Mannu 4fc7893d28 Add Home Assistant (home box) + ha-proxy (Hetzner/Dokploy) stacks

- home-assistant/: HA Core + matter-server, host networking (home box, not Dokploy)
- ha-proxy/: nginx reverse-proxy, ha.manohargupta.com -> home HA over Tailscale
- dual-homed (dokploy-network ingress + bridge egress), mirrors n8n pattern

2026-06-11 10:26:45 +05:30

1.6 KiB

Raw Blame History

Home Assistant — ha.manohargupta.com

HA runs at home; Hetzner only proxies the subdomain. Two deploy targets:

home-assistant/ → HOME BOX (Pi/N100), plain docker compose up -d. NOT Dokploy.
ha-proxy/ → HETZNER via Dokploy (nginx reverse-proxy over Tailscale).

Deploy order

Home box: docker compose up -d → onboard HA at http://<lan-ip>:8123 → paste configuration.snippet.yaml into config/configuration.yaml → restart.
Join home box to Tailscale; tailscale ip -4 → note the 100.x IP. ufw allow in on tailscale0 to any port 8123 on the home box.
DNS: ha A-record → 77.42.82.225 (done).
Hetzner: set the home tailnet IP in ha-proxy/nginx.conf, deploy ha-proxy as a Dokploy Compose app.

Dead-man's-switch — verify BEFORE trusting the cert flow

From inside the running ha-proxy container:

wget -qO- http://100.XX.XX.XX:8123 | head -c 200

HTML back → good. Hang/refused → host isn't forwarding container→tailnet; check ip route get 100.XX.XX.XX resolves via tailscale0 + Docker bridge MASQUERADE.

Why this shape

HA needs network_mode: host (mDNS/Matter multicast + LAN RTSP for Tapo).
An HA instance in Helsinki cannot reach home-LAN cameras — hence home box.
ha-proxy is dual-homed (dokploy-network ingress + bridge egress), same pattern as the n8n stack, because the swarm overlay can't egress to a tailnet peer.

Security (flagged)

Public subdomain = HA login is internet-facing. Enable HA 2FA; consider Authentik forward-auth later. Tailnet-only access (skip the public route) is safer if you only reach HA from your own devices.

1.6 KiB Raw Blame History