[ale] Home Assistant / Docker / Network Security
Alex Carver
agcarver+ale at acarver.net
Tue Jul 24 16:27:14 EDT 2018
On 2018-07-24 13:08, Derek Atkins wrote:
> Alex,
>
> On Tue, July 24, 2018 3:54 pm, Alex Carver via Ale wrote:
>>
>> OpenVPN on a phone is actually quite easy. I use it all the time on my
>> Android. Download the client from the store, generate your system keys
>> & certs, generate keys and certs for each client, then create an
>> all-in-one .ovpn file (contains config, keys, certs, etc. in one block)
>> that the client reads in when creating a new connection.
>
> Where in iOS can I plug that in?
You transfer the file to the phone. Then you run the OpenVPN client and
point it at that file through its "Import Profile" feature.
>
> [snip]
>> If you're worried about security then you'd have to trust the docker
>> image as well. The same thing goes for Hass.io. It seems that even
>> Hass.io is one more wrapper to worry about over the base Home Assistant
>> installation.
>
> HA is a bunch of python crap. Hass.io is a docker package and management
> wrapped around the python crap.
From what I see Hass.io is not even the Docker package, it's a Python
wrapper around the HA python to make configuration easy for new people.
It runs directly on hardware without Docker (so sayeth the docs, it uses
resin-io and was meant to be Raspberry Pi specific). The Docker
wrapping is a third layer of abstraction.
>
> I feel perfectly comfortable securing a Fedora system. I don't feel as
> comfortable securing a bunch of python crap, let alone a docker package
> around it. :( I feel even less comfortable given the thread I linked in
> my OP.
If you hide everything behind a VPN and never let HA or anything else
talk to the Internet at large directly then you have far less to worry
about than that thread. In that thread *everyone* was opening themselves
up to direct connections. 2FA or not, there was a direct connection
available.
I rolled my own HA and security stuff and it all hides behind the VPN.
I can still do anything I want from anywhere as long as I attach to the
VPN. That also keeps lowlifes out since they have to penetrate
something much harder than a simple python script.
>
> The "benefit" of using hass.io is that it allows "add-ons" (which
> apparently are not usable from the raw HA code). Some of the add-ons I
> don't care about. Some of the add-ons I can implement myself (e.g.
> LetsEncrypt). But there may be others that I *do* care about -- hard to
> say.
I see, so it's just more wrappers. An "add-on" is nothing more than a
link between something and HA from what I'm reading (actually it's a
link wrapped up in a Docker image). Eventually the add-on just sends
commands to HA via a TCP/IP port.
>
> At least Raj pointed me to the method to upgrade the python crap. ;)
Yes, python isn't hard to update, no harder than apt-get.
I'm disappointed that Hass.io's dependency list includes Network Manager.
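
Added example, not part of the original message: one way to assemble the all-in-one .ovpn file described above, using OpenVPN's inline `<ca>`, `<cert>` and `<key>` blocks. The function names, file names and `vpn.example.net` are assumptions, and the PEM contents are constructed placeholders rather than real keys.

```shell
#!/bin/sh
# usage: make_ovpn BASE_CONF CA_CERT CLIENT_CERT CLIENT_KEY OUT_FILE
make_ovpn() {
    base=$1 ca=$2 cert=$3 key=$4 out=$5
    for f in "$base" "$ca" "$cert" "$key"; do
        [ -r "$f" ] || { echo "missing input: $f" >&2; return 1; }
    done
    # The profile embeds the client's private key, so create it owner-only.
    old_umask=$(umask)
    umask 077
    {
        # Drop file-based ca/cert/key directives; the inline blocks replace them.
        grep -Ev '^[[:space:]]*(ca|cert|key)[[:space:]]' "$base" || true
        printf '<ca>\n'; cat "$ca"; printf '</ca>\n'
        printf '<cert>\n'
        # Keep only the PEM block; issued certs may carry a text dump before it.
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$cert"
        printf '</cert>\n'
        printf '<key>\n'; cat "$key"; printf '</key>\n'
    } > "$out"
    rc=$?
    umask "$old_umask"
    return $rc
}

# Builds a profile from constructed sample inputs and prints its path.
demo_profile() {
    d=$(mktemp -d) || return 1
    printf '%s\n' client 'dev tun' 'remote vpn.example.net 1194' \
        'ca ca.crt' 'cert client.crt' 'key client.key' \
        'remote-cert-tls server' > "$d/base.conf"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CA' \
        '-----END CERTIFICATE-----' > "$d/ca.crt"
    printf '%s\n' 'Certificate:' '    Data: (text dump)' \
        '-----BEGIN CERTIFICATE-----' 'CONSTRUCTED-CLIENT' \
        '-----END CERTIFICATE-----' > "$d/client.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED-KEY' \
        '-----END PRIVATE KEY-----' > "$d/client.key"
    make_ovpn "$d/base.conf" "$d/ca.crt" "$d/client.crt" "$d/client.key" \
        "$d/phone.ovpn" && echo "$d/phone.ovpn"
}
```

Because the resulting file contains the private key, treat it like the key itself when transferring it to the phone, and issue a separate cert and key per client so a lost device can be revoked on its own.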