I looked at HA about a year ago, and it is amazingly improved. I have updated a few times this month without anything breaking so far… I am trying to limit the product variations, and complexity, so I am sure that helps?
The market I am in caters to tech professionals, so I wouldn’t be too concerned. It is highly likely that whoever buys will start from scratch anyway. What I am providing is a solution to encourage exploration and some value-add to the home. HA was a lot easier than rewriting (and supporting ) the homegrown web application I developed for the aged “smart” tech in my home that I have been using for the last 15-20 years. I appreciate your view point. It is valid, but IoT is insecure by it’s nature. Just like the industry, I am just trying to capitalize on it’s availability, and if I can promote HA and improve the experience, that would be cool too?
I have to agree with @tom_l on this. I’ve been using HA for around three years and have two in use, one at my house and one at a rental property. I also have a couple of SmartThings devices in play at some other properties that I’ve been using for nearly five years now.
Of them all, the SmartThings devices are the low maintenance ones. I hate the platform but I can basically ignore it and it is rock solid. HA on the other hand needs regular care and feeding. Some of that is because there is no auto-update functionality in the system for the core, but some of that comes from the rapidly changing integration options.
As to the lack of SSL being “built in”, I personally believe the devs have gone the correct way. They’ve split the SSL management out to something that can be upgraded outside of the core of HA itself and also keeps it from having HA be the opinionated one as to how the cert is managed.
On HAOS that means need to either subscribe to Nabu Casa or you install some add-ons such as the Nginx Proxy Manager (recommended) add-on or the SSL Proxy add-on (only good for handling HA itself and nothing else)
With the straight docker setup on something else, well you’re already into a world of high customization at that point, there are several options. I would suggest looking at Nginx Proxy Manager (which does happen to also be available as a HAOS addon)
For any other type of install, well, you’ve got whatever tools you have in the other installs.
For a something where I was even vaguely considering selling the setup, I would us HAOS. Despite my agreement, it’s the least problematic method if you’re going to turn over a system to someone else.
lol no. That is terrible advice. Sorry but keeping out of date products on your home network isn’t a rule of thumb.
Yes please.
Personally, I think it’s a disaster turning HA over to a new home owner. The very practice/experience that YOU are going through of setting it up is important in the learning aspect of THEMrecovering it and managing it. Once you ‘build it’ for them and turn it over, they would be expected to maintain it. If they really want to maintain it, they should not be deprived the experience/knowledge of how it was setup and built.
HA OS is pretty good but requires care and feeding and patching and refactoring. It isn’t an appliance even though that seems to be the direction the devs would like to take it to.
I have read several threads regarding turning over HA to a new owner, and I have weighed the Pros and Cons… that is not what this thread is about.
Also, a home network is not an isolated network, so “home” and “own” are totally different things. I have 3 isolated networks in my house that never get attached to the Internet. The only updating that happens is when I manually decide to update devices. A couple of the devices are over 40 years old, so it would be a small miracle to get any updates for them anyway.
…back to the original topic: A self signed certificate is a temporary solution and is a pain. dynDnS is pointless for folks that have nothing but static IPs …most everyone in my neighborhood has bought into the lone local ISP’s 8 static IPs on a symmetrical 100 meg connection per house. Most of us are IT professionals who work for one of the colos just down the freeway… a lot of network labs in each house, so a proxy is not a bad idea, but just an unecessary layer to be running on the same box as the app. Especially since this is running on a Pi with a single app. I have seen the Cloudflared solution and it looks interesting, but that complexity is not warranted either if you can run openssl on the box, which must be possible by default since there are connections being made to and from the box from installation.
I think it is just a matter of finding the time to look under the hood and find the web components. This is what I was hoping to get from this thread.
Folks giving advise about security and transferring the system was a little surprising… I dont consider anyone who uses IoT devices security focused by a long shot, and I know from my own experience and from past reading that most people take their devices with them when they move.
@tykeal I find your use case intriguing. How do you handle management? Do you let the tenants make changes? How often do things break, and how are you managing remote connectivity. I envy the free time you must have on your hands?
Well, I know I’m not the only one in my case (multiple properties that they’re renting out). No, tenants have no access to the systems, outside of physical if they break into the location where they are located. I’m using IoT for driving management of short term rental properties so they are handling managing locks primarily along with a specific lighting considerations.
Handling management is simple. I own a domain. I have DNS by way of DNSMadeEasy at their business tier. This gives me access to their API. Therefore, I can use Nginx Proxy Manager (NPM) to handle Let’s Encrypt (LE) certificates for the HA device by way of DNS challenge. It also serves as the proxy to the Ubiquity management console I also have running on the HA device as an add-on (also LE encrypted via NPM). Finally my sprinkler controls are all OpenSprinkler devices which again, I’m proxying through NPM on.
All of the IoT is running on a separate VLAN from the rest of the properties so that I can provide WiFi access to the guests.
The thermostats are also IoT. I presently allow the guests to make changes directly at the thermostat, though they can’t set schedules, if they want that they can talk to me and I’ll set one up remotely.
As for the free time. Managing this isn’t difficult for me, I’m by trade a systems engineer / administrator. I literally work on Linux systems for a living so I’m just leaning heavily on that and my experience as a developer.
I am a retiring network engineer, so I know enough programming languages at a basic level to just be dangerous. I have contributed to a few open source projects, but rarely have the time anymore. Maybe when I retire?
I plan to give one of my domains to the new owner along with the network gear at the house. The IoT stuff is on a segmented wireless network with a vpn appliance which was working well until I didnt read the integration notes and installed a Rachio sprinkler system to replace the Rain8 x10 system I was using for the last 15+ years. Everything works, but the lack of UI updates with Rachio has me rethinking that choice. It has broke my “local only” goal…
Nabucasa cloud has never been an option. I am trying to keep it simple enough that I can replicate the effort on a HA Yellow and give the owner a password list, and then let them decide what they want to do with the gear.
When I bought the house I had a similar choice. I inherited a lot of equipment that I eventually replaced, but the x10 devices were in use until about a month ago. I had a LAMP install controlling everything with web pages I have been improving over the years. The choices now are mind boggling and HA has opened up a whole other level?! HA is a much needed solution over my 15+ year system that is obsolete by todays standards.
BTW, as you’ve pointed out, the purpose behind this thread wasn’t about handing over IoT gear to a new owner, but given the intent behind the start of the thread it’s the root of the matter ;).
Speaking from experience of having recently purchased a house that came with IoT gear in it. I really would have preferred that the previous owner had completely collapsed the IoT network and factory reset gear and given me information on what all the devices were. It would have made my take over significantly easier.
I ended up having to actually get in direct contact with the prior owner to get them to work through relinquishing access on several pieces of gear.
Having IoT in the house as part of the sale is great and all, but having to deal with figuring out how to get access to devices that couldn’t be handed over easily was painful and between HA and SmartThings I’ve been playing with these platforms for 5+ years now. Imagine what it would be like for someone that isn’t as into IoT coming into such a situation? That’s a large part of why people keep saying you shouldn’t build it out and hand it over…
Trust me though… I fully understand the transferring ownership thoughts. Most of the homes in the neighborhood are smart homes, so “smart home ready” is a minimal expectation… some old tech and some newer… When I moved in I had all these x10 devices, 2 mini-timers and 2 remotes. An cm11a was left in a box in the telecommunications closet with a hand written note explaining a few software choices. It was a fun but frustrating journey. I hope I do a better job.
And I guess the SSL piece is just a by-product because I care about not having access compromised if they decide to access it from cell phones and decide to just port forward and not use the vpn. HA is far less complex than the web server I ran my systems on, but I also had other daemons running alerting me of network events, and who was logging in to devices. That is too much to try to pass on. I just want to offer an encrypted login with a functional setup until they have time to dive in.
I am going to look at the nginx proxy again. I saw the yaml config for banning IPs based on failed logins too, so I need to read up on that.
Nginx Proxy Manager looks like the ticket! Thank You! It looks like I have another item to add to my weekend exploration. Curious to find out why MariaDB is needed, but the install seems pretty straight forward? I have an SD Duplicator, so backup is not that big of a deal right now, but I am wondering how others backup the setup. Is there an option to backup containers outside of the Core Install? This is probably all available in the Docs, I just have not had the time to get that far.
I was surprised to find I had overlooked Nginx Proxy Manager. I was a little confused for a moment because I am used to NPM being a package manager, and the acronym made me think I was not understanding what was being discussed. lol Another set of acronyms to try to remember?
As far as handing over the devices, I have been spending time before I make purchases to determine the procedure for transfer of ownership, and that is part of the purchasing decision. I am documenting the procedures to provide to the new owner.
Thanks for that. I will have to look at it to see if I can apply it to backing up to a NAS, but I do not use google products, and in fact have most of google services blackholed, so google drive is not really an option for me.
Awesome! Samba back up is definitely more my speed.
HA really amazes me! I looked at it previously (what I thought was about a year ago, but I am starting to think it was much longer.), and I do not remember all the options. The UI is incredible, and Docker is a bit intimidating for an old hack like me, but am impressed with the user experience so far. This forum is incredible as well! Thank you all for the pointers! It is saving me alot of time.
The conversation about handing your system over to a new home owner is interesting. I use a supervised install. I’ve been running HA for over 2 years I believe. If I ever sell my house I plan to offer the new home buyer the option to take over using HA. HA provides security, full home entertainment control, and smart device control. I expect what I have is more complicated than what you’re looking to do. It would make no sense to not to give the new home owner the option to take over these smart house capabilities. So good for you. Some where in this thread someone mentioned you should use Nabu Casa for remote access. That is the right solution as it provides the easiest way to gain remote 24/7 access. I’ve used both Nabu Casa an openVPN. As a tech individual I’d prefer to use openVPN, however my wife isn’t as good with tech. Nabu Casa works without issue and doesn’t require any additional steps for less tech oriented people. Any person looking to take over a smart house shouldn’t have an issue with a ~$5 monthly charge. If they do then you can disable Nabu Casa and they’ll be giving up remote access until they figure out how they want to implement it. I’d be surprised if anyone buying your house would be planning on getting a fixed IP and a domain name. As someone else mentioned if you go with a supervised install all you to do is tell HA where to find the SSL certs in the configuration.yaml file. While I’m not crazy about using straight HTTP locally, it doesn’t give me great concern. If someone is on your home network you have bigger problems then the attacker possible sniffing your HA user password.
Yea, you sound like you have been at it for awhile.
I am only installing Lutron Caseta, Shelly, Rachio, and Ecobee in HA. I have a few scripts I wrote, and a couple automations handling some motion detection and using the sun to change the blinds with the sun. I am trying to keep the add-ons to a minimum, but I keep finding pretty handy features. lol
The local ISP that is pretty much the only ISP in the area that still gives static IPs gives out /29s with a 100m symmetrical pipe for $39 a month. I already have the domain name for $9 a year. They are getting a IPSec VPN appliance with 8 licenses, and I now have the nginx proxy up and running with SSL functioning. Port 80 redirects to 443, and 404s get sent to google. I don’t really like port 80 open to the Internet, but going to get the IP ban working similar to fail2ban, and hopefully not get hammered by script kiddies.
FYI: if you are using Wifi, you do not need to join your network to sniff the traffic. A Wifi device in monitor mode sees all traffic from all available SSIDs and your username and password are in plain text without SSL. The cracker only needs to be within range of your Wifi communications to get access easily.