My migration to improve Hassio performance and increase security

Background:

It’s been over 2 years since I started to use Home Assistant. As a complete novice, I got my start watching Ben’s BruhAutomation videos on YouTube. Over those 2 years I’ve continued to upgrade HASS every month integrating everything I could as part of my home renovations alongside my brother in law @Zpeed. I now use HassIO and it blows my mind the amount of integrations that are possible with the docker add-on libraries.

Long story short… The Raspberry Pi 3B+ that I upgraded and migrated to months back just doesn’t cut it anymore for the workload and automations that I get Hassio to do. The more and more integrations that I add to Home Assistant it’s turning into something that our household can no longer live without, so when it crashes/loses performance/sd card is full or corrupt there’s a mini-crisis as I frantically try to figure out what’s going wrong. I can see that many others are in the same position and those who’ve migrated onto dedicated servers, they’re very happy once they do. So I’ve decided to migrate the bulk of HassIO’s workload to a Virtual Machine running on my always on Windows Server. As part of this exercise I’m also going to beef up the security aspects of my setup and try to encrypt all services in the house that are exposed to the net.

My Goals:

  1. Set up a new instance of Hassio running as a VM on my Windows Server that will bear the bulk of HASS’s workload
  • The easiest way to do this for me was to use the supported VMDK file and run it using VirtualBox. Hopefully as more users use this approach, more addons will support this setup too.
  2. Keep a lightweight instance of Hassio running on my Raspberry Pi
  • Why? Because I’m finding that the Raspberry Pi HW is very well supported by the HASS community. The Pi’s Bluetooth is well supported and other addons work well with its USB ports and GPIO pins. I can understand why, it’s much easier to help others when they’re running the exact same hardware as you.
  3. Secure as much of the traffic exposed to the internet as possible (i.e. use SSL certificates and stop exposing more and more ports to the internet)

I plan to document my progress for the benefit of other novices here. I’m not sure how I’ll document things and roughly at what pace I’ll go at, however I’m hoping the walk-through guides I write can help others, just like how Ben’s videos got me started. If you’re an absolute beginner, I’d still recommend using a Raspberry Pi because it’s still the most supported solution.

Cheers!!!

Walkthrough:

1. How to get Hassio VMDK running on any computer using Virtualbox

Background: As mentioned above, you do this if you want your Home Assistant to have better performance, however the trade-off is that you’ll probably not get the same level of support as you would if you used a Raspberry Pi.

Steps:

  1. Download VirtualBox for either OSX or Windows and install https://www.virtualbox.org/wiki/Downloads
  2. Download the Hass.IO VMDK file https://www.home-assistant.io/hassio/installation/
  3. Within VirtualBox set up as follows:
  • General > OS "Other Linux (64 bit)"
  • System > I use 2gb of ram and 4 cpus
  • Storage > Controller IDE and point the HDD to be the VMDK file downloaded
  • Network > I use “bridge adapter” rather than the default NAT. This allows your Hassio VM to get its own IP address that is different to the server VirtualBox is running on.
  4. I use Windows so I create a startup shortcut file by doing the following (if you’re using OSX or other, then Google a solution)
  • Right click the start icon at bottom left corner and choose “run”
  • In the Run dialog box enter “shell:startup”
  • This will open up the startup folder where you can right click > new > shortcut
  • Enter the following as the Target for the shortcut: "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" startvm "Hassio VM" --type headless NOTE: “Hassio VM” is the name you’ve given the VM in VirtualBox.

All going well you now have a Hassio instance running on VirtualBox with its own unique IP address that will work in much the same way as a Raspberry Pi’s instance of Hassio.

2. How to resize Hassio VMDK

Background: By default the standard Hassio VMDK file is only 6gb. This is great for beginner usage, however if you’re heavily invested in Hassio already you’ll find that isn’t enough and you’ll want more pretty quickly. For me I resized the VMDK from the get go. The steps I used are below to make a 30gb vmdk.

Steps:
I followed the following guide to resize the VMDK file https://www.upnxtblog.com/index.php/2018/09/03/how-to-resize-a-virtualbox-vmdk-file/amp/ For me I used the below commands in a Windows Command Prompt

  1. path C:\Program Files\Oracle\VirtualBox
  2. vboxmanage clonehd "hassos_ova-1.13.vmdk" "cloned.vdi" --format vdi
  3. VBoxManage modifyhd "cloned.vdi" --resize 30000
  4. VBoxManage clonehd "cloned.vdi" "hassos_ova-1.13-resized.vmdk" --format vmdk
  5. Download GParted per the instructions in the link and boot the VM using GParted as a CD. This will allow you to expand the 6gb vmdk to make full use of the 30gb space you just created with the command line.
  6. Remove GParted from the VMs cd mount and point the VMDK mounted to the newly resized one.

All going well Hassio will boot as before but have the extra space you allocated for it.

3. How to secure services in your smart home using Caddy and DuckDNS

Background: There’s heaps of instructions out there for how to get your Home Assistant secured using SSL and HTTPS. You don’t have to take these steps, however this is what’s worked well for me. If you do follow the steps below this will allow you to secure other services exposed to the internet. This means less port forwarding on your router, as all you’ll need to do is port forward 443 to the Home Assistant IP and from there the Caddy and DuckDNS can securely route to any other services within your internal network.

Steps:
To give credit where credit is due I’ve followed the steps in the following link: https://dew-itwebservices.com.au/setting-home-assistant-up-for-secure-access-over-the-internet/

Rather than re-write the article, I’ll summarise the steps in the article:

  1. Remove any existing SSL configurations if you’re planning to switch to Caddy (steps 1-6 in the article)

  2. Install DuckDNS and Caddy Addons (step 7 Note: you’ll have to add the repository for Caddy). Note: for my own DuckDNS addon config I used the below. Make sure you’ve created all the necessary domains in DuckDNS online.

    {
      "lets_encrypt": {
        "accept_terms": true,
        "certfile": "fullchain.pem",
        "keyfile": "privkey.pem"
      },
      "token": "XXXXX-XXX-XXXX-XXXX-tokenfromduckdns",
      "domains": [
        "DOMAIN1.duckdns.org",
        "DOMAIN2.duckdns.org",
        "DOMAIN3.duckdns.org"
      ],
      "seconds": 300
    }

  3. Configure the Caddyfile and put it in the correct folder using the SMB addon (step 8) Note: Because my ISP blocks port 80 I can’t use sub-domains of the main domain like in the example within the article (this has something to do with how “challenges” are coded into the addons). So instead I create individual domains in DuckDNS like the configuration shown above and use these within the Caddyfile.

  4. Remember to alter the URLs you use in future for your services and you can even use the steps above for getting Google Assistant to work on your Home Assistant (steps 9 and onwards)

To Do:

  • How to set up MQTT so sensors in one HASS instance are visible in another (this is needed so that anything connected to the Raspberry Pi is visible on the VMDK instance)
8 Likes
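A lint for the DuckDNS add-on options from step 2 of the Caddy walkthrough, as an added example that is not part of the original post or of the add-on's code. It flags the copy-paste damage most likely to stop the add-on from requesting a certificate (typographic quotes, unquoted domains, a leftover placeholder token); the function name and both sample strings are constructed for illustration.

```python
import json
import re

CURLY = "\u201c\u201d\u2018\u2019"  # typographic quotes substituted by page rendering
DOMAIN_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.duckdns\.org$")

def lint_duckdns_options(text):
    """Return a list of problems in DuckDNS add-on options JSON ([] means clean)."""
    problems = []
    if any(ch in text for ch in CURLY):
        problems.append("typographic quotes found; retype them as ASCII double quotes")
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"not valid JSON at line {exc.lineno}: {exc.msg}")
        return problems
    if not isinstance(cfg, dict):
        return problems + ["top level must be a JSON object"]
    le = cfg.get("lets_encrypt") or {}
    if le.get("accept_terms") is not True:
        problems.append("lets_encrypt.accept_terms must be true")
    for key in ("certfile", "keyfile"):
        if not le.get(key):
            problems.append(f"lets_encrypt.{key} is missing")
    token = str(cfg.get("token", ""))
    if not token or "XXXX" in token:
        problems.append("token is empty or still the placeholder")
    domains = cfg.get("domains")
    if not isinstance(domains, list) or not domains:
        problems.append("domains must be a non-empty list")
    else:
        for d in domains:
            if not isinstance(d, str) or not DOMAIN_RE.match(d.lower()):
                problems.append(f"domain {d!r} is not a bare <name>.duckdns.org host")
    secs = cfg.get("seconds")
    if not isinstance(secs, int) or isinstance(secs, bool) or secs <= 0:
        problems.append("seconds must be a positive integer")
    return problems

# Constructed samples: a corrected config, and one as it renders with curly quotes.
GOOD = """{
  "lets_encrypt": {"accept_terms": true, "certfile": "fullchain.pem", "keyfile": "privkey.pem"},
  "token": "00000000-0000-0000-0000-000000000000",
  "domains": ["domain1.duckdns.org", "domain2.duckdns.org"],
  "seconds": 300
}"""
RENDERED = "{\u201ctoken\u201d: \u201cXXXXX\u201d, \u201cdomains\u201d: [DOMAIN1.duckdns.org\u201d]}"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("rendered", RENDERED)):
        print(label, lint_duckdns_options(sample))
```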

Sorry for the delay between my initial post and now. I started a new job 2 weeks ago and it’s been pretty full on. Anyway I’ve found some time to document the first steps on my migration journey and you’ll see that in the “walkthrough” section of the top post. Expand the steps you want to read. I’ll continue to update the topmost post accordingly.

If you have any feedback or questions on the steps I’ve written so far, I can’t promise to respond straight away but I will eventually respond or update my steps to suit.

Cheers!

1 Like

Ok I’ve added steps on how to secure your services using Caddy and DuckDNS. If you’re having issues following any of the steps please let me know and I can clean up the instructions if needed.

Whenever I start the addon I get this error:

open /share/caddy/Caddyfile: no such file or directory

I did create the directory and file in /share/caddy/caddyfile (noextension)
I am on 91.4

Did you put a capital C on the file ‘Caddyfile’?

Are these all sensors? I.e. read-only? You don’t need to take action from the main instance to the pi instance?

If so this is easy to accomplish with state stream.

On the remote instance set up MQTT (easy with the integration) to connect to your broker.

Then set the statestream component up to push all your states to the broker. Exclude everything you don’t need to lighten the load on your broker.

https://github.com/SilvrrGIT/HomeAssistant-Remote/blob/master/configuration.yaml#L35

Then create MQTT sensors to pick them up from the broker.

https://github.com/SilvrrGIT/HomeAssistant/blob/master/sensors/remotepi.yaml

I’ve had this running for a month or so and it’s been solid. Thinking of moving my Zwave to the pi as it’s centrally located and then zwave is always up.

Hope that helps.

1 Like

Hi Sebastian,
I’ve only just found this thread and hope it is going to be very useful…
I share your concern about the RPi, great though it is! I’m on my second one…
I’m in the process of migrating HA to an old PC that I bought online and installed Ubuntu server 18.04 and Docker on. Presently I have both instances up and running whilst I compare the two.
So far so good but have encountered a few issues. The performance of the new box is obviously much better!
I just wanted to encourage you to keep going with the documentation of this project as I am sure that there are many of us who would much appreciate it!
Cheers
John

Thanks for the positive feedback. If you’re migrating Home Assistant I find this addon incredible https://github.com/sabeechen/hassio-google-drive-backup

Basically it takes all your configuration, makes a backup and you can easily transport everything onto the new device. You’ll have to make new IP address alterations as needed.

Thanks Sebastian, I’ll look into that. I just used a HA snapshot and that seemed to work for the most part.
Cheers
John