Sophos, Mac mini, and Docker (oh my!)

I’ve finally got my first installation up and running, and I thought I’d share some of the things I learned along the way.

To set the stage, here’s a high-level view of the environment:

Hosting

I use a Mac mini running macOS as a headless server, with VMware Fusion as a hypervisor. I first started out with Home Assistant running in its own Ubuntu Server VM, but then decided to give the Docker image a try instead. I initially tried to use Docker for Mac, but I wouldn’t recommend it for two reasons:

  • There was a networking-related memory leak that slowed the entire server to a crawl, and
  • The networking in Docker for Mac is weird, with the net result being that mDNS traffic cannot reach the containers. This breaks Homekit / Siri integration, which is an important feature of the Apple ecosystem. (In my setup I use an automation in Apple’s Home app which is triggered by iCloud location tracking.)

So, I finally settled on using a VM running Container Linux to host the container. I liked this setup enough that I ended up moving my Pi-Hole DNS sinkhole from an Ubuntu VM to a container as well, and I might do the same with my Splunk service in the future (it’s currently running directly in macOS).

Networking

Like hosting, networking in my LAN is somewhat complex. I run a Sophos UTM as a border security device, which runs as a VM appliance on VMware Fusion. The Mac mini has two network adapters, WAN and LAN, with the WAN side only accessible to the UTM. Here’s how I configured both local and remote networking:

LAN

  • The Container Linux VM is bridged to the Mac’s LAN interface, so it gets its own IP address on the LAN.
  • The containers run in net=host mode, so they have direct access to the VM’s network stack and their services are available at the VM’s IP.
  • In order to allow me to access the service locally without any browser warnings about the SSL connection, I added a static DNS entry to the Pi-Hole so that my public domain name is resolved locally to the IP of the Container Linux VM.
  • I whitelisted my LAN IP range in the HTTP component to bypass the password prompt.

WAN / Remote Access

  • Since the Sophos does not support acting as a reverse proxy for WebSocket connections, unfortunately I was unable to use its web application firewall (WAF) and SSL offloading capabilities.
  • In order to enable remote access, I forwarded ports 443 and 8123 from the WAN to port 8123 on the Container Linux VM, and configured the HTTP component to use my public SSL certificate.
  • To minimize alerts about failed login attempts, I enabled country blocking on the Sophos, only allowing inbound connections from my home and native land :canada:.

Platforms / Components

Most things were pretty smooth to set up, but there were a couple hiccups:

HomeKit / Siri

As I mentioned, Docker for Mac broke HomeKit integration, so it’s a non-starter if you want to use this.

Alexa

Before I sorted out remote access I wasn’t able to use the Cloud component fully, which sent me down the long and winding path of the Alexa component instead. Even with some AWS experience under my belt, this was a bit of a complicated endeavour, though I did get it working. I hope to contribute to updating the documentation to help others who may end up in the same boat.

There were also a few things that I loved:

Workday

This is pure genius, and is probably my favourite component. God bless the internet.

Template and Input Components

These are also genius, and let me easily fill a couple gaps and implement simple logic in my system.

Conclusion

As a longtime user of OpenHAB, my changeover to Home Assistant has been a revelation. Thanks to everyone who has made this project a success, and I hope that I am able to contribute as it continues to move forward.

5 Likes

What are the specs of your mac mini?

Specs are:

  • Mac mini (Late 2012)
  • 2.5 GHz Intel Core i5
  • 8 GB 1600 MHz DDR3
  • 500 GB HDD
  • Onboard 1 Gbps Ethernet
  • Thunderbolt 1 Gbps Ethernet adapter

Can you advise how you achieved this on the Sophos UTM (especially the SSL certificate part).

I too was struggling with the WAF component of the Sophos UTM and your post has really helped me out.
Thanks for sharing.

Port forwarding on the Sophos is a bit buried, but this guide lays it out fairly clearly. In this case, the source should be TCP traffic to port 443 to the WAN interface, the new destination should be your Home Assistant instance, and the destination port should be 8123 (unless you’ve changed it).

For SSL I got a certificate from Let’s Encrypt (using a domain that I already had, but you can also use Duck DNS) and configured it as per the instructions for the HTTP component. The Sophos isn’t involved in this part, it just forwards the HTTPS traffic and the HTTP component takes care of setting up the TLS connection.

I hope that helps, but let me know if you have any trouble.

Thanks for the explanation.
It seems I was missing the SSL part within the HTTP Component. When I enabled that I was getting all sorts of weird errors in the logs and the frontend would not load.

2018-10-11 19:37:54 ERROR (MainThread) [homeassistant.config] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/config/ssl/cert.pem'
not a file for dictionary value @ data['http']['ssl_key']. Got '/config/ssl/privkey.pem'. (See /config/configuration.yaml, line 34). Please check the docs at https://home-assistant.io/components/http/

I performed multiple searches in the forums, and it appears many people are having this same issue. No provided solution seemed to fix it for me.

As I run an Nginx reverse proxy on my server, I tried configuring it to host the SSL certificate and it worked.
I can now access my HA remotely in a secure manner.

Thanks for your original post and followup, these definitely pointed me in the right direction to get it working.

1 Like
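The error quoted in the reply above is Home Assistant's config validator reporting that the `ssl_certificate` / `ssl_key` paths are not regular files as seen by the process inside the container. The following is an added example, not code from the original post or from the Home Assistant project: a small POSIX shell pre-flight that you run on the Docker host against the directory you intend to mount as `/config`, checking that both files resolve to readable regular files (a Let's Encrypt `live/` symlink whose target lies outside the mounted directory fails this just as it does inside the container) and that the certificate and private key actually belong together. It assumes the `openssl` CLI is installed on the host and uses the same `ssl/cert.pem` and `ssl/privkey.pem` names as the error message; the image name in the printed `docker run` line is an assumption, substitute your own.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight check for the
# paths Home Assistant's http component expects in ssl_certificate /
# ssl_key, run on the Docker host before starting the container.
# Assumes the openssl CLI is available on the host.

# check_cert_pair CONFIG_DIR
# Returns 0 when CONFIG_DIR/ssl/cert.pem and CONFIG_DIR/ssl/privkey.pem
# (the container's /config/ssl/...) are readable regular files whose public
# keys match; returns 1 with a reason on stderr otherwise.
check_cert_pair() {
    dir="$1"
    cert="$dir/ssl/cert.pem"
    key="$dir/ssl/privkey.pem"

    for f in "$cert" "$key"; do
        # -f follows symlinks, so a dangling Let's Encrypt live/ symlink
        # (target outside the mounted tree) is reported here.
        if [ ! -f "$f" ]; then
            echo "missing or not a regular file: $f" >&2
            return 1
        fi
        if [ ! -r "$f" ]; then
            echo "not readable: $f" >&2
            return 1
        fi
    done

    # Extract the public key from the certificate and derive the public key
    # from the private key; both are PEM SubjectPublicKeyInfo and must be
    # identical, otherwise the wrong pair was copied into ssl/.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $cert" >&2
        return 1
    }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $key" >&2
        return 1
    }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate and private key do not match" >&2
        return 1
    fi
    return 0
}

# docker_run_cmd CONFIG_DIR
# Prints the docker command this thread's setup implies: host networking
# (net=host, as in the original post) and CONFIG_DIR mounted at /config so
# the /config/ssl/... paths in configuration.yaml resolve inside the
# container. The image name is an assumption.
docker_run_cmd() {
    printf 'docker run -d --name home-assistant --net=host -v %s:/config homeassistant/home-assistant\n' "$1"
}

# Usage: ./check_ha_ssl.sh /srv/homeassistant
if [ -n "${1:-}" ]; then
    if check_cert_pair "$1"; then
        docker_run_cmd "$1"
    else
        exit 1
    fi
fi
```

If the check passes on the host but Home Assistant still reports "not a file", the directory is not reaching the container at the path the config names: compare the `-v` mount in the printed command with the `/config/ssl/...` values in `configuration.yaml`.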

Hi @michaeldavie, great post!

I realise this was a little while ago that you posted it, but I am running a setup a little like this, and thought I would comment on a few things that I have slightly different in case it helps you or anyone.
I am using an Intel NUC with only one NIC; my Sophos is doing all the SSL certificate work, so when you hit https://xxx.mydomainname it hands out a valid certificate.
This works both in my network and outside my network.

I currently have most of my IOT devices on a separate VLAN and I plan on putting in some cameras soon too.

Hope this is helpful to someone :slight_smile:

Cheers,

Aaron

Cool, thanks for posting!

I don’t use the Sophos anymore myself; I found that it was causing a bottleneck when I upgraded my WAN connection, so I switched to a physical Ubiquiti EdgeRouter X instead. Otherwise though, things are pretty much the same.

I’d like to separate my IOT devices into a separate VLAN as well, but I can’t with my current AP. What sort of APs are you using in your setup?

I am using Ubiquiti UniFi APs and UniFi switches.
I was using the UniFi gateway but found it was lacking WAF and a few other features.