diff --git a/traefik.md b/traefik.md
new file mode 100644
index 0000000..d7848e8
--- /dev/null
+++ b/traefik.md
@@ -0,0 +1,121 @@
+---
+title: Traefik
+description: Hypercharged reverse proxy with Docker autodiscovery and other goodies
+published: true
+date: 2019-07-01T15:21:53.482Z
+tags:
+---
+
+# What is this?
+
+Traefik hogs your ports `80` and `443` (and others), will intercept HTTP requests to your server and forward them to different endpoints.
+
+It allows you to run multiple web services on the same IP address and access them on a domain name basis.
+
+We use both the Docker backend and a manual routing backend.
+
+# Requirements
+To make it easier to have multiple `docker-compose.yml` without having to specify networks by hand, we use Traefik natively installed on the host, rather than the usual Docker install.
+
+This allows it to access all Docker networks by default.
+
+On NixOS:
+
+```
+ traefik = {
+ enable = true;
+ group = "docker";
+ configFile = "/var/lib/traefik/traefik.toml";
+ };
+```
+
+# Configuration
+`traefik.toml`
+```
+logLevel = "INFO"
+
+defaultEntryPoints = ["http", "https"]
+
+[accessLog]
+ filePath = "/var/lib/traefik/access.log"
+ format = "json"
+
+[entryPoints]
+ [entryPoints.http]
+ address = ":80"
+ [entryPoints.http.redirect]
+ entryPoint = "https"
+
+ [entryPoints.https]
+ address = ":443"
+ [entryPoints.https.tls]
+ sniStrict = true
+ minVersion = "VersionTLS12"
+ cipherSuites = [
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
+ ]
+
+ [entryPoints.bitwarden]
+ address = ":3012"
+
+ [entryPoints.traefik]
+ address = ":8080"
+# [entryPoints.traefik.auth]
+# [entryPoints.traefik.auth.basic]
+# users = [
+# "Enter your magic apache htaccess basic auth string here"
+# ]
+
+[api]
+ dashboard = true
+ entryPoint = "traefik"
+
+[file]
+ watch = true
+ filename = "/var/lib/traefik/rules.toml"
+
+ # Let's encrypt configuration
+[acme]
+email = "fosc@fosc.space"
+storage = "/var/lib/traefik/acme/acme.json"
+entryPoint = "https"
+acmeLogging = true
+onDemand = false
+onHostRule = true
+ [acme.tlsChallenge]
+
+[docker]
+```
+
+# Manual routes
+`rules.toml`
+```
+[frontends]
+ [frontends.netdata]
+ backend = "b_netdata"
+ [frontends.netdata.routes.r1]
+ rule = "Host: netdata.fosc.space"
+ [frontends.transmission]
+ backend = "b_transmission"
+ [frontends.transmission.routes.r1]
+ rule = "Host: transmission.fosc.space"
+ [frontends.router]
+ backend = "b_router"
+ [frontends.router.routes.r1]
+ rule = "Host: router.fosc.space"
+
+[backends]
+ [backends.b_netdata]
+ [backends.b_netdata.servers.localhost]
+ url = "http://fosc.lan:19999"
+ weight = 1
+ [backends.b_transmission]
+ [backends.b_transmission.servers.localhost]
+ url = "http://fosc.lan:9091"
+ [backends.b_router]
+ [backends.b_router.servers.router]
+ url = "http://openwrt.lan:19999"
+```
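Review bot: The `[api]` block turns the dashboard on over the `traefik` entrypoint, but the only access control for it, the `[entryPoints.traefik.auth.basic]` block just above, is commented out, so with `address = ":8080"` on a Traefik that the page says is installed natively on the host, the API and dashboard answer unauthenticated on every interface the host listens on. Either re-enable that block with a real htpasswd entry or bind the entrypoint to loopback, `address = "127.0.0.1:8080"`, and state on the page which of the two is in effect. The bare `[docker]` table deserves the same attention: Traefik 1.x exposes every container by default unless `exposedByDefault = false` is set, so a container started for testing gets a public Host rule nobody asked for. `TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256` is the one CBC suite in `cipherSuites`; if no client actually needs it, dropping it leaves only AEAD suites.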