My reason for wanting HomeAssistant and a locked down VLAN...
from Landless2029@lemmy.world to selfhosted@lemmy.world on 01 Jul 22:36
https://lemmy.world/post/32337939

cross-posted from: lemmy.world/post/32265822

xkcd #3109: Dehumidifier

Title text:

It’s important for devices to have internet connectivity so the manufacturer can patch remote exploits.

Transcript:

[A store salesman, Hairy, is showing Cueball a dehumidifier, with a “SALE” label on it. Several other unidentified devices, possibly other dehumidifier models, are shown in the store as well.]

Salesman: This dehumidifier model features built-in WiFi for remote updates.
Cueball: Great! That will be really useful if they discover a new kind of water.

Source: xkcd.com/3109/

explainxkcd for #3109

#selfhosted

Landless2029@lemmy.world on 01 Jul 22:48 next collapse

I just bought my first home and as soon as I’m decently unpacked I’m going to start my journey on self hosting.

Currently planning:

  • Small i5 HP Pro SFF PC for hosting large apps (going to config for Linux and power it off until I get more mature)
  • Raspberry Pi4: pihole and home assistant
  • Raspberry Pi4: NextCloud, Deck
  • ZigBee router thing:
  • NAS
  • Jellyfin
  • JBOD on SFF?
  • flashing old Netgear nighthawk into DD-WRT
  • OS Ticket to replace NextCloud Deck for a JIRA type solution to manage projects and major house items.
  • ZigBee thermometers for better Nest accuracy
  • ZigBee motion sensors for entry ways and bathroom
  • smart plugs and motion sensors for basement TV lights

Not sure what else to add. Open to advice or suggestions.

Dudewitbow@lemmy.zip on 01 Jul 23:03 next collapse

if you have a garage, design a method to basically ensure your garage door is closed without you needing to go back to check.

of course if you trust yourself with never making that mistake.

last thing you want to feel is if you remembered to close the door or not and you're already far off

NOT_RICK@lemmy.world on 01 Jul 23:07 next collapse

I have a controller that plugs right into my opener with a magnetic sensor for if the door is open or not. Running Homebridge I can see it and open and close it from anywhere. Did it all the way from Thailand a while back just for shits and giggles. I gotta see if I can configure it to auto shut if it’s still open at night, have had a couple of whoopsies there.

Brkdncr@lemmy.world on 01 Jul 23:27 collapse

A camera would work too.

brygphilomena@lemmy.dbzer0.com on 01 Jul 23:30 next collapse
Pika@sh.itjust.works on 01 Jul 23:34 next collapse

I agree, I set my grandparents' doors up on a timer, if it's still open at 11 PM it auto closes both doors. I’ve got the ping a few times now saying “emergency door schedule activated” meaning that they were open and had not been closed prior.

FreedomAdvocate@lemmy.net.au on 02 Jul 00:20 next collapse

Get a Meross Garage Door Opener/closer: shop.meross.com/…/smart-wifi-garage-door-opener

Fantastic product, works in homeassistant.

ikidd@lemmy.world on 02 Jul 00:40 collapse

And it’ll be bricked when their app shuts down.

Toribor@corndog.social on 02 Jul 02:40 collapse

I use GarHAge which uses open hardware and software and was pretty easy and cheap too. github.com/marthoc/GarHAge

ikidd@lemmy.world on 02 Jul 04:51 collapse

That sounds like the way to do it. It’s under your control and it’ll always work.

Landless2029@lemmy.world on 02 Jul 02:50 collapse

No garage sadly.

tux7350@lemmy.world on 01 Jul 23:12 next collapse

I wish I had set up an identity management system sooner. Been self-hosting for years and about a year ago took the full plunge into setting up all my services behind Authentik. It's a game changer not having to deal with all the usernames and passwords.

In a similar vein, before Authentik, I used Vaultwarden to manage all my credentials. That was also a huge game changer with my significant other. Being able to have them set up their own account and then share credentials as an organization is super handy.

Landless2029@lemmy.world on 02 Jul 02:49 next collapse

My SO is already using keepass locally. Used to be only a paper notebook. Data breach paranoia.

I plan to set up vaultwarden or keepassXC

psud@aussie.zone on 02 Jul 11:19 collapse

I use keepass, it’s a little more work than many closed source ones, but it’s only as online as you want it to be, and runs on anything

AtariDump@lemmy.world on 02 Jul 03:54 collapse

If it’s something that’s vital, my mantra is pay to have someone else professional host it.

I’ll pay the $10/year for Bitwarden.

Brkdncr@lemmy.world on 01 Jul 23:28 next collapse

Cameras.

Landless2029@lemmy.world on 02 Jul 02:48 collapse

Yeah that’s on the list. I want them hard wired though. Gotta hire an electrician to wire up the outside of the house.

qjkxbmwvz@startrek.website on 02 Jul 00:24 next collapse

ZigBee router thing:

I’ve been happy with the SMLIGHT SLZB-06M. You can easily flash firmware, and it has PoE which was important for me. I believe it also supports Thread, but I haven’t tried this yet (and I’m not sure if it supports it at the same time as Zigbee).

Zigbee smart plugs from Third Reality have been pretty solid in my experience, and they report power usage.

For circuit breaker level monitoring, I have an Emporia Vue2. I have it running esphome, completely local — unfortunately this requires some simple soldering and flashing, so it’s not turnkey. But it’s been rock solid ever since flashing it. (Process is well documented online.)

I’ve had decent luck with cheap wifi Matter bulbs, but provisioning them is finicky, and sometimes they just crap out and need to be power cycled; Zigbee bulbs (e.g., Ikea) have generally been reliable, though sometimes I’ve had difficulty pairing them initially. After power cycling a Matter WiFi bulb, it takes a while for it to respond to Home Assistant; Zigbee bulbs generally respond as soon as you power them on.

I have a wired smart light switch from TP-Link/Kasa (KS205), and it’s been completely hassle free (and totally local — Matter over wifi). The Kasa smart switch dongles I have work flawlessly but need proprietary pairing, and I’m afraid to update firmware in case they lose local support.

Good luck! Fun adventure :)

tburkhol@lemmy.world on 02 Jul 01:15 next collapse

I’ve watched enough Lock Picking Lawyer never to want a consumer ‘smart lock.’ Half of them can be opened with a magnet. Maybe commercial grade is better, but I’ve been locked out of my job after every power failure for the last 10 years, until someone comes along with a physical key.

Re homeassistant on a Pi: homeassistant does a lot of database transactions, so you may want to have db storage on something other than an SD card.

Landless2029@lemmy.world on 02 Jul 02:45 next collapse

Good call. I was thinking of trying a 128GB usb3 stick I got. Maybe a ssd/nvme on a USB3 controller.

copd@lemmy.world on 02 Jul 04:37 collapse

I have an old 2.5inch 500GB laptop HDD plugged into a USB/SATA adaptor into my Raspberry Pi.

that’s been running flawlessly for 3 years and drops every concern with running HA on a pi

Postmortal_Pop@lemmy.world on 02 Jul 03:05 next collapse

I have tentative plans to make my own smart lock by way of electric motor and commercial deadbolts with an RF scanner and a back up battery for emergency. It won’t be amazingly secure in a tech way, but I figure the combination of novelty and DIY should make it reliable.

That said, I gotta be that guy and remind everyone that all locks are security theatre and are not going to protect your house from the persistent or prepared. Your best defense is a combination of foresight and social engineering.

Bytemeister@lemmy.world on 02 Jul 13:38 collapse

I’ve watched enough Lock Picking Lawyer never to want a consumer ‘smart lock.’

I’m gonna differ on this. The point of a lock is to control law-abiding access to your house. If someone wants in your house, they can attack your windows, doors, or even a wall if the lock is too strong. A smart lock lets you open the door for a family member remotely, or set one time-access for your in-laws to come over and pick up a tool.

I wouldn’t use a smart lock for something hardened, like a bunker or a vault, but for a house and garage, it’s okay not to have the most bullet proof lock in the world.

k4j8@lemmy.world on 02 Jul 13:38 collapse

Great list! If you already have the Raspberry Pi devices, great. If you were going to buy some, I would look at thin clients instead. Low-power, cheaper, more powerful, can use real hard drives instead of SD cards or adapters, and x86 instead of ARM. I have an HP T630 I like but I hear good things about the Dell Wyse 5070 too.

Landless2029@lemmy.world on 02 Jul 13:43 collapse

I have:

  • 2x pi4 4gb (bought them previously for octopi and pihole)
  • Pi zero
  • Several old laptops
  • 2x SFF HPs
  • 2x netbooks
  • An old slim workstation

I work as a sysadmin so I’ve picked up a few things that would’ve gone to recycling.

My concern is power draw running 24/7 so I need wattage monitors and going to start with the Pi systems. Until I hit performance issues then migrate to a SFF.

jubilationtcornpone@sh.itjust.works on 01 Jul 23:39 next collapse

I have a rule that “Nothing will be automated that cannot be manually overridden.”

Well, actually it’s my wife’s rule but it’s a good rule nonetheless. As a result, there’s a big panel full of relays in the basement that is the “last mile” for anything climate control or security related.

There have been a few times when it’s been handy. Like when the exhaust fan isn’t working and I don’t want to debug the ESP32 controller today so I just flip it over to “Manual”.

Landless2029@lemmy.world on 02 Jul 02:42 next collapse

That’s a great rule of thumb. So set up two switches. One for manual and one with an ESP32.

JustEnoughDucks@feddit.nl on 02 Jul 18:12 collapse

KNX.

Everything is decentrally programmed, and you can do extra automations and stuff from home assistant, but KNX devices are wired (generally) and will always Just Work™. More expensive than the cheaper retrofit options, but if you factor in manual overrides or getting the “better” wireless smart devices it is comparable. They generally also have a manual override at the panel. For core functions like lights, HVAC, roll shutters or blinds, etc… That is honestly the best option (unless you want every light to be an RGB light for some reason, then you still need smart bulbs)

LuxSpark@lemmy.cafe on 02 Jul 01:48 next collapse

Smart, you don’t want some hacker to drown you remotely.

SocialMediaRefugee@lemmy.world on 02 Jul 03:20 next collapse

Dehydrate you

Cocodapuf@lemmy.world on 02 Jul 11:13 collapse

Really you don’t want hackers using your random Internet appliance as a point of attack to access your whole network.

More IoT devices means a greater attack surface. And it’s an appliance you don’t actually want to spend time thinking about. You don’t want to waste time troubleshooting network issues with your dehumidifier… It just needs to work, or you use a different one.

SocialMediaRefugee@lemmy.world on 02 Jul 03:20 next collapse

It got hacked and now I’m really, really dry.

ragebutt@lemmy.dbzer0.com on 02 Jul 07:26 next collapse

This has been my approach and it has gone okay so far except for 2 issues that are quite a pain:

1: you have to thoroughly research what you buy. Does it work on an isolated vlan? Just because it works with home assistant does not guarantee this. Many home assistant users are comfortable with some degree of data collection and an integration does not mean that it will work local only (nor does it mean that all features will work). If it does work local only you may sacrifice some features. Cameras are a good example. Most cameras with object/person detection do this in hardware, but not all. If you circumvent the Internet connection and proprietary app you may sacrifice this, or more likely alerts

2: there is 0 regulation binding a vendor to the terms of service agreed to at the point of sale, including making significant and sweeping changes. Case in point: I got a chamberlain myQ garage door opener. It worked well and opened my garage door. Integrated with home assistant via the API. However, chamberlain serves a lot of ads for upsells and services via their shitty app. They decided that users circumventing the app and not seeing that you could give amazon drivers access to your garage to deliver packages (seriously) or buy shitty cameras was unacceptable so they updated the TOS and revoked API access for all users. The only way it works now is via their app. I sold mine and built a ratgdo

Another example is Philips hue: while they have been able to be used local only for over a decade Philips has decided they’re going to start a subscription security service with all the devices that entails based around the hue hub. At some point in the near future if your hub updates it will require you to sign in to a Philips account and be online. This one’s way worse as some people have thousands of dollars invested in hue. I have like $300 in the fancier white hue bulbs but some people on the HA forums and reddit literally have their house decked out with like 80-100 bulbs, many of which are the RGB. Kind of silly but they do work very well, flicker free, good color, and last ages. I still have some from like 2016 going strong. Luckily here if you have the bridge on an isolated vlan it won’t update and worst case the bulbs work with zwave zigbee but the principle of the thing is ridiculous. It should be illegal for a company to change the terms this far after the contract of sale

Other examples too. Many car manufacturers (Mazda, Chevrolet, ford) because api access limited data collection for them to sell, some companies are openly hostile to home assistant and when an integration is created they will go out of their way to break it (Ariston, bambu), etc. see github.com/unixorn/internet-of-trash

psud@aussie.zone on 02 Jul 11:13 next collapse

My “smart” bulbs are at the less online end of the spectrum, they host local wifi or bluetooth for configuration via their app, but even that can bite you

I added a wifi range extender to address the problem of stuff at one end of the house regularly losing connection and needed to point one of a particular brand at the new wifi

Its app hadn’t been updated and I needed to dig out my old phone stuck on an old version of Android to set the bulb up again

Landless2029@lemmy.world on 02 Jul 11:31 next collapse

Gahhhh…

Sounds like a total PITA

And yes we need stronger consumer protections.

I follow FUTO so I’m aware of TOS BS.

ragebutt@lemmy.dbzer0.com on 02 Jul 18:42 collapse

I’ve been happy with reolink cameras fwiw though not 100% so. They do have some nonsense though

I also prefer Lutron Caseta for lighting. It’s fairly bulletproof (I’ve literally never had any connectivity issues in like 6+ years) and they haven’t pulled any tos nonsense as far as I know. Downside is pricey and the install is more complex than typical iot stuff. And while they can control outlets they are only rated for 10A lighting so keep that in mind.

The only internet requirement for both of these (not always with reolink I think but at least with the cameras I have) is that you have to allow internet once during initial setup to pair devices. Once that is done you can remove internet access and delete the app

The common thread with these is wired too. The further along I go the more I realize that 2.4ghz WiFi iot shit is garbage. going from WiFi cameras that had privacy concerns and disconnected to local only poe cameras that just work was very nice. Learn from my mistake, don’t buy bullshit eufy cameras that you then have to sell at a loss.

And for your own sanity don’t try to get smart smoke detectors. Your options are either Google/nest that apparently does work well (never tried it, fuck Google), the new kidde that is built into amazons ring platform (never tried it, fuck amazon, plus the preceding model had awful reviews), or the new firstalert that is replacing the Google/nest (again, fuck Google, but I did try the preceding first alert and it was atrociously bad).

I mention this because this brings up a key issue with regulatory compliance in the US (and probably EU, dunno). You can also try a number of off brand detectors as well that apparently work a lot better. If you search amazon for smart detectors you’ll see stuff like x sense and these apparently have somewhat solid reviews and work okay (though getting them to work in HA is mixed).

However, what amazon fails to mention is that these types of detectors have not been submitted for regulatory compliance in the US (unlike Kidde, firstalert, etc that you’d find at a home depot). They “meet UL requirements” but they have not been submitted for testing so they cannot print the UL logo on the box (legally) but they can write “meets UL requirements”, which is misleading. Fuck amazon and fuck the us government for giving them no culpability in selling obscenely dangerous bullshit

This means if you use these and your house burns down your insurance could technically nullify your policy for not having adequate protection. Or they could not work and you could die, of course

There are smart relays you can tie into an interconnected smoke detector circuit using normal smoke detectors that are appropriately rated if you do want alerts on your phone. There are also devices that will listen for chirps but these get false positives

hedgehog@ttrpg.network on 02 Jul 17:41 collapse

I thought Hue bulbs used Zigbee?

ragebutt@lemmy.dbzer0.com on 02 Jul 18:19 collapse

you’re right, my bad

stupidcasey@lemmy.world on 02 Jul 08:07 next collapse

We do have more than one type of water, D₂O, HDO, HTO, T₂O, DTO, which are all different mixtures of Hydrogen, Deuterium and Tritium or in other words the hydrogen has more neutrons, there is also a different ionization for each of those, plus there are different phases of ice which are made from different pressure that is ice I-VII, and it’s not impossible for more types we don’t know about, then there is isotopic water that have different mass and reaction rates and it’s not impossible for other types that we just don’t know about or even to create other types.

Tldr: atoms and molecules are more varied and complex than you’d think.

psud@aussie.zone on 02 Jul 11:04 next collapse

You lost a bit of credibility when you misspelt atoms

stupidcasey@lemmy.world on 02 Jul 16:22 collapse

That’s just because I’m using a pH from Like 2008 and it has progressively stupid autocorrect.

Even when I correct it if I don’t spacial go to the next would and then do back it will change what I said.

As an example I just left this how it wasn’t me too.

Mondez@lemdro.id on 02 Jul 13:00 next collapse

There is more than one type of water, but unless your IoT device is a fusion reactor it’s probably just running off the normal blend.

Couldbealeotard@lemmy.world on 02 Jul 15:14 collapse
JcbAzPx@lemmy.world on 02 Jul 19:07 collapse

Right, but none of them are new. They’ve all been around for billions of years.

kameecoding@lemmy.world on 02 Jul 08:37 next collapse

I just shopped for a humidifier, purposely avoided anything “smart”, I ended up with a really fucking simple one, it has a hydrostat and can aim to automatically reach a level you want (40-50-60), has 4 speed,1,2,3,auto and sleep.

And the whole thing is nothing else just a wicking filter sitting in water that has a fan pointed at it, I think Technology Connections would be proud of my purchase.

I will have to disinfect and change filters, but no need for distilled water like with ultrasonic humidifiers, and I boil my water and let it cool back to room temperature before adding it to the humidifier, hopefully that will help with staving off build up of bacteria

lepinkainen@lemmy.world on 02 Jul 13:11 next collapse

I bought a Venta LW25 and couldn’t be happier. Simple and functional, good old German engineering

LandedGentry@lemmy.zip on 02 Jul 14:22 collapse

Boiling definitely helps and is a hell of a lot cheaper than constantly buying gallons of distilled

Dezorian@discuss.tchncs.de on 03 Jul 05:46 collapse

I bought a distiller for €60 capable of distilling 4 liters of water (about 1 gallon) and generates some heat. The electricity cost is way lower than buying 4 liters of distilled water, don’t need to throw away a 4 liter plastic bottle every time and the distiller heats up my room in the winter (when the air is driest here).

Tiger_Man_@lemmy.blahaj.zone on 02 Jul 09:07 next collapse

Internet of things sucks, but lan of things is pretty cool

WhyJiffie@sh.itjust.works on 02 Jul 12:46 collapse

you must have lots of LoTs

AnUnusualRelic@lemmy.world on 02 Jul 14:49 collapse

Lord of the Trackers!

AnAustralianPhotographer@lemmy.world on 02 Jul 09:30 next collapse

And it probably needs to connect using WEP

WhyJiffie@sh.itjust.works on 02 Jul 12:45 collapse

wpa2, but password limited to 10 characters. letters and numbers only, trying anything else crashes it, and you have to figure this out yourself

possiblylinux127@lemmy.zip on 02 Jul 13:13 next collapse

Nah, it will just broadcast a 2.4Ghz noise for no reason

Bytemeister@lemmy.world on 02 Jul 13:26 collapse

I feel like it’s missing that nifty FCC sticker…

swampdownloader@lemmy.dbzer0.com on 02 Jul 13:32 collapse

And you must enter password through a 2 character wide menu screen with only up and down arrows

hedgehog@ttrpg.network on 02 Jul 17:39 collapse

The up arrow moves through the letters, e.g., A->B->C. The down arrow moves to the next character in the sequence, e.g., C->CA->CAA. If you click past the correct letter, you’ll have to click all the way through again. And if you submit the wrong letter, you have to start all over (after it takes twenty seconds attempting to connect with the wrong password and then alerts you that it didn’t work, of course).

smeenz@lemmy.nz on 02 Jul 21:30 collapse

And when you press down, the current letter’s value briefly increments to the next letter before being replaced by an asterisk. Z causes the router to crash.

teppa@piefed.ca on 02 Jul 14:13 next collapse

I was an idiot and bought a high end TPLink router, I can't even use Vlans without signing up for their back door service.

Landless2029@lemmy.world on 02 Jul 14:47 next collapse

Yeah. Even my old solid netgear got a firmware update that’s begging me to get the app now. Shove that shit up your ass.

At least give me a checkbox to stop bothering me

stupidcasey@lemmy.world on 03 Jul 16:07 collapse

Try OpenWRT

Landless2029@lemmy.world on 03 Jul 19:28 collapse

Yeah that’s on my todo list. I’ve got 3 decent but old routers.

RedEyeFlightControl@lemmy.world on 02 Jul 15:35 next collapse

Shit, are consumer appliances really getting that bad? ew!

teppa@piefed.ca on 02 Jul 15:57 collapse

I'd assume all Chinese devices are being backdoored via CCP incentives. Buy Asus perhaps, assuming Taiwan never gets infiltrated.

unique_hemp@discuss.tchncs.de on 03 Jul 05:33 collapse

Don’t buy ASUS, they have a terrible security record. At this point I would trust only MikroTik and Ubiquiti.

IsoKiero@sopuli.xyz on 03 Jul 18:37 collapse

Ubiquiti

And they too aggressively push their cloud services and at least at some point their management tool gave you ads on their other products.

splendoruranium@infosec.pub on 02 Jul 16:08 next collapse

I was an idiot and bought a high end TPLink router, I can’t even use Vlans without signing up for their back door service.

Hm, at least with their enterprise equipment you can completely disable Omada.

hexagonwin@lemmy.sdf.org on 02 Jul 16:10 collapse

maybe install openwrt/ddwrt?

RedEyeFlightControl@lemmy.world on 02 Jul 15:32 next collapse

My house has manual windows, manual locks, and a dumb garage door controller… because I work in IT.

I do have a few smart appliances (environment reporting) but they are only allowed on the banishment VLAN so they don’t get to interact with any single appliance inside my network. All they see is internet and nothing else.

Nouveau_Burnswick@lemmy.world on 02 Jul 19:23 collapse

The S in IoT stands for security

irotsoma@lemmy.blahaj.zone on 02 Jul 17:29 next collapse

Yeah, companies have abused that to release buggy, incomplete products faster and only make the software stable and feature complete if they make a good profit.

Landless2029@lemmy.world on 02 Jul 17:54 collapse

Or add new bloat features / brick devices after updating TOS…

JcbAzPx@lemmy.world on 02 Jul 18:59 collapse

Remote device bricking is cheaper than researching part wear for planned obsolescence.

boonhet@sopuli.xyz on 02 Jul 19:31 collapse

And both make me go with a different company next time so idk what they think they’re gaining.

JcbAzPx@lemmy.world on 03 Jul 17:34 collapse

They gained a cost reduction for a single quarter of a single year. No further thought was put into it.

DrunkAnRoot@sh.itjust.works on 02 Jul 17:59 next collapse

i love it when my vacuum makes a remote connection to another country’s government, that way i get tracked by mine and theirs. what a time we live in

Kiernian@lemmy.world on 02 Jul 20:51 next collapse

New kinds of water, you say? The marketing department is already on it and boy have I got news for you!

<img alt="" src="https://lemmy.world/pictrs/image/4183462d-0ffb-46cb-8370-25ebd82c3ac7.jpeg">

Landless2029@lemmy.world on 02 Jul 20:53 collapse

Wait… Is that heavy water?? /s

ILikeBoobies@lemmy.ca on 02 Jul 21:10 collapse

How about I hook you up with a brand new water softener on a 30 year lease but no payments in the first 5 years so it’ll be the next owner’s problem

Landless2029@lemmy.world on 02 Jul 21:21 collapse

Omfg it’s like solar panel companies…

So many damn houses with solar leases more expensive than just electricity

tjoa@feddit.org on 03 Jul 04:26 next collapse

FYI I learned About VLANs that it is in no way „locked down“. I can spoof the MAC address of a known device from a specific VLAN and I’m in that VLAN. Yes your devices can’t reach the internet/other devices by default but it won’t stop a bad actor.

interdimensionalmeme@lemmy.ml on 03 Jul 05:43 next collapse

Yes, VLAN is an IT convenience feature, you don’t need it just because it is a feature of the more expensive hardware.

Instead just establish separate L2s and operate proper L3 firewalls between them. For IoT devices, any kind of reliable potato will do just fine.

Landless2029@lemmy.world on 03 Jul 11:04 next collapse

I’m aware you need a firewall (I used sonicwall professionally) vlans are for segmentation

flux@lemmy.ml on 03 Jul 14:38 next collapse

Depends on your hw. That seems rather poor implementation… I believe my TP switch might handle that, because it rejects traffic to its management interface from mac X from vlan 20 because it sees the same mac in vlan 10… (only vlan 20 is allowed for management)

tjoa@feddit.org on 04 Jul 04:26 collapse

That’s a very cool feature actually but how does it stop a hacker if he has obtained a trusted MAC address from another device and connect to vlan 20 directly while the real device is offline?

sugar_in_your_tea@sh.itjust.works on 03 Jul 14:58 next collapse

Isn’t that what 802.1x is for? If you really want to lock down your network, there are options.

teslasaur@lemmy.world on 03 Jul 15:24 next collapse

Well. The segmentation is to avoid security holes from rogue third party devices. If you can access my pc vlan that only exists on my wired pc connection, then you have indeed broken into my domain. Letting the things that don’t give a shit about security have their own network is just sanity/sanitary.

GreenKnight23@lemmy.world on 03 Jul 15:35 collapse

and this is why I have a completely separate physical network for my IOT stuff.
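
The two checks discussed in this sub-thread (the same MAC seen in two VLANs at once, and a trusted MAC reappearing while its owner is offline), as an added example that is not part of any post above: it compares snapshots of a switch's forwarding table. The table text is constructed and laid out like `bridge fdb show` on a Linux bridge; the ports, VLAN numbers and addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed samples; the line layout is modelled on `bridge fdb show` output.
# Assumed layout: VLAN 20 = management, VLAN 10 = IoT. Ports/addresses are made up.
BASELINE = """\
02:00:00:00:00:0a dev swp1 vlan 20 master br0
02:00:00:00:00:0b dev swp2 vlan 10 master br0
02:00:00:00:00:0c dev swp3 vlan 10 master br0
02:00:00:00:00:ff dev br0 vlan 20 master br0 permanent
01:00:5e:00:00:01 dev swp1 self permanent
"""
# The device on swp3 presents the admin laptop's address while the laptop is online.
CLONE_WHILE_ONLINE = """\
02:00:00:00:00:0a dev swp1 vlan 20 master br0
02:00:00:00:00:0a dev swp3 vlan 10 master br0
02:00:00:00:00:0b dev swp2 vlan 10 master br0
"""
# The laptop is off; its address shows up on a port it has never used.
CLONE_WHILE_OFFLINE = """\
02:00:00:00:00:0a dev swp4 vlan 20 master br0
02:00:00:00:00:0b dev swp2 vlan 10 master br0
02:00:00:00:00:0c dev swp3 vlan 10 master br0
"""

FDB_LINE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5}) dev (\S+) vlan (\d+)\b")


def parse_fdb(text):
    """Return {(mac, port, vlan)} for learned entries; permanent ones are skipped."""
    entries = set()
    for raw in text.splitlines():
        line = raw.strip().lower()
        match = FDB_LINE.match(line)
        if match is None or "permanent" in line.split():
            continue
        entries.add((match.group(1), match.group(2), int(match.group(3))))
    return entries


def macs_in_multiple_vlans(entries):
    """The duplicate check: one address learned in more than one VLAN at once."""
    vlans = defaultdict(set)
    for mac, _port, vlan in entries:
        vlans[mac].add(vlan)
    return {mac: sorted(seen) for mac, seen in vlans.items() if len(seen) > 1}


def new_locations(baseline, current):
    """Known addresses that now appear on a (port, vlan) absent from the baseline.

    This still fires when the real device is offline and no duplicate exists.
    A re-plugged device triggers it too, so treat a hit as something to review.
    """
    known = defaultdict(set)
    for mac, port, vlan in baseline:
        known[mac].add((port, vlan))
    moved = defaultdict(set)
    for mac, port, vlan in current:
        if mac in known and (port, vlan) not in known[mac]:
            moved[mac].add((port, vlan))
    return {mac: sorted(locs) for mac, locs in moved.items()}


if __name__ == "__main__":
    base = parse_fdb(BASELINE)
    for name, text in (("online", CLONE_WHILE_ONLINE), ("offline", CLONE_WHILE_OFFLINE)):
        snap = parse_fdb(text)
        print(name, "multi-VLAN:", macs_in_multiple_vlans(snap))
        print(name, "new location:", new_locations(base, snap))
```

Both checks only detect after the fact; per-port authentication such as the 802.1x mentioned above is what keeps an unknown device off the port in the first place.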

KingThrillgore@lemmy.ml on 03 Jul 15:09 collapse

We have water, heavy water, hydrogen infused water, nitrogen infused water, ice-9, h2o2…what will they think of next?!