Homeassistant with traefik 2.2 for TLS in docker-compose in network_mode: host

docker-compose.yml

version: '2.1'

services:
  homeassistant:
    restart: always
    image: homeassistant/raspberrypi3-homeassistant
    expose:
      - 8123
    ports:
      - "8123:8123"
    devices:
      - /dev/ttyACM0
    volumes:
      - ./config:/config
    network_mode: host
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.hahttp.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.rule=Host(`MY_DOMAIN`)"
      - "traefik.http.routers.ha.tls=true"
      - "traefik.http.routers.ha.tls.certresolver=le"
      - "traefik.http.routers.ha.tls.domains[0].main=MY_DOMAIN"
      - "traefik.http.services.homeassistant.loadbalancer.server.port=8123"

  traefik:
    restart: always
    image: traefik:v2.2
    command: 
      - "--api.dashboard=true"
      - "--api.insecure=true"
      - "--accesslog=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entryPoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.le.acme.tlschallenge=true"
      - "--certificatesresolvers.le.acme.email=MY_EMAIL"
      - "--certificatesresolvers.le.acme.storage=/letsencrypt/acme.json"
    ports:
      - 80:80
      - 8080:8080
      - 443:443
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"
    extra_hosts: 
      - host.docker.internal:172.17.0.1
 

HA is network_mode: host

What I found weird is that traefik is recognizing the labels in HA, it's pointing to the right URL, it's displaying the HA can't connect but I receive different errors.

I also ran into this issue when I set up HA, although I don't quite remember what I did to resolve it. What does your HA config look like? Here's mine:

configuration.yaml

# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

homeassistant:
  external_url: "https://ha.domain.com"
  internal_url: "http://serverip:8123"

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 10.0.4.2

The important parts being external_url and internal_url as well as the http section. I think what I did to get it to work was hardcode the traefik container's IP under trusted_proxies. This was an issue, as described above, which I found a workaround for.

I also remember having an issue with getting traefik pointed to the right IP address using labels, but I think this was an unrelated issue, but I'll include below in case it's related:

For HA, which I have running in host mode, I have it configured via a config file, config.yaml, which is in the same directory as traefik.yaml. Note that you would need to include this file as a provider in your traefik.yaml. All of my other containers are configured via labels, and I remember this being significant at the time, but I don't remember if it was the fix to this specific issue or not. Here is how mine is configured:

traefik.yaml

providers:
  file:
    directory: /etc/traefik
    watch: true

config.yaml

http:
  routers:
    homeassistant:
      entryPoints:
        - web
        - websecure
      rule: "Host(`ha.domain.com`)"
      service: homeassistant
      tls: {}
  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: "http://serverip:8123"