Setting up an M1 Mac Mini for Home Automation using Home Assistant

How To Set Up An M1 Mac Mini As Your Home Automation Server Using Home Assistant

Intro

This is mostly just me scratching out notes on a work in (slow) progress, and preserving knowledge for future me.

If I get to a successful end, I may polish things up into a useful guide. There are no doubt better places to find this and easier ways to do it ... but I couldn't find them, and if you've ended up here, you couldn't either. Sorry for that.

Goals

My primary goal is to create the most elegant native setup using an M1 mini and MacOS Ventura with a good balance of ease of operation and maintainability; my secondary goal is to enjoy being a geek and learn a lot of things. This means I'm all good with spending a few hours learning about Apple's built-in virtualization framework to see if I can use it directly vs. things like VirtualBox, Docker, or UTM. I want to get to the end goals of useful dashboards, etc., but my need isn't urgent so this is my geek therapy project.

Server

  • Use an M1 Mac Mini as the heart of a home automation system
  • Operate using security best practices
    • FileVault disk encryption
    • ssh available, no passwords allowed
  • Deploy all software in containers
  • Operate everything securely in a .home TLD
    • Set up a CA to generate certs
    • Make it easy to get the CA cert into new devices
  • Have short, unqualified names that lead to services (e.g. https://dash/ for main dashboards, etc)
  • Have everything start properly at boot

Home Assistant

  • Know the state of all the home automation devices in the house
  • Have useful dashboards
    • for the house
    • for each person
    • for guests
  • Use Apple iCloud services for family info
    • calendars
    • iCloud drive?
    • location services
  • Be able to use the Home Assistant mobile apps with this setup

Remote Access/VPN (stretch goal)

  • Be able to VPN into our home network to see/do any of the above

Setting up the M1 Mini as a Containerized Home Automation Server

This section will (eventually) outline all the bits you want to get lined up to have an M1 Mac Mini that starts a set of containers at boot with a good balance of security, operability, and maintainability.

Security

Proper security is always balancing being secure against convenience. How you balance that should depend on the level of threat you expect and the value of what you're protecting.

In our case, I'm protecting data about our house, including room presence, as well as data about my family's location. I'd like to keep that reasonably secure; I don't want some script kiddie who's managed to get onto my network (aka one of the kids' 1337 h@x0r fr3nz) to have an easy time of pwning our stuff while still allowing guests to enjoy some of the benefits of the work we've done to make the house easier to operate.

FileVault: To Enable or Not To Enable?

FileVault encrypts the drive in your machine. If someone gains physical access, they need a valid login on the machine to unlock and mount the drive. This is a goodness.

However, if the machine reboots itself (due to power loss, kernel fault, cat stepping on the power strip switch, etc.) you'll have to log in before services will start on the box. This Is A Royal Pain.

With FileVault on, MacOS requires an interactive login on reboot to unlock and mount the root drive; no services can start until that happens. This means you can't easily have sshd running if the machine reboots due to power loss.

You can reboot remotely without needing to be at the machine to log in, though. sudo fdesetup authrestart asks for either a recovery key or a username and password, holds the supplied credentials in memory across the reboot, and uses them to unlock and mount the FileVault'd drive. If you've enabled sshd (via the Remote Login setting in the Sharing panel of System Settings/System Preferences), it will start immediately and you'll be able to ssh into the machine. fdesetup does a number of interesting things that might be worth exploring.
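As an added check (example code, not from the gist), the shell functions below parse the output of fdesetup status and fdesetup supportsauthrestart, both real macOS commands, to tell you before you depend on it whether an unattended remote reboot will actually bring the box back. The function names and the sample output strings are this example's own; an authenticated restart is only offered on hardware and volume layouts that support it, which is exactly what the second command reports.

```shell
#!/bin/sh
# Added example (not from the gist): decide whether `sudo fdesetup authrestart`
# is a usable remote-reboot path by checking the two things it depends on.
# Function names and the constructed sample strings are this example's own;
# `fdesetup status` and `fdesetup supportsauthrestart` are real macOS commands.

# filevault_is_on OUTPUT: parse the text printed by `fdesetup status`
# ("FileVault is On." / "FileVault is Off.").
filevault_is_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *) return 1 ;;
    esac
}

# authrestart_supported OUTPUT: parse `fdesetup supportsauthrestart`,
# which prints "true" or "false".
authrestart_supported() {
    case "$1" in
        true*) return 0 ;;
        *) return 1 ;;
    esac
}

# remote_reboot_plan STATUS_OUTPUT SUPPORT_OUTPUT: print which reboot path
# applies. Returns 0 if the machine comes back unattended, 1 if someone has
# to be at the console.
remote_reboot_plan() {
    if ! filevault_is_on "$1"; then
        echo "FileVault off: a plain 'sudo shutdown -r now' restarts services unattended"
        return 0
    fi
    if authrestart_supported "$2"; then
        echo "FileVault on and authrestart supported: use 'sudo fdesetup authrestart'"
        return 0
    fi
    echo "FileVault on but authrestart NOT supported: a reboot needs a console login"
    return 1
}

# Only talk to the real tool when asked and when it exists (i.e. on macOS);
# elsewhere the functions above can be exercised with constructed output.
if [ "${1:-}" = "--live" ] && command -v fdesetup >/dev/null 2>&1; then
    remote_reboot_plan "$(fdesetup status)" "$(fdesetup supportsauthrestart)"
fi
```

Run it as sh reboot-check.sh --live on the mini itself. Note that this only covers reboots you initiate: an unplanned restart (power loss, panic) still lands at the FileVault login screen, because the credentials authrestart stashes in memory do not survive a cold start.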

Automatically Log A Given User In?

Many tools that would be useful (like Docker or UTM for providing virtualization) require that you start a GUI app for them to load. This is easy if you make those apps startup items for your user account, but now a restart really really needs you to log in at console to bring all your container services up. Ugh.

The usual way to get around this is to grab something like VirtualBox, set up a VM in that, start k8s in the VM at boot, and have VB start at startup. This is all well and good, but I'm curious to see if we can do this using Apple's native virtualization tools.

[next steps]

The Road Not Taken (yet)

If you are less security oriented and/or less determined to use native frameworks, a faster path could look like:

  • Disable FileVault
  • Auto-log in your Automation User
    • Enable Remote Login for this user
    • Have Docker run as a startup item for this user
    • Have your containers start up when Docker boots

Setting Up Container Services On Your Nifty New Home Automation Server

I'm going to set up Home Assistant as a containerized service. To make admin and maintenance of our containerized services easy, I'll run Portainer. To make accessing these from a browser super easy (e.g. https://dash/ for dashboards, etc.), I'll use nginx as a reverse proxy to our containerized services. And to make this all secure on the network, I'll create a local certificate authority so we can generate internal certificates for the various web servers and aliases for all of this. Whew!

I'm doing one thing at a time, all the way through, to make sure I don't confound myself with multiple layers of configuration madness. Here's the order of steps I'll do:

  1. Set up Portainer
  2. Set up an nginx reverse proxy for http://portainer/
  3. Set up a local certificate authority to generate SSL certs
  4. Serve the CA root certificate on a path from nginx for easy install on devices
  5. Enable SSL for https://portainer/
  6. Configure http -> https redirect for all web servers

When I've done all of that, I'll have a standard pattern for setting up a containerized web service (like Home Assistant) via https as well as an easy way to provide the CA root certificate to new devices so they don't get annoying nag messages about self-generated certificates.
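Here is that pattern written out as an added example (my own script, not the gist author's and not Portainer's or nginx's own tooling): steps 3 to 6 of the list above done with openssl instead of the macOS keychain, plus the nginx server blocks for steps 2 and 5. It assumes Portainer publishes HTTP on 127.0.0.1:9000, the internal domain is .home, output goes under ./ha-proxy, and the openssl on the path is OpenSSL 1.1.1 or newer (macOS ships LibreSSL; brew install openssl provides the -addext option used here). Only the root certificate is ever served; the root private key stays in a mode-700 directory.

```shell
#!/bin/sh
# Added example, not the gist's own code: local CA + nginx reverse proxy
# pattern. Everything is written under $OUT (default ./ha-proxy).
# Assumptions: Portainer on 127.0.0.1:9000, internal domain .home,
# OpenSSL 1.1.1+ on the path.
set -eu
OUT="${OUT:-./ha-proxy}"
CA_DIR="$OUT/ca"
CONF_DIR="$OUT/nginx"
CA_DAYS=3650
LEAF_DAYS=825   # Apple rejects TLS server certs valid for more than 825 days

# make_ca: one offline root. Only ca.crt is published; ca.key never leaves here.
make_ca() {
    mkdir -p "$CA_DIR"; chmod 700 "$CA_DIR"
    if [ -f "$CA_DIR/ca.key" ]; then return 0; fi
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" -days "$CA_DAYS" \
        -subj "/CN=Home CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign"
    chmod 600 "$CA_DIR/ca.key"
}

# issue_cert NAME: leaf cert for the short name and NAME.home. Apple devices
# require a SAN and a serverAuth EKU; a CN-only cert is not trusted.
issue_cert() {
    name="$1"
    mkdir -p "$CONF_DIR/certs"
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$CONF_DIR/certs/$name.key" -out "$CA_DIR/$name.csr" \
        -subj "/CN=$name"
    printf 'subjectAltName=DNS:%s,DNS:%s.home\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$name" "$name" > "$CA_DIR/$name.ext"
    openssl x509 -req -in "$CA_DIR/$name.csr" -CA "$CA_DIR/ca.crt" \
        -CAkey "$CA_DIR/ca.key" -CAcreateserial -days "$LEAF_DAYS" \
        -extfile "$CA_DIR/$name.ext" -out "$CONF_DIR/certs/$name.crt"
}

# write_vhost NAME UPSTREAM_PORT: an http and an https server block per
# service. http redirects to https except /ca.crt, which must stay reachable
# by a device that does not trust the CA yet.
write_vhost() {
    name="$1"; port="$2"
    mkdir -p "$CONF_DIR/conf.d"
    cat > "$CONF_DIR/conf.d/$name.conf" <<EOF
server {
    listen 80;
    server_name $name $name.home;
    location = /ca.crt {
        alias $CA_DIR/ca.crt;
        default_type application/x-x509-ca-cert;
    }
    location / {
        return 301 https://\$host\$request_uri;
    }
}
server {
    listen 443 ssl;
    server_name $name $name.home;
    ssl_certificate     $CONF_DIR/certs/$name.crt;
    ssl_certificate_key $CONF_DIR/certs/$name.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://127.0.0.1:$port;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
EOF
}

case "${1:-}" in
    all)   make_ca; issue_cert portainer; write_vhost portainer 9000 ;;
    vhost) make_ca; issue_cert "$2"; write_vhost "$2" "$3" ;;   # e.g. vhost dash 8123
    *)     : ;;   # no argument: only define the functions
esac
```

Run sh setup-proxy.sh all, then point nginx at ha-proxy/nginx/conf.d (if nginx itself runs in a container, mount ha-proxy/nginx and ha-proxy/ca/ca.crt into it and adjust the alias and ssl_certificate paths to the in-container paths). Start Portainer bound to loopback only, so nothing on the LAN can reach it except through the proxy: docker run -d --name portainer -p 127.0.0.1:9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer-ce:latest. Keep in mind that the docker.sock mount gives Portainer full control of Docker on the host, so its admin password is effectively the host's. When installing the root on a new device from http://portainer/ca.crt, do it on the home LAN and compare the fingerprint the device shows with openssl x509 -in ha-proxy/ca/ca.crt -noout -fingerprint -sha256 before trusting it; serving the root over plain http is fine for convenience only if that out-of-band check happens.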

Setting up Portainer

Install

Run

Test

Setting up nginx as a reverse proxy

Install

Run

Test

Setting up a local CA to issue SSL certs

This isn't a containerized thing; in fact, we'll use MacOS keychain services to set this up.

[...]

Enable SSL for https://portainer

Configure nginx to automatically upgrade all http connections to https

Setting Up Home Assistant As A Containerized Service

Install

Configure For Reverse Proxy
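The Home Assistant side of the reverse proxy pattern, as an added example that is my own and not the gist's: since 2021.7 Home Assistant answers requests arriving through a proxy with 400 Bad Request unless the proxy's source address is listed in http.trusted_proxies, and it only honours X-Forwarded-For from those addresses, so the list doubles as a security control (bans, login throttling and local-network checks all key on the forwarded client IP). The script appends that section to configuration.yaml and refuses "trust everyone" entries. The proxy addresses (127.0.0.1 if nginx runs on the host, Docker's default 172.16.0.0/12 pool if it runs as a container), the file path and the volume name are assumptions.

```shell
#!/bin/sh
# Added example, not from the gist: Home Assistant's configuration.yaml
# http: section for running behind the nginx proxy. Addresses and paths
# here are this example's assumptions.
set -eu

# trusted_proxy_ok ADDR: refuse entries that would trust every client. With
# 0.0.0.0/0 any LAN device could forge X-Forwarded-For and appear to HA as
# whatever IP it likes.
trusted_proxy_ok() {
    case "$1" in
        0.0.0.0/0|::/0|"*"|"") return 1 ;;
        *) return 0 ;;
    esac
}

# write_ha_http FILE ADDR...: append an http: section listing the proxies.
# Refuses if FILE already has one, since a duplicate YAML key would silently
# override (or be overridden by) the existing settings.
write_ha_http() {
    file="$1"; shift
    if [ $# -lt 1 ]; then
        echo "at least one proxy address is required" >&2
        return 1
    fi
    if [ -f "$file" ] && grep -q '^http:' "$file"; then
        echo "$file already has an http: section; merge by hand" >&2
        return 1
    fi
    for addr in "$@"; do
        trusted_proxy_ok "$addr" || { echo "refusing to trust proxy '$addr'" >&2; return 1; }
    done
    {
        echo 'http:'
        echo '  use_x_forwarded_for: true'
        echo '  trusted_proxies:'
        for addr in "$@"; do echo "    - $addr"; done
    } >> "$file"
}

if [ "${1:-}" = "--write" ]; then
    # Loopback for nginx on the host; Docker Desktop's default address pool
    # for nginx in a container. Narrow the second one to your actual bridge
    # subnet once you know it (docker network inspect bridge).
    write_ha_http "${2:-./configuration.yaml}" 127.0.0.1 172.16.0.0/12
fi
```

Run sh ha-proxy-config.sh --write /path/to/config/configuration.yaml against the config volume, start Home Assistant published on loopback only (docker run -d --name homeassistant -v ha_config:/config -p 127.0.0.1:8123:8123 ghcr.io/home-assistant/home-assistant:stable; on macOS there is no host networking, so loopback publishing is the option that keeps port 8123 off the LAN), give it the same nginx server-block pair as Portainer proxied to 127.0.0.1:8123 under the dash name, and validate with docker exec homeassistant hass --script check_config -c /config before restarting.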

Run

Test

Troubleshooting
