Because there are several options for securing Domoticz, this how-to is divided into several separate how-to’s, each with its own option.
This specific how-to goes further into the aspect of setting up authentication from Domoticz itself. You can choose to enable this protection for all connections other than your own home network, including the internet. It offers basic protection and is not a complete solution on its own if you want to connect Domoticz to the internet.
This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!
This tutorial has been verified with: Domoticz 2020.1
Running Domoticz installation with stable Raspbian Buster release and SSH access. See my previous post for a how-to:
For the Let’s Encrypt SSL certificate, a domain and basic understanding of DNS (DDNS/A-records).
For port forwarding, basic networking knowledge and ability to create a port forward with IPv4/NAT.
Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
Raspbian Buster Lite 4.19, February 2020
Domoticz Stable 2020.1 (compile date 22-3-2020)
Before we enable authentication, it can be very helpful to exclude your local network. This way, you only need to authenticate when you connect from the internet. When you are at home and connected to your wifi, authentication is automatically skipped. It can also prevent accidental lock-outs.
Open your Settings in Domoticz
Depending on the IP address of your Domoticz installation, you need to enter the network. For example, if your Domoticz can be reached with IP address 192.168.0.123, we should include the network 192.168.0.*
For example:
IP address 192.168.1.112 -> Add the network 192.168.1.*
IP address 192.168.224.18 -> Add the network 192.168.224.*
Also, make sure to include the loopback address 127.0.0.1 so any local plugins keep working as expected.
You could also specify exact IP addresses, which can come in handy if you want to test authentication.
For the more experienced network specialists, you need to enter the complete network/subnet (for example 10.*.*.*).
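An added example, not part of the original how-to or of Domoticz: a small shell audit of the Local Networks list that shows which client addresses skip authentication and flags entries that reach beyond loopback and private (RFC 1918) ranges. The semicolon-separated list format and the glob-style wildcard matching are assumptions, and the sample list is constructed.

```sh
#!/bin/sh
# Audit a Domoticz "Local Networks" exemption list.
# Assumptions: entries are separated by ';' and '*' behaves like a shell glob.

# Return 0 if client IP $2 matches an entry of list $1 (no login prompt).
skips_auth() {
    list=$1; ip=$2
    set -f; old_ifs=$IFS; IFS=';'    # split on ';' and keep '*' literal
    for entry in $list; do
        # unquoted $entry: '*' acts as a wildcard in the case pattern
        case "$ip" in $entry) IFS=$old_ifs; set +f; return 0 ;; esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Return 0 if an entry stays inside loopback or RFC 1918 private space.
is_private_entry() {
    case "$1" in
        127.*|10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every entry of list $1 that can also match public addresses.
risky_entries() {
    set -f; old_ifs=$IFS; IFS=';'
    for entry in $1; do
        is_private_entry "$entry" || printf '%s\n' "$entry"
    done
    IFS=$old_ifs; set +f
}

# Constructed sample: the last entry is a deliberate mistake (too wide).
LOCAL_NETWORKS='127.0.0.1;192.168.0.*;10.*.*.*;192.*'
for ip in 192.168.0.123 10.40.3.17 203.0.113.7 192.0.2.10; do
    if skips_auth "$LOCAL_NETWORKS" "$ip"; then
        echo "$ip: authentication skipped"
    else
        echo "$ip: login required"
    fi
done
echo "entries reaching beyond private space: $(risky_entries "$LOCAL_NETWORKS")"
```

Any entry the audit prints should be narrowed before authentication is relied on for remote access, because clients in that range never see the login prompt.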
Next, the authentication for remote access. Unfortunately, although we can create users (and viewers & admins) in Domoticz, this can not be used for authentication for remote access. With Domoticz you are limited to a single user and password.
For the authentication part itself, there are 2 options: Login Page and Basic-Auth. Basically, the Login Page option has a nice view and logo. But due to a larger attack surface, it’s less secure by design.
The safest option is the “Basic-Auth” option where you are presented with a ‘dull’ username and password window upon visiting your Domoticz remotely. You can always change this at a later moment but for the sake of security, let’s choose the “Basic-Auth” option. You can see an example of both options further down below…
Once you enable authentication and you visit Domoticz from a non-exempted IP address, you are required to authenticate:
To reset authentication in case of a boo-boo:
To reset the website username/password in case this is lost there are two options:
- Specify -nowwwpwd as command line argument
- Place a file labeled ‘resetpwd’ inside the root Domoticz installation folder (takes up to a minute to reset).
Step-by-step how-to guide to install Domoticz on a virtual machine with Debian 10 Buster, hosted on VMware vSphere (formerly known as ESX).
We are going to install and configure an almost default installation of Debian on a virtual machine. In this case the underlying virtualization platform is VMware ESX. But any other common virtualization platform like Proxmox, VirtualBox, Hyper-V, etc. will probably do just as fine.
This tutorial has been verified with: Domoticz 2020.1 Debian Buster 10.3.0
Running modern version of VMware vSphere (ESX) or similar
Decent knowledge about virtualization, networking and the Linux basics (like installing and configuring Debian for example).
First we need to create a virtual machine as host for our new Debian and Domoticz server. I am not going into many details about this step as I assume you are able to achieve a running virtualization platform. If not, perhaps an installation of Domoticz on a Raspberry Pi would be more suited…
For the record, some (minimum) advice regarding resources:
CPU: 2 – 4 vCPU, depending on clock speed and generation
Memory: 2 GB minimum, 4 GB advised (1GB of memory also works but crappy performance in the end).
32 – 64 GB disk space, preferably thick provisioned for performance
1 network connection with internet access
To set you on your way, I provide you with some crude screenshots of an example for a new virtual machine in VMware vSphere, without any further comments:
Step 2: Install Debian
Once we have created a new virtual machine, the next step is to install Debian. This step is pretty much standard and straightforward. A couple of important details to follow during installation:
Create a user “pi” during installation, so your Debian installation is a bit more consistent with the default Raspbian-based distros.
During installation you can choose to install packages (Software Selection), make sure to include “SSH server” for headless configuration.
For this step we again assume that you have basic knowledge of Debian and you are able to follow and finish the installation process. For your pleasure and support, we include some basic and crude screenshots of the installation process without any further comments:
Step 3: Connect with SSH
Once Debian is fully installed and rebooted, logon with the root username and corresponding password from your virtualization console. The only thing we need to do within this console is to figure out the IP address so we can connect with SSH (and copy/paste our commands, much easier).
To find the IP address, type the following command:
You should see the IP address with CIDR notation, see this screenshot for more details. In my case the network adapter is named “ens192” with IP address 10.40.3.17 and subnet /22 (You will probably see something like 192.168.1.123/24 at home):
Step 4: Household tasks
By default, SSH access is enabled only for the user you created during setup. In this how-to we created the user “pi” during installation, which we are going to need for the next step.
Connect with PuTTY to the IP address of the Debian virtual machine and log on with the user “pi”. Please be advised that by default you cannot connect with the root user over SSH. This is by design and the default configuration for Debian, as a safety precaution.
Now that we have SSH access to our Debian box, let’s do some ‘household’ tasks in preparation:
Step 4-a: Updating Debian
First, we need to install sudo and add our pi user to the sudo group. Assuming you have SSH access and you are logged on with the pi user, become root with the su command:
Execute this command to update Debian to the latest standards and automatically reboot your virtual machine when it’s completed.
Next step is to make sure that the pi user is able to use the sudo command. Although strictly speaking this would not be necessary, it does make your Debian Box more compatible with the other Domoticz guides on this website and other Domoticz related documentation.
Connect with SSH and your pi user. Execute the su command to become root again (see Step 4-a). Next is to install sudo. By default sudo is not included in Debian so we need to install it first. Execute this command to do so:
apt install sudo -y
Now you have to modify the file /etc/sudoers which is where all the sudo configuration is located. You can use the nano editor for this:
The file does not have too many lines. In the user privilege specification section, you will find a line like this.
root ALL=(ALL:ALL) ALL
Under it, add your user and leave the rest the same.
pi ALL=(ALL:ALL) ALL
It should look like this:
Next, press CTRL + O to save the changes and CTRL + X to close the nano editor. Now type exit 2 or 3 times to revert back to the pi user we originally logged on with. The pi user is now able to execute commands with sudo. For example: sudo reboot. The first time you use the sudo command in an SSH session, Debian will ask for the password of the pi user as confirmation.
Step 4-c: Fixed IP address
Now that our pi user has sudo rights, it would be wise to assign a fixed IP address to our Debian box. Although strictly speaking this is also not necessary, it is advised so we can always find our Debian/Domoticz installation again. Use this command to configure a fixed IP address (remember, sudo asks for the password of the pi user in every SSH session, but only once per session):
sudo nano /etc/network/interfaces
Now, in this example, I am using a less common IP configuration than a typical household, so I included a configuration with the 192.168.0.0/24 network as an example. Also included are the DNS servers from OpenDNS, should you not yet know about them.
Press CTRL + O to save the changes and CTRL + X to close the nano editor.
Now, to apply the new network configuration, it’s best to execute the reboot command and apply the new IP address. Keep in mind that once the IP address changes, your SSH connection will drop without warning or dialog. You have to reconnect afterwards with the new IP address and accept the SSH host key for the new address.
Step 4-d: Install VMtools
Next is to install the VMtools. These are necessary so we have a better integration, stability and performance with the underlying virtualization host. Execute this command to install the general VMtools and reboot to complete the installation:
sudo apt install open-vm-tools -y && sudo reboot
Step 5-a: Prepare Debian for Domoticz
So now we have Debian up and running as we like, we need to prepare Debian for Domoticz. Debian is less prepared and expanded by default than Raspbian for the Raspberry Pi. So we will have to ensure that Debian knows and can execute the commands for Domoticz. For this we need to install and prepare a number of things. Execute the following commands:
Step-by-step how-to guide to install and configure Duplicati with the latest Raspbian Buster image and Domoticz.
Duplicati is a fantastic and very intuitive backup solution that supports a wide range of backup targets. Combined with a web interface, this makes it perfect as a backup solution for our beloved Domoticz installation.
Duplicati supports not only various online backup services like OneDrive, Amazon S3, Backblaze, Rackspace Cloud Files, Tahoe LAFS, and Google Drive, but also any servers that support SSH/SFTP, WebDAV, or FTP.
It does however need the mono framework as it is mainly written for the Windows platform and this makes it a bit heavy for Linux. Nonetheless, it’s one of my favorite open-source backup products.
Next is to edit the initscript file with the following command:
sudo nano /etc/default/duplicati
It should resemble the below configuration. You have to add the last “DAEMON_OPTS…” line to the file and save the changes. To exit and save the changes, press CTRL+X first and confirm to save the file with “Y”.
# Defaults for duplicati initscript
# sourced by /etc/init.d/duplicati
# installed at /etc/default/duplicati by the maintainer scripts
# This is a POSIX shell fragment
# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-interface=any --webservice-port=8200 --portable-mode"
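An added check, not part of the original how-to or of Duplicati: this script reads the DAEMON_OPTS line and reports whether the web UI is bound to every network interface, as with the line above, or to loopback only. The file contents are constructed samples, and treating a missing --webservice-interface option as loopback is an assumption.

```sh
#!/bin/sh
# Check how the Duplicati web UI is bound, based on /etc/default/duplicati.
# Assumption: when --webservice-interface is absent, Duplicati listens on loopback.

# Print the value of --$2 found in the DAEMON_OPTS="..." line of file $1.
daemon_opt() {
    opts=$(sed -n 's/^DAEMON_OPTS="\(.*\)"[[:space:]]*$/\1/p' "$1" | tail -n 1)
    value=
    set -f                                   # do not glob-expand a '*' value
    for opt in $opts; do
        case "$opt" in "--$2="*) value=${opt#*=} ;; esac
    done
    set +f
    printf '%s\n' "$value"
}

# Print "network" when the UI is reachable from other hosts, else "local".
webui_exposure() {
    iface=$(daemon_opt "$1" webservice-interface)
    case "${iface:-loopback}" in
        loopback|localhost|127.*) echo local ;;
        *) echo network ;;
    esac
}

tmp=$(mktemp -d)
# Constructed sample 1: the DAEMON_OPTS line used in this how-to.
cat > "$tmp/as-written" <<'EOF'
# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-interface=any --webservice-port=8200 --portable-mode"
EOF
# Constructed sample 2: same options, bound to loopback only.
cat > "$tmp/loopback" <<'EOF'
DAEMON_OPTS="--webservice-interface=loopback --webservice-port=8200 --portable-mode"
EOF

for f in "$tmp/as-written" "$tmp/loopback"; do
    echo "$(basename "$f"): port $(daemon_opt "$f" webservice-port), $(webui_exposure "$f")"
done
rm -rf "$tmp"
```

With the loopback binding, the web UI is reached through an SSH tunnel to port 8200 on the Raspberry Pi instead of directly over the network.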
Step 7: Enable Duplicati service
Now it’s time to enable and start the service. Execute the following commands:
You should now have Duplicati up-and-running and see the below results of a running service:
Step 8: Open the Duplicati web-gui
Next is to navigate to the web interface/gui. It is configured in the initscript file to run on port 8200. In my case, the IP address of my Raspberry Pi is 10.1.3.51. So in order to reach the web gui, I have to open the following address in my browser:
The first time you open the Duplicati interface, choose the first option “No, my machine has only a single account”.
You should now be able to configure a backup job!
A couple of tips when creating a backup job (see screenshots below for further guidance):
Include one of these directories:
Enable automatic backup in the Domoticz setup menu so you get consistent backups of your database.
Keep your encryption password in a safe place that you can find back should you ever need it (or just do not use an encryption password)!!
You can also run scripts before or after the backup.
Configure backup retention to automatically clean up old backups.