Project Selfhosting - How we can use community and developer resources more effectively

Development
1

Hi :slight_smile: I created this Topic, because I think I had an Idea how we can use the time and the available resources available for OpenHab more effectively :slight_smile:

Today there was an issue with the OpenHab cloudā€¦I saw a lot of posts and a lot of people try to solve it for a whole day and longerā€¦as some installations depend on the cloud, this creates some time-urgency and stress under the developers and maintainers which leads to less ā€œfunā€ in the development-process in opensource-softwareā€¦

To avoid that, I want to come up with a (rather huge) plan to avoid having this Problem again and reducing maintainance for the community to keep the focus on the core functions, stability and enchanced functions of OpenHab :slight_smile: Therefore I would suggest the following schedule

1) Prepare everything for Selfhosting
Instead of hosting a ā€œfully fledgedā€ OpenHab-Cloud, it would be much easier to host ā€œjustā€ a ddns server, with an IP-adress determining service that tells the OpenHab-binding when to update the IP addressā€¦This may lead to much less downtime and maintainance -> maybe also lower costs regarding hosting I donā€™t know details about the Cloud hereā€¦ This makes together with the OpenHab-Auth wich was implemented in 3.0.0 it much easier for everyone to selfhost. Maybe there is already enough opensource here, which we can use for this purpose, or adjust OpenHab-Cloud. GitHub - nsupdate-info/nsupdate.info: Dynamic DNS service
I think we should ensure that you can only use it with an Openhab installationā€¦

1.2)Identify Alexa-Skills and other Bindings/Skills that actually rely on the OpenHab cloud
Every skill should have the possibility to not use the Cloud easily. Therefore we should determine which skill needs the Cloud, and how we can adjust itā€¦I opened an Issue for Alexa here: Integrate URL into settings Ā· Issue #386 Ā· openhab/openhab-alexa Ā· GitHub
Maybe we have to determine if this is even possibleā€¦ For the Alexa-Skill this seems not be which would be a problemā€¦maybe someone in the community finds a solution? Otherwise this projectpoint maybe doomedā€¦

2) Enchance security on OpenHab to make it more attractive for Selfhosting
For making OpenHab more attractive for Selfhosting, we should further enchance the security of itā€¦like with 2fa Auth :slight_smile:

With ddns, and all skills able to point to your URL easyly, I think Selfhosting is much more attractive especially in todayā€™s time of data-protection. Also all the maintainers and developers donā€™t have to do so much maintainance-work on the Server I hope.

I donā€™t know if I have forgotten somethingā€¦but I would be really interested what the developers and the community thinks about this idea :slight_smile:. Be free to post your thoughts and ideas for saving time and stress for all the developers and maintainers who brought this wonderful program to the community.:heart:

Nevertheless this would be a huge project and I guess very time-consuming, but I hope that it can save time for all the awesome people working on OpenHab for the future :slight_smile:.

2

The server software has always been available for self-hosting.

The non-profit foundation running the clod server cannot charge for services and does not have the resources to improve infrastructure.

i think they would welcome somebody to host a paid instance but nobody has done that yet.

3

How much capacity/what exactly would they need do you know that?

Yes :slight_smile: but I meant Selfhosting the OpenHab instance directly (without Cloud companion) as for now, one would have to rewrite his own Alexa skill (or Google home skill) and host the companion, ā€œjustā€ to become independent from the Cloudā€¦

4

The OH security model is currently no where near that level.

5

I know :slight_smile: thatā€™s why I wrote point 2 :slight_smile:

6

I think there is a big misunderstanding. It is just a small part of our developers being involved in maintaining the cloud part. So what you suggest would not be really helpfull. Also, issues occured today were caused by our hosting provider, so nothing really causing big trouble for maintainers.

I really donā€˜t see any benefit in your proposal, apart from introducing security issuesā€¦

1 Like
7

Okay thanks for the Information :slight_smile:

Okay than it would make no senseā€¦I mark that as solution for now if itā€™s not beneficialā€¦

8

This was just my opinion, not necessarily common senseā€¦

1 Like
9

@hmerk and @Bruce_Osborne what are the security-features you would implement to make it ā€œfit for Selfhostingā€? Is this doc still applicable? Securing Communication and Access | openHAB

10

Okay thanks for that :slight_smile: unmarked to keep up discussion :slight_smile:

11

I for myself would never expose my openHAB installation to the internet in any way. I really like our current approach where communication is initiated from openHAB to myopenHAB, which is acting like a proxy in this case.
If I need to connect to my openHAB server from out of my home, I use a VPN tunnelā€¦

2 Likes
12

Yes, it is still valid.

1 Like
13

It would need a strong authentication ( who you are) and authorization ( what you can do) system with no unauthenticated access permitted, You do not want your system revealing details about your home that could be used against you for harm.

Web access needs to be secure ( HTTPS) Only. The system software also regularly needs to be audited for security vulnerabilities. Some also include penetration testng.

1 Like
14

Nice! I also would suggest some security-headers and additional TLS-optionsā€¦ personally I use security-headers.io for testingā€¦ nextcloud (which is meant for Selfhosting) has a nice approach hereā€¦I think Https is not really integrable in OpenHab directly right?

15

Even for OpenHab 3 as it has authentication build in? Or is this a system that is not meant for exposure, just for ā€œin-home securityā€

16

I think by default it uses a self-signed certificate on port 8443. I have my OH2 instance running behind an ssl protected reverse proxy. Home NAT solutions will not work for the could access features provided by the server though. Paying for Business class Internet access to get a static ip address is insanely expensive for most people.

1 Like
17

As it is implemented actually, i would see it just for in-home security.

I use openHAB since about 9 years now and never had big issues using myopenHAB for remote access. Therefore I see no need for big changes.

1 Like
18

Me too Iā€™m using traefik Traefik Proxy Documentation - Traefik and run everything in docker as it reduces host-sytsem caused errorsā€¦

Yes I knowā€¦this also differs from country to countryā€¦ therefore Iā€™m using dyndns-providersā€¦

19

Yes itā€™s a cool service :slight_smile: I thought it has to eat up a lot of your time supporting itā€¦ thatā€™s why I came up with the idea of easier self-hosting :slight_smile:

20

Residential users are still hidden behind NAT,(Network Address Translation) or likely PAT ( Port Address Translation) with many people sharing the same public ip address.

Yes, I am a Network Engineer.

1 Like