Hassbian + DuckDNS + Certbot + Nginx

Configuration
1

I’m having trouble determining the best approach to certbot/duckdns/nginx…
I have one duckdns subdomain and my own .eu domain with two subdomains (hassbian.mydomain.eu and unifi.mydomain.eu - my unifi controller and hassbian are both running on separate RPIs). I want to direct mydomain.eu subdomains to myduck.duckdns.org, which in turn will terminate at my Unifi Security Gateway, which will forward traffic on port 443 to hassbian.mydomain.eu where I would have Nginx reroute unifi.mydomain.eu 443 traffic to port 8443 (unifi) on the other RPI within my network and hassbian.mydomain.eu to my hass instance at port 8123.

Home%20Assistant%20-%20Network%20config%20-%20Page%201%20-%20anon
Home%20Assistant%20-%20Network%20config%20-%20Page%201%20-%20anon1360×1013 86.6 KB

Now, my questions are…

  1. is my thinking somewhat accurate?
  2. how the hell would I set something like this up with certbot? I’m currently using Ludeeus’ duckdns/dehydrated suite, but I feel it’s somewhat limiting in a more complex setup like this…

Any help would be greatly appreciated :slight_smile:

2

Some of the steps seem unnecessary unless you have some reason for them that’s not included in this post; I have a very similar setup without the DuckDNS or Nginx steps. Your hosting provider should allow you to set DNS records that will forward subdomains to certain ports which your UniFi controller can then forward to the proper local IP addresses/ports.
IE:

hassbian.mydomain.eu > mydomain.eu:8123 > 192.168.10.117:8123
                     ^                  ^
                     |                  |
                  host DNS      UniFi controller

unifi.mydomain.eu > mydomain.eu:8443 > 192.168.1.7(?):8443
                  ^                  ^
                  |                  |
               host DNS      UniFi controller

This shouldn’t have any affect on your ‘mydomain.eu’ certificate.

Edit: Pertified it a little

3

Hi Jason,

Thanks for the reply. DuckDNS is added to the mix because my ISP does not offer static IP addresses. However, since I recently switched my domain names to Gandi, I might be able to use their LiveDNS API to achieve the same and drop DuckDNS.

This script might do the trick:

I’ll try it out and report back tonight. That decomplicates my setup quite a bit and should help in getting certbot set up.

1 Like
4

Ah, gotcha.

You may be able to update your IP directly from your USG, depending on which protocols their API supports.

5

This might be useful too. It looks easy to integrate into HA…

https://nextnet.top/content/using-gandi-livedns-dynamic-dns-server

6

Quickly googled for USG/Gandi integrations, but doesn’t seem to support it.
I came across nexttop site as well, but given that it was published over 18 months ago, I’m not sure if it will still work. (from what I hear, Gandi has made some recent changes to the LiveDNS product).

In any case, I’ll give both a try and keep the community posted :slight_smile:

7

Good point.

If I were to do it this way I think I’d try using the DNS IP Sensor component along with an automation that triggers a cURL shell_command with the current IP as a variable. Something like:

curl -D- -X PUT -H "Content-Type: application/json" \
        -H "X-Api-Key: APIKEY" \
        -d "\"rrset_type\": \"A\",
             \"rrset_ttl\": 1200,
             \"rrset_values\": [\"{{ states('sensor.dnsip') }}"]}" \