#can you not restore a backup on HA

Thought a thread would be easier

Unzip the backup

Untar the tarball for HA

you cant turn pings off in here

now im nervous

Sure you can

Same rules apply here

oh sorry! You can when replying, but not when starting a new message tagging

However, you also don't need to use Reply

yes sorry

ok so just grab my other backup and unzip it all basically.

Yup

then chuck it all in the /config folder i assume

Yup

Or extract it to there

interesting.

The theory is that if you're rocking Container you can handle your own restores

Also, you should have the host config being backed up anyway, and probably will be using that to back up HA

whilst i have you. Could i ask another question? I think i can manage the lack of add-ons just fine except three

NGINX Home Assistant SSL Proxy
Lets Encrypt
Frigate Proxy (Less important, i can ask in the camera channel about this one)

How do i handle the NGINX and Lets encrypt stuff?

By replacing them both with Traefik

Traefik has native support for LetsEncrypt/ZeroSSL

Plus it handles websockets and stuff without any fancy config

ok and thats just another docker container right? But how do i tell it to protect the HA Docker Container?

Yes, and with tags or a config file

ok ill get to that soon i guess

thank you sir! Let me go and play with this restore!

Let me grab you some links

Assuming you're using Compose files like any sane person, and that they're in the same compose file:

  homeassistant:
    labels:
      - traefik.enable=true
      - traefik.http.services.ha.loadbalancer.server.port=8123
      - traefik.http.routers.ha.rule=Host(`my-ha.example.net`)
      - traefik.http.routers.ha.entrypoints=websecure
      - traefik.http.routers.ha.tls=true
      - traefik.http.routers.ha.tls.certresolver=letsencrypt

That uses an SSL provider called letsencrypt

wait slow down... what do you mean in the "same compose file"? Im using portainer, and creating a stack for each?

but yes using compose

For me since I use cloudflare for my domain the relevant section of my Traefik conf looks like:

  letsencrypt:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: tinkerer@ceard.tech
      storage: /acme/acme.json
      dnsChallenge:
        provider: cloudflare
      eab:
        kid: secret
        hmacEncoded: moreSecret

No idea how Portainer works, but you should be fine to tag things as shown

ok going to take me some time to get my head round this

Traefik is awesome - just add labels to a container and then it has remote access

version: '3'
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /mnt/nas/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /home/me/homeassistant/home-assistant_v2.db:/config/home-assistant_v2.db
    labels:
      - traefik.enable=true
      - traefik.http.services.ha.loadbalancer.server.port=8123
      - traefik.http.routers.ha.rule=Host(`my-ha.example.net`)
      - traefik.http.routers.ha.entrypoints=websecure
      - traefik.http.routers.ha.tls=true
      - traefik.http.routers.ha.tls.certresolver=letsencrypt
    restart: unless-stopped
    privileged: true
    network_mode: host

so i should make me HA compose file look like that right?

is this going to error whilst i dont already have traefik setup?

ugh didnt see the domain there, obviously change that to my public facing domain

Yes, and no it won't

Labels are ignored by things that don't understand them

ok sorry another question

This seems to be wrong

/home/ben/homeassistant/home-assistant_v2.db:/config/home-assistant_v2.db

this created a folder called home-assistant_v2.db

rather than creating the actual DB File where i wanted it to me?

Yes, because Docker assumes a folder when no file exists there

But also there's two temporary SQLite files that can appear, plus another when it re-packs

so what do i need to change this to so it creates the file, and so it accounts for those two other files?

Well, for the first just restore the file from the backup before restoring HA

Not much you can do for the second... maybe

What you could do would be to change the path:
https://www.home-assistant.io/integrations/recorder#sqlite

recorder:
  db_url: sqlite:////config/database/home-assistant_v2.db

    volumes:
      - /mnt/nas/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /home/me/homeassistant/database:/config/database

version: '3'
services:
  homeassistant:
  recorder:
    db_url: sqlite:////config/database/home-assistant_v2.db
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /mnt/nas/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /home/ben/homeassistant/database:/config/database
    labels:
      - traefik.enable=true
      - traefik.http.services.ha.loadbalancer.server.port=8123
      - traefik.http.routers.ha.rule=Host(`home.mydomain.co.uk`)
      - traefik.http.routers.ha.entrypoints=websecure
      - traefik.http.routers.ha.tls=true
      - traefik.http.routers.ha.tls.certresolver=letsencrypt
    restart: unless-stopped
    privileged: true
    network_mode: host

does this look correct?

No

You mashed the YAML for HA to the YAML for Docker

oh sorry

That's why I linked to the docs

that sqllite one needs to go in my config.yaml

Yes

sorry

And maybe edit out your domain from the above 😉

(not that it's really a secret once you get an SSL cert for it)

oops thanks

just to confirm. my db will now live at home/ben/homeassistant/database/dbname.db

Yes

just so i know where to copy it to.

You can test by not restoring your backup and starting the container then going through onboarding

well thats the thing

last time i did that

it created the folder

instead of the file name

Right

So... try it again 😉

but now we changed it

of course

so its still creating the DB on my NAS share and not locally

which of course is creating a ton of DB corrupt files

because its on a network share

The default DB location is in /config

You need to have updated configuration.yaml to move the database

ok but if i pre populate the folders im getting errors. so my plan was to let it all get created, then stop the container and overwrite it all wiht my backups

is my thinking wrong there?

Should work, but I'd test by:

1. Spin up a fresh HA install
2. Update configuration.yaml to move it
3. Restart HA
4. Check it worked

ok boom

that does look like it worked

all three DB files now local

now to turn it all off and restore.

ok

so....

that went smoother than i thought

although one of my integrations doesnt work for some reason.

Local Tuya

got a few silly errors about automations that rely on add-ons, but i can fix those.

Wonder why local tuya didnt come back working

Oh

they rely on my HA being available over the internet thats why

WTF

well i assume thats the issue

cannot see any other reason for it

that and my octopus (power consumption stuff) is not working

everything else outside of frigate and MQTT which i know i need to spend time on now seems to work

The log is always a good place to look at

hmmm

may have to pick this up tomorrow

2023-10-02 17:57:53.708 WARNING (MainThread) [custom_components.localtuya.climate] [816...afe] Entity None is requesting unknown DPS index 2
2023-10-02 17:57:53.726 WARNING (MainThread) [custom_components.localtuya.climate] [816...afe] Entity climate.bedroom_aircon is requesting unknown DPS index 2
2023-10-02 17:57:53.781 ERROR (callback) [azure.iot.device.common.handle_exceptions] Exception caught in background thread. Unable to handle.
2023-10-02 17:57:53.794 ERROR (callback) [azure.iot.device.common.handle_exceptions] ["azure.iot.device.common.transport_exceptions.ConnectionDroppedError: ConnectionDroppedError('Unexpected disconnection') caused by ConnectionDroppedError('The connection was lost.')\n"]
2023-10-02 17:57:53.960 ERROR (MainThread) [homeassistant.components.esphome.dashboard] Error requesting ESPHome Dashboard data: Cannot connect to host 127.0.0.1:62594 ssl:default [Connect call failed ('127.0.0.1', 62594)]
2023-10-02 17:57:53.961 ERROR (MainThread) [homeassistant.components.esphome.dashboard] Dashboard unavailable; skipping reauth: Cannot connect to host 127.0.0.1:62594 ssl:default [Connect call failed ('127.0.0.1', 62594)]
2023-10-02 17:57:54.040 ERROR (callback) [azure.iot.device.common.handle_exceptions] Exception caught in background thread. Unable to handle.
2023-10-02 17:57:54.042 ERROR (callback) [azure.iot.device.common.handle_exceptions] ["azure.iot.device.common.transport_exceptions.ConnectionDroppedError: ConnectionDroppedError('Unexpected disconnection') caused by ConnectionDroppedError('The connection was lost.')\n"]
2023-10-02 17:57:54.292 ERROR (callback) [azure.iot.device.common.handle_exceptions] Exception caught in background thread. Unable to handle.
2023-10-02 17:57:54.293 ERROR (callback) [azure.iot.device.common.handle_exceptions] ["azure.iot.device.common.transport_exceptions.ConnectionDroppedError: ConnectionDroppedError('Unexpected disconnection') caused by ConnectionDroppedError('The connection was lost.')\n"]
2023-10-02 17:57:54.559 ERROR (callback) [azure.iot.device.common.handle_exceptions] Exception caught in background thread. Unable to handle.
2023-10-02 17:57:54.563 ERROR (callback) [azure.iot.device.common.handle_exceptions] ["azure.iot.device.common.transport_exceptions.ConnectionDroppedError: ConnectionDroppedError('Unexpected disconnection') caused by ConnectionDroppedError('The connection was lost.')\n"]

nnot sure any of this relates to the local tuya stuff or not

well some does

the climate.bedroom is a local tuya device

octopus one sorted its self out

local tuya didnt

So I know you don’t use portainer and I have very little docker knowledge. Can I run traefik in its own container or does it need to be in the HA container? Until now I had no idea you could run two things in one container

Each container is separate, you don't run multiple things in one

Not unless you're going to build your own container images, but I doubt you're at that point 😉

lol I think you guessed from my messages I’m not even close to that point

Would you mind sharing a docker compose example for me to use for traefik?

I’m getting all up in my head because I’m reading this guide here

https://www.homeautomationguy.io/blog/docker-tips/configuring-the-mosquitto-mqtt-docker-container-for-use-with-home-assistant

But I’m confused because he is creating things in a docker-compose.yaml file but he also seems to be using portainer

I’ve always just used portainer and put the docker compose files directly in that

mosquitto:
    image: eclipse-mosquitto
    container_name: mosquitto
    volumes:
      - /opt/mosquitto:/mosquitto
      - /opt/mosquitto/data:/mosquitto/data
      - /opt/mosquitto/log:/mosquitto/log
    ports:
      - 1883:1883
      - 9001:9001    

Obviously changing the volume locations to where I want them to be

  traefik:
    container_name: traefik
    image: traefik:v2.10
    restart: unless-stopped
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - "/data/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - "/data/traefik/config:/config:ro"
      - "/data/traefik/logs:/logs"
      - "/data/traefik/acme:/acme"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    env_file: traefik.env
    secrets:
      - "cf_api_email"
      - "cf_dns_api_token"
    healthcheck:
      test: ["CMD", "traefik", "healthcheck"]
      interval: 30s
      timeout: 10s
      retries: 3

Oh ffs I’ve got my self confused

Looking at two different things at once

This is super helpful

Ugh sorry! I think I pinged you

's fine

https://blog.ceard.tech/2022/10/traefik-and-remote-home-assistant may help you

Taking a step back. I assume I need to make sure my HA docker always keeps its same IP. What line do I need to add to my compose file for that?

Why?

host networking uses the host IP

For inter-container communication you use the container_name

Oh ok. I’d gone off reading a few things and the thing I read must have been wrong. It was someone having issues using host networking so that’s why they needed to

You almost never need to fix (or know) the IP of containers

I noticed your example above has lots of extra stuff over this

https://doc.traefik.io/traefik/user-guides/docker-compose/basic-example/

Yes

What?

Well I noticed your doesn’t have the command stuff that is on their example

So I assume not needed

Handled by the environment variables

Oh ok

Actually, no, no commands set

Some of those are set from the config file though

https://gist.github.com/DubhAd/5fffb74c683dd0d96f71d41928ca502a - linked from the blog above

version: "3"

# Network stuff
services:
  traefik:
    image: traefik:v2.2
    container_name: traefik
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=<MY-EMAIL-ADDRESS>"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
      - "80:80"
    volumes:
      - /home/ben/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - /home/ben/traefik/config:/config:ro"
      - /home/ben/traefik/logs:/logs
      - /home/ben/traefik/acme:/acme
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ben/letsencrypt:/letsencrypt

hows that

The question is, does it work?

not got that far yet

Also, you're running a fecking ancient version of Traefik

yours is 2.1 and this one is 2.2 no?

No

    image: traefik:v2.10

But sure, we'll pretend a 3.5 year old release is newer than the current release

lol sorry read 2.2 as newer than 2.10

https://github.com/traefik/traefik/releases

ok updated

version: "3"

# Network stuff
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    command:
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=me@me.co.uk"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
      - "8080:8080"
      - "80:80"
    volumes:
      - /home/ben/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro"
      - /home/ben/traefik/config:/config:ro"
      - /home/ben/traefik/logs:/logs
      - /home/ben/traefik/acme:/acme
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ben/letsencrypt:/letsencrypt

Looks better, now time to start the test process

changed the top version to 3.3 too although i have no idea why lol

Personally I much prefer DNS to TLS/HTTP challenges, but you're limited by your DNS provider

im using 1and1 for dns

(I also prefer to put the config in the config file, over the docker command line, but that's entirely down to personal preference)

yeah when i get a bit better at this i will look at that. I need to get it working to first get my head around it all

never touched this before

so will refine it later

whats your suggestion about DNS over TLS/HTTP?

https://github.com/go-acme/lego/issues/727 suggest maybe hope

Nah, 1and1 are still crap

ok so right now stick with what i have?

You should move to Cloduflare 😛

yep i know i should

Assuming you've got port forwarding set up, give it a whirl

let me change my port forwarding

currently pointing at my current HA

do i need both 80 and 443?

No

just 443

      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
``` says you need 443

Deployment error
failed to deploy a stack: Creating network "traefik_default" with the default driver Pulling traefik (traefik:v2.10)... Creating traefik ...  Creating traefik ... error  ERROR: for traefik Cannot create container for service traefik: invalid mode: ro" ERROR: for traefik Cannot create container for service traefik: invalid mode: ro" Encountered errors while bringing up the project. : exit status 1

what does the ro stuff do?

ignore

i had some charachters i shouldnt

redeployin

You've got stray quotes

ok so its all started up

but not sure if there is more i need to do?

cant access on https externally

so i assume more i need to do?

Stopped for 3 minutes with exit code 1

If it stopped, check the logs

logs folder is empty

And maybe read the traefik docs about exposing test services

You can also check the container logs you know 😉

one second i think i found the issue

i have a folder called

traefik.yaml

that cant be helping

2023/10/02 19:38:43 command traefik error: read /etc/traefik/traefik.yaml: is a directory

2023/10/02 19:39:11 command traefik error: read /etc/traefik/traefik.yaml: is a directory

container logs

agree with me 😛

can you remind me what i do to stop that?

Yeah, that needs to be a file

touch /home/ben/traefik/traefik.yaml

And maybe move your bits from

      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=me@me.co.uk"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
``` to it

how do i stop it creating a folder and make it create me a file?

because i dont know what the contents need to look like exactly

You are reading my messages?

#1158429054295347302 message

#1158429054295347302 message

im trying to keep up i promise

I know to you its probably obvious but its not obvious to me how i convert these into the yaml based on the example you gave

sorry i know i am painful to deal with

Yours would start as:

api:
  insecure=true
providers:
  docker:
    exposedbydefault = false
entrypoints:
  websecure:
    address = ":443"
certificatesresolvers:
  myresolver:
    acme:
      tlschallenge = true
      email = me@me.co.uk
      storage = /letsencrypt/acme.json

      - "--api.insecure=true"
``` becomes
```yaml
api:
  insecure=true

etc

do i need to leave

command:
in my docker compose with nothing below it, or can i get rid of command: all together?

ignore.

you left it out

so i will

2023/10/02 20:01:03 command traefik error: acme cannot be a standalone element (type *acme.Configuration)

2023/10/02 20:01:09 command traefik error: acme cannot be a standalone element (type *acme.Configuration)

so now i need to find what i need to put in acme.json i guess

Don't think you edit that file at all

it did not create that file

https://doc.traefik.io/traefik/https/acme/

Make sure that it can write to /home/ben/letsencrypt

it created that folder..... so it must be able to write to it

My current entire traefik.yaml:

global:
  # Send anonymous usage data
  sendAnonymousUsage: true

accessLog:
  filePath: "/logs/access.log"

api:
  dashboard: true
  insecure: true

ping: {}

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  docker:
    exposedByDefault: false
  file:
    directory: /config
    watch: true

log:
  level: INFO

certificatesResolvers:
  letsencrypt_cf:
    acme:
      caServer: https://acme-v02.api.letsencrypt.org/directory
      email: tinkerer@ceard.tech
      storage: /acme/acme.json
      dnsChallenge:
        provider: cloudflare
      eab:
        kid: secret
        hmacEncoded: moreSecret

oh

letsencrypt_cf:

im missing this

and a caserver too

You have myresolver instead of letsencrypt_cf

caServer also has a default: https://doc.traefik.io/traefik/https/acme/#caserver

so im confused what i am missing here?

I have that there because I started with both ZeroSSL and the LE test server

Share your current config file

api:
  insecure=true
providers:
  docker:
    exposedbydefault = false
entrypoints:
  websecure:
    address = ":443"
certificatesresolvers:
  myresolver:
    acme:
      tlschallenge = true
      email = me@me.co.uk
      storage = /letsencrypt/acme.json

and my docker compose

version: "3.3"

# Network stuff
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik

    ports:
      - "443:443"
      - "8080:8080"
      - "80:80"
    volumes:
      - /home/ben/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - /home/ben/traefik/config:/config:ro
      - /home/ben/traefik/logs:/logs
      - /home/ben/traefik/acme:/acme
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ben/letsencrypt:/letsencrypt

https://doc.traefik.io/traefik/https/acme/#tlschallenge

certificatesResolvers:
  myresolver:
    acme:
      tlsChallenge: {}
``` ![shrug](https://cdn.discordapp.com/emojis/729303702761898084.webp?size=128 "shrug")

Maybe that'll help, maybe not

You probably don't need the email line

2023/10/02 20:11:52 command traefik error: yaml: line 13: could not find expected ':'

line 13 was email

so ive removed that

api:
  insecure=true
providers:
  docker:
    exposedbydefault = false
entrypoints:
  websecure:
    address = ":443"
certificatesresolvers:
  myresolver:
    acme:
      tlsChallenge: {}
      storage = /letsencrypt/acme.json

2023/10/02 20:15:27 command traefik error: yaml: line 13: could not find expected ':'

Ah... I see the problem

now line 13 is the storage =

Because you've moved the storage

I didnt move it 🙂

      storage = /letsencrypt/acme.json

certificatesresolvers:
  myresolver:
    acme:
      tlsChallenge = true
      storage = /letsencrypt/acme.json
``` is valid YAML

Whether it's valid traefik conf...

so where does the storage line go?

storage: /letsencrypt/acme.json

https://doc.traefik.io/traefik/https/acme/#configuration-examples

I posted EXACTLY what you need

just got that from here

sorry where? im confused

#1158429054295347302 message

thats what we started with i thought

trying it now

No, no it's not

certificatesresolvers:
  myresolver:
    acme:
      tlsChallenge: {}
      storage = /letsencrypt/acme.json
``` _That_ is where you started

here no?

      tlsChallenge = true

vs

      tlsChallenge: {}

= vs :

we used = here

2023/10/02 20:01:03 command traefik error: acme cannot be a standalone element (type acme.Configuration)

That was where we started trying to fix your problem

And thats where we are back to

with this

certificatesresolvers:
  myresolver:
    acme:
      tlsChallenge = true
      storage = /letsencrypt/acme.json

Try it and see if you get any errors

i did

this same error

2023/10/02 20:22:00 command traefik error: acme cannot be a standalone element (type *acme.Configuration)

And you've rebuilt the container?

That could be coming from the original command

oh no i didnt know i needed to rebuild it as we are just changing the config yaml

ok one second

You changed the compose file, you have to rebuild it

rebuild = update the stack i assume

which i have done

and still getting the error

ill delete it all and start again just in case

No idea what Portainer does

On the command line it'd be docker compose up -d

Stop the container, delete it, and start it

doing it

exactly the same

brand new container

for the avoidance of doubt

api:
  insecure=true
providers:
  docker:
    exposedbydefault = false
entrypoints:
  websecure:
    address = ":443"
certificatesresolvers:
  myresolver:
    acme:
      tlsChallenge = true
      storage = /letsencrypt/acme.json

version: "3.3"

# Network stuff
services:
  traefik:
    image: traefik:v2.10
    container_name: traefik

    ports:
      - "443:443"
      - "8080:8080"
      - "80:80"
    volumes:
      - /home/ben/traefik/traefik.yaml:/etc/traefik/traefik.yaml:ro
      - /home/ben/traefik/config:/config:ro
      - /home/ben/traefik/logs:/logs
      - /home/ben/traefik/acme:/acme
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/ben/letsencrypt:/letsencrypt

api:
  insecure: true
providers:
  docker:
    exposedbydefault: false
entrypoints:
  websecure:
    address: ":443"
certificatesresolvers:
  myresolver:
    acme:
      tlsChallenge: true
      storage: /letsencrypt/acme.json
``` try that - wonder if the use of `=` has been causing issues - been flipping back and fore on to many traefik docs

yep

we are in

🙂

got a couple of errors but it stayed started

I did suggest that here 🙂

time="2023-10-02T20:30:21Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yaml"

time="2023-10-02T20:30:21Z" level=error msg="the router ha@docker uses a non-existent resolver: letsencrypt"

guess i need to change the tag in ha to acme

rather than letsencrypt

Nope

myresolver

certificatesresolvers:
  myresolver:

better i update that in HA, or in my config of traefik?

i guess it doesnt matter

#1158429054295347302 message

As long as they all agree you'll be ok

progress

time="2023-10-02T20:33:16Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=websecure

time="2023-10-02T20:33:16Z" level=error msg="accept tcp [::]:8080: use of closed network connection" entryPointName=traefik

time="2023-10-02T20:33:16Z" level=error msg="close tcp [::]:8080: use of closed network connection" entryPointName=traefik

time="2023-10-02T20:33:16Z" level=error msg="close tcp [::]:443: use of closed network connection" entryPointName=websecure

time="2023-10-02T20:33:22Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yaml"

Bad Gateway when i try and browse to it

https://stackoverflow.com/questions/73257116/traefik-error-use-of-closed-network-connection

i dont really know what i am looking at here

the first guy suggests just ignore

but its not working for me

Is traefik actually still running?

Are those ports available to the container?

yep

im on the browser page for it

Bad Gateway when i try and browse to it
and
im on the browser page for it
Which?

8080 - takes me to the traefik web page (This works fine)

https://my.domain.com takes me to "Bad gateway"

Well, the other ports... have you actually configurerd any containers for Traefik to provide remote access for?

Or were you just expecting magic?

I thought thats what we did with the tags for HA earlier?

the only container i am trying to get working is HA

(at this stage)

Go to your Traefik page

Go to the HTTP routers page

What does it show?

https://i.imgur.com/ibdj7o6.png

Should be like this

If HA doesn't show there then you didn't rebuild the container after you changed the compose entry

The bottom one is HA

and shows like that

restarting HA container now

restarting HA made no difference

i must be looking at an old HA cert here or something

Checked HA's log?

nothing in there at all relevant to this

So, you've configured http: with the proxy IP range?

Logger: azure.iot.device.common.handle_exceptions
Source: /usr/local/lib/python3.11/site-packages/azure/iot/device/common/handle_exceptions.py:29
First occurred: 21:46:35 (1971 occurrences)
Last logged: 21:55:41

["azure.iot.device.common.transport_exceptions.ConnectionDroppedError: ConnectionDroppedError('Unexpected disconnection') caused by ConnectionDroppedError('The connection was lost.')\n"]

#1158429054295347302 message

When you say the proxy IP Range...

Well... share your http entry

# Uncomment this if you are using SSL/TLS, running in Docker container, etc.
http:
#  base_url: https://home.benweinberg.co.uk
  use_x_forwarded_for: true
  trusted_proxies:
     - 192.168.0.0/24
     - 172.30.33.0/24
     - 172.30.32.0/24
  ip_ban_enabled: true
  login_attempts_threshold: 5

the IP of traefik is 192.168.0.239

You know you can edit your post... right?

yes sorry

getting stressed and rushing

That's not the IP if both are in the same Docker stack

http:
 use_x_forwarded_for: true
 trusted_proxies:
   - 172.18.0.0/16 # traefik proxy subnet
``` is more likely to be correct, unless you're using add-ons

Or if portainer is using non-standard ranges

However... your Traefik access logs will help too

You need to work out if Traefik is even trying to reach HA

added this made no difference

how do i view the traefik access log?

so

Start by enabling:

accessLog:
  filePath: "/logs/access.log"
``` in `traefik.yaml`

172.21.0.2 - Traefik

let me add that IP range

192.168.0.44 - - [02/Oct/2023:21:04:41 +0000] "GET /api/overview HTTP/1.1" 200 485 "-" "-" 1 "api@internal" "-" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:01 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 2 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:01 +0000] "GET /hacsfiles/iconset.js HTTP/2.0" 502 11 "-" "-" 3 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:01 +0000] "POST /auth/token HTTP/2.0" 502 11 "-" "-" 4 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:01 +0000] "GET /api/websocket HTTP/1.1" 502 11 "-" "-" 5 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:01 +0000] "GET /manifest.json HTTP/2.0" 502 11 "-" "-" 6 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:03 +0000] "GET /service_worker.js HTTP/2.0" 502 11 "-" "-" 7 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:03 +0000] "GET /lovelace HTTP/2.0" 502 11 "-" "-" 8 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:03 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 9 "ha@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:05:05 +0000] "GET /service_worker.js HTTP/2.0" 502 11 "-" "-" 10 "ha@docker" "http://127.0.0.1:8123" 0ms

network_mode: host

just found this in my HA Docker Compose

Ummm

do i need to remove that?

"http://127.0.0.1:8123/"
``` that's not expected

i would guess because this is in HA Compose?

network_mode: host

or is that correct?

Yeah, but it shouldn't be using 127.0.0.1

HA is not showing its on IP address like traefik is

192.0.2.42 - - [02/Oct/2023:21:07:04 +0000] "GET /api/shelves?count=0 HTTP/1.1" 200 288 "-" "-" 63373 "bookstack@docker" "http://172.18.0.19:80" 193ms
``` that's from my own log, with another container that runs in the same stack (as my HA is on another host)

Should i create a network for HA?

in portainer

traefik has its own network

so does frigate

but HA does not

i assume thats for discovery

so on purpose

Well, HA uses host network

The rest shouldn't have their own networks, that's ... not normal

https://i.imgur.com/a9LWla3.png

HA is the only one on the "host" network

NETWORK ID     NAME             DRIVER    SCOPE
59441f54436e   bridge           bridge    local
6f3f452b498c   docker_default   bridge    local
8bd3d7325271   host             host      local
a803299c359f   none             null      local
``` that's mine from `docker network list`

so what about trying to add "network_mode: host" to traefik?

No

https://doc.traefik.io/traefik/providers/docker/#host-networking

Your HA is homeassistant not ha

version: '3'
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /mnt/nas/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /home/ben/homeassistant/database:/config/database
    labels:
      - traefik.enable=true
      - traefik.http.services.ha.loadbalancer.server.port=8123
      - traefik.http.routers.ha.rule=Host(`home.mydomain.co.uk`)
      - traefik.http.routers.ha.entrypoints=websecure
      - traefik.http.routers.ha.tls=true
      - traefik.http.routers.ha.tls.certresolver=letsencrypt
    restart: unless-stopped
    privileged: true
    network_mode: host
``` here

Replace .ha. in the labels with .homeassistant.

done

do i need to restart traefik?

Rebuild the HA container

Done that

version: '3'
services:
  homeassistant:
    container_name: homeassistant
    image: "ghcr.io/home-assistant/home-assistant:stable"
    volumes:
      - /mnt/nas/homeassistant:/config
      - /etc/localtime:/etc/localtime:ro
      - /home/ben/homeassistant/database:/config/database
    labels:
      - traefik.enable=true
      - traefik.http.services.homeassistant.loadbalancer.server.port=8123
      - traefik.http.routers.homeassistant.rule=Host(`home.mydomain.co.uk`)
      - traefik.http.routers.homeassistant.entrypoints=websecure
      - traefik.http.routers.homeassistant.tls=true
      - traefik.http.routers.homeassistant.tls.certresolver=letsencrypt
    restart: unless-stopped
    privileged: true
    network_mode: host

Check the access log, see what's happening now

The IP should no longer be loopback

That's me for the night, good luck

192.168.0.1 - - [02/Oct/2023:21:23:14 +0000] "GET /service_worker.js HTTP/2.0" 502 11 "-" "-" 25 "homeassistant@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:23:17 +0000] "GET /lovelace HTTP/2.0" 502 11 "-" "-" 26 "homeassistant@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:23:17 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 27 "homeassistant@docker" "http://127.0.0.1:8123" 0ms
192.168.0.1 - - [02/Oct/2023:21:23:19 +0000] "GET /service_worker.js HTTP/2.0" 502 11 "-" "-" 28 "homeassistant@docker" "http://127.0.0.1:8123" 0ms
192.168.0.44 - - [02/Oct/2023:21:23:20 +0000] "GET /api/overview HTTP/1.1" 200 485 "-" "-" 29 "api@internal" "-" 0ms

still teh same.

Thank you for all your help so far sir! Happy to buy you a beer

if its ok can we continue tomorrow

For tomorrow, but out of interest why is this a bad idea?

https://community.home-assistant.io/t/ha-on-docker-compose-with-traefik-problem/317842/14

i got it working!

extra_hosts: 
      - host.docker.internal:172.17.0.1

was what was required

https://gist.github.com/gaieges/936bdf91e01e4cc782eb047e5873089b

in case you are interested in how i found the fix

MQTT done ✅

just working on ESPHome now

Would you mind helping me setup traefik to work as a proxy for ESPHome. I dont need to access this externally, but i do need to access it on HTTPS

hmmm maybe i just need to add these labels

labels:
traefik.enable: true
traefik.http.routers.esphome.tls: true
traefik.http.routers.esphome.rule: HostRegexp({any:.+})
traefik.http.services.esphome.loadbalancer.server.port: 6052

That worked 🙂 Whoop

well.... it kinda worked. I can browse to esphome via HTTPS now, but view logs does not work?

someone mentioned "Something something websockets"

here is the config i am using

version: '3'
services:
  esphome:
    container_name: esphome
    image: ghcr.io/esphome/esphome
    volumes:
      - /mnt/nas/esphome/config:/config
      - /etc/localtime:/etc/localtime:ro
    restart: always
    privileged: true
    network_mode: host
    environment:
      - USERNAME=
      - PASSWORD=
    labels:
      traefik.enable: true
      traefik.http.routers.esphome.tls: true
      traefik.http.routers.esphome.rule: HostRegexp(`{any:.+}`)
      traefik.http.services.esphome.loadbalancer.server.port: 6052

Traefik supports websockets automatically, that HostRegex looks sus though

hmmm the "view logs" function in ESPHome is not working over https, but does work over http

by the way, do you have somewhere i can "tip" you? As you have literally helped me soo much i honestly cannot thank you enough

Don't worry about it, I'm here to help people because that's what you should do when you have knowledge...

thats very admirable of you, but if there is a way i can tip you or anything i would really like to. You went a little above and beyond the scope of just "Home assistant" support

As for the logs, I'd guess that there's a CORS or iframe problem, but I don't use ESPHome

My HA Config (look at my profile in Discord) has a "buy me a coffee" link

ESPHome guy was sure it was a websocket issue. but you are the most knowledgable person i know on HA soo...

Traefik natively supports websockets, not even sure you can disable that support

You have some coffee sir 🙂

Thank you

lets look what the access log shows when i try and access the "view log"

oh

after the reboot of my machine it seems to just work now

So i think we are at my last question! 😛

Previously when running supervised, life was easy when it came to updating.

How do i manage updates of HA now?

https://www.home-assistant.io/common-tasks/container/#update

Click the Compose button

ok i think there are buttons to do this in portainer.

That's how you update any container with compose

so i should be ok

Aye

oh yes

sorry!

one more

does traefik just automatically renew my SSL?

I just hope to god after all of this i no longer get that corrupt database issues i was having before!

Other containers you may find useful:

• amir20/dozzle - Docker log UI if you move away from Portainer
• crazymax/diun - Tells you when a container image is updated, unlike Watchtower it won't auto-update (and break) things
• ghcr.io/rafhaanshah/container-mon - Tells you when containers are unhealthy (uses the healthcheck)
• quay.io/zenithtecnologia/docker-autoheal - Auto-restarts unhealthy containers
• louislam/uptime-kuma - service monitoring for your home network

excellent! thank you there is some there for sure i am going to use

crazymad/diun looks good

Very handy, and can't break anything 😄

I have it run daily to tell me what's new, so I can go check the release notes before updating

man i ened to figure out how to convert these docker run commands to docker-compose

Ah... hang on

oh wait

https://www.composerize.com/

i think it has it here

https://crazymax.dev/diun/install/docker/#usage

Oh this is excellent!

Uses four rather than two spaces, but that's an easy change 😛

I probably would have spent 2 hours working that out 😛

At some point I need to add something to github listing all the containers I run and why

(plus their compose entry)

  # https://crazymax.dev/diun/
  diun:
    image: crazymax/diun:latest
    container_name: diun
    hostname: river
    command: serve
    volumes:
      - "/data/diun/diun.yaml:/etc/diun/diun.yaml"
      - "/data/diun/data:/data"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    env_file: diun.env
    restart: unless-stopped
``` for instance is my diun entry for the host called `river`

diun.env is:

TZ=Europe/London
LOG_LEVEL=info
LOG_JSON=false
DIUN_PROVIDERS_DOCKER=true

so river is a different docker you have running?

you need one for each docker you want to monitor?

Yeah, there's three Docker hosts

Main server, one for automation, and a test box

oh those are actual servers running docker. you have three of those? i only have one unless ive miss understood?

i thought they were containers.

Yeah, three physical boxes with a bunch of containers on each

if i just want to monitor this single host, do i still need hostname?

Nah, that's just for the display

I'm using Discord for notifications from it

so once diun is running, where do i configure it for notifications etc?

https://crazymax.dev/diun/

https://crazymax.dev/diun/config/#configuration-file for me

regopts:
  - name: "docker.io"
    username: "tinkerer@ceard.tech"
    password: "secret"
    timeout: 30s
watch:
  workers: 10
  schedule: "0 16 * * *"
  firstCheckNotif: false
  compareDigest: true
notif:
  discord:
    webhookURL: https://discord.com/api/webhooks/blahblah
    renderFields: false
    timeout: 10s
    templateBody: '{{ .Meta.Hostname }}: {{ .Entry.Image.Path }} ({{ .Entry.Image.Tag}}) {{ if (eq .Entry.Status "new") }}is available{{ else }}has been updated{{ end }}.'
providers:
  docker:
    watchByDefault: true

I made a mistake when creating the container, so deleting and starting again, but want to delete the folders it would have created by can't find them

volumes:
- "./home/ben/diun/data:/data"
- "/var/run/docker.sock:/var/run/docker.sock"

i had that ./ at the beggining of /home

where would that diun/data folder have gone?

ugh found it

/data/compose/16/home/ben/diun

ugh i may have screwed up

deleted the stack

now can't create a new one

Deployment error
failed to deploy a stack: Named volume "home/ben/diun/data:/data:rw" is used in service "diun" but no declaration was found in the volumes section. : exit status 1

oh

im an idiot

ignore me 🙂

I dont really understand what regopts are for?

trying to create my yaml

here is what i have so far

docker-compose

version: "3.5"

services:
  diun:
    image: crazymax/diun:latest
    command: serve
    volumes:
      - "/home/ben/diun/data:/data"
      - "/home/ben/diun/diun.yaml:/etc/diun/diun.yaml"
      - "/var/run/docker.sock:/var/run/docker.sock"
    environment:
      - "TZ=Europe/London"
      - "DIUN_PROVIDERS_DOCKER=true"
    labels:
      - "diun.enable=true"
    restart: always

then diun.yaml

watch:
  workers: 10
  schedule: "0 10 * * *"
  jitter: 30s
  firstCheckNotif: false
  runOnStartup: true

defaults:
  watchRepo: false
  notifyOn:
    - new
    - update
  sortTags: reverse

notif:
  mail:
    host: smtp.gmail.com
    port: 587
    ssl: false
    username: my@email.address
    password: "my password"
    insecureSkipVerify: false
    from: my@email.address
    to:
      - myother@email.address

regopts:
  - name: "myregistry"
    username: foo
    password: bar
    timeout: 20s
    insecureTLS: true
  - name: "docker.io"
    selector: image
    username: foo2
    password: bar2

providers:
  docker:
    watchStopped: true
  swarm:
    watchByDefault: true
  kubernetes:
    namespaces:
      - default
      - production
  file:
    directory: ./imagesdir
  nomad:
    watchByDefault: true

but not clear what i need to put in regopts?

oh i see. thats the username and password for the docker.io website to check for updates

ok so its all up and running, but doesnt send me the email so something must be up there.

no errors about the email in the log though

/ # diun notif test
Notification sent for mail notifier(s)
/ #

hmmm

notification test actually worked

but in the logs

Tue, 03 Oct 2023 15:12:39 BST INF New image found image=ghcr.io/blakeblackshear/frigate:stable provider=docker

Tue, 03 Oct 2023 15:12:39 BST INF New image found image=ghcr.io/esphome/esphome:latest provider=docker

Tue, 03 Oct 2023 15:12:39 BST INF New image found image=ghcr.io/home-assistant/home-assistant:stable provider=docker

Tue, 03 Oct 2023 15:12:40 BST INF New image found image=docker.io/library/eclipse-mosquitto:latest provider=docker

Tue, 03 Oct 2023 15:12:40 BST INF New image found image=docker.io/library/traefik:v2.10 provider=docker

Tue, 03 Oct 2023 15:12:40 BST INF New image found image=docker.io/portainer/portainer-ce:2.9.3 provider=docker

Tue, 03 Oct 2023 15:12:40 BST INF New image found image=docker.io/crazymax/diun:latest provider=docker

Tue, 03 Oct 2023 15:12:40 BST INF Jobs completed added=7 failed=0 skipped=0 unchanged=0 updated=0

it says it found 7 new images

oh unless it just means they are new because it just found them

not that they have updates available

on the basis i am running traefil 2.10 and thats not the latest

why did it not tell me?

updated yaml

oooh

"FirstChecknotify "false"

that might be why

see what happens tomorrow

ok so i changed the cron to make it happen earlier.

it ran, but doesnt seem to think i have any updates

but we know i am running traefik 2.10 and i think there is a later version

so confused why it didnt tell me?

i cant really tell here: https://hub.docker.com/_/traefik/tags what the latest version is

but looks higher than 2.10.4, and im running 2.10

so what gives

Your tag is 2.10, for any 2.10.x version

oh i see. So if they release a whole new version i wont be notified?

is that going to be an issue for HA etc?

HA does the same

No, and no

Anythin using a number you have to pay attention yourself

interesting. So do you just manually keep an eye out for major updates

You can follow releases on Github and any RSS feader

yea

ok thank you! Honestly, i am finished now and cannot tell you how valuable your help has been!

can't thank you enough.

and only a few pings along the way 😛

No worries, you've been a pleasure to work with

Now to go back to building Mini Motorways

Youve totally lost me on this one 😛

A game, silly fun

oh i thought there was a smart reference 🙂

that went over my head