I am rebuilding my system and I have a few questions related to network set up. I have installed a new Unifi system, set up IoT VLAN and opened port for HA. That part I THINK is right. My questions lie with setting up DuckDNS and Let’s Encrypt. I plan on doing more self hosting stuff in the future. Can/Should I be doing things like Dynamic DNS and certificates via an entity outside of HA such as my router or some other container in the “system” or is it better to handle HA’s requirements inside of HA itself?
Additionally, in my current config I can only reach the HA brain via the DuckDNS URL. What sort of set up is required to have the unit accessible when the internet is down? Seems with the mobile app it is the URL or nothing. What do I need to be doing for internal access when on local LAN?
I am running it on the HA Blue hardware and I plan to rebuild from scratch if that matters. I am sketchy on the network set up and making sure things are all secure. Bit paranoid lol. So if you have any good set up guides on this portion it would be appreciated. Thanks.
it make sense to handle Certificate renewal where your reverse proxy is just because they are easier to install this way. Having a single homeassistant let it handle it. The day you’ll start hosting more staff and put all of it behind a single reverse proxy (caddy or nginx are the most popular options) you can move certificate handling on the machine with reverse proxy.
to make your homeassistant reachable even when internet is down you just need a local DNS that resolves yourdomain.duckdns.org to your local IP. This is usually easier configured on the router but many stock firmwares don’t allow it. Another option is to install a DNS (pihole is the most famous, I personally use blocky) somewhere and configure your router to advertise this DNS instead of its own.
I have been using pihole for a while, but switched to the adguard ha plugin. Works like a charm, also with local DNS for my services.
so now HA needs an proxy server and a DNS server? There has to be a simpler method that adding additional devices on to the network. More devices, more complex and more points of failure.
HA doesn’t need either of these, but if you want an SSL certificate (to run over HTTPS instead of plain HTTP) it is bound to a domain name, which must be public unless you want to enter in the zone of adding our custom certification authority to each of your devices. This name is resolved by a public DNS. You asked how to use it when internet is down, in this case a public DNS is not reachable so you need your own on the local network.
The reverse proxy is useful when you have a bunch of web services and you want to protect all of them with HTTPS. Instead of delivering the certificate to each of them, you add the HTTPS layer at your reverse proxy and it queries the servers behind in plain HTTP. The reverse proxy has also the benefit of making handling subdomains easier. So instead of distinguishing the different services because they have a different port number you can have a few https://ha.my.domain/ and https://feedreader.my.domain/
If you just have homeassistant and not care of HTTPS the easiest option is to use the local resolution: modern OSes advertise the name of the device on the network and it can be resolved on the
.localdomain. But, if you configured HTTPS to use https://name.duckdns.org/ you’ll se an error when you try to use https://name.local/ because your browser sees a mismatch between the name in the certificate and the name that you are trying to connect to. You can always ignore this error and move on, but it mostly defeats the point of HTTPS.@KingOogaBooga for the DNS part:
I have indeed a #pihole running in my local network where I host a nextcloud instance with a fix IP address.
If I am connected to my local network with a client or want access via a browser, pihole returns this IP address to my device.
If my device is connected to the internet one of the DNS server handling dynamic IPs will return the official current IP address of e.g. a Home assistant server.
It is mostly a point of easier and faster. Why should my device connected to my local Wlan go out to the internet just to use my server in the local Wlan?
You don’t really need a reverse proxy if you have just one application running on one server. But the more applications you are hosting the easier is it for handling SSL certificates for all of them
@lorentz