Add-ons

In this chapter, we are going to install and configure the Home Assistant OS Add-ons required for the Gbox420 automation.

AdGuard Home: Required for DNS redirection when connecting from the local WiFi network and using SSL certificates with HTTPS. Also super useful for blocking ads/malware on devices connected to the local WiFi.
Duck DNS: Free DNS service for remote access, also used for retrieving Let's Encrypt SSL certificates for HTTPS - Needed for securing communication with Home Assistant.
Grafana: Provides charts, graphs, and alerts (alerts are currently handled by Node-RED) - Historical overview of the sensor readings.
Home Assistant Google Drive Backup: Backing up snapshots of the entire Home Assistant system to Google Drive.
InfluxDB: Database to store the sensor readings reported by the Gbox420 Main sketch. Used as the data source of Grafana.
Mosquitto broker: Handles the MQTT communication between the Main module and Home Assistant / Node-RED. Used to relay sensor readings towards HA, and send back commands to the Main module.
Node-RED: Visual programming interface for creating the data processing logic on the Home Assistant side. This is the "brain" of the automation that handles receiving and storing sensor readings in a database, checking alerts, and displaying a dashboard for interacting with the Arduino modules. ( The Arduino modules are still fully autonomous and do not need Node-RED to operate)
Samba share: Accessing the system files of Home Assistant as a remote file share. Super useful during the setup of other add-ons.
Visual Studio Code: Source-code editor, perfect for editing configuration files directly from a browser window.
WireGuard: VPN service to access Home Assistant from anywhere on the internet. This is a highly recommended component for remote management. Using an encrypted VPN tunnel back to your home network is a lot more secure than opening up ports on your local network toward the internet.

This chapter assumes you have completed the Installation steps and Home Assistant OS is running on a DHCP reserved IP address. In this example, the reserved IP is 192.168.9.100 and the Home Assistant OS is listening on the default port 8123.

Initial steps

Take a note of the IPv4 address assigned to Home Assistant. From a device on the same network open http://<IP address>:8123/ in a browser window. You should be greeted with the Home Assistant On-boarding screen:

I'll refer to this username and password as your Home Assistant account. After the initial setup process you should see the default Lovelace dashboard:

Open your user profile by clicking the user name at the bottom left corner

Enable Advanced Mode - Required for adding 3rd-party add-ons
Disable Automatically close connections (optional)

Third-party repositories

We'll start with adding third-party repositories made by the Home Assistant community:

Navigate to Supervisor - Add-on Store
Click the 3-dots (...) menu at the upper right corner, select Repositories, and add the following URLs:
- Home Assistant Community Add-ons: https://github.com/hassio-addons/repository
- Home Assistant Google Drive Backup: https://github.com/sabeechen/hassio-google-drive-backup

Once a repository is installed the Search function will return matches from it.

Visual Studio Code

The first Add-on to install is a web-based code editor for modifying Home Assistant configuration files.

Install the Add-on, enable Start on boot/Watchdog/Auto update, and Show in sidebar. Then Start the add-on:

Editing secrets.yaml

As a practical example, we are going to edit the secrets.yaml file of Home Assistant which is designed to hold all sensitive credentials at a central location. Start the Visual Studio Code Add-on, select the Hamburger menu - File - Open Folder and open the /config/ folder:

The /config/ folder contains the yaml configuration files of Home Assistant. One of them is the secrets.yaml file designed to centrally store credentials used in other configuration files. Each password is stored in its own line and uses the format key: password
In this example, I'm adding a key called GoogleDriveSnapshot, which is going to be used during the next Add-on setup.

To access stored passwords from another configuration file use: !secret key
PS: Many times the password is expected to be a text. In this case use: '!secret key'

Home Assistant Google Drive Backup

One of the most important addons: making sure we have regular full backups of Home Assistant OS using Home Assistant Google Drive Backup.

Search for "Home Assistant Google Drive Backup", select the Add-on and Install it:

Enable Start on boot, Watchdog, Auto update and Show in sidebar:

Open the Web UI of the add-on and select Authenticate with Google Drive. Copy the Authentication code and paste it back to the Web UI:

Next, click the Settings button and configure how many backups should be kept locally and on Google Drive, set the backup frequency and time, and specify an optional encryption password. The password supports the Home Assistant - Secrets file, I'm going to use the GoogleDriveSnapshot key created in the previous section.

And that is all, daily snapshots should be automatically created and uploaded to Google Drive:

Duck DNS

Duck DNS is a dynamic DNS service for binding your home network's public IP to a fully qualified domain name (FQDN) like <YOURDOMAIN>.duckdns.org. The add-on takes care of keeping the IP-Domain binding up to date and automatically fetches Let's Encrypt certificates required for setting up HTTPS in Home Assistant.

Before starting the add-on we need to configure it first according to the Documentation tab:

- Visit DuckDNS.org and create an account by logging in through any of the available account services (Google, Github, Twitter, Persona)
- Complete the reCaptcha

In the Domains section, type the name of the subdomain you wish to register and click add domain

If registration was a success, the subdomain is listed in the Domains section along with the current IP being the public IP address of the device you are currently using to access duckdns.org. The IP address will be updated by the DuckDNS add-on.

In the DuckDNS add-on Configuration tab, perform the following:
- Copy the DuckDNS token (listed at the top of the page where account details are displayed) from duckdns.org and paste it into the token option.
- Update the domains option with the full domain name you registered. E.g., <YOURDOMAIN>.duckdns.org.

Head back to the Info tab and Start the Duck DNS add-on, then switch to the Log tab and verify the certificate creation for your domain:

The following certificates should be generated:

/ssl/fullchain.pem : Contains your server's public certificate along with intermediate certificates for DuckDNS servers
/ssl/privkey.pem: Private key used in the encryption/decryption of data sent between your server and the connecting clients. Do not publish the content of this file!

Verifing the Domain name - Public IP mapping: Open a Command Prompt / Terminal window and run the following command:
nslookup <YOURDOMAIN>.duckdns.org 8.8.8.8

Enable HTTPS for Home Assistant

Now that we have a dynamic DNS name and the certificates for it, we can secure the Home Assistant website by enabling HTTPS. To do this open the Visual Studio add-on and load the /config/configuration.yaml file and add after the last row:

#SSL certificate

http:

ssl_certificate: /ssl/fullchain.pem

ssl_key: /ssl/privkey.pem

Now restart the Home Assistant OS from the Supervisor - System tab - Reboot Host button

After a few minutes, the web interface of Home Assistant OS should switch to HTTPS. Try opening the URL https://192.168.9.100:8123 in a browser, you should see a certificate error about the URL not matching the certificate. DuckDNS certificates require the URL to use the domain name <YOURDOMAIN>.duckdns.org (like https://growboxguy.duckdns.org:8123 ) which is at this point not accessible. In the next sections, we'll talk about setting up a local DNS server and using DNS Rewrite to fix this problem. For now, click the Advanced button and Proceed to 192.168.9.100

After accepting the temporary certificate error the login screen of Home Assistant should load:

AdGuard Home

AdGuard Home is a local DNS server with DNS filtering and rewriting capabilities. It supports DNS over HTTPS, and load-balancing between multiple upstream DNS servers (like Google Public DNS, Cloudflare, or Quad9 ). When configured as a DNS server for the local network it can provide Ad and Malware filtering to local devices. We will primarily be using it to rewrite DNS lookups for <YOURDOMAIN>.duckdns.org to the Home Assistant server's IP (192.168.9.100)

Add-on repository: https://github.com/hassio-addons/repository

Open the Web UI and select Settings:

Settings - DNS settings

Upstream DNS servers - Add the following upstream servers:

https://dns.google/dns-query

https://dns10.quad9.net/dns-query

https://dns.cloudflare.com/dns-query

DNS server configuration - Enable DNSSEC

Settings - Encryption settings

Tick the following checkboxes:

Enable Encryption (HTTPS, DNS-over-HTTPS, and DNS-over-TLS)
Redirect to HTTPS automatically

And set the Certificate file paths to the Let’s Encrypt certificates created by the Duck DNS add-on:

Certificate: /ssl/fullchain.pem
Private key: /ssl/privkey.pem

Save the changes and restart the add-on from Supervisor - Dashboard - AdGuard Home - RESTART

Filters - DNS blocklist

The blocklist supports third-party ad-block rules. I like to add the following custom lists from https://easylist.to/

Easy list: https://easylist.to/easylist/easylist.txt

Easy privacy: https://easylist.to/easylist/easyprivacy.txt

Fanboy's Annoyance List: https://secure.fanboy.co.nz/fanboy-annoyance.txt

Filters - DNS rewrites

Navigate to Filters - DNS rewrites and add a DNS rewrite rule for <YOURDOMAIN>.duckdns.org to the Home Assistant server's IP (192.168.9.100)

Testing DNS server

At this point the DNS server is ready, we just need to test it. Open a Command Prompt / Terminal window and run the following commands to verify:

Duck DNS to public IP: Using Google's Public DNS server 8.8.8.8: nslookup <YOURDOMAIN>.duckdns.org 8.8.8.8
Should return your public IP address.

DNS rewrite feature: Using Home Assistance - AdGuard DNS server, nslookup <YOURDOMAIN>.duckdns.org 192.168.9.100
Should return the local IP address of Home Assistant.
General DNS lookup: Using Home Assistance - AdGuard DNS server, nslookup google.com 192.168.9.100
Should return the IPv4 and IPv6 addresses of a random Google server.

Now you can set the Home Assistant server as a DNS server for your local network on the router.

Samba share

Home Assistant stores its configuration files, addons, media, and SSL certificates in folders. Samba share makes these accessible via a file share.
Only needed during the setup of WireGuard VPN and Node-RED add-ons, no need to set it to start on boot.

Once installed navigate to the Configuration tab and set the following:

allow_hosts: IP subnet including the subnet mask length where connections are allowed from. (192.168.9.0/24 will allow any device from 192.168.9.1 to 192.168.9.254 ). Also, leave 'fe80:10' in the allow list, which is the link-local address of the Home Assistant server.
username: Username when accessing the shared folder
password: Password for accessing the share. I'm going to use secrets.yaml file to store the password using the key: '!secret SambaShare'

Now head back to the Info tab and Start the service:

Once the add-on is running you can access the Home Assistant folders by opening the IP address of the server hosting it. (Example: smb://192.168.9.100/ from Linux or \\192.168.9.100 from Windows)

WireGuard VPN server

WireGuard is a simple yet fast and modern VPN that utilizes state-of-the-art cryptography. It is designed as a general-purpose cross-platform VPN (Windows, macOS, BSD, iOS, Android). It provides VPN access to your home network over the Internet. This is more secure than exposing Home Assistant directly as it requires setting up an encrypted VPN tunnel before accessing Home Assistant.

Install the Add-on, enable Start on boot/Watchdog/Auto update, and Show in sidebar. Do not start the add-on at this point.

Next we need to forward incoming traffic from the VPN clients to Home Assistant by creating a Router Firewall - Port forwarding rule:

Client setup

In this example, we are going to listen for incoming VPN connections on growboxguy.duckdns.org, port 51820. VPN clients will receive an IP from the VPN range and also the Home Assistant server's IP as a DNS server. I'm going to set up two clients: An Android phone (BitOne) and a Windows 10 laptop (BitWin).

Head over to the Configuration tab and make the following changes to the default configuration:

server:

host: <YOURDOMAIN>.duckdns.org

addresses:

- 172.27.66.1

dns:

- 192.168.9.100

peers:

- name: <CLIENT1>

addresses:

- 172.27.66.2

allowed_ips: []

client_allowed_ips: []

- name: <CLIENT2>

addresses:

- 172.27.66.3

allowed_ips: []

client_allowed_ips: []

The only required parameters for a client are:

name: Needs to be unique
addresses: A free IP from the VPN network range (default: 172.27.66.2 - 172.27.66.254)

Head back to the Info tab and Start the WireGuard add-on. When the add-on starts it will automatically generate the VPN client configuration files under the /ssl/wireguard folder. With the Samba share add-on, you can access the files as smb://192.168.9.100/ssl/wireguard from Linux or \\192.168.9.100\ssl\wireguard from Windows.

Each client will have its own folder containing the configuration file, private key and a QR code for quickly setting up mobile devices:

Address: This is the next free IP address from the VPN IP range configured on the server-side. The first client should have the IP ending with .2 , additional clients should increment this.
DNS: Since we are using AdGuard Home as a private DNS server for DNS redirection and Ad-blocking set this to the Home Assistant server`s IP.
PublicKey: This is the VPN server`s Public key
Endpoint: The DNS name configured in DuckDNS - Home Assistant Add-on.

VPN client - Android

Install WireGuard from Google Play and add a tunnel by scanning the QR code generated in the previous step. After naming the tunnel tap the new VPN entry and connect to the VPN using the top right slider. Verify the connection was by observing the RX and TX counters under the Transfer section, they should slowly increase. If only the TX (transfer) counter is increasing the VPN server is not accessible / refused the connection.

The last step is securing the setup by generating new public and private keys in the Arduino app and storing the new public key in Home Assistant's secrets.yaml file. Edit the imported VPN profile and click the refresh icon next to the Private key to generate a new private and public key pair. Copy the public key by tapping it, then Save the configuration.

On the in Home Assistant server store the new public key in the secrets.yaml file using the format BitOneVPN: <PUBLIC KEY>

Update the Supervisor - WireGuard - Configuration tab to include a reference to the secrets file as: public_key: '!secret BitOneVPN'

server:

host: <YOURDOMAIN>.duckdns.org

addresses:

- 172.27.66.1

dns:

- 192.168.9.100

peers:

- name: BitOne

public_key: '!secret BitOneVPN'

addresses:

- 172.27.66.2

allowed_ips: []

client_allowed_ips: []

Restart the WireGuard add-on from the Info tab, then go to the Log tab. Connect the Android client and verify the connection:

VPN client - Windows

You can find a more detailed guide here. Download the installer, run it and Add an empty tunnel:

Notice that the public and private keys for the client are already auto-generated. Enter the connection Name, copy the Public key, and click Save.

Next we need to Edit the new tunnel:

Copy the public key of the client and store it in Home Assistant's secrets.yaml file in the format of BitWinVPN: <PUBLIC KEY>

Navigate to Supervisor - WireGuard - Configuration tab and append the following configuration parameters for new client. Select the next free IP from the VPN range for the addresses field:

server:

host: <YOURDOMAIN>.duckdns.org

addresses:

- 172.27.66.1

dns:

- 192.168.9.100

peers:

- name: BitWin

public_key: '!secret BitWinVPN'

addresses:

- 172.27.66.3

allowed_ips: []

client_allowed_ips: []

Save the changes and restart the add-on from the Info tab. When the add-on starts it will automatically generate the VPN client configuration files under the /ssl/wireguard folder. With the Samba share add-on, you can access the files as smb://192.168.9.100/ssl/wireguard from Linux or \\192.168.9.100\ssl\wireguard from Windows.

Copy the content of the client.conf file to the Windows client's configuration window, while keeping the PrivateKey value from the original configuration:

The last step is to connect to the VPN from the main page by clicking the Activate button:

Node-RED

Node-RED is a visual programming tool for wiring together hardware devices, APIs, and online services. Node-RED provides a web browser-based flow editor, which can be used to create JavaScript functions. I was only recently introduced to Node-RED by one of you guys and was blown away by how intuitive and easy it is to use it.

Gbox420 Node-RED dashboard

Interface for controlling the Gbox420 sketch

Gbox420 Flow

Data processing logic, communicates with the Gbox420 sketch over MQTT

Node-RED requires two components to fully integrate with Home Assistant:

Node-RED companion integration: Adds custom nodes to Node-RED for creating/reading/updating Home Assistant entities
Node-RED add-on: Provides the interface for creating Flows(data processing logic) and Dashboards for controlling devices.

Node-RED companion integration

For Node-RED to interact with Home Assistant. Based on https://github.com/zachowj/hass-node-red#installation.

Download the hass-node-red GitHub library as a ZIP file. Inside the ZIP file locate the /hass-node-red-main/custom_components/nodered/ folder and upload its contents to Home Assistant under the config/custom_components/nodered folder (create the custom_components/nodered folder) . Requires the Samba share add-on, you can access the files as smb://192.168.9.100/config/ from Linux or \\192.168.9.100\config\ from Windows.

Restart Home Assistant

Go to Settings - Devices & services - Integrations click + ADD INTEGRATION button and search for Node-RED Companion.

Once the integration is installed it should show up under the Settings - Devices & services - Integrations tab. You can restart/stop/disable/remove the integration using the ... menu.

Node-RED add-on

Install the Node-RED add-on from Settings - Add-ons:

After installing Node-RED switch to the Configuration tab and fill the credential_secret, used for encrypting sensitive data withing Node-RED:

Now go back to the Info tab, Start the add-on and enable Start on boot, Watchdog, Auto update, and Show in sidebar:

Open Node-RED from the sidebar and verify the Home Assistant nodes are available in Flows:

Mosquitto broker

Mosquitto is an MQTT broker to exchange lightweight messages between IoT devices using the publish/subscribe model. We are going to use it to relay the Gbox420 sensor readings from ESP-link to Node-RED, and send back control messages to the Gbox420 sketch from the Node-RED dashboard.

Install the Mosquitto broker add-on from Supervisor - Add-on Store:

Start the add-on and Enable Start on boot, Watchdog and Auto update:

Once the add-on is running it will accept connections on ports: 1883 (MQTT), 1884 (MQTT over WebSocket), 8883 (MQTT with SSL), and 8884 (MQTT over WebSocket with SSL) using the Home Assistant credentials.

Connecting ESP-link

Once the Mosquitto MQTT server is up we can connect the ESP-link firmware to it and start sending regular MQTT reports from the Gbox420 sketch. Configure the MQTT client on the ESP-link website under the REST/MQTT tab. Tick the Enable MQTT client and Enable SLIP on serial port check-boxes and fill in the following details:

Server hostname or IP: IP of the Home Assistant server (192.168.9.100)
Server port: Use the default un-encrypted MQTT port 1883
Client ID: Unique ID that identifies the device, two devices cannot have the same Client ID!
Client Timeout (seconds): Length of time the MQTT client waits for a response from the MQTT broker when initiating the connection. Leave it on default for 50 seconds.
Keep Alive Interval (seconds): Maximum time that can pass between the exchange of messages. If the MQTT broker does not receive a packet within this interval it considers the client “dead” and sends out the client's Last Will and Testament (LWT) message to all subscribers. Leave it on default 60 seconds.
Username: Your Home Assistant account name
Password: Your Home Assistant password

Click the Update server settings! button and restart the ESP-link firmware from the Debug log tab using the Reset esp-link button. Wait a few seconds for the ESP-link firmware to reload, then restart the Gbox420 Arduino sketch using the: μC Console tab - Reset μC button. After this go back to the REST/MQTT tab where the MQTT client state should now display connected state. If it still displays disconnected double-check the server details, make sure SLIP and MQTT are enabled, and verify that the ESP-Link is connected to a WiFi network.

On the Home Assistant server you should see the MQTT client registering under Supervisor - Mosquitto broker - Log tab:

The last step is setting up the publish - subscribe topics and LWT (Last Will and Testament) message in the Gbox420 sketch. This can be done in two ways:

From the Main module's Setting.h file by editing the following variables:

MqttPubTopic: Topic to send reports to
MqttSubTopic: Listen for commands under this topic
MqttLwtTopic: When the Gbox420 sketch goes offline the MQTT broker will notify all subscribers using this topic
MqttLwtMessage: The content of the LWT message the broker sends out to all subscribers

2. From the ESP-link web interface - Settings tab ( http://192.168.9.101/Settings.html ). These changes are stored to the EEPROM and kept between reboots, however, they get lost if the sketch defaults are restored.

InfluxDB

InfluxDB is a time-series database to store Internet of Things sensor data and provide real-time analytics. Node-RED will push the sensor readings received over MQTT to InfluxDB and Grafana will display charts from the data.

After installing the add-on head over to the Configuration tab and disable usage statistics reporting by setting reporting: false

Start the add-on and Enable Start on boot, Watchdog, Auto update, and Show in sidebar:

Head over the the InfluxDB - InfluxDB admin - Databases and click + Create Database. Name the database: homeassistant

Create a new user under InfluxDB - InfluxDB admin - Users called: homeassistant and grant ALL permissions to it:

Store the homeassistant account's password in the secrets.yaml file as InfluxDBhomeassistant.

The last step is connecting Home Assistance to InfluxDB. To do this open the Visual Studio add-on and load the /config/configuration.yaml file and add after the last row:

#InfluxDB database

influxdb:

host: a0d7b954-influxdb

port: 8086

database: homeassistant

username: homeassistant

password: !secret InfluxDBhomeassistant

max_retries: 9

default_measurement: state

Restart the Home Assistant server from Configuration - Server Control - Server Management by clicking the RESTART button

Once the server reboots all Home Assistant will transfer all state changes to the homeassistance InfluxDB database. You can verify this from InfluxDB - InfluxDB Admin and selecting the homeassistant.autogen DB and viewing the value of any of the measurements:

Grafana

Grafana is an analytics and interactive visualization web application that provides charts, graphs, and alerts. Install the add-on from Settings - Add-ons:

On the Configuration tab add the below parameters to enable Anonymous access on a local network:

plugins: []

env_vars:

- name: GF_AUTH_ANONYMOUS_ENABLED

value: 'true'

ssl: true

certfile: fullchain.pem

keyfile: privkey.pem

grafana_ingress_user: homeassistant

Under the Network section specify port 3000:

Start the add-on and Enable Start on boot, Watchdog, Auto update, and Show in sidebar:

Next we need to connect InfluxDB to Grafana. For this we need the Hostname of InfluxDB from: Settings - Add-ons - InfluxDB:
Default: http://a0d7b954-influxdb:8086

Navigate to Grafana - Connections - Data Sources and add InfluxDB as a new data source:

Set the URL of the InfluxDB data source to: http://a0d7b954-influxdb:8086

Under the Database Access section specify the Database name (homeassistant), User (homeassistant) and the password specified during the InfluxDB user creation. Set the HTTP Method to POST, Min interval to 5s and Max series to 100.000:

At this point, all the required Add-ons are installed and we are ready to import the data processing logic and dashboards for the Gbox420 automation

SSH & Web Terminal (optional)

SSH & Web Terminal allows you to log in to your Home Assistant instance using SSH or by using the built-in Web Terminal. It gives access to the operating system tools and hardware of your system. This is an optional component, mostly needed if you run Home Assistance OS directly on a device as the primary operating system.

Install the add-on from Supervisor - Add-on Store:

Once installed, set the Watchdog and Auto update features. You can enable running commands as root/administrator in the terminal by disabling Protection mode.

Create a secrets.yaml file entry with your Home Assistance login password and call it TerminalAccess. On the Add-on's Configuration tab set the username and password attributes, and Start the add-on from the Info tab.

Click the Terminal tab to start a session. The ha command will display the Home Assistant specific commands:

You can also use SSH or Putty to open a session with Home Assistant OS:

Using Authorized_keys

Consider generating public/private SSH keys if you enable the Start on boot feature to increase security. Generate a key pair by connecting to Home Assistant over SSH or through the Terminal add-on and run: ssh-keygen -t ed25519 -C "YOUREMAIL@gmail.com"

Set the output file to /ssh/TerminalAccess
and specify a passphrase to access the private key.

The two output files should be:

/ssl/TerminalAccess.pub: Public key that needs to be set on the Home Assistant server side

Add the key under Supervisor - Dashboard - SSH & Web Terminal - Config tab as the ssh authorized_keys attribute and blank out the password attribute :

ssh:

username: growboxguy

password: ''

authorized_keys: [ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX YOUREMAIL@gmail.com]

sftp: false

compatibility_mode: false

allow_agent_forwarding: false

allow_remote_port_forwarding: false

allow_tcp_forwarding: false

zsh: true

share_sessions: false

packages: []

init_commands: []

log_level: debug

Temporary set the log_level: debug to capture detailed connection attempts. Save the changes and Restart the Add-on. The authorization_keys attribute should get auto-formatted: