Simplistic configuration UI

I think your post may have ended up in the wrong thread. :wink:

Ahhh yes, too many tabs open lol my bad.

A new version has been released just now: 0.3.0 (hassio and Docker following)

The changelog:

  • Allow passing settings via environment variables
  • Added basic git stash functionality
  • Added NOTIFY_SERVICE option
  • Notifying if used passwords are insecure and if SESAME has been used
  • CREDENTIALS setting replaced by USERNAME and PASSWORD
  • PASSWORD can optionally be provided as SHA256 hash
  • Added SESAME_TOTP_SECRET for TOTP based IP whitelisting
  • Added git diff functionality
  • Red colored menu button as indicator for outdated version
  • The GIT setting can now also be set with static settings file or environment variable
  • LISTENPORT has been renamed to PORT (LISTENPORT still works though)
  • Hiding git menu when git is disabled
  • Removed right dragging area for editor settings
  • Added IGNORE_SSL option to disable SSL verification when connecting to HASS API

Let me elaborate on some of the new features:

Git related:

  • Use the git stash feature to discard all changes that haven’t been committed yet
  • Use the git diff feature to see what has changed inside a file that has been previously committed and has been modified since then.

Security related:

  • What was the CREDENTIALS option until now is separated into USERNAME and PASSWORD (it’s backwards compatible, so you’re still safe while you haven’t changed your settings file)
  • Instead of setting your PASSWORD in plaintext you can write it in the form of {sha256}abcdef..., where abcdef is a SHA256-hashed version of your password. You can do this here for example. The benefit of this is that your plaintext password is not stored on your disk anymore. Important: this does not apply to the HASS_API_PASSWORD because here we really need the plaintext password to successfully connect.
  • If you’re using the SESAME option, you now have an alternative that’s more secure: Time based OTP (the pyotp module has to be installed for this). If you set the SESAME_TOTP_SECRET to a valid Base32 encoded string and also add that to your Google Authenticator or similar, the SESAME changes every 30 seconds to a new one. Your old SESAME (if provided) will keep working in case you are using it in the panel_iframe link.
  • Somewhat security related is the fact that you can now pass your options via environment variables instead of the conf-file used until now. This way you don’t have to write your HASS_API_PASSWORD into a file. Of course a process with sufficient rights is able to view the environment variables of any process on the system. But that process would probably also have access to the file where the password is stored. If you’re using systemd, you can have a look at this template on how environment variables can be used. Yes, the HASS_API_PASSWORD would be visible in there too. But you can secure that file by not allowing unprivileged users to access the service file.
  • The NOTIFY_SERVICE allows you to specify a notification service of HASS which will be used to push notifications to you. The default is to create persistent notifications in HASS. Scenarios where notifications are pushed: Weak HASS_API_PASSWORD, weak PASSWORD (in case it’s provided in plaintext), weak SESAME, SESAME usage (with IP that has been whitelisted).

Other stuff

  • The LISTENPORT setting has changed to just PORT. The old variant keeps working too, but PORT looks much nicer.
  • The IGNORE_SSL option allows you to set the HASS_API to your internal IP address instead of the full hostname (when using SSL). This is because otherwise connecting to the API wouldn’t pass the SSL verification check. The worst case would be that the configurator’s request path would go outside to the internet and back into your network. By using the internal IP you dodge this behavior.

Everything else is either minor, cosmetic or self explanatory.

I hope you like the new features I have come up with. And even though the notifications about weak passwords could be annoying, they are relevant. Be secure! :slight_smile:
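To illustrate the PASSWORD formats described in the release notes above, here is an added example (not the configurator's own code): it produces the `{sha256}...` form and verifies a login attempt against either form. The function names are mine; the `{sha256}` prefix convention is the one the post describes, and the string coercion reflects the later note that PASSWORD may be numeric.

```python
import hashlib
import hmac
from typing import Union

SHA256_PREFIX = "{sha256}"  # prefix convention from the configurator's PASSWORD setting


def hash_password(plaintext: str) -> str:
    """Return the {sha256}<hex digest> form so the plaintext need not be stored on disk."""
    digest = hashlib.sha256(plaintext.encode("utf-8")).hexdigest()
    return SHA256_PREFIX + digest


def verify_password(setting: Union[str, int], attempt: str) -> bool:
    """Check a login attempt against a PASSWORD setting given either as plaintext
    or as {sha256}<hex digest>. Comparisons are constant-time to avoid leaking
    how many characters matched."""
    setting = str(setting)  # a purely numeric PASSWORD may arrive as an int
    if setting.startswith(SHA256_PREFIX):
        stored_hex = setting[len(SHA256_PREFIX):].lower()  # tolerate upper-case hex
        attempt_hex = hashlib.sha256(attempt.encode("utf-8")).hexdigest()
        return hmac.compare_digest(stored_hex, attempt_hex)
    return hmac.compare_digest(setting, attempt)


def is_stored_hashed(setting: Union[str, int]) -> bool:
    """True when the setting no longer contains the plaintext password."""
    return str(setting).startswith(SHA256_PREFIX)


if __name__ == "__main__":
    # Constructed sample: what a user would paste into the settings file.
    stored = hash_password("example-passphrase")
    print(stored)
    print(verify_password(stored, "example-passphrase"))  # True
    print(verify_password(stored, "wrong"))                # False
```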


A small update:
There was a bug related to the SESAME / SESAME_TOTP_SECRET feature.
I now have released 0.3.1 which fixes this.

Changelog:

  • Fix SESAME / SESAME_TOTP_SECRET bug
  • Added client IP to network status modal
  • Allow setting logging level with environment variable HC_LOGLEVEL

I’m working on the hassio update now that this is fixed.


I am seeing 0.4 as the latest version in Hassio… I think there is an update I should be seeing?

There is. But it always takes a while to get published in the official add-on store. That’s why I have revived my own add-on repository (to which you also have responded here). When using my repository instead of the official one, you’ll get the latest version sooner.

I saw that but I’m unsure how to use that? Do I need to add a repo as a new store?

NVM - I see I need to add the repo in the first post of that other thread…

can you also update the docker images?

thank you.

The Docker images are not built by me. This is the repo for Docker.

The Docker image has been updated now. :+1:

0.3.2 (standalone) has been released. Hassio version too. My latest repository has been updated as well.
This release mainly focuses on fixes for the hassio add-on.

Changelog:

  • Allow PASSWORD to be numeric (Issue #108)
  • Sanity check for ALLOWED_NETWORKS, BANNED_IPS and IGNORE_PATTERN
  • Reading files as UTF-8

Thanks Daniel - loading from your Repo now. Thanks for this great addon


Once you’re done, could you please have a look and confirm if this issue exists for you as well?

Yeah it does. Posted a log there for you.

The hassio version has been updated now as well. The error mentioned here was related to the hassio supervisor, not the configurator. So with the latest supervisor version everybody should be fine. :slight_smile:


Can anyone help me to understand how I can configure sesame_totp_secret… because I didn’t understand very well how to do it.

If I set my sesame_totp_secret: mypassword … then in the google authenticator I have to set the mypassword and the authenticator will generate OTP code based on this password?

thanks

Yep, that’s how it’s supposed to work. The trickiest part probably is creating the secret. The used library has a function to do this mentioned here.
But don’t confuse this with the password you need to login. The sesame generally is a string you can append to the URL of your configurator, which, when present, whitelists the IP you are accessing from. So it’s a more secure alternative to the regular sesame option. You will still need to properly login when using it successfully.
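As an added example that is not part of this thread or the configurator's code, covering the SESAME_TOTP_SECRET feature from the release notes above and the question just answered: it generates a Base32 secret of the kind the setting expects, computes the same RFC 6238 code an authenticator app would show for that secret, and checks a presented sesame against it with a small tolerance for clock drift. The function names are mine, and the stdlib HMAC implementation here stands in for the pyotp module the configurator actually uses.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # the post says the sesame changes every 30 seconds
DIGITS = 6         # authenticator-app default


def generate_totp_secret(nbytes: int = 20) -> str:
    """Random Base32 secret suitable for SESAME_TOTP_SECRET and for the authenticator app."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp_at(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30 s step, 6 digits) for the given Unix time."""
    # Re-add any padding the user may have trimmed from the Base32 string.
    padded = secret_b32.strip().upper() + "=" * (-len(secret_b32.strip()) % 8)
    key = base64.b32decode(padded)                      # raises on invalid Base32
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** DIGITS)).zfill(DIGITS)


def sesame_matches(secret_b32: str, presented: str, now: Optional[int] = None,
                   window: int = 1) -> bool:
    """Accept the code for the current step plus `window` neighbouring steps.
    Only an exact 6-digit code is accepted; comparison is constant-time."""
    now = int(time.time()) if now is None else now
    if len(presented) != DIGITS or not presented.isdigit():
        return False
    return any(hmac.compare_digest(totp_at(secret_b32, now + k * STEP_SECONDS), presented)
               for k in range(-window, window + 1))


if __name__ == "__main__":
    secret = generate_totp_secret()        # constructed sample secret
    print("SESAME_TOTP_SECRET =", secret)
    print("current sesame    =", totp_at(secret, int(time.time())))
```

Append the current code to the configurator URL exactly where you would put the static SESAME; once it has whitelisted your IP you still log in with USERNAME and PASSWORD as before.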

After some struggling with ssl and https I finally got Configurator to work again, but now I can’t get the “entities” to show up to the left.
Not the biggest problem, but if there is some simple way to tell me what I’m missing I would be glad.
Excellent editor anyway :slight_smile:

This usually happens if the configurator is unable to connect to Home Assistant. If you’re on a newer version, then make sure the legacy API password is enabled. The configurator does not yet support the new auth system introduced with later HASS versions.

Hey Daniel - I don’t have legacy_api anymore and entities and configurator work fine on my Hass.io