chore(deps): update shaanmajid/unbound:1.25.1 docker digest to 513c389

displayMode: hidden ist in dieser Grafana-Version fuer Timeseries ungueltig
und liess die Panels (Solarstrahlung, Luftdruck, Wallbox-Ladeleistung) leer.
Auf legend.showLegend=false umgestellt.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>

HOMELAB_ARCHITECTURE_MASTER_V2.md

@@ -3,7 +3,7 @@
 > **Single Source of Truth** für Docker-Netzwerkarchitektur, Sicherheitsregeln, Zielbild und Migration des Kallilabcore-Homelabs.
 > **Arbeitsregel für KI-Assistenten:** Dieses Dokument immer zuerst lesen, bevor Fragen zu Containern, Netzwerken, Traefik, Tailscale, Migration oder Security beantwortet werden.
 
-**Stand:** 2026-06-11 | **Aktueller Schwerpunkt:** GitOps / Doku-Synchronisierung / Reproduzierbare Deployments
+**Stand:** 2026-06-13 | **Aktueller Schwerpunkt:** Home Assistant Tibber / Energie-Kosten
 
 ---
 
@@ -264,7 +264,7 @@ Legende Status:
 | `immich_redis` | ⏳ | `immich_default` | intern | intern-only | anonymes Volume → named volume |
 | `nextcloud-postgres` | ✅ | `nextcloud_internal` | intern | app-eigene Nextcloud-Datenbank mit `_FILE`-Secret | — |
 | `nextcloud-redis` | ✅ | `nextcloud_internal` | intern | app-eigener Cache fuer File Locking / Sessions | — |
-| `smarthome-mosquitto` | ✅ vorbereitet | `smarthome_net` | intern `1883`, kein Host-Port in Phase 1 | MQTT-Datenbus fuer Home Assistant, spaeter ESPHome und Zigbee2MQTT; Passwortdatei und ACLs in `/mnt/user/appdata/mosquitto/config` | LAN-Port erst in ESPHome-Phase mit ACLs/per-Device-Usern |
+| `smarthome-mosquitto` | ✅ | `smarthome_net` | intern `1883`, kein Host-Port in Phase 1 | MQTT-Datenbus fuer Home Assistant, spaeter ESPHome und Zigbee2MQTT; Passwortdatei und ACLs in `/mnt/user/appdata/mosquitto/config`; MQTT-Smoke und HA-MQTT-Integration am 2026-06-13 erfolgreich | LAN-Port erst in ESPHome-Phase mit ACLs/per-Device-Usern |
 
 ### 7.4 Produktive Apps
 
@@ -278,7 +278,7 @@ Legende Status:
 | `immich_server` | ✅ | `immich_default`, `frontend_net` | Traefik | aktiv via `immich.kaleschke.info` | — |
 | `immich_machine_learning` | ✅ | `immich_default` | intern | bleibt intern | — |
 | `nextcloud` | ✅ | `frontend_net`, `nextcloud_internal` | Traefik | aktiv via `cloud.kaleschke.info`, nativer Nextcloud-Login, WebDAV/CardDAV faehig | CalDAV/CardDAV-Redirect via Traefik-Labels |
-| `homeassistant` | ✅ vorbereitet | `frontend_net`, `smarthome_net` | Traefik via `home.kaleschke.info`, native HA-Auth | Home Assistant Container im GitOps-Stack `smart-home/`; kein HAOS, kein Supervised; Fach-YAML kommt aus `smart-home-kalli`, `.storage` bleibt in `/mnt/user/appdata/homeassistant` | Deploy, Onboarding, Restore-Probe, Cloud-Integrationen |
+| `homeassistant` | ✅ | `frontend_net`, `smarthome_net` | Traefik via `home.kaleschke.info`, native HA-Auth | Home Assistant Container im GitOps-Stack `smart-home/`; kein HAOS, kein Supervised; Fach-YAML kommt aus `smart-home-kalli`, `.storage` bleibt in `/mnt/user/appdata/homeassistant`; Komodo-Stack und Gitea-Webhook aktiv; HA-native Backup-Erzeugung, Restore-Probe, HA-MQTT-Integration, SolarEdge Local und Energy Dashboard am 2026-06-13 erfolgreich | Tibber, Energie-Kosten, spaeter Energie-Automationen |
 | `plex` | ✅ | `host` | Traefik via `plex.kaleschke.info` + Plex native Auth; LAN direkt `:32400` | Compose-Stack unter `host-services/plex/`; Host-Netz bleibt fuer Discovery / Plex GDM dokumentierte Ausnahme; Traefik routet per File-Provider-Ausnahme auf `http://192.168.178.58:32400`, weil Docker-Labels Host-Netz-Container aus Traefik heraus auf `127.0.0.1` routen wuerden; kein direkter WAN-Port 32400 und Plex Remote Access bleibt aus; Server geclaimt von `Xeridos`; Smart-TVs (Schlafzimmer, Wohnzimmer) ueber WLAN-LAN per mDNS | — |
 | `super-productivity` | ✅ vorbereitet | `frontend_net` | Traefik + Middleware | Persoenliche Task-PWA des Operators; Issues kommen aus Gitea `Micha/mails` via n8n-Mail-Workflow | Deploy + Webhook + DNS-Eintrag offen |
 | `n8n` | ✅ vorbereitet | `frontend_net` | Traefik, native Auth (keine pauschale Authelia) | Workflow-Automation; erster Workflow: GMX-Mail -> OpenAI-Extraktion -> Gitea-Issue in `Micha/mails`; `N8N_ENCRYPTION_KEY` ist Stack-ENV-Pflichtsecret | Deploy + Webhook + Owner-Setup offen |
@@ -399,7 +399,8 @@ Die Blockmigration aus der Portainer-/Dockerman-Phase ist abgeschlossen: Traefik
 | `n8n` | keine pauschale Authelia-Middleware | Webhook-Endpunkte (`/webhook/*`, `/webhook-test/*`) muessen ohne ForwardAuth erreichbar bleiben; n8n bringt eigene Owner-/Login-Auth mit (analog Komodo/Nextcloud) |
 | `plex` | Traefik ohne Authelia, File-Provider-Ausnahme trotz Host-Netz | Plex bringt native Konto-/Client-Auth mit; vorgeschaltete ForwardAuth wuerde Plex Web, Apps und Client-Flows stoeren. Docker-Labels sind fuer diesen Host-Netz-Container ungeeignet, weil Traefik sonst `127.0.0.1:32400` nutzt; daher `traefik/dynamic/plex.yml` mit Ziel `192.168.178.58:32400`. Route nur ueber Traefik/443 (`plex.kaleschke.info`), direkter Plex-WAN-Port 32400 und Plex Remote Access bleiben deaktiviert. |
 | `homeassistant` | Traefik ohne Authelia, Fach-YAML aus separatem Repo | Home Assistant bringt eigene Auth, mobile Apps, Webhooks und Integrationsfluesse mit. Der Container haengt in `frontend_net` fuer Traefik und in `smarthome_net` fuer MQTT/Zigbee2MQTT/ESPHome. `.storage` und Secrets bleiben in Appdata und werden per Borg gesichert, nicht versioniert. |
-| `Ecowitt` | spaetere HTTP-Ausnahme offen | Ecowitt kann nur HTTP. Wegen globalem Traefik-HTTP-Redirect wird in Phase 2 entschieden, ob Traefik eine selektive Webhook-Ausnahme bekommt oder ob ein LAN-only HA-Port `8123` als dokumentierte Host-Port-Ausnahme noetig wird. |
+| `homeassistant` (Ecowitt) | LAN-only Host-Port `8123` auf `192.168.178.58` | Ecowitt-GW3000 kann kein HTTPS und pusht per HTTP an den HA-Webhook. HA bekommt einen Host-Bind nur auf der LAN-IP (`192.168.178.58:8123:8123`, nicht `0.0.0.0`/WAN), analog InfluxDB 8181. Kein Traefik-Umbau des globalen HTTP-Redirects noetig, da Ecowitt rein im LAN pusht. Webhook nicht `local_only`, geschuetzt durch 128-bit-Zufalls-ID. Siehe `docs/DECISIONS.md` (2026-06-13). |
+| `homeassistant` (SolarEdge Local) | HACS/Custom-Integration `solaredge_modbus_multi` | Lokaler SolarEdge-Zugriff laeuft ueber Modbus TCP `192.168.178.111:1502`, Device-ID `1`. Das ist bewusst lokal statt Cloud-API, weil kein SolarEdge-API-Key verfuegbar ist und der Wechselrichter Modbus-Daten fuer Inverter, Smart Meter und Batterie liefert. Custom-Integration-Warnungen bei HA-Core-Upgrades beachten. |
 
 ---
 

apps/mealie/docker-compose.yml

@@ -54,7 +54,7 @@ services:
       - traefik.http.services.mealie.loadbalancer.server.port=9000
 
   mealie-postgres:
-    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
     container_name: mealie-postgres
     restart: unless-stopped
 

apps/nextcloud/docker-compose.yml

@@ -46,7 +46,7 @@ services:
       - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
 
   nextcloud-postgres:
-    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
     container_name: nextcloud-postgres
     restart: unless-stopped
     environment:

apps/unbound/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   unbound:
-    image: shaanmajid/unbound:1.25.1@sha256:f140db02a005904802bf5840093e95e675321aa060a00426fdffc2a3ac2eeb6b
+    image: shaanmajid/unbound:1.25.1@sha256:513c3893bd3dbe7230100c998970f0ef26e899e1c5d7695813da82bf646c85ea
     container_name: unbound
     restart: unless-stopped
     volumes:

docs/DECISIONS.md

@@ -11,6 +11,100 @@ in `HOMELAB_ARCHITECTURE_MASTER_V2.md` §13, `docs/MASTER_TODO.md` (Geparkt),
 
 ---
 
+## 2026-06-13 - Wetter-/Langzeitarchiv: HA schreibt nach InfluxDB 3 Core
+
+**Entscheidung:** Home Assistant schreibt die Ecowitt-Sensoren
+(`sensor.gw3000a_*`) dauerhaft nach InfluxDB 3 Core (DB `homeassistant`),
+visualisiert im Grafana-Dashboard `ha-weather-archive` ("Wetterarchiv
+KalliHome"). HA wurde dem bestehenden `monitoring_net` als zusaetzliches Netz
+hinzugefuegt und schreibt intern an `monitoring-influxdb3-core:8181`
+(v2-Write-API) - kein Host-Port, keine LAN-Exposition. Das war die im
+Ecowitt-Eintrag offen gelassene Reachability-Entscheidung (Alternative:
+LAN-Bind 8181).
+
+**Kontext:** Gewuenscht war ein echtes Langzeit-Wetterarchiv unabhaengig von
+HAs kurzer SQLite-Historie. HAs eingebaute Langzeit-Statistiken decken den Fall
+stuendlich bereits ab; InfluxDB liefert volle Aufloesung und eigene Grafana-
+Dashboards. InfluxDB 3 Core kennt nur Admin-Tokens (keine feingranularen
+Scopes), daher hat der HA-Schreibtoken vollen Admin-Zugriff auf die
+Monitoring-InfluxDB - bewusst akzeptiert (Operator-Freigabe), unabhaengig
+widerrufbar, Token nur in Appdata-Secrets (`ha_influxdb_token` + HA
+`secrets.yaml`).
+
+**Betriebsstand 2026-06-13:** HA im `monitoring_net`, Writer aktiv (Daten in
+Measurements `°C`, `%`, `hPa`, `km/h`, `W/m²`, `mm`, `lx`, `°`), zweite
+Grafana-Datasource `ha-weather-influx` (DB `homeassistant`) und Dashboard
+provisioniert. Glance zeigt zusaetzlich eine Live-Wetterkachel direkt aus der
+HA-API (`GLANCE_HA_TOKEN`).
+
+**Review-Trigger:** InfluxDB-3-Enterprise mit Token-Scopes (dann HA-Token
+einschraenken), Wegfall des Monitoring-Stacks, oder Neubewertung der
+HA-Internet-Exposition (HA haengt jetzt auch im Observability-Netz).
+
+## 2026-06-13 - SolarEdge lokal ueber Modbus TCP angebunden
+
+**Entscheidung:** SolarEdge wird in Home Assistant lokal ueber
+`solaredge_modbus_multi` angebunden, nicht ueber die SolarEdge-Cloud-API. Der
+Wechselrichter ist im LAN als `192.168.178.111` erreichbar, MAC-OUI
+`84:D6:C5` gehoert zu SolarEdge, Modbus TCP laeuft auf Port `1502`, Device-ID
+`1`. Die Integration liefert Inverter-, Smart-Meter- und Batterie-Entitaeten.
+
+**Kontext:** Der Operator kann im SolarEdge-Portal keinen API-Key erzeugen; das
+fruehere Setup lief bereits lokal. Der alte in der Doku genannte VONETS-Adapter
+`192.168.178.71` ist nicht erreichbar und bleibt kein verlaesslicher Zielpfad.
+Die native HA-Core-Integration `solaredge` waere Cloud-Polling mit Site-ID/API-
+Key; `solaredge_local` erwartet dagegen die lokale HTTP-SetApp-API unter
+`/web/v1/status`, die am Wechselrichter nicht offen ist. Der vorhandene
+HACS-/Custom-Component-Pfad `solaredge_modbus_multi` v3.2.5 passt zur realen
+Schnittstelle und wurde ohne neue Downloads wiederverwendet.
+
+**Betriebsstand 2026-06-13:** Config-Entry `SolarEdge Local` ist `loaded`,
+Polling alle 60 Sekunden, Meter- und Batterie-Erkennung aktiv, Extras und
+Power-Control-Schreibfunktionen deaktiviert. Relevante Energy-Dashboard-
+Kandidaten:
+`sensor.solaredge_local_i1_ac_energy`,
+`sensor.solaredge_local_i1_m1_ac_energy_imported`,
+`sensor.solaredge_local_i1_m1_ac_energy_exported`,
+`sensor.solaredge_local_i1_b1_energy_import`,
+`sensor.solaredge_local_i1_b1_energy_export`. Nach der Integration wurde ein
+HA-native Backup erzeugt:
+`/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`.
+Das HA Energy Dashboard wurde anschliessend mit Netz, PV und Speicher aus
+SolarEdge Local konfiguriert und per `energy/validate` ohne Issues geprueft.
+Kosten/Preise bleiben bis zur Tibber-Anbindung leer. Nach dieser UI-State-
+Aenderung wurde ein weiteres HA-native Backup erzeugt:
+`/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar`.
+
+**Trade-off:** Die lokale Modbus-Integration passt zum Prinzip "lokal vor
+Cloud" und liefert deutlich bessere Betriebsdaten als die Cloud-API, ist aber
+eine HACS-/Custom-Integration und damit nicht durch HA-Core getestet. Bei
+Problemen zuerst Integration deaktivieren oder auf HA-Core-Cloud-Polling
+zurueckfallen, sobald Site-ID/API-Key verfuegbar sind.
+
+**Review-Trigger:** HA-Core-Upgrade mit Custom-Integration-Warnungen,
+Ausfaelle von `192.168.178.111:1502`, Wechselrichtertausch/IP-Aenderung,
+oder wenn Energie-Automationen schreibende Power-Control-Funktionen brauchen.
+
+## 2026-06-13 - Ecowitt-Ingress: LAN-only Host-Bind 8123 umgesetzt
+
+**Entscheidung:** Home Assistant bekommt einen LAN-only Host-Bind
+`192.168.178.58:8123:8123` (nur LAN-IP, nicht `0.0.0.0`/WAN). Das Ecowitt-GW3000
+pusht per HTTP direkt an den HA-Webhook. Damit ist die offene
+Phase-2-Entscheidung (Eintrag 2026-06-12) zugunsten des LAN-Bind-Fallbacks
+entschieden; ein Umbau des globalen Traefik HTTP-zu-HTTPS-Redirects entfaellt,
+weil Ecowitt rein im LAN pusht und Traefik gar nicht braucht.
+
+**Kontext:** Der globale `web`->`websecure`-Redirect auf EntryPoint-Ebene laesst
+sich nicht sauber selektiv aushebeln. Der LAN-Bind ist analog zur dokumentierten
+InfluxDB-8181-Ausnahme, WAN-sicher (FRITZ!Box forwardet nur 443 auf Traefik) und
+ohne Traefik-Umbau. Der HA-Webhook ist nicht `local_only`; Schutz ist die
+128-bit-Zufalls-Webhook-ID. Restrisiko: der Pfad ist theoretisch auch ueber
+Traefik/443 erreichbar, praktisch aber unratbar.
+
+**Review-Trigger:** Wenn der Webhook haerter abgesichert werden soll
+(Traefik-IPAllowList auf `/api/webhook/` oder `local_only`), oder bei Ausbau
+auf Ecowitt-Langzeitspeicherung in InfluxDB.
+
 ## 2026-06-12 - Home Assistant als Container im GitOps-Stack
 
 **Entscheidung:** Home Assistant laeuft neu als `homeassistant` Container im
@@ -30,6 +124,22 @@ kein Zielpfad mehr; HAOS bleibt die Alternative, falls Add-on-Komfort,
 Matter/Thread/HomeKit-Discovery oder Host-nahe HA-Funktionen wichtiger werden
 als GitOps-Konformitaet.
 
+**Betriebsstand 2026-06-13:** Owner-Onboarding ist abgeschlossen, die
+temporaere Authelia-Onboarding-Guard-Middleware ist entfernt, `smart-home`
+existiert als Komodo-Stack mit Gitea-Webhook, HA-native `backup.create` erzeugt
+ein lesbares Backup-Artefakt, und der Mosquitto-Broker besteht einen
+authentifizierten Publish/Subscribe-Smoke. Die Restore-Probe wurde am
+2026-06-13 erfolgreich abgeschlossen: HA-native Backup + Mosquitto-Appdata +
+Fachrepo-Clone wurden isoliert gestartet, HA HTTP/API/check_config waren gruen,
+MQTT Publish/Subscribe und retained Topic nach Broker-Restart waren gruen.
+Report: `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`.
+Die HA-MQTT-Integration wurde anschliessend am 2026-06-13 ueber den
+Home-Assistant-Config-Flow verbunden; Config-Entry `smarthome-mosquitto` ist
+`loaded`, Mosquitto sieht den HA-Client mit User `homeassistant`, und
+`check_config` ist gruen. Damit ist die Foundation abgeschlossen. Naechster
+Produktivschritt ist Tibber, danach SolarEdge mit bewusster Entscheidung
+zwischen schneller Cloud-Integration und lokalem Modbus-TCP.
+
 **Review-Trigger:** Viele mDNS-/SSDP-abhaengige lokale Integrationen
 (HomeKit, Cast, Matter/Thread), Bedarf an HA-Add-ons als Betriebsstandard,
 oder wiederholte Probleme durch Bridge-Netzwerkbetrieb.

docs/MASTER_TODO.md

@@ -25,7 +25,7 @@ Host-Reports (`/mnt/user/backups/restore-reports/`) und in der Git-Historie.
 | Restore-Test Tailscale | Operator | State-Validierung + Reconnect nur auf Wegwerf-Host/VM, danach Geraet in Tailscale-Admin entfernen | `ops/restore-tests/tailscale-runbook.md` |
 | Authelia OIDC fuer Apps | Operator/Claude | Live: Grafana + Mealie (verifiziert), Paperless deployed (Login-Test offen). Immich + Nextcloud bewusst geparkt bis Family-Onboarding (siehe `docs/DECISIONS.md` 2026-06-06) | `docs/AUTHELIA_OIDC_PLAN.md` |
 | Glance-v2-Widgets: Tokens setzen | Operator | In Komodo Stack-ENV fuer `ops-glance` setzen: `GLANCE_KOMODO_API_KEY`/`_SECRET` (Komodo read-only API-Key), `GLANCE_GITEA_TOKEN` (read-only, scope `read:repository`), `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN`; bis dahin zeigen die neuen Widgets Fehler/leer. Speedtest-Widget: falls weiter 0.0, API-Response pruefen | `ops/glance/config/` |
-| Home Assistant Foundation-Abnahme | Operator/Codex | Sofort: Owner-Onboarding abschliessen. Danach temporaere Authelia-Middleware von der HA-Route entfernen, Komodo-Stack-Eintrag + Webhook sauber anlegen/verifizieren, HA-MQTT-Smoke-Test und HA-native `backup.create` testen, Restore-Probe fuer HA/Mosquitto dokumentieren | `docs/runbooks/smart-home-bootstrap.md`, `docs/RESTORE_MATRIX.md` |
+| Home Assistant Tibber | Operator/Codex | Tibber per HA-UI-Config-Flow verbinden. Danach Energy-Dashboard um echte Kosten/Preisquelle ergaenzen; SolarEdge-PV, Netz und Speicher sind bereits konfiguriert und validiert | `docs/runbooks/smart-home-bootstrap.md`, `docs/DECISIONS.md` |
 | Audit-PDF aus `docs/` entfernen | Operator | `docs/KalliLab_CORE_Audit_2026-06-06.pdf` (untracked) extern ablegen (H:/ oder Documents-Share) und lokal loeschen; Binaerdateien gehoeren nicht ins GitOps-Repo | Doku-Regeln `docs/REPO_MAP.md` |
 
 ---
@@ -71,11 +71,11 @@ Bewusst nicht jetzt - Begruendungen in `docs/DECISIONS.md`, hier nur Thema und T
 
 ## Zuletzt erledigt (Kurzlog, max. 5 Eintraege)
 
-- **2026-06-12** Komodo-Stack-Hygiene-Check aktiv: `services/posture-check/komodo-stack-hygiene.sh` + Unraid User Script `komodo-stack-hygiene-weekly` (Sonntag 05:00). Faengt die `immich_new`-Klasse (Stack ohne Repo, `project_missing`, Compose ohne Stack, Hash-Drift). Erster Lauf: 6 Warnings, 0 Critical.
-- **2026-06-12** Immich Komodo-Stack bereinigt: `immich_new` auf `immich` korrigiert, Gitea-Account `Micha` gesetzt, per Komodo aus `apps/immich/docker-compose.yml` neu deployed. Verifiziert: `deployed_hash == latest_hash`, `immich_new_count=0`, alle vier Container healthy, HTTP 200, DB-Smoke `11983` Assets, Drift-Alert resolved.
-- **2026-06-11** Host-DNS-Fallback aktiv: `eth0` DNS2 = `192.168.178.1` (FRITZ!Box) zusaetzlich zu AdGuard. AdGuard-SPOF fuer Image-Pulls entschaerft; der dokumentierte Bulk-Deploy-Vorfall kann strukturell nicht wiederkommen.
-- **2026-06-11** Hetzner Storage Box: automatische Snapshots aktiv (taeglich 05:30 UTC, 7 Tage Retention). Schliesst das Ransomware-/Fehlbedienungs-Risiko gegen das Off-site-Backup. Siehe `docs/DECISIONS.md`.
-- **2026-06-11** Immich Image-Tags von `release` auf `v2.7.5` gepinnt (Server + ML, Digests unveraendert): Renovate-PRs zeigen ab jetzt sichtbare Versionsspruenge statt stiller Digest-Bumps.
+- **2026-06-13** Home Assistant MQTT-Integration produktiv verbunden: Config-Entry `smarthome-mosquitto` ist `loaded`, Mosquitto sieht den HA-Client `homeassistant`; `check_config` gruen.
+- **2026-06-13** HA Energy Dashboard konfiguriert: Netz, PV und Speicher aus SolarEdge Local gesetzt, `energy/validate` ohne Issues; HA-Backup danach erzeugt.
+- **2026-06-13** SolarEdge lokal angebunden: `solaredge_modbus_multi` v3.2.5 ueber `192.168.178.111:1502`, Device-ID `1`; 68 Entitaeten inkl. Inverter, Smart Meter und Batterie; HA-Backup danach erzeugt.
+- **2026-06-13** Home Assistant Restore-Probe erfolgreich: isolierter Test aus HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone, HA HTTP/API/check_config gruen, MQTT Publish/Subscribe und retained Topic nach Broker-Restart gruen. Report: `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`.
+- **2026-06-13** Home Assistant Foundation live: `smart-home` in Komodo angelegt, Gitea-Webhook aktiv, Authelia-Onboarding-Guard entfernt, HA-native Auth + Login-Ban aktiv, HA-Backup erzeugt/geprueft und MQTT-Broker-Smoke erfolgreich.
 
 ---
 

docs/RESTORE_MATRIX.md

@@ -60,8 +60,8 @@ Sie ist die fachliche Ergaenzung zu `docs/DISASTER_RECOVERY.md`.
 | Glance | Git / Borg-Repo | Repo-Konfiguration unter `ops/glance/config/glance.yml`; keine kritische Datenpersistenz | keine | `GLANCE_IMMICH_API_KEY`, `GLANCE_ADGUARD_USERNAME`, `GLANCE_ADGUARD_PASSWORD`, `GLANCE_SPEEDTEST_API_KEY` | Traefik, Authelia, optional interne API-Ziele | Dashboard startet, Widgets laden, Docker-Status laeuft nur ueber `glance-docker-socket-proxy` |
 | ntfy | Borg / Share | `/mnt/user/appdata/ntfy` | keine | keine besonderen Secret-Dateien dokumentiert | Traefik | UI und Push-Endpunkt erreichbar |
 | Paperless-GPT | Borg / Share | `/mnt/user/appdata/paperless-gpt` | keine eigene DB | `PAPERLESS_API_TOKEN`, `OPENAI_API_KEY` | Traefik, Paperless, OpenAI API | UI startet, Konfiguration vorhanden; LLM-Provider zeigt `openai` / `gpt-5.4-mini` |
-| Home Assistant | Borg + HA-native Backups + Fachrepo | `/mnt/user/appdata/homeassistant` inkl. `.storage`, `secrets.yaml`, `trusted_proxies.yaml`; Fach-YAML aus `/mnt/user/services/smart-home-kalli/home-assistant` | HA-native Backup-Artefakte unter `/mnt/user/appdata/homeassistant/backups` falls vorhanden; keine externe DB in Phase 1 | HA-Secrets in `secrets.yaml`, Integrations-Tokens in `.storage`, MQTT-Credentials, spaeter InfluxDB-Token | Traefik, `frontend_net`, `smarthome_net`, Mosquitto, Fachrepo-Clone | `https://home.kaleschke.info` zeigt Login, MQTT-Integration verbindet sich, `backup.create` funktioniert, Energy-Dashboard-Konfiguration bleibt erhalten |
-| Smart-Home MQTT / Mosquitto | Borg / Share | `/mnt/user/appdata/mosquitto/config`, `/mnt/user/appdata/mosquitto/data`, `/mnt/user/appdata/mosquitto/log` | Mosquitto persistiert retained messages/subscriptions dateibasiert | `passwordfile`, `aclfile`, spaeter per-Device-User | `smarthome_net`, Home Assistant, spaeter ESPHome/Zigbee2MQTT | Container startet, HA kann sich authentifiziert verbinden, retained Testtopic bleibt nach Restart erhalten |
+| Home Assistant | Borg + HA-native Backups + Fachrepo | `/mnt/user/appdata/homeassistant` inkl. `.storage`, `secrets.yaml`, `trusted_proxies.yaml`, `custom_components` (HACS, `solaredge_modbus_multi`); Fach-YAML aus `/mnt/user/services/smart-home-kalli/home-assistant` | HA-native Backup-Artefakte unter `/mnt/user/appdata/homeassistant/backups`; erstes Artefakt 2026-06-13 erzeugt und tar-lesbar (`backup.json`, `homeassistant.tar.gz`); Backup nach SolarEdge-Integration: `Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`; Backup nach Energy-Dashboard-Konfiguration: `Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar`; keine externe DB in Phase 1 | HA-Secrets in `secrets.yaml`, Integrations-Tokens in `.storage`, MQTT-Credentials, Agent-API-Tokens als Host-Secrets `ha_token_codex`/`ha_token_claude` (nur mit erhaltenem `.storage`-Auth-State nutzbar), spaeter Tibber/InfluxDB-Tokens | Traefik, `frontend_net`, `smarthome_net`, Mosquitto, Fachrepo-Clone, SolarEdge-Wechselrichter `192.168.178.111:1502` | Restore-Test am 2026-06-13 erfolgreich: HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone isoliert gestartet, HA HTTP/API/check_config gruen; produktiv danach HA-MQTT-Config-Entry `smarthome-mosquitto` geladen, SolarEdge Local `solaredge_modbus_multi` loaded mit 68 Entitaeten und Energy Dashboard fuer Netz/PV/Speicher per `energy/validate` ohne Issues; Report `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md` |
+| Smart-Home MQTT / Mosquitto | Borg / Share | `/mnt/user/appdata/mosquitto/config`, `/mnt/user/appdata/mosquitto/data`, `/mnt/user/appdata/mosquitto/log` | Mosquitto persistiert retained messages/subscriptions dateibasiert | `passwordfile`, `aclfile`, spaeter per-Device-User | `smarthome_net`, Home Assistant, spaeter ESPHome/Zigbee2MQTT | Restore-Test am 2026-06-13 erfolgreich: authentifizierter Publish/Subscribe-Smoke mit `homeassistant`-User und retained Topic nach Broker-Restart gruen; produktiv verbindet sich HA als User `homeassistant` |
 | Smart-Home Fachrepo | Gitea + Borg-Repo-Clone | `/mnt/user/services/smart-home-kalli` | keine | keine echten Secrets im Repo; `secrets-template/` nur Beispiele | Gitea, Home Assistant Mounts | `git status` sauber, HA liest `configuration.yaml` und `packages/` aus dem Clone |
 
 ---
@@ -165,6 +165,7 @@ Stand 2026-06-06. Pro Dienst auf einen Blick: Wurde der Restore schon einmal rea
 | Borg UI | 3 | - | rebuildbar | - |
 | Filebrowser | 3 | - | rebuildbar | - |
 | baerchen Windows Image | Workstation | 2026-06-06 | Full-Backup geschrieben; Recovery-USB-Boot, SMB-Mount und Restore-Point-Sichtpruefung erfolgreich; vor echtem Restore abgebrochen | nach Image-Aenderungen oder quartalsweise |
+| Home Assistant + Mosquitto | 2 | 2026-06-13 | HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone, isolierte Testcontainer, HA HTTP/API/check_config, MQTT Publish/Subscribe + retained Topic nach Broker-Restart | vor groesseren Smart-Home-Aenderungen oder nach relevanten HA/Mosquitto-Architekturaenderungen |
 
 ---
 

docs/SECRETS_MAP.md

@@ -40,7 +40,7 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | Komodo Mongo | Root Password | `/mnt/user/appdata/secrets/komodo_mongo_password.txt` -> `MONGO_INITDB_ROOT_PASSWORD_FILE` | aktiv |
 | Komodo Core | App Secrets | Stack ENV `${KOMODO_SECRET_KEY}`, `${KOMODO_WEBHOOK_SECRET}`, `${KOMODO_JWT_SECRET}`, `${KOMODO_MONGO_PASSWORD}`, `${KOMODO_PERIPHERY_PASSKEY}` | aktiv |
 | Gitea Push Mirror | GitHub fine-grained PAT fuer `michaelkaleschke-spec/homelab-infra` | Gitea Repository Mirror Settings, persistent in `/mnt/user/services/gitea/data`; kein Datei-Secret im Repo | aktiv |
-| Glance | Community Widget API Tokens | Stack ENV `${GLANCE_IMMICH_API_KEY}`, `${GLANCE_ADGUARD_USERNAME}`, `${GLANCE_ADGUARD_PASSWORD}`, `${GLANCE_SPEEDTEST_API_KEY}`, `${GLANCE_KOMODO_API_KEY}`, `${GLANCE_KOMODO_API_SECRET}`, `${GLANCE_GITEA_TOKEN}`, `${GLANCE_PAPERLESS_TOKEN}`, `${GLANCE_MEALIE_TOKEN}` (alle read-only anlegen) | aktiv |
+| Glance | Community Widget API Tokens | Stack ENV `${GLANCE_IMMICH_API_KEY}`, `${GLANCE_ADGUARD_USERNAME}`, `${GLANCE_ADGUARD_PASSWORD}`, `${GLANCE_SPEEDTEST_API_KEY}`, `${GLANCE_KOMODO_API_KEY}`, `${GLANCE_KOMODO_API_SECRET}`, `${GLANCE_GITEA_TOKEN}`, `${GLANCE_PAPERLESS_TOKEN}`, `${GLANCE_MEALIE_TOKEN}` (alle read-only anlegen), `${GLANCE_HA_TOKEN}` (HA Long-Lived Access Token; Glance nutzt nur `GET /api/states`) | aktiv |
 | speedtest-tracker | App Key / Admin-Zugang | Stack ENV `${APP_KEY}`, `${ADMIN_PASSWORD}` | aktiv |
 | Nextcloud | Admin User | `/mnt/user/appdata/secrets/nextcloud_admin_user.txt` -> `NEXTCLOUD_ADMIN_USER_FILE` | neu |
 | Nextcloud | Admin Password | `/mnt/user/appdata/secrets/nextcloud_admin_password.txt` -> `NEXTCLOUD_ADMIN_PASSWORD_FILE` | neu |
@@ -51,6 +51,8 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 | Hermes Agent | Provider-Keys, Bot-Tokens, API-Server-Key | `/mnt/user/appdata/hermes-agent/data/.env` | VM-seitig offen |
 | Hermes Agent | SSH-Runner Private Key | `/mnt/user/appdata/secrets/hermes_runner_id_ed25519` -> `/root/.ssh/id_ed25519` | VM-seitig offen |
 | InfluxDB 3 Core | Admin Token JSON | `/mnt/user/appdata/secrets/influxdb3_admin_token.json` -> Docker Secret `/run/secrets/influxdb3_admin_token` | aktiv |
+| Home Assistant -> InfluxDB | Write Token (Wetterarchiv) | `/mnt/user/appdata/secrets/ha_influxdb_token` + HA `/config/secrets.yaml` Key `influxdb_ha_token`; InfluxDB-3-Core Named-Admin-Token (voller Zugriff, da Core keine Scopes kennt) | aktiv |
+| Home Assistant | Agent API Tokens | `/mnt/user/appdata/secrets/ha_token_claude`, `ha_token_codex` (Long-Lived Access Tokens fuer read-only API-Zugriff durch KI-Agenten) | aktiv |
 | Monitoring Grafana | Admin Password | `/mnt/user/appdata/secrets/monitoring_grafana_admin_password.txt` -> Docker Secret `/run/secrets/monitoring_grafana_admin_password` -> `GF_SECURITY_ADMIN_PASSWORD__FILE` | aktiv |
 | Monitoring Grafana -> InfluxDB | Datasource Token | `/mnt/user/appdata/secrets/monitoring_grafana_influxdb_token.txt` -> Docker Secret `/run/secrets/monitoring_grafana_influxdb_token` | aktiv |
 | Grafana OIDC (Authelia) | Client Secret | `/mnt/user/appdata/secrets/grafana_oidc_client_secret` (Klartext, chmod 600) -> Docker Secret `/run/secrets/grafana_oidc_client_secret` -> `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET__FILE`. Zugehoeriger pbkdf2-Hash liegt im Authelia-Host-Config-Client `grafana` (kein Wert im Repo) | aktiv (2026-06-06) |
@@ -98,6 +100,9 @@ Dieses Dokument listet sensible Daten, deren Ablageorte und die vorgesehene Einb
 |-- redis_password.txt
 |-- borg_repo_passphrase.txt
 |-- influxdb3_admin_token.json
+|-- ha_influxdb_token
+|-- ha_token_claude
+|-- ha_token_codex
 |-- filebrowser_admin_password.txt
 |-- homelab_smtp_password.txt
 `-- vaultwarden_admin_token.txt
@@ -141,7 +146,7 @@ Einige Secrets liegen bewusst nur als Komodo Stack Environment Variables vor, we
 | `speedtest-tracker` | `APP_KEY`, `ADMIN_PASSWORD` | Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | `APP_KEY` ist verschluesselungsrelevant; bei echtem Verlust App-State frisch initialisieren |
 | `komodo-core` | `KOMODO_SECRET_KEY`, `KOMODO_WEBHOOK_SECRET`, `KOMODO_JWT_SECRET`, `KOMODO_MONGO_PASSWORD`, `KOMODO_PERIPHERY_PASSKEY` | Vaultwarden -> externe Notiz (Henne-Ei: Komodo-Mongo-Dump ist hier **nicht** Restore-Quelle, weil Komodo dafuer schon laufen muesste) | siehe `docs/SERVICES_RECOVERY.md` Komodo-Bootstrap; ohne diese Werte ist der Self-Stack nicht reproduzierbar |
 | `hermes-agent` | `HERMES_DASHBOARD_HOST` plus Provider-/API-/Home-Assistant-Tokens in Host-`.env` | Vaultwarden -> externe Notiz | Stack ist aktuell geparkt (Review 2026-07-25); ohne Werte bleibt der Stack deaktiviert, kein Schaden am Rest |
-| `glance` | `GLANCE_IMMICH_API_KEY`, `GLANCE_ADGUARD_USERNAME`, `GLANCE_ADGUARD_PASSWORD`, `GLANCE_SPEEDTEST_API_KEY`, `GLANCE_KOMODO_API_KEY`, `GLANCE_KOMODO_API_SECRET`, `GLANCE_GITEA_TOKEN`, `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN` | Provider-UIs (Immich, AdGuard, Speedtest-Tracker, Komodo, Gitea, Paperless, Mealie) neu erzeugen | rebuildbar; alle read-only; Widgets bleiben leer bis Tokens neu erzeugt sind, kein kritischer Datentopf |
+| `glance` | `GLANCE_IMMICH_API_KEY`, `GLANCE_ADGUARD_USERNAME`, `GLANCE_ADGUARD_PASSWORD`, `GLANCE_SPEEDTEST_API_KEY`, `GLANCE_KOMODO_API_KEY`, `GLANCE_KOMODO_API_SECRET`, `GLANCE_GITEA_TOKEN`, `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN`, `GLANCE_HA_TOKEN` | Provider-UIs (Immich, AdGuard, Speedtest-Tracker, Komodo, Gitea, Paperless, Mealie, Home Assistant) neu erzeugen | rebuildbar; Widgets bleiben leer bis Tokens neu erzeugt sind, kein kritischer Datentopf; `GLANCE_HA_TOKEN` muss zusaetzlich in `ops/glance/docker-compose.yml` durchgereicht werden |
 | `n8n` | `N8N_ENCRYPTION_KEY` | Host-Secret-Datei `/mnt/user/appdata/secrets/n8n_encryption_key.txt` -> Komodo-Mongo-Dump -> Vaultwarden -> externe Notiz | Bei Verlust aller Quellen: n8n startet, aber **alle gespeicherten Credentials sind unbrauchbar** (Re-Eingabe noetig: GMX IMAP, OpenAI, Gitea PAT). Workflows bleiben strukturell erhalten. |
 
 ### Komodo-Sonderfall

docs/SERVICE_CATALOG.md

@@ -1,6 +1,6 @@
 # Service Catalog
 
-Stand: 2026-06-02
+Stand: 2026-06-13
 
 Dieser Katalog beschreibt produktive und repo-vorbereitete Dienste aus Sicht von Betrieb, Restore und KI-Kontext. Er basiert auf dem Repo-Sollzustand. Vor produktiven Eingriffen immer den Live-Zustand in Komodo/Docker pruefen.
 
@@ -84,8 +84,8 @@ Secret-Werte sind nicht enthalten. Es werden nur Secret-Namen, Env-Key-Namen und
 
 | Service | Zweck | Autoritativer Pfad | URL / Zugang | Abhaengigkeiten | Datenpfade | Backup / Restore | Traefik | Besonderheiten / TODOs |
 |---|---|---|---|---|---|---|---|---|
-| `homeassistant` | Zentrale Smart-Home-Steuerung, Energy Dashboard, Integrations-Hub | Runtime: `smart-home/docker-compose.yml`; Fachkonfiguration: Repo `smart-home-kalli` | `https://home.kaleschke.info`; kein direkter Host-Port in Phase 1 | Traefik, `frontend_net`, `smarthome_net`, `smarthome-mosquitto`, Fachrepo unter `/mnt/user/services/smart-home-kalli` | `/mnt/user/appdata/homeassistant` inkl. `.storage`, `secrets.yaml`, `trusted_proxies.yaml`; YAML-Fachdateien read-only aus `/mnt/user/services/smart-home-kalli/home-assistant` | Tier 2, Borg + HA-native Backups; Restore-Probe Pflicht vor produktiven Energie-Automationen | ja, native HA-Auth | HA Container statt HAOS-VM; keine Add-ons, keine Supervised-Installation. `configuration.yaml` kommt aus dem Fachrepo, `.storage` wird nicht versioniert. `http.use_x_forwarded_for` und `trusted_proxies` muessen zur Traefik-Route passen. Ecowitt-HTTP bleibt Phase-2-Entscheidung wegen globalem Traefik-Redirect. |
-| `smarthome-mosquitto` | MQTT-Broker fuer HA, spaeter ESPHome und Zigbee2MQTT | `smart-home/docker-compose.yml`, `smart-home/mosquitto/config/mosquitto.conf` | intern `smarthome_net:1883`; kein LAN-Port in Phase 1 | `smarthome_net`, Passwort-/ACL-Dateien in Appdata | `/mnt/user/appdata/mosquitto/config`, `/mnt/user/appdata/mosquitto/data`, `/mnt/user/appdata/mosquitto/log` | Tier 2, Borg; Passwortdatei, ACLs und persistente Broker-Daten relevant | nein | LAN-Port `1883` erst in ESPHome-Phase mit ACLs und per-Device-Usern. |
+| `homeassistant` | Zentrale Smart-Home-Steuerung, Energy Dashboard, Integrations-Hub | Runtime: `smart-home/docker-compose.yml`; Fachkonfiguration: Repo `smart-home-kalli` | `https://home.kaleschke.info`; zusaetzlich LAN-only Host-Bind `192.168.178.58:8123` nur fuer den Ecowitt-HTTP-Push | Traefik, `frontend_net`, `smarthome_net`, `smarthome-mosquitto`, SolarEdge-Wechselrichter `192.168.178.111:1502`, Fachrepo unter `/mnt/user/services/smart-home-kalli` | `/mnt/user/appdata/homeassistant` inkl. `.storage`, `secrets.yaml`, `trusted_proxies.yaml` und `custom_components` (HACS, `solaredge_modbus_multi`); YAML-Fachdateien read-only aus `/mnt/user/services/smart-home-kalli/home-assistant`; Agent-API-Tokens als Host-Secrets `ha_token_codex`/`ha_token_claude` | Tier 2, Borg + HA-native Backups; erstes HA-Backup am 2026-06-13 erzeugt/geprueft; Restore-Probe am 2026-06-13 erfolgreich, Report `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`; Backup nach SolarEdge-Integration: `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`; Backup nach Energy-Dashboard-Konfiguration: `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar` | ja, native HA-Auth | HA Container statt HAOS-VM; keine Add-ons, keine Supervised-Installation. `configuration.yaml` kommt aus dem Fachrepo, `.storage` wird nicht versioniert. `http.use_x_forwarded_for`, `trusted_proxies` und `ip_ban_enabled` sind aktiv. HA-MQTT-Integration `smarthome-mosquitto` ist seit 2026-06-13 geladen. SolarEdge ist seit 2026-06-13 lokal ueber `solaredge_modbus_multi` v3.2.5 angebunden: `SolarEdge Local`, `192.168.178.111:1502`, Device-ID `1`, Meter+Batterie-Erkennung an, Power-Control aus. Energy Dashboard ist fuer Netz, PV und Speicher konfiguriert; Kosten folgen mit Tibber. Komodo-Stack und Gitea-Webhook sind aktiv. Ecowitt-Ingress seit 2026-06-13 ueber LAN-only Host-Bind `192.168.178.58:8123` geloest; offen ist nur die GW3000-Customized-Server-Konfiguration. Naechster Produktivschritt: Tibber. |
+| `smarthome-mosquitto` | MQTT-Broker fuer HA, spaeter ESPHome und Zigbee2MQTT | `smart-home/docker-compose.yml`, `smart-home/mosquitto/config/mosquitto.conf` | intern `smarthome_net:1883`; kein LAN-Port in Phase 1 | `smarthome_net`, Passwort-/ACL-Dateien in Appdata | `/mnt/user/appdata/mosquitto/config`, `/mnt/user/appdata/mosquitto/data`, `/mnt/user/appdata/mosquitto/log` | Tier 2, Borg; Passwortdatei, ACLs und persistente Broker-Daten relevant; Restore-Probe am 2026-06-13 erfolgreich | nein | Authentifizierter Publish/Subscribe-Smoke und retained Topic nach Broker-Restart am 2026-06-13 erfolgreich. Home Assistant verbindet sich als User `homeassistant`. LAN-Port `1883` erst in ESPHome-Phase mit ACLs und per-Device-Usern. |
 
 ## Host Operations
 

docs/runbooks/smart-home-bootstrap.md

@@ -61,6 +61,8 @@ Komodo-Stack:
 - Repo: `homelab-infra`
 - Pfad: `smart-home/docker-compose.yml`
 - Branch: nach Review `master`
+- Status 2026-06-13: Stack `smart-home` existiert in Komodo, Gitea-Webhook ist
+  aktiv, `deployed_hash == latest_hash`.
 
 Nach dem Start pruefen:
 
@@ -74,9 +76,23 @@ docker logs --tail=100 smarthome-mosquitto
 ## 5. Smoke-Test
 
 - `https://home.kaleschke.info` zeigt die Home-Assistant-Oberflaeche.
+- Nach Owner-Onboarding: keine Authelia-ForwardAuth mehr vor HA; HA nutzt native
+  Auth plus `http.ip_ban_enabled`.
+- `trusted_proxies.yaml` deckt das `frontend_net` ab; damit wertet HA die echte
+  Client-IP aus `X-Forwarded-For` aus.
 - Keine Trusted-Proxy-Fehler im HA-Log.
-- MQTT-Integration verbindet sich mit Host `smarthome-mosquitto`, Port `1883`.
-- HA-native Backup-Erstellung funktioniert.
+- MQTT-Broker-Smoke: `homeassistant`-User aus `secrets.yaml` kann gegen
+  `smarthome-mosquitto:1883` publish/subscriben.
+- HA-MQTT-Integration ist verbunden: Config-Entry `smarthome-mosquitto` ist
+  `loaded`, Mosquitto sieht einen HA-Client mit User `homeassistant`.
+- HA-native Backup-Erstellung funktioniert; Beispielartefakt:
+  `/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_08.25_38034438.tar`.
+- Backup-Artefakt ist lesbar (`backup.json`, `homeassistant.tar.gz`).
+- Agent-API-Tokens liegen als Host-Secrets unter
+  `/mnt/user/appdata/secrets/ha_token_codex` und
+  `/mnt/user/appdata/secrets/ha_token_claude`; Werte nie ausgeben oder in Git
+  schreiben. Die Tokens sind nur mit erhaltenem HA-Auth-State in `.storage`
+  brauchbar und bei Verdacht in HA zu widerrufen.
 
 ## 6. Fachrepo-Update
 
@@ -86,12 +102,14 @@ Komodo-Stack. Aenderungen wirken erst nach diesem Host-Ablauf:
 ```sh
 cd /mnt/user/services/smart-home-kalli
 git pull --ff-only origin main
-docker restart homeassistant
+docker compose -f /mnt/user/services/stacks/smart-home/smart-home/docker-compose.yml \
+  up -d --force-recreate homeassistant
 ```
 
-Der Restart ist Pflicht, weil `configuration.yaml`, `automations.yaml`,
+Der Force-Recreate ist Pflicht, weil `configuration.yaml`, `automations.yaml`,
 `scripts.yaml` und `scenes.yaml` als Einzeldateien in den Container gemountet
-werden. Nach einem `git pull` kann Docker sonst noch den alten Datei-Inode sehen.
+werden. Nach einem `git pull` kann Docker sonst noch den alten Datei-Inode sehen
+(`Stale file handle`).
 
 ## 7. UI-Editor-Politik
 
@@ -105,3 +123,102 @@ und Integrations-State bleiben in `.storage` und werden per Borg gesichert.
 Vor produktiven Energie-Automationen muss ein Restore-Test fuer
 `/mnt/user/appdata/homeassistant`, `/mnt/user/appdata/mosquitto` und den Clone
 `/mnt/user/services/smart-home-kalli` dokumentiert sein.
+
+Wichtig: Ein erfolgreich erzeugtes HA-Backup ist nur die Voraussetzung. Das Gate
+ist erst geschlossen, wenn eine Restore-Probe in einem isolierten Testpfad
+dokumentiert ist.
+
+Status 2026-06-13: Gate geschlossen. Die isolierte Restore-Probe war
+erfolgreich:
+
+- Report: `/mnt/user/backups/restore-reports/homeassistant-2026-06-13.md`
+- Test: HA-native Backup + Mosquitto-Appdata + Fachrepo-Clone
+- Ergebnis: HA HTTP/API/check_config gruen, MQTT Publish/Subscribe und retained
+  Topic nach Broker-Restart gruen
+
+Status 2026-06-13: HA-MQTT-Integration ist produktiv verbunden.
+
+Verifikation:
+
+```sh
+TOKEN=$(cat /mnt/user/appdata/secrets/ha_token_codex)
+curl -ksS -H "Authorization: Bearer $TOKEN" \
+  https://home.kaleschke.info/api/config/config_entries/entry
+docker logs --tail=120 smarthome-mosquitto
+docker exec homeassistant python -m homeassistant --script check_config --config /config
+```
+
+Erwartung: Ein MQTT-Config-Entry `smarthome-mosquitto` mit Status `loaded`, ein
+Mosquitto-Client mit User `homeassistant`, und `check_config` ohne Fehler.
+
+## 9. SolarEdge lokal
+
+Status 2026-06-13: SolarEdge ist lokal per Modbus TCP angebunden.
+
+- Integration: HACS/Custom `solaredge_modbus_multi` v3.2.5
+- HA-Config-Entry: `SolarEdge Local`, Status `loaded`
+- Wechselrichter: `192.168.178.111:1502`
+- Modbus Device-ID: `1`
+- Optionen: Polling 60 Sekunden, Meter-Erkennung aktiv, Batterie-Erkennung
+  aktiv, Extras aus, Power-Control aus
+
+Verifikation:
+
+```sh
+TOKEN=$(cat /mnt/user/appdata/secrets/ha_token_codex)
+curl -ksS -H "Authorization: Bearer $TOKEN" \
+  https://home.kaleschke.info/api/config/config_entries/entry
+curl -ksS -H "Authorization: Bearer $TOKEN" \
+  https://home.kaleschke.info/api/states
+docker exec homeassistant python -m homeassistant --script check_config --config /config
+```
+
+Wichtige Energy-Dashboard-Kandidaten:
+
+- PV-Produktion: `sensor.solaredge_local_i1_ac_energy`
+- Netzbezug: `sensor.solaredge_local_i1_m1_ac_energy_imported`
+- Einspeisung: `sensor.solaredge_local_i1_m1_ac_energy_exported`
+- Batterie geladen: `sensor.solaredge_local_i1_b1_energy_import`
+- Batterie entladen: `sensor.solaredge_local_i1_b1_energy_export`
+- Batterie-SoC: `sensor.solaredge_local_i1_b1_state_of_energy`
+
+Nach der Integration wurde ein HA-native Backup erzeugt und tar-geprueft:
+`/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_14.59_48645373.tar`.
+
+Trade-off: Dieser Pfad ist lokal und liefert Inverter, Meter und Batterie ohne
+Cloud-API, nutzt aber eine Custom-Integration. Bei HA-Core-Upgrades auf Warnungen
+zu `solaredge_modbus_multi` achten.
+
+## 10. Energy Dashboard
+
+Status 2026-06-13: Energy Dashboard ist ueber die Home-Assistant-WebSocket-API
+konfiguriert und validiert.
+
+Konfiguration:
+
+- Netz: Bezug `sensor.solaredge_local_i1_m1_ac_energy_imported`, Einspeisung
+  `sensor.solaredge_local_i1_m1_ac_energy_exported`
+- PV: Produktion `sensor.solaredge_local_i1_ac_energy`, Live-Leistung
+  `sensor.solaredge_local_i1_ac_power`
+- Speicher: Entladung `sensor.solaredge_local_i1_b1_energy_export`, Ladung
+  `sensor.solaredge_local_i1_b1_energy_import`, SoC
+  `sensor.solaredge_local_i1_b1_state_of_energy`
+- Kosten/Preise: noch nicht gesetzt; folgt mit Tibber
+
+Verifikation:
+
+```sh
+TOKEN=$(cat /mnt/user/appdata/secrets/ha_token_codex)
+# WebSocket: energy/get_prefs und energy/validate
+sed -n '1,260p' /mnt/user/appdata/homeassistant/.storage/energy
+```
+
+Erwartung: `.storage/energy` enthaelt drei Quellen (`grid`, `solar`,
+`battery`), und `energy/validate` meldet keine Issues.
+
+Nach der Energy-Konfiguration wurde ein HA-native Backup erzeugt und
+tar-geprueft:
+`/mnt/user/appdata/homeassistant/backups/Custom_backup_2026.6.1_2026-06-13_15.59_25670583.tar`.
+
+Naechster Schritt: Tibber per HA-UI-Config-Flow verbinden und danach Kosten im
+Energy Dashboard ergaenzen.

infra/postgresql17/docker-compose.yml

@@ -1,6 +1,6 @@
 services:
   postgresql17:
-    image: postgres:18.4@sha256:29ee7bb30d804447dc9a91fd0d74322ae1dc3a4072cc6346f70a5ed6e783b565
+    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
     container_name: postgresql17
     restart: unless-stopped
 

monitoring/grafana/dashboards/solar-pv.json

@@ -0,0 +1,204 @@
+{
+  "uid": "ha-solar-pv",
+  "title": "Solar PV System",
+  "tags": ["solar", "solaredge", "homeassistant", "energy"],
+  "timezone": "browser",
+  "schemaVersion": 39,
+  "version": 1,
+  "refresh": "30s",
+  "time": { "from": "now-24h", "to": "now" },
+  "templating": { "list": [] },
+  "annotations": { "list": [] },
+  "panels": [
+    {
+      "id": 1,
+      "title": "Power",
+      "type": "timeseries",
+      "gridPos": { "h": 11, "w": 12, "x": 0, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "kwatt", "custom": { "drawStyle": "line", "fillOpacity": 30, "lineWidth": 1, "showPoints": "never" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Solar Produktion" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#73bf69" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Strom Verbrauch" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fade2a" } } ] }
+        ]
+      },
+      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull"] }, "tooltip": { "mode": "multi" } },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_pv_live_power' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'kallihome_live_load_power' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 2,
+      "title": "Aktuelle Solar Produktion",
+      "type": "bargauge",
+      "gridPos": { "h": 4, "w": 6, "x": 12, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatt", "min": 0, "max": 8, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_pv_live_power' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 3,
+      "title": "Strom Produziert (Heute)",
+      "type": "gauge",
+      "gridPos": { "h": 7, "w": 6, "x": 18, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatth", "min": 0, "max": 50, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 4,
+      "title": "Produktion und Verbrauch kWh",
+      "type": "bargauge",
+      "gridPos": { "h": 7, "w": 6, "x": 12, "y": 4 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "kwatth", "min": 0, "color": { "mode": "continuous-GrYlRd" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Solar Produktion" } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Netzbezug" } ] }
+        ]
+      },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_grid_import_today' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 5,
+      "title": "Tages Produktion 30 Tage Übersicht",
+      "type": "barchart",
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 11 },
+      "timeFrom": "30d",
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "continuous-GrYlRd" }, "custom": { "fillOpacity": 80, "gradientMode": "scheme", "lineWidth": 1 } }, "overrides": [] },
+      "options": { "orientation": "vertical", "showValue": "never", "xField": "time", "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT date_bin(INTERVAL '1 day', time) AS time, max(value) AS value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND $__timeFilter(time) GROUP BY 1 ORDER BY 1" } ]
+    },
+    {
+      "id": 6,
+      "title": "Speicher-Ladestand",
+      "type": "gauge",
+      "gridPos": { "h": 4, "w": 6, "x": 18, "y": 7 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "percent", "min": 0, "max": 100, "thresholds": { "mode": "absolute", "steps": [ { "color": "red", "value": null }, { "color": "yellow", "value": 20 }, { "color": "green", "value": 50 } ] } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": true },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'solaredge_local_i1_b1_state_of_energy' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 7,
+      "title": "Erreichte TOP kWh an einem Tag",
+      "type": "bargauge",
+      "gridPos": { "h": 4, "w": 12, "x": 12, "y": 11 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "kwatth", "min": 0, "max": 50, "color": { "mode": "continuous-GrYlRd" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Bester Wert bis jetzt" } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Heute" } ] }
+        ]
+      },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT max(d) AS value FROM (SELECT date_bin(INTERVAL '1 day', time) AS day, max(value) AS d FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' AND time > now() - INTERVAL '365 days' GROUP BY 1)" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT value FROM \"kWh\" WHERE entity_id = 'solaredge_pv_energy_today' ORDER BY time DESC LIMIT 1" }
+      ]
+    },
+    {
+      "id": 8,
+      "title": "Gesamt Produktion kWh",
+      "type": "stat",
+      "gridPos": { "h": 4, "w": 12, "x": 12, "y": 15 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "area", "textMode": "value" },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_local_i1_ac_energy' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 9,
+      "title": "Netzbilanz (heute)",
+      "type": "bargauge",
+      "gridPos": { "h": 4, "w": 12, "x": 0, "y": 19 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "kwatth", "min": 0, "color": { "mode": "continuous-GrYlRd" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Netzbezug" } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Einspeisung" } ] }
+        ]
+      },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "displayMode": "lcd", "orientation": "horizontal", "showUnfilled": true },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_grid_import_today' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'solaredge_grid_export_today' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 10,
+      "title": "Netz & Batterie (Verlauf)",
+      "type": "timeseries",
+      "gridPos": { "h": 7, "w": 24, "x": 0, "y": 23 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "kwatt", "custom": { "drawStyle": "line", "fillOpacity": 10, "lineWidth": 2 } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Netzbezug" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fa5252" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Einspeisung" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "C" }, "properties": [ { "id": "displayName", "value": "Speicher laden" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#37b24d" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "D" }, "properties": [ { "id": "displayName", "value": "Speicher entladen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#d6336c" } } ] }
+        ]
+      },
+      "options": { "legend": { "displayMode": "list", "placement": "bottom" }, "tooltip": { "mode": "multi" } },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_grid_import_power' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_grid_export_power' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "C", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_battery_charge_power' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "D", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'solaredge_battery_discharge_power' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 11,
+      "title": "Wallbox – Ladeleistung",
+      "type": "timeseries",
+      "gridPos": { "h": 7, "w": 12, "x": 0, "y": 30 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatt", "color": { "mode": "fixed", "fixedColor": "#9775fa" }, "custom": { "drawStyle": "line", "fillOpacity": 20, "lineWidth": 2 } }, "overrides": [] },
+      "options": { "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'eh7klptt_leistung' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 12,
+      "title": "Ladeleistung",
+      "type": "gauge",
+      "gridPos": { "h": 7, "w": 6, "x": 12, "y": 30 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatt", "min": 0, "max": 11, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kW\" WHERE entity_id = 'eh7klptt_leistung' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 13,
+      "title": "Gesamt geladen",
+      "type": "stat",
+      "gridPos": { "h": 4, "w": 6, "x": 18, "y": 30 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "fixed", "fixedColor": "#9775fa" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "area", "textMode": "value" },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'eh7klptt_gesamtenergie' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 14,
+      "title": "Aktuelle Session",
+      "type": "stat",
+      "gridPos": { "h": 3, "w": 6, "x": 18, "y": 34 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "kwatth", "color": { "mode": "fixed", "fixedColor": "#4dabf7" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "none", "textMode": "value" },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"kWh\" WHERE entity_id = 'eh7klptt_sitzungsenergie' AND $__timeFilter(time) ORDER BY time" } ]
+    }
+  ]
+}

monitoring/grafana/dashboards/weather-archive.json

@@ -0,0 +1,165 @@
+{
+  "uid": "ha-weather-archive",
+  "title": "Wetterarchiv KalliHome",
+  "tags": ["weather", "ecowitt", "homeassistant"],
+  "timezone": "browser",
+  "schemaVersion": 39,
+  "version": 2,
+  "refresh": "1m",
+  "time": { "from": "now-7d", "to": "now" },
+  "templating": { "list": [] },
+  "annotations": { "list": [] },
+  "panels": [
+    {
+      "id": 1,
+      "title": "Außentemperatur",
+      "type": "gauge",
+      "gridPos": { "h": 5, "w": 4, "x": 0, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "celsius", "min": -10, "max": 40, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 2,
+      "title": "Luftfeuchte",
+      "type": "gauge",
+      "gridPos": { "h": 5, "w": 4, "x": 4, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "percent", "min": 0, "max": 100, "color": { "mode": "continuous-BlYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_humidity' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 3,
+      "title": "Wind",
+      "type": "gauge",
+      "gridPos": { "h": 5, "w": 4, "x": 8, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "velocitykmh", "min": 0, "max": 60, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_speed' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 4,
+      "title": "UV-Index",
+      "type": "gauge",
+      "gridPos": { "h": 5, "w": 4, "x": 12, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "short", "min": 0, "max": 11, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"UV index\" WHERE entity_id = 'gw3000a_uv_index' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 5,
+      "title": "Solarstrahlung",
+      "type": "gauge",
+      "gridPos": { "h": 5, "w": 4, "x": 16, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "wattm2", "min": 0, "max": 1200, "color": { "mode": "continuous-GrYlRd" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "showThresholdMarkers": false },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 6,
+      "title": "Luftdruck",
+      "type": "stat",
+      "gridPos": { "h": 5, "w": 4, "x": 20, "y": 0 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "pressurehpa", "color": { "mode": "fixed", "fixedColor": "#4dabf7" } }, "overrides": [] },
+      "options": { "reduceOptions": { "calcs": ["lastNotNull"] }, "colorMode": "value", "graphMode": "area", "textMode": "value" },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"hPa\" WHERE entity_id = 'gw3000a_relative_pressure' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 7,
+      "title": "Temperatur (°C)",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 5 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "celsius", "custom": { "drawStyle": "line", "fillOpacity": 12, "lineWidth": 2, "showPoints": "never" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Außen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fa5252" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Gefühlt" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#ff922b" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "C" }, "properties": [ { "id": "displayName", "value": "Taupunkt" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "D" }, "properties": [ { "id": "displayName", "value": "Innen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#82c91e" } } ] }
+        ]
+      },
+      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull"] }, "tooltip": { "mode": "multi" } },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_outdoor_temperature' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_feels_like_temperature' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "C", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_dewpoint' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "D", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"°C\" WHERE entity_id = 'gw3000a_indoor_temperature' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 8,
+      "title": "Luftfeuchte (%)",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 5 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "percent", "min": 0, "max": 100, "custom": { "drawStyle": "line", "fillOpacity": 12, "lineWidth": 2, "showPoints": "never" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Außen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#4dabf7" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Innen" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#82c91e" } } ] }
+        ]
+      },
+      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull"] }, "tooltip": { "mode": "multi" } },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_humidity' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"%\" WHERE entity_id = 'gw3000a_indoor_humidity' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 9,
+      "title": "Solarstrahlung (W/m²)",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 13 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "wattm2", "color": { "mode": "fixed", "fixedColor": "#f2b705" }, "custom": { "drawStyle": "line", "fillOpacity": 35, "lineWidth": 1, "showPoints": "never", "gradientMode": "opacity" } }, "overrides": [] },
+      "options": { "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"W/m²\" WHERE entity_id = 'gw3000a_solar_radiation' AND $__timeFilter(time) ORDER BY time" } ]
+    },
+    {
+      "id": 10,
+      "title": "Wind (km/h)",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 13 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": {
+        "defaults": { "unit": "velocitykmh", "custom": { "drawStyle": "line", "fillOpacity": 10, "lineWidth": 2, "showPoints": "never" } },
+        "overrides": [
+          { "matcher": { "id": "byFrameRefID", "options": "A" }, "properties": [ { "id": "displayName", "value": "Wind" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#15aabf" } } ] },
+          { "matcher": { "id": "byFrameRefID", "options": "B" }, "properties": [ { "id": "displayName", "value": "Böe" }, { "id": "color", "value": { "mode": "fixed", "fixedColor": "#fab005" } } ] }
+        ]
+      },
+      "options": { "legend": { "displayMode": "list", "placement": "bottom", "calcs": ["lastNotNull", "max"] }, "tooltip": { "mode": "multi" } },
+      "targets": [
+        { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_speed' AND $__timeFilter(time) ORDER BY time" },
+        { "refId": "B", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"km/h\" WHERE entity_id = 'gw3000a_wind_gust' AND $__timeFilter(time) ORDER BY time" }
+      ]
+    },
+    {
+      "id": 11,
+      "title": "Regen pro Tag (mm)",
+      "type": "barchart",
+      "gridPos": { "h": 8, "w": 12, "x": 0, "y": 21 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "lengthmm", "color": { "mode": "fixed", "fixedColor": "#4dabf7" }, "custom": { "fillOpacity": 80, "lineWidth": 1 } }, "overrides": [] },
+      "options": { "orientation": "vertical", "showValue": "auto", "xField": "time", "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "table", "rawSql": "SELECT date_bin(INTERVAL '1 day', time) AS time, max(value) AS value FROM \"mm\" WHERE entity_id = 'gw3000a_daily_rain' AND $__timeFilter(time) GROUP BY 1 ORDER BY 1" } ]
+    },
+    {
+      "id": 12,
+      "title": "Luftdruck (hPa)",
+      "type": "timeseries",
+      "gridPos": { "h": 8, "w": 12, "x": 12, "y": 21 },
+      "datasource": { "type": "influxdb", "uid": "ha-weather-influx" },
+      "fieldConfig": { "defaults": { "unit": "pressurehpa", "decimals": 0, "color": { "mode": "fixed", "fixedColor": "#9775fa" }, "custom": { "drawStyle": "line", "fillOpacity": 10, "lineWidth": 2, "showPoints": "never" } }, "overrides": [] },
+      "options": { "legend": { "showLegend": false }, "tooltip": { "mode": "single" } },
+      "targets": [ { "refId": "A", "datasource": { "type": "influxdb", "uid": "ha-weather-influx" }, "rawQuery": true, "format": "time_series", "rawSql": "SELECT time, value FROM \"hPa\" WHERE entity_id = 'gw3000a_relative_pressure' AND $__timeFilter(time) ORDER BY time" } ]
+    }
+  ]
+}

monitoring/grafana/provisioning/datasources/datasources.yml

@@ -31,3 +31,19 @@ datasources:
       insecureGrpc: true
     secureJsonData:
       token: $GRAFANA_INFLUXDB_TOKEN
+
+  # Wetter-/Langzeitarchiv aus Home Assistant (Ecowitt). Gleiche InfluxDB-Instanz,
+  # aber Datenbank `homeassistant`; gleicher Admin-Read-Token.
+  - name: InfluxDB HA Weather
+    uid: ha-weather-influx
+    type: influxdb
+    access: proxy
+    url: http://influxdb3-core:8181
+    editable: false
+    jsonData:
+      version: SQL
+      dbName: homeassistant
+      httpMode: POST
+      insecureGrpc: true
+    secureJsonData:
+      token: $GRAFANA_INFLUXDB_TOKEN

ops/glance/config/home.yml

@@ -106,10 +106,91 @@
             - timezone: UTC
               label: UTC
 
-        - type: weather
-          location: Berlin, Germany
-          units: metric
-          hour-format: 24h
+        - type: custom-api
+          title: Wetter · KalliHome
+          title-url: https://home.kaleschke.info
+          cache: 30s
+          url: http://homeassistant:8123/api/states/sensor.gw3000a_outdoor_temperature
+          headers:
+            Authorization: Bearer ${GLANCE_HA_TOKEN}
+            Content-Type: application/json
+          subrequests:
+            feels:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_feels_like_temperature
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            humidity:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_humidity
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            wind:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_wind_speed
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            gust:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_wind_gust
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            rain:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_daily_rain
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            solar:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_solar_radiation
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            uv:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_uv_index
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+            pressure:
+              url: http://homeassistant:8123/api/states/sensor.gw3000a_relative_pressure
+              headers:
+                Authorization: Bearer ${GLANCE_HA_TOKEN}
+          template: |
+            {{ $temp := .JSON.String "state" }}
+            {{ $feels := (.Subrequest "feels").JSON.String "state" }}
+            {{ $hum := (.Subrequest "humidity").JSON.String "state" }}
+            {{ $wind := (.Subrequest "wind").JSON.String "state" }}
+            {{ $gust := (.Subrequest "gust").JSON.String "state" }}
+            {{ $rain := (.Subrequest "rain").JSON.String "state" }}
+            {{ $solar := (.Subrequest "solar").JSON.String "state" }}
+            {{ $uv := (.Subrequest "uv").JSON.String "state" }}
+            {{ $press := (.Subrequest "pressure").JSON.String "state" }}
+            {{ $gustF := (.Subrequest "gust").JSON.Float "state" }}
+            {{ $divider := "border-left: 1px solid hsla(220, 40%, 70%, 0.14);" }}
+            <div class="text-center" style="margin-bottom: 12px;">
+              <div class="color-highlight size-h2" style="font-weight: 700;">{{ $temp }}°C</div>
+              <div class="size-h6 color-subdue">gefühlt {{ $feels }}° · {{ $hum }}% feucht</div>
+            </div>
+            <div class="flex justify-between text-center" style="margin-bottom: 12px;">
+              <div style="flex: 1;">
+                <div class="size-h4 {{ if gt $gustF 40.0 }}color-negative{{ else }}color-highlight{{ end }}">{{ $wind }}</div>
+                <div class="size-h6 uppercase color-subdue">km/h Wind</div>
+              </div>
+              <div style="flex: 1; {{ $divider }}">
+                <div class="size-h4 {{ if gt $gustF 40.0 }}color-negative{{ else }}color-highlight{{ end }}">{{ $gust }}</div>
+                <div class="size-h6 uppercase color-subdue">km/h Böe</div>
+              </div>
+              <div style="flex: 1; {{ $divider }}">
+                <div class="size-h4 color-highlight">{{ $rain }}</div>
+                <div class="size-h6 uppercase color-subdue">mm heute</div>
+              </div>
+            </div>
+            <div class="flex justify-between text-center">
+              <div style="flex: 1;">
+                <div class="size-h4 color-highlight">{{ $solar }}</div>
+                <div class="size-h6 uppercase color-subdue">W/m² Solar</div>
+              </div>
+              <div style="flex: 1; {{ $divider }}">
+                <div class="size-h4 color-highlight">{{ $uv }}</div>
+                <div class="size-h6 uppercase color-subdue">UV-Index</div>
+              </div>
+              <div style="flex: 1; {{ $divider }}">
+                <div class="size-h4 color-highlight">{{ $press }}</div>
+                <div class="size-h6 uppercase color-subdue">hPa Druck</div>
+              </div>
+            </div>
 
         - type: calendar
           first-day-of-week: monday

ops/glance/docker-compose.yml

@@ -14,6 +14,7 @@ services:
       GLANCE_GITEA_TOKEN: ${GLANCE_GITEA_TOKEN:-}
       GLANCE_PAPERLESS_TOKEN: ${GLANCE_PAPERLESS_TOKEN:-}
       GLANCE_MEALIE_TOKEN: ${GLANCE_MEALIE_TOKEN:-}
+      GLANCE_HA_TOKEN: ${GLANCE_HA_TOKEN:-}
     volumes:
       - ./config:/app/config:ro
       - ./assets:/app/assets:ro

ops/restore-tests/README.md

@@ -59,7 +59,7 @@ Stand 2026-06-11 ist der Betrieb auf V1+ (validierte Bash-Host-Jobs mit ntfy):
 # Frische-Check
 bash /mnt/user/services/homelab-infra/ops/restore-tests/run-restore-checks.sh freshness
 
-# Dienst-Restore-Check (vaultwarden|gitea|paperless|immich|authelia|adguard|redis|komodo-bootstrap|nextcloud)
+# Dienst-Restore-Check (vaultwarden|gitea|paperless|immich|authelia|adguard|redis|homeassistant|komodo-bootstrap|nextcloud)
 bash /mnt/user/services/homelab-infra/ops/restore-tests/run-restore-checks.sh <dienst>
 
 # Negativtest des Alarmwegs (quartalsweise)
@@ -77,6 +77,7 @@ Einziger Status-Ort ist die **Reifegrad-Tabelle** in `docs/RESTORE_MATRIX.md`
 - **Nextcloud:** Test am 2026-06-03 erfolgreich, aber mit Unraid-shfs-Eigenheit: Nextcloud fuehrt `chmod()` unter `/var/www/html` aus, was auf FUSE/shfs scheitert. Das Skript patcht `check_data_directory_permissions: false` und legt den `.ncdata`-Marker an.
 - **Authelia:** bewusst Config-Smoke ohne produktiven Dump-Restore (Storage-Encryption-Key-Kopplung).
 - **Immich:** Foto-Dateien-Restore ist bewusst nicht Teil des Smokes (separater DR-Drill); Test-Postgres nutzt das produktive VectorChord-Image.
+- **Home Assistant:** nutzt das neueste HA-native Backup-Artefakt und eine Kopie der Mosquitto-Appdata; Testcontainer laufen nur auf localhost-Ports, ohne Traefik/Public Route.
 - **Unraid-Flash / Tailscale:** noch ohne vollstaendigen Erstlauf - `unraid-flash-runbook.md`, `tailscale-runbook.md`; offene Schritte in `docs/MASTER_TODO.md`.
 
 ## Naechste Ausbaustufen

ops/restore-tests/homeassistant-compose.test.yml

@@ -0,0 +1,29 @@
+services:
+  restoretest-ha-mosquitto:
+    image: eclipse-mosquitto:2.0.22@sha256:914f529386804c8278a4e581526b9be5e1604df44b30daabc70aa97dcefe5268
+    container_name: restoretest-ha-mosquitto
+    restart: "no"
+    volumes:
+      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
+      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/appdata/config:/mosquitto/external_config:ro
+      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/appdata/data:/mosquitto/data
+      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/mosquitto/appdata/log:/mosquitto/log
+    ports:
+      - "127.0.0.1:11883:1883"
+    security_opt:
+      - no-new-privileges:true
+
+  restoretest-homeassistant:
+    image: ghcr.io/home-assistant/home-assistant:2026.6.1@sha256:59aa8824955c9db491b75d2eebe42bd68494f80c2ec69ec0d66d9dae37d37514
+    container_name: restoretest-homeassistant
+    restart: "no"
+    depends_on:
+      - restoretest-ha-mosquitto
+    environment:
+      TZ: Europe/Berlin
+    volumes:
+      - ${RESTORE_ROOT:-/mnt/user/backups/restore-lab/homeassistant}/homeassistant/config:/config
+    ports:
+      - "127.0.0.1:18123:8123"
+    security_opt:
+      - no-new-privileges:true

ops/restore-tests/homeassistant-restore-test.sh

@@ -0,0 +1,236 @@
+#!/bin/bash
+set -euo pipefail
+
+# Home Assistant + Mosquitto Restore Smoke Test
+#
+# Scope:
+# - Restore aus dem neuesten HA-nativen Backup-Artefakt
+# - Kopie der Mosquitto-Appdata in ein isoliertes Restore-Lab
+# - Kopie des Fachrepo-Clones zur Lesbarkeits-/Git-Status-Pruefung
+# - Start isolierter Testcontainer auf localhost-Ports, ohne Traefik/Public Route
+# - HA HTTP/API-Smoke und MQTT Publish/Subscribe + retained Topic nach Restart
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+. "$SCRIPT_DIR/common.sh"
+
+WHATIF=0
+KEEP_DATA=0
+for arg in "$@"; do
+  case "$arg" in
+    --what-if) WHATIF=1 ;;
+    --keep-data) KEEP_DATA=1 ;;
+    *) echo "Unknown argument: $arg" >&2; exit 1 ;;
+  esac
+done
+
+RESTORE_ROOT="/mnt/user/backups/restore-lab/homeassistant"
+REPORT_ROOT="/mnt/user/backups/restore-reports"
+REPORT_FILE="$REPORT_ROOT/homeassistant-$(date +%F).md"
+COMPOSE_FILE="$SCRIPT_DIR/homeassistant-compose.test.yml"
+HA_BACKUP_DIR="/mnt/user/appdata/homeassistant/backups"
+MOSQUITTO_APPDATA="/mnt/user/appdata/mosquitto"
+MOSQUITTO_REPO_CONF="/mnt/user/services/homelab-infra/smart-home/mosquitto/config/mosquitto.conf"
+FACHREPO_SOURCE="/mnt/user/services/smart-home-kalli"
+HA_TOKEN_FILE="/mnt/user/appdata/secrets/ha_token_codex"
+
+if [ "$WHATIF" -eq 1 ]; then
+  cat <<EOF
+Home Assistant restore test
+Mode: WhatIf
+RestoreRoot: $RESTORE_ROOT
+HA backup source: newest *.tar under $HA_BACKUP_DIR
+Mosquitto source: $MOSQUITTO_APPDATA
+Fachrepo source: $FACHREPO_SOURCE
+Test endpoints: HA http://127.0.0.1:18123, MQTT 127.0.0.1:11883
+Scope: HA backup extract + isolated HA boot + API token smoke + MQTT auth/retained smoke
+EOF
+  exit 0
+fi
+
+require_cmd docker
+require_cmd tar
+require_cmd curl
+require_path "$COMPOSE_FILE"
+require_path "$HA_BACKUP_DIR"
+require_path "$MOSQUITTO_APPDATA/config/passwordfile"
+require_path "$MOSQUITTO_APPDATA/config/aclfile"
+require_path "$MOSQUITTO_APPDATA/data"
+require_path "$MOSQUITTO_REPO_CONF"
+require_path "$FACHREPO_SOURCE"
+require_path "$HA_TOKEN_FILE"
+
+RESTORE_SUCCESS=0
+cleanup() {
+  RESTORE_ROOT="$RESTORE_ROOT" cleanup_compose "$COMPOSE_FILE"
+  if [ "$RESTORE_SUCCESS" -ne 1 ]; then
+    preserve_on_failure "homeassistant" "$RESTORE_ROOT"
+    return
+  fi
+  if [ "$KEEP_DATA" -ne 1 ]; then
+    rm -rf "$RESTORE_ROOT"
+  fi
+}
+trap cleanup EXIT
+
+latest_backup="$(find "$HA_BACKUP_DIR" -maxdepth 1 -type f -name '*.tar' -printf '%T@ %p\n' | sort -nr | awk 'NR==1 {print substr($0, index($0,$2))}')"
+if [ -z "$latest_backup" ] || [ ! -f "$latest_backup" ]; then
+  echo "No HA native backup tar found under $HA_BACKUP_DIR" >&2
+  exit 1
+fi
+
+rm -rf "$RESTORE_ROOT"
+mkdir -p \
+  "$RESTORE_ROOT/ha-backup" \
+  "$RESTORE_ROOT/homeassistant/config" \
+  "$RESTORE_ROOT/mosquitto/config" \
+  "$RESTORE_ROOT/mosquitto/appdata/config" \
+  "$RESTORE_ROOT/mosquitto/appdata/data" \
+  "$RESTORE_ROOT/mosquitto/appdata/log" \
+  "$RESTORE_ROOT/fachrepo"
+
+tar -xf "$latest_backup" -C "$RESTORE_ROOT/ha-backup"
+require_path "$RESTORE_ROOT/ha-backup/backup.json"
+require_path "$RESTORE_ROOT/ha-backup/homeassistant.tar.gz"
+tar -xzf "$RESTORE_ROOT/ha-backup/homeassistant.tar.gz" -C "$RESTORE_ROOT/homeassistant/config" --strip-components=1 data
+
+cp "$MOSQUITTO_REPO_CONF" "$RESTORE_ROOT/mosquitto/config/mosquitto.conf"
+cp -a "$MOSQUITTO_APPDATA/config/." "$RESTORE_ROOT/mosquitto/appdata/config/"
+cp -a "$MOSQUITTO_APPDATA/data/." "$RESTORE_ROOT/mosquitto/appdata/data/"
+if [ -d "$MOSQUITTO_APPDATA/log" ]; then
+  cp -a "$MOSQUITTO_APPDATA/log/." "$RESTORE_ROOT/mosquitto/appdata/log/" || true
+fi
+cp -a "$FACHREPO_SOURCE/." "$RESTORE_ROOT/fachrepo/"
+
+ha_config="$RESTORE_ROOT/homeassistant/config"
+require_path "$ha_config/configuration.yaml"
+require_path "$ha_config/secrets.yaml"
+require_path "$ha_config/trusted_proxies.yaml"
+require_path "$ha_config/.storage/onboarding"
+require_path "$ha_config/.storage/auth"
+
+fachrepo_head="$(git -C "$RESTORE_ROOT/fachrepo" log -1 --oneline)"
+fachrepo_status="$(git -C "$RESTORE_ROOT/fachrepo" status --short)"
+if [ -n "$fachrepo_status" ]; then
+  echo "Restored fachrepo clone is not clean:" >&2
+  echo "$fachrepo_status" >&2
+  exit 1
+fi
+
+backup_size="$(stat -c '%s' "$latest_backup")"
+ha_file_count="$(find "$ha_config" -type f | wc -l | tr -d ' ')"
+ha_bytes="$(du -sb "$ha_config" | awk '{print $1}')"
+mosquitto_data_bytes="$(du -sb "$RESTORE_ROOT/mosquitto/appdata" | awk '{print $1}')"
+
+RESTORE_ROOT="$RESTORE_ROOT" docker compose -f "$COMPOSE_FILE" down >/dev/null 2>&1 || true
+RESTORE_ROOT="$RESTORE_ROOT" docker compose -f "$COMPOSE_FILE" up -d >/dev/null
+
+mqtt_user="$(sed -n 's/^mqtt_username:[[:space:]]*//p' "$ha_config/secrets.yaml" | sed "s/^['\"]//;s/['\"]$//")"
+mqtt_pass="$(sed -n 's/^mqtt_password:[[:space:]]*//p' "$ha_config/secrets.yaml" | sed "s/^['\"]//;s/['\"]$//")"
+if [ -z "$mqtt_user" ] || [ -z "$mqtt_pass" ]; then
+  echo "Missing mqtt_username or mqtt_password in restored HA secrets.yaml" >&2
+  exit 1
+fi
+
+mqtt_topic="restoretest/homeassistant/smoke"
+mqtt_payload="ok-$(date +%s)"
+mqtt_out="$RESTORE_ROOT/mqtt-sub.out"
+rm -f "$mqtt_out"
+docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$mqtt_topic" \
+  restoretest-ha-mosquitto sh -lc \
+  'mosquitto_sub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -C 1 -W 10' \
+  > "$mqtt_out" &
+sub_pid=$!
+sleep 1
+docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$mqtt_topic" -e MQTT_PAYLOAD="$mqtt_payload" \
+  restoretest-ha-mosquitto sh -lc \
+  'mosquitto_pub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -m "$MQTT_PAYLOAD"'
+wait "$sub_pid"
+mqtt_result="$(cat "$mqtt_out")"
+if [ "$mqtt_result" != "$mqtt_payload" ]; then
+  echo "MQTT publish/subscribe smoke failed" >&2
+  exit 1
+fi
+
+retained_topic="restoretest/homeassistant/retained"
+retained_payload="retained-$(date +%s)"
+docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$retained_topic" -e MQTT_PAYLOAD="$retained_payload" \
+  restoretest-ha-mosquitto sh -lc \
+  'mosquitto_pub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -m "$MQTT_PAYLOAD" -r'
+docker restart restoretest-ha-mosquitto >/dev/null
+sleep 3
+retained_result="$(docker exec -e MQTT_USER="$mqtt_user" -e MQTT_PASS="$mqtt_pass" -e MQTT_TOPIC="$retained_topic" \
+  restoretest-ha-mosquitto sh -lc \
+  'mosquitto_sub -h 127.0.0.1 -p 1883 -u "$MQTT_USER" -P "$MQTT_PASS" -t "$MQTT_TOPIC" -C 1 -W 10' | tr -d '\r')"
+if [ "$retained_result" != "$retained_payload" ]; then
+  echo "MQTT retained smoke failed" >&2
+  exit 1
+fi
+
+ha_http_status=""
+ha_body="$RESTORE_ROOT/ha-http-body.html"
+for _ in $(seq 1 180); do
+  ha_http_status="$(curl -sS -o "$ha_body" -w '%{http_code}' http://127.0.0.1:18123/ || true)"
+  if [ "$ha_http_status" = "200" ] && grep -qi "Home Assistant" "$ha_body"; then
+    break
+  fi
+  sleep 1
+done
+if [ "$ha_http_status" != "200" ] || ! grep -qi "Home Assistant" "$ha_body"; then
+  echo "HA HTTP smoke failed, status=$ha_http_status" >&2
+  docker logs --tail 120 restoretest-homeassistant >&2 || true
+  exit 1
+fi
+
+ha_api_status="$(curl -sS -o "$RESTORE_ROOT/ha-api.json" -w '%{http_code}' \
+  -H "Authorization: Bearer $(cat "$HA_TOKEN_FILE")" \
+  -H 'Content-Type: application/json' \
+  http://127.0.0.1:18123/api/ || true)"
+if [ "$ha_api_status" != "200" ]; then
+  echo "HA API token smoke failed, status=$ha_api_status" >&2
+  exit 1
+fi
+
+RESTORE_ROOT="$RESTORE_ROOT" docker compose -f "$COMPOSE_FILE" exec -T restoretest-homeassistant \
+  python -m homeassistant --script check_config --config /config >/tmp/restoretest-ha-check-config.out
+
+write_report "$REPORT_FILE" <<EOF
+# Home Assistant Restore Test Report - $(date +%F)
+
+- Service: \`homeassistant\` + \`smarthome-mosquitto\`
+- HA backup source: \`$latest_backup\`
+- Restore root: \`$RESTORE_ROOT\`
+- Test containers:
+  - \`restoretest-homeassistant\`
+  - \`restoretest-ha-mosquitto\`
+- Test endpoints:
+  - HA: \`http://127.0.0.1:18123\`
+  - MQTT: \`127.0.0.1:11883\`
+- Result: \`SUCCESS\`
+
+## Checks
+
+- HA-native backup tar readable: \`ok\`
+- HA inner archive restored: \`ok\`
+- HA backup size bytes: \`$backup_size\`
+- Restored HA file count: \`$ha_file_count\`
+- Restored HA bytes: \`$ha_bytes\`
+- Restored Mosquitto appdata bytes: \`$mosquitto_data_bytes\`
+- Fachrepo clone clean: \`ok\`
+- Fachrepo HEAD: \`$fachrepo_head\`
+- HA HTTP status: \`$ha_http_status\`
+- HA API token smoke: \`$ha_api_status\`
+- HA check_config: \`ok\`
+- MQTT publish/subscribe with restored credentials: \`ok\`
+- MQTT retained topic after broker restart: \`ok\`
+
+## Notes
+
+- Productive \`homeassistant\` and \`smarthome-mosquitto\` containers were not used.
+- Test ran without Traefik and without the productive domain.
+- Test ports were bound to localhost only.
+- Token and MQTT password values were used for smoke tests but not printed.
+- Test data was cleaned after success: \`$([ "$KEEP_DATA" -eq 1 ] && echo no || echo yes)\`
+EOF
+
+RESTORE_SUCCESS=1
+echo "Home Assistant restore test ok -> $REPORT_FILE"

ops/restore-tests/run-restore-checks.sh

@@ -55,6 +55,12 @@ case "$MODE" in
     fi
     exec "$SCRIPT_DIR/redis-restore-test.sh"
     ;;
+  homeassistant)
+    if [ "$WHATIF" = "--what-if" ]; then
+      exec "$SCRIPT_DIR/homeassistant-restore-test.sh" --what-if
+    fi
+    exec "$SCRIPT_DIR/homeassistant-restore-test.sh"
+    ;;
   nextcloud)
     if [ "$WHATIF" = "--what-if" ]; then
       exec "$SCRIPT_DIR/nextcloud-restore-test.sh" --what-if
@@ -98,7 +104,7 @@ case "$MODE" in
     exec "$SCRIPT_DIR/shared-pg-cluster-restore-test.sh"
     ;;
   *)
-    echo "Usage: $0 {freshness|freshness-negative|vaultwarden|gitea|paperless|immich|authelia|adguard|redis|nextcloud|komodo-bootstrap|komodo-mongo-restore|traefik|mailarchiver|mealie|shared-pg-cluster} [--what-if]" >&2
+    echo "Usage: $0 {freshness|freshness-negative|vaultwarden|gitea|paperless|immich|authelia|adguard|redis|homeassistant|nextcloud|komodo-bootstrap|komodo-mongo-restore|traefik|mailarchiver|mealie|shared-pg-cluster} [--what-if]" >&2
     exit 1
     ;;
 esac

smart-home/docker-compose.yml

@@ -15,8 +15,16 @@ services:
     networks:
       - frontend_net
       - smarthome_net
-    expose:
-      - "8123"
+      # Zugang zum bestehenden Monitoring-Netz nur fuer den InfluxDB-3-Writer
+      # (Wetter-/Langzeitarchiv). HA schreibt intern an monitoring-influxdb3-core:8181,
+      # kein Host-Port, keine LAN-Exposition. Siehe docs/DECISIONS.md (2026-06-13).
+      - monitoring_net
+    # LAN-only Host-Bind nur fuer den Ecowitt-HTTP-Push: das GW3000-Gateway kann
+    # kein HTTPS und pusht per HTTP direkt an den HA-Webhook. Bindung ausschliesslich
+    # auf die LAN-IP (nicht 0.0.0.0, nicht WAN). Dokumentierte Ausnahme analog
+    # InfluxDB 8181, siehe docs/DECISIONS.md (2026-06-13) und Architektur-Master 10.
+    ports:
+      - "192.168.178.58:8123:8123"
     security_opt:
       - no-new-privileges:true
     depends_on:
@@ -28,8 +36,7 @@ services:
       - traefik.http.routers.homeassistant.entrypoints=websecure
       - traefik.http.routers.homeassistant.tls=true
       - traefik.http.routers.homeassistant.tls.certresolver=le
-      # Temporary onboarding guard: remove after the HA owner account exists.
-      - traefik.http.routers.homeassistant.middlewares=authelia@file,secure-headers@file
+      - traefik.http.routers.homeassistant.middlewares=secure-headers@file
       - traefik.http.services.homeassistant.loadbalancer.server.port=8123
 
   mosquitto:
@@ -56,3 +63,9 @@ networks:
     name: smarthome_net
     driver: bridge
     internal: true
+
+  # Bestehendes Observability-Netz (vom monitoring-Stack angelegt); hier nur
+  # extern referenziert, damit HA den InfluxDB-3-Writer erreicht.
+  monitoring_net:
+    external: true
+    name: monitoring_net