Home Assistant — Smart Home Hub

Route	URL	Auth
Internal	`ha.k3s.internal.strommen.systems`	Direct, no middleware
Public UI	`ha.k3s.strommen.systems`	HA native auth (no Authentik forwardAuth)
Google Assistant API	`ha.k3s.strommen.systems/api/google_assistant`	HA-managed OAuth2 (open path, must remain accessible)

Integration	Protocol	Notes
Philips Hue	mDNS	Lights + scenes
LG webOS TV (x2)	SSDP	42" + 65" C4, power/volume/input
Google Cast	mDNS	Chromecasts + Home speakers (TTS)
Apple AirPlay	Bonjour	Media control + remote
UniFi Network	HTTP	Presence detection, device tracking
YoLink	OAuth2 Cloud	Hub + 4 leak sensors
Google Nest	OAuth2/Pub-Sub	Thermostat + cameras ($5 SDM API)
Google Assistant	Cloud Actions	Voice control via fulfillment URL
Kasa HS300	KLAP/SHIP 2.0 (LAN, port 80)	Smart plugs — power monitoring

Setting	Value	Notes
`hostNetwork`	`true`	mDNS/SSDP device discovery
`dnsPolicy`	`ClusterFirstWithHostNet`	Required with hostNetwork
`nodeSelector`	`k3s-agent-2`	Stable host IP for mDNS
`service.type`	`LoadBalancer`	MetalLB assigns 192.168.20.202
`persistence.size`	`5Gi`	Longhorn RWO for /config
`capabilities.add`	`NET_BIND_SERVICE, NET_ADMIN, NET_RAW`	mDNS + DHCP watching + Bluetooth
`ip_ban_enabled`	`false`	Traefik pod IP would get banned instead of real client
`trusted_proxies`	`10.42.0.0/16, 192.168.1.0/24, 192.168.20.0/24`	k3s pods + home + server VLAN

¶ Home Assistant — Smart Home Hub