warehack.ing/omni-pca
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

dev stack: expose HA at juliet.warehack.ing via caddy-docker-proxy

Browse Source 
Adds the homeassistant service to the external caddy network with
labels for juliet.warehack.ing so caddy-docker-proxy issues a public
cert and proxies traffic to port 8123. Uses the same streaming-
friendly transport tuning the docs-site service uses, because HA's
frontend keeps long-lived WebSockets open for lovelace state pushes
and config flows -- without stream_timeout: 24h etc., caddy closes
the socket every ~15s and the UI churns reconnects.

Keeps the 8123 host-port mapping intact for direct localhost dev
access; public traffic flows over the caddy bridge.

dev/ha-config/configuration.yaml (not tracked here -- root-owned in
the HA container) was updated separately to add:

    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 10.10.16.0/20   # caddy bridge subnet

Without that block HA rejects the OAuth redirect_uri at login because
the auth check sees the internal docker IP instead of the public host.
This commit is contained in:
Ryan Malloy 2026-05-11 12:05:18 -06:00
parent 09e2d83b49
commit df628aa56f
1 changed files with 25 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
dev/docker-compose.yml
View File

@ -43,6 +43,8 @@ services:
- "uv pip install --system --quiet cryptography && python /tmp/mock/run_mock_panel.py --host 0.0.0.0 --port 14369" - "uv pip install --system --quiet cryptography && python /tmp/mock/run_mock_panel.py --host 0.0.0.0 --port 14369"
ports: ports:
- "14369:14369" - "14369:14369"
networks:
- default
homeassistant: homeassistant:
image: ghcr.io/home-assistant/home-assistant:2026.5 image: ghcr.io/home-assistant/home-assistant:2026.5
@ -58,12 +60,31 @@ services:
# ``omni-pca==2026.5.10`` (which isn't on PyPI yet) and ensures the # ``omni-pca==2026.5.10`` (which isn't on PyPI yet) and ensures the
# v1 subpackage is present. # v1 subpackage is present.
- ../:/opt/omni-pca-src:ro - ../:/opt/omni-pca-src:ro
# Keep 8123 mapped on localhost for direct access during development;
# public traffic comes in via caddy-docker-proxy on the `caddy` net.
ports: ports:
- "8123:8123" - "8123:8123"
extra_hosts: extra_hosts:
- "host.docker.internal:host-gateway" - "host.docker.internal:host-gateway"
environment: environment:
- TZ=America/Boise - TZ=America/Boise
networks:
- default
- caddy
labels:
caddy: juliet.warehack.ing
caddy.reverse_proxy: "{{upstreams 8123}}"
# HA uses WebSockets for the frontend (lovelace state updates,
# config flow, etc.) so we need the streaming-friendly settings
# from CLAUDE.md, otherwise caddy closes the socket every ~15s.
caddy.reverse_proxy.flush_interval: "-1"
caddy.reverse_proxy.transport: http
caddy.reverse_proxy.transport.read_timeout: "0"
caddy.reverse_proxy.transport.write_timeout: "0"
caddy.reverse_proxy.transport.keepalive: 5m
caddy.reverse_proxy.transport.keepalive_idle_conns: "10"
caddy.reverse_proxy.stream_timeout: 24h
caddy.reverse_proxy.stream_close_delay: 5s
# HA's image entrypoint is /init (s6-overlay). We pre-install our # HA's image entrypoint is /init (s6-overlay). We pre-install our
# local library against site-packages so HA's manifest-requirement # local library against site-packages so HA's manifest-requirement
# check finds it, then exec /init normally. # check finds it, then exec /init normally.
@ -74,3 +95,7 @@ services:
set -e set -e
pip install --quiet --no-deps --upgrade /opt/omni-pca-src pip install --quiet --no-deps --upgrade /opt/omni-pca-src
exec /init exec /init
networks:
caddy:
external: true