Home Assistant setup

Ive been playing with Home Assitant for a while now on a variety of platforms:

  • kubernetes - too complicated and pointless (only one node has Zigbee anyway)
  • Docker - too read only (upgrades dont work, plugins dont work)
  • Raspberry Pi - no power points left and too big to share with OctoPrint

After careful considation, the best way to run Home Assistant in my opinion is to run HAOS on a VM.

VM Setup

Proxmox is one way to do this but I’ll use KVM since I only have very basic VM requirements and dont need clustering.

Its been a while since I’ve needed to do much with KVM/libvirt so here’s a recap on host setup:

  1. Setup host with debian 12 + bridged networking
  2. Fix any IP allocation on router to use new MAC address
  3. Turn off netfilter for bridge devices (part II)
  4. Install libvirt and KVM

Now you can install the VM:

  1. From download the qcow image
  2. Setup the VM with virt-install, eg:
virt-install \
	--name hass \
	--description "Home Assistant OS" \
	--os-variant=generic \
	--ram=2048 \
	--vcpus=2 \
	--disk /data/vms/haos_ova.qcow2,bus=sata \
	--import \
	--graphics none \
	--boot uefi \
	--hostdev 001.002 \
    --network bridge=br0

In this case, hostdev has been used to attach a Zigbee USB dongle. The device ID can be found with lsusb. If you dont have a dongle, leave this setting off.

VM adjustments

To alter/start/stop the VM, use the virsh command, eg virsh edit hass

VM Console

To access VM console, virsh console hass, then enter username root and hit return for no password. This shell is very limited and only allows management of HAOS itself, its not a regular prompt. SSH is disabled and gives the same access.

Accessing home assistant

Find the IP address/hostname of the VM and head to https://THEIPORHOSTNAME:8123 and you should get the setup screen.

Self signed TLS and normal HTTPS port

You need a working home assistant to setup HTTPS access. I like to also use port 443 instead of 8123 so that I dont need to remember the port number.

The easiest way to set this up is to create your CSR and then sign it with your personal CA, eg:

openssl req -new -newkey rsa:2048 -nodes -keyout privkey.pem -out csr.pem
openssl x509 -req -CA ~/ca/ca.pem -CAkey ~/ca/ca-key.pem -in csr.pem -out fullchain.pem -days 3650 -CAcreateserial

We need to copy fullchain.pem and privkey.pem to home assistant. I found this very easy to do by installing the “Studio Code Server” (vscode) add-in. Then I could use the built-in terminal to create files and just copy-past the pem file text from my workstation.

After pasting the files, I adjusted the port and added the path to the pem files by editing the http section in /config/configuration.yaml:

  server_port: 443
  ssl_certificate: /config/ssl/fullchain.pem
  ssl_key: /config/ssl/privkey.pem
  ip_ban_enabled: true
  login_attempts_threshold: 10

Android app access

Self-signed TLS certificates do not play nice with Android apps for obvious reasons. I found the easiest way to get the app working was to setup Nabu Casa. This has the disadvantages of costing money and requiring working internet access but supports the project and is easy to setup.


I want Home Assistant to be able to play sounds when it does something like order me a beer.

KVM Device pass-through

This was a difficult to get working. I forget the exact steps but it was some combination of :

  • PipeWire in PulseAudio mode
  • loginctl enable-linger $USER to make the user-level systemd pipewire service start on boot
  • Apparmor extra permission in /etc/apparmor.d/abstractions/libvirt-qemu: /run/user/64055/pulse/native rw

This then had to be plugged into KVM XML definition with vish edit hass:

    <sound model='ich9'>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
    <audio id='1' type='pulseaudio' serverName='unix:/run/user/64055/pulse/native'/>

Basically this means the PulseAudio compatibilty layer from PipeWire appears in KMV as a sound device. This has its own problems:

  • Almost zero support for playing sounds from inside Home Assistant
  • Even once sound is working, theres no easy way to send sounds to the device from Home Assistant scripts
  • Terrible, crackly sound quality

At this point I gave up this approach


By far the easiest way to get audio output from Home Assistant is just to setup a DNLA server somewhere and just send it audio over the network.

One way to do this is just to buy a DNLA enabled speaker, Sonos, etc somewhere on the network. This worked really well in my testing.

To save buying yet more hardware, I used ReadyMedia (formerly minidnla) to start a DNLA server on the KVM host and it worked great.


If you want Audio out of Home Assistant, send audio to a DNLA device somewhere and make your life easy

Good luck!

Post comment