From df628aa56fbefe66808c7aaa447c108a615cb271 Mon Sep 17 00:00:00 2001
From: Ryan Malloy
Date: Mon, 11 May 2026 12:05:18 -0600
Subject: [PATCH] dev stack: expose HA at juliet.warehack.ing via caddy-docker-proxy
Adds the homeassistant service to the external caddy network with labels for juliet.warehack.ing so caddy-docker-proxy issues a public cert and proxies traffic to port 8123. Uses the same streaming- friendly transport tuning the docs-site service uses, because HA's frontend keeps long-lived WebSockets open for lovelace state pushes and config flows -- without stream_timeout: 24h etc., caddy closes the socket every ~15s and the UI churns reconnects. Keeps the 8123 host-port mapping intact for direct localhost dev access; public traffic flows over the caddy bridge. dev/ha-config/configuration.yaml (not tracked here -- root-owned in the HA container) was updated separately to add: http: use_x_forwarded_for: true trusted_proxies: - 10.10.16.0/20 # caddy bridge subnet Without that block HA rejects the OAuth redirect_uri at login because the auth check sees the internal docker IP instead of the public host.
---
 dev/docker-compose.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/dev/docker-compose.yml b/dev/docker-compose.yml
index c055394..fbe6a6f 100644
--- a/dev/docker-compose.yml
+++ b/dev/docker-compose.yml
@@ -43,6 +43,8 @@ services: - "uv pip install --system --quiet cryptography && python /tmp/mock/run_mock_panel.py --host 0.0.0.0 --port 14369" ports: - "14369:14369" + networks: + - default homeassistant: image: ghcr.io/home-assistant/home-assistant:2026.5
@@ -58,12 +60,31 @@ services:
 # ``omni-pca==2026.5.10`` (which isn't on PyPI yet) and ensures the
 # v1 subpackage is present.
 - ../:/opt/omni-pca-src:ro
+ # Keep 8123 mapped on localhost for direct access during development;
+ # public traffic comes in via caddy-docker-proxy on the `caddy` net.
 ports:
 - "8123:8123"
 extra_hosts:
 - "host.docker.internal:host-gateway"
 environment:
 - TZ=America/Boise
+ networks:
+ - default
+ - caddy
+ labels:
+ caddy: juliet.warehack.ing
+ caddy.reverse_proxy: "{{upstreams 8123}}"
+ # HA uses WebSockets for the frontend (lovelace state updates,
+ # config flow, etc.) so we need the streaming-friendly settings
+ # from CLAUDE.md, otherwise caddy closes the socket every ~15s.
+ caddy.reverse_proxy.flush_interval: "-1"
+ caddy.reverse_proxy.transport: http
+ caddy.reverse_proxy.transport.read_timeout: "0"
+ caddy.reverse_proxy.transport.write_timeout: "0"
+ caddy.reverse_proxy.transport.keepalive: 5m
+ caddy.reverse_proxy.transport.keepalive_idle_conns: "10"
+ caddy.reverse_proxy.stream_timeout: 24h
+ caddy.reverse_proxy.stream_close_delay: 5s
 # HA's image entrypoint is /init (s6-overlay). We pre-install our
 # local library against site-packages so HA's manifest-requirement
 # check finds it, then exec /init normally.
@@ -74,3 +95,7 @@ services:
 set -e
 pip install --quiet --no-deps --upgrade /opt/omni-pca-src
 exec /init
+
+networks:
+ caddy:
+ external: true
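Review bot: The new comment above `ports:` in the homeassistant hunk (`@@ -58,12 +60,31 @@`) says 8123 stays mapped "on localhost", but the unchanged mapping `- "8123:8123"` publishes the port on every host interface. Now that the service is public, that leaves a second path to HA that skips caddy and its certificate on any network the dev host is reachable from. If local-only access is the intent, bind the mapping to loopback: `- "127.0.0.1:8123:8123"`. Separately, the commit message says `trusted_proxies` was set to the whole caddy bridge subnet (10.10.16.0/20), which appears to let any container attached to that shared external network supply `X-Forwarded-For`; narrowing it to the proxy's own address is worth considering if the proxy has a stable one. The homeassistant service definition starts and ends outside this hunk.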