diff --git a/kube/deploy/apps/home-assistant/app/hr.yaml b/kube/deploy/apps/home-assistant/app/hr.yaml
index 2aafd1df..1e86027d 100644
--- a/kube/deploy/apps/home-assistant/app/hr.yaml
+++ b/kube/deploy/apps/home-assistant/app/hr.yaml
@@ -21,6 +21,7 @@ spec:
 type: deployment
 replicas: 1
 pod:
+ hostname: "home-assistant"
 labels:
 ingress.home.arpa/nginx-internal: "allow"
 ingress.home.arpa/world: "allow"
@@ -111,6 +112,8 @@ spec:
 ports:
 http:
 port: 8123
+ protocol: TCP
+ appProtocol: http
 vscode:
 primary: false
 controller: "vscode"
@@ -157,7 +160,7 @@ spec:
 enabled: true
 existingClaim: "home-assistant-data"
 advancedMounts:
- main:
+ home-assistant:
 main:
 - subPath: "config"
 path: "/config"
diff --git a/kube/deploy/apps/home-assistant/app/netpol.yaml b/kube/deploy/apps/home-assistant/app/netpol.yaml
new file mode 100644
index 00000000..f0df3a1b
--- /dev/null
+++ b/kube/deploy/apps/home-assistant/app/netpol.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/cilium.io/ciliumnetworkpolicy_v2.json
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app home-assistant
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ - fromCIDR: &privIPv4
+ - "10.0.0.0/8"
+ - "172.16.0.0/12"
+ - "192.168.0.0/16"
+ - "100.64.0.0/10"
+ toPorts:
+ - ports:
+ - port: "21061"
+ protocol: TCP
+ ingressDeny: # only ingress can hit HTTP port
+ - fromEntities: [world]
+ toPorts:
+ - ports:
+ - port: "8123"
+ protocol: ANY
+
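Review bot: The `ingressDeny` comment `# only ingress can hit HTTP port` in netpol.yaml claims more than the rule enforces, because the rule only denies the `world` entity on 8123; whether the ingress controller is the sole in-cluster client depends on allow rules that are not in this file. I would reword it to `# deny direct access to 8123 from outside the cluster; in-cluster access is decided by allow rules elsewhere`. Separately, `endpointSelector: {}` applies the 21061 allow from the private ranges to every endpoint in the namespace, which presumably includes the `vscode` controller seen in hr.yaml; a `matchLabels` selector on the Home Assistant pods would limit that allow to the workload that needs it. The `&privIPv4` anchor is not aliased anywhere in the file as shown and can be dropped.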