# Compose project: ESPHome dashboard published through Traefik, plus an
# avahi helper that announces esphome.local on the LAN.
name: esphome

# Both networks are created outside this project.
networks:
  traefik-net:
    external: true
  macvlan1:
    external: true

#secrets:
#  wireguard_private_key:
#    file: ${SECRETSDIR}/wireguard_private_key

services:
  esphome:
    image: "esphome/esphome:2025.11.0"  # 2025.9.1
    env_file: ".esphome.env"
    volumes:
      - "/etc/localtime:/etc/localtime:ro"
      # /config is the dashboard's working directory. ESPHome projects
      # typically keep Wi-Fi/API/OTA credentials there, so treat the host
      # path as sensitive (permissions, backups).
      - "${DATADIR}/config:/config"
      # - /var/run/avahi-daemon/socket:/var/run/avahi-daemon/socket
    restart: unless-stopped
    # NOTE(review): privileged mode grants every capability and access to all
    # host devices, so a compromise of the dashboard is close to a compromise
    # of the host. The reason for it is not visible in this file; if it is
    # only needed for a serial/USB flashing adapter, a `devices:` entry for
    # that adapter is the narrower grant. Confirm before changing.
    privileged: true
    # added network_mode for VPN access
    # network_mode: "service:gluetun"
    # depends_on:
    #   gluetun:
    #     condition: service_healthy
    # hostname, networks and labels removed for VPN access
    # hostname: esphome
    networks:
      traefik-net: null
      # macvlan puts the container on the LAN with its own address. Whatever
      # the container listens on is then reachable at ${ESPHOME_LOCAL}
      # directly, without passing through Traefik's TLS and middlewares.
      macvlan1:
        ipv4_address: "${ESPHOME_LOCAL}"
    labels:
      - "traefik.enable=true"
      - "traefik.docker.network=traefik-net"
      - "traefik.http.services.${APPLICATION_NAME}-svc.loadbalancer.server.port=${WEBUI_PORT}"
      # Plain-HTTP router; judging by its name the middleware redirects to
      # the secure router (defined in Traefik's file provider, not shown here).
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.entrypoints=web"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.middlewares=http-mw-secureHeaders-redirect@file"
      - "traefik.http.routers.${APPLICATION_NAME}-rtr.service=${APPLICATION_NAME}-svc"
      # HTTPS router. NOTE(review): no authentication middleware is attached
      # to either router. Whether the dashboard enforces its own login
      # depends on .esphome.env, which is not shown here; confirm that before
      # relying on this hostname being reachable.
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.entrypoints=websecure"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.rule=Host(`${APPLICATION_NAME}.${DOMAINNAME}`)&& PathPrefix(`/`)"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.middlewares=http-mw-secureHeaders@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls=true"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.options=tls-options@file"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.tls.certresolver=solver-dns"
      - "traefik.http.routers.${APPLICATION_NAME}-secure-rtr.service=${APPLICATION_NAME}-svc"

  # Publishes an mDNS address record for esphome.local pointing at the
  # dashboard's macvlan address, using the host's avahi daemon.
  avahi-tools:
    # NOTE(review): `latest` is a mutable tag on a third-party image that is
    # handed the host's D-Bus and avahi sockets below. Pin it, for example
    # ahasbini/avahi-tools:<pinned-tag-or-digest> (placeholder).
    image: "ahasbini/avahi-tools:latest"
    command: "avahi-publish -a esphome.local ${ESPHOME_LOCAL}"
    #command: avahi-publish-service -s esphome.local _http._tcp
    volumes:
      # Host system D-Bus and avahi runtime directories. The container can
      # talk to any host service that the bus policy allows, not only avahi.
      - "/run/dbus:/var/run/dbus"
      - "/run/avahi-daemon:/var/run/avahi-daemon"

  # temporary VPN
  # gluetun:
  #   image: qmcgaw/gluetun:latest
  #   #hostname: gluetun-qb
  #   env_file: .gluetun.env
  #   cap_add:
  #     - NET_ADMIN
  #   devices:
  #     - /dev/net/tun
  #   volumes:
  #     - "${DATADIR}/appdata:/gluetun"
  #   secrets:
  #     - wireguard_private_key
  #   networks:
  #     traefik-net:
  #       ipv4_address: 10.255.239.4 # to access services in this project from other containers; hostnames and aliases will not work
  #   restart: always
  #   labels:
  #     - traefik.enable=true
  #     - traefik.docker.network=traefik-net
  #     ##################################################################################
  #     ################################# ESPH_APP ##################################
  #     #
  #     # http services
  #     # -------------
  #     - "traefik.http.services.${ESPH_APP}-gt-svc.loadbalancer.server.port=${ESPH_PORT}"
  #     #
  #     # http routers
  #     # ------------
  #     # limit router to web ":80" entrypoint (Note: web entrypoint http requests are globally redirected to websecure router in traefik.yml)
  #     - "traefik.http.routers.${ESPH_APP}-rtr.entrypoints=web"
  #     # set match criteria for router
  #     - "traefik.http.routers.${ESPH_APP}-rtr.rule=Host(`${ESPH_URL}`)&& PathPrefix(`/`)"
  #     # attach middlewares to router
  #     - "traefik.http.routers.${ESPH_APP}-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress-redirect@file"
  #     # assign svc target to router
  #     - "traefik.http.routers.${ESPH_APP}-rtr.service=${ESPH_APP}-gt-svc"
  #     #
  #     # limit router to websecure ":443" entrypoint
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.entrypoints=websecure"
  #     # set match criteria for router
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.rule=Host(`${ESPH_URL}`)&& PathPrefix(`/`)"
  #     # set router to be dedicated to secure requests only for the host specified in match criteria
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.tls=true"
  #     # apply tls options
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.tls.options=tls-options@file"
  #     # generate certificates using following certresolver
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.tls.certresolver=solver-dns"
  #     # attach middlewares to routers
  #     #- "traefik.http.routers.${ESPH_APP}-secure-rtr.middlewares=${ESPH_APP}-auth"
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.middlewares=http-mw-rateLimit-secureHeaders-compress@file"
  #     # assign svc target to router
  #     - "traefik.http.routers.${ESPH_APP}-secure-rtr.service=${ESPH_APP}-gt-svc"