HomeAssistant(1) - HelloMorningStar/HomeAssistant GitHub Wiki
After the warm-up on the previous page, now try out the individual feature modules.
Basic requirements:
- iOS device running at least iOS 9, but iOS 10 is greatly preferred.
- Home Assistant 0.42.4 or higher for push notification support.
- SSL is strongly recommended. Self-signed SSL certificates will not work due to Apple's limitations.
Configuration is very simple:
Configuration ---> Integrations ---> select Home Assistant iOS
For the home location on the map, take the latitude/longitude from Google Earth (note: not Google Maps; Google Maps applies the GCJ-02 offset to mainland-China coordinates, while Home Assistant expects the WGS-84 values that Google Earth shows) and set a geofence. The integration then reports whether an authorized iPhone (Home Assistant app installed, location permission granted) is at home.
Problems encountered:
1) Configuring iOS produced many duplicate entities (battery_level and so on) that cannot be deleted from the web UI. They live in a hidden file in the Home Assistant config directory:
ls -a
sudo gedit .ios.conf
Delete the duplicated sections by hand.
2) After editing .ios.conf, also remove the iOS integration from Configuration, delete the invalid entities, and restart hass.
3) I still cannot get a self-signed certificate to work (at the moment it works on the desktop version but not on the server version)?
Configuring SSL:
Experimented following the document Self-signed Certificate for SSL/TLS.
Configuration on the local LAN failed!!!
The main reason is that the self-signed certificate (SSC) is not trusted.
SSL configuration finally succeeded (only for the installation method on the home page). Method:
Follow the second method.
Generate the private key:
sudo openssl genrsa -out server.key 1024
(1024-bit RSA is below today's minimum; use 2048. iOS 13 and later reject a server certificate whose RSA key is shorter than 2048 bits, that has no subjectAltName, or that is valid for more than 825 days, so the commands below only work on older iOS.)
Generate a certificate signing request (CSR) from the private key (local IP):
sudo openssl req -new -key server.key -out server.csr
Generate a CSR from the private key (server IP):
sudo openssl req -new -key server.key -out server-g.csr
Sign the CSR with the private key to produce the certificate (local IP):
sudo openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
Sign the CSR with the private key to produce the certificate (server IP):
sudo openssl x509 -req -in server-g.csr -out server-g.crt -signkey server.key -days 3650
Installed the certificates generated for the local server IP and the external server IP on the iPhone (no domain name needed). After installing the profile the certificate must also be switched on under Settings > General > About > Certificate Trust Settings, otherwise the app still rejects it.
Add the following to configuration.yaml (must be in this order, otherwise the iPhone cannot connect to the external server_ip):
http:
  base_url: https://server_ip:443
  ssl_certificate: ~/.homeassistant/server.crt
  ssl_certificate: ~/.homeassistant/server-g.crt
  ssl_key: ~/.homeassistant/server.key
Note that ssl_certificate appears twice. A YAML mapping cannot hold the same key twice: Home Assistant logs a duplicate-key warning and keeps the last value, which is why the order matters, and it serves exactly one certificate anyway. A single certificate whose subjectAltName lists both IPs avoids the problem. (base_url was replaced by internal_url / external_url in Home Assistant 0.110.)
The certificates above work only on iOS; Chrome on a PC rejects them, because Chrome (since version 58) ignores the CN and requires a subjectAltName, which these CSRs do not carry.
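As an added example that is not part of the original notes: instead of two CN-only certificates and a duplicated ssl_certificate key, generate one 2048-bit self-signed certificate whose subjectAltName carries both the LAN address and the public address, valid for at most 825 days so that current iOS and Chrome accept it once it is trusted. The addresses in the usage comment are placeholders, and `cert_sans` is a small helper added here for checking the result.

```shell
#!/bin/sh
# Added example, not code from the wiki. One self-signed server certificate
# naming both addresses of the Home Assistant host as IP SANs, so a single
# ssl_certificate/ssl_key pair works for the LAN and the public address, and
# clients that ignore the CN (Chrome, current iOS) accept it once trusted.

# Usage: make_ha_cert OUTDIR LAN_IP PUBLIC_IP [DAYS]
# DAYS defaults to 825, the longest validity iOS 13+ accepts for a server cert.
make_ha_cert() {
    outdir=$1; lan_ip=$2; public_ip=$3; days=${4:-825}
    mkdir -p "$outdir"
    # Request template: no prompts, CN for display only, real identity in SAN.
    cat > "$outdir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_san
prompt = no
[dn]
CN = homeassistant
[v3_san]
subjectAltName = IP:$lan_ip,IP:$public_ip
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
    # Key + self-signed cert in one step: 2048-bit RSA, SHA-256, no passphrase
    # (hass must read the key unattended); umask 077 makes the key mode 600.
    (umask 077
     openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
         -keyout "$outdir/server.key" -out "$outdir/server.crt" \
         -config "$outdir/san.cnf" >/dev/null 2>&1)
}

# Print the subjectAltName entries of a certificate, e.g.
# "IP Address:192.168.1.35, IP Address:203.0.113.10"
cert_sans() {
    openssl x509 -in "$1" -noout -text | sed -n 's/^ *IP Address:/IP Address:/p'
}

# Example run with placeholder addresses (203.0.113.0/24 is documentation space):
# make_ha_cert /home/homeassistant/.homeassistant/ssl 192.168.1.35 203.0.113.10
# cert_sans /home/homeassistant/.homeassistant/ssl/server.crt
```

configuration.yaml then needs only one `ssl_certificate:` (server.crt) and one `ssl_key:` (server.key). Install server.crt on the iPhone and enable it under Certificate Trust Settings; for Chrome on a PC import server.crt into the OS trust store. Regenerate before the 825 days run out.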
Configuring external access (domain name or internal IP): FRP successfully exposes the LAN server's SSH/web!
Configured DuckDNS; running it on the LAN server tested OK, but the final configuration failed!
Configured FRP following the FRP guide; this time it succeeded!
Download frp to the server:
wget https://github.com/fatedier/frp/releases/download/v0.25.0/frp_0.25.0_linux_amd64.tar.gz
tar xzvf frp_0.25.0_linux_amd64.tar.gz
mv frp_0.25.0_linux_amd64 frp
Start frps on the server:
cd frp
cat frps.ini
bind_port = 7000 in frps.ini can be changed as you like.
./frps -c ./frps.ini
Download frp to the LAN server:
wget https://github.com/fatedier/frp/releases/download/v0.25.0/frp_0.25.0_linux_amd64.tar.gz
tar xzvf frp_0.25.0_linux_amd64.tar.gz
mv frp_0.25.0_linux_amd64 frp
Edit the client configuration file frpc.ini:
server_addr = xxx.xxx.xxx.xxx
server_port = 7000
[ssh]
type = tcp
local_ip = xxx.xxx.xxx.xxx
local_port = 22
remote_port = 6000
Start the client:
./frpc -c ./frpc.ini
From any terminal with internet access:
ssh -oPort=6000 usr(local_lan_server_usr)@your_web_server_ip
(-oPort=6000 is the same as -p 6000. This publishes the LAN server's SSH on the public server's port 6000 to the whole internet, so the LAN server should allow key-only login: PasswordAuthentication no in sshd_config.)
Final configuration files:
Note: to listen on ports 80/443, frps must be started as root (or be granted the port-binding capability with setcap cap_net_bind_service=+ep ./frps, which avoids running it as root).
Public server: (note: finally worked it out, vhost_http_port / vhost_https_port can each specify only one port)
[common]
privilege_token = 12345678
bind_port = 7000
vhost_http_port = 80
vhost_https_port = 443
(The original notes had a second bind_port = 80 here, a duplicate key; the setting that receives HTTP vhost traffic is vhost_http_port. The token is the only authentication between frpc and frps: anyone who knows it can register their own proxies on the public server, so use a long random value instead of 12345678.)
LAN server: (note: local_port must be specified, and each sub/domain must be distinct, i.e. one local port corresponds to one sub/domain)
[common]
privilege_token = 12345678
server_addr = www_server_ip
server_port = 7000
[ssh]
type = tcp
local_ip = local_server_ip
local_port = 22
remote_port = 5000
[web]
type = https
local_ip = local_server_ip
local_port = 443
custom_domains = www_server_ip
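An added example (not from the wiki and not the frp project's own code) that generates one strong shared token and writes the two ini files above from it, refusing the weak kind of token shown in the notes. It writes the key as `token`, the name current frp releases document (the notes above use the older spelling privilege_token); the server and LAN addresses are arguments, and the ones in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not code from the wiki or from frp. Generates a strong shared
# token and renders matching frps.ini / frpc.ini for the SSH + HTTPS setup.

# 32 random bytes, hex-encoded (64 chars). The token is the only thing that
# stops a stranger from registering proxies on frps, so "12345678" is not OK.
frp_gen_token() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# 0 if TOKEN is at least 32 chars and not purely numeric, 1 otherwise.
frp_token_ok() {
    t=$1
    [ "${#t}" -ge 32 ] || return 1
    case $t in
        *[!0-9]*) return 0 ;;   # contains something other than digits
        *)        return 1 ;;
    esac
}

# Usage: frp_write_configs OUTDIR SERVER_IP LOCAL_IP TOKEN
frp_write_configs() {
    outdir=$1; server_ip=$2; local_ip=$3; token=$4
    frp_token_ok "$token" || { echo "frp_write_configs: refusing weak token" >&2; return 1; }
    mkdir -p "$outdir"
    # Public server: bind_port is the frpc control channel; vhost_*_port are
    # where web traffic enters (one port each, as the notes found).
    cat > "$outdir/frps.ini" <<EOF
[common]
bind_port = 7000
token = $token
vhost_http_port = 80
vhost_https_port = 443
EOF
    # LAN server: SSH published on public port 5000; HTTPS routed by SNI to HA.
    cat > "$outdir/frpc.ini" <<EOF
[common]
server_addr = $server_ip
server_port = 7000
token = $token

[ssh]
type = tcp
local_ip = $local_ip
local_port = 22
remote_port = 5000

[web]
type = https
local_ip = $local_ip
local_port = 443
custom_domains = $server_ip
EOF
    chmod 600 "$outdir/frps.ini" "$outdir/frpc.ini"   # the token is a secret
}

# Print the token in an ini file, to confirm both sides carry the same one.
frp_read_token() {
    sed -n 's/^token *= *//p' "$1"
}

# Example (placeholder addresses): tok=$(frp_gen_token)
#   frp_write_configs ./frp-conf 203.0.113.10 192.168.1.35 "$tok"
# then copy frps.ini to the public server and frpc.ini to the LAN server.
```

The token goes to both machines over SSH (scp), never by chat or e-mail, and the ini files stay mode 600 because whoever reads them can impersonate the client.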
This time, research Let's Encrypt:
https://letsencrypt.org/
certbot
Change the permissions of the SSH private key, otherwise it cannot be copied from the public server to the local server; then restore 400:
chmod 400 ~/.ssh/[KEY_FILENAME]
For reference:
-rw------- (600) only the owner can read and write.
-rw-r--r-- (644) owner can read and write; group and others can only read.
-rwx------ (700) only the owner can read, write and execute.
-rwxr-xr-x (755) owner can read, write and execute; group and others can read and execute.
-rwx--x--x (711) owner can read, write and execute; group and others can only execute.
-rw-rw-rw- (666) everyone can read and write.
-rwxrwxrwx (777) everyone can read, write and execute.
The certificate above was generated on the public server; after fetching and installing it, browsers all work, but the Home Assistant iOS app does not accept the generated certificate? To be investigated (installing the three *.pem certificates on the iPhone makes it work).
When configuring on the internal LAN server, port 80 was reported as in use; found the process and stopped apache:
sudo netstat -tlnp | grep 80
tcp6       0      0 :::80      :::*      LISTEN      17116/apache2
sudo /etc/init.d/apache2 stop
(On current distributions: sudo ss -tlnp | grep ':80 ' and sudo systemctl stop apache2.)
Start a temporary web server for testing:
python -m SimpleHTTPServer 8080
(Python 2; with Python 3: python3 -m http.server 8080. It serves the current directory to anyone who can reach the port, so run it in an empty directory and stop it when finished.)
Check open ports:
nmap 127.0.0.1
Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-22 16:21 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000054s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds
631/tcp open  ipp
(A scan of 127.0.0.1 also lists services bound only to loopback; scan from another host on the LAN to see what is actually reachable.)
Temporarily open the specified port (the rule is lost after a reboot):
sudo iptables -I INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables-save
(iptables-save only prints the current rules to stdout; to keep them across reboots, write them to the file the distribution loads at boot, e.g. /etc/iptables/rules.v4 with the iptables-persistent package.)
Generate the certificate (add --dry-run to test first):
sudo certbot certonly --standalone --preferred-challenges http-01 --email [email protected] -d www.xxx.pub --dry-run
sudo ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d www.xxx.pub --dry-run
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not due for renewal, but simulating renewal for dry run
Renewing an existing certificate
IMPORTANT NOTES:
- The dry run was successful.
Renewal and copy procedure (public server -> local server -> Home Assistant):
ssh -i ~/.ssh/android-key [email protected]    # log in to the public server
sudo certbot renew    # (note: --dry-run no longer seems to take effect at the moment, maybe a version issue?) (sudo ./certbot-auto renew --dry-run)
sudo cp /etc/letsencrypt/live/www.xxx.pub/*.pem /home/hello_xxx/ssl/    # copy the certificates
sudo chmod 777 *.pem    # change certificate permissions
sudo scp -i ~/.ssh/android-key [email protected]:/home/hello_xxx/ssl/*.pem ~/ssl/    # copy the certificates to the local server
sudo ssl-cert-check -b -c /home/homeassistant/.homeassistant/ssl/cert.pem | awk '{ print $NF }'    # check the certificate's remaining validity
sudo cp ~/ssl/*.pem /home/homeassistant/.homeassistant/ssl/    # copy the new certificates into the target directory and change permissions
cd /home/homeassistant/.homeassistant/ssl
sudo chmod 400 *.pem    # change certificate permissions
Send cert.pem and fullchain.pem to the iOS device and install them; chain.pem has a longer validity and does not need to be refreshed every three months.
Caveat: chmod 777 *.pem makes the copied privkey.pem readable (and writable) by every account on the public server for as long as the copy sits in /home/hello_xxx/ssl/. Copying with scp as root, or chown-ing the copy to the scp user with mode 600, achieves the same transfer without exposing the key.
ssh -i ~/.ssh/xxx-key usr@server_ip_addr
cd ./certbot
Stop the frp instance occupying port 80 (certbot --standalone has to bind it for the http-01 challenge).
sudo ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d www.xxx.pub --dry-run
IMPORTANT NOTES:
- The dry run was successful.
sudo ./certbot-auto certonly --standalone --preferred-challenges http-01 --email [email protected] -d www.xxx.pub
./certbot-auto has insecure permissions!
To learn how to fix them, visit https://community.letsencrypt.org/t/certbot-auto-deployment-best-practices/91979/
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.xxx.pub.conf)
What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.xxx.pub
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
  /etc/letsencrypt/live/www.xxx.pub/fullchain.pem
  Your key file has been saved at:
  /etc/letsencrypt/live/www.xxx.pub/privkey.pem
  Your cert will expire on 2019-08-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot-auto again. To non-interactively renew *all* of your certificates, run "certbot-auto renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le
After 90 days run the following:
sudo ./certbot-auto renew
Copy the renewed *.pem:
sudo cp /etc/letsencrypt/live/www.xxx.pub/*.pem ./certbot/
Change permissions:
sudo chmod 777 *.pem
(Same caveat as above: this leaves the private key world-readable in ~/certbot on the public server; a copy owned by the scp user with mode 600 is enough.)
sudo scp -i ~/.ssh/xxx-s-key usr@server_ip:~/certbot/*.pem ~/ssl-s/
Enter passphrase for key '/home/xxx-s/.ssh/xxx-s-key':
cert.pem       100% 1915    38.9KB/s   00:00
chain.pem      100% 1647    34.8KB/s   00:00
fullchain.pem  100% 3562    74.9KB/s   00:00
privkey.pem    100% 1708    34.8KB/s   00:00
sudo chmod 400 *.pem
Manual update done!
sudo ssl-cert-check -b -c /home/homeassistant/.homeassistant/ssl/cert.pem | awk '{ print $NF }'
90
If ssl-cert-check is missing, install it:
$ sudo apt-get update
$ sudo apt-get install ssl-cert-check
Network configuration:
1. The internal OpenWrt router's DDNS points the domain name at the public IP obtained from the ISP (this IP changes, hence DDNS).
2. The optical modem (ONT) puts the secondary router (which has a static IP) in its DMZ; NAT forwards ports 443 / 8080 to 8123.
3. The secondary router forwards 8123 to the HA server's IP, port 8123 (HA can then be reached from outside by domain name without typing :8123).
4. The internal secondary router has no NAT loopback, so edit the hosts file to force the domain name to the internal HA IP; if there is a side router, edit its /etc/hosts (forcing the domain name to the internal HA IP).
This configuration works perfectly; access to the HA server from inside and outside is fast.
(A DMZ forwards every port to the secondary router, so its admin interface and anything else it listens on become reachable from the internet; forwarding only 443 from the modem is safer, and the 8080 forward should be removed once it is no longer needed.)
Setting up the certificate:
1) DMZ the 233 server to the HA IP address (tested later, it works: Network - Firewall - Port Forwards - create a rule and enable it only when needed; the earlier failure was simply because no protocol must be selected) (putting the Xiaomi router 35 directly in the DMZ to the public network also works, but some port-forwarding rules then have to be deleted).
2) On the HA server run:
first time: sudo certbot certonly
afterwards: sudo certbot renew --dry-run (test with --dry-run; the real renewal does not need the flag)
3) Change permissions:
sudo chmod 755 /etc/letsencrypt/live/
sudo chmod 755 /etc/letsencrypt/archive/
sudo chmod -R 777 /etc/letsencrypt/
(The 755 on live/ and archive/ is enough for a non-root account to traverse to the files; the recursive 777 makes every private key under /etc/letsencrypt readable and writable by every local account. Leave privkey.pem at its default mode and copy it as root, or from a certbot --deploy-hook, instead.)
4) On the Mac run: sudo scp ubuntu@ip_addr:/etc/letsencrypt/live/www.xxx.xxx/*.pem ~/downloads/s
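An added example (not from the wiki and not certbot's own code) for the copy-and-permission steps that appear three times above: the renewal procedure on the public server, the 90-day manual update, and step 3 here. It installs fullchain.pem and privkey.pem into Home Assistant's ssl directory with owner-only permissions, after checking that the key matches the certificate and that the certificate is not about to expire, and it replaces the ssl-cert-check days-left query with openssl alone. Source directory, destination and owner are arguments; the paths and the user name homeassistant in the comments are the wiki's, and running it as `certbot renew --deploy-hook` relies on certbot exporting RENEWED_LINEAGE to hooks.

```shell
#!/bin/sh
# Added example, not code from the wiki or from certbot. Installs a renewed
# Let's Encrypt certificate for Home Assistant without "chmod 777" anywhere.
# By hand:  install_ha_cert /etc/letsencrypt/live/www.xxx.pub \
#               /home/homeassistant/.homeassistant/ssl homeassistant
# As hook:  certbot renew --deploy-hook /path/to/this.sh
# (certbot exports RENEWED_LINEAGE to deploy hooks; paths are the wiki's).

# 0 if CERT's public key equals the public key derived from KEY, 1 otherwise.
cert_matches_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# 0 if CERT is still valid DAYS days from now, 1 otherwise.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Whole days until CERT expires (what "ssl-cert-check -b -c" printed above),
# found by binary search on -checkend so no GNU-specific date parsing is needed.
cert_days_left() {
    lo=0; hi=3650
    cert_valid_for_days "$1" 0 || { echo 0; return; }
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if cert_valid_for_days "$1" "$mid"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# Usage: install_ha_cert SRC_DIR DST_DIR OWNER
# Copies fullchain.pem and privkey.pem from SRC_DIR into DST_DIR as OWNER with
# mode 600; installs nothing if the pair is inconsistent or nearly expired.
install_ha_cert() {
    src=$1; dst=$2; owner=$3
    cert_matches_key "$src/fullchain.pem" "$src/privkey.pem" \
        || { echo "install_ha_cert: privkey.pem does not match fullchain.pem" >&2; return 1; }
    cert_valid_for_days "$src/fullchain.pem" 1 \
        || { echo "install_ha_cert: certificate expired or expires within a day" >&2; return 1; }
    mkdir -p "$dst"
    # Copy under temporary names with a private umask, then rename, so hass
    # never reads a half-written file and the key is never world-readable.
    (umask 077
     cp "$src/fullchain.pem" "$dst/fullchain.pem.new" &&
     cp "$src/privkey.pem"   "$dst/privkey.pem.new") || return 1
    chown "$owner" "$dst/fullchain.pem.new" "$dst/privkey.pem.new" 2>/dev/null \
        || echo "install_ha_cert: warning: could not chown to $owner (not root?)" >&2
    chmod 600 "$dst/fullchain.pem.new" "$dst/privkey.pem.new"
    mv "$dst/fullchain.pem.new" "$dst/fullchain.pem" &&
    mv "$dst/privkey.pem.new"   "$dst/privkey.pem"
}

# Deploy-hook entry point: certbot sets RENEWED_LINEAGE. Without it (sourced
# or run by hand) the file only defines the functions above.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_ha_cert "$RENEWED_LINEAGE" /home/homeassistant/.homeassistant/ssl homeassistant
fi
```

Run as root (certbot already is when it renews), so the chown succeeds and /etc/letsencrypt can stay at its default permissions; Home Assistant still has to be restarted, or sent a reload, to pick up the new files.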