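---
# Compose stack for Home Assistant plus its MQTT broker (Mosquitto).
# Home Assistant is published through Traefik on frontend_net; the broker is
# reachable only on the internal smarthome_net.
services:
  homeassistant:
    # Tag and digest are both given; the digest is what is actually pulled,
    # the tag is kept for readability.
    image: ghcr.io/home-assistant/home-assistant:2026.6.1@sha256:59aa8824955c9db491b75d2eebe42bd68494f80c2ec69ec0d66d9dae37d37514
    container_name: homeassistant
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
    volumes:
      # Writable runtime state.
      - /mnt/user/appdata/homeassistant:/config
      # Configuration files from the services tree are overlaid read-only,
      # so the container cannot modify them.
      - /mnt/user/services/smart-home-kalli/home-assistant/configuration.yaml:/config/configuration.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/automations.yaml:/config/automations.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/scripts.yaml:/config/scripts.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/scenes.yaml:/config/scenes.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/packages:/config/packages:ro
    networks:
      - frontend_net
      - smarthome_net
      # Access to the existing monitoring network only for the InfluxDB 3
      # writer (weather / long-term archive). HA writes internally to
      # monitoring-influxdb3-core:8181; no host port, no LAN exposure.
      # See docs/DECISIONS.md (2026-06-13).
      # NOTE(review): network membership works in both directions, so other
      # containers attached to monitoring_net can presumably reach HA on 8123
      # as well - confirm that this is acceptable.
      - monitoring_net
    # LAN-only host bind solely for the Ecowitt HTTP push: the GW3000 gateway
    # cannot do HTTPS and pushes via HTTP directly to the HA webhook. Bound
    # exclusively to the LAN IP (not 0.0.0.0, not WAN). Documented exception
    # analogous to InfluxDB 8181, see docs/DECISIONS.md (2026-06-13) and
    # Architektur-Master 10.
    # NOTE(review): this publishes the whole HA listener on 8123, not only the
    # webhook path, so LAN clients reach HA over plain HTTP without the
    # Traefik router's TLS and secure-headers middleware. Consider limiting
    # the source to the gateway's address with a host firewall rule.
    ports:
      - "192.168.178.58:8123:8123"
    security_opt:
      - no-new-privileges:true
    # Short-form depends_on only orders container start; it does not wait for
    # the broker to be ready.
    depends_on:
      - mosquitto
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - traefik.http.routers.homeassistant.rule=Host(`home.kaleschke.info`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls=true
      - traefik.http.routers.homeassistant.tls.certresolver=le
      - traefik.http.routers.homeassistant.middlewares=secure-headers@file
      - traefik.http.services.homeassistant.loadbalancer.server.port=8123

  mosquitto:
    image: eclipse-mosquitto:2.0.22@sha256:914f529386804c8278a4e581526b9be5e1604df44b30daabc70aa97dcefe5268
    container_name: smarthome-mosquitto
    restart: unless-stopped
    volumes:
      # Mounted read-only, consistent with the Home Assistant configuration
      # files above: the broker only reads its main configuration.
      - ./mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
      # NOTE(review): contents not visible from this file; if this directory
      # holds password or ACL files that the broker never writes, a read-only
      # mount would fit here too - confirm before changing.
      - /mnt/user/appdata/mosquitto/config:/mosquitto/external_config
      - /mnt/user/appdata/mosquitto/data:/mosquitto/data
      - /mnt/user/appdata/mosquitto/log:/mosquitto/log
    networks:
      - smarthome_net
    # No host port is published; 1883 is reachable only from containers on
    # smarthome_net. Broker authentication is defined in mosquitto.conf, which
    # is not part of this file.
    expose:
      - "1883"
    security_opt:
      - no-new-privileges:true

networks:
  frontend_net:
    external: true
  # internal: true gives this bridge no external connectivity.
  smarthome_net:
    name: smarthome_net
    driver: bridge
    internal: true
  # Existing observability network (created by the monitoring stack); only
  # referenced here as external so that HA can reach the InfluxDB 3 writer.
  monitoring_net:
    external: true
    name: monitoring_net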