Hi everyone!
I finally convinced myself to get into smart home & automation. HomeAssist was my choice for managing everything together. But I actually don’t just want to automate everything, but also learn along the way.
Therefore I researched a lot beforehand and decided to set up HA containerized with Docker (also to learn Docker better). I created a setup that works, but is not yet complete. In the past days I spent more than just a few hours configuring, testing, setting up, reverting my setup, reading through numerous questions in this forum and blog posts, or chatting with ChatGPT.
One big aspect was security. So I actually tried to get really deep into this, but at this point, I’m not really sure if it’s way too overthought or not. That’s why I wanted to share my current setup up to this point and ask you to help me evaluate it.
Hardware:
As for my hardware, I’m using a Raspberry Pi 5 and a Zigbee Sonoff 3.0 Dongle. I decided to use a Raspberry just because it fulfilled my needs. I know a lot of people would say using a mini-PC with an Intel chip would be better - and maybe it is, but since I just wanted to get started with everything, this was a perfect choice for me.
Software:
I installed Raspberry OS 64bit (debian 12 - bookworm). On my raspberry I installed docker-engine as described in the docker documentation.
The containers I currently have installed are:
- portainer - for easier access to docker
- homeassist - obviously
- eclipse-mosquitto - mqtt broker for zigbee2mqtt
- zigbee2mqtt
- nginx - reverse proxy for ssl termination + single entry point
- hass-configurator - file editor for ha configuration
I use docker compose to create the containers and networks/volumes.
Network:
When I started, I began to ask myself how to secure everything in my local network. My Raspberry is configured to be accessible through home.local inside my network. Incoming traffic should be blocked by my router and since for now I don’t bother to use homeassist from the outside world, that should be enough. Even so, I installed ufw and blocked all traffic that is not necessary, allowing only my laptop to access the Raspberry on the configured ports to open the web UIs.
I then started to think about how to secure my web UIs, like homeassist or zigbee2mqtt, with an SSL certificate. In order to have a single entry point to my docker containers, I wanted to use something like an nginx reverse proxy which also performs SSL termination.
Therefore I created my own CA-Authority, installed it into my keychains and created an SSL certificate for my Raspberry server (though currently not working, because I probably messed something up in the process).
I created a custom docker network bridge to let my containers communicate with each other and disabled network_mode: ‘host’ on my homeassist container. Because autodiscovery didn’t work anymore at this point, I installed avahi-daemon to broadcast the devices from my eth0 to the docker bridge I created. That worked fine, even if the rebroadcasting is a bit slower.
I blocked all ports on my docker containers, created a custom nginx-configuration for each ui that should communicate and installed (the currently not working) ssl certificates to enable ssl termination and secure it when accessing the services.
As of now, this setup works as expected, when getting the certificates right.
Backup:
As of now I have not thought about backing up anything, but after setting everything up so I can start, I probably want to integrate a service like Restic.
Questions and thoughts:
As I researched quite a bit and set up my containers and configuration, I started to wonder if I’m maybe overcomplicating things. I’ll try to be as short and descriptive as possible:
- Using SSL and https all over
  I know I’m in my local network. So accessing everything over https is maybe a bit overkill. The variant of using a reverse proxy for SSL termination is unnecessary but I wanted to route incoming traffic through just one place (for better logging and debugging). But should I really go the way of creating a custom CA-Authority and custom SSL certificates for my servers? Or should I just go with http? Thinking of that, are those really the only entry points a person could potentially enter the system then (not talking about ssh, but more on attacks)?
- Isolating my containers
  As said, I isolated my containers with a custom network bridge. Thinking of that, HA can still configure devices in my network or my zigbee coordinator can still add new zigbee devices. Wouldn’t this be a point of attack too? Don’t I just remove my isolation and enable other devices to still access my containers when being compromised? I know this would still be the case when just using haos or just with network_mode: ‘host’ in my container, but I just wondered.
- Using a firewall
  Is this overkill too? Since only I am in the local network, as well as my devices, this shouldn’t be a problem at all? All my guests are in another network, not even allowing them on my local network. Or is it maybe just good practice?
Considering those questions, I am actually thinking about “thinking too much” about everything. Later on I want to use wireguard to set up a VPN, so I can access HA from outside, but with a secure connection, instead of exposing the server to the outside world via port forwarding or so. But this is a post process I want to think about.
I tried to be as clear as I could and not forget anything.
I really would appreciate your thoughts on my setup and maybe getting a few of my questions answered, or my setup corrected or discussed, to make it more robust.
At this point I’m really “hyped” to try out more things, but I don’t want to leverage security.
Thanks in advance.