Okay, let me start by saying that I really do love Home Assistant. I believe that it is a fantastic piece of software, with very dedicated developers that are far more talented than I. Although, that being said, I strongly disagree with a number of their design choices.
My most recent problem has been trying to put Home Assistant behind a reverse proxy with a subpath. The Home Assistant developers flat out refuse any contribution that adds support for this. Supposedly, the frontend has hard-coded paths for some views, to me this doesn’t sound like a good practice to begin with – that being said, I mostly program in Go these days (so I’m unsure if this is something that is pretty common in some frameworks or languages). The official solution is to use a subdomain, which I can’t do – I’m trying to route all services through a Tailscale Funnel (which only provides a single domain; I doubt that Tailscale Funnels where ever designed for this purpose, but I’m trying to completely remove Cloudflare Tunnels for my selfhosted services).
The other major problem I’ve ran into, is that HAOS assumes that you would have no need to run any other Docker services other than those that are add-ons or Home Assistant itself. Which, I’m sorry (not really), Home Assistant add-ons are an absolute pain to deal with! Sure, when they work, they’re supper simple, but having to write an add-on for whenever I just want to spin up a single Docker container is not going to work for me.
Now, some smaller issues I’ve had:
- There’s no way to change the default authentication providers. I host for my (non-techie) family, they’re not going to know what the difference between local authentication and command-line authentication is, just that one works and the other doesn’t.
- Everything that is “advanced” requires a workaround. Like mounting external hard drives and sharing it with containers in HAOS requires you to setup the Samba add-on, add the network drive, and then you can use it within containers.
Again, I still really love Home Assistant, it’s just getting to a point where things are starting to feel hacky or not thought out all the way. I’ve considered other self-hosted automation software, but there really isn’t any other good alternative (unless you want to be using HomeKit). Also, I’m a programmer first, and far away from being a self-hosting pro (so let me know if I’ve missed any crucial details that completely flip my perspective on it’s head).
If you got to the end of this thanks for reading my rant, you’re awesome.
Have you considered not using the Home Assistant OS? You don’t need to run it to use Home Assistant. You can instead set your host up with some other OS, like Debian, and then run Home Assistant in a docker container (or containers, plural) and run any other containers you want.
I’m not doing this myself so can’t speak to its limitations, but from what I’ve heard, if you’re familiar with Docker then it’s pretty straightforward.
A lot of apps use hard coded paths, so using a subdomain per app makes it much easier to use them all. Traefik has middleware, including stripPrefix, which allow you to strip a path prefix before forwarding the path to the app, though - have you tried that approach?
Strip prefix won’t work if the frontend expects to find paths at absolute locations. You would need to patch the html, css and js on the fly, which is somewhere between ugly and (almost) impossible.
I would also suggest to simply use custom (sub) domains. Especially in your intranet you can have whatever domains you want.
Strip prefix won’t work if the frontend expects to find paths at absolute locations. You would need to patch the html, css and js on the fly, which is somewhere between ugly and (almost) impossible.
This is what I’ve seen would be the only “feasible” way of getting HA to work behind a subpath, in my opinion this only works for very small application though (not something as complex as Home Assistant).
I’m (currently) on Raspberry Pi OS (as I need something that “just works”). Home Assistant is running in Docker like everything else.
A lot of apps use hard coded paths, so using a subdomain per app makes it much easier to use them all. Traefik has middleware, including stripPrefix, which allow you to strip a path prefix before forwarding the path to the app, though - have you tried that approach?
I should’ve mentioned this, but I’m using Nginx (I really enjoy the simplicity of just having to add a section to a file whenever I want to add something). Before running HAOS I was running RPIOS again and used Traefik, it worked (but felt like a lot more work to setup than just a plain Nginx setup).
Edit: I forgot to mention, but there are things like
stripPrefix
for Nginx, I’m going to look into them. Although, this is what I meant, when you start to do things that are “advanced” with Home Assistant they turn into “hacks,” and the barrier for advanced things feels a lot lower than with other self-hosted services (and I get that Home Assistant is very complex under the hood, it’s just frustrating).This was going to be my suggestion. Just run home assistant as a Docker container, problem solved!
Still no subpaths, changing default authentication providers, and there can still be workarounds that feel hackish (I’ve used HA is a container before) the difference is that you’ll do less in Home Assistant, so you avoid them as much as possible.
You can’t use add-ons when running HA as a docker container, which basically lobotomizes it.
Yes you can. It requires those docker containers to be installed and plugged into it on a stand alone system. This is exactly what HAOS is doing behind the scenes for is users and why many stick with it.
Addons are just other containers, you can run them next to ha
You don’t get the direct integration then though, as far as I’m aware there’s no way to manually setup an addon
What direct integration? You get a button on the UI, vs you do everything the way you want.
HAOS is intended for people who want everything to just work, without much fiddling. If you need something more, you need a docker based install. You can do everything there and even more, but you have to set it up manually.
deleted by creator
It’s relative, I guess.
deleted by creator
Yeah, that’s why I finally ditched it, (I said this in another reply) but it was intended to be something the family could figure out if I wasn’t available or something did happen to me. There’s no way they could figure all of that out, doubly so with everything that felt “hackish” just to get Home Assistant and Jellyfin running.
I’d rather them have a usable experience now, that I setup with the least amount of hacks and cloud services. I know it’s kinda weird and an unhappy reason, but it also (hopefully) will make my life easier.
deleted by creator
Add ons are just shitty packaging of other software. Just run the other software directly.
What kind of addons? I have HACS and it works fine.
-
No backup solutions besides manual backing up and then setting up baremetal backing up
-
no configuration editor
-
HACS works, but no custom addons
-
manual configuration of esphome/nodered/mosquitto (I prefer this though)
I prefer docker because it is comfortable for me and I run all my services on one server, but it is indeed a bit less easy.
When I host multiple services, I need to back them up as well. I simply mount all data volumes of all containers into a unified location that gets backed up by kopia every hour.
Since the volume is directly on disk, I also didn’t have any problems editing configuration files.
The things I see listed as addons on the website are dedicated services anyway, that have images of their own you can easily spin up as containers.
I think if someone is advanced enough to want to run HASS on their own together with other stuff, they prefer to have more control anyway.
For sure, but the point is that it isn’t integrated into homeassistant.
For many people, they want to do everything from homeassistant. You can always have kludged together solutions. I edit my configs with VIM and backup to my central backup location via an automation. However, this is doing things outside of homeassistant that many people find inconvenient.
My point however was that people who want that kind of convenience (or rather who don’t want to fiddle around manually), why would they want to run HASS in a container in the first place? Either you are tinkerer, then it doesn’t matter or you are not, in which case you probably don’t arrive at the point of running HASS on anything other than a preinstalled distro in the first place.
I prefer docker because it is comfortable for me and I run all my services on one server, but it is indeed a bit less easy.
Reading all of these replying I’m starting to think that maybe my problem was assuming that because add-ons are Docker container they should be treated as such.
-
Yes and no. If you want a really simple setup HAOS add-ons are amazing, but as soon as you want to run something someone else hasn’t created a container for you’re stuck doing extra work than just writing a
Dockerfile
ordocker-compose
. Plus, you can’t setup networks between them and (as mentioned in the original post) sharing drives can be hackish as well.The (grim) reason had I tried HAOS was because of the promise of something really simple that my family could figure out if something ever happened to me.
Home Assistant OS add-ons are usually just repackaged and pre-configured Docker containers. The only thing the add-ons system really gives you is convenience
There’s alternative installation methods.
I think your missing the point of HAOS, it’s an appliance. You don’t manage it like a normal self host system.
Once you treat it as an appliance, it’s great. Also there is a portainer agent you can run that will connect to a portainer instance.
As for your tunnel issues, maybe the tunnel thing is your biggest issue. I run all my self host stuff on its own subdomain, if I want to route something home I use the site to site VPN I have. Even a cheap ovh vps could be a way to run stuff on subdomains
Require a subdinain should not be mandatory in 2024.
Sub paths should be such a basic feature that’s ridiculous devs don’t even take that into consideration.
Why? Because a software requiring absolute paths is as old and obsolete as an msdos program, and the only real reason it happens today is… Bad design choices or limited frameworks.
Requiring a full URL will be more of security thing I would guess, as some users put HA on the internet and it could have access to open doors.
Also I have tried things on sub paths and it got very complicated to know where a service was, a domain keeps things easy to setup and manage. As I run internet facing services for my day job, I have to look at both security and easy of maintenance when setting things up.
I would say that if you need a path over domain, its a skill issue and you need to find a better way of working.
Not really… Your attitude is the problem.
Sub paths are simpler to deploy: need only one certificate, need only one subdomain.
In any case you need reverse proxy so security is not the matter here.
Your use cases are not mine and both ways should always be possible.
You never need a subpath over a subdomain, nor viceversa, it is (or should) always be a choice.
Ok, I dont get your point of view. As I dont see the need to sub path things.
What I do see is a lot of people who seem to think that a sub-path is good security, cheaper to run and lots of other things.
First off, you can get free lets encrypt certs and even a wildcard cert if you know how. Also you can get a SAN cert with a little config of certbot.
Second, you dont need an A record for every domain. You can use a c-name or even a wildcard to catch any domain name.
Then the security is all crap, if the sub path is on the internet it will get found in time. A domain is just more obvious, you can also name the sub domain anything you want. Case in point is my nextcloud on an owncloud sub domain.
If you start to look into ways to automate all that, then things are trivial to add to. I use OVH for my domains, as they provide an API that I can use with certbot to get any certificate I want for my domain. I can also use the API to provision a new subdomain, be that an A record or c-name. But I have a wildcard subdomain so that I can spin up anything on any subdomain and I dont have to do any setup.
A all my services are behind pam-auth, so nobody unless autheorized can see any subpaths. That fix it for security.
And that make it that browser will ask you to save password and login for each subdomain… But only once for a subpaths.
But beside this, is freedom of choice such difficult to grasp? My use cases are not yours, better be free to choose rather than forced, isn’t it?
I do have few subdomains as well, I know perfectly how to automatize them and in fact I do, but I don’t like having two ways and specially not just because some Dev don’t want to look into supporting subpaths. The number of services not supporting subpaths is the vast minority, so there must be enough people wanting to use them after all. And in all cases, they don’t support subpaths because framework don’t support them (immich) or because devs don’t care (ha).
Stuff like gitea, gerrit, WordPress, all wiki’s I ever tried, arrs, jellyfin, podfetch are just the first that pops into my mind that I use and support subpaths.
The other major problem I’ve ran into, is that HAOS assumes that you would have no need to run any other Docker services other than those that are add-ons or Home Assistant itself.
With the caveat that I can tell just from your post that I certainly know way less about this stuff than you do, HAOS’ assumption seems pretty reasonable to me. Isn’t the point of using HAOS (as opposed to installing HA some other way) that you’d be either (a) using it by itself on bare-metal hardware, or (b) using it in a VM? I’m running HAOS and Docker in two different VMs on Proxmox, and it’s working fine for me so far.
(The first complaint you mentioned, about reverse proxies and subpaths, sounds a lot more legitimate. In fact, that’s something I’d like to learn more about because I haven’t yet figured out how to make my HA install – or anything, for that matter – accessible outside my LAN and “Tailscale Funnel” sounds intriguing.)
I’m running HAOS and Docker in two different VMs on Proxmox, and it’s working fine for me so far.
So, I think I’ve mentioned this in another reply, but, I have a very minimal setup. It’s a RPi4 as the main device, Starlink as the ISP (CGNAT; no port-forwarding), and now Tailscale as the only way to access outside of my LAN. I agree that HAOS meets it’s primary job of running Home Assistant. Although, I don’t have the option to run Proxmox (at least I’ve never seen anyone run Proxmox on an RPi) and also have a massive music library (and soon a large movie and TV show collection, once I rip all of those DVDs) so I really only need to run a few things:
- A dashboard to make accessing the services easier for the family.
- A reverse proxy to handle subpaths (this used to be Cloudflare Tunnels with subdomains and NPM with subpaths, now it’s just Nginx).
- Tailscale (to expose services and run a VPN to get past the CGNAT).
- Jellyfin (for TV shows and movies).
- A forked version of Goinc (I have a fork with LDAP support, there’s an open pull request for it, but it needs a little extra work; this wasn’t ran on HA).
- Something to run LDAP authentication.
- Some Home Automation software (was Home Assistant, I migth switch to something else).
Edit: I also run Vaultwarden.
I’ve really scaled things back since previous self-hosting journeys, and when I first started with HAOS there was even less going on, and really I need things to just work. I’m learning now that my mistake was assuming that HAOS add-ons are supposed to behave just like a Docker container, they’re not. I’ve learned the hard way, but, I still don’t love HA’s attitude towards something that are deemed “complex,” such as sub-paths and alternative authentication providers.
I’m on RPi OS now.
I can’t grasp your use case I feel, pretty much all your complaints seem… odd. To me at least.
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
As for your tunnel I don’t know how you’ve set it up and I haven’t used tailscale but them only allowing one domain sounds like a very arbitrary limit, is it something that costs money to add? I use NetBird which I selfhost on my VPS and from there tunnel into my much beefier home setup.
Then docker in HAOS. The proper way I feel of running HA is for sure HAOS, and also running it in its own VM / or on dedicated hardware. This because you will likely need to couple additional hardware like a stick providing support for more protocols like ZigBee or Matter. It really isn’t a good solution for running all your self hosted stuff, and wasn’t ever intended to be. Running Plex in HA for instance is just a plain bad idea, even if it can be done. As such the need for an external drive seems strange as well. If you need to interact with storage you should set up a NAS and share over SAMBA. All this to say that HA should be one VM/Device, your docker environment another VM.
As for authentication there are 10k plus contributors to Home Assistant yearly but very few bother to make authentication more streamlined. I would’ve loved OpenID/OAuth2 support natively but there are ways to do so with custom components and in the end I quite strongly feel that if the end-users of your smarthome setup (i.e. the wife and kids) need to login to Home Assistant then you’ve probably got more work to do. Remote controls which interact with HA handle the vast majority of manual interaction and I’ve dabbled with self-hosted voice interfaces for the more complex operations.
Sorry if this came across as writing you on the nose, that’s not my intention. I just suspect you’re making things harder for yourself and maybe have a strange idea around how to selfhost in general?
You make some good points, I’ve said a few times now that I mistook Home Assistant add-ons as traditional Docker containers (which I’ve learned the hard way is flat out wrong, you know what they say about assumptions).
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
I don’t agree with the comment replying about how developers are lazy. That being said, I also wouldn’t call a subpath an anti-pattern, it’s not uncommon and I wouldn’t say that it is always a bad idea (they have some pros and cons on subdomains and it’s what my setup calls for).
As for your tunnel I don’t know how you’ve set it up and I haven’t used tailscale but them only allowing one domain sounds like a very arbitrary limit, is it something that costs money to add? I use NetBird which I selfhost on my VPS and from there tunnel into my much beefier home setup.
There’s an open feature request for subdomains, but it hasn’t really gone anywhere. I’m assuming that it must be how they handle SSL certificates.
As for authentication there are 10k plus contributors to Home Assistant yearly but very few bother to make authentication more streamlined. I would’ve loved OpenID/OAuth2 support natively but there are ways to do so with custom components and in the end I quite strongly feel that if the end-users of your smarthome setup (i.e. the wife and kids) need to login to Home Assistant then you’ve probably got more work to do. Remote controls which interact with HA handle the vast majority of manual interaction and I’ve dabbled with self-hosted voice interfaces for the more complex operations.
Yeah, I’ve seen the idea that Home Assistant shouldn’t be the part you interact with several times, but I don’t really know of any better things to handle this. None of us really love voice controls and I’ve toyed around with Google Home (but I think it’s absolute garbage and self-host to get away from companies like Google).
I just suspect you’re making things harder for yourself and maybe have a strange idea around how to selfhost in general?
Not my ideas that are strange, I’d love to have a traditional setup. I’ve mentioned it a few times in other replies, I just don’t want to be the “just look at my other replies” person, so here’s whats going on: Starlink is my ISP (CGNAT; I can’t port-forward), Tailscale is now my only way of accessing things off of my LAN (I didn’t mind Cloudflare Tunnels, but Cloudflare scares me and Jellyfin is a pretty important thing and supposedly if you want to stream video you’re not allowed/supposed to use Tunnels), my only device is an RPi4 (I’ve tried other devices, but I really love the simplicity of the Pi – and also don’t have many other devices that would work that good for self-hosting).
Again, I’d love to have a “normal” ISP (we live in the middle of no where) that lets me port-forward and is nice and something other than a Pi to host on, but this is what I’m stuck with.
Sorry if this came across as writing you on the nose, that’s not my intention.
It’s all good I get where you’re coming from, and I’m sure you understand what’s going on for me.
I think a VPS and moving to NetBird self hosted would be the simplest solution for you. $5 per month gives you a range of options and you can go even lower with things like yearly subscriptions. That way you get around the subdomain issue, you get a proper tunnel and can proxy whatever traffic you want into your home.
As for control scheme for your home automation you’ll need to come up with something that fits you but I strongly advise against letting users into Home Assistant. You could build a simple web interface that interacts via API with HA, through Node-Red is super simple if it seems daunting to build the API.
If a RPi 4 is what you’ve got and that’s it then I guess you’re kinda stuck for the time being. Home Assistant is often quite lightweight if you’re not doing something crazy so it runs well on even a RPi 3, same with NAS software for home use, it too works fine on a 3. If SBC is your style my recommendation is to setup an alert on whatever second hand sites operate in your area and pick up a cheap one to allow you to separate things and make the setup simpler.
Why are subpaths an a anti pattern?
Why is taking away choices a problem?
Everybody has its own usage case, why should we prevent them from using their?
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
It’s only an “anti pattern” because app developers are, on the whole, lazy bastards that start out hard coding stuff and then get discouraged at the amount of work needed to fix things after the fact.
I should know: I am one of these people.
It’s crap, it’s best to roll with the punches and use a sub domain.
That’s one part of it, but the other is that there’s no proper way to ensure you won’t cause issues down the line and it makes the configuration unclean and harder to maintain.
It also makes your setup dependent on seemingly unrelated things. Like the certificate for the domain which is some completely different applications problem but will break your Home Assistant setup all the same. That dependency issue can be a nightmare to troubleshoot in some instances, especially when it comes to stuff like authentication. Try doing SSO towards two different applications running on different subpaths on the same domain…
I second the complaint about subpaths. I have all my services on a single domain, except for HA. It’s for security by obscurity, when you issue a certificate for a subdomain you start getting malicious traffic probing for vulnerabilities almost immediately. I don’t have this problems for services with non-obvious subpaths.
I can’t understand the stubbornness of developers to accept patches for fixing this problem.
LetsEncrypt can hand out wildcard certs if you are able to add TXT records to your domain, if that helps any.I realised this was a stupid comment that doesn’t help any.
No no, that’s how i’m working around the problem now, but i’m sure sni sniffing will sooner or later make my domain well known
do – I’m trying to route all services through a Tailscale Funnel (which only provides a single domain
Seems like you have some limitation (I really don’t know tailscail funnel) in your setup, and now you expect them to work around it.
HAOS assumes that you would have no need to run any other Docker services other than those that are add-ons or Home Assistant itself.
Yes, HAOS is great when you have one dedicated machine for it, for example a RPi. That’s the whole purpose of HAOS, as far as I understand.
If you already have a zoo full of docker containers, then you want your Home Assistant (without HAOS) in just one more of your own containers.
Seems like you have some limitation (I really don’t know tailscail funnel) in your setup, and now you expect them to work around it.
Sub-paths are actually a fairly requested feature for Home Assistant. Although, they have a limitation of hard-coded paths, which they now expect us to work around. I’m actually fairly okay with that, they’re programmers who (a number of) work for free, with the exception of the few apart of Nabu Casa, and they’ve already exceeded my personal expectations it’s not like I deserve any features, but they also don’t deserve me to love 100% of their design decisions.
Yes, HAOS is great when you have one dedicated machine for it, for example a RPi. That’s the whole purpose of HAOS, as far as I understand.
I’ve admitted this already, but I seem to have totally miscalculated the ability of HAOS add-ons, and treated them like traditional Docker containers. This was my bad, and I learned the hard way, but at least now I know.
If you already have a zoo full of docker containers, then you want your Home Assistant (without HAOS) in just one more of your own containers.
I’m far from a zoo keeper. Once I setup everything on RPi OS again I’ll have just a few things for media (Jellyfin and a fork of Gonic, at least until my PR gets merged), Vaultwarden, and a home automation service (which may or may not be Home Assistant – if I can figure out a decent way of exposing it) I less services being hosted when I was on HAOS.
I’m always very wary of systems that require a user to deviate as much from the “usual” structure almost all other services use. HAOS has really weird configs and “all the functionality” that presumably breaks when you use docker and don’t have the supervisor for docker… well… If what HA did was the way to go… whi is it that tons of services use docker’s rather powerful internal networking features just fine but HA of all things can’t do that and requires weird addons that for some reason cannot live on any other system than a Debian with weirdly specific modifications (bye bye cgroupsv2)? This will break most other functionality of that host Debian. I mean… if only there was a widespread-way to provide a highly customized Linux kernel in an ephemeral environment that can just be plugged in and out of a host machine without changing the host machine itself… Nah, can’t have that, let’s cause more overhead with a VM…
I’m not willing to make that kind of modifications to my whole setup just for HA and in the long run, this rift between “the way it’s usually done” and “The HA-Way” will become bigger and bigger, causing more and more problems.
I will first admit that I am quite ignorant to Home Assistant.
I am a happy openHAB user for 5+ years. Have you considered switching to see if you like it?
I tried Home Assistant once or twice but never felt comfortable enough to switch.
I run stuff locally and can connect over VPN to my home and operate as if I am inside the home. I have not looked into these other cloudflare tunnels or tail scale as I don’t think it would provide any advantage to my current setup.
OpenVPN server running on my router does the trick.
I am a happy openHAB user for 5+ years. Have you considered switching to see if you like it?
I actually have considered it, and I’m still thinking about it.
I run stuff locally and can connect over VPN to my home and operate as if I am inside the home. I have not looked into these other cloudflare tunnels or tail scale as I don’t think it would provide any advantage to my current setup.
I have a strange setup. My ISP is Starlink (so I’m behind a CGNAT), meaning I kinda need another service to access them outside the network, but (as mentioned) I mainly host for my family who wouldn’t know how to work another app or VPN.
I had to look that up. So ya, I understand your problem a bit better. Wish I could offer some solutions.
For anyone interested…
“Starlink uses Carrier-Grade NAT (CGNAT) to avoid the need for 1,000s of IPv4 addresses, which can be a problem for some users due to how they are using Starlink. However, some VPN services like PureVPN can be used to bypass CGNAT restrictions on Port Forwarding.1 CGNAT prevents direct access to the Starlink antenna from the internet, making setting up a VPN or hosting services challenging. There is no direct public IP address assigned to the Starlink antenna, which hinders traditional methods of setting up a VPN server or hosting services like port forwarding and DMZ access”
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT HA Home Assistant automation software ~ High Availability HASS Home Assistant automation software IP Internet Protocol LXC Linux Containers NAS Network-Attached Storage NAT Network Address Translation Plex Brand of media server package RPi Raspberry Pi brand of SBC SAN Storage Area Network SBC Single-Board Computer SSL Secure Sockets Layer, for transparent encryption SSO Single Sign-On TCP Transmission Control Protocol, most often over IP TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting)
17 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.
[Thread #519 for this sub, first seen 17th Feb 2024, 08:05] [FAQ] [Full list] [Contact] [Source code]
I just used a Cloudflare Tunnel.
Many systems dont support subpaths as it can cause some really weird problems.
As you use tailscale funnels, you really want incoming traffic from the internet. I am not sure thats a good idea for e.g. homeassistant that is limited in access anyways.
Might aswell use tailscale and access the system over VPN.And for anything serious i wouldnt use something like funnel anyways. Rent a VPS and use that as your reverse-proxy, you can then also do some caching or host some services there. Much simpler to deal with and full support for such things as you then have an actual public IPv4/IPv6 address to use.
Heck, dont even have to pay for it with the Oracle Always-Free system.I largely agree with this, but (and this might be me being a little paranoid) I don’t really trust anyone to handle my data like that. I self-host as much as possible to get away from things beyond my control, I understand that this is an extremist view of things, but the only reason why I use Tailscale Funnel is because the family would either not know how to, or not want, to deal with a VPN like that.
As far as i understood tailscale funnel its just a TCP-tunnel.
So you handle TLS on your own system, which makes sure tailscale cannot really interfere.If you already trust them this far, might aswell do the same with a VPS and gain much more flexibility and independence (you can easily switch VPS provider, you cannot really switch tailscale funnel provider, you vendor-locked yourself in that regard)
I’d connect the VPS and your home system via VPN (you can probably also use tailscale for this) and then you can use a tcp-tunnel (e.g. haproxy), or straight up forward the whole traffic via firewall-rules (a bit more tricky, but more flexible… though not that easy with tailscale… probably best to use TCP-tunnel with PROXY-Protocol).
This way you can use all ports, all protocols, incoming and outgoing traffic with the IP-Address of the VPS.Tailscale might even already have something that can configure this for you… but i dont really know tailscale, so idk…
And as you terminate TLS on your home-system, traffic flowing through the VPS is always encrypted.
If you want to go overboard, you can block attackers on the server before it even hits your home-system (i think crowdsec can do it, the detector runs on your home-system and detects attacks and can issue bans which blocks the attacker on the VPS)
And yes, its a bit paranoid… but its your choice.
My internet connection here isnt good enough to do major stuff like what i am doing (handling media, backups and other data) so i rent some dedicated machines (okay, i guess a bit more secure than a VPS, but in the end its not 100% in your control either)
Caddy and Rewrite / strip_prefix doesn’t work?
reverse Proxy based on the /homass and then internally strip the prefix from /homass/x to just /x ?
super simple
Hamburger helper?
I took a look at HAOS and declared it to be junk. I admire your optimism, but you should too.
It’s aimed at a no man’s land of people that run HA but don’t know how to manage their own docker. It’s just weird.
This “no mans land” you speak of is probably 99.999% of home assistant users. Managing docker is not something that most people want to do or know about.
Yeah, I’ve already ditched it. That being said I now understand who it was made for, and it’s not me.