Table of Contents
1 Home Assistant Configuration
1.1 Accessing Home Assistant Configuration Directory / Files
2.1 Configure Using Provided Snapshot
3 Install HA Basic Integrations
3.1 Samba Share
3.3 Alarmo-Alarm
3.3.1 Alarmo Installation
3.3.2 Alarmo Configuration
3.3.3 Add Alarm Panel Card
3.3.4 Alarmo Notifications
3.3.5 Alarmo Actions
3.4 Mosquitto Broker
3.4.1 SecureOffice / OpenWrt Broker Package
3.4.2 Home Assistant Broker Addon
3.5 ZHA Network Card
4.2 Discover and Configure Sonoff Devices
5 Use Tasmota Flashed Sonoff Devices
11 Final Result
13.2 Public Remote Access
13.1 Docker-Hassio Public Internet Access
13.2 Use Nginx Server
13.3 Use Alternate Port
List of Figures
Figure 1: HA Initial Registration Page
Figure 2: HA Main Page
Figure 3: HA Restore Snapshot
Figure 4: HA Default configuration.yaml
Figure 5: HA Replacement configuration.yaml
Figure 6: Alarmo Main Page
Figure 7: HA Alarm Card Configuration
Figure 8: HA Alarmo Card
Figure 9: Alarmo Card Configuration
Figure 10: Alarmo Card
Figure 11: Alarmo Triggered
Figure 12: Enable Email Notifications
Figure 13: Alarmo Notification
Figure 14: Alarmo Trigger
Figure 15: Enable MQTT Auto Discovery
Figure 16: Mosquitto Broker Add-on Configuration
Figure 17: Sonoff User Credentials
Figure 18: HA Sonoff Switches
Figure 19: Z-Wave Interface Configuration
Figure 20: Zigbee Interface Configuration
Figure 21: Turn on Light By Motion
Figure 22: Turn on Light For One Minute
Figure 23: Glance Status Configuration
Figure 24: Security Sensors
Figure 25: Smoke Sensors
Figure 26: HA Final Main Page
Figure 27: Detected Zigbee Devices
List of Tables
Table 1: Home Assistant Port Forwards
Given the vast number of add-ons and features of Home Assistant, configuration instructions are limited to achieving control of basic Sonoff, Zigbee and Z-Wave devices plus installing the integrations (packages) required for doing so. To proceed further requires knowing unique per-user requirements. Once basic configuration is complete, search the internet for HowTo's for any features / devices desired.
Home Assistant should be available (browser) at <Home Assistant LAN Address>:8123, where <Home Assistant LAN Address> depends on where HA was installed. For HA on real and virtual machines, it is the machine IP address. For docker-hassio (SecureOffice) installations it will be the SecureOffice LAN address. You should see the initial "create user account" page as shown below. If not, verify installation steps and try again. Note that you may not see the left column, since HA has not yet been integrated with the SecureOffice menu system unless using the docker-hassio premium package.
Figure 1: HA Initial Registration Page
To create the initial HA owner account, enter your name, create a user name, password and select "Create Account".
The next page will allow you to name and detect your location and select units of measurement. Configure according to your preferences. Press "Next", then "Finish".
The Home Assistant main page will be displayed, as shown below.
Subsequent configuration requires access to the HA internal filesystem. There are various methods for doing so, depending on how / where HA was installed. Subsequent instructions will refer to "<HA Config Dir>" which can be accessed by the following methods.
If using SecureOffice package "docker-hassio":
For all other HA installations if HA Add-on "Samba Share" is installed:
All HA installations, including docker-hassio if HA Add-on "SSH and Web Terminal" is installed:
HA can be configured either by restoring from backup (snapshot), which automatically installs basic integrations and configuration, or by manually installing and configuring integrations. Both methods are documented.
Given that HA configuration is a daunting task for new users with a steep learning curve, a snapshot (backup) of a pre-configured system is available to be up and running quickly. Experienced HA users may choose to skip this and start from the beginning and / or restore snapshots from their previous HA installations (eg: upgrading from unreliable Raspberry Pi installations).
As a convenience, a pre-configured Hassio snapshot (created from instructions in next section) is available for download by registered SecureOffice users from the SecureOffice custom repository. The snapshot is already included in the docker-hassio package. This snapshot will work with any Hassio installation on real or virtual machines.
The snapshot has the following configuration: HA user: "admin", password: "admin_54321".
The snapshot must be downloaded for all HA installations except the SecureOffice docker-hassio package.
Download the snapshot using a PC connected to the SecureOffice LAN only (otherwise, access will be denied due to unlicensed domain) from the SecureOffice custom repository. When prompted, enter your SecureOffice user ID and password (as previously entered in "/etc/opkg.conf") to download the snapshot (ha_default.tar). "LAN only" means disabling all network interfaces except the connection to the SecureOffice LAN (wired or WiFi).
Another (easier, no disabling network interfaces) download method is using a SecureOffice command prompt: "cd /tmp; sget ../Files/ha_default.tar" which will place the file in /tmp.
SSH access the <HA Config Dir>, enter "mkdir /backup" to create (if it does not exist) the HA backup directory. Copy the downloaded snapshot (ha_default.tar) to the above directory (using shared folders, WinSCP or another method). Reboot the HA PC or VM (Web GUI "Configuration -> Server Controls -> Restart") for HA to detect the snapshot.
If there is more than one snapshot, it may be necessary to SSH into HA to identify the correct snapshot by date: "ls -la backup".
After HA reboots, the snapshot can be accessed by (web GUI) "Supervisor -> Snapshots -> Available Snapshots". Click on the snapshot, a "Restore Snapshot" window will display, as shown below:
Figure 3: HA Restore Snapshot
Unselect (check mark) "Home Assistant" to not use the snapshot Home Assistant version (keep existing HA version). Click "Wipe & Restore", click OK when prompted. Connection with HA will be lost until restore completes. After restore completes, several configuration values are required to personalize settings.
Open the Home Assistant GUI (not from within OpenWrt GUI - authorization bug related to HA in iframe) using https://<Home Assistant LAN address>:8123
The snapshot is pre-configured and tested with the following configuration / integrations:
Default HA configuration will be completely replaced. For reference, the default configuration is shown below:
# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
# Text to speech
tts:
  - platform: google_translate
group: !include groups.yaml
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
Figure 4: HA Default configuration.yaml
Access <HA Config Dir> to edit file configuration.yaml. Delete all contents. Replace with contents from below:
# Configure a default setup of Home Assistant (frontend, api, etc)
default_config:
homeassistant:
  name: Home
  # latitude: <your home GPS latitude>
  # longitude: <your home GPS longitude>
  # elevation: <your home elevation>
  unit_system: metric
  # time_zone: <your time zone>
  # auth_providers stays in this same homeassistant: block; a second
  # top-level homeassistant: key would be a duplicate YAML key.
  # Reference: https://www.home-assistant.io/docs/authentication/providers/
  # auth_providers:
  #   - type: trusted_networks
  #     trusted_networks:
  #       - <your IPV4 LAN Address>/24
  #       - <your IPV6 LAN Address>::/10
# Text to speech
tts:
  - platform: google_translate
group: !include groups.yaml
# Configure HA to load all automations (*.yaml files) from "<config dir>/homeassistant/automations" directory
# as opposed to (default) single file "<config dir>/homeassistant/automations.yaml" which can get large and
# confusing. Best to configure automations in separate files per automation for ease of maintenance.
automation: !include_dir_merge_list automations
script: !include scripts.yaml
scene: !include scenes.yaml
mobile_app:
recorder:
  purge_keep_days: 5
  db_url: postgresql://postgres:postgres@127.0.0.1/hass
  exclude:
    domains:
      - automation
      - weblink
      - updater
    entities:
      - sun.sun # Do not record sun data
      - sensor.last_boot # Comes from 'systemmonitor' sensor platform
      - sensor.date
    event_types:
      - call_service # Do not record service calls
#sonoff:
#  username: <your sonoff / ewelink username>
#  password: <your sonoff / ewelink password>
#zwave:
#  usb_path: /dev/<device name of zwave interface>
#zha:
#  # Older HA versions require USB path
#  # usb_path: /dev/<device name of zigbee interface>
#  database_path: /config/zigbee.db # Don't change
# Reference: https://www.home-assistant.io/integrations/mqtt/
#mqtt:
#  discovery: true
#  broker: 'mqtt://127.0.0.1:1883' # Will change if broker not on HA machine
#  birth_message:
#    topic: 'hass/status'
#    payload: 'online'
#  will_message:
#    topic: 'hass/status'
#    payload: 'offline'
# Reference: https://community.home-assistant.io/t/bwalarm-akasma74-edition/113666
#alarm_control_panel: !include resources/bwalarm/bwalarm.yaml
# Email / SMS event notifications
# Reference: https://www.home-assistant.io/integrations/smtp/
#notify:
#  - name: <send email service name> # eg: gmail
#    platform: smtp
#    server: <your send email server> # eg: smtp.gmail.com
#    port: <email send server port> # eg: 587 for gmail
#    timeout: 15
#    encryption: <send email server dependent> # eg: starttls for gmail
#    sender_name: <who / what message is from> # eg: Home Assistant
#    sender: <from email address> # eg: you@gmail.com
#    username: <user name for send email server> # eg: you@gmail.com
#    password: <password for send email server>
#    recipient: <email or SMS gateway address> # eg: you@gmail.com
# Reference: https://www.home-assistant.io/integrations/logger/
logger:
  default: warn
#  logs:
#    homeassistant.components.bwalarm: debug
#    homeassistant.components.sonoff: debug
#    homeassistant.components.zha: debug
#    bellows.ezsp: debug
#    bellows.uart: debug
#    zigpy.zdo: debug
#    zigpy.application: debug
Figure 5: HA Replacement configuration.yaml
Uncomment and alter the GPS and timezone values according to your location. Save the file.
Create directory "<HA Config Dir>/automations" to support a separate .yaml file per automation.
Further configuration depends on which integrations you choose to enable / install (next section).
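The replacement configuration.yaml above carries credentials inline (the recorder db_url, and the sonoff and notify passwords once uncommented). The following added example, which is not part of the original page, scans a configuration for such values and rewrites them to use Home Assistant's "!secret" tag, which reads the value from "<HA Config Dir>/secrets.yaml". The sample configuration, the secret names and the function names are constructed for illustration.

```python
"""Added example: find inline credentials in configuration.yaml and move them
to secrets.yaml. The sample config and the secret names are constructed."""
import re

SECRET_KEYS = {"password"}  # credential key used by the integrations on this page
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?(\w+)\s*:\s*(.*)$")
URL_CREDS = re.compile(r"\w+://([^/\s:@]+):([^@\s/]+)@")  # scheme://user:pass@host


def _value(raw):
    """Return a scalar without its trailing YAML comment or surrounding quotes."""
    raw = raw.strip()
    if raw[:1] in ("'", '"'):
        end = raw.find(raw[0], 1)
        return raw[1:end] if end > 0 else raw[1:]
    return re.split(r"\s+#", raw, maxsplit=1)[0].strip()


def _classify(key, value):
    """Name the problem with this key/value pair, or return None."""
    url = URL_CREDS.search(value)
    if url:
        same = url.group(1) == url.group(2)
        return "url-credentials-same-as-user" if same else "url-credentials"
    is_placeholder = value.startswith("<") and value.endswith(">")
    if key in SECRET_KEYS and not is_placeholder:
        return "inline-secret"
    return None


def _scan(text):
    """Yield (lineno, section, key, value, reason, value_start) per finding."""
    section = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not active
        m = KEY_VALUE.match(line)
        if not m:
            continue
        if not line[0].isspace():
            section = m.group(1)  # top-level key, e.g. recorder, sonoff
        key, value = m.group(1), _value(m.group(2))
        if not value or value.startswith("!secret"):
            continue
        reason = _classify(key, value)
        if reason:
            yield lineno, section, key, value, reason, m.start(2)


def audit(text):
    """Return [(line number, key, reason)] for credentials written inline."""
    return [(n, key, reason) for n, _s, key, _v, reason, _p in _scan(text)]


def externalize(text):
    """Return (rewritten config, secrets dict) with findings moved to !secret."""
    lines, secrets = text.splitlines(), {}
    for lineno, section, key, value, _reason, start in _scan(text):
        name = f"{section}_{key}"
        if name in secrets:  # e.g. two notify entries: keep names unique
            name = f"{name}_{lineno}"
        secrets[name] = value
        lines[lineno - 1] = lines[lineno - 1][:start] + "!secret " + name
    return "\n".join(lines) + "\n", secrets


# Constructed sample, shaped like the configuration on this page.
SAMPLE_CONFIG = """\
recorder:
  purge_keep_days: 5
  db_url: postgresql://postgres:postgres@127.0.0.1/hass
sonoff:
  username: user@example.com
  password: constructed-sample-password
notify:
  - name: gmail
    platform: smtp
    password: !secret smtp_password
# mqtt:
#   password: commented-out
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
    new_config, new_secrets = externalize(SAMPLE_CONFIG)
    print(new_config)
    for name, value in new_secrets.items():
        print(f"{name}: {value}")  # lines to place in secrets.yaml
```

The secrets dictionary holds the lines to place in secrets.yaml; that file is still plain text and must be protected like configuration.yaml.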
The following integrations may be installed manually or by restoring from the preconfigured snapshot with the following configuration settings. Any settings that are not mentioned are left at default values:
SSH & Web Terminal: username: "admin", password: "admin_54321", SSH server port: "2223"
Alarmo Alarm: Disarm code: "4321"
This addon is unnecessary if using package docker-hassio, which automatically shares docker image persistent data from SecureOffice directory "/home/data/docker_data/hassio". This data is available to devices connected to the SecureOffice LAN (explorer) at "\\<your SecureOffice LAN address>/Dockers/hassio" (no password required).
This addon enables Home Assistant file sharing across different operating systems over a network. It lets you access your Home Assistant configuration files from Windows, Linux and macOS devices.
Using the Home Assistant web GUI, navigate to "Supervisor -> Add-on Store". Select "Samba Share", press "Install".
Enter add-on configuration values. It is mandatory to at least set the "start on boot, workgroup, username and password" values. After done, press "Start".
Using Windows explorer, navigate to \\<LAN address of Home Assistant>. You should see the following directories: "addons, backup, config, share, ssl". If not, restart Home Assistant and try again. Fix any errors before proceeding.
This add-on allows you to log in to Home Assistant using SSH or the integrated Web Terminal in a browser. It also provides access to the HA command line utility and configuration files for managing home-assistant.
Using the Home Assistant web GUI, navigate to "Supervisor -> Add-on Store". Select "SSH & Web Terminal", press "Install". If the application does not show, enable advanced mode on your user profile page to make it visible.
Enter configuration values. It is mandatory to at least set the "username, password, SSH server port" values. The "SSH server port" must not be "22" or "2222", since it will conflict with the SecureOffice SSH server (2223 is a good choice). Press "Save" after any changes. Press "Start". Under "Log", press "REFRESH" periodically until you see "Starting session". Fix any errors such as insecure password before proceeding.
An HA console session can be started by either "OPEN WEB UI" from within the add-on or using an SSH client (putty) to connect to <IP Address of host>:<SSH server port>.
Docker-hassio ONLY: Be aware there is an authorization bug related to HA in iframe which is used to integrate docker-hassio with the OpenWrt menu system. This means the "OPEN WEB UI" function will have an access error. To avoid this, access HA using https://<SecureOffice LAN address>:8123
If this add-on was installed using restore snapshot from backup, the default configuration values can be seen and changed from "Supervisor->SSH & Web Terminal->Configuration". It is recommended to change the default password.
This add-on replaces the standard Home Assistant alarm panel with a fully functional burglar alarm with the following features:
Alarmo links:
This addon requires motion detectors and / or door / window sensors to function. Tested with Xiaomi Aqara motion sensors, but any HA compatible motion sensor should work.
This addon / HA has also been tested with HEIMAN HS1SA-E (zigbee) smoke detectors, which can also be used as alarm triggers, as can any binary sensor.
Go to HA web GUI->Supervisor->SSH & Web Terminal->Open Web UI
Enter the following commands:
Prior to configuration, ensure that all motion detect and security sensor devices have been discovered by Home Assistant (Configuration -> Devices). If not, install and configure your devices prior to proceeding.
After HA restarts, Click on "Alarmo" in the Home Assistant sidebar. The Alarmo main page will display, as shown below:
Figure 6: Alarmo Main Page
Follow the instructions in the Alarmo documentation to configure Alarmo for your requirements, including modes of operation, sensors, notifications and actions.
Alarmo arm / disarm can be controlled using the standard HA "Alarm Panel" card, or the Alarmo custom Alarm Panel which has more features such as a countdown timer for mode entry and displaying which sensors triggered the alarm.
To install the standard HA card, from the HA main page, click the 3 vertical dots in upper right to enter "Edit Dashboard" mode. Click "Add Card" and select the "Alarm Panel" card. Alarm Panel configuration will appear as shown below:
Figure 7: HA Alarm Card Configuration
If interested in additional states such as arm_night or arm_custom_bypass (see documentation), add them and press "Save". The HA Alarm Card will appear in the HA dashboard as shown below:
Figure 8: HA Alarmo Card
To install the custom Alarmo card, from the HA main page, click the 3 vertical dots in upper right to enter "Edit Dashboard" mode. Click "Add Card" and select "Custom: Alarmo Card". Select "alarm_control_panel.alarmo" for entity. Alarmo Panel configuration will appear as shown below:
Figure 9: Alarmo Card Configuration
Press "Save". The Alarmo Card will appear in the HA dashboard as shown below:
Figure 10: Alarmo Card
After adding sensors and enabling Alarmo "Arm Away" mode, if a sensor is triggered, the Alarmo panel will show "Triggered" and display the last sensor that triggered, as shown below:
A burglar alarm is useless without some way to announce that intruders have been detected. Notification options are:
Configuration instructions to send an email / SMS notification follow.
Enable HA built in email notifications by adding the following code to <HA Config Dir> file "/configuration.yaml":
notify:
  - name: gmail
    platform: smtp
    server: <your email server>
    port: 587 # verify port
    timeout: 15
    sender: <your email address>
    encryption: starttls
    username: <your user name for email server>
    password: <your password for email server>
    recipient: <email or SMS gateway address for notifications>
    sender_name: Home Assistant
Figure 12: Enable Email Notifications
To create an email / SMS text notification when the alarm is triggered, navigate to HA GUI -> Alarmo -> Actions -> Notifications and enter the following:
Figure 13: Alarmo Notification
A burglar alarm is useless without some way to indicate that intruders have been detected. Action options are:
To create an action when the alarm is triggered, navigate to HA GUI -> Alarmo -> Actions -> Actions.
The flash_light script was defined in Adding Scripts. This particular script was used to test Alarmo triggering, using the settings below:
Figure 14: Alarmo Trigger
Mosquitto Broker is a MQTT server. MQTT is a machine-to-machine (M2M) / "Internet of Things" connectivity protocol. It was designed as an extremely lightweight publish / subscribe messaging transport. It is useful for connections with remote locations where a small code footprint is required and / or network bandwidth is at a premium. For example, it has been used by sensors communicating to a broker via satellite link, over occasional dial-up connections with healthcare providers, and in a range of home automation and small device scenarios. It is ideal for mobile applications because of its small size, low power usage, minimised data packets, and efficient distribution of information to one or many receivers. The MQTT protocol provides a lightweight method of carrying out messaging using a publish (event sources publish events) / subscribe (event listeners subscribe to events of interest) model. This makes it suitable for Internet of Things messaging such as low power sensors or mobile devices, phones, embedded computers or microcontrollers.
Mosquitto broker can be used to control devices flashed with Tasmota (MQTT client), Z-Wave devices using the ZWave2MQTT (gateway) add-on and Zigbee devices by flashing Zigbee2mqtt firmware, (gateway to Zigbee devices - technical skills, hardware required) on an inexpensive CC2531 USB stick.
There are two options for Mosquitto Broker installation, the OpenWrt MQTT broker package (recommended) or the HA MQTT broker addon.
Any Home Assistant installation (virtual, docker or real servers anywhere on the SecureOffice LAN) can choose to use either the OpenWrt MQTT broker package or the HA MQTT broker addon.
Do not install Mosquitto broker until instructed to do so when (optionally) configuring MQTT for Tasmota, ZWave2MQTT or the CC2531 USB stick.
The SecureOffice Mosquitto Broker is automatically installed if using the docker-hassio package.
To install the broker package for use by any other HA installation, enter (SecureOffice command prompt): "opkg update; opkg install mosquitto-ssl"
Create a new user for MQTT via HA GUI Configuration->Users (manage users). Note: This name cannot be "homeassistant" or "addon", those are HA reserved usernames. Suggest name: "MQTT", username: "mqtt", enter and remember the MQTT password. This user must have administrator privileges.
The SecureOffice Mosquitto broker password must match the MQTT password created above. If a user name other than "mqtt" was chosen, replace the trailing "mqtt" in the following command with <MQTT username>. All devices connecting to the MQTT broker will require <MQTT username> and <MQTT password> to be set.
To change the SecureOffice MQTT password, enter (SecureOffice command prompt): "echo -e '<MQTT password>\n<MQTT password>' | mosquitto_passwd -c /etc/mosquitto/passwords.txt mqtt". mosquitto_passwd takes the user name as its last argument and prompts for the password twice, which the echo supplies.
Enable and start the MQTT broker: "/etc/init.d/mosquitto enable; /etc/init.d/mosquitto restart", using a SecureOffice command prompt.
Several files need to be created in the "/share" directory on the Home Assistant filesystem.
Create <HA Config Dir> file "/share/mosquitto/acl.conf" with contents "acl_file /share/mosquitto/accesscontrollist".
Create <HA Config Dir> file "/share/mosquitto/accesscontrollist" with the following contents (MQTT userid created above):
user <YOUR_MQTT_USER>
topic readwrite #
Navigate to HA GUI->Configuration->Integrations.
If the MQTT integration is enabled, delete it. Press "+" and search for MQTT. Click on MQTT.
Configure the Broker. IP Address: <SecureOffice LAN address>, Port (defaults), MQTT Username, Password (created previously) and Submit.
If not already done, flash your Sonoff devices and ensure they show up and are controllable from Home Assistant -> Overview.
Enable MQTT auto-discovery (add devices). Add the following to "<HA Config Dir>/configuration.yaml":
mqtt:
  discovery: true
  broker: 'mqtt://<SecureOffice LAN address>:1883'
  birth_message:
    topic: 'hass/status'
    payload: 'online'
  will_message:
    topic: 'hass/status'
    payload: 'offline'
Figure 15: Enable MQTT Auto Discovery
Restart Home Assistant for the configuration to take effect.
This addon is unnecessary if using the SecureOffice docker-hassio package. Mosquitto broker is provided by SecureOffice / OpenWrt.
Official Mosquitto Broker add-on documentation is here.
To install using the Home Assistant web GUI, navigate to "Supervisor -> Add-on Store". Select "Mosquitto broker", press "Install".
Navigate to Supervisor->Add-ons->Mosquitto broker->Configuration. Change Mosquitto Broker options as below:
logins: []
anonymous: false
customize:
  active: true
  folder: mosquitto
certfile: fullchain.pem
keyfile: privkey.pem
require_certificate: false
Figure 16: Mosquitto Broker Add-on Configuration
Create a new user for MQTT via Configuration->Users (manage users). Note: This name cannot be "homeassistant" or "addon", those are reserved usernames. Suggest name: MQTT, username: "mqtt", enter and remember the password. This user must have administrator privileges.
Several files need to be created in the "/share" directory on the Home Assistant filesystem.
Create <HA Config Dir> file "/share/mosquitto/acl.conf" with contents "acl_file /share/mosquitto/accesscontrollist".
Create <HA Config Dir> file "/share/mosquitto/accesscontrollist" with the following contents (MQTT userid created above):
user <YOUR_MQTT_USER>
topic readwrite #
Start Mosquitto Broker add-on, check the log (Supervisor->System) and fix any reported issues.
Navigate to HA GUI->Configuration->Integrations.
If the MQTT integration is enabled, delete it. Press "+" and search for MQTT. Click on MQTT.
Configure the Broker. IP Address: 127.0.0.1, Port (defaults), MQTT Username, Password (created previously) and Submit.
If not already done, flash your Sonoff devices and ensure they show up and are controllable from Home Assistant -> Overview.
Enable MQTT auto-discovery (add devices). Add the following to "<HA Config Dir>/configuration.yaml":
mqtt:
  discovery: true
  broker: 'mqtt://127.0.0.1:1883'
  birth_message:
    topic: 'hass/status'
    payload: 'online'
  will_message:
    topic: 'hass/status'
    payload: 'offline'
Restart Home Assistant for the configuration to take effect.
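Both broker sections above create the same "accesscontrollist" file, which grants one account "topic readwrite #", and every device connects with that account. The following added example, which is not part of the original page, parses Mosquitto ACL text and compares what that shared account may publish or subscribe to with what a per-device account could be limited to. It assumes the suggested user name "mqtt", Tasmota's default cmnd/stat/tele topic prefixes, and a constructed device name "sonoff_basic_1" with its own broker account.

```python
"""Added example: what a Mosquitto ACL file lets each account publish or
subscribe to. Device names, topics and the per-device ACL are constructed."""

ACCESS = ("read", "write", "readwrite", "deny")


def parse_acl(text):
    """Parse 'user' and 'topic' lines into {user: [(access, filter), ...]}.

    Comments are whole lines starting with '#'; a '#' inside a topic line is
    the MQTT multi-level wildcard. 'pattern' lines are not handled here.
    """
    acl, user = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "user" and len(parts) > 1:
            user = line.split(None, 1)[1]
            acl.setdefault(user, [])
        elif parts[0] == "topic" and user is not None and len(parts) > 1:
            if len(parts) == 3 and parts[1] in ACCESS:
                acl[user].append((parts[1], parts[2]))
            else:  # access type omitted: Mosquitto defaults to readwrite
                acl[user].append(("readwrite", line.split(None, 1)[1]))
    return acl


def topic_matches(filt, topic):
    """MQTT filter matching: '+' is one level, '#' is all remaining levels."""
    if topic.startswith("$") != filt.startswith("$"):
        return False  # wildcards never reach $SYS and other '$' topics
    f_levels, t_levels = filt.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True  # also matches the parent level itself
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def allowed(acl, user, action, topic):
    """action is 'read' (subscribe) or 'write' (publish); deny rules win."""
    rules = acl.get(user, [])
    if any(a == "deny" and topic_matches(f, topic) for a, f in rules):
        return False
    return any(a in (action, "readwrite") and topic_matches(f, topic)
               for a, f in rules)


def reach(acl_text, user, probes=None):
    """Return the probes (action, topic) that the ACL permits for this user."""
    acl = parse_acl(acl_text)
    probes = PROBES if probes is None else probes
    return [(a, t) for a, t in probes if allowed(acl, user, a, t)]


# ACL from this page, with the suggested user name filled in.
PAGE_ACL = """\
user mqtt
topic readwrite #
"""

# Constructed alternative: Home Assistant keeps full access, each device
# account is limited to its own Tasmota topics and HA's birth topic.
PER_DEVICE_ACL = """\
user mqtt
topic readwrite #

# one account per device
user sonoff_basic_1
topic read cmnd/sonoff_basic_1/#
topic write stat/sonoff_basic_1/#
topic write tele/sonoff_basic_1/#
topic read hass/status
"""

# Constructed probe set: own topics, another device's topics, HA discovery.
PROBES = [
    ("read", "cmnd/sonoff_basic_1/POWER"),
    ("write", "tele/sonoff_basic_1/STATE"),
    ("write", "cmnd/other_device/POWER"),
    ("read", "tele/other_device/SENSOR"),
    ("write", "homeassistant/switch/other_device/config"),
    ("read", "$SYS/broker/version"),
]

if __name__ == "__main__":
    print("shared account:", reach(PAGE_ACL, "mqtt"))
    print("device account:", reach(PER_DEVICE_ACL, "sonoff_basic_1"))
```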
This add-on displays discovered ZHA (Zigbee) network and device information as shown in Detected Zigbee Devices.
Documentation and installation instructions are available at the author's site.
Two options (integrations) are discussed for controlling standard Sonoff Devices:
Ensure that your Sonoff WiFi device(s) (including RF Bridge - if using) are connected and powered on.
The EWeLink application is required for device discovery. It can be installed on Android or iOS devices. An EWeLink user manual is available (read it).
After installing EWeLink, perform the following steps using EWeLink:
For each Sonoff device, enter pairing mode (press device button for 7 seconds). Press (EWeLink) "+" to enter discovery mode, Select "Quick Pairing". Fill in the WiFi credentials the device will use. If pairing takes too long, press the device button for 7 seconds again. Enter a "Device name" when prompted, press "Complete". The device will show up in EWeLink. Select the icon next to the device name for further configuration. If you see "Firmware update available", go to "Settings" to update.
Important: Every time you add or change devices using EWeLink, delete the hidden file "<HA Config Dir>/.sonoff.json" and restart Home Assistant (Configuration->Server Controls -> Restart). This file contains device settings downloaded from the EWeLink server, if the file does not exist locally. Downloading device settings from EWeLink is the only internet access that SonoffLAN requires and only if a local copy of "<HA Config Dir>/.sonoff.json" does not exist.
Append the following at the end of file "<HA Config Dir>/configuration.yaml" to allow Home Assistant to get device configuration from the EWeLink server.
sonoff:
  username: <EWeLink user ID>
  password: <EWeLink password>
Figure 17: Sonoff User Credentials
Restart Home Assistant and navigate to "Overview". You should see the Sonoff devices added. The figure below shows two Sonoff Basic switches controlled via the SonoffLAN addon.
Figure 18: HA Sonoff Switches
Choose which Mosquitto Broker implementation to use (SecureOffice MQTT broker package or HA MQTT broker add-on).
Install and configure the chosen Mosquitto broker implementation (previous link).
Enable the HA Z-Wave built-in integration for the Nortek HUSBZB-1 Zigbee / Z-Wave combo USB interface. Add the following to "<HA Config Dir>/configuration.yaml":
zwave:
  usb_path: /dev/ttyUSB0
Figure 19: Z-Wave Interface Configuration
If running HA in a virtual machine it is necessary to (VMware GUI) connect the Z-Wave interface to the virtual machine. Select "Player -> Removable Devices -> <Interface Device Name> -> Connect (Disconnect from Host)".
If using a different Z-Wave interface device, the USB path may be different. See Identify USB Interface Devices to determine the correct USB path.
New Z-Wave devices (those that became active after Home Assistant was already running) can be discovered by going to Developer Tools->Services and entering "zha.permit". This avoids having to restart Home Assistant to discover new Z-Wave devices.
Enable the HA Zigbee built-in integration for the Nortek HUSBZB-1 Zigbee / Z-Wave combo USB interface. Add the following to "<HA Config Dir>/configuration.yaml":
zha:
  # Older HA versions require USB path
  # usb_path: /dev/ttyUSB1
  database_path: /config/zigbee.db
Figure 20: Zigbee Interface Configuration
The "usb_path" entry is not used by newer versions of HA and remains commented. Older HA versions may require this variable to be set.
If running HA in a virtual machine it is necessary to (VMware GUI) connect the Zigbee interface to the virtual machine. Select "Player -> Removable Devices -> <Interface Device Name> -> Connect (Disconnect from Host)".
If using a different Zigbee interface device, the USB path may be different. See Identify USB Interface Devices to determine the correct USB path.
Refer to the HA automations documentation.
Home Assistant automations are programmed sequences of actions in response to events, optionally qualified by states. The Alarmo Alarm is an automation. When the alarm is in the armed state and an enabled motion detector triggers (the event), a text message or email is sent. An automation is self-contained and includes triggers (event that invokes automation), conditions (state of some entity) and actions (what to do if trigger occurs and conditions are met).
Automations can be entered / defined using the HA GUI, in which case all automations are defined in a single file (<HA Config Dir>/automations.yaml). To support this mode of operation, "<HA Config Dir>/configuration.yaml" must contain "automation: !include automations.yaml" to include the automations file.
It is also possible to define automations directly in "<HA Config Dir>/configuration.yaml" using a text editor. Automations defined in configuration.yaml cannot be managed using the HA GUI.
As your HA installation grows in complexity, with many automations, it may become confusing to manage them all. To reduce complexity, it is possible to split automations into separate files, each file containing a specific automation, named according to function. Automations defined by this method cannot be managed using the HA GUI. To support this mode of operation, "<HA Config Dir>/configuration.yaml" must contain "automation: !include_dir_merge_list automations" to include all files in the automations directory (must be created).
An example automation is when motion occurs and it is dark: turn on / off a light or appliance, example (<HA Config Dir>/automations/upstairs_light.yaml) below:
- alias: Motion and dark turn on upstairs light
  trigger:
    platform: state
    entity_id: binary_sensor.lumi_lumi_sensor_motion_aq2_fa48cf05_ias_zone
    from: 'off'
    to: 'on'
  condition:
    condition: numeric_state
    entity_id: sensor.lumi_lumi_sensor_motion_aq2_fa48cf05_illuminance
    below: 50
  action:
    - service: switch.turn_on
      data:
        entity_id: switch.sonoff_1000a3a038
- alias: No motion for 5 minutes turn off the upstairs light
  trigger:
    platform: state
    entity_id: binary_sensor.lumi_lumi_sensor_motion_aq2_fa48cf05_ias_zone
    from: 'on'
    to: 'off'
    for:
      minutes: 5
  action:
    - service: switch.turn_off
      data:
        entity_id: switch.sonoff_1000a3a038
Figure 21: Turn on Light By Motion
Refer to the HA script documentation.
Home Assistant scripts are programmed sequences of actions to execute when the script is called by an automation when a trigger occurs and conditions are met.
Scripts can be entered / defined using the HA GUI (script editor), in which case all scripts are defined in a single file (<HA Config Dir>/scripts.yaml). To support this mode of operation, "<HA Config Dir>/configuration.yaml" must contain "script: !include scripts.yaml" to include the scripts file.
It is also possible to define scripts directly in "<HA Config Dir>/configuration.yaml" using a text editor. Scripts defined in configuration.yaml cannot be managed using the HA GUI and must be managed using a text editor.
As your HA installation grows in complexity, with many scripts, it may become confusing to manage them all. To reduce complexity, it is possible to split scripts into separate files, each file containing a specific script, named according to function. Scripts defined by this method cannot be managed using the HA GUI. To support this mode of operation, "<HA Config Dir>/configuration.yaml" must contain "script: !include_dir_merge_named scripts" to include all files in the scripts directory (must be created).
An example script is turn on a light for one minute, then turn off the light, example (<HA Config Dir>/scripts/flash_light.yaml) below:
flash_light:
  mode: restart
  sequence:
    - service: switch.turn_on
      data:
        entity_id: switch.sonoff_100028e0e9
    - delay: 0:01
    - service: switch.turn_off
      data:
        entity_id: switch.sonoff_100028e0e9
Figure 22: Turn on Light For One Minute
Displaying sensor status is important for spotting open sensors which may prevent arming the burglar alarm, confirming that all sensors are detected, and monitoring smoke detectors.
From the HA main page, click the 3 vertical dots in upper right to enter "Edit Dashboard" mode. Click "Add Card" and select the "Glance" card. Glance configuration will appear as shown below:
Figure 23: Glance Status Configuration
Delete all entities and add all burglar alarm sensors. Add "Security Sensors" as title. Click save. Status of all configured entities will appear in the HA dashboard as shown below:
If you have other sensors such as smoke detectors, add another Glance card containing the corresponding entities with title "Smoke Alarms". Status of all configured entities will appear in the HA dashboard as shown below:
Figure 25: Smoke Sensors
Thus far, configuration has dealt with setting up the HA infrastructure (interfaces, protocols, devices, integrations) required to provide event sources (sensors) and devices to control for Home Assistant automations.
What to do next is dependent on what YOU want Home Assistant to do. Consult the Home Assistant automations documentation for ideas, examples and HowTo's.
After following previous installation / configuration instructions (with devices which will change, dependent on user configured devices / UI), the Home Assistant completed main page is as shown below:
Figure 26: HA Final Main Page
The "ZHA STATUS" (discovered Zigbee devices) page is shown below:
Figure 27: Detected Zigbee Devices
HA must be re-configured to delete devices, entities and UI elements that you do not have / want and add what you do have / want. Consult the Home Assistant documentation.
Once satisfied with the Home Assistant configuration, it is prudent to back up your configuration for disaster recovery.
All HA installations can be backed up using Supervisor->Snapshots->Create Snapshot. Copy the snapshot to a safe location on another (not HA) PC using any of the <HA Config Dir> access methods.
Alternatively, if using docker-hassio, Home Assistant can be backed up as part of a full system backup. Using SecureOffice / OpenWrt GUI, navigate to System->Backup / Flash Firmware->Generate Archive which will automatically save the full system backup (including Home Assistant) to your PC.
Do you want to provide public (everyone) access to Home Assistant or keep it private (for those you choose such as family members), accessible locally and / or using VPN?
Four options exist for Home Assistant remote access:
Public access means anyone on the internet can access your services. This is the least secure remote access method, since passwords can be cracked.
Private access means that only users on your local LAN and / or remote VPN (such as family members) can access your service. This is the most secure and recommended approach.
Home Assistant can always be accessed from anywhere (local and / or remote if configured) using a web browser on any device. Various Android and iOS clients exist. To choose the remote access client that is best for you, search "Home Assistant remote client apps". A review of several popular Home Assistant client apps is available here.
Remote access client configuration is client specific and not covered by this document. Consult the client documentation and search for "Home assistant remote access".
This means anyone can take a crack at hacking your site, since anyone can access the login page.
This poses a serious security risk from hackers. Review Home Assistant authentication. Security can be increased by enabling secrets and using multi-factor authentication, but this increases login complexity and may require extra packages to be installed on remote devices.
It is far more secure to remotely access Home Assistant using the SecureOffice VPN Server which allows secure remote access clients to appear as local clients.
At docker-hassio installation, Home Assistant is automatically configured for private (clients on local LAN only) network access as a Nginx virtual host by Nginx configuration file "/etc/nginx/vhosts/hassio" installed as part of the package.
The general approach (and pre-requisites) for serving a site at a domain or subdomain is in the Nginx HowTo documentation.
Assuming prerequisites such as domain, DNS, SSL certificates were met prior to docker-hassio installation, the values "<your LAN address>" and "<your domain name>" were automatically set at docker-hassio installation.
To enable public Home Assistant access, comment (insert "#") or delete the "allow" and "deny" lines in the "/etc/nginx/vhosts/hassio" configuration file. Home Assistant will then be publicly accessible at "https://hassio.<your domain>". The configuration file is shown below:
server {
    listen 443;
    listen [::]:443;
    server_name hassio.<your domain name>;
    add_header X-Frame-Options "ALLOW-FROM https://<your LAN address>/ https://$server_name/";
    add_header Content-Security-Policy "frame-ancestors 'self' https://<your LAN address> https://$server_name/";
    location / {
        # Comment "#" following lines to allow internet access
        allow 192.168.0.0/16;
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        allow 127.0.0.0/8;
        deny all;
        # End comment lines
        # Set all cookies to secure, httponly and samesite (strict or lax)
        # Need Nginx 1.19.3+ for this
        proxy_cookie_flags ~ secure httponly samesite=none;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_pass http://<your LAN address>:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Figure 28: Hassio Virtual Domain
Note: Home Assistant serves http only; Nginx converts between https (client side) and http (Home Assistant side).
Restart Nginx by entering "/etc/init.d/nginx restart; rm -rf /var/luci-*" at a command prompt for the changes to take effect.
Enter "https://hassio.<your domain name>" in a web browser on a PC not connected to the SecureOffice LAN. If all is well, you will see the Home Assistant registration page (Figure 1) without OpenWrt GUI.
If all is not well, enable Home Assistant logging "log_std* '1'" in file "/etc/config/docker/hassio", restart Home Assistant ("/etc/init.d/docker stop; /etc/init.d/docker start"), enter "logread -f | grep docker" (to watch error messages) and try to access Home Assistant again. Enter "CTRL+c" (together) to exit logread. Fix any errors.
Home Assistant installations using any method other than docker-hassio are available at "http://<Home Assistant LAN address>:8123" and need to be proxied by Nginx to be accessible by domain or subdomain name.
This configures Home Assistant to be accessible at a subdomain, for example, "http(s)://homeassistant.<your domain name>".
Home Assistant can be accessed locally or remotely (if enabled) by "http(s)://homeassistant.<your domain name>".
This approach has the following advantages:
This configuration is similar to the docker-hassio Nginx domain configuration (Hassio Virtual Domain) differing only by the "server_name" and "proxy_pass" directives. Also, since Home Assistant is external to SecureOffice (VM or real machine), it is not integrated with the SecureOffice / OpenWrt GUI.
Assuming the desired HA subdomain is "homeassistant", the Nginx configuration ("/etc/nginx/vhosts/homeassistant.conf") will resemble the following (using the method and all prerequisites from Create Nginx Virtual Host):
server {
    listen 443;
    listen [::]:443;
    server_name homeassistant.<your domain name>;
    add_header X-Frame-Options "ALLOW-FROM https://<Home Assistant LAN address>/ https://$server_name/";
    add_header Content-Security-Policy "frame-ancestors 'self' https://<Home Assistant LAN address> https://$server_name/";
    location / {
        # Comment "#" following lines to allow internet access
        allow 192.168.0.0/16;
        allow 172.16.0.0/12;
        allow 10.0.0.0/8;
        allow 127.0.0.0/8;
        deny all;
        # End comment lines
        # Set all cookies to secure, httponly and samesite (strict or lax)
        # Need Nginx 1.19.3+ for this
        proxy_cookie_flags ~ secure httponly samesite=none;
        proxy_hide_header X-Frame-Options;
        proxy_hide_header Content-Security-Policy;
        proxy_pass http://<Home Assistant LAN address>:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
Figure 29: HA SubDomain Configuration
From a SecureOffice command prompt, enter "/etc/init.d/nginx restart" to have the new settings take effect. Try to access "http(s)://homeassistant.<your domain>". You should see the Home Assistant add user or login page. Fix any issues before proceeding.
To allow public remote access, comment (add "#") or remove the "allow" and "deny" lines from the configuration file above.
If the URL "http(s)://homeassistant.<your domain name>" is not to your liking, it can be easily changed by changing the "server_name" directive and configuration file name.
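How Nginx evaluates the "allow" / "deny" lines in the two vhost files above, as an added example (not part of the SecureOffice package or this HowTo's own files): rules are checked in order and the first match wins, so commenting only some of the lines changes who can reach the login page. The sample block, the client addresses and all function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: the access rules from the "location /" block shown on this page.
LAN_ONLY = """\
location / {
    # Comment "#" following lines to allow internet access
    allow 192.168.0.0/16;
    allow 172.16.0.0/12;
    allow 10.0.0.0/8;
    allow 127.0.0.0/8;
    deny all;
}
"""
RULE = re.compile(r"^[ \t]*(allow|deny)[ \t]+([^;\s]+)[ \t]*;", re.M)

def active_rules(conf):
    """Active (action, network) pairs in file order; '#'-commented lines never match."""
    return [(action, None if target == "all" else ipaddress.ip_network(target, strict=False))
            for action, target in RULE.findall(conf)]

def decide(conf, client_ip):
    """Nginx checks rules in order and stops at the first match; no match means allow."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in active_rules(conf):
        if net is None or ip in net:
            return action
    return "allow"

def exposure(conf):
    """Classify the block using one LAN and one internet client (both constructed)."""
    if decide(conf, "203.0.113.5") == "allow":      # TEST-NET-3 documentation address
        return "public"
    return "lan-only" if decide(conf, "192.168.1.10") == "allow" else "locked-out"

def comment_out(conf, directive):
    """Return conf with every active line starting with `directive` prefixed by '#'."""
    return re.sub(rf"^([ \t]*)({directive}\b)", r"\1#\2", conf, flags=re.M)

if __name__ == "__main__":
    variants = {
        "as installed": LAN_ONLY,
        "allow and deny commented": comment_out(comment_out(LAN_ONLY, "allow"), "deny"),
        "only 'deny all' commented": comment_out(LAN_ONLY, "deny"),
        "only 'allow' lines commented": comment_out(LAN_ONLY, "allow"),
    }
    for name, conf in variants.items():
        print(f"{name:30} -> {exposure(conf)}")
```

Commenting only "deny all;" already makes the site public, because a client that matches no rule is allowed; commenting only the "allow" lines denies LAN clients as well.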
This configures Home Assistant to be locally accessible by "<your LAN address>:8123" and remotely by "http://<your domain name>:<port you choose>".
This approach has the following disadvantages:
Following the port forwarding instructions, add the port forward shown below. When done, from a SecureOffice command prompt, enter "/etc/init.d/firewall restart".
| Name | Protocol | Ext Zone | Ext port | Int Zone | Int IP Addr | Int port | Notes |
|---|---|---|---|---|---|---|---|
| Allow-Home-Assistant | tcp | wan | <Port you choose> | lan | <Home-Assistant LAN address> | 8123 | Home Assistant is VM or another computer on LAN. Unnecessary if Nginx used for domain services. |
Table 1: Home Assistant Port Forwards
Try to access "http://<your domain>:<port you chose>". You should see the Home Assistant add user or login page. Fix any issues before proceeding.
Technologies Used: