finity69x2

Home Assistant Install In Virtual Env On NUC with Debian 9

Jan 31st, 2019
  1. NUC Installation in python venv
  2.  
  3. Throughout this procedure you'll need to add your personal details to different sections. Replace anything between "<...>" and anything that has "your" in it with your own values.
  4.  
  5. Install Debian 9 Desktop:
  6.  
  7. use win32diskimager to create a live cd on USB stick
  8.  
  9. If needed, follow the instructions for UEFI boot repair from:
  10. https://arstechnica.com/gadgets/2014/02/linux-on-the-nuc-using-ubuntu-mint-fedora-and-the-steamos-beta/
  11.  
  12. install from USB live but don’t reboot.
  13.  
  14. Open a terminal and then do the following:
  15. $ sudo mount /dev/sda1 /mnt
  16. $ sudo mkdir /mnt/EFI/BOOT
  17. $ sudo cp /mnt/EFI/ubuntu/* /mnt/EFI/BOOT
  18. $ sudo mv /mnt/EFI/BOOT/grubx64.efi /mnt/EFI/BOOT/bootx64.efi
  19.  
  20. - reboot
  21.  
  22. Add user to sudoers file:
  23.  
  24. $ su
  25. Enter root password
  26. $ adduser <username> sudo
  27. $ exit
  28.  
  29. - reboot
  30.  
  31. install openssh-server from command line:
  32. $ sudo apt-get install openssh-server
  33.  
  34. install Putty on the computer you will use to run terminal commands on the HA machine if necessary.
  35.  
  36. Set up a Key for encrypting SSH:
  37.  
  38. Generate key using puttygen
  39.  
  40. Create a new .ssh directory (if not already created by default…)
  41. $ mkdir .ssh
  42.  
  43. Change permissions on .ssh to 700 (if not done by default…)
  44. $ chmod 700 .ssh
  45.  
  46. Create a file called “authorized_keys” using nano
  47. $ nano ~/.ssh/authorized_keys
  48.  
  49. Copy and paste the entire key from puttygen
  50.  
  51. - Save file
  52.  
  53. Change permissions of “authorized_keys” to 600
  54. $ chmod 600 ~/.ssh/authorized_keys
  55.  
  56. Restart SSH service
  57. $ sudo service ssh restart
  58.  
  59. Exit putty session
  60.  
  61. Run Putty and before connecting open saved session info & add key to “auth” under SSH
  62.  
  63. Connect via SSH using Putty to test that the key is working
  64.  
  65. Change ssh to not allow password login
  66. $ sudo nano /etc/ssh/sshd_config
  67.  
  68. Add the following line to the end:
  69.  
  70. PasswordAuthentication no
  71.  
  72. - Save
  73.  
  74. Restart ssh service
  75. $ sudo service ssh restart
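
sshd keeps the first value it reads for each keyword, so the appended `PasswordAuthentication no` only takes effect when no earlier uncommented line already sets it. The following check is an added example, not part of the original paste; the function names are hypothetical and the sample files are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the original paste). sshd keeps the FIRST value it
# reads for a keyword, so "PasswordAuthentication no" appended at the end of
# sshd_config is ignored if an earlier, uncommented line already sets it.

# Print the value in effect for keyword $2 in the global part of file $1,
# or "unset" when no active line sets it. Handles the usual "Keyword value" form.
effective_sshd_option() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/ { next }             # comments and blank lines
        { key = tolower($1) }
        key == "match" { exit }             # Match blocks are conditional: stop
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Succeed only when password login is really off; the built-in default is "yes".
password_login_disabled() {
    [ "$(effective_sshd_option "$1" PasswordAuthentication)" = "no" ]
}

# Constructed sample files (hypothetical contents, for the demonstration only).
write_samples() {
    printf '%s\n' '#PasswordAuthentication yes' 'UsePAM yes' \
        'PasswordAuthentication no' > "$1/appended_ok"
    printf '%s\n' 'PasswordAuthentication yes' 'UsePAM yes' \
        'PasswordAuthentication no' > "$1/shadowed"
    printf '%s\n' 'UsePAM yes' 'Match User backup' \
        '    PasswordAuthentication no' > "$1/match_only"
}

samples=$(mktemp -d)
write_samples "$samples"
for f in appended_ok shadowed match_only; do
    if password_login_disabled "$samples/$f"; then
        echo "$f: password login disabled"
    else
        echo "$f: password login STILL ENABLED"
    fi
done
rm -rf "$samples"
```

On the installed system, `sudo sshd -T | grep -i passwordauthentication` prints the value the daemon itself resolves.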
  76.  
  77. Get rid of IPv6
  78. $ sudo nano /etc/sysctl.conf
  79.  
  80. Add:
  81. net.ipv6.conf.all.disable_ipv6=1
  82.  
  83. Save file
  84.  
  85. Commit changes
  86. $ sudo sysctl -p
  87.  
  88.  
  89. Install & Setup WinSCP on computer you will use to edit configuration files:
  90.  
  91. - Give WinSCP the ability to edit files:
  92.  
  93. Select SCP/Shell under Environment
  94. Select profile.
  95. Select edit.
  96. Select advanced.
  97. Under Shell on the left select “/bin/bash”
  98.  
  99. - After authorized keys from above is complete:
  100.  
  101. Select profile.
  102. Select edit.
  103. Select advanced.
  104. Select Authentication under SSH on the left
  105. Enter location of private key that you created and saved from Puttygen
  106.  
  107.  
  108. Install curl:
  109.  
  110. $ sudo apt install curl
  111.  
  112.  
  113. Setup duckdns if desired:
  114.  
  115. create a dynamic dns name (using duckdns.org)
  116.  
  117. yourdomain.duckdns.org
  118. yourdomain2.duckdns.org (if desired, you only need one)
  119. token = xxxxxxxxxxxxxxxxxxxxxxx
  120.  
  121. install duckdns
  122.  
  123. $ mkdir duckdns
  124. $ cd duckdns
  125. $ nano duck.sh
  126.  
  127. create an update script by entering the following:
  128.  
  129. echo url="https://www.duckdns.org/update?domains=yourdomain,yourdomain2&token=xxxxxxxxxxx&ip=" | curl -k -o ~/duckdns/duck.log -K -
  130.  
  131. save file
  132.  
  133. change permissions on file
  134.  
  135. $ sudo chmod 700 duck.sh
  136.  
  137. set it to update the public ip every 5 minutes
  138.  
  139. $ crontab -e   # your own crontab, not root's, so that ~ points at your home directory
  140.  
  141. Pick default editor (selection 1)
  142.  
  143. Add line:
  144.  
  145. */5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1
  146.  
  147. Save file
  148.  
  149. Test the file
  150.  
  151. $ ./duck.sh
  152. $ cat duck.log
  153.  
  154. Should see ‘OK’
  155.  
  156.  
  157. Install git:
  158. $ sudo apt-get update
  159. $ sudo apt-get upgrade
  160. $ sudo apt-get install git
  161.  
  162.  
  163. Install Home Assistant in venv:
  164.  
  165. Do the following as a regular user (not root):
  166.  
  167. $ sudo apt-get update
  168. $ sudo apt-get upgrade
  169. $ sudo apt-get install python-pip python3-dev
  170. $ sudo pip install --upgrade virtualenv
  171. $ sudo adduser --system homeassistant
  172. $ sudo addgroup homeassistant
  173. $ sudo usermod -G dialout -a homeassistant
  174. $ sudo mkdir /srv/homeassistant
  175. $ sudo chown homeassistant:homeassistant /srv/homeassistant
  176.  
  177. Switch to the homeassistant user:
  178.  
  179. $ sudo su -s /bin/bash homeassistant
  180.  
  181.  
  182. Create a new virtual environment:
  183.  
  184. $ virtualenv -p python3 /srv/homeassistant
  185.  
  186.  
  187. Activate the venv:
  188.  
  189. $ source /srv/homeassistant/bin/activate
  190.  
  191.  
  192. Run the following command to install Home Assistant inside the virtualenv container:
  193.  
  194. $ pip3 install --upgrade homeassistant
  195.  
  196. Start Home Assistant manually with the "hass" command to make sure that it works as expected:
  197.  
  198. $ hass
  199.  
  200. You should get a bunch of console output with no obvious error messages. To confirm that it's working, open a web browser on a computer on the same network and navigate to http://<ip_address>:8123, which is the default web server port for Home Assistant.
  201.  
  202. If you see the default webpage, you've successfully installed Home Assistant. Now press Ctrl+C in the terminal to exit the process and return to the shell, and exit the virtualenv sub-shell with the following command:
  203.  
  204. $ exit
  205.  
  206.  
  207. To set up Home Assistant to start at boot, create the service file with the following command:
  208.  
  209. $ sudo nano /lib/systemd/system/home-assistant@homeassistant.service
  210.  
  211. Now, paste the following content into the new file:
  212.  
  213. [Unit]
  214. Description=Home Assistant
  215. After=network.target
  216.  
  217. [Service]
  218. Type=simple
  219. User=%i
  220. ExecStart=/srv/homeassistant/bin/hass -c "/home/homeassistant/.homeassistant"
  221.  
  222. [Install]
  223. WantedBy=multi-user.target
  224.  
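  225. Alternatively, use this version instead (put only one of the two unit files in the file, because a Type=simple service may have only one ExecStart line):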
  226. #
  227. # Service file for systems with systemd to run Home Assistant as the homeassistant user.
  228. #
  229.  
  230. [Unit]
  231. Description=Home Assistant for %i
  232. After=network.target
  233.  
  234. [Service]
  235. Type=simple
  236. User=%i
  237. ExecStart=/srv/homeassistant/bin/hass
  238. SendSIGKILL=no
  239.  
  240. [Install]
  241. WantedBy=multi-user.target
  242.  
  243.  
  244. Save it.
  245.  
  246. Then, create a symlink from this file to the "active" systemd location, reload the systemd configuration, and start the service:
  247.  
  248. $ sudo ln -s /lib/systemd/system/home-assistant@homeassistant.service /etc/systemd/system/home-assistant@homeassistant.service
  249. $ sudo systemctl --system daemon-reload
  250. $ sudo systemctl enable home-assistant@homeassistant.service
  251. $ sudo systemctl start home-assistant@homeassistant.service
  252.  
  253. You should now be able to open or refresh the same browser window from before and access the Home Assistant web GUI. It might take a few seconds to become available. You can verify that it starts automatically by completely rebooting the system, but this is not strictly necessary.
  254.  
  255. The default config files should automatically be created at the /home/homeassistant/.homeassistant directory.
  256.  
  257. After adding your current configuration files to the new homeassistant config folders, make sure to set the owner back to the homeassistant user:
  258.  
  259. $ sudo chown -R homeassistant:homeassistant /home/homeassistant
  260.  
  261. And add read/write privileges to the home assistant config folders for your user (<username>):
  262.  
  263. $ sudo setfacl -R -m u:<username>:rwx /home/homeassistant/.homeassistant
  264.  
  265.  
  266.  
  267. Setup letsencrypt using the instructions here:
  268.  
  269. https://www.splitbrain.org/blog/2017-08/10-homeassistant_duckdns_letsencrypt
  270.  
  271. Set up DuckDNS
  272.  
  273. Set up a port forwarding to your HomeAssistant server. Set a forwarding for port 8123 to the internal HA IP on port 8123.
  274.  
  275. Before continuing, make sure your HomeAssistant is now available via http://yourdomain.duckdns.org or whatever domain you set up.
  276.  
  277. Setting up Dehydrated
  278.  
  279. First get a copy of the current dehydrated script.
  280.  
  281. $ git clone https://github.com/lukas2511/dehydrated.git
  282.  
  283. Now change into the new dehydrated directory and create a new domains.txt file containing your duckdns domain name:
  284.  
  285. $ nano domains.txt
  286.  
  287. Add:
  288.  
  289. yourdomain.duckdns.org
  290.  
  291. save & exit file
  292.  
  293. We also need a config file containing the following:
  294.  
  295. $ nano config
  296.  
  297. Add:
  298.  
  299. # Which challenge should be used? Currently http-01 and dns-01 are supported
  300. CHALLENGETYPE="dns-01"
  301.  
  302. # Script to execute the DNS challenge and run after cert generation
  303. HOOK="${BASEDIR}/hook.sh"
  304.  
  305.  
  306. Next we need a hook that will do the DNS challenge for us and will restart HomeAssistant when the certificate has changed. Create a hook.sh file with the following content:
  307.  
  308. $ nano hook.sh
  309.  
  310. Add:
  311.  
  312. #!/usr/bin/env bash
  313. set -e
  314. set -u
  315. set -o pipefail
  316.  
  317. domain="yourdomain"
  318. token="xxxxxxxxxxxxxxxxxx"
  319.  
  320. case "$1" in
  321.     "deploy_challenge")
  322.         curl "https://www.duckdns.org/update?domains=$domain&token=$token&txt=$4"
  323.         echo
  324.         ;;
  325.     "clean_challenge")
  326.         curl "https://www.duckdns.org/update?domains=$domain&token=$token&txt=removed&clear=true"
  327.         echo
  328.         ;;
  329.     "deploy_cert")
  330.         sudo systemctl restart home-assistant@homeassistant.service
  331.         ;;
  332.     "unchanged_cert")
  333.         ;;
  334.     "startup_hook")
  335.         ;;
  336.     "exit_hook")
  337.         ;;
  338.     *)
  339.         echo Unknown hook "${1}"
  340.         exit 0
  341.         ;;
  342. esac
  343.  
  344.  
  345. Be sure to change the token and domain at the top of the script. Also make the hook script executable:
  346.  
  347. $ chmod 755 hook.sh
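
hook.sh carries the DuckDNS token and mode 755 makes it readable by every local account. The following is an added example, not from the original paste or the dehydrated project, of keeping the token in a separate file that is refused unless it is private to its owner; the token file name and both function names are hypothetical, and the token value is a constructed sample.

```bash
#!/usr/bin/env bash
# Added example (not from the original paste or the dehydrated project).
# Keeps the DuckDNS token out of the world-readable hook script: the token
# lives in its own file, and that file is rejected when group or others
# have any permission on it.

# Succeed only if $1 is a regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1")          # GNU stat, e.g. "600" or "755"
    case "$mode" in
        *00) return 0 ;;               # last two octal digits: group, other
        *)   return 1 ;;
    esac
}

# Print the token stored in $1, or fail with a message on stderr.
load_duckdns_token() {
    if ! is_private_file "$1"; then
        echo "refusing token file $1: run chmod 600 on it" >&2
        return 1
    fi
    tr -d '[:space:]' < "$1"
}

# Demonstration with a constructed token in a temporary directory.
demo_dir=$(mktemp -d)
printf 'constructed-sample-token\n' > "$demo_dir/duckdns.token"
chmod 644 "$demo_dir/duckdns.token"
load_duckdns_token "$demo_dir/duckdns.token" || echo "world-readable file rejected"
chmod 600 "$demo_dir/duckdns.token"
token=$(load_duckdns_token "$demo_dir/duckdns.token")
echo "loaded token of ${#token} characters"
rm -rf "$demo_dir"
```

In hook.sh the hard-coded `token="..."` line would become a call to `load_duckdns_token` with the path of the token file.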
  348.  
  349.  
  350. Generating the Certificate
  351.  
  352. Time to run dehydrated.
  353.  
  354. First, register a new private key with letsencrypt:
  355.  
  356. $ ./dehydrated --register --accept-terms
  357.  
  358. Should see:
  359.  
  360. # INFO: Using main config file /home/homeassistant/dehydrated/config
  361. + Generating account key...
  362. + Registering account key with ACME server...
  363. + Done!
  364.  
  365.  
  366. Then generate the certificate:
  367.  
  368. $ ./dehydrated -c
  369.  
  370. Should see:
  371.  
  372. # INFO: Using main config file /home/homeassistant/dehydrated/config
  373. Processing myhome.duckdns.org
  374. + Signing domains...
  375. + Generating private key...
  376. + Generating signing request...
  377. + Requesting challenge for myhome.duckdns.org...
  378. OK
  379. + Responding to challenge for myhome.duckdns.org...
  380. OK
  381. + Challenge is valid!
  382. + Requesting certificate...
  383. + Checking certificate...
  384. + Done!
  385. + Creating fullchain.pem...
  386. + Walking chain...
  387. + Done!
  388.  
  389.  
  390. That's it. We now have a valid certificate!
  391.  
  392. Automate Renewing
  393.  
  394. Let's Encrypt certificates expire after 90 days, so we need to renew them automatically. We simply call dehydrated via cron on the 1st day of every month:
  395.  
  396. $ crontab -e
  397.  
  398. Add:
  399.  
  400. 0 1 1 * * /home/<username>/dehydrated/dehydrated -c
  401.  
  402.  
  403. Reconfigure HomeAssistant
  404.  
  405. Need to add read privileges to the dehydrated folder for the homeassistant user:
  406.  
  407. $ sudo setfacl -R -m u:homeassistant:rwx /home/<username>/dehydrated
  408.  
  409. Edit your configuration.yaml and add the new certificate to the http section:
  410.  
  411. configuration.yaml
  412.  
  413. http:
  414.   .
  415.   .
  416.   .
  417.   ssl_certificate: /home/<username>/dehydrated/certs/yourdomain.duckdns.org/fullchain.pem
  418.   ssl_key: /home/<username>/dehydrated/certs/yourdomain.duckdns.org/privkey.pem
  419.  
  420.  
  421. Finally restart HomeAssistant
  422.  
  423. $ sudo systemctl restart home-assistant@homeassistant.service
  424.  
  425. Your HomeAssistant should now be available via https://yourdomain.duckdns.org:8123.
  426.  
  427.  
  428. Set up an automation to show the status of your certs on the dashboard
  429.  
  430. $ sudo apt-get update
  431. $ sudo apt-get install ssl-cert-check
  432.  
  433.  
  434.  
  435. Install Mosquitto:
  436.  
  437. $ sudo apt-get install mosquitto
  438. $ sudo apt-get install mosquitto-clients
  439.  
  440. Edit the config file:
  441.  
  442. $ sudo nano /etc/mosquitto/mosquitto.conf
  443.  
  444. Add the following:
  445.  
  446. allow_anonymous false
  447. password_file /etc/mosquitto/pwfile
  448. listener 1883
  449.  
  450. comment out the existing line:
  451.  
  452. # include_dir /etc/mosquitto/conf.d
  453.  
  454. save
  455.  
  456. Create a username:
  457.  
  458. $ sudo mosquitto_passwd -c /etc/mosquitto/pwfile <username>
  459.  
  460. It will then ask for a password
  461.  
  462.  
  463. To test:
  464.  
  465. Open two instances of putty
  466.  
  467. In one instance put in the following:
  468.  
  469. $ mosquitto_sub -d -u <username> -P <password> -t "dev/test"
  470.  
  471. This will subscribe to the topic “dev/test” and listen until you stop it with Ctrl-C
  472.  
  473. In the other instance put in:
  474.  
  475. $ mosquitto_pub -d -u <username> -P <password> -t "dev/test" -m "Hello world"
  476.  
  477. This will publish the words “Hello world” to the topic “dev/test”
  478.  
  479. you should see those words appear in the listener
  480.  
  481. You can test it in HA by opening the services area, selecting mqtt, selecting publish, then filling in the desired phrase:
  482.  
  483. {
  484.   "topic": "dev/test",
  485.   "payload": "hello world"
  486. }
  487.  
  488. Then click call service
  489.  
  490. You should see those words pop up again in the listener
  491.  
  492. To access the MQTT server from outside your network set up your router to open port 1883