Closed Lopez-du-63 closed 2 years ago
Hi @Lopez-du-63.
This snap package is strictly confined. This means in general that it's sandboxed and won't have access to files outside of this environment. However, there are some interfaces that can give access to files, but we don't have the required interface and probably won't get it approved.
If you're running this snap on a classic system (e.g. Ubuntu Server/Desktop or any other «classic distros») and not on a snappy system (Ubuntu Core), you might have success by installing it with the classic flag:
    sudo snap install home-assistant-snap --classic
as it gives the snap more privileges.
I haven't tried this, since I'm running it confined on Ubuntu Core, so I'm not sure if it works - but I think it will.
My solution has been to run it behind a proxy with nginx and just let the magic between nginx+certbot handle everything from proxying to certificates.
Another solution, if you're using a classic system and want to keep the confinement, can be to use the «renewal hooks» feature of letsencrypt/certbot and copy the certificate within the snap environment and restart HA whenever the certificate renews. This is an example:
FILE: /etc/letsencrypt/renewal-hooks/deploy/deploy:
(this might be different on your system)
    #!/usr/bin/env bash
    HA_DOMAIN="my-ha-domain.tld"
    # This might be different on your system
    HA_PATH="/var/snap/home-assistant-snap/current"
    # RENEWED_DOMAINS is a global available when executed by certbot
    for DOMAIN in ${RENEWED_DOMAINS}; do
        if [ "${DOMAIN}" != "${HA_DOMAIN}" ]; then
            continue  # Skip for other domains
        fi
        # Copy the newly renewed certificate to the HA location
        # RENEWED_LINEAGE is a global available when executed by certbot
        cp -v "${RENEWED_LINEAGE}/fullchain.pem" "${HA_PATH}/${DOMAIN}.cert"
        cp -v "${RENEWED_LINEAGE}/privkey.pem" "${HA_PATH}/${DOMAIN}.key"
        # Restart the snap
        snap restart home-assistant-snap
    done
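
A variant of the copy step in the hook above that sets file modes explicitly and then checks the deployed pair, including the world-readable key case (`chmod 755`) described in the question in this thread. This is an added example, not code from the thread or the project: the function names are hypothetical, the `DOMAIN.cert`/`DOMAIN.key` naming follows the hook above, and GNU or busybox `stat` and (for `pair_matches`) `openssl` are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.

# Copy a certbot lineage into DEST with explicit modes, so the private key
# is never left group- or world-accessible, whatever the umask is.
deploy_pair() {  # usage: deploy_pair LINEAGE_DIR DEST_DIR DOMAIN
    local src="$1" dest="$2" domain="$3"
    install -m 0644 "${src}/fullchain.pem" "${dest}/${domain}.cert" &&
    install -m 0600 "${src}/privkey.pem" "${dest}/${domain}.key"
}

# Report problems with a deployed pair; returns non-zero if any were found.
verify_pair() {  # usage: verify_pair DEST_DIR DOMAIN
    local cert="$1/$2.cert" key="$1/$2.key" rc=0 mode
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" 2>/dev/null ||
        { echo "missing or non-PEM certificate: $cert" >&2; rc=1; }
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null ||
        { echo "missing or non-PEM private key: $key" >&2; rc=1; }
    if [ -e "$key" ]; then
        mode=$(stat -c '%a' "$key")   # octal mode, e.g. 600 or 755
        case "$mode" in
            *00) ;;                   # no group/other permission bits set
            *) echo "key mode $mode grants access beyond its owner" >&2
               rc=1 ;;
        esac
    fi
    return "$rc"
}

# True when the leaf certificate and the key carry the same public key.
pair_matches() {  # usage: pair_matches DEST_DIR DOMAIN (requires openssl)
    local c k
    c=$(openssl x509 -in "$1/$2.cert" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$1/$2.key" -pubout) || return 1
    [ "$c" = "$k" ]
}
```

In the deploy hook, `deploy_pair "${RENEWED_LINEAGE}" "${HA_PATH}" "${DOMAIN}"` would replace the two `cp` lines, with the restart run only when `verify_pair` and `pair_matches` both succeed.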
Hello @jmgiaever, thanks for taking the time to answer me. I tried installing the snap with the command line you provided me, to no avail. I was already using hooks to renew the certificate and copy-pasting this certificate into the homeassistant subfolders with no success.
Maybe I missed something, I am new to the Linux world. I finally installed Debian 11 to get a Supervised HomeAssistant install and now everything runs perfectly fine.
Wish you a nice week-end.
Great you found a solution.
Hello, first of all thanks for your work. It's appreciated.
I am trying to secure the access to my home assistant domain. But I have trouble getting home-assistant-snap to use the certificates. So far, it looks like home-assistant-snap cannot access any file of my system. So generating certificates and giving the path in the configuration.yaml file is just not working.
Since the acmesh snap does not exist anymore, and I cannot connect certbot to home assistant either, do you know of an alternative solution allowing me to secure the connection? I generated my certificates within the "current" folder of home assistant and provided maximum rights (chmod 755). But still, home-assistant is not capable of seeing anything. I also added all permissions to the snap through the Snapstore UI.
Kind Regards