Expose Local Home Assistant Installation via Tailscale

I am currently setting up Home Assistant to prepare my new smart home. Since I want to control HA via voice, I need to expose my local installation to the public internet. The guide explains clearly that the local installation must be available via HTTPS on port 443, and that is exactly what I want to show you in this blog post.

Note: There are several ways to achieve this. Tailscale is just one option and, depending on your preference, you might want to choose another one such as Cloudflare Argo, WireGuard, OpenVPN or DynDNS on your dynamic IP address.

Definitions:

  • Local server: The server in your basement running Home Assistant
  • Remote server: The server in some datacenter which has a public IPv4 address (Yes, it could also be an IPv6 address, but you probably do not want to bother with that)

Steps

  1. Provision a server instance, e.g. a VPS, with a public IPv4 address
  2. Install Docker and docker-compose on that server instance
  3. Install Tailscale on your local and your remote server
  4. Run Traefik to forward the traffic from your remote server IPv4 to your local server

Traefik setup

docker-compose.yml

version: '3.3'

services:
  traefik:
    image: traefik
    container_name: traefik
    volumes:
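      # acme.json must already exist as a regular file with mode 600
      - ./acme.json:/acme.json
      - ./static.yml:/static.yml
      # mounted read-only; Traefik only needs to read container labels
      - /var/run/docker.sock:/var/run/docker.sock:ro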
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.api.rule=Host(`[FQDN_FOR_YOUR_SERVER]`)'
      - 'traefik.http.routers.api.entrypoints=https'
      - 'traefik.http.routers.api.service=api@internal'
      - 'traefik.http.routers.api.tls=true'
      - 'traefik.http.routers.api.tls.certresolver=letsencrypt'
      - "traefik.http.routers.api.middlewares=auth"
      - "traefik.http.middlewares.auth.basicauth.users=[YOUR_USER_NAME_FOR_TRAEFIK_DASHBOARD]:[HASHED_PASSWORD]" # user:hash, with every $ in the hash written as $$
    ports:
      - 80:80
      - 443:443
    command:
      - '--api'
      - '--providers.docker=true'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.http=true'
      - '--entrypoints.http.address=:80'
      - '--entrypoints.http.http.redirections.entrypoint.to=https'
      - '--entrypoints.http.http.redirections.entrypoint.scheme=https'
      - '--entrypoints.https=true'
      - '--entrypoints.https.address=:443'
      - '--certificatesResolvers.letsencrypt.acme.email=[INSERT_YOUR_MAIL]'
      - '--certificatesResolvers.letsencrypt.acme.storage=acme.json'
      - '--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http'
      - '--log=true'
      - '--log.filepath=/var/log/traefik.log'
      - '--providers.file.filename=/static.yml'

static.yml

Place this file in the same folder as your docker-compose.yml. It is mounted into the container and loaded through --providers.file.filename=/static.yml.

http:
  routers:
    homeassistant:
      rule: Host(`[PUBLIC_FQDN_FOR_HOME_ASSISTANT]`)
      service: homeassistant
      tls:
        certResolver: letsencrypt

  services:
    homeassistant:
      loadBalancer:
        servers:
          - url: http://[TAILSCALE_IP_OF_LOCAL_SERVER]:[PORT_OF_YOUR_LOCAL_HOMEASSISTANT_SERVICE]
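
The compose file above needs two things prepared on the remote server before the first start: an acme.json file with mode 600 and the [HASHED_PASSWORD] value for the dashboard. The following shell functions are an added example, not part of the original post; the function names are hypothetical, and openssl passwd -apr1 is assumed as the hash tool (Traefik's basic auth accepts MD5, SHA1 and bcrypt hashes).

```shell
#!/bin/sh
# Added example: prepare the inputs the docker-compose.yml above expects.
# Function names are hypothetical; nothing runs until a function is called.
#
# Usage (in the folder that holds docker-compose.yml):
#   prepare_acme_store ./acme.json
#   printf '%s\n' "$DASHBOARD_PASSWORD" | basicauth_entry admin

# Create the ACME store as a regular file readable only by its owner.
# If ./acme.json is missing, Docker bind-mounts a directory in its place,
# and Traefik rejects the store when its mode is more open than 600.
prepare_acme_store() {
    store="${1:-./acme.json}"
    if [ -d "$store" ]; then
        echo "error: $store is a directory, remove it first" >&2
        return 1
    fi
    # Append mode keeps certificates already stored in an existing file.
    ( umask 077 && : >> "$store" ) || return 1
    chmod 600 "$store"
}

# docker-compose treats "$" as variable interpolation, so every "$" in the
# password hash has to be written as "$$" inside the label.
compose_escape() {
    printf '%s' "$1" | sed 's/\$/$$/g'
}

# Build the "user:hash" value for
# traefik.http.middlewares.auth.basicauth.users.
# The password is read from stdin so it never shows up in the process list.
basicauth_entry() {
    user="$1"
    hash=$(openssl passwd -apr1 -stdin) || return 1
    compose_escape "$user:$hash"
}
```

The output of basicauth_entry replaces [YOUR_USER_NAME_FOR_TRAEFIK_DASHBOARD]:[HASHED_PASSWORD] in the label as a whole.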
