Okay, let me start by saying that I really do love Home Assistant. I believe that it is a fantastic piece of software, with very dedicated developers that are far more talented than I. Although, that being said, I strongly disagree with a number of their design choices.
My most recent problem has been trying to put Home Assistant behind a reverse proxy with a subpath. The Home Assistant developers flat out refuse any contribution that adds support for this. Supposedly, the frontend has hard-coded paths for some views, to me this doesn’t sound like a good practice to begin with – that being said, I mostly program in Go these days (so I’m unsure if this is something that is pretty common in some frameworks or languages). The official solution is to use a subdomain, which I can’t do – I’m trying to route all services through a Tailscale Funnel (which only provides a single domain; I doubt that Tailscale Funnels where ever designed for this purpose, but I’m trying to completely remove Cloudflare Tunnels for my selfhosted services).
The other major problem I’ve ran into, is that HAOS assumes that you would have no need to run any other Docker services other than those that are add-ons or Home Assistant itself. Which, I’m sorry (not really), Home Assistant add-ons are an absolute pain to deal with! Sure, when they work, they’re supper simple, but having to write an add-on for whenever I just want to spin up a single Docker container is not going to work for me.
Now, some smaller issues I’ve had:
- There’s no way to change the default authentication providers. I host for my (non-techie) family, they’re not going to know what the difference between local authentication and command-line authentication is, just that one works and the other doesn’t.
- Everything that is “advanced” requires a workaround. Like mounting external hard drives and sharing it with containers in HAOS requires you to setup the Samba add-on, add the network drive, and then you can use it within containers.
Again, I still really love Home Assistant, it’s just getting to a point where things are starting to feel hacky or not thought out all the way. I’ve considered other self-hosted automation software, but there really isn’t any other good alternative (unless you want to be using HomeKit). Also, I’m a programmer first, and far away from being a self-hosting pro (so let me know if I’ve missed any crucial details that completely flip my perspective on it’s head).
If you got to the end of this thanks for reading my rant, you’re awesome.
I took a look at HAOS and declared it to be junk. I admire your optimism, but you should too.
It’s aimed at a no man’s land of people that run HA but don’t know how to manage their own docker. It’s just weird.
I’m always very wary of systems that require a user to deviate as much from the “usual” structure almost all other services use. HAOS has really weird configs and “all the functionality” that presumably breaks when you use docker and don’t have the supervisor for docker… well… If what HA did was the way to go… whi is it that tons of services use docker’s rather powerful internal networking features just fine but HA of all things can’t do that and requires weird addons that for some reason cannot live on any other system than a Debian with weirdly specific modifications (bye bye cgroupsv2)? This will break most other functionality of that host Debian. I mean… if only there was a widespread-way to provide a highly customized Linux kernel in an ephemeral environment that can just be plugged in and out of a host machine without changing the host machine itself… Nah, can’t have that, let’s cause more overhead with a VM…
I’m not willing to make that kind of modifications to my whole setup just for HA and in the long run, this rift between “the way it’s usually done” and “The HA-Way” will become bigger and bigger, causing more and more problems.
I can’t grasp your use case I feel, pretty much all your complaints seem… odd. To me at least.
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
As for your tunnel I don’t know how you’ve set it up and I haven’t used tailscale but them only allowing one domain sounds like a very arbitrary limit, is it something that costs money to add? I use NetBird which I selfhost on my VPS and from there tunnel into my much beefier home setup.
Then docker in HAOS. The proper way I feel of running HA is for sure HAOS, and also running it in its own VM / or on dedicated hardware. This because you will likely need to couple additional hardware like a stick providing support for more protocols like ZigBee or Matter. It really isn’t a good solution for running all your self hosted stuff, and wasn’t ever intended to be. Running Plex in HA for instance is just a plain bad idea, even if it can be done. As such the need for an external drive seems strange as well. If you need to interact with storage you should set up a NAS and share over SAMBA. All this to say that HA should be one VM/Device, your docker environment another VM.
As for authentication there are 10k plus contributors to Home Assistant yearly but very few bother to make authentication more streamlined. I would’ve loved OpenID/OAuth2 support natively but there are ways to do so with custom components and in the end I quite strongly feel that if the end-users of your smarthome setup (i.e. the wife and kids) need to login to Home Assistant then you’ve probably got more work to do. Remote controls which interact with HA handle the vast majority of manual interaction and I’ve dabbled with self-hosted voice interfaces for the more complex operations.
Sorry if this came across as writing you on the nose, that’s not my intention. I just suspect you’re making things harder for yourself and maybe have a strange idea around how to selfhost in general?
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
It’s only an “anti pattern” because app developers are, on the whole, lazy bastards that start out hard coding stuff and then get discouraged at the amount of work needed to fix things after the fact.
I should know: I am one of these people.
It’s crap, it’s best to roll with the punches and use a sub domain.
That’s one part of it, but the other is that there’s no proper way to ensure you won’t cause issues down the line and it makes the configuration unclean and harder to maintain.
It also makes your setup dependent on seemingly unrelated things. Like the certificate for the domain which is some completely different applications problem but will break your Home Assistant setup all the same. That dependency issue can be a nightmare to troubleshoot in some instances, especially when it comes to stuff like authentication. Try doing SSO towards two different applications running on different subpaths on the same domain…
You make some good points, I’ve said a few times now that I mistook Home Assistant add-ons as traditional Docker containers (which I’ve learned the hard way is flat out wrong, you know what they say about assumptions).
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
I don’t agree with the comment replying about how developers are lazy. That being said, I also wouldn’t call a subpath an anti-pattern, it’s not uncommon and I wouldn’t say that it is always a bad idea (they have some pros and cons on subdomains and it’s what my setup calls for).
As for your tunnel I don’t know how you’ve set it up and I haven’t used tailscale but them only allowing one domain sounds like a very arbitrary limit, is it something that costs money to add? I use NetBird which I selfhost on my VPS and from there tunnel into my much beefier home setup.
There’s an open feature request for subdomains, but it hasn’t really gone anywhere. I’m assuming that it must be how they handle SSL certificates.
As for authentication there are 10k plus contributors to Home Assistant yearly but very few bother to make authentication more streamlined. I would’ve loved OpenID/OAuth2 support natively but there are ways to do so with custom components and in the end I quite strongly feel that if the end-users of your smarthome setup (i.e. the wife and kids) need to login to Home Assistant then you’ve probably got more work to do. Remote controls which interact with HA handle the vast majority of manual interaction and I’ve dabbled with self-hosted voice interfaces for the more complex operations.
Yeah, I’ve seen the idea that Home Assistant shouldn’t be the part you interact with several times, but I don’t really know of any better things to handle this. None of us really love voice controls and I’ve toyed around with Google Home (but I think it’s absolute garbage and self-host to get away from companies like Google).
I just suspect you’re making things harder for yourself and maybe have a strange idea around how to selfhost in general?
Not my ideas that are strange, I’d love to have a traditional setup. I’ve mentioned it a few times in other replies, I just don’t want to be the “just look at my other replies” person, so here’s whats going on: Starlink is my ISP (CGNAT; I can’t port-forward), Tailscale is now my only way of accessing things off of my LAN (I didn’t mind Cloudflare Tunnels, but Cloudflare scares me and Jellyfin is a pretty important thing and supposedly if you want to stream video you’re not allowed/supposed to use Tunnels), my only device is an RPi4 (I’ve tried other devices, but I really love the simplicity of the Pi – and also don’t have many other devices that would work that good for self-hosting).
Again, I’d love to have a “normal” ISP (we live in the middle of no where) that lets me port-forward and is nice and something other than a Pi to host on, but this is what I’m stuck with.
Sorry if this came across as writing you on the nose, that’s not my intention.
It’s all good I get where you’re coming from, and I’m sure you understand what’s going on for me.
I think a VPS and moving to NetBird self hosted would be the simplest solution for you. $5 per month gives you a range of options and you can go even lower with things like yearly subscriptions. That way you get around the subdomain issue, you get a proper tunnel and can proxy whatever traffic you want into your home.
As for control scheme for your home automation you’ll need to come up with something that fits you but I strongly advise against letting users into Home Assistant. You could build a simple web interface that interacts via API with HA, through Node-Red is super simple if it seems daunting to build the API.
If a RPi 4 is what you’ve got and that’s it then I guess you’re kinda stuck for the time being. Home Assistant is often quite lightweight if you’re not doing something crazy so it runs well on even a RPi 3, same with NAS software for home use, it too works fine on a 3. If SBC is your style my recommendation is to setup an alert on whatever second hand sites operate in your area and pick up a cheap one to allow you to separate things and make the setup simpler.
I think your missing the point of HAOS, it’s an appliance. You don’t manage it like a normal self host system.
Once you treat it as an appliance, it’s great. Also there is a portainer agent you can run that will connect to a portainer instance.
As for your tunnel issues, maybe the tunnel thing is your biggest issue. I run all my self host stuff on its own subdomain, if I want to route something home I use the site to site VPN I have. Even a cheap ovh vps could be a way to run stuff on subdomains
Require a subdinain should not be mandatory in 2024.
Sub paths should be such a basic feature that’s ridiculous devs don’t even take that into consideration.
Why? Because a software requiring absolute paths is as old and obsolete as an msdos program, and the only real reason it happens today is… Bad design choices or limited frameworks.
Requiring a full URL will be more of security thing I would guess, as some users put HA on the internet and it could have access to open doors.
Also I have tried things on sub paths and it got very complicated to know where a service was, a domain keeps things easy to setup and manage. As I run internet facing services for my day job, I have to look at both security and easy of maintenance when setting things up.
I would say that if you need a path over domain, its a skill issue and you need to find a better way of working.
Not really… Your attitude is the problem.
Sub paths are simpler to deploy: need only one certificate, need only one subdomain.
In any case you need reverse proxy so security is not the matter here.
Your use cases are not mine and both ways should always be possible.
You never need a subpath over a subdomain, nor viceversa, it is (or should) always be a choice.
I just used a Cloudflare Tunnel.
