Homeassistant with traefik 2.2 for TLS in docker-compose in network_mode: host

docker-compose.yml

version: '2.1'

services:
  homeassistant:
    restart: always
    image: homeassistant/raspberrypi3-homeassistant
    expose:
      - 8123
    ports:
      - "8123:8123"
    devices:
      - /dev/ttyACM0
    volumes:
      - ./config:/config
    network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hahttp.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.tls=true"
      - "traefik.http.routers.ha.tls.certresolver=le"
      - "traefik.http.routers.ha.tls.domains[0].main=MY_DOMAIN"
      - "traefik.http.services.homeassistant.loadbalancer.server.port=8123"

  traefik:
    restart: always
    image: traefik:v2.2
    command: 
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--accesslog=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=MY_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    extra_hosts: 
      - host.docker.internal:172.17.0.1
 

Typo in line 18.

Thank you, I don't fully understand how it works, but I made my installation work thanks to the extra_hosts field.

Great! hahttp is intentional, is that what you mean? It allows for a different router for https / http access

Yes, I thought that was an accident. Guess I don't understand that line either. :-)

No worries! Looking through it again it looks like I removed some parts that contained local secrets and not that line which related to the local secrets

Thank you, this was useful to me, both the load balancer line and extra host.

I'm not sure if

    expose:
      - 8123
    ports:
      - "8123:8123"

gives you anything because your in host mode though. I don't have it in mine and it works fine.

Why this works I don't know. But it does!

Just adding the extra host line and things are routed correctly from a Traefik instance in a docker network to a homeassistant instance with 'network_mode: host'. Thanks!

Works for me too. But I also don't understand what the extra_host does... Would be great if you could explain it!

The extra host stanza basically says if you need to talk to host.docker.internal, go to that specified IP instead. We're basically hardcoding the target for all of the requests going into traefik to go to the docker bridge IP

Is the 172.17.0.1 ip universal or do I have to specify that elsewhere?

Edit: seems like it's the default for the IP address of the bridge interface (docker0 by default)

Found here
https://doc.traefik.io/traefik/providers/docker/#host-networking

It’ll be the IP of your default docker bridge network. Usually thats 172.17.0.1/24 but I’ve also seen 172.18.0.1/24. It’s possible to set the default range as a docker startup default but that depends on your platform.

The extra host stanza basically says if you need to talk to host.docker.internal, go to that specified IP instead. We're basically hardcoding the target for all of the requests going into traefik to go to the docker bridge IP

Ah... traefik tries to resolve localhost with a DNS lookup to host.docker.internal. This is probably to support docker-for-windows, which uses this trick to reach the host. Now it makes sense, thanks!