Skip to content

NitorCreations/ha-nitor-backend

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
.github/workflows
.github/workflows
 
 
nitor_auth_proxy
nitor_auth_proxy
 
 
README.md
README.md
 
 
repository.yaml
repository.yaml
 
 

Repository files navigation

Nitor Home Assistant Add-ons

Public Home Assistant add-on repository for Nitor-maintained add-ons.

Add this repository to Home Assistant

  1. Open Settings -> Add-ons -> Add-on Store.
  2. Open the three-dot menu and choose Repositories.
  3. Add:
    • https://github.com/NitorCreations/ha-nitor-backend

Included add-ons

  • nitor_auth_proxy - Java authentication proxy with Entra auth, group gating, and header forwarding for Home Assistant.

Security model

  • Runtime secrets only (add-on options), no secrets in git.
  • Cookie secret persisted in add-on /data and generated on first start.
  • TLS cert and key read from Home Assistant /ssl using certfile and keyfile options.

Home Assistant configuration

After installing and starting nitor_auth_proxy, configure Home Assistant to trust only this proxy path.

  1. Enable reverse proxy support in configuration.yaml:
http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.30.33.0/24

Adjust trusted_proxies to the actual source network/address that reaches Home Assistant from the add-on. Keep this narrow.

  1. Configure header-based auth provider in Home Assistant to use x-ha-user as username.

    • Install your header-auth integration (for example hass-auth-header) and set:
      • username header: x-ha-user
    • Keep Home Assistant admin users explicit and controlled.

  2. Keep network bypass closed.

    • Block direct external access to Home Assistant 8123 at Proxmox/firewall level.
    • Allow users in through the proxy endpoint only.

  3. Ensure proxy policy matches your access model.

    • Group gate with allowed_groups_regex.
    • Confirm forwarded headers include:
      • x-ha-user
      • x-ha-groups
      • optional x-ha-id

Verification checklist

  • User can log in through proxy and is mapped to a unique HA user.
  • Unauthorized groups are denied before reaching Home Assistant.
  • Direct 8123 access from normal clients is blocked.

Release and image publishing

Docker image publishing is release-driven.

  1. Bump add-on version in nitor_auth_proxy/config.yaml (for example 0.2.0).
  2. Commit and push to main.
  3. Create a GitHub release with tag vX.Y.Z that matches add-on version exactly.
  4. Workflow Build and Publish Add-on Image publishes:
    • docker.io/nitor/ha-nitor-backend:X.Y.Z
    • docker.io/nitor/ha-nitor-backend:latest (non-prerelease releases)

If release tag and add-on version do not match, publishing fails by design.

About

No description, website, or topics provided.

Resources

Readme
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 9

v0.1.7 Increase websocket limits Latest
Feb 28, 2026
+ 8 releases

Packages

 
 
 

Contributors

Languages