this post was submitted on 17 Feb 2024
78 points (85.5% liked)


Okay, let me start by saying that I really do love Home Assistant. I believe that it is a fantastic piece of software, with very dedicated developers that are far more talented than I. Although, that being said, I strongly disagree with a number of their design choices.

My most recent problem has been trying to put Home Assistant behind a reverse proxy with a subpath. The Home Assistant developers flat out refuse any contribution that adds support for this. Supposedly, the frontend has hard-coded paths for some views; to me this doesn't sound like a good practice to begin with -- that being said, I mostly program in Go these days (so I'm unsure if this is something that is pretty common in some frameworks or languages). The official solution is to use a subdomain, which I can't do -- I'm trying to route all services through a Tailscale Funnel (which only provides a single domain; I doubt that Tailscale Funnels were ever designed for this purpose, but I'm trying to completely remove Cloudflare Tunnels for my selfhosted services).

The other major problem I've run into is that HAOS assumes that you would have no need to run any other Docker services other than those that are add-ons or Home Assistant itself. Which, I'm sorry (not really), Home Assistant add-ons are an absolute pain to deal with! Sure, when they work, they're supper simple, but having to write an add-on whenever I just want to spin up a single Docker container is not going to work for me.

Now, some smaller issues I've had:

  • There's no way to change the default authentication providers. I host for my (non-techie) family, they're not going to know what the difference between local authentication and command-line authentication is, just that one works and the other doesn't.
  • Everything that is "advanced" requires a workaround. Like mounting external hard drives and sharing them with containers in HAOS requires you to set up the Samba add-on, add the network drive, and then you can use it within containers.

Again, I still really love Home Assistant, it's just getting to a point where things are starting to feel hacky or not thought out all the way. I've considered other self-hosted automation software, but there really isn't any other good alternative (unless you want to be using HomeKit). Also, I'm a programmer first, and far away from being a self-hosting pro (so let me know if I've missed any crucial details that completely flip my perspective on its head).

If you got to the end of this thanks for reading my rant, you're awesome.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago)

Caddy and Rewrite / strip_prefix doesn't work?

Reverse proxy based on /homass and then internally strip the prefix from /homass/x to just /x?

[–] [email protected] 1 points 7 months ago

I just used a Cloudflare Tunnel.

[–] [email protected] 9 points 7 months ago (1 children)

I second the complaint about subpaths. I have all my services on a single domain, except for HA. It's for security by obscurity: when you issue a certificate for a subdomain you start getting malicious traffic probing for vulnerabilities almost immediately. I don't have these problems for services with non-obvious subpaths.

I can't understand the stubbornness of developers to accept patches for fixing this problem.

[–] [email protected] 4 points 7 months ago* (last edited 7 months ago) (1 children)

~~LetsEncrypt can hand out wildcard certs if you are able to add TXT records to your domain, if that helps any.~~

I realised this was a stupid comment that doesn't help any.

[–] [email protected] 1 points 7 months ago

No no, that's how I'm working around the problem now, but I'm sure SNI sniffing will sooner or later make my domain well known.

[–] [email protected] 2 points 7 months ago (1 children)

I will first admit that I am quite ignorant to Home Assistant.

I am a happy openHAB user for 5+ years. Have you considered switching to see if you like it?

I tried Home Assistant once or twice but never felt comfortable enough to switch.

I run stuff locally and can connect over VPN to my home and operate as if I am inside the home. I have not looked into these other cloudflare tunnels or tail scale as I don't think it would provide any advantage to my current setup.

OpenVPN server running on my router does the trick.

[–] [email protected] 1 points 7 months ago (1 children)

I am a happy openHAB user for 5+ years. Have you considered switching to see if you like it?

I actually have considered it, and I'm still thinking about it.

I run stuff locally and can connect over VPN to my home and operate as if I am inside the home. I have not looked into these other cloudflare tunnels or tail scale as I don’t think it would provide any advantage to my current setup.

I have a strange setup. My ISP is Starlink (so I'm behind a CGNAT), meaning I kinda need another service to access them outside the network, but (as mentioned) I mainly host for my family who wouldn't know how to work another app or VPN.

[–] [email protected] 1 points 7 months ago

I had to look that up. So ya, I understand your problem a bit better. Wish I could offer some solutions.

For anyone interested..

"Starlink uses Carrier-Grade NAT (CGNAT) to avoid the need for 1,000s of IPv4 addresses, which can be a problem for some users due to how they are using Starlink. However, some VPN services like PureVPN can be used to bypass CGNAT restrictions on Port Forwarding. CGNAT prevents direct access to the Starlink antenna from the internet, making setting up a VPN or hosting services challenging. There is no direct public IP address assigned to the Starlink antenna, which hinders traditional methods of setting up a VPN server or hosting services like port forwarding and DMZ access"

[–] [email protected] -2 points 7 months ago

super simple

Hamburger helper?

[–] [email protected] 33 points 7 months ago (1 children)

I think you're missing the point of HAOS: it's an appliance. You don't manage it like a normal self-hosted system.

Once you treat it as an appliance, it's great. Also there is a portainer agent you can run that will connect to a portainer instance.

As for your tunnel issues, maybe the tunnel thing is your biggest issue. I run all my self-hosted stuff on its own subdomain; if I want to route something home I use the site-to-site VPN I have. Even a cheap OVH VPS could be a way to run stuff on subdomains.

[–] [email protected] 4 points 7 months ago (1 children)

Requiring a subdomain should not be mandatory in 2024.

Sub paths should be such a basic feature that it's ridiculous devs don't even take that into consideration.

Why? Because software requiring absolute paths is as old and obsolete as an MS-DOS program, and the only real reason it happens today is... bad design choices or limited frameworks.

[–] [email protected] 1 points 7 months ago (1 children)

Requiring a full URL will be more of a security thing I would guess, as some users put HA on the internet and it could have access to open doors.

Also I have tried things on sub paths and it got very complicated to know where a service was; a domain keeps things easy to set up and manage. As I run internet-facing services for my day job, I have to look at both security and ease of maintenance when setting things up.

I would say that if you need a path over a domain, it's a skill issue and you need to find a better way of working.

[–] [email protected] 2 points 7 months ago (1 children)

Not really... Your attitude is the problem.

Sub paths are simpler to deploy: need only one certificate, need only one subdomain.

In any case you need reverse proxy so security is not the matter here.

Your use cases are not mine and both ways should always be possible.

You never need a subpath over a subdomain, nor vice versa; it is (or should be) always a choice.

[–] [email protected] 1 points 7 months ago (1 children)

Ok, I don't get your point of view, as I don't see the need to sub-path things.

What I do see is a lot of people who seem to think that a sub-path is good security, cheaper to run and lots of other things.

First off, you can get free Let's Encrypt certs and even a wildcard cert if you know how. Also you can get a SAN cert with a little config of certbot.

Second, you don't need an A record for every domain. You can use a CNAME or even a wildcard to catch any domain name.

Then the security is all crap: if the sub path is on the internet it will get found in time. A domain is just more obvious, but you can also name the subdomain anything you want. Case in point is my Nextcloud on an "owncloud" subdomain.

If you start to look into ways to automate all that, then things are trivial to add to. I use OVH for my domains, as they provide an API that I can use with certbot to get any certificate I want for my domain. I can also use the API to provision a new subdomain, be that an A record or CNAME. But I have a wildcard subdomain so that I can spin up anything on any subdomain and I don't have to do any setup.

[–] [email protected] 1 points 7 months ago

All my services are behind pam-auth, so nobody unless authorized can see any subpaths. That fixes it for security.

And that makes it so the browser will ask you to save a password and log in for each subdomain... but only once for subpaths.

But besides this, is freedom of choice so difficult to grasp? My use cases are not yours; better to be free to choose rather than forced, isn't it?

I do have a few subdomains as well, I know perfectly well how to automate them and in fact I do, but I don't like having two ways, and especially not just because some dev doesn't want to look into supporting subpaths. The number of services not supporting subpaths is the vast minority, so there must be enough people wanting to use them after all. And in all cases, they don't support subpaths because frameworks don't support them (Immich) or because devs don't care (HA).

Stuff like Gitea, Gerrit, WordPress, all wikis I ever tried, the arrs, Jellyfin, Podfetch are just the first that pop into my mind that I use and that support subpaths.

[–] [email protected] 1 points 7 months ago* (last edited 7 months ago) (1 children)

Many systems don't support subpaths as it can cause some really weird problems.
As you use Tailscale Funnels, you really want incoming traffic from the internet. I am not sure that's a good idea for e.g. Home Assistant, which is limited in access anyway.
Might as well use Tailscale and access the system over VPN.

And for anything serious I wouldn't use something like Funnel anyway. Rent a VPS and use that as your reverse proxy; you can then also do some caching or host some services there. Much simpler to deal with, and full support for such things, as you then have an actual public IPv4/IPv6 address to use.
Heck, you don't even have to pay for it with the Oracle Always-Free system.

[–] [email protected] 1 points 7 months ago (1 children)

I largely agree with this, but (and this might be me being a little paranoid) I don't really trust anyone to handle my data like that. I self-host as much as possible to get away from things beyond my control, I understand that this is an extremist view of things, but the only reason why I use Tailscale Funnel is because the family would either not know how to, or not want, to deal with a VPN like that.

[–] [email protected] 3 points 7 months ago* (last edited 7 months ago)

As far as I understood, Tailscale Funnel is just a TCP tunnel.
So you handle TLS on your own system, which makes sure Tailscale cannot really interfere.

If you already trust them this far, you might as well do the same with a VPS and gain much more flexibility and independence (you can easily switch VPS provider; you cannot really switch Tailscale Funnel provider, so you vendor-locked yourself in that regard).

I'd connect the VPS and your home system via VPN (you can probably also use Tailscale for this) and then you can use a TCP tunnel (e.g. HAProxy), or straight up forward the whole traffic via firewall rules (a bit more tricky, but more flexible... though not that easy with Tailscale... probably best to use a TCP tunnel with PROXY protocol).
This way you can use all ports, all protocols, incoming and outgoing traffic with the IP address of the VPS.

Tailscale might even already have something that can configure this for you... but I don't really know Tailscale, so I don't know.

And as you terminate TLS on your home system, traffic flowing through the VPS is always encrypted.

If you want to go overboard, you can block attackers on the server before it even hits your home system (I think CrowdSec can do it: the detector runs on your home system and detects attacks and can issue bans which block the attacker on the VPS).

And yes, it's a bit paranoid... but it's your choice.
My internet connection here isn't good enough to do major stuff like what I am doing (handling media, backups and other data) so I rent some dedicated machines (okay, I guess a bit more secure than a VPS, but in the end it's not 100% in your control either).
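The VPS-side TCP tunnel this comment describes, written out as an added HAProxy configuration that is not part of the original thread. It assumes the home system is reachable over the VPN at 100.64.0.2 (placeholder) and that whatever terminates TLS there accepts the PROXY protocol; HAProxy only forwards bytes, so the VPS never sees plaintext and the home side still learns the real client IP for logging or CrowdSec bans.

```haproxy
# Added example (not from the thread): VPS as a plain TCP pass-through to the home box.
# TLS is NOT terminated here; only the home system holds the private key.
global
    log stdout format raw local0

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend public_https
    bind :443
    # Wait (briefly) for the TLS ClientHello so only real TLS handshakes are forwarded;
    # everything else is dropped at the VPS without ever reaching home.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    default_backend home_tls

backend home_tls
    # 100.64.0.2 is a placeholder for the home host's VPN address.
    # send-proxy-v2 prepends a PROXY header carrying the original client IP/port,
    # so the home reverse proxy can log it and a ban list can act on it.
    server home 100.64.0.2:443 send-proxy-v2 check
```

The home-side reverse proxy must be configured to expect the PROXY protocol on that listener, or the prepended header will be read as a malformed TLS record and every connection will fail.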

[–] [email protected] 4 points 7 months ago

I'm always very wary of systems that require a user to deviate as much from the "usual" structure almost all other services use. HAOS has really weird configs and "all the functionality" that presumably breaks when you use Docker and don't have the supervisor for Docker... well... If what HA did was the way to go... why is it that tons of services use Docker's rather powerful internal networking features just fine but HA of all things can't do that and requires weird add-ons that for some reason cannot live on any other system than a Debian with weirdly specific modifications (bye bye cgroups v2)? This will break most other functionality of that host Debian. I mean... if only there was a widespread way to provide a highly customized Linux kernel in an ephemeral environment that can just be plugged in and out of a host machine without changing the host machine itself.... Nah, can't have that, let's cause more overhead with a VM...

I'm not willing to make that kind of modifications to my whole setup just for HA and in the long run, this rift between "the way it's usually done" and "The HA-Way" will become bigger and bigger, causing more and more problems.
