Home Assistant: Docker startup + SSL Internet access

Home Assistant Home Assistant integrations

Besides installing it on its own hardware, the second recommended installation option for Home Assistant is to use Docker, see also: HAOS vs. Home Assistant Docker Installation. To run Home Assistant in Docker, a Docker setup is of course required, see: Docker. Those who already have Docker setup can start Home-Assistant with the following command:

Docker Basics

Docker allows applications to be launched by command in a so-called container.
A container is an isolated environment independent of the operating system (OS):
When a container is first launched, Docker independently loads all the necessary sources
from the internet.
Docker can be installed on Windows, macOS or an Linux Distribution

docker run -d --name="home-assistant" \
-v ha:/config \
-v /etc/localtime:/etc/localtime:ro \
--net=host \
--restart=always \
homeassistant/home-assistant:stable

The network for Home-Assistant must be set to "--net=host" according to the vendor, but the ports used can also be defined: as an example when using a reverse proxy for access from the Internet, see: Access from the Internet - SSL Let's Encrypt.

First start: Initial configuration

After starting the container, Home-Assistant is accessible by default with the IP address of the host and port 8123 in the browser:

 

Those running Docker on the same machine can also use http://localhost:8123 for the call, see calling localhost: IP address "127.0.0.1", "::1" | what is localhost?

Access from the Internet: SSL Let's Encrypt

Thanks to Let's Encrypt, Home Assistant can easily be provided with an SSL certificate and thus be operated securely on the Internet. As a prerequisite I have the following setup in use: Traefik in Docker | multiple web servers incl. certificate SSL.

For the operation with the reverse proxy I made the following settings in the configuration:

configuration.yaml:

http:
  server_port: 8123
  use_x_forwarded_for: true
  trusted_proxies:
    - 127.0.0.1
    - ::1    
    - 172.18.0.0/16

I use the network "webproxy" for the web containers that are accessible from the Internet via the Let's Encrypt reverse proxy. Accordingly, I created the following docker-compose file for Home Assistant:

docker-compose.yml

[+]
version: "3"
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
      #- "8123:8123" 
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    external:
      name: webproxy

For direct access via IP address or localhost - even without reverse proxy, DNS or public IP - the commented out port setting can be enabled for testing purposes byremoving "#" in front of "ports:" and "-"83:80"" .If the reverse proxy is not used, the network webproxy is not needed and the networks: .. section can be removed. For the Internet access via the Traefik reverse proxy, the domain must be replaced in the labels with the previously created DNS entries (in the example: ha.domain.tld) .To make it easier to transfer or back up the relevant container data, the example uses bind mounts and not Docker Volumes for permanent data storage. See: Docker data storage: Docker Volumes vs. Host Folders and Practice: Backup Docker Container Data: Volumes / Bind Mounts.

ZigBee with ZHA

To use a ZigBee USB dongle, such as the ConBee II, when using ZHA it is sufficient to mount the stick via "devices".

[+]
version: "3"
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
    devices: 
      - /dev/ttyACM0
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
      #- "8123:8123" 
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    external:
      name: webproxy

Alternative: deCONZ and Home-Assistant in a docker-compose.yml-file

To allow the Conbee 2 stick to be accessed via deCONZ, I modified the docker-compose file as follows:

[+]
version: "3"
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
    #  - "8123:8123"
  deconz:
    image: marthoc/deconz
    container_name: deconz
    environment:
      DECONZ_DEVICE: '/dev/ttyACM0'
      DECONZ_VNC_MODE: '1'
      DECONZ_VNC_PORT: '5900'
      DECONZ_VNC_PASSWORD: 'password'
    restart: always
    volumes:
      - ./deconz:/root/.local/share/dresden-elektronik/deCONZ
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    devices: 
      - /dev/ttyACM0
    ports:
       - 83:80
       - 5983:5900

#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    external:
      name: webproxy

After about a year with deCONZ I switched to Zigbee2MQTT, another year later to ZHA. Zigbee2MQTT offers a solid alternative to ZHA:

Alternative: Zigbee2MQTT, MQTT and Home-Assistant in one docker-compose.yml - file.

My complete setup, consisting of Home Assistant, MQTT and Zigbee2MQTT, a running Let's Encrypt reverse proxy currently looks like this:

[+]
version: "3"
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./haconfig:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
    #  - "8123:8123"
  mosquitto:
    image: eclipse-mosquitto
    container_name: mqtt
    restart: always
    volumes:
      - ./mosquitto/config:/mosquitto/config
      - ./mosquitto/data:/mosquitto/data
      - ./mosquitto/log:/mosquitto/log
    ports:
      - "1883:1883"
      - "9001:9001"      
  zigbee2mqtt:
      container_name: zigbee2mqtt
      restart: always
      image: koenkk/zigbee2mqtt
      volumes:
        - ./zigbee2mqtt-data:/app/data
        - /run/udev:/run/udev:ro
      ports:
        - 83:8080
      environment:
        - TZ=Europe/Vienna
      devices:
        - /dev/ttyACM0
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    external:
      name: webproxy

other Docker services: InfluxDB and Grafana

In order to store long-term values for my heating and to be able to visualize them better, I also use InfluxDB to store the data and Grafana to analyze it. The connection of the InfluxDB here is done via the Home-Assistant config file configuration.yml

...
influxdb:
  include:
    entities:
       - sensor.1...
       - sensor.2...
  host: influxdb
  port: 8086
  database: ha
  username: ha
  password: ???
  max_retries: 3

Version 1 uses a username and password for the connection, version 2: token, organization and bucket.

Since I don't want to evaluate all data in Grafana, I used "include" to store only certain sensors. The complete Docker setup for Home-Assistant, InfluxDB and Grafana currently looks like this for me:

[+]
version: "3"
services:
  hass:
    image: homeassistant/home-assistant:stable
    container_name: home-assistant 
    #Labels for ReverseProxy, see: https://www.libe.net/en-traefik
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.ha.rule=Host(`ha.domain.tld`)"      
      - "traefik.http.routers.ha.entrypoints=web"
      - "traefik.http.routers.ha.entrypoints=websecure"
      - "traefik.http.routers.ha.tls.certresolver=myresolver"      
      - "traefik.http.services.ha.loadbalancer.server.port=8123"
    restart: always
    volumes:
      - ./ha:/config
      - /etc/timezone:/etc/timezone:ro
      - /etc/localtime:/etc/localtime:ro
     devices:
        - /dev/ttyACM0
    expose:
       - "8123"
   #For direct test access, remove "#" in the following 2 lines. Call: http://localhost:8123 or http://ServerIP:8123
    #ports:
    #  - "8123:8123"
  influxdb:
      container_name: influxdb
      restart: always
      image: influxdb
      volumes:
        - ./influxdb:/var/lib/influxdb
        - ./influxdb2:/var/lib/influxdb2
      ports:
        - 8086:8086
  grafana:
      container_name: grafana
      restart: always
      image: grafana/grafana
      volumes:
        - ./grafana:/var/lib/grafana
      ports:
        - 3000:3000
#Without using a reverse proxy (https://www.libe.net/en-traefik) the webproxy network is likely to be missing
#and the following lines can be removed or commented out. Alternatively, the network can be created with "docker network create webproxy".
networks:
  default:
    external:
      name: webproxy

see also: InfluxDB: Time series database - Docker and Grafana: Docker - visualize data and define alarms

positive Bewertung({{pro_count}})
Rate Post:
{{percentage}} % positive
negative Bewertung({{con_count}})

THANK YOU for your review!

Publication: 2023-03-07 from Bernhard | Übersetzung Deutsch |🔔


Top articles in this section


Nextcloud Server Docker | Setup + https: Let's Encrypt [ssl]

To synchronize contacts, appointments, and photos of my NAS, I tested Nextcloud and thus turned my back on other cloud providers for my private data. Thanks to Docker, the installation is easier and more flexible than ever, allowing Nextcloud to run on almost any hardware.Nextcloud Hub 4 (Version 26) releasedNextcloud Hub 4 includes numerous innovations: Improved performance, numerous new features, improved help and share options, and app improvements.


Running Bitwarden in Docker - Setup step by step

Bitwarden is a web-based password manager, similar to LastPass, but open source and the ability to run (host) it yourself. How Bitwarden compares to other password managers, I have considered on the following page: Password Managers Secure? KeePass vs LastPass vs Bitwarden. Bitwarden consists of several services, which can be provided via different containers. The relatively complex setup has been simplified with "Bitwarden Unified" especially for self-hosting by packing all services into one co...


Commissioning Zigbee2MQTT in Docker - step by step

Zigbee2MQTT is an open source Zigbee bridge which can be easily integrated into existing smart home solutions thanks to the MQTT network protocol. As an example, Zigbee2MQTT combined with MQTT broker Mosquitto and Home Assistant can collect, display, record and control data from Zigbee devices. The setup described here uses Docker as a base. Manufacturer's website: https://www.zigbee2mqtt.io


Questions / Comments


By continuing to browse the site, you agree to our use of cookies. More Details