If you have a dedicated server that you want to set up Home Assistant on and would like to run it natively (not in a container), then this is the tutorial for you. This tutorial focuses on using CentOS 8 because I am personally familiar with RedHat based products. But those who chose to use Ubuntu, Debian, Alpine, Arch, etc should be able to benefit from a good chunk of the information explained here too.
Minimum Requirements
While Home Assistant works awesome on a Raspberry Pi for simple things, it can start to get sluggish and feel under-powered over time as you get addicted like the rest of us and continue to add automations to it. It specifically takes a hard it once you start adding automations that involve video and get fancy with others.
Thus, if you’re a hobbyist who plans on continuing to evolve your homes automation over time, a Raspberry Pi is not good enough. A small PC (and this tutorial of course π ) is the best way to go.
>=100Mbit/s It’s strongly recommended that the server you choose to set up Home Assistant utilize a physical network cable and not WiFi.
Storage
>=32GB Storage is only really important if you plan on installing home surveillance (specifically video cameras). If you do, then target your storage to be at least 512GB or more instead. This will allow you to record with them and save the content locally (should you choose to do this).
Here is the breakdown of where the storage all goes (with respect to this tutorial):
Path
Size
Details
/etc/homeassistant/
1GB
Your configuration files are small (less then 256KB), however Home Assistant maintains what is called a Recorder which tracks itself in an SQLite database. This SQLite database tends to grow over time in size (which you can control). This is also the location of your homeassistant.log file which can also grow in size as well. By giving yourself (at least) 1GB here, you just provide enough room for future growth that will never interrupt your setup over time. More on the contents of this directory is discussed near the end of this blog.
/opt/homeassistant/
2GB
The entire installation of Home Assistant will sit here once you’ve completed this tutorial. The actual installation (with most bells and whistles) is just under 1GB. 2GB is just a suggested size because it will leave you with plenty of room for future growth.
/
6GB
Your root filesystem and all the core directories that go with it such as /boot, /tmp, /home, /usr, /var, … etc. 6GB is more than enough to host the Linux operating system and all of it’s needs while still leaving you ample space for growth.
/opt/homeassistant/video/
>128GB
I’m just throwing this in here… Those who don’t have video recording cameras at their home (inside and out) can ignore this. But consider at LEAST 32GB per camera depending on how much you want to record. You may also want to plan for an expansion down the road too; I said >=512GB earlier and I meant it. Storage is cheap these days, so plan properly at the start.
It is assumed at this point that you’ve set up your server or already had one running. Let’s set up a working environment that Home Assistant can work in. It’s important to have root or sudo privileges prior to running the commands below in each section.
General Server Preparation
The safest way to run Home Assistant is with it’s own dedicated user and permissions. The following will set up a working environment for us to build further onto:
# Again.. our basic layout will be:
# User: homeassistant
# HA Config: /etc/homeassistant
# HA Core: /opt/homeassistant
# Prepare our user:
sudo useradd -rm homeassistant \
--home-dir /opt/homeassistant
# The dialout group allows us to access our external USB
# devices such as the Aeotec Z-Stick Series 5 (which is
# what I use). We want to add our user to this group:
sudo usermod -aG dialout homeassistant
# Prepare our configuration directory
sudo mkdir /etc/homeassistant
# Adjust our permissions
sudo chown -R homeassistant:homeassistant \
/opt/homeassistant /etc/homeassistant
# Some of the packages later installed with pip3
# require that they are compiled in your environment
# (or it will not work) so the following is also
# required:
sudo dnf install -y gcc make gcc-c++ systemd-devel \
unzip tar
Python 3.8 Setup
We need to setup Python 3.8 into our CentOS environment because it is the minimum requirement for Home Assistant to work. So basically we have 2 options here: Take the most stable version of v3.8, or take the one manged by CentOS which is sometimes outdated. Either way, I’ve explained both below:
sudo dnf install -y bzip2-devel expat-devel gdbm-devel \
libuuid-devel libffi-devel\
ncurses-devel openssl-devel readline-devel \
sqlite-devel tk-devel xz-devel zlib-devel wget \
gcc make gcc-c++ tar
# At the time this blog was written, the current
# version was v3.8.5:
VERSION=3.8.5
#
# Acquire
#
wget https://www.python.org/ftp/python/${VERSION}/Python-${VERSION}.tgz
tar -xf Python-${VERSION}.tgz
#
# Configure
#
cd Python-${VERSION}
./configure --enable-optimizations
#
# Build
#
# This step can take a while - so be patient!
make -j 4
#
# Install
#
# This is very safe and will not over-write
# existing Python that ships with CentOS
sudo make altinstall
Regardless of which route you chose to take, you can test the version out to see if you were successful:
# Test the version out:
python3.8 -V
Surveillance Video Camera Setup
Run the following commands if you have or plan on having surveillance cameras installed into your environment. Feel free to run this at a later time if you want. Basically you need a copy of ffmpeg available if you plan on accessing your camera stream in Home Assistant.
Assuming you’ve followed the sections Python 3.8 Setup and General Server Preparation above, we can now install Home Assistant:
# First we switch to our new homeassistant user we created:
sudo -u homeassistant -H -s
# Optional SSH Keygen Setup
[ ! -f ~/.ssh/id_rsa.pub ] && \
ssh-keygen -f ~/.ssh/id_rsa -C "Home Assistant" -q -N ""
# Change to our home directory (if we're not there already)
cd /opt/homeassistant
# Prepare our virtual environment
python3.8 -m venv .
# It's always VERY important you activate your
# environment before you start running pip3
# commands
. ./bin/activate
# Perform our installation:
pip3 install homeassistant home-assistant-frontend \
homeassistant-pyozw colorlog flask-sqlalchemy
# Return back to our root user
exit
Finally we must create an System D Startup file to make it easy to start/stop our instance of Home Assistant:
# the following will drop us in a startup script we can use with our environment
sudo bash <<EOF
cat << _EOF > /usr/lib/systemd/system/home-assistant.service
[Unit]
Description=Home Assistant
After=network-online.target
[Service]
Type=simple
User=homeassistant
ExecStart=/opt/homeassistant/bin/hass -c "/etc/homeassistant"
WorkingDirectory=/opt/homeassistant
PrivateTmp=true
Restart=on-failure
[Install]
WantedBy=multi-user.target
_EOF
EOF
# Pick up our new configuration
sudo systemctl daemon-reload
# Make it so Home Assistant starts even after a
# server reboot
sudo systemctl enable home-assistant
# Let's start it up now
sudo systemctl start home-assistant
The final piece of the puzzle is to expose port 8123 to our network so that we can access our instance of Home Assistant:
sudo bash <<EOF
cat << _EOF > /usr/lib/firewalld/services/home-assistant.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
<short>Home Assistant</short>
<description>Home Assistant Web Portal</description>
<port protocol="tcp" port="8123"/>
</service>
_EOF
EOF
# Reload our firewall so it can find our recently
# created configuration file (defined above)
sudo firewall-cmd --reload
# Now we'll add our new firewall service
sudo firewall-cmd --zone=public \
--add-service=home-assistant --permanent
# once again reload our firewall to open our newly
# declared port:
sudo firewall-cmd --reload
Finalizing Your Installation
You can now visit your new Home Assistant server at http://ip.to.your.server:8123 and start setting up your account for the first time.
When you first access the page you will be able to create the first system user (also the administrator account) that you can build automations with.
Home Assistant Upgrades
You’ll find that Home Assistant is rapidly expanding and always fixing issues and adding more cool features you can play with. Upgrading Home Assistant is as easy as this:
# Switch to our home assistant user:
sudo -u homeassistant -H -s
# Change to our home directory (if we're not there already)
cd /opt/homeassistant
# It's always VERY important you activate your
# environment before you start running pip3
# commands
. ./bin/activate
# Switch to our homeassistant user
pip3 install --upgrade homeassistant
# Return to our user with sudoer's permission
exit
# Restart Home Assistant
sudo systemctl restart home-assistant
A Quick Overview
At this point you should be all set up with a running copy of Home Assistant to play with. Here are some general files and directories that will begin appearing in your server’s filesystem in the /etc/homeassistant/ directory that you may want to know about:
homeassistant.log
All of the logs associated with Home Assistant will show up here. This is a fantastic location to begin your troubleshooting should you run into problems.
configuration.yaml
This is the core configuration that will drive your entire Home Assistant application from this point forward. Any changes to this file will require you to restart Home Assistant for the changes to take effect.
home-assistant_v2.db
This is the Home Assistant Recorder. From within your Home Assistant Dashboard, you can click on History button off of the dashboard to see the contents.
secrets.yaml
This is a simple file that allows you to map key/value pairs. The idea is to keep all of your passwords and/or tokens that you otherwise want to keep from prying eyes. This file should be given very strict permissions:
# protect this file if you intend to use it
chmod 600 /etc/homeassistant/secrets.yaml
For example, you might use Apprise to send you an email notification. In order to send an email Apprise needs your personal email information. As an example, in your configuration.yaml file you might do this:
Then in your secrets.yaml file you now need an entry for a new keyword you created called apprise_url. Your entry in the secrets.yaml file might look like this:
# /etc/homeassistant/secrets.yaml
# Define your Apprise details in a secure location:
apprise_url: mailto://myuser:mypassword@gmail.com
More details on how secrets work can be found here in the Home Assistant documentation. Also, check out the Apprise wiki to see all of the different services you can notify with it.
automations.yaml
This is where you can begin constructing your own Home Assistant automations once you’ve added a few integrations into Home Assistant.
An example of an automation you might have set up could send us an email using Apprise at sunset:
# /etc/homeassistant/automations.yaml
#
# Utilize Apprise to send a notification
#
alias: "[Interactive] - Sunset Apprise Notice"
trigger:
platform: sun
event: sunset
action:
service: notify.apprise
data:
title: "Good evening"
message: "This sun is setting."
Configuration Backup
No setup is complete without regular backups taking place. The following is just a basic configuration backup setup you can use to get you started:
# For Backups (run these commands as the homeassistant user):
sudo mkdir -p /opt/homeassistant/backups
sudo chown homeassistant.homeassistant /opt/homeassistant/backups
# This is a simple script to get you started:
sudo bash <<EOF
cat << _EOF > /opt/homeassistant/bin/backup.sh
#!/bin/sh
# Create a backup of Home Assistant
TARGET=/opt/homeassistant/backups
SOURCE=/etc/homeassistant
[ ! -d "\$TARGET" ] && /usr/bin/mkdir -p "\$TARGET"
[ ! -d "\$TARGET" ] && exit 1
tar cfz "\$TARGET/\$(date +'%Y.%m.%d')-config.tgz" -C \$SOURCE .
RET=\$?
# Tidy; Keep X days worth
find -L \$TARGET/ -mindepth 1 -maxdepth 1 -name "*.config.tgz" -mtime +120 -delete
exit \$RET
_EOF
EOF
# Permissions to be executable
sudo chmod 775 /opt/homeassistant/bin/backup.sh
# Prepare ourselves a cron job that will run our backup every week
sudo bash <<EOF
cat << _EOF > /etc/cron.d/homeassistant_backup
0 0 * * 0 homeassistant /opt/homeassistant/bin/backup.sh &>/dev/null
_EOF
EOF
Credit
This blog took me a very (,very) long time to put together and test! If you like what you see and wish to copy and paste this HOWTO, please reference back to this blog post at the very least. Itβs really all I ask. Alternatively, I certainly won’t turn down a coffee if you wish to buy me one! π
The Home Assistant Official Community Forum: this is probably the best place to get an answer to any question you have about your setup and/or things you can do (including how to do it).
SSL Web Hosting has been made free by a number of providers such as Let’s Encrypt and ZeroSSL for years now. I wrote this blog because I truly believe web administrators and developers should leverage this if they aren’t already.
I’ve personally come across an amazing tool called Dehydrated which I used to leverage this. The best part about Dehydrated is that it even operates using the MIT license, meaning it’s also completely free to use!
Dehydrated Setup
An ideal SSL Web Hosting solution comes with the perfect tool to do all of the work for you…
Installation
#
# Make sure curl is installed:
#
# RedHat/CentOS v5,6, and 7 Users
sudo yum install -y curl
# RedHat/CentOS v8+ and Fedora Systems:
sudo dnf install -y curl
# Debian/Ubuntu Systems
sudo apt update && sudo apt get curl
# Download Dehydrated (as root)
curl https://raw.githubusercontent.com/dehydrated-io/dehydrated/master/dehydrated \
--output /usr/bin/dehydrated
# Set proper permissions
chmod 755 /usr/bin/dehydrated
# Make a wellknown directory for the acme-challenge strings
mkdir -p /var/www/dehydrated
# SELinux Proof it (for those that use it - and you should!)
semanage fcontext -a -t httpd_sys_content_t \
'/var/www/dehydrated/(/.*)?'
Initial Preparation
Next we need to just prepare some basic configuration needed by Dehydrated:
mkdir -p /etc/pki/dehydrated
pushd /etc/pki/dehydrated
# SSL Hosting Configuration; Identify your hosts
#
# Below shows how I set up nuxref.com; you will want to
# identify ALL of the SSL hostnames you plan on supporting
# here:
cat << _EOF > domains.txt
# nuxref Hosts; swap these with your own:
# syntax:
# domain sub1.domain sub2.domain subx.domain > output_file
nuxref.com www.nuxref.com repo.nuxref.com > nuxref_com
_EOF
# Create ourselves a config file:
cat << _EOF > config
# our wellknown directory
WELLKNOWN=/var/www/dehydrated
_EOF
# First time use only
/usr/bin/dehydrated --register --accept-terms
Nginx Configuration
You’ll want to create the the following parameter file that you can source in all of your domain configuration files:
The sourcing part is really easy now. You must add this entry in all of your configuration files that you’ve defined in your /etc/pki/dehydrated/domains.txt file (above).
# Place this in all of your NginX files in the server{} block(s):
include dehydrated_params;
You’ll want to make sure once you got all of the include statements in place, and that you reload NginX so that it can take on your new configuration:
sudo systemctl reload nginx
Generating our SSL Keys
We’re now at the part of the blog where we test to see if all of our setup (defined above) was correctly put into place.
# We must always run Dehydrated from within this directory
pushd /etc/pki/dehydrated
# Force an initial update
dehydrated -c
The above command will run against all of the domains you defined in /etc/pki/dehydrated/domains.txt and attempt to verify them (in order to generate an SSL key for you). If it fails, it’s most likely because of the following:
You’re not correctly hosting that domain on port 80 on this server we just set up together.
You have an error in your NginX configuration and/or you forgot to add an include dehydrated_params; within one of your domain configuration(s).
If everything went smoothly, you’ll now have new SSL keys you can add to your NginX configuration. This allows you to host your website secured now using your own set of registered SSL keys. You’re almost home free now! You need to dive back into NginX and prepare yourself a new server block of code that listens on port 443 with SSL turned on.
server {
# SSL
listen 443;
ssl on;
#
# your security setup and location entries here
# See https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
# for some ideas
# Don't forget to point to your newly generated SSL Keys:
# swap nuxref_com
ssl_certificate /etc/pki/dehydrated/certs/nuxref_com/cert.pem;
ssl_certificate_key /etc/pki/dehydrated/certs/nuxref_com/privkey.pem;
}
Set It and Forget It
Free SSL Web Hosting keys being free do however come with a catch: they don’t last long. They don’t expire in 2-3 years like a normal paid key would – these ones expire in 30 days in some cases. So it’s up to you to either remember to run dehydrated -c often, OR just automated it like so:
# next add a cronjob so it updates automatically
cat << _EOF > /etc/cron.d/dehydrated
# at 14:20 every day update SSL certificates
20 14 * * * root cd /etc/pki/dehydrated/ && dehydrated -c &>/dev/null && systemctl reload nginx &>/dev/null
_EOF
A Nagios blog I wrote which you can use the monitor your servers and notify you if your SSL key is getting close to expiry (should something prevent your cron from running).
Home security is important to all of us but why should we pay someone to monitor our home when we can do it ourselves (for free)? I mean, imagine if it were possible to just receive a text message on your phone when your alarm has been set off. Imagine if you could check to see if you armed the alarm this morning before you left for work. If you had forgotten, wouldn’t it offer you a peace of mind to be able to arm it from wherever you are?
Some great reasons why one would choose to monitor their home themselves:
Hundreds of Dollars in Yearly Savings: Think of how much money you invest in a 3rd party company that does nothing unless your alarm goes off. Even if you’re just paying $25 (before tax) a month for home security, we’re talking about a $300+ in yearly savings that you can pocket!
Faster Emergency Response Time: Consider the scenario where a thief has broken into your home and has begun loading up his van with all of your valuables.
Regardless of whether you’re paying for home monitoring or doing it yourself, the first thing that will happen is: Your alarm will sound within a 30+ seconds of the perpetrator’s entry; a very loud ear piercing siren I might add.
If you’re paying for a monitoring station service: They will call your home line to see if the threat is real or not (meanwhile your home is still being robbed). If they don’t receive an answer or get a busy signal, only then will they call the police. We’re easily a few minutes into the robbery before the authorities are even notified. The police will eventually arrive, they’ll file a report and you’re left to deal with insurance because the crime is long over and the criminals are long gone.
If you’re monitoring the home yourself: Well then your cell phone has already alerted you the second the alarm was set off. It’s a no brainer at this point, you can take action right then and there and call the police or 911 depending on if you’re home or not. You just immediately reduced the time the thief has to accomplish his crime in.
Remote Control: Ensure the alarm is armed at any time. Change the alarm keycode remotely or disarm it from a distance to let a construction worker in. You can even arm/disarm your alarm from the comfort of your bed via your tablet, laptop or cell phone.
This blog focuses on the amazing hard work of Alarm Decoder and their team. It specifically focuses on their AD2USB device which allows you to connect a virtual keypad to your existing alarm system.
It’s also worth noting that I specifically focus on the Honeywell Vista 15p/20p models because that’s what I have. But I’m sure you could use the content of this blog and the other supported alarm systems Alarm Decoders AD2USB supports and follow along.
The Goal
The goal of this blog is to share with you my success, but more importantly:
To show you how easy it is to tap into an existing (pre-wired) alarm system without paying for a monitoring service.
Receive SMS (text) messages, emails or other notification services when your alarm is ever set off.
To be able to control the (security) keypad in your house from anywhere and at anytime.
To provide you all of this in a cookie cutter solution that works out of the box. I spent several hours packaging everything into self installing RPMs residing on my repository.
This blog will assume you’re both familiar with and have access to either CentOS (or Red Hat) 6.x or 7.x.
I’ll also assume you don’t have much experience with alarm systems (as I certainly didn’t at the start). I’ll try to save you as much research as I can and provide everything to you here. As a result, this blog is probably a bit longer then it needs to be since I get wordy trying to explain it.
Prerequisites
There are a few things you’ll need to be able to pull this feat off:
An Ademco/Honeywell Vista 15p or 20p alarm system, but it doesn’t mean you can’t keep reading (just as long as your alarm panel is listed here as being supported).
If you don’t have an alarm system pre-wired in your home already, it might be worth spending the money to have one installed (sensors and keypad included). It will be the last cost you make since the monitoring will be free from that point forward. If you don’t intend do this, then the this blog won’t be of much use to you.
This blog assumes that the zones (sensors/alarms) are already pre-configured too. Thus, your sensors are all hooked up to the alarm system already.
Note: If you’re currently paying a 3rd party company to monitor your home, then you MUST cancel your contract with them before you proceed any further!
You’ll need full access to your Honeywell alarm system (usually in the basement) and at least one keypad (usually near the front entrance). Most alarm systems are (and should be) locked up in a small box accessible with a key. You will want this key because you’ll want to lock everything up when we’re done too!
You’ll need one NuTech AD2USB device which is what will bridge/connect your security system to your Linux Server. The AD2USB device effectively just becomes a second keypad attached to your alarm system.
At the time this blog was written, the NuTech AD2USB devices cost about $88USD ($119.99 CAN) ; a one time fee. The cost is well worth it since it’ll pay itself off in 2-4 months (if you compare it to the costs of a 3rd party home monitoring solution).
You’ll need one Linux server pre-configured with CentOS or Red Hat 6.x (or 7.x).
Enough wiring to get from the locked up alarm system to your Linux server. In my case, I am hooked up just below the panel, so I just needed about 4 feet. You can order this cable with your purchase;it’s only about .50 cents a foot (very inexpensive).
Wire strippers.
A small (1/4″) Philips screw driver.
A Mini-USB to USB cable (no longer then 10ft).
Alarm Installer Code
Before we can even look or use the NuTech AD2USB device, we need to first alert our current alarm system of it’s presence. To do this, you need to be able to re-program a tiny portion of the alarm system. Don’t worry, it’s not as complicated as it sounds! This step is done through the keypad already installed in your house (usually at one of your front entrance ways).
The installer code grants us unrestricted access to our entire alarm system (through it’s programming mode). The installer code is a 4 digit (numeric code) and won’t be the same one you’re used to keying in when activating/deactivate your alarm.
If you already know your installer code you can access the programming mode by keying in the following and skipping to the next section (substitute [ABCD] with the installer code): [ABCD] + [8] + [00]
If you don’t know what your installer code is then don’t worry, just keep reading…
Again, I can’t stress enough that you make sure you are ‘NOT’ still hooked up with an external monitoring service at this point because these next steps will disconnect them from your home (and could cause them to treat the situation as a crime in progress):
Unplug your alarm system’s main power by simply unplugging the transformer nearby from the wall.
Disconnect the battery backup from our alarm system. No need to unplug both terminals, just unplug one for the time being. We’ll be restoring the power back soon enough.
Note: At this point you’ve effectively powered off your alarm system completely.
To gain access to the programming mode and ‘take back’ the alarm system for your own, you need to just plug the transformer back in (leave the battery unplugged now).You now have 30 seconds to locate your alarm keypad and press and hold both the asterisks [*] and the hash button [#] down at the same time (for about ~1 to 2 seconds).
If the above step worked correctly for you, then you should see the value of 20 written on your keypad’s display. If not, then you’ll need to repeat all of the steps above again.
Note: If your battery backup for your alarm system is still unplugged, now would be a good time to just plug it back in (so we don’t forget about it later).
Keypad Configuration
This step requires you to be in-front of the same keypad described in the last section. More importantly, you must be in it’s programming mode. This means you either used your known installer key code or you booted the alarm up in such a away that granted you access to the programming mode (without a code). If you’re unsure what I’m talking about here, make sure to re-read the last section before proceeding!
Your alarm system is effectively organized as a series of registers (think of them as mailboxes organized by 2-3 digit addresses). Registers are basically a spot you can store and retrieve information from. You’ll always press the [*] followed by the register you want to modify (using it’s address), followed by the new value you want to store in it. Alternatively you can always press the hash [#] key followed by the register just to display it’s contents instead.
So with respect to the Mailbox analogy, programming our alarm system through our keypad works like so:
[*] + [mailbox] + [new value] Save content into a specific mailbox (by address) and then print it to the display.
[#] + [mailbox] Just print the content of the mailbox (by address) to the display.
Simple enough right?
Just to avoid any confusion, when I group numbers below as [20] and [1234], they can still be interpreted as pressing (sequentially / one after the other) [2] + [0] + [1] + [2] + [3] + [4]. It’s easier to group the actions separately for readability; this way you can think of it with respect to the mailbox/content analogy.
While in programming mode, execute the following commands:
Command
Details
[*]+ [20] + [ABCD]
Substitute ABCD with a 4 digit code you want to become the new programmer code. This is what you can use in the future to get into programming mode (without having to power off the entire system again).
[*]+ [41] + [*]
Remove the primary phone #’s of any external monitoring station that may or may not be hooked up. Even if this register is already empty; it doesn’t hurt to run this again just to ensure it really is empty. We don’t want our alarm system calling out to anyone.
[*]+ [42] + [*]
Remove the secondary phone #’s of any external monitoring station (if any is set). Again…even if this register is already empty; it doesn’t hurt to run this command again just to ensure it really is empty.. We don’t want our alarm system calling out to anyone.
[*] + [191] + [10]
Enabled keypad slot at Address 18; this is what the AD2USB device defaults to using. This default address should work for everyone.
[*] + [99]
Exit the installer mode returning the keypad to it’s regular state
We’re not done yet though, if this is you first time using your alarm system, it might be wise to set a new Master Code and clear all existing User Codes. In case you didn’t already know, there are actually 3 types of users that are associated with our alarm system:
The Installer: A key code that allows us to add/remove new keypads, acknowledge new sensors, configure zones, etc. In our case, our alarm system will only allows for 1 designated Installer Code.
The Master: A key code that allows us to to create/delete Users of the system. In our case, our alarm system only allows us to have 1 designated Master Code.
The User: Our alarm system allows us to program up to 31 of them (32 if you count the master). Residential owners will probably only need to set one user while a commercial business owner might set several for each of their employees. It will be our User Code that we’ll be using when interfacing with our alarm system 99% of the time. This blog will focus on just dealing with 1 main user.
So if you inherited this alarm, you may not know what was previously configured into it. You ideally should set a new Master Code (different then the Installer Code) and make sure there are no lingering User Codes active that we don’t know about. Note: The commands identified above are called outside of programming mode. They can be issued at any time as long as your alarm is not armed. If you’re still in programming mode, just type [*] + [99] to exit it.
Command
Details
[Installer Code] + [8] + [02] + [DEFG]
Substitute [DEFG] with your new 4 digit Master Code using the Installer Code we setup above.
[Master Code] + [8] + [03] + [WXYZ]
Substitute [WXYZ] with your new 4 digit User Code using the Master Code. This will become our main User account; the [03] identifies us as user #1. This is a code you’ll want to keep secret but can safely tell those whom you trust with access to and from your home.
[Master Code] + [8] + [04] + [#] + [0]
[Master Code] + [8] + [05] + [#] + [0]
[Master Code] + [8] + [06] + [#] + [0]
…
[Master Code] + [8] + [33] + [#] + [0]
Delete User #2 ([04]), #3 ([05]) and , #4 ([06]) in our alarm system (in case they exists). This step is entirely optional, but worth doing since you really don’t know how many users are actually set up from whomever had it before you.
If you’re really paranoid, you’ll iterate through all of the combinations identified here to cover of all 31 possible users where the last user (#31) is identified by [33]. In most cases your system will probably have just a few users (worst case) in it. Thus it’s probably safe to stop at [06] (user #4). I’ll let you use your own paranoia and discretion here as to how far you go.
You now have a security system and 3 Codes. The Installer and Master codes are useful to keep documented (but hidden) somewhere. The User Code will be the main code we use from now on; this code is safe to share with those you share your home with; obviously keep it safe from others.
Hook Up our NuTech AD2USB Device
First of all; let me point out to you that the Alarm Decoder’s Installation videos are a much better reference then anything I’ll identify in this section. I strongly encourage you to check the videos out (they’re only a few minutes) and get properly set up.
But in short, it really just boils down to connecting the AD2USB Device to our Home Alarm System and getting the wires correctly matched up and fastened tightly. From there you just connect the AD2USB device to your Linux Server via the mini-usb cable.
Your goal is to see the little green light blink; this is the devices internal heartbeat. It’s a good thing when this starts to flash on and off; if it isn’t, you’ll want to revisit your wiring!
Here is what my AD2USB device looked like after it was all hooked up. Obviously I can’t capture a pulsating green light in a single photo, so you’ll just to have to take my word for it that the light was blinking on and off. π
At the end of the day, the AD2USB device is nothing but ‘another’ alarm keypad in your house. As far as the Alarm System is concerned, there is no distinguishable difference at all. What makes the device so powerful is the fact that now we can interface with it using software from anywhere!
However, I’ve spent hours (sadly) making it possible for these tools to just work in both CentOS 6.x and 7.x via installable RPMs. I strongly encourage you to go this route for several reasons:
You won’t be required to compile anything.
I handle SELinux for you so you won’t have to to disable it!
I handle all of the initial (and complicated configuration) out of the box for you.
I handled all of the system dependencies for you.
It’s easier to provide safe upgrades and version control through RPMs. Relying on pypi (pip) instead will make it difficult to reproduce your working setup since the packages there change constantly (for better of for worse).
If you want the RPM approach, then keep reading…
Install Core Components
You must be connected to my repository for this to work:
# Assuming you're correctly hooked up to the nuxref repositories:
yum --enablerepo=nuxref --enablerepo=nuxref-shared \
alarmdecoder ser2sock \
alarmdecoder-webapp alarmdecoder-webapp-selinux
Note: the SElinux package has to interact with the kernel to enable 4 web ports Alarm Decoder (WebApp) uses. During this time, it will appear as though your installation froze and/or hung. Do not abort this task, it’s completely normal to take up to a minute or more to do this. If you’re not using SELinux then you don’t need this package.
Enable ser2sock; this will convert your AD2USB device (in /dev/) into a TCP/IP stream. This is much easier to work with (and debug)
# Enable ser2sock and start it
chkconfig ser2sock on
service ser2sock start
If your ser2sock doesn’t start, then you have a problem with your AD2USB configuration and/or hookup. Feel free to have a look at /etc/ser2sock/ser2sock.conf to see the configuration it’s using. Alternatively, the next section discusses some troubleshooting steps you can do.
Start up our Alarm Decoder Webapp
Even if you’re using systemd, these commands will work (it’ll call the proper command for you).
# Enable gunicorn (back-end webserver)
chkconfig ad2web on
service ad2web start
# Enable NginX (front-end web hosting and static file control)
chkconfig nginx on
service nginx start
# If it was already running, then:
service nginx reload
You’ll need to open ports 5080 and 5443 on your firewall. CentOS/Red Hat 6.x users should be able to apply something like this in their /etc/sysconfig/iptables file:
# add (something like) this to your /etc/sysconfig/iptables
#---------------------------------------------------------------
# Home Security Monitoring
#---------------------------------------------------------------
# 192.168.1.0/24 is the subnet of my local home network and eth0
# is the device it access.
-A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 5080 -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --dport 5443 -j ACCEPT
If you’re using CentOS 7.x, then you’ll need to use firewalld to accomplish the same task:
# Open the port in your home network
firewall-cmd --zone=home --add-port=5080/tcp --permanent
firewall-cmd --zone=home --add-port=5443/tcp --permanent
firewall-cmd --reload
I do not recommend opening the ports to the public (zone) network unless you strap on a bit of extra security such as fail2ban. This blog is already long enough, so I won’t discuss that here. Although, you can check out a blog I did on security that can get you started with fail2ban (6.x users).
It’s worth confirming at this point that everything is up and running too:
# This command just checks that we're properly listening on the
# ports we care about (with respect to Alarm Decoder):
netstat -nat | egrep LISTEN | egrep ':(10000|5(00[01]|080|443))'
5080: NginX non-encrypted hosting of the Alarm Decoder WeAapp.
5443: NginX secure hosting of the Alarm Decoder WeAapp.
10000: Ser2Sock (this is converting you’re AD2USB to a TCP/IP stream that the Alarm Decoder WebApp can read and display to you).
5000: This is forked from the gunicorn instance to handle all incoming requests from NginX
5001: This is the gunicorn application which helps with handling some of the backend tasks such as the detection of your AD2USB device.
You should be able to access the keypad website now; simply visit http://localhost:5080/ or it’s secure version https://localhost:5443/. If you’re configuring this on another server, we’ll then you’ll need to access the host/ip accordingly.
You can accept the defaults for everything, just keep pressing next.
When you’re all done with the setup and have created your administrative account, you’ll be able to sign in an access your new virtual keypad.
You can explore the software and take advantage of all of it’s features. You can setup a twilio account and have the Alarm Decoder WebApp send you a text message whenever an even occurs. You can have it email you, and/or use a variety of other messaging services too!
If the page still isn’t coming up, it might be because you have SELinux enabled. Unlike other bloggers, I will NOT tell you to disable it (although that’s an option). Instead I’d advise that you install the SELinux package I put together:
/etc/nginx/conf.d/alarmdecoder-webapp.conf: Here is your NginX configuration file. This is the front end of your keypad.
/etc/alarmdecoder-webapp/alembic.ini: This is another configuration file used by the website. It defines information such as the database type and location. By default, it’s just a simple sqlite database. But feel free to point it to a PostgreSQL or MySQL database too (see the sqlalchemy.url directive).
/etc/ser2sock/ser2sock.conf: This is ser2sock configuration file.
/etc/alarmdecoder-webapp/ad2web.conf.py: This is where your gunicorn configuration is defined.
/var/lib/alarmdecoder-webapp/instance/db.sqlite: Here is the database the website uses and interfaces with.
/var/lib/alarmdecoder-webapp/instance/logs/: Here are where you’re logs will appear from the webapp.
Troubleshooting
First make sure CentOS (or Red Hat) can see your NuTech AD2USB device properly.
# This ideally should return something like /dev/ttyUSB0
find /dev -mindepth 1 -maxdepth 1 -type c -name 'ttyUSB*'
# If you're using my RPM files, you'll also have another
# entry you can look for. The following should output
# something like /dev/alarm-XXXXXXXX where the X's represent
# the Serial # of your NuTech AD2USB
find /dev -mindepth 1 -maxdepth 1 -type l -name 'alarm-*'
If you can’t find your device, then:
Double check that the USB connections are firmly plugged in to both your PC and the AD2USB device.
You’ll want to see a pulsating green light on the AD2USB device signifying it’s getting power and running.
NuTech also make mention that the USB cable you use can not be longer then 10ft. Ideally the shorter the cable the better though (less noise/interference).
If your device does exist, then read on to the next step…
Ensure that the Honeywell Alarm System setup has been correctly configured to support a second keypad. This was discussed above in the Keypad Configuration section of the blog. Specifically you need to be in Programming Mode and enable keypad address 18 (done via the command: [*] + [191] + [10]).
You can verify that you’ve configured this correctly by accessing the Programming mode of your alarm keypad and typing: [#] + [191]. The device should output either a 10 or 0A (both are valid responses).
Make sure your NuTech AD2USB can properly communicate with your Alarm system.
I took extra care and time packaging everything, so I actually have another RPM you can install that may help you out:
# Assuming you're correctly hooked up to the nuxref repositories:
yum --enablerepo=nuxref alarmdecoder-cli
# These commands require you to be the superuser (root)
# or a user that is as a member of the 'alarm' group.
# Test your data feed (through ser2sock):
ad2-disp-sock
# Or test your block device directly:
ad2-disp-dev
Note: If ser2sock is running properly, you will not be able to test the block device (using ad2-disp-dev) until you stop it first. So don’t panic if the ad2-disp-sock works and ad2-disp-dev doesn’t!
You can adjust these test tools by editing /etc/ad2cli.conf (if the defaults
aren’t working for you).
If you can’t communicate properly, then you may need to recheck your wiring. Review the NuTech YouTube videos again if you need to.
If you still can’t communicate with your alarm system after confirming all of the suggestions above, then you may have a faulty device.
Don’t give up if you’re having problems. It’s worth searching the Alarm Decoder Forums for an answer. Post a question there too if you like. The Alarm Decoder team are a great bunch of people always willing to help.
What If
What if the thief cuts the power? In my case, my alarm system (yours should too) has a battery backup locked up tight with it. So it’ll keep monitoring in this situation no matter what. It wouldn’t hurt to connect both your server internet modem into a Uninterruptible Power Supply (UPS). These things are relatively cheap for what they offer. A UPS would certainly handle this situation.
What if the thief powers off the computer within the 30 second deactivation window?
Well, if they are this clever then yes, they cut you off from remote monitoring. But that’s all they do. Keep in mind that the 30 second deactivation timer is still counting down. It will reach zero… and when it does…
A properly installed alarm system will come with a siren (I know mine does) and they are quite loud and irritating! The siren will sound regardless of the NuTech Alarm Decoder, Internet or PC get shut off or unplugged. It might be a good idea to make sure your siren is installed in the attic where it is difficult to get to (and disable). Most people and installations place these devices in the basement. This is silly because a thief can just smash it or yank the wire from it to kill the sound. Either way, unless the thief knows your setup, he’s certainly playing with fire if he thinks silencing the siren will keep him safe.
Consider a backup plan; I mean what would the alarm company do if they could no longer suddenly monitor you’re home. They’d probably immediately attempt to contact you and then call the police. You could do the same. Call a neighbor, call a friend. The fact you even just have a heads up on the situation is more then the guy who doesn’t have any monitoring solution at all.
Another great tool you can use is Nagios; I wrote a blog on it a while ago. Pair that up with aNag (for Google Devices) or iNag (for Apple Devices), and you’ll be monitoring your ability to monitor. You can be notified immediately if your monitoring capabilities diminish.
On a side note, consider notifying your (trustworthy) neighbor(s) too of weeks you intend to be out of town, I’m sure they can alert authorities for you if they hear your house alarm going off.
Home Security Tips
Remember, since you’re doing the monitoring yourself, you need to be prepared for when or if a situation ever arises. There is no longer a remote monitoring station looking out for you. But remember that even they can fail to pull through, so the following information is useful regardless of what your monitoring situation is.
I am not a trained professional when it comes the safety and responsibilities (nor will I claim to be). But there are clear cut obvious things worth stating up front that you must always consider:
If you’re at home at night and the alarm goes off:
It’s our human nature to panic, but just don’t let the panic take over the situation.
Don’t ever second guess the potential danger of the situation!
Do not ever decide to be brave and investigate the situation unless you’re absolutely sure!!
Call 911 immediately. If the phone line is dead, then use a cell phone if you have one.
If you’re at work or on vacation and the alarm goes off:
Ask Yourself? Could it be your spouse? A Child? A Pet? Does the timing of this alarm jive with a notable time of day such as after school (maybe the kids got home)? Perhaps it’s around the time your spouse returns from work or other family member?
Can you contact a specific person in mind directly based on the time of day (with respect to the alarm going off)?
Remember though: if this truly is a robbery, then time is not on your side! The longer you wait, the more your home is exposed.
If you can’t be sure, then call the local police immediately!. If you fear someone else could be home during this time and at risk then call 911! Don’t think twice!
Make sure you have your local police contact information programmed in your cell phone. Alternatively, keep it on a sheet of paper in your wallet or purse.
If you have children, make sure they know what to do if they hear the alarm go off. If they have access to a phone, they should know how to call 911 during these kind of emergencies. Obviously their safety becomes your number one concern, so be sure to educate them to hide someplace close by. Having them leaving the room their in when the alarm is going off could put them in serious jeopardy depending on the situation.
Credit
This blog took me a very (,very) long time to put together and test! The repository hosting alone accommodates all my blog entries up to this date. If you like what you see and wish to copy and paste this HOWTO, please reference back to this blog post at the very least. Itβs really all I ask.
Special thanks to the Alarm Decoder team; their support made it possible for me to write this blog. In return I was able to make it easier for everyone else!