Simplistic configuration UI

danielperna84 · June 30, 2018, 9:24am

I think you post may have ended up in the wrong thread.

akkaria · June 30, 2018, 4:20pm

Ahhh yes, too many tabs open lol my bad.

danielperna84 · July 12, 2018, 11:36pm

A new version has been released just now: 0.3.0 (hassio and Docker following)

The changelog:

Allow passing settings via environment variables
Added basic git stash functionality
Added NOTIFY_SERVICE option
Notifying if used passwords are insecure and if SESAME has been used
CREDENTIALS setting replaced by USERNAME and PASSWORD
PASSWORD can optionally be provided as SHA256 hash
Added SESAME_TOTP_SECRET for TOTP based IP whitelisting
Added git diff functionality
Red colored menu button as indicator for outdated version
The GIT setting can now also be set with static settings file or environment variable
LISTENPORT has been renamed to PORT (LISTENPORT still works though)
Hiding git menu when git is disabled
Removed right dragging area for editor settings
Added IGNORE_SSL option to disable SSL verification when connecting to HASS API

Let me elaborate on some of the new features:

Git related:

Use the git stash feature to discard all changes that haven’t been commited yet
Use the git diff feature so see what has changed inside a file that has been previously commited and has been modified since then.

Security related:

What was the CREDENTIALS option until now is separated into USERNAME and PASSWORD (it’s backwards compatible, so you’re still safe while you haven’t changed your settings file)
Instead of setting your PASSWORD in plaintext you can write it in the form of {sha256}abcdef..., where abcdef is a SHA256-hashed version of your password. You can do this here for example. The benefit of this is, that your plaintext password is not stored on your disk anymore. Important: this does not appliy to the HASS_API_PASSWORD because here we really need the plaintext password to successfully connect.
If you’re using the SESAME option, you now have an alternative that’s more secure: Time based OTP (the pyotp module has to be installed for this). If you set the SESAME_TOTP_SECRET to a valid Base32 encoded string and also add that to your Google Authenticator or similar, the SESAME changes ever 30 seconds to a new one. Your old SESAME (if provided) will keep working in case you are using it in the panel_iframe link.
Somwhat security related is the fact, that you can now pass your options via environment variables instead of the conf-file used until now. This way you don’t have to write your HASS_API_PASSWORD into a file. Of course a process with sufficient rights is able to view the environment variables of any process on the system. But that process would probably also have access to the file where the password is stored. If you’re using systemd, you can have a look at this template on how environment variables can be used. Yes, the HASS_API_PASSWORD would be visible in there too. But you can secure that file by not allowing unprivileged users to access the service file.
The NOTIFY_SERVICE allows you to specify a notification service of HASS which will be used to push notifications to you. The default is to create persistent notifications in HASS. Scenarios where notifications are pushed: Weak HASS_API_PASSWORD, weak PASSWORD (in case it’s provided in plaintext), weak SESAME, SESAME usage (with IP that has been whitelisted).

Other stuff

The LISTENPORT setting has changed to just PORT. The old variant keeps working too, but PORT looks much nicer.
The IGNORE_SSL option allows you to set the HASS_API to your internal IP address instead of the full hostname (when using SSL). This is because otherwise connecting to the API wouldn’t pass the SSL verification check. The worst case would be, that the configurators request path would go outside to the internet and back into your network. By using the internal IP you dodge this behavior.

Everything else is either minor, cosmetic or self explanationary.

I hope you like the new features I have come up with. And even though the notifications about weak passwords could be annoying, they are relevant. Be secure!

danielperna84 · July 15, 2018, 10:04pm

A small update:
There was a bug related to the SESAME / SESAME_TOTP_SECRET feature.
I now have released 0.3.1 which fixes this.

Changelog:

Fix SESAME / SESAME_TOTP_SECRET bug
Added client IP to network status modal
Allow setting logging level with environment variable HC_LOGLEVEL

I’m working on the hassio update now that this is fixed.

DavidFW1960 · July 22, 2018, 2:53am

I am seeing 0.4 as the latest version in Hassio… I think there is an update I should be seeing?

danielperna84 · July 22, 2018, 9:20am

There is. But it always takes a while to get published in the official add-on store. That’s why I have revived my own add-on repository (to which you also have responded here). When using my repository instead of the official one, you’ll get the latest version sooner.

DavidFW1960 · July 22, 2018, 9:24am

I saw that but I’m unsure how to use that? Do I need to add a repo as a new store?

NVM - I see I need to add the repo in the first post of that other thread…

elRadix · July 22, 2018, 11:43am

can you also update the docker images?

thank you.

danielperna84 · July 22, 2018, 1:29pm

The Docker images or not built by me. This is the repo for Docker.

danielperna84 · August 1, 2018, 1:36pm

The Docker image has been updated now.

danielperna84 · August 8, 2018, 10:53pm

0.3.2 (standalone) has been released. Hassio version too. My latest repository has been updated as well.
This release mainly focuses on fixes for the hassio add-on.

Changelog:

Allow PASSWORD to be numeric (Issue #108)
Sanity check for ALLOWED_NETWORKS, BANNED_IPS and IGNORE_PATTERN
Reading files as UTF-8

DavidFW1960 · August 8, 2018, 10:59pm

Thanks Daniel - loading from your Repo now. Thanks for this great addon

danielperna84 · August 8, 2018, 11:01pm

Once your done, could you please have a look and confirm if this issue exists for you as well?

DavidFW1960 · August 8, 2018, 11:33pm

Yeah it does. Posted a log there for you.

danielperna84 · August 10, 2018, 9:44pm

The hassio version has been update now as well. The error mentioned here was related to the hassio supervisor, not the configurator. So with the latest supervisor version everybody should be fine.

Ciquattro · August 12, 2018, 5:33pm

anyone can help me to understand how I can configure sesame_totp_secret… cause I didn’t understand very well how to do it.

If I set my sesame_totp_secret: mypassword … then in the google authenticator I have to set the mypassword and the authenticator will generate OTP code based on this password?

thanks

danielperna84 · August 12, 2018, 6:53pm

Yep, that’s how it’s supposed to work. The trickiest part probably is creating the secret. The used library has a function to do this mentioned here.
But don’t confuse this with the password you need to login. The sesame generally is a string you can append to the URL of your configurator, which, when present, whitelists the IP you are accessing from. So it’s a more secure alternative to the regulare sesame option. You will still need to properly login when using it successfully.

rich710 · October 2, 2018, 11:09am

After som struggling with ssl and https I finally got Configurator to work again, but now I cant get the “entities” to show up to the left.
Not the biggest problem, but if there is some simple way to tell me what I’m missing I would be glad.
Excellent editor anyway

danielperna84 · October 2, 2018, 3:05pm

This usually happens if the configurator is unable to connect to Home Assistant. If you’re on a newer version, then make sure the legacy API password is enabled. The configurator does not yet support the new auth system introduced with later HASS versions.

DavidFW1960 · October 2, 2018, 11:20pm

Hey Daniel - I don’t have legacy_api anymore and entities and configurator work fine on my Hass.io