Anyone use "Home Assistant" with Qubes?

I was seriously considering getting the home assistant blue appliance but one thing holding me back is that I do not want my home (other than a few computers and tablets) automation anything to be “internet accessible” (I assume if something is connect to the net then its a question of when not if?).

I was thinking qubes might be an option that would allow me to have home assistant that would be up to date but “offline”… I think? Is having a basic qubes setup on an old NUC with just a home assistant qube reasonable or am I overthinking things?

Thoughts would really be appreciated!

The closest thing I’ve seen is this idea of a QubesTV:

In particular look at the section “6. Secure offline Voice control of QubesTV”

1 Like

I honestly think you are indeed overthinking things a bit.

I happen to use both Qubes and Home Assistant, and they both are awesome software products for their own use cases, but I don’t really see any need to combine them, at least the way you are considering it.

May I ask why you are thinking that with the Home Assistant Blue you would be connecting anything to the Internet? The way I got to know Home Assistant is as a home automation solution which is very well suited for security- and privacy-focused people that Qubes-users happen to be most of the time. In fact, Home Assistant heavily advertises the “no cloud required” aspect itself.

I have installed Home Assistant on my own hardware (well, actually it’s a VM on my home server but that isn’t of importance here) and thus, I do not have detailed knowledge about the Blue appliance, but from what I saw on their website, it is basically a vanilla home assistant installation bundled with hardware that is very well suited to handle most of the usual tasks.

Yes, Home Assistant does offer some optional “online features”. However, these are only meant to make interaction with your setup more comfortable and are in no way obligatory.

But you don’t seem to have doubts about Home Assistant itself, only about how and where to install it.
In that case, a dedicated physical machine, be it the Blue appliance, a Raspberry Pi or the old NUC of yours, would in my opinion be the most secure setup you could go with. First, physical separation is more secure than “just” virtual separation in a VM of its own, because there could always be a hypothetical escape-to-hypervisor exploit which breaks the barrier of VMs.
Second, using a physically separate NUC, installing Qubes on it and then using this device exclusively for running Home Assistant just doesn’t add any more security.
The security of Qubes comes from separating things on one single system. If you are running only one thing (your Home Assistant installation), there is nothing to separate it from. You will only increase the administrative overhead, because you will have to connect your smart home devices to your home assistant installation somehow, and that will inevitably mean to deal with firewall rules and punching holes in your Qubes system just to make it work at all.

My opinion is: take the “Qubes way” and apply it to your home network on a larger scale. Don’t separate VMs on one computer, but device groups in your network. Create separate subnets for your smart home devices and confine them in there, together with your Home Assistant installation. A decent firewall appliance, e.g., pfSense, will help a lot. Work with VLANs, create firewall rules and make sure that communication flows exactly the way you want it. This is how to achieve the best security for your home network. After all, Home Assistant (or any other home automation solution) is just a single piece of a “smart home”.

3 Likes

Great advice on the logic of Qubes’ mode of isolation applied to a home network or any network.

phl’s reply is a great example in taking home networking into your own hands however this can be a time consuming and daunting task that deeplow may not want to dive into. If you want some sort of security in your home network but don’t have the time to configure firewall and vlan tagging which can be a pain for even experienced network administrators. Most consumer wireless routers do not have the ability to allow you to create multiple networks and dictate traffic traversal however a nice new(ish) features is “Guest Wireless” which you can use as your “untrusted network”, connect all your IOT and other devices which do not need to communicate locally on your network essentially isolating the two traffic routes.

1 Like

Yes, I would ask that if the thread is going more in the direction of configuring home networking, to please address it in the newly announced #all-around-qubes category (available to forum members)

But if the goal is to address this setup making use of Qubes features (i.e. RPC policies, etc.), feel free to keep it here.

I guess my question was around being able to update HA without it being connected directly to the internet. But with the comments and in hindsight I guess it would require some networking fungfu which I have very little of. Thanks for the insightful discussion!

You could always install Home Assistant on some dedicated device which does not have Internet access (even the cheaper home routers often allow to restrict certain devices, it is often labeled as some kind of “child protection”).
I don’t think you can update an existing installation by providing an update file manually (maybe you can and I just don’t know about it?). However, it would always be possible to backup the configuration in case of an update, re-install the appliance from scratch with the latest version, and then load the backup config to get it back to where it was before.
Depending on your risk model and the threats you want to defend against it could also be enough to allow Internet access for your appliance only during the exact timeslot when you are scheduling an update.

Anyway, this is no longer Qubes-specific. The thread started out by @stumpi asking if such an installation could be made possible based on Qubes. While technically, this could potentially be realised (you could always go with a standalone VM of ‘Home Assistant OS’ (whatever the official name of their appliance is) I don’t see much benefit.

If you want to prevent Home Assistant from accessing the Internet and your router doesn’t allow to restrict it you can also install some firewall application (probably a frontend for iptables/nftables) on the dedicated host running the software. I would even say this is easier and definitely less likely to break.

1 Like