# ============================================================================
# ha-proxy -- ha.manohargupta.com (runs on HETZNER via DOKPLOY)
# ----------------------------------------------------------------------------
# Home Assistant runs at HOME. This stack is ONLY a reverse-proxy bridge:
#
#   Browser --TLS--> Traefik (Hetzner) --> ha-proxy (nginx) --tailnet--> HA @ home
#
# WHY nginx and not a plain Traefik route to the home IP:
#   - Traefik (Dokploy's) sits on the dokploy-network swarm OVERLAY, which can't
#     cleanly egress to a tailnet peer. nginx here is dual-homed: it takes
#     ingress from Traefik on dokploy-network, and egresses to the home box
#     over a local BRIDGE network (ha_egress) whose gateway is the Hetzner host
#     -- the host then routes to tailscale0. This is the same dokploy-network +
#     bridge pattern your n8n stack already uses successfully.
#   - nginx also handles the WebSocket upgrade HA's frontend depends on.
#
# RAM cost on Hetzner: ~10-15 MB (nginx:alpine). The heavy part stays home.
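# ============================================================================

services:
  # Internet-facing nginx bridge. No `ports:` are published, so the container
  # is reachable only through Traefik on dokploy-network.
  ha-proxy:
    # The tag is mutable upstream. For a reproducible, reviewable image, pin
    # by digest as well, e.g. nginx:1.27-alpine@sha256:<digest-placeholder>.
    image: nginx:1.27-alpine
    restart: unless-stopped
    # Stops processes in the container from gaining privileges through
    # setuid/setgid binaries. Honoured by `docker compose`; `docker stack
    # deploy` ignores security_opt, so verify it on the running container.
    security_opt:
      - "no-new-privileges:true"
    volumes:
      # Read-only mount: the proxy config cannot be rewritten from inside the
      # container. nginx.conf is not part of this file; it should proxy to the
      # single HA upstream only and pass X-Forwarded-For.
      - ./nginx.conf:/etc/nginx/nginx.conf:ro
    networks:
      - dokploy-network   # ingress: Traefik routes ha.manohargupta.com here
      # What this bridge can reach beyond HA depends on host forwarding and
      # the tailnet policy; limit this node to the HA host and port there.
      - ha_egress         # egress: container -> host -> tailscale0 -> home box
    # --- Container-level labels (docker provider) ---
    # Router `ha` listens on `websecure` only and has no middlewares attached,
    # so every request for the host is forwarded as-is; Home Assistant's own
    # login is the only authentication visible from this file. On the HA side,
    # set `http.use_x_forwarded_for` and `http.trusted_proxies` so
    # `ip_ban_enabled` / `login_attempts_threshold` act on the real client
    # address rather than the proxy's, and enable MFA for HA accounts.
    # TLS ends at Traefik; the hop to this service is plain HTTP on port 80.
    # This label set is duplicated under `deploy.labels`; keep both in sync.
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=dokploy-network"
      - "traefik.http.routers.ha.rule=Host(`ha.manohargupta.com`)"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=letsencrypt"
      - "traefik.http.services.ha.loadbalancer.server.port=80"
    # --- Service-level labels (swarm provider) -- Dokploy deploys as swarm stack ---
    # Same routing as the container-level labels above; a change made to only
    # one set leaves the two providers routing differently.
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.docker.network=dokploy-network"
        - "traefik.http.routers.ha.rule=Host(`ha.manohargupta.com`)"
        - "traefik.http.routers.ha.entrypoints=websecure"
        - "traefik.http.routers.ha.tls.certresolver=letsencrypt"
        - "traefik.http.services.ha.loadbalancer.server.port=80"

networks:
  # Pre-existing network shared with Traefik; not created by this stack.
  dokploy-network:
    external: true
  # Local bridge created by this stack; ha-proxy is its only member here.
  ha_egress:
    driver: bridge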