5mo ago

Security/FULL self hosting? Looking for info before starting...

Hi All,

Looking to steer into HA, but have some questions on how data is handled.

First, I don't mean the opt-in on the scant analytics. HA is very clear about that which is great. Awesome clear policy.

Second, I understand that "integrations", which use a device manufacturer's/services software/infrastructure, are outside scope here (although I do have some questions).

My goal is to find and work a system where no one knows when my lights are turning off and on, and is only on my hardware. IE: If the internet went down, but I was still connected to local wifi, can my HA still work?

The answer seems like a strong "yes", but I want to double check. I also want to make sure if I do use an integration that there's not an avenue for telemetry beyond that integration. IE: I don't want Spotify to gain access to what temperature I keep my house just because I want to play music.

I also have questions about the mobile app, but if the rest is truly locked down, I can navigate that.

I currently have an automated bog garden, but how I did it isn't really scalable. It's all modbus components with values passed to a local server to generate a dashboard. I'd like to expand to more actual "home" automation, and this seems like a great tool!

Thanks for any clarification.

20 comments

I think the answer largely depends on the devices you use. Many devices require an internet connection to integrate with HA. Fortunately, each HA integration should list whether or not they can work locally.
Here are some device suggestions:
Bluetooth
Zigbee/Zwave/Zwhatever (local radio control). I don’t use this, but a lot of HA gripes I notice tend to center around support for these devices.
The HomeKit spec requires local only control at least as an option. HA can act as a HomeKit hub through the HomeKit Devices integration, so you don’t need any Apple hardware to use HomeKit devices.
Shelly makes great wifi and Bluetooth devices that work locally.
If you get wifi devices, put them on a separate network and/or have firewall rules that deny them internet access.
Use a VPN like Tailscale to access your HA from the internet, rather than exposing your HA instance to the internet through port forwarding.
Just as an example, I have Ecobee thermostats that are HomeKit compatible. Ecobee provides a cloud service, but I don’t use it at all, and my thermostats are denied internet access at the network level. They still work great through the HomeKit Devices integration.
Good luck!
- This is the correct answer. HA itself will work completely offline if you want. After that, you just need to make sure about the devices you're buying, and keep in mind, YOU control your own networking.
  Zigbee will be all offline
  Z-Wave...there was some greyish room there, but should be similar to Zigbee aside from firmware updates from certain makers
  Matter CAN be totally offline
  Tuya and similarly branded products: there are offline hacks, but I'd avoid.
  WiFi/Bluetooth branded: avoid because they always require an app to even setup
  Now, as I mentioned, you do control your network, and there are complex ways around these things, but if you want an OTG guarantee, go Zigbee to be sure.
  
  this is fantastic, I'm really excited. I do have a follow up on non-hardware integrations though. I know when I download anything on my phone, it's sharing all sorts of crap. Does HA allow integrations to do that? Going back to spotify example, I understand spotify can obviously track things on their end (what song they're giving me etc), but integrations don't let them see humidity in my basement right?
  
  Not all Bluetooth stuff requires an app. I have dozens of BLE sensors all around my house and I haven't downloaded anything for the majority of them. My BLE proxies pick them up automagically and I get a notification on my phone about a new detected device.
  There are a few where you have to hack some bullshit, but I just avoided buying more of those once I learned that some of my shit needed that.
- This is PERFECT. Thank you. I need figure out Tailscale, I'm much better at the device level than networking, but your answers gave me what I'm looking for: Keep an eye on the device and how it's used and it's workable. Thank you!
  
  Tailscale is pretty easy, though I dislike the management console is via their servers/services.
  Wireguard (which Tailscale uses) is fully self-hostable.
This depends heavily on the hardware you choose. If you stick to Z-Wave, Zigbee, ESPhome, and Tasmota, and some others I'm missing the answer is a resounding yes.
If you invest in the wrong hardware it will be cloud dependent regardless of compatibility with Home Assistant.
I'm sure you can integrate your existing system with something like ESPhome.
- ESPhome is exactly the kind of platform I was looking to use. My hope was to standardize a design or two so I could have some I deployed where needed (garage, basement, etc). That's fantastic, thank you!
My HA is not port forwarded and only accessible when connected to the home network.
I have a private backdoor tunneling into my network with self hosted vpn so i can use it away from home.
Integrations i use come in two types relative to your question. But all of them involve giving HA acces to the controls and data. Not the opposite. I have never heard of an integrations that required data from HA.
The biggest tell on what is what is does the intended way to control the device make use of any cloud. If your device does not require a cloud or account and you can connect it to the integration with just an ip it should all be local.
But many integrations will require you to provide the credentials for a cloud because it’s easier. In that case you are not any more exposed then if you use the vanilla apps.
For my solar panels i could use the cloud but i convinced the technician to give me admin rights enabling a local api i can use instead. That cloud stuff is still there, cant disable it but it means i can still read my solar panels in case of an internet blackout.
If i could all my devices would be blocked from talking to the outside and all use local apis for control but its sadly not how most stuff is build. For stuff like cameras i wont even consider it unless they do though.
I've integrated modbus sensors into HA, there's ways of doing that. HACS has no end of off the wall integrations, and usually they're opensource so you can fix or change them if needed.
One of my main goals when setting up home automation was making sure the devices I'm using do not need cloud access. The only exception is an old Honeywell thermostat that I'll replace eventually. Everything else, including security camera occupancy detection continues to work if the Internet goes down.
My router only has one open port and that's for Wireguard. It's set to a random port number and appears closed to external scanners so I believe my network security is reasonably good. Devices that like to connect to external servers like TP-Link cameras and bulbs are blocked by the router's firewall.
For occasional external access I use Tasker to detect what network I'm on and then automatically connect to Wireguard when away from home. After the WG tunnel's up it starts Home Assistant Companion. It's not as seamless as Home Assistant Cloud, but for occasional use it's fine.
Warning about Home Assistant: It's ridiculously addictive. It is also so flexible that I've been able to implement almost anything that comes to mind and ended up with more sensors and automations than I ever thought I'd use.
- oh this seems like the worst thing ever. I used to have a lot spaghetti stuff reporting. I did not need to be spending this kind of money on ESPs...

20 comments