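# Smart-home stack: Home Assistant behind Traefik, plus a Mosquitto MQTT broker
# that is reachable only on the internal smarthome_net bridge.
services:
  homeassistant:
    # Pinned by tag and digest, so the image content cannot change under the tag.
    image: ghcr.io/home-assistant/home-assistant:2026.6.1@sha256:59aa8824955c9db491b75d2eebe42bd68494f80c2ec69ec0d66d9dae37d37514
    container_name: homeassistant
    restart: unless-stopped
    environment:
      TZ: Europe/Berlin
    volumes:
      # Writable state directory (database, .storage, and so on).
      - /mnt/user/appdata/homeassistant:/config
      # Repo-managed configuration is overlaid read-only on top of /config, so
      # the running container cannot rewrite the files that define its
      # behaviour.
      - /mnt/user/services/smart-home-kalli/home-assistant/configuration.yaml:/config/configuration.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/automations.yaml:/config/automations.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/scripts.yaml:/config/scripts.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/scenes.yaml:/config/scenes.yaml:ro
      - /mnt/user/services/smart-home-kalli/home-assistant/packages:/config/packages:ro
    networks:
      - frontend_net
      - smarthome_net
    # `expose` does not publish the port on the host; the UI is reached through
    # Traefik on frontend_net.
    expose:
      - "8123"
    security_opt:
      - no-new-privileges:true
    # Short-form depends_on orders container start only; it does not wait for
    # the broker to accept connections.
    depends_on:
      - mosquitto
    labels:
      - traefik.enable=true
      - traefik.docker.network=frontend_net
      - traefik.http.routers.homeassistant.rule=Host(`home.kaleschke.info`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls=true
      - traefik.http.routers.homeassistant.tls.certresolver=le
      # Temporary onboarding guard: keep HA reachable only from LAN/Tailscale
      # until the owner account exists.
      # NOTE(review): the third sourcerange entry is a single public IPv4
      # address, not a LAN or Tailscale (100.64.0.0/10) range. Confirm it is
      # still intended and still assigned to you before relying on this guard.
      # NOTE(review): the allowlist matches the address Traefik sees. If Traefik
      # sits behind another proxy, check its ipStrategy / forwarded-header
      # settings (not visible from this file).
      - traefik.http.routers.homeassistant.middlewares=homeassistant-lan-only
      - traefik.http.middlewares.homeassistant-lan-only.ipallowlist.sourcerange=192.168.178.0/24,100.64.0.0/10,217.249.114.123/32
      - traefik.http.services.homeassistant.loadbalancer.server.port=8123

  mosquitto:
    image: eclipse-mosquitto:2.0.22@sha256:914f529386804c8278a4e581526b9be5e1604df44b30daabc70aa97dcefe5268
    container_name: smarthome-mosquitto
    restart: unless-stopped
    volumes:
      # Broker configuration is repo-managed, so mount it read-only like the
      # Home Assistant config files above. The file must be readable by the
      # user the broker runs as inside the container.
      # NOTE(review): listener and authentication settings live in this file
      # and are not visible here; confirm anonymous access is disabled
      # (allow_anonymous false).
      - ./mosquitto/config/mosquitto.conf:/mosquitto/config/mosquitto.conf:ro
      - /mnt/user/appdata/mosquitto/config:/mosquitto/external_config
      - /mnt/user/appdata/mosquitto/data:/mosquitto/data
      - /mnt/user/appdata/mosquitto/log:/mosquitto/log
    networks:
      - smarthome_net
    # MQTT is not published on the host; only containers on smarthome_net can
    # reach the broker.
    expose:
      - "1883"
    security_opt:
      - no-new-privileges:true

networks:
  # Created outside this file; shared with Traefik (see the
  # traefik.docker.network label above).
  frontend_net:
    external: true
  # `internal: true` gives this bridge no route to outside networks.
  smarthome_net:
    name: smarthome_net
    driver: bridge
    internal: true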