this post was submitted on 05 Dec 2025
2 points (100.0% liked)

homeassistant

17087 readers
11 users here now

Home Assistant is open source home automation that puts local control and privacy first.
Powered by a worldwide community of tinkerers and DIY enthusiasts.

Home Assistant can be self-installed on ProxMox, Raspberry Pi, or even purchased pre-installed: Home Assistant: Installation

Discussion of Home-Assistant adjacent topics is absolutely fine, within reason.
If you're not sure, DM @GreatAlbatross@feddit.uk

founded 2 years ago
MODERATORS
GreatAlbatross@feddit.uk
greatalbatross@lemmy.world
2
Network Configuration Questions (lemmy.world)
submitted 5 days ago by KingOogaBooga@lemmy.world to c/homeassistant@lemmy.world
10 comments fedilink hide all child comments
 

I am rebuilding my system and I have a few questions related to network set up. I have installed a new Unifi system, set up IoT VLAN and opened port for HA. That part I THINK is right. My questions lie with setting up DuckDNS and Let's Encrypt. I plan on doing more self hosting stuff in the future. Can/Should I be doing things like Dynamic DNS and certificates via an entity outside of HA such as my router or some other container in the "system" or is it better to handle HA's requirements inside of HA itself?

Additionally, in my current config I can only reach the HA brain via the DuckDNS URL. What sort of set up is required to have the unit accessible when the internet is down? Seems with the mobile app it is the URL or nothing. What do I need to be doing for internal access when on local LAN?

I am running it on the HA Blue hardware and I plan to rebuild from scratch if that matters. I am sketchy on the network set up and making sure things are all secure. Bit paranoid lol. So if you have any good set up guides on this portion it would be appreciated. Thanks.

you are viewing a single comment's thread
view the rest of the comments
[–] lorentz@feddit.it 3 points 5 days ago (4 children)

it make sense to handle Certificate renewal where your reverse proxy is just because they are easier to install this way. Having a single homeassistant let it handle it. The day you'll start hosting more staff and put all of it behind a single reverse proxy (caddy or nginx are the most popular options) you can move certificate handling on the machine with reverse proxy.

to make your homeassistant reachable even when internet is down you just need a local DNS that resolves yourdomain.duckdns.org to your local IP. This is usually easier configured on the router but many stock firmwares don't allow it. Another option is to install a DNS (pihole is the most famous, I personally use blocky) somewhere and configure your router to advertise this DNS instead of its own.

[–] KingOogaBooga@lemmy.world 1 points 4 days ago (2 children)

so now HA needs an proxy server and a DNS server? There has to be a simpler method that adding additional devices on to the network. More devices, more complex and more points of failure.

[–] lorentz@feddit.it 2 points 4 days ago

HA doesn't need either of these, but if you want an SSL certificate (to run over HTTPS instead of plain HTTP) it is bound to a domain name, which must be public unless you want to enter in the zone of adding our custom certification authority to each of your devices. This name is resolved by a public DNS. You asked how to use it when internet is down, in this case a public DNS is not reachable so you need your own on the local network.

The reverse proxy is useful when you have a bunch of web services and you want to protect all of them with HTTPS. Instead of delivering the certificate to each of them, you add the HTTPS layer at your reverse proxy and it queries the servers behind in plain HTTP. The reverse proxy has also the benefit of making handling subdomains easier. So instead of distinguishing the different services because they have a different port number you can have a few https://ha.my.domain/ and https://feedreader.my.domain/

If you just have homeassistant and not care of HTTPS the easiest option is to use the local resolution: modern OSes advertise the name of the device on the network and it can be resolved on the .local domain. But, if you configured HTTPS to use https://name.duckdns.org/ you'll se an error when you try to use https://name.local/ because your browser sees a mismatch between the name in the certificate and the name that you are trying to connect to. You can always ignore this error and move on, but it mostly defeats the point of HTTPS.

load more comments (1 replies)
load more comments (2 replies)