When I was using a RPi I would make an SD card image periodically after any major configuration (yaml) file changes and before every upgrade to the next version of HA. That way if something went wrong it was easy enough to just re-burn the image back to the SD card and I’m off and running with a known good install.
I have to say that’s the one thing I miss about moving away from the RPi to a NUC. But using docker at least mitigates some of the risk.
As far as restarting HA after a config change, it depends on what the change is made to. If it’s a change to automations, scripts or groups then there is a section in the configuration menu to allow you to reload those without doing a complete HA restart. There is a “reload core” option but I’ve never seen an explanation of what that does so I don’t use it. For pretty much any other change you need to restart the HA service (but not reboot the RPi) as @gpbenton stated above. And as another note, there is a “restart” option under server management that is supposed to restart the HA service but I personally have never had it work for me. Others have reported success with it though.
There are other ways to accomplish the restart through automations though or, as previously stated, through the terminal.
There is an automations editor in the config section along with some other various vaguely explained functions for customizations, but I never use them. If something doesn’t work correctly and I need to go and manually try to edit an automation, I find the layout of the yaml syntax as created by the editor challenging to read. But the functionality to edit the majority of the configuration can’t be done through the frontend. It needs to be done in a decent code editor. I use Notepad++ on my Windows PC.
Thanks a lot, you guys, for your explanations, I think I get the idea!
Because I was doing some testing yesterday, I found my best way to edit and restart is by using the RasPi VNC viewer access, open several console tabs and use every tab for a dedicated task.
For example, using one tab in the virtual mode homeassistant user, using midnight commander (sudo apt install mc) to edit and switch to command mode by pressing Ctrl+O, and a second tab as root user to restart the Home Assistant service (systemctl restart [email protected]). I use mc a lot in Linux so I’m familiar with it.
Backing up the RasPi’s complete SD is what I already did, so that is definitely something I will do from time to time. On a more daily basis I was thinking of enabling SMB on the RasPi and letting my Synology NAS do the automatic backup or cloud station syncing.
BTW @finity thank you for your suggestion to test MQTT, that is working! (yeaaaaah!!)
Later on I discovered there was also an extra button which was added when MQTT was activated:
Nice! Here I can send topic messages very easily!
The only thing that was a bit of trouble was to get the Home Assistant MQTT user/password registered in the MQTT broker. Probably I used a character in the password the MQTT broker didn’t like or HA didn’t send it right. I couldn’t find the exact reason, but it is working, so what the #hack…
I found some documents on how to get a device working, so that will be the next step. After that I will try to get my Zwave USB dongle to talk to me…
I’m using HA now for two days and I’m getting more and more enthusiastic!
Once again, thank you guys!! Your contributions are highly appreciated!
I managed to back up my .homeassistant directory automatically via my Synology NAS using the Active Backup for Server package (rsync shell mode via SSH).
Restoring is not possible (yet) because I have to use the user pi to backup. Does anyone know how to make a SSL connection available for the virtual environment homeassistant user?
I have an MQTT topic where my Home state is published (Home/Watched/Away/Vacation). I want to see this somehow in HA, so I need a HA entity where these four states are presented. Does anyone know how to get that working?
Does this have to be configured as device or sensor?
Pull is already done, because all the homeassistant files are set to read for everyone. So backing up the files from the RasPi to my Synology NAS is working alright. To ‘restore’ (push) files from my Synology NAS to homeassistant I need _homeassistant_user privileges. In short, I need an SSL homeassistant account I can connect to.
Because I used the ‘old’ way to install Home Assistant (not hass.io), HA is installed in a py virtual environment with its own user (homeassistant) and own group (homeassistant). If I log in with the Raspberry Pi standard user (pi) I can read the files but I cannot write files used by homeassistant due to (Linux) file rights.
So it would be nice if I could add the user homeassistant to the ssh users or install ssh capabilities to the HA virtual py environment.
So the ssh command I should be using is: ssh <RASPI_IP> -l homeassistant
instead of ssh <RASPI_IP> -l pi
What I understand is that the reason Home Assistant uses this approach is to isolate HA from the rest of the RasPi to restrict security risks and impact on each other. If I give the user pi full permissions, will this be weakened?
If anyone can log on to your pi as pi user, they will be able to do this command anyway, so I don’t see that security would be compromised.
But it would make it easier to delete things accidentally, which I think is why I would avoid it. I like to think I am reasonably safe as Pi user, providing I don’t use sudo.
Allowing remote login directly to homeassistant user is probably a bigger security risk. I think it would be safer to copy the files to the pi user and then copy them again from the pi user account as homeassistant user.
Restoring backups shouldn’t happen that often so it doesn’t have to be that convenient, and it would prevent something accidentally overwriting the current configuration with a backup.
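One way to implement the two-step restore described above, as an added shell script that is not from this thread or from Home Assistant itself: stage one copies the backup into a directory the pi user owns, stage two copies it into the live config as the homeassistant user, after keeping a dated copy of what was there. It assumes the backup tree, staging directory and live config directory are passed as arguments, and that HA_RUNAS (defaulting to `sudo -u homeassistant`) is how stage two drops to the homeassistant user.

```shell
#!/bin/sh
# Two-stage restore: pi user stages the backup, homeassistant user installs it.
# Assumed layout (not from the thread): $1 backup tree, $2 staging dir,
# $3 live config dir (e.g. /home/homeassistant/.homeassistant).
set -eu

# Command prefix used for stage two; set HA_RUNAS="" to run as the current user.
HA_RUNAS="${HA_RUNAS-sudo -u homeassistant}"

# Stage 1: copy the backup into a directory the pi user owns (no sudo involved).
stage_backup() {
    src="$1"; stage="$2"
    [ -n "$stage" ] && [ -d "$src" ] || { echo "bad backup or stage dir" >&2; return 1; }
    rm -rf "$stage" && mkdir -p "$stage"
    cp -a "$src"/. "$stage"/
}

# Stage 2: install the staged files as the homeassistant user, keeping a
# timestamped copy of the current config so a bad restore can be undone.
install_staged() {
    stage="$1"; dest="$2"
    [ -f "$stage/configuration.yaml" ] || { echo "no configuration.yaml staged" >&2; return 1; }
    if [ -d "$dest" ]; then
        $HA_RUNAS cp -a "$dest" "$dest.pre-restore.$(date +%Y%m%d%H%M%S)"
    fi
    $HA_RUNAS mkdir -p "$dest"
    $HA_RUNAS cp -a "$stage"/. "$dest"/
}

# Returns 1 if any secrets.yaml under $1 is world-readable after the copy.
check_secrets_mode() {
    bad=$(find "$1" -name secrets.yaml -perm -o+r 2>/dev/null | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ]
}

# Full flow: stage, install, then verify secrets did not end up world-readable.
staged_restore() {
    stage_backup "$1" "$2" && install_staged "$2" "$3" && check_secrets_mode "$3"
}
```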
I honestly don’t see how it could affect any security of the rest of the system.
It was the only way I could figure out to be able to modify my config files that were owned by homeassistant when I switched from hassbian to my debian installed on a NUC (before I went to using docker - so much easier now!). I’ve never had any issues doing it that way.
If you think about it you (the physical you) are the pi user and the homeassistant user. So either way you are the one making changes and it won’t make any difference to the end result which user you actually log in to. If you’re going to break it you’ll do it with either user. Make it easy on yourself and just give your pi user write access to skip the middle you. Do you see what I’m saying?
Because I’m very stubborn I tried another approach. As pi sudo user, I added a password to the homeassistant user.
This way I can log in with ssh as the homeassistant user and am able to make a (complete) backup of the complete /home/homeassistant directory with my Synology NAS Backup for Server package (rsync shell mode via SSH) and restore (individual) files/directories if I want to.
The homeassistant user is not a member of the sudo group, so it cannot perform any root operations. Of course I can view/edit files or directories when files/directories are set to view-to-all permissions system wide on the Raspberry Pi.
This will meet my wishes at the moment. FYI, my Raspberry Pi is not accessible from the internet and is not going to be accessible in the future from the internet (I use a VPN to access my local LAN).
I can’t see any obvious drawback. If it works for you then it works. Since YOU are the pi user and YOU are the homeassistant user I fail to see any distinction between those two YOU’s.
And using a VPN is a definite positive. I eventually stumbled my way to using one after many realizations on the potential security issues in using the “recommended/normally accepted” practices of the majority of users here. I even put in a request to update the docs to recommend using a VPN as a minimum practice if you are going to be opening the complete control of your house to the internet. I’m no expert so it took me almost a year and several “I got hacked!” threads to realize that what most new users (including me at the time) are doing is tantamount to having the keys to their front doors protected by a password.
I try to think from a security point of view first. That’s why I have taken several security measures:
All home automation/IoT devices are separated from my other LAN devices, using VLAN
Blocked all access to and from the internet by insecure devices, like IP-cams or IoT devices. If not blocked it is monitored (for example by the use of Pi-Hole)
If possible, all communication (even on my LAN) is encrypted (with self-signed certificates)
All services use different user/password verification, like HA, Node-RED, MQTT etc.
Enabled IPS (Intrusion Prevention System) on my network and extensive logging
No cloud (except Telegram) or port forwarding (except OpenVPN) is used. Connection to my devices from the internet to LAN is done by OpenVPN
Update, update and update (did I mention update?) as good as possible.
Even if devices are compromised, try retaining (by setup) as much as possible. Try to learn from best practices and check security resources, like shodan, exploits database, forums (like this one) and, in my case, security.nl.
My cams are on vlans, and I use an asus router with built in openvpn support. So no open ports, I only use openvpn to get into my home network.
I wrote this a while ago, and recently updated it because Asus added some stuff: Asus openvpn guide
Cams are pretty notorious for backdoors, so my cams are all on a vlan.
Lately I was wondering if it was worth it to add nginx or something like that to make HA more secure, but not sure how to do it without opening a port, and I’ve gone to a fair amount of effort to not have any open ports.
Thanks for the tip
There were some exploits for older firmware on asus routers, but didn’t see anything I need to worry about, I just checked and I’m running their latest firmware.