diff --git a/docker-compose.yml b/docker-compose.yml
index 6939355..2bf898c 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,11 +28,8 @@ services:
       - "traefik.http.routers.dashboard.entrypoints=web"
       - "traefik.http.services.dashboard.loadbalancer.server.port=8080"
       - "traefik.http.routers.dashboard.service=api@internal"
-#    ports:
-#      - "80:80"
-#      - "443:443"
     depends_on:
-      - sonarr
+      - pihole
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /srv/docker/container/traefik/:/configuration
@@ -172,11 +169,6 @@ services:
       - /export/docker/storage:/data
       - /export/myth/tv:/myth-recordings
       - /etc/localtime:/etc/localtime:ro
-#    ports:
-#      - "8096:8096"
-#      - "8920:8920"
-#      - "7359:7359/udp" 
-#      - "1900:1900/udp"  
     depends_on:
       - pihole
     labels:
@@ -186,8 +178,6 @@ services:
       - "traefik.http.services.emby.loadbalancer.server.port=8096"
       - "traefik.http.routers.emby.tls=true"
       - "traefik.http.routers.emby.entrypoints=secureweb"
-#    devices:
-#      - /dev/dri:/dev/dri
 
 
   #
@@ -224,7 +214,6 @@ services:
       - /srv/docker/container/mail/log:/var/log/mail
       - /srv/docker/container/mail/config/:/tmp/docker-mailserver/
       - /srv/docker/container/letsencrypt/etc:/etc/letsencrypt
-#      - /srv/docker/container/mail/fail2ban/etc:/etc/fail2ban
       - /etc/localtime:/etc/localtime:ro
     environment:
       - ENABLE_SPAMASSASSIN=1
@@ -410,6 +399,7 @@ services:
     image: homeassistant/home-assistant
     container_name: hass
     privileged: true
+    network_mode: host
     restart: always
     security_opt:
       - seccomp:unconfined
@@ -418,20 +408,43 @@ services:
       - openldap
     volumes:
       - /srv/docker/container/hass:/config
+      - /export/docker/storage/music/:/music
       - /var/run/docker.sock:/var/run/docker.sock
       - /var/run/dbus/system_bus_socket:/var/run/dbus/system_bus_socket
       - /etc/localtime:/etc/localtime:ro
+      - /run/dbus:/run/dbus:ro
     labels:
       - "com.centurylinklabs.watchtower.enable=false"
-      - "traefik.enable=true"
-      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
-      - "traefik.http.routers.hass.tls=true"
-      - "traefik.http.routers.hass.tls.options=tls12@file"
-      - "traefik.http.services.hass.loadbalancer.server.port=8123"
-      - "traefik.http.routers.hass.entrypoints=secureweb"
+#      - "traefik.enable=true"
+#      - "traefik.http.routers.hass.rule=Host(`hass.depaoli.id.au`)"
+#      - "traefik.http.routers.hass.tls=true"
+#      - "traefik.http.routers.hass.tls.options=tls12@file"
+#      - "traefik.http.services.hass.loadbalancer.server.port=8123"
+#      - "traefik.http.routers.hass.entrypoints=secureweb"
+#    ports:
+#      - "8095:8095"
+#      - "8123:8123"
+#      - "3610:3610/udp"
+
+  mosquitto:
+    container_name: mosquitto
+    image: eclipse-mosquitto
+    restart: always
+    volumes:
+      - /srv/docker/container/mosquitto:/mosquitto
     ports:
-      - "8123:8123"
-      - "3610:3610/udp"
+      - "1883:1883"    
+    
+  esphome:
+    container_name: esphome
+    image: esphome/esphome
+    volumes:
+      - /srv/docker/container/esphome/config:/config
+      - /dev:/dev
+      - /etc/localtime:/etc/localtime:ro
+    restart: always
+    privileged: true
+    network_mode: host
     
   sabnzbd:
     image: linuxserver/sabnzbd
@@ -579,6 +592,9 @@ services:
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
+      - "traefik.http.routers.grafana_ssl.rule=Host(`graf.depaoli.id.au`)"
+      - "traefik.http.routers.grafana_ssl.tls=true"
+      - "traefik.http.routers.grafana_ssl.entrypoints=secureweb"
       - "traefik.http.routers.grafana.rule=PathPrefix(`/grafana/`)"
       - "traefik.http.routers.grafana.entrypoints=web"
 
@@ -819,6 +835,7 @@ services:
       - "PASSWORD=JUkoCuA!wH*f9Jeg^w*d"
       - "COUNTRY=AU"
       - "DEBUG=-v"
+      - "TRUSTED_DEVICE_NAME=Samsung S10"
     ports:
       - "3000:3000"
     labels:
@@ -916,7 +933,7 @@ services:
       # Steam's server-list port
       - "27015:27015/udp"
 
-# php wordpress??? (use traefik for https ssl offload)
+# php wordpress (use traefik for https ssl offload)
   mimosa-clinic:
     restart: always
     container_name: mimosa-clinic
@@ -933,9 +950,14 @@ services:
     labels:
       - "com.centurylinklabs.watchtower.enable=true"
       - "traefik.enable=true"
+      - "traefik.http.routers.mimosa.entrypoints=secureweb"
       - "traefik.http.routers.mimosa.rule=Host(`mimosa.depaoli.id.au`)"
       - "traefik.http.routers.mimosa.tls=true"
-      - "traefik.http.routers.mimosa.entrypoints=secureweb"
+      - "traefik.http.routers.mimosa-http.entrypoints=web"
+      - "traefik.http.routers.mimosa-http.rule=Host(`mimosa.depaoli.id.au`)"
+      - "traefik.http.middlewares.mimosa-http-redirect.redirectscheme.scheme=https"
+      - "traefik.http.middlewares.mimosa-http-redirect.redirectscheme.permanent=true"
+      - "traefik.http.routers.mimosa-http.middlewares=mimosa-http-redirect@docker"
   mimosa-db:
     restart: always
     container_name: mimosa-db