Project Minato
Deployment

Reverse Proxy

Put Minato behind Traefik, Caddy, or nginx Proxy Manager for HTTPS and a custom domain.

Minato listens on port 7271. To serve it on a domain with HTTPS, put it behind a reverse proxy. The proxy handles TLS termination and forwards traffic to the container.

Minato infers its public URL from X-Forwarded-Host and X-Forwarded-Proto headers automatically, so no extra environment variables are needed to put it behind a reverse proxy.

Traefik

The most common setup for homelab Docker environments.

Assumptions:

  • Traefik is already running with a web-public Docker network
  • A letsencrypt certificate resolver is configured
  • You have a DNS A record pointing minato.example.com at your server

Add a networks block to your docker-compose.yaml and update the minato service to join Traefik's network. The services (postgres, redis, meilisearch) stay on the default network and are never reachable from outside.

services:
  minato:
    image: gergogyulai/minato:latest
    container_name: minato
    restart: unless-stopped
    # No ports: block — Traefik connects directly to the container
    networks:
      - default
      - web-public
    environment:
      BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
      DATABASE_URL: postgresql://minato:${POSTGRES_PASSWORD}@postgres:5432/minato
      MEILISEARCH_MASTER_KEY: ${MEILISEARCH_MASTER_KEY}
      TMDB_READ_ACCESS_TOKEN: ${TMDB_READ_ACCESS_TOKEN}
      OPENROUTER_API_KEY: ${OPENROUTER_API_KEY:-}
    healthcheck:
      test: ["CMD", "curl", "-f", "http://localhost:7271/api/v1/health"]
      interval: 10s
      timeout: 5s
      retries: 5
      start_period: 10s
    volumes:
      - minato_config:/config
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.minato.rule=Host(`minato.example.com`)"
      - "traefik.http.routers.minato.entrypoints=websecure"
      - "traefik.http.routers.minato.tls.certresolver=letsencrypt"
      - "traefik.http.services.minato.loadbalancer.server.port=7271"
    depends_on:
      postgres:
        condition: service_healthy
      redis:
        condition: service_healthy
      meilisearch:
        condition: service_healthy

  # postgres, redis, meilisearch — unchanged from the base compose file

networks:
  web-public:
    external: true

The default network entry keeps connectivity to the backing services. Remove the ports block so port 7271 is not published to the host — Traefik routes directly to the container over the shared network.

Caddy

If you run Caddy as a reverse proxy:

Caddyfile:

minato.example.com {
    reverse_proxy minato:7271
}

With Caddy's automatic HTTPS, this is all you need. Make sure the Caddy container and the minato container share a Docker network.

nginx Proxy Manager

If you're using nginx Proxy Manager (NPM):

  1. Add a new Proxy Host in the NPM UI
  2. Domain: minato.example.com
  3. Forward Hostname/IP: minato (if NPM shares a Docker network with the container) or your server's local IP
  4. Forward Port: 7271
  5. Enable SSL and request a Let's Encrypt certificate

Make sure the minato container and the NPM container are on the same Docker network, or expose port 7271 to the host and use the host IP.

Path-based proxying

Minato is NOT designed to run on a subpath (e.g. example.com/minato/). Use a subdomain instead.

Configuration

Environment variables, volumes, and ports reference for Minato.

Managing scrapers

Install, configure, update, and remove scrapers from your Minato instance.

On this page

TraefikCaddynginx Proxy ManagerPath-based proxying