Running Home Assistant on Fedora IoT

Dan Čermák

2022

CC BY 4.0

who -u

Dan Čermák

Software Developer @SUSE
i3 SIG, Package maintainer
Developer Tools, Testing and Documentation, Home Automation
https://dancermak.name
dcermak / D4N
@DefolosDC
@Defolos@mastodon.social

What is Home Assistant

  • FLOSS home automation
  • integration with nearly every smart home device
  • intuitive & simple UI
  • powerful templating, blueprint & scene system
  • companion mobile App

Sales Pitch

Why should I use Home Assistant?

  • cloud free/self-hosted home automation
  • runs on your machine(s)
  • automate everything to your heart's desire
  • support for energy tracking

Where to run Home Assistant?

  • for testing: (spare) PC
  • for production: low power-usage machine

Do I need a Pi 4 for HA?

No

Fedora IoT

  • rpm-ostree based system
  • provisioned via ignition & Zezere
  • ready for deploying containerized applications

Required Hardware

  1. PC (with Fedora)
  2. SD-Card & SD-Card reader
  3. Raspberry Pi 3/4

Getting started

  • grab the image & -CHECKSUM from getfedora.org
  • dnf install gnupg2 arm-image-installer
  • verify the image:
curl -O https://getfedora.org/static/fedora.gpg
gpgv --keyring ./fedora.gpg *-CHECKSUM
sha256sum -c *-CHECKSUM
  • find the SD-Card /dev/ entry via udisksctl, lsblk or fdisk -l
  • flash the image:
$ arm-image-installer --image=Fedora-IoT-[version].raw.xz \
      --target=rpi4 --media=/dev/XXX \
      --addkey=/path/to/pubkey \
      --resizefs
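
The verify step above runs gpgv and sha256sum as two independent commands, and sha256sum -c parses every line of the CHECKSUM file, including any text that sits outside the signed block. The following is an added example, not part of the original slides: it chains the two checks so the hash is compared only against the text gpgv confirmed as signed, and it fails before flashing otherwise. The function names and script name are hypothetical, and it assumes CHECKSUM lines of the form "SHA256 (name) = hex".

```shell
#!/bin/sh
# Added example (not from the slides). Function names are hypothetical.

# Print the hash that the signed text lists for one image file name.
# Assumes CHECKSUM lines of the form: SHA256 (<name>) = <hex>
expected_sha256() {  # $1 = signed checksum text, $2 = image file name
    awk -v name="$2" \
        '$1 == "SHA256" && $2 == ("(" name ")") && $3 == "=" { print $4; exit }' "$1"
}

# Succeed only if the image is listed in the signed text and its hash matches.
image_matches() {  # $1 = signed checksum text, $2 = path to image
    want=$(expected_sha256 "$1" "$(basename -- "$2")")
    if [ -z "$want" ]; then
        echo "not listed in signed CHECKSUM: $2" >&2
        return 1
    fi
    have=$(sha256sum -- "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ]
}

# Verify the signature, keep only the text gpgv confirmed as signed,
# then compare the image against that text.
verify_image() {  # $1 = keyring, $2 = *-CHECKSUM file, $3 = image
    signed=$(mktemp) || return 1
    gpgv --keyring "$1" --output "$signed" "$2" && image_matches "$signed" "$3"
    rc=$?
    rm -f "$signed"
    return "$rc"
}

# Usage: sh verify-image.sh ./fedora.gpg <file>-CHECKSUM <image>.raw.xz
if [ "$#" -eq 3 ]; then
    verify_image "$@" || { echo "verification FAILED, do not flash" >&2; exit 1; }
    echo "verified: $3"
fi
```

Run arm-image-installer only after the script exits with status 0.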

Deploy with Zezere

  1. go to provision.fedoraproject.org
  2. claim unowned device → claim → submit provisioning request
  3. copy ssh keys

Run Home Assistant

$ mkdir /path/to/conf/dir
$ podman run -d -v /path/to/conf/dir:/config:Z \
      -v /etc/localtime:/etc/localtime:ro \
      --privileged --network=host \
      --name=homeassistant \
      ghcr.io/home-assistant/home-assistant:stable

Visit http://rpi_ip:8123 and follow onboarding

THE END

Tweaking the setup

  1. run via systemd
  2. setup https
  3. ZigBee

Run via systemd

$ podman generate systemd --new homeassistant > \
    /etc/systemd/system/homeassistant.service
$ podman stop homeassistant
$ systemctl daemon-reload
$ systemctl enable --now homeassistant

Container auto-updates

  • Add the flag:
--label "io.containers.autoupdate=registry"
  • Manual update via:
podman auto-update
  • Scheduled update:
systemctl enable --now podman-auto-update.timer

HTTPS

$ podman secret create fullchain_pem /path/to/fullchain.pem
$ podman secret create privkey_pem /path/to/privkey.pem
  • pass them to the container:
--secret fullchain_pem --secret privkey_pem
  • add to configuration.yaml:
http:
  ssl_certificate: /run/secrets/fullchain_pem
  ssl_key: /run/secrets/privkey_pem
  server_port: 443

ZigBee

VPN

Wireguard

  • rpm-ostree install wireguard-tools
cd /etc/wireguard
umask 077
wg genkey | tee privatekey | wg pubkey > publickey

server config

/etc/wireguard/wg0.conf:

[Interface]
Address = 10.200.200.1/24
ListenPort = 51820
PrivateKey = # insert private key here
# optional
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

[Peer]
PublicKey = # insert pubkey of peer
AllowedIPs = 10.200.200.N/32

host config

/etc/wireguard/wg0.conf:

[Interface]
PrivateKey = # insert private key here
Address = 10.200.200.N/24
PostUp = iptables -A FORWARD -i wg0 -j ACCEPT; iptables -t nat -A POSTROUTING -o wlp59s0 -j MASQUERADE
PostDown = iptables -D FORWARD -i wg0 -j ACCEPT; iptables -t nat -D POSTROUTING -o wlp59s0 -j MASQUERADE
ListenPort = 51820

[Peer]
PublicKey = # pubkey of server
Endpoint = # IP of the server
AllowedIPs = 10.200.200.0/24
PersistentKeepalive = 25

launch wireguard

systemctl enable --now wg-quick@wg0
