diff --git a/.gitattributes b/.gitattributes
index e859268..bc209dd 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1,3 +1,5 @@
 .pass.sh filter=git-crypt diff=git-crypt
 ansible/vars/vault.yml filter=git-crypt diff=git-crypt
+ansible/roles/hass/files/automations.yaml filter=git-crypt diff=git-crypt
+ansible/roles/hass/files/configuration.yaml filter=git-crypt diff=git-crypt
 *.yml linguist-detectable
diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml
index a00d938..2c52dc5 100644
--- a/ansible/deploy_home.yml
+++ b/ansible/deploy_home.yml
@@ -10,6 +10,7 @@
   - role: pihole
   - role: http
   - role: drone
+  - role: hass
   - role: nfs
     tags: nfs
   - role: motion
diff --git a/ansible/roles/hass/files/automations.yaml b/ansible/roles/hass/files/automations.yaml
new file mode 100644
index 0000000..3f3f510
Binary files /dev/null and b/ansible/roles/hass/files/automations.yaml differ
diff --git a/ansible/roles/hass/files/configuration.yaml b/ansible/roles/hass/files/configuration.yaml
new file mode 100644
index 0000000..4f709e7
Binary files /dev/null and b/ansible/roles/hass/files/configuration.yaml differ
diff --git a/ansible/roles/hass/meta/main.yml b/ansible/roles/hass/meta/main.yml
new file mode 100644
index 0000000..3f81c4b
--- /dev/null
+++ b/ansible/roles/hass/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: http
diff --git a/ansible/roles/hass/tasks/hass.yml b/ansible/roles/hass/tasks/hass.yml
new file mode 100644
index 0000000..d7476f5
--- /dev/null
+++ b/ansible/roles/hass/tasks/hass.yml
@@ -0,0 +1,38 @@
+---
+- name: create home-assistant host directory volumes
+  become: true
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+    - /usr/share/hass
+    - /usr/share/hass/media
+    - /var/lib/private/hass
+  tags: hass
+
+- name: copy configuration and automations
+  become: true
+  copy:
+    src: "files/{{ item }}"
+    dest: "/var/lib/private/hass/{{ item }}"
+    mode: 644
+  with_items:
+    - configuration.yaml
+    - automations.yaml
+  tags: hass
+
+- name: create home-assistant server container
+  diff: false
+  docker_container:
+    name: hass
+    image: ghcr.io/home-assistant/home-assistant:stable
+    recreate: true
+    restart: true
+    restart_policy: on-failure
+    restart_retries: 3
+    volumes:
+      - /var/lib/hass:/config
+      - /usr/share/hass:/share
+    ports:
+      - "8123:8123"
+  tags: hass
diff --git a/ansible/roles/hass/tasks/main.yml b/ansible/roles/hass/tasks/main.yml
new file mode 100644
index 0000000..730cd64
--- /dev/null
+++ b/ansible/roles/hass/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+- import_tasks: hass.yml
diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml
index 51a80d2..386d0ba 100644
--- a/ansible/roles/http/defaults/main.yml
+++ b/ansible/roles/http/defaults/main.yml
@@ -7,6 +7,7 @@ deps: [
 
 ci_server_name: ci.bdebyl.net
 pi_server_name: pi.bdebyl.net
+assistant_server_name: assistant.bdebyl.net
 home_server_name: home.bdebyl.net
 parts_server_name: parts.bdebyl.net
 install_path: /usr/share
diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf
index fff4796..275787d 100644
--- a/ansible/roles/http/files/nginx/nginx.conf
+++ b/ansible/roles/http/files/nginx/nginx.conf
@@ -10,6 +10,11 @@ events {
 }
 
 http {
+  map $http_upgrade $connection_upgrade {
+    default upgrade;
+    '' close;
+  }
+
   include mime.types;
 
   default_type application/octet-stream;
diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml
index b546b1d..e56bcaa 100644
--- a/ansible/roles/http/tasks/http.yml
+++ b/ansible/roles/http/tasks/http.yml
@@ -38,6 +38,7 @@
     - "{{ ci_server_name }}.http.conf"
     - "{{ pi_server_name }}.conf"
     - "{{ home_server_name }}.conf"
+    - "{{ assistant_server_name }}.conf"
     - "{{ parts_server_name }}.conf"
   notify: restart_nginx
   tags: http
@@ -59,5 +60,7 @@
     - "{{ ci_server_name }}.http.conf"
     - "{{ pi_server_name }}.conf"
     - "{{ parts_server_name }}.conf"
+    - "{{ home_server_name }}.conf"
+    - "{{ assistant_server_name }}.conf"
   notify: restart_nginx
   tags: http
diff --git a/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
new file mode 100644
index 0000000..7a2a017
--- /dev/null
+++ b/ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2
@@ -0,0 +1,17 @@
+server {
+  listen 80;
+  server_name {{ assistant_server_name }};
+
+  location / {
+    allow 192.168.1.0/24;
+    allow 127.0.0.1;
+    deny all;
+
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Upgrade         $http_upgrade;
+    proxy_set_header Connection      $connection_upgrade;
+
+    proxy_buffering off;
+    proxy_pass http://localhost:8123;
+  }
+}