Home Assistant in Docker hosts mode with Traefik 2 and Let's Encrypt: Working sample

cstuder · April 27, 2020, 1:25pm

There are multiple threads about using Home Assistant with Docker (Not Hass.io) running in hosts mode and Traefik 2.2 as reverse proxy server. I have a fully working configuration with TLS from Let’s Encrypt.

I have to admit that I don’t fully understand how this is working. I found the extra_hosts bit in this Gist over here: https://gist.github.com/gaieges/936bdf91e01e4cc782eb047e5873089b

Here is my working docker-compose.yaml:

version: "3"

# Network stuff
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=<MY-EMAIL-ADDRESS>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
    extra_hosts:
      - host.docker.internal:172.17.0.1 # I don't know why this is needed

  homeassistant:
    container_name: homeassistant
    image: homeassistant/raspberrypi3-homeassistant:stable
    volumes:
      - homeassistant:/config
    network_mode: host
    ports:
      - "8123:8123" # This is required as well.
    expose:
      - 8123 # As is this.
    environment:
      - TZ=Europe/Zurich
    labels:
      - traefik.enable=true
      - traefik.http.routers.homeassistant.rule=Host(`<MY-DOMAIN-NAME>`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls.certresolver=myresolver
      - traefik.http.services.homeassistant.loadbalancer.server.port=8123

volumes:
  letsencrypt:
  homeassistant:

Fill in <MY-EMAIL-ADDRESS> and <MY-DOMAIN-NAME> before using it.

Stores ACME certificates and the Home Assistant-configuration in Docker volumes.

Thanks to the TLS-Challenge for Let’s Encrypt I don’t even bother to open port 80.

sacredshapes · June 7, 2020, 3:08pm

I’m not sure how this works either. Trying to do the same thing and having no luck.

Gateway just times out.

version: '3'
services:
  homeassistant:
    container_name: hass
    image: homeassistant/home-assistant:stable
    volumes:
      - /share/docker/homeassistant:/config
    network_mode: host
    ports:
      - "8123:8123"
    expose:
      - 8123
    environment:
      - TZ=Europe/London
    labels:
      - traefik.enable=true
      - traefik.http.routers.hass.rule=Host(`hass.domain.com`)
      - traefik.http.routers.hass.entrypoints=websecure
      - traefik.http.routers.hass.tls.certresolver=le
      - traefik.http.services.hass.loadbalancer.server.port=8123


  traefik:
    image: "traefik:v2.2"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--api.dashboard=true"
      - "--api.debug=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entryPoints.websecure.address=:443"
      - "[email protected]"
      - "--certificatesResolvers.le.acme.storage=/letsencrypt/acme.json"
      - "--certificatesResolvers.le.acme.tlsChallenge=true"

    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    extra_hosts:
      - host.docker.internal:172.17.0.1

Any ideas?

sarkyscouser · June 7, 2020, 3:45pm

Well you don’t need to specifically map ports in your hass container if you are in host mode, one or the other. I’m surprised that docker doesn’t warn or error out on that (?)

MrNonoss · June 7, 2020, 5:38pm

Hi there,

I wrote a paper on how to build à traefik V2 container and how to make it work with home assistant https://bordas.xyz/2020/04/14/en-avant-pour-traefik-v2-2-part1/

But it is in French

mmahmoodictbd · December 8, 2020, 10:41pm

I suck at writing down stuff, however, I tried.

jpmiller25 · December 27, 2020, 2:08pm

Trying this technique, but my docker is giving error:
docker.errors.InvalidArgument: "host" network_mode is incompatible with port_bindings

I didn’t think we could specify ports if running host mode. How is it working for you guys?

whizzzkid · December 28, 2020, 8:05pm

This was way simpler to setup than I previously thought. Once you have traefik working you can simply add this entry:

homeassistant:
    image: homeassistant/raspberrypi4-64-homeassistant:stable
    volumes:
      - ../hass-config:/config
    network_mode: host
    environment:
      - TZ=America/Edmonton
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hass.rule=Host(`hass.${BASE_URL}`)"
      - "traefik.http.routers.hass.entrypoints=websecure"
      - "traefik.http.services.hass.loadbalancer.server.port=8123"
      - "traefik.http.routers.hass.service=hass"
      - "traefik.http.routers.hass.tls.certresolver=<your resolver>"

And since you are running this host mode, let traefik know that a request can be mapped to the default host:

extra_hosts:
      - host.docker.internal:172.17.0.1

Pretty simple.

harpdogg · March 3, 2021, 9:37pm

Followed this for the HA portion of my docker-compose and got it working finally! Thanks for the tips.

funny0frank · September 5, 2021, 6:03pm

Just an FYI on the first line: version: "3" equates to version: "3.0" not version: "3.*"

Source https://stackoverflow.com/a/64568805/1465640