Suggestions for a more secure Domoticz installation

[PetervandePol]

Hi,

Like many I have installed Domotics on a raspberry pi/raspbian and just followed the default installation procedure. With succes: everything is working. Now that I have a working environment I am worried about using Domoticz from "outside": it would be great to see if the kids are home, if all windows are indeed closed, that the lights are on / off etc. but I do not want others access to this data: very handy for burglars for instance.

I also plan to set up a alarm system.

This means that the installation needs to be tough enough to be connected to the open internet (with ssl/portforwarding etc.)

I have a few worries here:

1) Domoticz is by default running as user "pi" (or the user who installed the system) this user has way too much rights I think: is usually a member of the sudo group etc. Why not install Domoticz as a user domoticz with a group domoticz?
2) A computer directly connected to the Internet should be hardened more than a system on a private LAN. I am thinking about firewalling, Intrusion dection and that sort of thing.
3) I mistrust the raspberry's performance and especially the SD card which is (IMHO) a recipe for failure in the long run. I am considering bying a cheap micro pc (like this one: https://bit.ly/2swecFy) to run the system on.
4) If I would be truly paranoid I would install the OS on multiple partitions and make some read only (the grand majority) and a writable partition(s) for e.g. /var/log/* /home/*, the Domoticz database etc.
5) Why is installing Domotics in /home/pi (or for that matter /home/$user) recommended? I have installed domotics in /opt to keep things separated and to make sure I do not do something stupid when cleaning out my home dir...
6) directory/file rights/ownership: everyting in /opt/domoticz (my location) has owner/group pi:pi with rights 755 This is way too much I think. Almost everyting can be 444 or 644 I guess...

etc. etc. As you can see I have many questions/ideas and I am looking forward to your reactions!

[ben53252642]

Setup an OpenVPN server, install the OpenVPN app on your phone and use that to access Domoticz on your home network.

[PetervandePol]

Setup an OpenVPN server, install the OpenVPN app on your phone and use that to access Domoticz on your home network.

Excellent suggestion. I saw you suggested https://en.wikipedia.org/wiki/Btrfs when installing on a (mini) pc Why not use this on the raspberry's as well?

[ben53252642]

You can and I personally do use BTRFS in all my Raspberry Pi projects.

It requires work to get a Pi running on BTRFS though as the Raspbian developers for some reason have refused to implement BTRFS support despite many people requesting it. Search for a guide, there are many available.

My experience is that my BTRFS Pi's are much more resilient against file corruption. That said these days I think buying a NUC and using a SSD is by far the better way to go.

[ben53252642]

Actually if I recall Berryboot supports easily setting up the BTRFS file system.

If you are absolutely going to use a Pi and want BTRFS, do the setup using Berryboot.

https://www.berryterminal.com/doku.php/berryboot

[PetervandePol]

Actually if I recall Berryboot supports easily setting up the BTRFS file system.

If you are absolutely going to use a Pi and want BTRFS, do the setup using Berryboot.

https://www.berryterminal.com/doku.php/berryboot

Thank you, Ben. I am actually going to move to a mini PC with 4GB and a SSD, see my initial post. Should make things easier, faster and more reliable. I read the SuSe is using BTRFS on their server; might be interesting to have a look at that; I used a lot of SuSE versions in the '90ies

[ben53252642]

I am actually going to move to a mini PC with 4GB and a SSD

Good idea. Almost every major distro except Raspbian obviously supports BTRFS I'd suggest picking an os that's either Debian or Debian based, eg Ubuntu.

I am sure you could get Domoticz up and running on Suse but just be aware I don't know of anyone else running Domoticz on that OS.