k3s-cluster/homeassistant/homeassistant.yaml

---
apiVersion: v1
kind: Namespace
metadata:
  name: home-assistant
---
apiVersion: v1
kind: Service
metadata:
  namespace: home-assistant
  name: home-assistant
spec:
  selector:
    app: home-assistant
  type: ClusterIP
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 8123
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: home-assistant
  name: home-assistant-config
data:
  configuration.yaml: |
    # Loads default set of integrations
    default_config:

    http:
      use_x_forwarded_for: true
      trusted_proxies:
        - 10.42.0.0/16   # k3s pod CIDR (Traefik pod lives here)
        - 10.43.0.0/16   # k3s service CIDR
        - 10.88.20.0/24  # node subnet (Traefik runs hostNetwork-ish, forwards from 10.88.20.11)
---
apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: home-assistant
  name: home-assistant
  labels:
    app: home-assistant
spec:
  replicas: 1
  selector:
    matchLabels:
      app: home-assistant
  template:
    metadata:
      labels:
        app: home-assistant
    spec:
      containers:
      - name: home-assistant
        image: ghcr.io/home-assistant/home-assistant:stable
        resources:
          requests:
            memory: "256Mi"
          limits:
            memory: "512Mi"
        ports:
        - containerPort: 8123
        volumeMounts:
        - name: config
          mountPath: /config
        - name: configuration
          mountPath: /config/configuration.yaml
          subPath: configuration.yaml
        - name: localtime
          mountPath: /etc/localtime
          readOnly: true
        - name: dbus
          mountPath: /run/dbus
          readOnly: true
        securityContext:
          privileged: true
          capabilities:
            add:
              - NET_ADMIN
              - NET_RAW
              - SYS_ADMIN
      hostNetwork: true
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: home-assistant-config
        - name: configuration
          configMap:
            name: home-assistant-config
        - name: localtime
          hostPath:
            path: /etc/localtime
            type: File
        - name: dbus
          hostPath:
            path: /run/dbus
            type: Directory
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  namespace: home-assistant
  name: home-assistant-config
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
init cluster 2025-11-02 18:13:46 +01:00			`---`
			`apiVersion: v1`
			`kind: Namespace`
			`metadata:`
			`name: home-assistant`
			`---`
			`apiVersion: v1`
			`kind: Service`
			`metadata:`
			`namespace: home-assistant`
			`name: home-assistant`
			`spec:`
			`selector:`
			`app: home-assistant`
			`type: ClusterIP`
			`ports:`
			`- name: http`
			`protocol: TCP`
			`port: 80`
			`targetPort: 8123`
			`---`
homeassistant config map 2026-01-28 00:11:26 +01:00			`apiVersion: v1`
			`kind: ConfigMap`
			`metadata:`
			`namespace: home-assistant`
			`name: home-assistant-config`
			`data:`
			`configuration.yaml: \|`
			`# Loads default set of integrations`
			`default_config:`

			`http:`
			`use_x_forwarded_for: true`
			`trusted_proxies:`
fix(homeassistant): trust k3s pod/service CIDRs as X-Forwarded-For proxies HA runs with hostNetwork on roger-nucbox-evo-x2 while Traefik runs on the raspberrypi node, so requests arrive at HA from 10.88.20.11. The previous trusted_proxies entry (10.88.88.0/24) did not include this address, causing HA to reject X-Forwarded-For and return 400 on every ingress request. 2026-06-26 11:58:46 +02:00			`- 10.42.0.0/16 # k3s pod CIDR (Traefik pod lives here)`
			`- 10.43.0.0/16 # k3s service CIDR`
			`- 10.88.20.0/24 # node subnet (Traefik runs hostNetwork-ish, forwards from 10.88.20.11)`
homeassistant config map 2026-01-28 00:11:26 +01:00			`---`
init cluster 2025-11-02 18:13:46 +01:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`namespace: home-assistant`
			`name: home-assistant`
			`labels:`
			`app: home-assistant`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: home-assistant`
			`template:`
			`metadata:`
			`labels:`
			`app: home-assistant`
			`spec:`
			`containers:`
			`- name: home-assistant`
			`image: ghcr.io/home-assistant/home-assistant:stable`
			`resources:`
			`requests:`
			`memory: "256Mi"`
			`limits:`
			`memory: "512Mi"`
			`ports:`
			`- containerPort: 8123`
			`volumeMounts:`
configure home assistant 2026-01-27 23:41:11 +01:00			`- name: config`
			`mountPath: /config`
homeassistant config map 2026-01-28 00:11:26 +01:00			`- name: configuration`
			`mountPath: /config/configuration.yaml`
			`subPath: configuration.yaml`
configure home assistant 2026-01-27 23:41:11 +01:00			`- name: localtime`
			`mountPath: /etc/localtime`
			`readOnly: true`
			`- name: dbus`
			`mountPath: /run/dbus`
			`readOnly: true`
init cluster 2025-11-02 18:13:46 +01:00			`securityContext:`
			`privileged: true`
			`capabilities:`
			`add:`
			`- NET_ADMIN`
			`- NET_RAW`
			`- SYS_ADMIN`
			`hostNetwork: true`
			`volumes:`
configure home assistant 2026-01-27 23:41:11 +01:00			`- name: config`
homeassistant config 2026-01-27 23:56:19 +01:00			`persistentVolumeClaim:`
			`claimName: home-assistant-config`
homeassistant config map 2026-01-28 00:11:26 +01:00			`- name: configuration`
			`configMap:`
			`name: home-assistant-config`
configure home assistant 2026-01-27 23:41:11 +01:00			`- name: localtime`
			`hostPath:`
homeassistant config 2026-01-27 23:56:19 +01:00			`path: /etc/localtime`
			`type: File`
configure home assistant 2026-01-27 23:41:11 +01:00			`- name: dbus`
			`hostPath:`
homeassistant config 2026-01-27 23:56:19 +01:00			`path: /run/dbus`
homeassistant config 2026-01-27 23:58:16 +01:00			`type: Directory`
homeassistant config 2026-01-27 23:56:19 +01:00			`---`
			`apiVersion: v1`
			`kind: PersistentVolumeClaim`
			`metadata:`
			`namespace: home-assistant`
			`name: home-assistant-config`
			`spec:`
			`accessModes:`
			`- ReadWriteOnce`
			`resources:`
			`requests:`
			`storage: 5Gi`
			`---`