Hi there. I wanted to seek advice on remote access. I know there are many posts, and I have read them all. However, for all the options there seems to be a plethora of discord, including dire security warnings. Most solutions or add-ons are constrained to some abstract or constrained to HA-specific walled-garden-type implementation.
I basically have one use case currently. I want my mobile device (companion app) to report location for geofencing automation (namely arming my Bosch Alarm - I have the HA Integration installed and working).
Other companion app features are a nice-to-have. Currently when I leave my house I lose connection and the geofence is not properly triggered. I am aware of the below options…
- Cassa/Remote paid - Overkill for me, and I’d rather build something myself.
- Direct port forward - Rather not expose my WAN IP.
- Coming in through Cloudflared tunnel - This is the most viable since I already have one set up.
- Add-ons like NGINX, DuckDNS, Let's Encrypt - These seem specific to HA and I don't really need the features these provide, as I have it covered elsewhere on my network. I must say doco for these hasn't been great. Just some basic YAML config with no real explanation of how they dovetail into a remote setup. I don't think I need yet another NGINX proxy. The Let's Encrypt add-on seems broken. Cloudflare API doesn't validate and there's no HTTP pathway to my HAOS for HTTP validation - at least not permanently.
- SD Networking like ZeroTier as a VPN, or a VPN like WireGuard - This would be good, but the client apps don't turn on automatically very well when you're away from home, or you have to set up a VPN server; plus they use phone battery and are not easy to transparently set up on other family members' phones.
- Connecting directly to the Bosch Cloud API
My real main question here is… How do I best/safely get the companion app working remotely on my existing home web-server setup (see background below)? I can figure out the Cloudflared/firewall/HTTPS side I just need to know where to configure HAOS.
Do I just point at the HAOS IP port 8123? Setting up SSL with a custom IP has been challenging for me in HA as everything is abstracted away. Seems silly having another local NGINX proxy - is it not safe to use the existing HAOS webserver and force TLS? How do you do that?
Background
I host a couple of other websites through a Cloudflare tunnel and a dedicated Proxmox container running a dedicated NGINX reverse proxy on the same CT, and the websites are on separate virtual machines/containers… much like my HAOS.
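As an added illustration (not part of the original post or any reply to it), the two configuration files that have to agree when HAOS is reached through an existing Cloudflare Tunnel: the `http:` block in HAOS's own configuration.yaml, and the cloudflared ingress on the tunnel host. The hostname ha.example.com, the addresses 10.0.0.20 (HAOS) and 10.0.0.5 (the CT running cloudflared and NGINX), and the tunnel UUID placeholders are assumptions for the example.

```yaml
# Added example, not from the original post. Hostnames, IPs and the tunnel
# UUID are assumptions:
#   ha.example.com  public name on the Cloudflare zone
#   10.0.0.20       HAOS VM (HA's built-in web server on 8123)
#   10.0.0.5        Proxmox CT running cloudflared (and the NGINX proxy)

# --- HAOS: configuration.yaml (this is the "where in HAOS" part) ---
http:
  # Without this HA answers proxied requests with 400 and logs that a
  # request from a reverse proxy was received but the integration is not
  # set up for reverse proxies.
  use_x_forwarded_for: true
  # Only the hosts that actually open connections to :8123. Anything listed
  # here is trusted to set the client IP, so never use 0.0.0.0/0.
  trusted_proxies:
    - 10.0.0.5      # cloudflared / NGINX CT
    - 127.0.0.1
    - ::1
  # Ban the forwarded client IP after repeated failed logins.
  ip_ban_enabled: true
  login_attempts_threshold: 5

# --- cloudflared CT: /etc/cloudflared/config.yml ---
tunnel: <tunnel-uuid>
credentials-file: /etc/cloudflared/<tunnel-uuid>.json
ingress:
  # Point the tunnel straight at HA's own web server; no second NGINX
  # needed. The phone's TLS terminates at Cloudflare and the tunnel leg is
  # encrypted, so plain HTTP on the LAN hop is the usual choice here.
  # The companion app's WebSocket connection is passed through as-is.
  - hostname: ha.example.com
    service: http://10.0.0.20:8123
  # Catch-all rule must be last.
  - service: http_status:404
```

If you prefer to keep the existing NGINX in the path (tunnel to NGINX, NGINX to HA), then `trusted_proxies` lists NGINX's address instead, and the NGINX `location` for HA must forward `X-Forwarded-For` and the `Upgrade`/`Connection: upgrade` headers, otherwise the app's WebSocket session fails even though the login page loads. In either layout the companion app is simply given `https://ha.example.com` as its external URL and the LAN address as the internal one.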