I’ve finally got my first installation up and running, and I thought I’d share some of the things I learned along the way.
To set the stage, here’s a high-level view of the environment:
I use a Mac mini running macOS as a headless server, with VMware Fusion as a hypervisor. I first started out with Home Assistant running in its own Ubuntu Server VM, but then decided to give the Docker image a try instead. I initially tried to use Docker for Mac, but I wouldn’t recommend it for two reasons:
- There was a networking-related memory leak that slowed the entire server to a crawl, and
- The networking in Docker for Mac is weird, with the net result being that mDNS traffic cannot reach the containers. This breaks Homekit / Siri integration, which is an important feature of the Apple ecosystem. (In my setup I use an automation in Apple’s Home app which is triggered by iCloud location tracking.)
So, I finally settled on using a VM running Container Linux to host the container. I liked this setup enough that I ended up moving my Pi-Hole DNS sinkhole from an Ubuntu VM to a container as well, and I might do the same with my Splunk service in the future (it’s currently running directly in macOS).
Like hosting, networking in my LAN is somewhat complex. I run a Sophos UTM as a border security device, which runs as a VM appliance on VMware Fusion. The Mac mini has two network adapters, WAN and LAN, with the WAN side only accessible to the UTM. Here’s how I configured both local and remote networking:
- The Container Linux VM is bridged to the Mac’s LAN interface, so it gets its own IP address on the LAN.
- The containers run in
net=hostmode, so they have direct access to the VM’s network stack and their services are available at the VM’s IP.
- In order to allow me to access the service locally without any browser warnings about the SSL connection, I added a static DNS entry to the Pi-Hole so that my public domain name is resolved locally to the IP of the Container Linux VM.
- I whitelisted my LAN IP range in the HTTP component to bypass the password prompt.
WAN / Remote Access
- Since the Sophos does not support acting as a reverse proxy for WebSocket connections, unfortunately I was unable to use its web application firewall (WAF) and SSL offloading capabilities.
- In order to enable remote access, I forwarded ports 443 and 8123 from the WAN to port 8123 on the Container Linux VM, and configured the HTTP component to use my public SSL certificate.
- To minimize alerts about failed login attempts, I enabled country blocking on the Sophos, only allowing inbound connections from my home and native land .
Platforms / Components
Most things were pretty smooth to set up, but there were a couple hiccups:
HomeKit / Siri
As I mentioned, Docker for Mac broke HomeKit integration, so it’s a non-starter if you want to use this.
Before I sorted out remote access I wasn’t able to use the Cloud component fully, which sent me down the long and winding path of the Alexa component instead. Even with some AWS experience under my belt, this was a bit of a complicated endeavour, though I did get it working. I hope to contribute to updating the documentation to help others who may end up in the same boat.
There were also a few things that I loved:
This is pure genius, and is probably my favourite component. God bless the internet.
Template and Input Components
These are also genius, and let me easily fill a couple gaps and implement simple logic in my system.
As a longtime user of OpenHAB, my changeover to Home Assistant has been a revelation. Thanks to everyone who has made this project a success, and I hope that I am able to contribute as it continues to move forward.