Home Assistant Installation using Docker on NUC in Debian 9

NUC installation using Docker:

Throughout this procedure you'll need to add your personal details to different sections. Replace anything that has anything between "<...>" or where it says "your" in it.

Install Debian 9 Desktop:

use win32diskimager to create a live cd on USB stick

If needed, follow the instructions for UEFI boot repair from:

https://arstechnica.com/gadgets/2014/02/linux-on-the-nuc-using-ubuntu-mint-fedora-and-the-steamos-beta/

install from USB live but don’t reboot.

Open terminal and the do the following:

$ sudo mount /dev/sda1 /mnt
$ sudo mkdir /mnt/EFI/BOOT
$ sudo cp /mnt/EFI/ubuntu/* /mnt/EFI/BOOT
$ sudo mv /mnt/EFI/BOOT/grubx64.efi /mnt/EFI/BOOT/bootx64.efi

- reboot

Add user to sudoers file:

$ su

Enter root password

$ adduser <username> sudo
$ exit

- reboot

install openssh-server from command line:

$ sudo apt-get install openssh-server

Install curl:

$ sudo apt install curl

Install git:

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install git


Setup a static IP

$ sudo nano /etc/dhcpcd.conf

Edit /etc/dhcpcd.conf as follows:

#here is an example which configures a static address, routes and dns.
       interface eth0
       static ip_address=192.168.1.11/24
       static routers=192.168.1.1
       static domain_name_servers=192.168.1.1 8.8.8.8

save & reboot

install Putty on the computer you will use to remotely access your Home Assistant machine

Set up a Key for encrypting SSH:

Generate key using puttygen

Create a new .ssh directory (if not already created by default…)

$ mkdir .ssh

Change permissions on .ssh to 700 (if not done by default…)

$ chmod 700 .ssh

Create a file called “authorized_keys” using nano

$ nano ~/.ssh/authorized_keys


Copy & paste the key from puttygen into that file.

- Save file

Change permissions of “authorized_keys” to 600

$ chmod 600 ~/.ssh/authorized_keys

Restart SSH service

$ sudo service ssh restart

Exit putty session

Run Putty but don't connect then open saved session info & add key to “auth” under SSH

Change ssh to not allow password login

$ sudo nano /etc/ssh/sshd_config

Add the following line

PasswordAuthentication no

- Save

Restart ssh service

$ sudo service ssh restart

Get rid of iv6

$ sudo nano /etc/sysctl.conf

Add:

net.ipv6.conf.all.disable_ipv6=1

- Save file

Commit changes

$ sudo sysctl -p


Install & setup WinSCP on the computer you plan to use to remotely edit your configuration files:

Give WinSCP the ability to edit files:

Select SCP/Shell under Environment
Select profile.
Select edit.
Select advanced.
Under Shell on the left select “bin/bash“

After authorized keys from above is complete:

Select profile.
Select edit.
Select advanced.
Select Authentication under SSH on the left
Enter location of private key you saved from Puttygen above


Setup duckdns

create a dynamic dns name (using duckdns.org)

yourdomain.duckdns.org
yourdomain2.duckdns.org (not required)
token = xxxxxxxxxxxxxxxxxxxxxxxxxxx

install duckdns

$ mkdir duckdns
$ cd duckdns
$ nano duck.sh

create an update script by entering the following:

echo url="https://www.duckdns.org/update?domains=yourdomain,yourdomain2&token=xxxxxxxxxxxxx" | curl -k -o ~/duckdns/duck.log -K -

- save file

change permissions on file

$ sudo chmod 700 duck.sh

set it to update the public ip every 5 minutes

$ sudo crontab -e

Pick default editor (selection 1)

Add line:

*/5 * * * * ~/duckdns/duck.sh >/dev/null 2>&1

- Save file

Test the file

$ ./duck.sh
$ cat duck.log

Should see ‘OK’


Install Docker

https://docs.docker.com/install/linux/docker-ce/debian/#install-docker-ce-1

$ sudo apt-get install \
     apt-transport-https \
     ca-certificates \
     curl \
     gnupg2 \
     software-properties-common

$ curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add –
$ sudo apt-key fingerprint 0EBFCD88
$ sudo add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"

$ sudo apt-get update
$ sudo apt-get install docker-ce


To test docker installed correctly:

$ sudo docker run hello-world

To update docker:

$ sudo apt-get update
$ sudo apt-get install docker-ce


Install Docker Images

Homeassistant:

Create a new config directory:

/home/<username>/docker/hass-config (or wherever you want it but you will need to adjust the paths below accordingly)

Create and run a new home assistant container:

$ sudo docker run -d --name="home-assistant" --restart=unless-stopped -v /home/<username>/docker/hass-config:/config -v /etc/localtime:/etc/localtime:ro --net=host homeassistant/home-assistant

The above will create the basic config files at the config directory. Copy existing config files to that directory & restart the container.

The above will only create an installation of HA without the access to the zigbee and z wave devices.

If you already have an existing zwave or zigbee install on another HA then copy the options.xml & ozw config xml files to the config directory

To get access to the USB devices run the following:

$ sudo docker run -d --name="home-assistant" --restart=unless-stopped -v /home/<username>/docker/hass-config:/config -v /etc/localtime:/etc/localtime:ro --device /dev/zigbee:/dev/zigbee --device /dev/ttyUSB-ZStick-5G:/dev/ttyUSB-ZStick-5G  --net=host homeassistant/home-assistant

The above will work when you modify the /etc/udev/rules.d/99-com.rules file to make the zigbee & zwave USB sticks persistent.

For the Aeotec Zwave Gen 5 USB stick add this to the end of above udev file:

SUBSYSTEM=="tty", ATTRS{idVendor}=="0658", ATTRS{idProduct}=="0200", SYMLINK+="ttyUSB-ZStick-5G"

If you want to use the HUSBZB-1 Zigbee stick add the following to that same file:

SUBSYSTEM=="tty", ATTRS{interface}=="HubZ ZigBee Com Port", SYMLINK+="zigbee"

One problem using Docker is that you can't run shell commands on the host machine from within the Home Assistant container.
To be able to do that you need to see the section below to set it up. Then come here and run the new docker command to enable that functionality:

$ sudo docker run -d --name="home-assistant" --restart=unless-stopped -v /home/<username>/docker/hass-config:/config -v /etc/localtime:/etc/localtime:ro -v /home/finity/docker/sshkey/.ssh:/root/.ssh --device /dev/zigbee:/dev/zigbee --device /dev/ttyUSB-ZStick-5G:/dev/ttyUSB-ZStick-5G  --net=host homeassistant/home-assistant


To install a specific version of Home Assistant add

:0.xx.x

To the end of the image name

##########################################################

these containers are all optional but are useful:

Portainer:

https://portainer.readthedocs.io/en/stable/deployment.html#quick-start

$ sudo docker run --name portainer -d -p 9001:9000 --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /opt/portainer:/data portainer/portainer

user: admin
pass: net

create a new user & password

-------------

NGINX/Letsencrypt:


From: https://community.home-assistant.io/t/nginx-reverse-proxy-set-up-guide-docker/54802


Get uid & gid:

$ id <username>

Create config directory

$ mkdir /home/<username>/docker/letsencrypt/config

Forward ports 80 & 443 to your NGINX machine.

Run the docker container:

$ sudo docker run -d --cap-add=NET_ADMIN --name=letsencrypt --restart=unless-stopped -v /home/<username>/docker/letsencrypt/config:/config -v /etc/localtime:/etc/localtime:ro -e PGID=1000 -e PUID=1000 -e EMAIL=<youremail@address.com> -e URL=yourdomain.duckdns.org -e SUBDOMAINS=hass,conf,graf -e VALIDATION=http -p 80:80 -p 443:443 -e TZ=<your timezone> linuxserver/letsencrypt

Once you run the container, you’ll need to edit (DON’T RENAME THE OLD DEFAUALT FILE TO SOMETHING ELSE – IT WILL MESS IT UP) the default file at:

home/<username>/docker/letsencrypt/config/nginx/site-confs/default

Make sure you comment out the following lines in the server blocks.

  auth_basic "Restricted"#;
  auth_basic_user_file /config/nginx/.htpasswd;

These lines will enforce password protection from Nginx and when you try to login you will not be able. You may need to activate this for some component. For instance the configurator component, for some reason will no longer follow its settings file and once live you’ll be able to access it without password. So you’ll need to create an Nginx user:password with this command: docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd .

Default config file:

###########################################
## Version 2018/04/20 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
#server {
#   listen 80;
#   server_name _;
#   return 301 https://$host$request_uri;
#}

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name yourdomain.duckdns.org;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass <yourmachine IP>:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#   location ^~ /cp {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.50:5050/cp;
#   }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#   listen 443 ssl;
#
#   root /config/www;
#   index index.html index.htm index.php;
#
#   server_name cp.*;
#
#   include /config/nginx/ssl.conf;
#
#   client_max_body_size 0;
#
#   location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.50:5050;
#   }
#}

### HOMEASSISTANT ####

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name hass.<username>.duckdns.org;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#       auth_basic "Restricted";
#       auth_basic_user_file /config/nginx/.htpasswd;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering               off;
        proxy_ssl_verify              off;
#       include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.11:8123;
    }
}

### CONFIGURATOR ###
#
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name conf.bussnet.duckdns.org;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#       include /config/nginx/proxy.conf;
#       proxy_pass http://192.168.1.11:3218;
#    }
#}

### GRAFANA ###
#
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name graf.xxxxxxx.duckdns.org;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
##       auth_basic "Restricted";
##       auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.11:3003;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;


-----------------------------------------


Synchthing:

$ sudo docker create --name=syncthing --restart=unless-stopped -v /home/<username>/docker/syncthing/config:/config  -v /home/<username>/docker/hass-config:/hass-sync -v /etc/localtime:/etc/localtime:ro -e PGID=1000 -e PUID=1000 -e UMASK_SET=000 -p 8384:8384 -p 22000:22000 -p 21027:21027/udp  linuxserver/syncthing

Install Syncthing on the other computer.

Create a new folder named /hass-sync and share it

-------------------------------

Ha-dockermon:

$ sudo docker run -d --name=ha-dockermon --restart=unless-stopped -v /var/run/docker.sock:/var/run/docker.sock -v /home/<username>/docker/ha-dockermon:/config -p 8126:8126 philhawthorne/ha-dockermon

--------------------------------

MQTT:

$ sudo docker run -itd --name=eclipse-mosquitto -p 1884:1883 -p 9002:9001 -v /home/<username>/docker/mqtt/config/mosquitto.conf:/mosquitto/config/mosquitto.conf -v /home/<username>/docker/mqtt/config/passwd:/mosquitto/config/passwd -v /home/<username>/docker/mqtt/data:/mosquitto/data -v /home/<username>/docker/mqtt/log:/mosquitto/log -e PGID=1000 -e PUID=1000 -e UMASK_SET=000 eclipse-mosquitto

Download the default mosquitto.conf file from:

https://raw.githubusercontent.com/eclipse/mosquitto/master/mosquitto.conf


and edit as necessary. Change the persistence info and logging.


Give those files full permissions using:

$ sudo chmod 777 -R /home/<username>/docker/mqtt/


Then enter the shell of the container by:

$ sudo docker exec -it eclipse-mosquitto sh

Create a username and password:

/ # mosquitto_passwd -c /mosquitto/config/passwd/pwfile <mqtt username>

Once it goes to the next line just type in the password (there won’t be a prompt until after you hit enter)
Re-enter password

/ # exit

--------------------------------

OZWCP:


for the zwcfg... file you will need to find out the correct file name from your config folder.

https://github.com/ruimarinho/docker-openzwave

$ sudo docker create --name openzwave -itd -p 8090:8090 --device=/dev/ttyUSB-ZStick-5G -v /home/<username>/docker/hass-config/options.xml:/root/open-zwave-control-panel/config/options.xml -v /home/<username>/docker/hass-config/zwcfg_0xecbef344.xml:/root/open-zwave-control-panel/zwcfg_0xecbef344.xml ruimarinho/openzwave

How to use this image:
To launch the OpenZWave Control Panel, you should add a device map to your Z-Wave Controller and map the server port (by default 8090).
In this example, the USB Z-Wave Controller is available on the host under /dev/ttyACM0, but the USB device enumeration varies from host and OS (another popular nomenclature is /dev/ttyUSB*).

❯ docker run --rm -it -p 8090:8090 --device=/dev/ttyACM0 ruimarinho/openzwave

Now go to http://127.0.0.1:8090 and enter /dev/ttyACM0 under Device name. Click on Initialize to boot the network and that's it.

Integration with Home Assistant:
As mentioned below, you can also share the zwcfg_0x_<HomeId>.xml and options.xml file between applications on the host. The following is an example of sharing the Z-Wave network configuration with the popular Home Assistant home automation software, available under /volume1/applications/home-assistant/.

First, stop Home Assistant. Assuming you've used --name home-assistant when launching the container (otherwise you need to grab its container id), run:
❯ docker stop home-assistant

Launch the OpenZWave Control Panel:
❯ docker run --name openzwave --rm -it -p 8090:8090 \
  --device=/dev/ttyACM0 \
  -v /volume1/applications/home-assistant/options.xml:/root/open-zwave-control-panel/config/options.xml \
  -v /volume1/applications/home-assistant/zwcfg_0x00001111.xml:/root/open-zwave-control-panel/zwcfg_0x00001111.xml \
  ruimarinho/openzwave

Run all the desired operations on the OpenZWave Control Panel and don't forget to hit Save if you've changed something.
When you're done, stop the OpenZWave Control Panel and launch Home Assistant again:
❯ docker stop openzwave && docker start home-assistant

Done!

--------------------------------

TasmoAdmin:

$ sudo docker run -d --name tasmoadmin --restart=unless-stopped -v /home/<username>/docker/tasmoadmin/data:/data -p 9003:80 raymondmm/tasmoadmin


The url is http://<your_host_ip>:9003 which opens TasmoAdmin.


--------------------------------

Zigbee2MQTT:

https://github.com/Koenkk/zigbee2mqtt

$ sudo docker run -itd --name="zigbee2mqtt" --restart=unless-stopped -v /etc/localtime:/etc/localtime:ro --net=host -v /home/<username>/docker/zigbee2mqtt/data:/app/data --device=/dev/Zigbee2MQTT koenkk/zigbee2mqtt

---------------------------------

Amazon-Dash:

https://github.com/Nekmo/amazon-dash

$ sudo docker pull nekmo/amazon-dash:latest

$ sudo docker run -itd --network=host --name="amazon-dash" --restart=unless-stopped -v /home/<username>/docker/amazon-dash/amazon-dash.yml:/config/amazon-dash.yml nekmo/amazon-dash:latest amazon-dash run --ignore-perms --root-allowed --config /config/amazon-dash.yml

###########################################

Add ability to use command line in docker container:

https://hastebin.com/sojasolite.sql

1-Need to modify the host user privileges to skip typing your password with sudo
sudo visudo
hostuser ALL=(ALL) NOPASSWD:ALL

2-create the following directory:
$ mkdir /home/<username>/docker/sshkey/.ssh

Then mount this volume in HA container to preserve the sshkey generated from the HA container and used to execute shell commands. Key will then persist through reboot or upgrades.
-v /home/hass/<username>/sshkey/.ssh:/root/.ssh

3-login to container via portainer or

$ sudo docker exec -it home-assistant /bin/bash

4-generate sshkey. - https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
$ ssh-keygen -t rsa  (press enter, enter, enter)

5-copy the sshkey to your host ***
$ ssh-copy-id hostuser@192.168.x.x (type password when prompted)

*** this won’t work if you have an existing authorized_keys file. You have to copy the key manually into the file. Put one key per line with no lines between them.


MI45fiHjJAeyCxH//eSFrI9Mzi2NR9njQTAW5YviSmvetYjuCTLHSTVOFycgiHR34Tfn2LUSOALQ7zUvq8yXseVFI7OHC5X07zPnbvQw28UMAlmhego6rOZ3exQKobORwqYpk7xVRj5FNr4vnff2/u7SWsZRlQylUBa4ZKK+W1TPEc7knXPl8cesh3YJ+J62ncCiNVgzSgQ7qjMmrRnuLkB3DNKPs1BIlC6t3x0abMotSgom0WZIGGGIR3MIouFp root@NUC

additional info from:

https://megamorphf.github.io/homeassistant/hyperion/ssh/hassio/2018/01/22/controlling-anything-via-ssh.html

https://www.cyberciti.biz/tips/linux-multiple-ssh-key-based-authentication.html

https://wiki.mcs.anl.gov/IT/index.php/SSH_Keys:authorized_keys
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++