Introducing an open-source, auto-configured home automation system based on Home Assistant. The system sets up a robust, secure infrastructure in minutes, ensuring top-notch security and privacy.
It’s user-friendly, cost-effective (around $50), and offers out-of-the-box support for a broad range of IoT devices including ZigBee, Ethernet, Wi-Fi, and Bluetooth.
The project is available on GitHub: https://github.com/lucadibello/zerotrust-your-home
Wow that is a lot of reading, which means you did a lot of work researching, planning, testing and writing. Thank you for publishing this.
A cursory look seems like the software you are using could benefit from a more powerful machine. I know power is a concern for some, but for me it is irritating waiting around for things to load. A Dell Optiplex 7070 SFF i7-9700 @ 3.00GHz 16GB RAM 256GB SSD is only $56 on ebay and would be significantly faster than an orange pi. Thoughts?
Yes indeed. This project was part of my Bachelor thesis. I decided to publish part of it as open-source to simplify the life of other security and privacy enthusiasts.
If used correctly, this project brings corporate-grade security into your home without the need of extensive technical knowledge.
God I wish I lived wherever you did. That’s a £300 machine, here.
It’s a live listing still taking bids with 3 days to go.
https://www.ebay.com/itm/355204395401
You can get one for £200 delivered in the UK with identical specs so it’s a good deal cheaper than you think. That said it’s not as cheap as a US machine but they have a market of 5-6 times as many desktop machines.
You don’t have access to ebay?
I have bought three old Optiplexes, similarly equipped, each under $100.
They are great as dedicated servers.
Is it a hard requirement that it run it on a device that’s running armbian? If so, could it run on a device like the innovato Quadra rather than a raspberry pi like device? If not, could it just be run on any device that’s running a Debian based OS?
Does it have to use bind9? What if I prefer to use freeipa as my dns server?
It mentions that I don’t have to use aws s3 for the storage solution for backups, but I don’t see instructions on how to swap in a different solution in its place in the instructions.
What if I already have a fully running home assistant with zigbee and zwave devices with my own mqtt broker? Do I have switch to using the home assistant services that this device is running?
My project has been specifically developed and tested on Armbian, a community-maintained open-source Debian-based distro. Originally, I planned to include Raspbian, but due to time constraints from my Master’s studies, this has not yet been possible. The configuration script is designed for Debian-based systems and, while untested, should work on others.
For the DNS setup, you’re free to choose any system you’re comfortable with. If you opt for an alternative to my default setup, consider the following to maintain a high security level:
• Implement DNSSEC. • Utilize virtualization, like Docker, for isolation. • Ensure a robust configuration of iptables for firewall security. • Connect your container to the required Docker networks.
As for backups, my system primarily uses cloud storage, but local storage options are viable too. You’ll need to adjust the docker-compose file accordingly. I’ve included a link to the relevant official documentation in the README for guidance.
I do want to do this. And then I realized that in a fit of frustration with my home automation crap I turned off all the passwords on everything. So now my network is 100% open.
Impressive. It’s set up like a corporation would do it. Very much overkill for most folks, but still a wonderful writeup. Hopefully it doesn’t turn out to need an entire corporate team just to manage and support it.
What you’re doing here is essentially what I do in my setup, but I haven’t ever attempted to write any of it down or automate the configuration of it. The main differences are: I use two piholes with VRRP addresses as my primary DNS servers, and then IPA as the actual source of record for most of the internal zones. IPA also backs a keycloak cluster which in turn backs my Cloudflare Access config via SAML and thus functions as the SSO arbiter for the tunnels. Also, these days I don’t go nearly as far out of my way to put unnecessary monitoring or restrictions on things just for the sake of “hardening” because it’s just a pain in the ass on down the road unless you’re some high profile target. I get into enough of this stuff at work that I don’t care to deal with it in my personal life. Well-known defaults and best-practices are plenty safe for the average user. 
In general, great writeup. Hopefully it helps guide some of the less experienced folks into setting up something better than what they already have
I’d be curious to know more about your real world setup. I agree that some overkill may be necessary, but not for the majority of us that just want to stay behind closed doors, and at least open them when we see fit.
I’ve started down the path of securing and anonymizing my network a few months ago, but it’s tough finding a more well laid out plan.
Yes, this project might be a bit overkill if used in a home-setting, but the norm if employed in offices / any other workplace.
Thank you very much for your feedback!
Great Project! started installing with the documentation in the Getting Started Docs and ran into a issue with cloning.
root@uefi-x86:~# git clone git@github.com:lucadibello/iot-security-guidelines.git
Cloning into ‘iot-security-guidelines’…
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.Please make sure you have the correct access rights and the repository exists.
This seems very interesting. Though i’m afraid it might be above my capabilites managing it all.
open source
costs $50
hmmmm