Hi all, not really sure where this belongs so thought I’d throw it here, and see if anyone could help.
I was running HA Supervised - mostly to try out, as previously running core for years - and tbh I haven’t been paying too much attention to it. Every month or so I updated HA through supervisor, and occasionally updated the Debian Buster install it was running off.
I go now and look, and to my surprise I can’t access HA. So I SSH in to my home server and lo and behold, there are no traces of HA. My custom bash aliases are still working, except the HA relevant ones. Tbh I am just at a loss. I was using built in snapshots before every update, but I imagine they went with the ship so to speak. So all my config, secrets, automations, integrations, etc are all gone.
Does anyone have any idea what happened, or how to find out? My only thought is that my way of updating debian is a bit lazy, and I run -y with upgrade? Could I have accidentally agreed to wipe out my near entire HA install??
I worked out what was the problem all along. So what “broke” my install was one of the breaking changes in July’s update which I did not read in advance. Specifically it was related to HAs tolerance for poorly configured proxies. So my install was actually fine, all I needed to do was some config changes. Unfortunately I worked this out after reinstalling HA fresh two or three times…
There are forum posts regarding these new issues but I didn’t see one which fit me exactly as most of them seem to be using a reverse proxy host consciously. I set up SSL through cloudflare following this guide (Securing Home Assistant with Cloudflare) and didnt pay any mind to the proxy aspect as it just worked. What took me a long time to realise is that cloudflare IS the proxy host in this setup, so when you edit your configuration.yaml to include reverse proxy info - specifically the trusted proxies list, you have to put in the IP addresses that cloudflare uses. If you manage your own reverse proxy (e.g. nginx) that is likely only one address you need to put in, but cloudflare is a big company with lots of them.
Luckily they put out a nice little list of ip4 and ip6 addresses for third party look ups (https://www.cloudflare.com/en-gb/ips/). So I made a bash script to download the list, edit it to fit yaml syntax, and then put that file in to the config folder. Then I could use an !include statement to pull it in as the trusted proxies list. Finally I set up a cron job as root to update this list weekly, though I don’t imagine it will change that often.
If this isn’t a completely stupid thing to do and full of security issues, then I’m happy to write something up? Though as I see it, all it’s doing is telling HA to only let in requests that go through cloudflare servers, which is the intention anyway. As long as SSL certificate is correct, and add in TFA then it all seems fine to me?
TL;DR: HA didn’t delete itself, was always there. July HA update broke my specific method of achieving remote access via a custom domain.