dev stack: expose HA at juliet.warehack.ing via caddy-docker-proxy

Adds the homeassistant service to the external caddy network with
labels for juliet.warehack.ing so caddy-docker-proxy issues a public
cert and proxies traffic to port 8123. Uses the same streaming-
friendly transport tuning the docs-site service uses, because HA's
frontend keeps long-lived WebSockets open for lovelace state pushes
and config flows -- without stream_timeout: 24h etc., caddy closes
the socket every ~15s and the UI churns reconnects.

Keeps the 8123 host-port mapping intact for direct localhost dev
access; public traffic flows over the caddy bridge.

dev/ha-config/configuration.yaml (not tracked here -- root-owned in
the HA container) was updated separately to add:

    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 10.10.16.0/20   # caddy bridge subnet

Without that block HA rejects the OAuth redirect_uri at login because
the auth check sees the internal docker IP instead of the public host.
Ryan Malloy 2026-05-11 12:05:18 -06:00
parent 09e2d83b49
commit df628aa56f


@ -43,6 +43,8 @@ services:
- "uv pip install --system --quiet cryptography && python /tmp/mock/run_mock_panel.py --host 0.0.0.0 --port 14369"
ports:
- "14369:14369"
networks:
- default
homeassistant:
image: ghcr.io/home-assistant/home-assistant:2026.5
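Review bot: the explicit `networks: - default` added for the mock panel is the right companion to the new top-level `caddy` network, since it keeps the mock panel off the shared bridge where caddy and the other proxied services live. While here, the `- "14369:14369"` mapping together with `--host 0.0.0.0` in the command above publishes the mock panel on every host interface; if it is only meant for local development, `- "127.0.0.1:14369:14369"` would limit exposure the same way the commit message describes for 8123.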
@ -58,12 +60,31 @@ services:
# ``omni-pca==2026.5.10`` (which isn't on PyPI yet) and ensures the
# v1 subpackage is present.
- ../:/opt/omni-pca-src:ro
# Keep 8123 mapped on localhost for direct access during development;
# public traffic comes in via caddy-docker-proxy on the `caddy` net.
ports:
- "8123:8123"
extra_hosts:
- "host.docker.internal:host-gateway"
environment:
- TZ=America/Boise
networks:
- default
- caddy
labels:
caddy: juliet.warehack.ing
caddy.reverse_proxy: "{{upstreams 8123}}"
# HA uses WebSockets for the frontend (lovelace state updates,
# config flow, etc.) so we need the streaming-friendly settings
# from CLAUDE.md, otherwise caddy closes the socket every ~15s.
caddy.reverse_proxy.flush_interval: "-1"
caddy.reverse_proxy.transport: http
caddy.reverse_proxy.transport.read_timeout: "0"
caddy.reverse_proxy.transport.write_timeout: "0"
caddy.reverse_proxy.transport.keepalive: 5m
caddy.reverse_proxy.transport.keepalive_idle_conns: "10"
caddy.reverse_proxy.stream_timeout: 24h
caddy.reverse_proxy.stream_close_delay: 5s
# HA's image entrypoint is /init (s6-overlay). We pre-install our
# local library against site-packages so HA's manifest-requirement
# check finds it, then exec /init normally.
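Review bot: the `- "8123:8123"` mapping contradicts the comment two lines above it; with no host address that is a 0.0.0.0 bind, so on a host with a public interface HA answers directly on :8123, outside caddy's TLS and outside the `use_x_forwarded_for` / `trusted_proxies` path the commit message describes. `- "127.0.0.1:8123:8123"` keeps the localhost-only dev access the comment intends. Related: joining the shared `caddy` network while trusting the whole `10.10.16.0/20` range means any other container attached to that bridge can reach 8123 directly and present a forged X-Forwarded-For that HA will honour; narrowing the range to the caddy container's address, or using a dedicated network for just caddy and HA, limits that.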
@ -74,3 +95,7 @@ services:
set -e
pip install --quiet --no-deps --upgrade /opt/omni-pca-src
exec /init
networks:
caddy:
external: true
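Review bot: `external: true` on the `caddy` network means `docker compose up` fails with a missing-network error unless the caddy-docker-proxy stack (or an equivalent `docker network create caddy`) has run first; a one-line comment here naming that prerequisite, and the fact that the `10.10.16.0/20` subnet the commit message relies on for `trusted_proxies` is assigned by whoever creates the network rather than by this file, would save the next person a confusing startup failure or a silently broken proxy trust if the network is ever recreated with a different subnet.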