infra/home-assistant/README.md
Mannu 4fc7893d28 Add Home Assistant (home box) + ha-proxy (Hetzner/Dokploy) stacks
- home-assistant/: HA Core + matter-server, host networking (home box, not Dokploy)
- ha-proxy/: nginx reverse-proxy, ha.manohargupta.com -> home HA over Tailscale
- dual-homed (dokploy-network ingress + bridge egress), mirrors n8n pattern
2026-06-11 10:26:45 +05:30


# Home Assistant — ha.manohargupta.com
HA runs **at home**; Hetzner only proxies the subdomain. Two deploy targets:
- `home-assistant/` → HOME BOX (Pi/N100), plain `docker compose up -d`. NOT Dokploy.
- `ha-proxy/` → HETZNER via Dokploy (nginx reverse-proxy over Tailscale).
## Deploy order
1. **Home box**: `docker compose up -d` → onboard HA at `http://<lan-ip>:8123`,
   paste `configuration.snippet.yaml` into `config/configuration.yaml` → restart.
2. Join home box to Tailscale; `tailscale ip -4` → note the 100.x IP.
   `ufw allow in on tailscale0 to any port 8123` on the home box.
3. **DNS**: `ha` A-record → `77.42.82.225` (done).
4. **Hetzner**: set the home tailnet IP in `ha-proxy/nginx.conf`, deploy `ha-proxy`
   as a Dokploy Compose app.
## Dead-man's-switch — verify BEFORE trusting the cert flow
From inside the running ha-proxy container:
```sh
wget -qO- http://100.XX.XX.XX:8123 | head -c 200
```
HTML back → good. Hang/refused → the host isn't forwarding container→tailnet; check
that `ip route get 100.XX.XX.XX` on the Hetzner host resolves via `tailscale0` and that
the Docker bridge has a MASQUERADE rule for container egress.
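As an added pre-deploy check (example script, not part of this repo) covering step 4 of the deploy order and the route check above: it verifies that the `proxy_pass` host in `ha-proxy/nginx.conf` is a real 100.64.0.0/10 tailnet address rather than the `100.XX.XX.XX` placeholder, and parses `ip route get` output to confirm the route leaves via `tailscale0`. The `proxy_pass http://HOST:8123;` line shape, the function names and the sample route lines are assumptions/constructed, not taken from the repo.

```sh
#!/bin/sh
# ha-proxy preflight (added example, not part of the repo).
# Assumes ha-proxy/nginx.conf contains a line like:
#     proxy_pass http://100.XX.XX.XX:8123;
# Usage: sh preflight.sh ha-proxy/nginx.conf   (run on the Hetzner host)

# Return 0 if $1 is a dotted quad inside Tailscale's CGNAT range 100.64.0.0/10,
# i.e. first octet 100 and second octet 64..127. Rejects the XX placeholder.
is_tailnet_ip() {
  ip="$1"
  [ -n "$ip" ] || return 1
  case "$ip" in
    *[!0-9.]*|*..*|.*|*.) return 1 ;;   # anything that is not digits and single dots
  esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  [ "$1" -eq 100 ] && [ "$2" -ge 64 ] && [ "$2" -le 127 ]
}

# Print the host part of the first `proxy_pass http://HOST[:PORT]...;` line in file $1.
nginx_upstream_host() {
  sed -n 's|^[[:space:]]*proxy_pass[[:space:]]*http://\([^:;/]*\).*|\1|p' "$1" | head -n 1
}

# Return 0 if the nginx upstream in file $1 is a tailnet address; explain otherwise.
check_proxy_config() {
  conf="$1"
  host=$(nginx_upstream_host "$conf")
  if [ -z "$host" ]; then
    echo "FAIL: no 'proxy_pass http://...' line found in $conf" >&2
    return 1
  fi
  if ! is_tailnet_ip "$host"; then
    echo "FAIL: upstream '$host' is not a 100.64.0.0/10 tailnet address (placeholder left in?)" >&2
    return 1
  fi
  echo "OK: upstream $host is a tailnet address"
}

# Given the output of `ip route get <tailnet-ip>` as $1, return 0 if the route's
# egress device is tailscale0. Constructed sample of a good line:
#   100.101.102.103 dev tailscale0 table 52 src 100.64.0.5 uid 0
# and of a bad one (would leave via the Docker bridge side instead):
#   100.101.102.103 via 172.18.0.1 dev eth0 src 172.18.0.2 uid 0
route_via_tailscale0() {
  printf '%s\n' "$1" | grep -q '[[:space:]]dev[[:space:]]\{1,\}tailscale0\([[:space:]]\|$\)'
}

# Only run the live checks when a config path is given on the command line.
if [ $# -gt 0 ]; then
  check_proxy_config "$1" || exit 1
  host=$(nginx_upstream_host "$1")
  if route_via_tailscale0 "$(ip route get "$host" 2>/dev/null)"; then
    echo "OK: $host routes via tailscale0"
  else
    echo "FAIL: $host does not route via tailscale0 on this host" >&2
    exit 1
  fi
fi
```

Run it once after editing `nginx.conf` and before `docker compose up`; the MASQUERADE side of the check still needs a manual look at `iptables -t nat -S POSTROUTING`.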
## Why this shape
- HA needs `network_mode: host` (mDNS/Matter multicast + LAN RTSP for Tapo).
- An HA instance in Helsinki cannot reach home-LAN cameras — hence home box.
- ha-proxy is dual-homed (dokploy-network ingress + bridge egress), same pattern
as the n8n stack, because the swarm overlay can't egress to a tailnet peer.
## Security (flagged)
A public subdomain means the HA login page is internet-facing. Enable HA 2FA; consider
Authentik forward-auth in front of the proxy later. Tailnet-only access (skip the public
route entirely) is safer if you only reach HA from your own devices.