Docker Compose - network nightmare

Would love some input on my Docker Compose file. I am struggling with combining “host” networking and defined networks. It appears this is not allowed. I would like to do this for 2 reasons:

  1. Several of my containers do not need to be externally accessible and I would like to be able to call them from another container by service name (e.g. my image-processing is only ever called by HA)
  2. I need to be able to assign a static IP to my apache-reverse service as I have to whitelist this within HA.

If I do start to define networks and assign a “private” and “public” network to HA, many integrations break. Specifically, HomeKit does not like this, even if you properly expose all of the necessary ports (several GitHub issues raised on this). For this reason, HA needs to be connected to the default host network.

Any thoughts or advice on how to address this?

version: '3.7'

services:
  homeassistant:
    image: homeassistant/home-assistant:stable
    restart: always
    network_mode: "host"
    volumes:
      - /opt/homeassistant_stack/homeassistant/config:/config
      - /mountpoint/Homeassistant:/mountpoint/Homeassistant 
      - /dev/lio0:/dev/lio0
    environment:
      TZ: America/Toronto  
    depends_on:
      - image-processing
      - mqtt
      - apache-reverse

  image-processing:
    image: snowzach/doods:latest
    restart: always
    ports:
      - "8080:8080"
    volumes:
      - /opt/homeassistant_stack/doods/models:/opt/doods/models 
      - /opt/homeassistant_stack/doods/example.yaml:/opt/doods/config.yaml

  mqtt:
    image: eclipse-mosquitto
    restart: always
    ports:
      - "1883:1883"
      - "9001:9001"
    volumes:
      - /opt/homeassistant_stack/mosquitto/data:/mosquitto/data 
      - /opt/homeassistant_stack/mosquitto/log:/mosquitto/log

  apache-reverse:
    build:
      context: ./apache-reverse-webit
    restart: always
    ports:
      - "8443:8443"
    volumes:
      - /opt/homeassistant_stack/apache-reverse-webit/sites:/usr/local/apache2/conf/sites
    environment:
      TZ: America/Toronto

Below is my working Docker Compose file. I had to compromise on my stated goals; ultimately my main requirement was to be able to assign a static IP to my apache-reverse service. This I have been able to do; I could not figure out any way to keep the HA service fully exposed while using internal networks… c’est la vie!

version: '3.7'

services:
  homeassistant:
    image: homeassistant/home-assistant:stable
    restart: always
    network_mode: "host"
    volumes:
      - /opt/homeassistant_stack/homeassistant/config:/config
      - /mountpoint/Homeassistant:/mountpoint/Homeassistant 
      - /dev/lio0:/dev/lio0
    environment:
      TZ: America/Toronto  
    depends_on:
      - image-processing
      - mqtt
      - apache-reverse

  image-processing:
    image: snowzach/doods:latest
    restart: always
    networks:
      public:
    ports:
      - "8080:8080"
    volumes:
      - /opt/homeassistant_stack/doods/models:/opt/doods/models 
      - /opt/homeassistant_stack/doods/example.yaml:/opt/doods/config.yaml

  mqtt:
    image: eclipse-mosquitto
    restart: always
    networks:
      public:
    ports:
      - "1883:1883"
      - "9001:9001"
    volumes:
      - /opt/homeassistant_stack/mosquitto/data:/mosquitto/data 
      - /opt/homeassistant_stack/mosquitto/log:/mosquitto/log

  apache-reverse:
    build:
      context: ./apache-reverse-webit
    restart: always
    networks:
      public:
        ipv4_address: 172.22.0.100
    ports:
      - "8443:8443"
    volumes:
      - /opt/homeassistant_stack/apache-reverse-webit/sites:/usr/local/apache2/conf/sites
    environment:
      TZ: America/Toronto

networks:
  public:
    ipam:
      driver: default
      config:
        - subnet: "172.22.0.0/24"
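As an added example (not the poster's file), one way to get closer to both original goals with this same stack: Home Assistant stays on the host network, the services that only HA calls publish their ports bound to 127.0.0.1 so HA (a host-network process) reaches them on localhost while nothing else on the LAN can, and apache-reverse keeps its fixed address on the public network and remains the only service published on all interfaces. Service names, image names, paths and the 172.22.0.0/24 subnet are taken from the posted file; the `127.0.0.1:` bindings are the added change, and volumes and environment are left out here.

```yaml
version: '3.7'

services:
  homeassistant:
    image: homeassistant/home-assistant:stable
    restart: always
    network_mode: "host"          # unchanged: HA needs the host network (HomeKit etc.)
    depends_on:
      - image-processing
      - mqtt
      - apache-reverse

  image-processing:
    image: snowzach/doods:latest
    restart: always
    networks:
      public:
    ports:
      # Loopback-only binding: HA reaches it at 127.0.0.1:8080, the LAN cannot.
      - "127.0.0.1:8080:8080"

  mqtt:
    image: eclipse-mosquitto
    restart: always
    networks:
      public:
    ports:
      # Same pattern; other containers on "public" still reach it as mqtt:1883.
      - "127.0.0.1:1883:1883"
      - "127.0.0.1:9001:9001"

  apache-reverse:
    build:
      context: ./apache-reverse-webit
    restart: always
    networks:
      public:
        ipv4_address: 172.22.0.100   # fixed address, the one whitelisted in HA
    ports:
      - "8443:8443"                  # the only port published on all interfaces

networks:
  public:
    ipam:
      driver: default
      config:
        - subnet: "172.22.0.0/24"
```

The loopback binding only suits services that HA alone consumes, as the poster describes for image-processing; if LAN devices publish to Mosquitto directly, 1883 has to stay on all interfaces. After `docker-compose up`, `ss -tlnp` on the host should show 8080, 1883 and 9001 listening on 127.0.0.1 and 8443 on 0.0.0.0 (or `*`).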

For some period of time I was using Apache as a reverse proxy. Things were working, but with a lot of compromises. For a few weeks now I’ve been using Traefik 2.0 - things are much, much better and more flexible. Also, Traefik manages SSL certificates with Let’s Encrypt and DuckDNS perfectly by itself. So for cases where the reverse proxy is serving only Docker, I highly recommend Traefik. I also have some services running on external systems and I’m planning to test how they will work with Traefik too, to simplify the environment.
Some of the benefits of Traefik are:

  • almost native integration with Docker
  • one configuration file (docker-compose) for all containers
  • native management of SSL
  • Docker aware
  • a lot of flexibility - as it’s only a reverse proxy, compared with Apache, which is an HTTP server with an option for reverse proxying.

If containers only need to connect to each other, you just need to create a network and place them on the same network.

You may connect a single container to multiple networks. This allows you to, for example, create a network called “DB” and only add containers that connect to the database to it.

The container name is NOT the server hostname. You must set this separately.

I don’t use docker compose, so I cannot truly help there with setting up the compose file.