I know this probably comes up a lot and I’ve done some reading but it’s a little overwhelming so I thought I’d just post to help me get my thoughts together. I want to set up HA primarily to start using it with Frigate and give me remote access to my cameras but I might as well double down and get everything on this. I like the idea of clever houses and I’m glad there’s a good option for doing it locally with decent FOSS solution.
So in my network I have a sort of DMZ network. This network has all those dodgy IoT devices on it and it’s basically an untrusted network with internet access. I then have my normal network with everything else on it, like my laptop, phones, home server, etc. I’m planning on installing HA in a Podman container (Docker) on my server but I’d like to have some remote access so I can check out my cameras, 3D printer, and maybe a few other things, I’d also like to be able to receive notifications. However I still want to be able to run it normally without too many complications so I’d like it internal to my trusted network.
I’m thinking about the possibility of running two containers, one on my trusted network and one on my DMZ. I could sync them up or give them access to the same storage areas maybe. Is this possible? ChatGPT suggested it so I’m not sure if it’s worth pursuing. If not what are my other options? I basically want all the positives of having it on the internet with none of the negatives, how hard can that be?
A DMZ is a decent idea, but you can do the same thing with vLAN and it would be less of a PITA.
I recommend just doing a vLAN and disable outside connection to your network. Use Wireguard to VPN in, and access local services via the VPN.
For notifications, you can use Gotify.
I’m thinking about the possibility of running two containers, one on my trusted network and one on my DMZ. I could sync them up or give them access to the same storage areas maybe.
It is, but it could/would cause huge complications when both containers attempt to access the same resource which is already in use. I wouldn’t recommend running 2 containers from in the same location. It’s a bit antithetical to what docker is used for.
You are over complicating it. I suggest starting out with some sort of VPN. Wireguard is super simple to setup with a wg-easy container
Plus one for the wg-easy container. It’s dead simple!
I pay what I consider a pretty affordable price for this ($65/yr), and support HA dev community. It also allows auto-syncing devices to my Google Assistants. No affiliation but an easy way to get something more and give a little back.
If vanilla Wireguard is too complicated to set up for you: try tailscale.
If you don’t trust the central tailscale server: rent a vps and set up headscale on that.
Just run HA on the network you prefer and add firewall rules to cross to the other network as needed. Don’t need to overcomplicate things!
Why not use cloudflare with client certs?
I am not sure how two synced HA instances (if that’s even possible) would help. You would need to allow your IoT devices to be accessible by the Home Assistant instance you want to use with your personal devices. If that seems like a risk to you, then why not run HA in the DMZ alltogether?
You can configure HA to use an external database, so you could (presumably) config two instances to use the same DB. Not sure how much conflict that would cause for entities that are only attached to one of those instances, but it seems like both should have the same access to state data and history. Could probably even set one instance up with read-only DB access to limit data conflicts, although I imagine HA will complain about that.
Even with an external database, HA still uses its internal DB for some things, so I don’t think you’d ever get identically mirrored instances.
Theres a subscription for this that works kinda like that.
Otherwise a vpn into your hone network gives you access from your devices. Maybe your router already supports this, otherwise tailscale or zerotier and similar can be a good solution.
I dont have issues exposing my ha to the internet through caddy, but i filter traffic based on country of origin (geoip2). Used to have separate auth in front but i removed that a few months ago
Edit: not too much use of running two containers if you expose the same storage to both. Better option would be to have two reverse proxies, one for local and one for internet, both proxyinf the same ha instance. That way you can get ha on normal https port with certs.
Imo you are pretty safe with a reverse proxy with an extra layer of security.
Not sure about linking 2 HAs together, that could get complicated real quick.
If you have your DMZ setup, put HA in that and only allow web access from your main network. Also with camera, there is a feature to allow direct access if you and the camera are on the same network.
