@kmassada
Last active April 15, 2021 04:43

Home network

Auth

MFA

https://www.home-assistant.io/docs/authentication/

  • enable MFA
  • Delete refresh tokens

SSH

https://github.com/home-assistant/addons/tree/master/ssh

  • enable ssh
  • add authorized-keys

/!\ TODO /!\

  • disable password authentication for the Home Assistant ssh addon (key-only)

lets encrypt

configuration

email: email@gmail.com
domains:
  - ha.domain.com
certfile: fullchain.pem   # written to /ssl/fullchain.pem, referenced in configuration.yaml below
keyfile: privkey.pem      # written to /ssl/privkey.pem
challenge: http
dns: {}

The Let's Encrypt addon can use the http challenge:

80/tcp 80 (HA host) Only needed for http challenge

  • open port forwarding on the router so that :80 routes to HA's internal IP:80. This is /!\ okay /!\: the addon only starts its http server for the challenge and terminates it once the certs have been validated
  • add a dns entry for ha.domain.com pointing to the external IP
  • open port forwarding on the router so that :8123 routes to HA's internal IP
  • access HA from anywhere via ha.domain.com
  • the certs the addon produces are saved under /ssl; reference them in configuration.yaml:
http:
  ssl_certificate: /ssl/fullchain.pem
  ssl_key: /ssl/privkey.pem

/!\ TODO /!\

This site is missing a valid, trusted certificate (net::ERR_CERT_COMMON_NAME_INVALID).

Network

SSH

network > system settings > controller > SSH auth

  • use Quick Setup for ssh keys to generate a public key and add it to the UI (where SITE=ROUTERIP...); then edit ~/.ssh/config locally to include:
Host RouterIP
HostName RouterIP
User RouterUSER
IdentityFile ~/.ssh/LOCALUSER@ROUTERIP

Other "advanced settings"

network > Advanced Features > Gateway

Here are all the settings for Static Routes, Port Forwarding,

dDNS

I was looking for a dns provider that will support:

  • using custom domains
  • native support for letsencrypt
  • ddns manageable by unifi

In hindsight, not sure if this was a good decision... cloudflare will support a docker container that updates ddns regularly: s6 overlay + cron + a really easy cloudflare call with an api key

For now:

network > Advanced Features > Gateway

Interface: WAN
Service: afraid
Hostname: ubnt.domain.com
Username: FREEDNS_USER
Password: FREEDNS_Password
Server: leave empty

Cloud Key Gen2

  • pre-reqs and install acme.sh
curl https://get.acme.sh | sh

export FREEDNS_User=FREEDNS_User
export FREEDNS_Password=FREEDNS_Password
  • Errors using DNS API mode.

The first few commands attempting to generate Let's Encrypt certs failed at the DNS level (for example: Error code 60). The remediation was to run in DNS manual mode: acme.sh prints a TXT record to add to the DNS entries, and once it is in place, re-running acme.sh validates it and issues the certs.

# manual mode is --dns with no provider name; acme.sh prints the TXT record to add, then
# re-run the same command with --renew instead of --issue once the record is live
/root/.acme.sh/acme.sh --issue --dns -d ubnt.domain.com \
    --yes-I-know-dns-manual-mode-enough-go-ahead-please
  • Generating the certs
/root/.acme.sh/acme.sh --issue --dns dns_freedns -d ubnt.domain.com \
    --fullchainpath /etc/ssl/private/cloudkey.crt --keypath /etc/ssl/private/cloudkey.key
# copy the installed pair to where unifi-core reads it (the md5sums below must match)
cd /data/unifi-core/config
cp /etc/ssl/private/cloudkey.crt unifi-core.crt
cp /etc/ssl/private/cloudkey.key unifi-core.key
/etc/init.d/unifi restart

some quick verifications

#verify the copy matches the source
md5sum unifi-core.crt
391c8ef9ea7250fca0dfdd16bfa9d902 unifi-core.crt

md5sum /etc/ssl/private/cloudkey.crt
391c8ef9ea7250fca0dfdd16bfa9d902 /etc/ssl/private/cloudkey.crt

openssl x509 -in /data/unifi-core/config/unifi-core.crt -text -noout
    X509v3 Subject Alternative Name:
        DNS: mydomain.com
    X509v3 Certificate Policies:
        Policy: 2.23.140.1.2.1
        Policy: 1.3.6.1.4.1.44947.1.1.1
          CPS: http://cps.letsencrypt.org
  • Make it permanent

add this to ~/.bashrc, before the line the acme.sh installer added (. "/root/.acme.sh/acme.sh.env"):

export FREEDNS_User=FREEDNS_User
export FREEDNS_Password=FREEDNS_Password

add this to the crontab (crontab -e):

# % must be escaped in crontab, otherwise cron treats it as a newline and the date command breaks
0 0 * * * "/root/.acme.sh"/acme.sh --renew -d ubnt.domain.com  --pre-hook "tar -zcvf /root/.acme.sh/CloudKeySSL_`date +\%Y-\%m-\%d_\%H.\%M.\%S`.tgz /data/unifi-core/config/unifi-core.*" --fullchainpath /data/unifi-core/config/unifi-core.crt --keypath /data/unifi-core/config/unifi-core.key
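Added example, not part of the gist: a POSIX sh check that automates the md5sum/openssl verification above and also covers the ERR_CERT_COMMON_NAME_INVALID TODO from the Home Assistant section (browsers compare the hostname against the certificate's SAN, not the CN). `cert_check` is a hypothetical helper name; it only needs openssl, and the paths in the trailing comment are the ones used above.

```sh
#!/bin/sh
# Added example, not from the gist. Checks a cert/key pair before restarting
# unifi-core or Home Assistant:
#   1. the cert and key belong together (what the md5sum step above approximates),
#   2. the hostname you browse to is in the SAN extension (browsers ignore the CN;
#      a miss here is ERR_CERT_COMMON_NAME_INVALID),
#   3. the cert is not about to expire (a silently failing renewal cron).
# Usage: cert_check CERT_FILE KEY_FILE HOSTNAME [MIN_DAYS]   (exit 0 = all good)
cert_check() {
    cert=$1; key=$2; host=$3; min_days=${4:-14}

    # 1. Compare the SubjectPublicKeyInfo from the cert with the one derived from
    #    the private key. Works for RSA and EC keys; empty output means unreadable.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert does not match $key" >&2
        return 1
    fi

    # 2. The line after the SAN header looks like "DNS:ha.domain.com, DNS:ubnt.domain.com".
    #    Exact match only: wildcard SANs are not expanded here.
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
           | grep -A1 'Subject Alternative Name' | tail -n1)
    case "$sans," in
        *"DNS:$host,"*) ;;
        *)  echo "FAIL: $host not listed in SAN: ${sans:-<none>}" >&2
            return 2 ;;
    esac

    # 3. -checkend exits non-zero if the cert expires within the given seconds.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null; then
        echo "FAIL: $cert expires within $min_days days" >&2
        return 3
    fi

    echo "OK: $cert matches $key and covers $host"
}

# Paths as used in the gist for unifi-core on the Cloud Key Gen2:
# cert_check /data/unifi-core/config/unifi-core.crt \
#            /data/unifi-core/config/unifi-core.key ubnt.domain.com
```

Run it from the renewal cron's --post-hook or by hand after the cp step; a non-zero exit is the cue not to restart the service.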

Let's encrypt
