The last project of the year. To get all the music programs, amplifier, DAC, speakers, etc., to turn on when I press play. Surprisingly, the hardest part was getting the album art to change correctly. Well, it wouldn’t have been difficult if I had just looked in the right place… Happy New Year!
I believe I’ve now ordered everything for the most substantial HA project. The heating system for the entire apartment building has been replaced, and this project encompasses its control based on the spot electricity market. So, the oil heating system has been upgraded to a contemporary one. 3 floors and 14 apartments/tenants.
Parts list
Networking (on-site internet)
- TP-LINK ER706-4G AX3000 4G+ LTE modem & VPN router – 1×
- 4G data subscription + Nano-SIM – 1×
Automation / control
- Nabu Casa Home Assistant Green – 1×
- Shelly Pro 2 (DIN rail relay, 2-channel, dry contacts) – 1×
- Utilized for driving the heat pump’s SG and EVU inputs (2 channels = SG + EVU)
Zigbee monitoring (sensors + repeaters)
- SMLIGHT SLZB-07p7 (Zigbee coordinator) – 1×
- Zigbee temperature/humidity sensors – 10×
- Plan: 2 sensors per floor (at opposite ends) + common areas
- Zigbee smart plugs with power metering (employed as Zigbee routers/repeaters) – 10x
- Rationale: mains-powered Zigbee devices function as routers/repeaters, whereas battery-operated sensors typically do not route signals.
Power backup
- APC Back-UPS BX1600MI-GR – 1×
Questions / feedback welcome
- Zigbee mesh in a concrete apartment building: how many mains-powered repeaters (smart plugs) would you recommend per floor?
- Spot price strategy: cheapest N / most expensive M vs absolute price thresholds?
- Any “remote-only site” reliability tips (UPS sizing, watchdog automations, LTE antennas)?
What sorts of “hardening” measures do you folks have in your configuration.yaml?
I’ve got these implemented myself and was contemplating whether there’s anything else worth adding.
```yaml
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - XXX.XXX.XXX.XXX
  ip_ban_enabled: true
  login_attempts_threshold: 5
```
And then to do a bit of cleaning
```yaml
recorder:
  purge_keep_days: 10
  auto_purge: true
  exclude:
    domains:
      - automation
      - updater
    entity_globs:
      - sensor.*_rssi
      - sensor.*_linkquality
      - sensor.*_lqi
      - sensor.*_noise
      - sensor.*_last_seen
      - sensor.*_uptime
      - sensor.*_signal
```
edit. I’m actually learning these specifically for that project.
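To show why `trusted_proxies` matters for `ip_ban_enabled`, here is a small added model (example code, not Home Assistant's own middleware) of how the effective client address is chosen and how the login-attempt counter keys on it. The proxy address and client addresses are constructed placeholders; Home Assistant itself additionally rejects forwarded headers from untrusted peers, which this model simply ignores.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the XXX.XXX.XXX.XXX entry in the http: block above.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]
LOGIN_ATTEMPTS_THRESHOLD = 5  # same value as login_attempts_threshold above


def effective_client_ip(peer_ip: str, x_forwarded_for: Optional[str],
                        use_x_forwarded_for: bool = True) -> str:
    """Return the address that rate limiting and IP bans should key on."""
    peer = ipaddress.ip_address(peer_ip)
    if not use_x_forwarded_for or not x_forwarded_for:
        return str(peer)
    # Only a listed proxy may tell us who the real client is; anyone else
    # could put an arbitrary address in the header to dodge the ban counter.
    if not any(peer in net for net in TRUSTED_PROXIES):
        return str(peer)
    # Left-most entry is the original client; each proxy appends itself on the right.
    first_hop = x_forwarded_for.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first_hop))
    except ValueError:
        return str(peer)  # malformed header: fall back to the socket address


class LoginBanTracker:
    """Counts failed logins per effective client IP and bans at the threshold."""

    def __init__(self, threshold: int = LOGIN_ATTEMPTS_THRESHOLD) -> None:
        self.threshold = threshold
        self.failures: dict[str, int] = {}
        self.banned: set[str] = set()

    def record_failure(self, peer_ip: str, x_forwarded_for: Optional[str] = None) -> bool:
        """Register one failed login; returns True if the client is now banned."""
        ip = effective_client_ip(peer_ip, x_forwarded_for)
        if ip in self.banned:
            return True
        self.failures[ip] = self.failures.get(ip, 0) + 1
        if self.failures[ip] >= self.threshold:
            self.banned.add(ip)
        return ip in self.banned
```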
I ended up composing a rather lengthy piece I’d been wrestling with, but then it dawned on me that I can’t bring myself to admit how I’ve squandered my Friday and Saturday on such pointless fine-tuning. Does that feeling ring a bell?
No hardening since I don’t expose HA to the Internet.
Yeah, I don’t have one of my own either, which is precisely why I inquired. That other project is situated in a different city, but I’m quite confident I’ve managed to get that one running with rock-solid stability using Tailscale as well.
Are security cameras compatible with Home Assistant Green? Or is there a link where I can see what’s compatible? I’m looking for something which is more or less plug and play and the Home Assistant Green caught my eye, but I couldn’t explicitly find if it’s compatible with cameras.
Depends on your definition of “compatible” haha, everything should work but then it also depends on your needs.
Give the forum a search, I replied quite extensively to that topic on several questions here.
I can’t believe how much I overcomplicated this project. Putting IVPN on the router is a total game changer. I’ve got the second HA and its router configured now, and everything’s running smoothly.
Not exactly hardening on Home Assistant’s side, but I use Caddy as an HTTPS reverse proxy with authentication via authentik.
I’ve been using it myself for quite some time now. It’s a brilliant program!
edit. Caddy is but not authentik
edit2. I meant to say that I’m familiar with Caddy, but not with authentik.
There’s likely not much benefit to be gained from authentik, considering I’ve generated the certificates myself using mkcert, management access is restricted solely to my own IP address, and naturally, that interface is also secured with a TOTP stored on my YubiKey.
What I intended to convey earlier is that although I’m acquainted with Caddy, authentik was entirely off my radar until yesterday. It wasn’t my aim to knock it.
I haven’t actually come up with a final fix yet, though. It’s super annoying that the IVPN WireGuard config is missing the PresharedKey entirely.
Yeah, I get where you’re coming from, it just felt like the easiest way to make Home Assistant and other stuff hosted on the same machine accessible to other family members without relying on the different services’ auth mechanisms.
Yeah, it most certainly is.