Home Assistant: Docker startup + SSL Internet access

 

Besides installing it on its own hardware, the second recommended installation option for Home Assistant is to use Docker, see also: HAOS vs. Home Assistant Docker Installation. To run Home Assistant in Docker, a Docker setup is of course required, see: Docker. Those who already have Docker setup can start Home-Assistant with the following command:

Docker Basics

Docker allows applications to be launched by command in a so-called container.
A container is an isolated environment independent of the operating system (OS):
When a container is first launched, Docker independently loads all the necessary sources
from the internet.
Docker can be installed on Windows, macOS or an Linux Distribution

docker run -d --name="home-assistant" \
-v ha:/config \
-v /etc/localtime:/etc/localtime:ro \
--net=host \
--restart=always \
homeassistant/home-assistant:stable

The network for Home-Assistant must be set to "--net=host" according to the vendor, but the ports used can also be defined: as an example when using a reverse proxy for access from the Internet, see: Access from the Internet - SSL Let's Encrypt.

First start: Initial configuration

After starting the container, Home-Assistant is accessible by default with the IP address of the host and port 8123 in the browser:

 

Those running Docker on the same machine can also use http://localhost:8123 for the call, see calling localhost: IP address "127.0.0.1", "::1" | what is localhost?

Access from the Internet: SSL Let's Encrypt

Thanks to Let's Encrypt, Home Assistant can easily be provided with an SSL certificate and thus be operated securely on the Internet. As a prerequisite I have the following setup in use: Traefik in Docker | multiple web servers incl. certificate SSL.

For the operation with the reverse proxy I made the following settings in the configuration:

configuration.yaml:

http:
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1    
    - 172.18.0.0/16

I use the network "webproxy" for the web containers that are accessible from the Internet via the Let's Encrypt reverse proxy. Accordingly, I created the following docker-compose file for Home Assistant:

docker-compose.yml

[+]
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
      #- "8123:8123" 
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    name: webproxy
    external: true

For direct access via IP address or localhost - even without reverse proxy, DNS or public IP - the commented out port setting can be enabled for testing purposes byremoving "#" in front of "ports:" and "-"83:80"" .If the reverse proxy is not used, the network webproxy is not needed and the networks: .. section can be removed. For the Internet access via the Traefik reverse proxy, the domain must be replaced in the labels with the previously created DNS entries (in the example: ha.domain.tld) .To make it easier to transfer or back up the relevant container data, the example uses bind mounts and not Docker Volumes for permanent data storage. See: Docker data storage: Docker Volumes vs. Host Folders and Practice: Backup Docker Container Data: Volumes / Bind Mounts.

Bash access

For a direct access to the bash command line of the container, the following command can be used:

docker exec -it home-assistant /bin/bash

See also: /docker

The call can be used for example to assemble and test "command_line" sensors.

ZigBee with ZHA

To use a ZigBee USB dongle, such as the ConBee II, when using ZHA it is sufficient to mount the stick via "devices".

[+]
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
    devices: 
      - /dev/ttyACM0
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
      #- "8123:8123" 
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    name: webproxy
    external: true

Alternative: deCONZ and Home-Assistant in a docker-compose.yml-file

To allow the Conbee 2 stick to be accessed via deCONZ, I modified the docker-compose file as follows:

[+]
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
    #  - "8123:8123"
  deconz:
    image: marthoc/deconz
    container_name: deconz
    environment:
      DECONZ_DEVICE: '/dev/ttyACM0'
      DECONZ_VNC_MODE: '1'
      DECONZ_VNC_PORT: '5900'
      DECONZ_VNC_PASSWORD: 'password'
    restart: always
    volumes:
      - ./deconz:/root/.local/share/dresden-elektronik/deCONZ
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    devices: 
      - /dev/ttyACM0
    ports:
       - 83:80
       - 5983:5900

#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    name: webproxy
    external: true

After about a year with deCONZ I switched to Zigbee2MQTT, another year later to ZHA. Zigbee2MQTT offers a solid alternative to ZHA:

Alternative: Zigbee2MQTT, MQTT and Home-Assistant in one docker-compose.yml - file.

My complete setup, consisting of Home Assistant, MQTT and Zigbee2MQTT, a running Let's Encrypt reverse proxy running, looked like this in the meantime:

[+]
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
    #  - "8123:8123"
  mosquitto:
    image: eclipse-mosquitto
    container_name: mqtt
    restart: always
    volumes:
      - ./mosquitto/config:/mosquitto/config
      - ./mosquitto/data:/mosquitto/data
      - ./mosquitto/log:/mosquitto/log
    ports:
      - "1883:1883"
      - "9001:9001"      
  zigbee2mqtt:
      container_name: zigbee2mqtt
      restart: always
      image: koenkk/zigbee2mqtt
      volumes:
        - ./zigbee2mqtt-data:/app/data
        - /run/udev:/run/udev:ro
      ports:
        - 83:8080
      environment:
        - TZ=Europe/Vienna
      devices:
        - /dev/ttyACM0
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    name: webproxy
    external: true

other Docker services: InfluxDB and Grafana

In order to store long-term values for my heating and to be able to visualize them better, I also use InfluxDB to store the data and Grafana to analyze it. The connection of the InfluxDB here is done via the Home-Assistant config file configuration.yml

...
influxdb:
  include:
    entities:
       - sensor.1...
       - sensor.2...
  host: influxdb
  port: 8086
  database: ha
  username: ha
  password: ???
  max_retries: 3

Version 1 uses a username and password for the connection, version 2: token, organization and bucket.

Since I don't want to evaluate all data in Grafana, I used "include" to store only certain sensors. The complete Docker setup for Home-Assistant, InfluxDB and Grafana currently looks like this for me:

[+]
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./ha:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
     devices:
        - /dev/ttyACM0
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
    #  - "8123:8123"
  influxdb:
      container_name: influxdb
      restart: always
      image: influxdb
      volumes:
        - ./influxdb:/var/lib/influxdb
        - ./influxdb2:/var/lib/influxdb2
      ports:
        - 8086:8086
  grafana:
      container_name: grafana
      restart: always
      image: grafana/grafana
      volumes:
        - ./grafana:/var/lib/grafana
      ports:
        - 3000:3000
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    name: webproxy
    external: true

see also: InfluxDB: Time series database - Docker and Grafana: Docker - visualize data and define alarms

 

Conclusion

Operating Home Assistant as a Docker container is initially more complex and means doing without the HA Add-on Store. However, one of the main advantages of this installation variant is its flexibility and uniformity. Using a reverse proxy container, for example, provides secure access from the internet to any web services on the home network within and outside the Docker environment.

 

positive Bewertung({{pro_count}})
Rate Post:
{{percentage}} % positive
negative Bewertung({{con_count}})

THANK YOU for your review!

Updated: 2024-02-08 von Bernhard | Übersetzung Deutsch |🔔 | Comments:0

MQTT - Broker in Docker | Container | Visitor statistics: Matomo, Google Analytic replacement self-hosting
Home Server | Cheap and economical Docker Mini Server for home use
Hardware-Installation | HAOS Installation: Publish RPi securely over the Internet

Top articles in this section


[DIY] Build your own low power NAS: cheap and energy-efficient

If you are looking for a NAS (Network Attached Storage) for home use, you cannot avoid the manufacturers Synology and QNAP. Both manufacturers deliver small NAS complete solutions with the option to synchronize data locally or via the Internet, and both do not exactly charge little money for the hardware used.


Send signal messages via script / API: signal-cli-rest-api

The well-known Signal Messenger can besides the app also be used via command line or from other systems. The signal-cli-rest-api, which is available in the form of a Docker container, offers a simple option for this. For the API to work, it has to be coupled via the Signal app beforehand.


Nextcloud Server Docker | Setup + https: Let's Encrypt [ssl]

To synchronize contacts, appointments, and photos of my NAS, I tested Nextcloud and thus turned my back on other cloud providers for my private data. Thanks to Docker, the installation is easier and more flexible than ever, allowing Nextcloud to run on almost any hardware.

Questions / Comments


By continuing to browse the site, you agree to our use of cookies. More Details