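---
# Compose definition for a single Home Assistant service attached to a shared
# reverse-proxy network. Values are the original ones; reviewer observations
# are marked NOTE(review).
version: '3.9'

services:
  homeassistant:
    # Pinned release tag (not :latest) so an upgrade is an explicit diff.
    image: ghcr.io/home-assistant/home-assistant:2024.8.3
    environment:
      - TZ=America/New_York
    volumes:
      - /export/homeassistant:/config
    networks:
      - caddy-public

    # --- Privilege hardening -------------------------------------------------
    # No `privileged: true`; instead an explicit non-root user, no-new-privileges
    # and a capability allow-list. `cap_drop: ALL` is applied first so the two
    # re-added capabilities are the entire bounding set — without it Docker's
    # default capability set stays available to any setuid / file-capability
    # binary inside the container.
    cap_drop:
      - ALL
    cap_add:
      - NET_RAW    # network discovery (raw sockets)
      - NET_ADMIN  # network configuration
    security_opt:
      - no-new-privileges:true
      # NOTE(review): the named AppArmor profile has to be loaded on every host
      # that may run this container; Docker refuses to start it otherwise.
      - apparmor:homeassistant-profile
    # NOTE(review): with a non-root user the capabilities under cap_add are not
    # granted to the process itself (Docker does not set ambient capabilities),
    # so NET_RAW/NET_ADMIN may be ineffective here — confirm which of the two
    # settings is the intended one. Also confirm this image supports being
    # started as a non-root user at all.
    user: "1000:1000"

    devices:
      # Z-Wave stick. The container will not be created if the node is absent
      # on the host, and the non-root container user still needs read/write
      # permission on it (device nodes are not re-owned to 1000:1000).
      - /dev/ttyUSB0:/dev/ttyUSB0

    healthcheck:
      # NOTE(review): depends on curl being present in the image — confirm.
      test: ["CMD", "curl", "-f", "http://localhost:8123/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 90s

    # NOTE(review): placement and deploy.labels only take effect when launched
    # with `docker stack deploy`; if that is the launch path, check the deploy
    # warnings for service-level options Swarm ignores (devices and
    # security_opt in particular), since the hardening above silently
    # disappears in that case.
    deploy:
      resources:
        limits:
          memory: 2G
          cpus: '1.0'
        reservations:
          memory: 512M
          cpus: '0.25'
      placement:
        constraints:
          - node.role == manager
      # NOTE(review): these label names follow the Traefik router/service
      # schema (http.routers.*, entrypoints, loadbalancer.server.port) although
      # the prefix and the network are named for Caddy; verify which proxy
      # actually consumes them, as caddy-docker-proxy uses a different label
      # vocabulary and would ignore these.
      labels:
        - caddy.enable=true
        - caddy.http.routers.ha.rule=Host(`ha.pressmess.duckdns.org`)
        - caddy.http.routers.ha.entrypoints=websecure
        - caddy.http.routers.ha.tls=true
        - caddy.http.services.ha.loadbalancer.server.port=8123

networks:
  caddy-public:
    external: true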