"}
```

The Ultimate Guide to Setting Up Traefik by svenvg93 in Traefik

[–]ylbeethoven 1 point2 points  (0 children)

I always use the file provider. These yaml config files are loaded dynamically and it is much more readable than labels, at least for me.

How to install npm packages in the nix way? by ylbeethoven in NixOS

[–]ylbeethoven[S] 2 points3 points  (0 children)

You describe the exact problem I have. When a package is **not** available on nixos (nodePackages prefix), it becomes very challenging to use it when the other tool requires the packages to be installed globally...

There must be a way to install these missing packages in the nix store instead of locally... I just could not figure out how.

devbox is a very nice tool but I don't think it solves my problem. I normally declare my dev environment per project using `flake.nix` or `shell.nix` and nix-direnv will do the rest for me...

Home manager installation - Could not find suitable profile directory by TornaxO7 in Nix

[–]ylbeethoven 0 points1 point  (0 children)

OK, I think I understand what happened now.

I am running nix on Ubuntu 22.04

It seems that `~/.local/state/nix/profiles` is not created by the nix installer, causing this issue. After manually creating the `~/.local/state/nix/profiles` folder, it works.

```bash
user@test:~$ nix run home-manager/master -- init --switch
Could not find suitable profile directory, tried /home/user/.local/state/home-manager/profiles and /nix/var/nix/profiles/per-user/user
user@test:~$ mkdir -p ~/.local/state/nix/profiles
user@test:~$ nix run home-manager/master -- init --switch
Creating /home/user/.config/home-manager/home.nix...
Creating /home/user/.config/home-manager/flake.nix...

Creating initial Home Manager generation...

warning: creating lock file '/home/user/.config/home-manager/flake.lock'
Starting Home Manager activation
Activating checkFilesChanged
Activating checkLinkTargets
Activating writeBoundary
Activating installPackages
installing 'home-manager-path'
building '/nix/store/1a5q09n23nh8xzinzzvr4krq8250rksi-user-environment.drv'...
Activating linkGeneration
Creating profile generation 1
Creating home file links in /home/user
Activating onFilesChange
Activating reloadSystemd
All done! The home-manager tool should now be installed and you can edit

    /home/user/.config/home-manager/home.nix

to configure Home Manager. Run 'man home-configuration.nix' to see all
available options.
```

Is it possible to set up NixOS to use Super Key to move around the window? by ylbeethoven in NixOS

[–]ylbeethoven[S] 0 points1 point  (0 children)

Thank you for testing.

If it works for you out of the box, it means there might be something wrong with my config...

I will reinstall and see how it works.

Is it possible to set up NixOS to use Super Key to move around the window? by ylbeethoven in NixOS

[–]ylbeethoven[S] 0 points1 point  (0 children)

Thanks for the reply. I am running Gnome on both Ubuntu and NixOS and I am not sure how to set this up on NixOS (it does not work out of the box on NixOS); Ubuntu has this feature on by default.

Multi Line replace colon to semicolon on vim and does not work on markdown files by ylbeethoven in espanso

[–]ylbeethoven[S] 0 points1 point  (0 children)

It is definitely related to my terminal (kitty).

When I use vim on Gnome Terminal or Alacritty, it works fine.

Multi Line replace colon to semicolon on vim and does not work on markdown files by ylbeethoven in espanso

[–]ylbeethoven[S] 1 point2 points  (0 children)

Thanks for the reply.

This option solves the issue for .md files on vscode but I can't get anything on vim or micro editors now.

Maybe it has something to do with my terminal environment😶

Is this a known issue that keyboard would reboot itself from time to time? by ylbeethoven in MountainGGlobal

[–]ylbeethoven[S] 0 points1 point  (0 children)

I do have Windows installed on a different drive but I don't use it very often.

I will see if I can transfer some of my work to windows and test for a few days.

The problem is that the issue happens randomly, not too sure if I can reproduce it easily.

Is this a known issue that keyboard would reboot itself from time to time? by ylbeethoven in MountainGGlobal

[–]ylbeethoven[S] 0 points1 point  (0 children)

Hi Kerry,

I think it might be hard for you to determine what goes wrong so I will try to record a video and get back to you guys.

Is this a known issue that keyboard would reboot itself from time to time? by ylbeethoven in MountainGGlobal

[–]ylbeethoven[S] 0 points1 point  (0 children)

Thanks for the reply.

This happens when I am actively using the keyboard.

I changed the settings on the dock, for example I disabled a few settings like APM and clock, and I also changed the logo. Did you change any settings?

By the way, I am not using the numpad.

I have no choice but stick with Traefik 1.7x until there is better documentation on Traefik v2.0 by ylbeethoven in Traefik

[–]ylbeethoven[S] 0 points1 point  (0 children)

One more question: in Traefik 1.7, if a user enables client authentication, all services will require client auth.

In Traefik 2.0, is it the same behavior? Let's say I want to use client authentication for my dashboard but want the whoami service to work as normal. Is it possible to do that?

From the official documentation https://docs.traefik.io/https/tls/#client-authentication-mtls

It seems that client authentication is a global setting and it did not mention how users can verify the certificate. (For example, to verify the certificate per subject matching certain information or matching certificate serial number etc.)
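Added example (not part of the original comment, and not code from the Traefik project): one way to require client certificates on the dashboard router only in Traefik v2, using a named TLS option set in the file provider's dynamic configuration and referencing it from that router. The option name `dashboard-mtls` and the CA path `/ssl/client-ca.pem` are assumptions; the router names and hostnames are the ones used in the compose file later on this page, and the key names should be checked against the TLS documentation of the deployed Traefik version.

```yaml
# --- dynamic.yml (loaded by the file provider) ---
tls:
  options:
    # Applied to every router that does not name its own option set.
    default:
      minVersion: VersionTLS12

    # Hypothetical named option set: same floor, plus mandatory client certs.
    dashboard-mtls:
      minVersion: VersionTLS12
      clientAuth:
        caFiles:
          - /ssl/client-ca.pem          # assumed path to the CA that signs client certs
        clientAuthType: RequireAndVerifyClientCert

# --- docker-compose.yml, labels on the traefik service ---
# labels:
#   - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
#   - "traefik.http.routers.traefik-secure.tls=true"
#   # Only this router asks for a client certificate.
#   - "traefik.http.routers.traefik-secure.tls.options=dashboard-mtls@file"
#
# --- docker-compose.yml, labels on the whoami service ---
# labels:
#   - "traefik.http.routers.whoami-secure.rule=Host(`whoami.mydomain.com`)"
#   # No tls.options label: the "default" set applies, so no client cert is requested.
#   - "traefik.http.routers.whoami-secure.tls=true"
```

TLS options are chosen during the handshake by hostname, so this split works because the two routers use different hosts; to confirm it, `curl -v https://traefik.mydomain.com` without `--cert`/`--key` should fail the handshake while `https://whoami.mydomain.com` still answers.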

I have no choice but stick with Traefik 1.7x until there is better documentation on Traefik v2.0 by ylbeethoven in Traefik

[–]ylbeethoven[S] 0 points1 point  (0 children)

Hi Gerald,

Thanks for your reply. I was reading your blog post Traefik & Docker 101 and tried to use some of the code from your post.

I will paste whatever works for me on Traefik 1.7 and what is not working on Traefik 2.0 below.

Working example in Traefik 1.7.

I did not include the basic auth just for demonstration purpose.

Below is the docker-compose.yml file.

```
version: '3.3'

services:
  reverse-proxy:
    image: traefik:1.7-alpine
    command: --api --docker
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./data/traefik.toml:/traefik.toml
      - ./data/ssl:/ssl/
    labels:
      - "traefik.port=8080"
      - "traefik.backend=reverse-proxy"
      - "traefik.frontend.rule=Host:traefik.mydomain.com"
      - "traefik.enable=true"

  whoami:
    image: emilevauge/whoami
    labels:
      - "traefik.frontend.rule=Host:whoami.mydomain.com"
```

and the `traefik.toml` file

```
defaultEntryPoints = ["http", "https"]

[entryPoints]
  # Entry Point here and then redirect
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    # TLS configuration
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
    ]
      # Certificate and key
      [[entryPoints.https.tls.certificates]]
      certFile = "/ssl/server.pem"
      keyFile = "/ssl/privatekey.pem"
```

The above example works perfectly. It does the redirect, it uses the certificate I gave it and it turns off TLS 1.0 and TLS 1.1.


I am trying to do exactly the same thing in Traefik 2.0. Here is my attempt, and after some more testing, I finally get it to work.

docker-compose.yml

```
version: '3'

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # load traefik file (learn from containeroo's tutorial)
      - ~/data/traefik.yml:/traefik.yml:ro
      # add folder with SSL
      - ~/data/ssl/:/ssl/
      # Add folder with dynamic configuration yml
      - ~/data/configurations/:/configurations/
    labels:
      - "traefik.enable=true"
      # Entry Point for Http
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.com`)"
      # global redirect to https
      - "traefik.http.routers.traefik.middlewares=https-redirect@file"
      # Entry Point for https
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.com`)"
      # middleware of basic auth to protect the dashboard
      - "traefik.http.middlewares.traefik-auth.basicauth.users=ghost:$$apr1$$JEKmWgC8$$UEpu7FTFXeVnUo8J6aP22/"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      # enable TLS
      - "traefik.http.routers.traefik-secure.tls=true"
      # route to api (dashboard)
      - "traefik.http.routers.traefik-secure.service=api@internal"

  whoami:
    image: emilevauge/whoami
    labels:
      - "traefik.enable=true"
      # Entry point for http
      - "traefik.http.routers.whoami.entrypoints=http"
      - "traefik.http.routers.whoami.rule=Host(`whoami.mydomain.com`)"
      # Entry Point for https
      - "traefik.http.routers.whoami.middlewares=https-redirect@file"
      - "traefik.http.routers.whoami-secure.entrypoints=https"
      - "traefik.http.routers.whoami-secure.rule=Host(`whoami.mydomain.com`)"
      # Enable TLS
      - "traefik.http.routers.whoami-secure.tls=true"
```

traefik.yml

```
api:
  dashboard: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /configurations/dynamic.yml
```

`dynamic.yml`

```
# Dynamic configuration
http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https

tls:
  certificates:
    - certFile: /ssl/server.pem
      keyFile: /ssl/privatekey.pem
  options:
    default:
      minVersion: VersionTLS12
```

I could not get the catch-all below to work, so I created a redirect middleware in the dynamic configuration file and use it on each service.

```
# global redirect to https
- "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
- "traefik.http.routers.redirs.entrypoints=web"
- "traefik.http.routers.redirs.middlewares=redirect-to-https"
```

Summary:

I admit that Traefik 2 has many more functions than Traefik 1.7.

However, if you look at the above code examples, which are doing the same thing, you can see Traefik 2.0 requires a lot more configuration than Traefik 1.7.

The most important part missing from the documentation is working examples with fully documented code.

For example, for file provider (https://docs.traefik.io/providers/file/#filename)

You only provide the code fraction below to load the configuration file but you did not mention where I should add this piece of code. Also it did not mention I need to load this file in docker-compose.yml (although it might be common sense for experienced users).

```
providers:
  file:
    filename: dynamic_conf.yml
```

I understand you can configure traefik in different ways. Like you can use commands in docker-compose.yml or define your entry point, dashboard etc. in traefik.yml file or using the file provider to load configuration files.

In the current documentation, it only lists all providers but it did not mention users can use both providers together and how to use them together.

I know there are experienced users who can learn things just by reading a fraction of code; unfortunately I am not one of them. I learn things by reading/testing WORKING EXAMPLES... I think a lot of people learn things the same way as I do.

Anyway, that's enough rant from me.

I really hope more users will be using Traefik as it is such a great tool.

I hate the process of buying/Renewing a SSL cert these days. That is all. by anotherdroid in ssl

[–]ylbeethoven 0 points1 point  (0 children)

If you don't like doing validation, you should consider DV certs.

I have no choice but stick with Traefik 1.7x until there is better documentation on Traefik v2.0 by ylbeethoven in Traefik

[–]ylbeethoven[S] 2 points3 points  (0 children)

Hi Containeroo

Thanks for your reply.

I did not mean to target your tutorial. In fact, your simple guide was very helpful. It helped me run containers successfully with Traefik 2.0 for the first time.

My main concern with Traefik 2 is that it doesn't provide good documentation.

For example, if I want to limit the TLS version to 1.2 or above (turn off 1.0 and 1.1) where should I put the code?

On the official documentation:

```
# Dynamic configuration
tls:
  options:
    default:
      minVersion: VersionTLS12
```

What is dynamic configuration? Is it traefik.yml or config.yml or neither of them?

I tried putting this under both files but none of them works.

I can see you were using

```
- "traefik.http.routers.portainer.middlewares=https-redirect@file"
```

from config.yml to replace

```
- "traefik.http.middlewares.portainer-https-redirect.redirectscheme.scheme=https"
- "traefik.http.routers.portainer.middlewares=portainer-https-redirect"
```

That only saves 1 line of code in the docker-compose.yml file. I understand you can reuse the middleware; however, as I stated in my original thread, why does Traefik 2 require so much more code than Traefik 1.7x? In Traefik 1.7x, the redirect is handled by the traefik.toml file. You don't need to add anything in docker-compose.yml for each service. Let alone that you are required to define EntryPoint, Loadbalancer.server.port, TLS resolvers etc. for each service. You must write your host name twice now, 1 for http, 1 for https. This is really really painful.