Securing Domoticz – Authentication

Because there are several options for securing Domoticz, this how-to is divided into several separate how-to’s, each with its own option.

This specific how-to goes further into the aspect of setting up authentication from Domoticz itself. You can choose to enable this protection for all connections other than your own home network, including the internet. It offers basic protection and is not a complete solution on its own if you want to connect Domoticz to the internet.

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

  • Running Domoticz installation with stable Raspbian Buster release and SSH access. See my previous post for a how-to: https://www.sancla.com/domoticz/raspberry-pi-4-with-domoticz/
  • For the Let’s Encrypt SSL certificate, a domain and basic understanding of DNS (DDNS/A-records).
  • For port forwarding, basic networking knowledge and ability to create a port forward with IPv4/NAT.

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Enable authentication

Before we enable authentication, it can be very helpful to exclude your local network. This way, you only need to authenticate when you connect from the internet. When you are at home and connected to your wifi, authentication is automatically skipped. It can also prevent accidental lock-outs.

Open your Settings in Domoticz

Depending on the IP address of your Domoticz installation, you need to enter the matching network. For example, if your Domoticz can be reached at IP address 192.168.0.123, we should include the network 192.168.0.*

For example:
IP address 192.168.1.112 -> Add the network 192.168.1.*
IP address 192.168.224.18 -> Add the network 192.168.224.*

Also, make sure to include the loopback address 127.0.0.1 so any local plugins keep working as expected.

You could also specify exact IP addresses, which can come in handy if you want to test authentication.

For the more experienced network specialists, you need to enter the complete network/subnet (for example 10.*.*.*).

Example of a local network configuration in Domoticz
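
To see which client addresses the entries above would let in without a login, here is an added example (not part of the original how-to, and not Domoticz's own code) that models the wildcard entries in shell. It assumes each entry is four dot-separated octets where `*` matches any single octet; the function names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: which client addresses skip the Domoticz login?
# Assumption: an entry is four dot-separated octets and "*" matches any octet.

# match_entry IP ENTRY -> returns 0 when IP falls under ENTRY
match_entry() {
    ip=$1 entry=$2 n=0
    while [ "$n" -lt 4 ]; do
        io=${ip%%.*} eo=${entry%%.*}          # first octet of each
        if [ -z "$io" ] || [ -z "$eo" ]; then return 1; fi
        if [ "$eo" != "*" ] && [ "$eo" != "$io" ]; then return 1; fi
        case $ip in *.*) ip=${ip#*.} ;; *) ip= ;; esac
        case $entry in *.*) entry=${entry#*.} ;; *) entry= ;; esac
        n=$((n + 1))
    done
    # Both must be used up: rejects entries or addresses with extra octets.
    [ -z "$ip" ] && [ -z "$entry" ]
}

# is_exempt IP ENTRY... -> returns 0 when any entry covers IP
is_exempt() {
    client=$1; shift
    for e in "$@"; do
        if match_entry "$client" "$e"; then return 0; fi
    done
    return 1
}

# entry_size ENTRY -> prints how many addresses the entry exempts
entry_size() {
    rest=$1 size=1
    while [ -n "$rest" ]; do
        if [ "${rest%%.*}" = "*" ]; then size=$((size * 256)); fi
        case $rest in *.*) rest=${rest#*.} ;; *) rest= ;; esac
    done
    echo "$size"
}

# Constructed sample clients checked against the entries from this how-to.
for c in 127.0.0.1 192.168.1.112 192.168.10.5 203.0.113.7; do
    if is_exempt "$c" "127.0.0.1" "192.168.1.*"; then
        echo "$c: no login required"
    else
        echo "$c: must authenticate"
    fi
done
echo "10.*.*.* exempts $(entry_size '10.*.*.*') addresses"
```

The last line makes the cost of a broad entry visible: `10.*.*.*` exempts 16,777,216 addresses from authentication, while `192.168.1.*` exempts 256.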

Next, the authentication for remote access.
Unfortunately, although we can create users (and viewers & admins) in Domoticz, this can not be used for authentication for remote access. With Domoticz you are limited to a single user and password.

For the authentication part itself, there are 2 options: Login Page and Basic-Auth. Basically, the Login Page option has a nice view and logo. But due to a larger attack surface, it’s less secure by design.

The safest option is the “Basic-Auth” option where you are presented with a ‘dull’ username and password window upon visiting your Domoticz remotely. You can always change this at a later moment but for the sake of security, let’s choose the “Basic-Auth” option. You can see an example of both options further down below…

Give yourself a nice clean (but personalized) username and password. Make sure it’s a safe password; if you need help, you could try the Roboform password generator: https://www.roboform.com/password-generator

Enabling Website Protection in Domoticz

Once you enable authentication and you visit Domoticz from a non-exempted IP address, you are required to authenticate:

To reset authentication in case of a boo-boo:

To reset the website username/password in case this is lost there are two options:
– Specify -nowwwpwd as command line argument
– Place a file labeled ‘resetpwd’ inside the root Domoticz installation folder (takes up to a minute to reset).

Source: https://www.domoticz.com/wiki/Application_Settings

Install Domoticz on Debian 10.3 (Buster)

Step-by-step how-to guide to install Domoticz on a virtual machine with Debian 10 Buster, hosted on VMware vSphere (formerly known as ESX).

We are going to install and configure an almost default installation of Debian on a virtual machine. In this case the underlying virtualization platform is VMware ESX, but any other common virtualization platform like Proxmox, VirtualBox, Hyper-V, etc. will probably do just as well.

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1
Debian Buster 10.3.0

Prerequisites

Tested with

  • VMware vSphere 6.7.0
  • Putty 0.73
  • Debian 10.3.0 amd64 (Buster)
  • Domoticz Stable 2020.1 (compile date 22-3-2020)

Step 1: Create a Virtual Machine

First we need to create a virtual machine as host for our new Debian and Domoticz server. I am not going into much detail about this step, as I assume you are able to get a virtualization platform running. If not, perhaps an installation of Domoticz on a Raspberry Pi would be better suited…

For the record, some (minimum) advice regarding resources:

  • CPU: 2 – 4 vCPU, depending on clock speed and generation
  • Memory: 2 GB minimum, 4 GB advised
    (1 GB of memory also works, but with crappy performance in the end).
  • 32 – 64 GB disk space, preferably thick provisioned for performance
  • 1 network connection with internet access

To set you on your way, I provide you with some crude screenshots of an example for a new virtual machine in VMware vSphere, without any further comments:

Step 2: Install Debian

Once we have created a new virtual machine, the next step is to install Debian. This step is pretty much standard and straightforward. A couple of important details to follow during installation:

  • Create a user “pi” during installation, so your Debian installation is a bit more consistent with the default Raspbian-based distros.
  • During installation you can choose to install packages (Software Selection), make sure to include “SSH server” for headless configuration.

For this step we again assume that you have basic knowledge of Debian and that you are able to follow and finish the installation process. For your pleasure and support, we include some basic and crude screenshots of the installation process without any further comments:

Step 3: Connect with SSH

Once Debian is fully installed and rebooted, log on with the root username and corresponding password from your virtualization console. The only thing we need to do within this console is to figure out the IP address so we can connect with SSH (and copy/paste our commands, which is much easier).

To find the IP address, type the following command:

ip a

You should see the IP address with CIDR notation, see this screenshot for more details. In my case the network adapter is named “ens192” with IP address 10.40.3.17 and subnet /22 (You will probably see something like 192.168.1.123/24 at home):

Results of the “ip a” command with Debian

Step 4: Household tasks

By default, SSH access is enabled only for the user you created during setup. In this how-to we created the user “pi” during installation, which we are going to need for the next step.

Connect with putty to the IP address of Debian virtual machine and logon with the user “pi”. Please be advised that by default you can not connect with the root user over SSH. This is by design and the default configuration for Debian, as a safety precaution.

Now we have SSH access to our Debian box, let’s do some ‘household’ tasks in preparation:

Step 4-a: Updating Debian

First, we need to install sudo and add our pi user to the sudo group.
Assuming you have SSH access and you are logged on with the pi user, become root with the su command:

su

Execute this command to update Debian to the latest standards and automatically reboot your virtual machine when it’s completed.

apt update -y && apt upgrade -y && systemctl reboot

Step 4-b: Give “pi” user sudo rights

Next step is to make sure that the pi user is able to use the sudo command.
Although strictly speaking this would not be necessary, it does make your Debian Box more compatible with the other Domoticz guides on this website and other Domoticz related documentation.

Connect with SSH and your pi user.
Execute the su command to become root again (see Step 4-a).
Next is to install sudo. By default sudo is not included in Debian so we need to install it first. Execute this command to do so:

apt install sudo -y

Now you have to modify the file /etc/sudoers which is where all the sudo configuration is located. You can use the nano editor for this:

nano /etc/sudoers

The file does not have too many lines. In the user privilege specification section, you will find a line like this.

root ALL=(ALL:ALL) ALL

Under it, add your user and leave the rest the same.

pi ALL=(ALL:ALL) ALL

It should look like this:

pi user added to the sudoers file

Next, press CTRL + O to save the changes and CTRL + X to close the nano editor. Now type exit 2 or 3 times to revert back to the pi user we originally logged on with. The pi user is now able to execute commands with sudo. For example: sudo reboot.
The first time you use the sudo command in each SSH session, Debian will ask for the password of the pi user as confirmation.

Step 4-c: Fixed IP address

Now that our pi user has sudo rights, it would be wise to assign a fixed IP address to our Debian box. Although strictly speaking this is also not necessary, it is advised so we can always find our Debian/Domoticz installation again. Use this command to configure a fixed IP address
(remember, sudo asks for the password of the pi user in every SSH session, but only once per session):

sudo nano /etc/network/interfaces

In my own case, I am using a less common IP configuration than a typical household, so I included a configuration with the 192.168.0.0/24 network as an example. Also included are the DNS servers from OpenDNS, should you not yet know about them.

Press CTRL + O to save the changes and CTRL + X to close the nano editor.

Now, to apply the new network configuration, it’s best to execute the reboot command so the new IP address takes effect. Keep in mind that once the IP address changes, your SSH connection will drop without warning or dialog. You have to reconnect afterwards with the new IP address and accept the SSH host key for the new address.

sudo reboot

Step 4-d: Install VMtools

Next is to install the VMtools. These are necessary so we have a better integration, stability and performance with the underlying virtualization host. Execute this command to install the general VMtools and reboot to complete the installation:

sudo apt install open-vm-tools -y && sudo reboot

Step 5-a: Prepare Debian for Domoticz

So now we have Debian up and running as we like, we need to prepare Debian for Domoticz. Debian is less prepared and expanded by default than Raspbian for the Raspberry Pi. So we will have to ensure that Debian knows and can execute the commands for Domoticz. For this we need to install and prepare a number of things. Execute the following commands:

sudo apt install build-essential -y

sudo apt install cmake libboost-dev libboost-thread-dev libboost-system-dev libsqlite3-dev subversion curl libcurl4 libcurl4-openssl-dev libusb-dev zlib1g-dev libssl-dev git -y

Step 5-b: Install

Per advice by Domoticz forum user “dzjr” you should also install the pip3 package manually (thank you for the feedback dzjr!)
You can do so with the following command:

sudo apt install python3-pip -y

Step 6: Install Domoticz

We are finally there! Say yes to the dress! (don’t ask… I’m sitting next to my wife while writing this article and it’s really awful, awful television…).

We can now install Domoticz the regular way:

curl -sSL install.domoticz.com | sudo bash

NOTE: If you get a curl error, run Step 5-a again:
sudo apt install build-essential -y
sudo apt install cmake libboost-dev libboost-thread-dev libboost-system-dev libsqlite3-dev subversion curl libcurl4 libcurl4-openssl-dev libusb-dev zlib1g-dev libssl-dev git -y

And there she is, our Domoticz server is up and running:

Domoticz is up and running on Debian Buster 10.3.0

Backup Domoticz with Duplicati

Step-by-step how-to guide to install and configure Duplicati with the latest Raspbian Buster image and Domoticz.

Duplicati is a fantastic and very intuitive backup solution that supports a wide range of backup targets. Combined with a web interface, this makes it a perfect backup solution for our beloved Domoticz installation.

Duplicati supports not only various online backup services like OneDrive, Amazon S3, Backblaze, Rackspace Cloud Files, Tahoe LAFS, and Google Drive, but also any servers that support SSH/SFTP, WebDAV, or FTP.

It does however need the mono framework as it is mainly written for the Windows platform and this makes it a bit heavy for Linux. Nonetheless, it’s one of my favorite open-source backup products.

Tip: Duplicati is more about making a backup of the most important files. If you are looking for a complete system backup solution, perhaps this is more what you are looking for:
https://www.hackviking.com/single-board-computers/raspberry-pi/automated-raspberry-pi-backup-complete-image/

This how-to is part of a bigger series of Domoticz how-to’s on sancla.com!

This tutorial has been verified with:
Domoticz 2020.1

Prerequisites

Tested with

  • Raspberry Pi 4 (MEM 2GB with 16GB sd-card)
  • Raspbian Buster Lite 4.19, February 2020
  • Domoticz Stable 2020.1 (compile date 22-3-2020)
  • Duplicati BETA v2.0.5.1-2.0.5.1_beta_2020-01-18

Step 1: Install the Mono Framework

This step can take a bit of time…

sudo apt install mono-complete ca-certificates-mono -y

Step 2: Sync the certificates

sudo cert-sync /etc/ssl/certs/ca-certificates.crt

Step 3: Install Duplicati

wget https://github.com/duplicati/duplicati/releases/download/v2.0.5.1-2.0.5.1_beta_2020-01-18/duplicati_2.0.5.1-1_all.deb
sudo apt-get install ./duplicati_2.0.5.1-1_all.deb -y

Step 4: Install missing dependencies

Sometimes Raspbian is still missing some required dependencies.
Just to be sure, run the following command so we are not missing out on any:

sudo apt -f install -y

Step 5: Configure the service file

We need to edit the service file in order to make it possible to run this as a service. So go open the file with the nano text editor with the following command:

sudo nano /etc/systemd/system/duplicati.service 
The duplicati.service file

Copy-paste the following configuration and save the file.
To exit and save the changes, press CTRL+X first and confirm to save the file with “Y”.

[Unit]
Description=Duplicati web-server
After=network.target

[Service]
Nice=19
IOSchedulingClass=idle
EnvironmentFile=-/etc/default/duplicati
ExecStart=/usr/bin/duplicati-server $DAEMON_OPTS
Restart=always

[Install]
WantedBy=multi-user.target

Step 6: Configure the initscript file

Next is to edit the initscript file with the following command:

sudo nano /etc/default/duplicati
The duplicati initscript

It should resemble the below configuration. You have to add the last “DAEMON_OPTS…” line to the file and save the changes. To exit and save the changes, press CTRL+X first and confirm to save the file with “Y”.

# Defaults for duplicati initscript
# sourced by /etc/init.d/duplicati
# installed at /etc/default/duplicati by the maintainer scripts

#
# This is a POSIX shell fragment
#

# Additional options that are passed to the Daemon.
DAEMON_OPTS="--webservice-interface=any --webservice-port=8200 --portable-mode"
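
The DAEMON_OPTS line above makes the Duplicati web interface listen on every network interface, and nothing in it sets a password. As an added example (not part of the original how-to or of Duplicati), this shell check classifies a DAEMON_OPTS string by exposure; the function name, the verdict words and the two alternative option strings are constructed for illustration, and the password value is a placeholder.

```shell
#!/bin/sh
# Added example: classify how a DAEMON_OPTS string exposes the Duplicati
# web interface. Names and verdict words are illustrative.

# audit_duplicati_opts "OPTS" -> prints one verdict word
audit_duplicati_opts() {
    iface=loopback      # Duplicati listens on loopback when the option is absent
    has_pw=no
    set -f              # do not glob-expand option values such as "*"
    for opt in $1; do
        case $opt in
            --webservice-interface=*) iface=${opt#*=} ;;
            --webservice-password=?*) has_pw=yes ;;
        esac
    done
    set +f
    case $iface in
        loopback|127.*) echo "local-only" ;;
        *)  if [ "$has_pw" = yes ]; then
                echo "network-with-password"
            else
                echo "network-no-password"
            fi ;;
    esac
}

# The line from Step 6, followed by two constructed alternatives.
AS_PUBLISHED="--webservice-interface=any --webservice-port=8200 --portable-mode"
WITH_PASSWORD="$AS_PUBLISHED --webservice-password=CHANGE-ME-placeholder"
LOOPBACK_ONLY="--webservice-interface=loopback --webservice-port=8200 --portable-mode"

for o in "$AS_PUBLISHED" "$WITH_PASSWORD" "$LOOPBACK_ONLY"; do
    printf '%-24s %s\n' "$(audit_duplicati_opts "$o")" "$o"
done
```

A password set on the Settings page of the web interface is stored by Duplicati itself and does not appear in DAEMON_OPTS, so a `network-no-password` verdict means the Settings page still needs checking.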

Step 7: Enable Duplicati service

Now it’s time to enable and start the service.
Execute the following commands:

sudo systemctl enable duplicati.service
sudo systemctl daemon-reload
sudo systemctl start duplicati.service	
sudo systemctl status duplicati.service

You should now have Duplicati up-and-running and see the below results of a running service:

Duplicati service is running correctly

Step 8: Open the Duplicati web-gui

Next is to navigate to the web interface/gui. It is configured in the initscript file to run on port 8200. In my case, the IP address of my Raspberry Pi is 10.1.3.51. So in order to reach the web gui, I have to open the following address in my browser:

http://10.1.3.51:8200
Duplicati First Run Setup

The first time you open the Duplicati interface, choose the first option “No, my machine has only a single account”.

You should now be able to configure a backup job!

A couple of tips when creating a backup job (see screenshots below for further guidance):

  • Include one of these directories:
    • /home/pi
    • /home/pi/domoticz
  • Enable automatic backup in the Domoticz setup menu so you get consistent backups of your database.
  • Keep your encryption password in a safe place that you can find back should you ever need it (or just do not use an encryption password)!!
  • You can also run scripts in advance or after the backup
  • Configure backup retention to automatically clean up old backups.
  • Enable e-mail notifications to keep track of your backups.
    See this forum post for the proper steps using Google Mail:
    https://forum.duplicati.com/t/how-to-configure-automatic-email-notifications-via-gmail-for-every-backup-job/869

Should you need to restore…

If you ever need to restore, you can do so easily by clicking on the job and selecting to restore files, as seen in the screenshot below.
Follow the steps with these instructions:

https://duplicati.readthedocs.io/en/latest/03-using-the-graphical-user-interface/#restoring-files-from-a-backup

Restore files with Duplicati

Worst-case scenario

However, in the worst-case scenario, a F.U.B.A.R. situation, you don’t have a running pi anymore. For example, your SD-card or USB stick died…
The first 2 steps are to get your pi running again with a fresh installation of Raspbian and Domoticz. Next is to install Duplicati again using this guide. Another option is to just install Duplicati on your own system to retrieve your files. See this link for more information and instructions:
https://duplicati.readthedocs.io/en/latest/03-using-the-graphical-user-interface/#restoring-files-if-your-duplicati-installation-is-lost

Further documentation

For more information on Duplicati, how to create a proper backup job and other documentation, you can visit this site:

https://duplicati.readthedocs.io/en/latest/
