Hacker News new | ask | show | jobs
by vladgur 890 days ago
"I expose HomeAssistant to the internet so I can use it remotely without a VPN,"

I wonder if this is a common use case? I would not want to expose Home Assistant to the internet because it requires trust in HASS that they keep an eye on vulnerabilities and trust in me that i update HASS regularly.

Do many Home assistant users do it? I prefer keeping it behind wireguard.
1 comments
JohnTheNerd 890 days ago
I do it, but I'm completely insane:

- I actually stay on top of all patches, including HomeAssistant itself

- I run it behind a WAF and IPS. lots of VLANs around. even if you breach a service, you'll probably trip something up in the horrific maze I created

- I use 2-factor authentication, even for the limited accounts

- Those limited accounts? I use undocumented HomeAssistant APIs to lock them down to specific entities

- I have lots of other little things in place as a first line of defense (certain requests and/or responses, if repeated a few times, will get you IP banned from my server)

I would not recommend any sane person expose HomeAssistant to the internet, but I think I locked it down well enough not to worry about a VPN.

link
localtoast 889 days ago
> - Those limited accounts? I use undocumented HomeAssistant APIs to lock them down to specific entities

Mind sharing your process to achieve what sounds like successful implementation of the much-requested ACL/RBAC support?

link
JohnTheNerd 889 days ago
"successful" is a very optimistic way of looking at it. it has several downsides but largely works for my needs:

- read access is mostly available for sensors, even if access wasn't granted.

- some integrations (especially custom integrations) don't care about authorization. my fork mentioned in the blog does, because I explicitly added logic to authorize requests. the HomeAssistant authorization documentation is outdated and no longer works. I looked through the codebase to find extensions that implement it for an example. maybe I should submit a PR that fixes the doc...

- each entity needs to be explicitly allowed. this results in a massive JSON file.

- it needs a custom group added to the .storage/auth file. this is very much not officially supported. however, it has survived every update I have received so far (and I always update HomeAssistant)

I will share what I did in detail when I get some time on my hands

link
localtoast 889 days ago
Much appreciated. Sounds as if you're way out of spec. Still; should be interesting to go through your methods.
link