- I actually stay on top of all patches, including HomeAssistant itself
- I run it behind a WAF and IPS. lots of VLANs around. even if you breach a service, you'll probably trip something up in the horrific maze I created
- I use 2-factor authentication, even for the limited accounts
- Those limited accounts? I use undocumented HomeAssistant APIs to lock them down to specific entities
- I have lots of other little things in place as a first line of defense (certain requests and/or responses, if repeated a few times, will get you IP banned from my server)
I would not recommend any sane person expose HomeAssistant to the internet, but I think I locked it down well enough not to worry about a VPN.
"successful" is a very optimistic way of looking at it. it has several downsides but largely works for my needs:
- read access is mostly available for sensors, even if access wasn't granted.
- some integrations (especially custom integrations) don't care about authorization. my fork mentioned in the blog does, because I explicitly added logic to authorize requests. the HomeAssistant authorization documentation is outdated and no longer works. I looked through the codebase to find extensions that implement it for an example. maybe I should submit a PR that fixes the doc...
- each entity needs to be explicitly allowed. this results in a massive JSON file.
- it needs a custom group added to the .storage/auth file. this is very much not officially supported. however, it has survived every update I have received so far (and I always update HomeAssistant)
I will share what I did in detail when I get some time on my hands
- I actually stay on top of all patches, including HomeAssistant itself
- I run it behind a WAF and IPS. lots of VLANs around. even if you breach a service, you'll probably trip something up in the horrific maze I created
- I use 2-factor authentication, even for the limited accounts
- Those limited accounts? I use undocumented HomeAssistant APIs to lock them down to specific entities
- I have lots of other little things in place as a first line of defense (certain requests and/or responses, if repeated a few times, will get you IP banned from my server)
I would not recommend any sane person expose HomeAssistant to the internet, but I think I locked it down well enough not to worry about a VPN.