Ucav's homelab blog

So I have really been itching to get into a yubikey based security system and home automation setup for a while now and I will be using this as a place for me to post my thoughts and notes for my reference as well as anyone else. Going to start the planning and resource collecting now and implementation will probably be in about 6-8 months. Please contribute with experience and ideas especially as the brainstorming part of this is so long.

Security System Goals:

Self Hosted (no google, Alexa, nest, subscriptions, etc) and FOSS as much as possible.

Use yubikey for primary access control.

Key code/USB Key/RFID cards for guest access

Notify home automation system who is home

Segmented physical access (guest privileges only allow access to main living space and entrances. My key would be the “master” for accessing my office, workshop, boiler room, etc.)

Reduce wireless devices to a minimum and all security appliances are hard wired.

Computers are secured using yubikey and encrypted disks.

Low power servers for security system (ARM or low power x86) that are on seperate LAN or VLAN to increase security and prevent them from calling home. (Will most likely be using a lot of Chinese cameras and card readers)

External cameras (Will be using @wendell Hikvison hacks)

Home Automation Goals:

Voice control (Ideally I would like to get close to or approximate something like Siri or Alexa but really if it could just play my spotify and look up google searches and repeat it back to me that would be great. + Controlling home automation devices.

Tablet or cell phone control

Each room has presence detection

Each room has microphones for voice commands

Each room has a speaker or sound system for playing media


Automatic watering for house plants

First i am focusing on the security system then the home automation stuff.

1 Like

After doing some digging on google I went down the AliExpress rabbit hole :hole: of security and access control devices. It was hard to find US companies that made similar devices that were through the roof on prices or would only sell if you were buying bulk.

There are tons of options for RFID/pin pad systems. My main concern or preference is that it would be TCP/IP so that the actual authentication would happen at the Security system server vs on device. Also, many of the “dumb” ones that are just readers use wigand signals which I do not think are compatible with the newer encryption methods but I need to double check that and do more reading. Would be nice to just use FIDO2 for everything including nfc.


Something like this would be great for the front door but idk if all the authentication happens on device or if you can have it fwd it to the server when someone enters a code or presents a yubikey. As cheap as they are I might just buy one and experiment.



1 Like

There’s this thing called Ada - in case you want to start deploying a bunch of pi zeros with microphones.
Start here: Almond & Ada: privacy-focused voice assistant - Home Assistant

Re door locks, esphome is probably the way to go on the account of infrastructure and programmability - you can lock/unlock via RFID/NFC/Bluetooth/pin pad/or mqtt , the trouble is finding a good electromechanical cylinder/actuator.

There’s also some locks here: zigbee2mqtt.io | 📘 Zigbee2mqtt documentation … I’m now curious, I’ve used zigbee2mqtt with great success so far, perhaps a combination esp32 for wireless capability that can send request via mqtt to a coordinator that would then in turn ask door lock - would be the way to go?

1 Like

Thanks for the links, I will check those out.

Any idea how Almond compares to MyCroft?

1 Like

After more research and self reflection I might be overthinking the tcp/ip authentication and using fido2. The biggest annoyance with these Chinese readers that are IP is that they use a Access Management software that I obv don’t trust. I just want something that will take the token/code that is input into the reader/keypad and send it to a server that actually has the user accounts with their individual token/code associations, then a signal is sent to the locks and security system to disarm. Wiegand 26 or varients of seems to be what all of these pin pads and RFID readers use to communicate to the ACS (Access Control System).

1 Like

Ok, this would solve my problem


1 Like

Just throwing this here:


1 Like

Current sketch of what I imagine it will look like when it is done.

~Edited diagram for clarity

1 Like

Closing thoughts for the evening:

Card reader/PIN pads wired to Security server with Wiegand-to-USB interface>Server ID’s whoever is asking to come inside>Server sends unlatch signal to door lock and alerts Home Assistant that the user has accessed the property. Home Assistant then performs tasks like turn on the lights, A/C, open the blinds, etc. Security server unlocks internal doors that are associated with user profile.

Honestly I am wondering if I even need a separate security server or if everything except Blue Iris can be done through Home Assistant. I need to dig into their literature more. Also, I am curious about presence detection methods. I am toying with the idea of just using cameras for presence detection in each room as they would then have dual functions and I would think that it would be more reliable than a simple motion sensor.

1 Like

So this guy is using RFID readers to play music but he is basically doing what I want to do. Building a database of RFID cards that are associated to music in his library and then sending a command to HA to play the music that is associated with the card. Just replace music with unlock the door and it is the same thing.

Edit: Found this

1 Like

These two maybe:

If home assistant was a spider, think of esphome as a spider web.

You get to deploy a single instance of home assistant in some nice and powerful cushy VM, but you need that VM to interface with hardware pins and sensors and stuff in various other places in your home.

ESPHome can’t do complex stuff like run neural networks for speech / picture / object recognition, or serve large multi megabyte UIs, or store years worth of timeseries … but can do simple wifi connected micro controller level of automation, and it has basic watchdogs and logging for reliability.
It’s based on FreeRTOS / Espressif SDK (not Linux/less complex) and mostly lets you do things with yaml configs that it translates into c++ that then get built into an image that can be updated OTA(wifi). If you want to do something really custom, it provides various hooks letting you write your own c++ either to interface with custom hardware or to talk custom network protocols.

It’s really easy to run these esp82xx / esp32 ; with esphome off of batteries / solar panels; depending on use case. For example, a motion/distance sensor can wake the RFID coil that can boot within milliseconds do it’s business, like get on wifi and talk to whatever, and then go back to single digit microamps deep sleep half a second later.

Look into getting some cheap esp32 boards and random sensors to play with, it’s loads of fun. Look at how people make doorbells and that kind of stuff with it.

Not sure about Mycroft vs Ada/Almond. I have home minis scattered around the house and have home assistant exposed to Google home / google assistant.

Ada/Almond are supposed to be more flexible and let you do non home related stuff, or stuff not supported in Google home models, but i haven’t tried them.


I started reading up on esphome this evening. I love it except that it is all WiFi and I would really like to keep the security stuff on a wired network. I will definitely use it for non-security automation stuff. It seems like a fantastic platform.

1 Like

So after thinking about the server for the security and HA stuff I think that I will do a AM4 platform in a rack mount case. Blue Iris requires Windows so I am trying to decide on ProxMox with with a Windows VM and a HA VM or do I just do Windows Server and run hyper-v vm’s? Ideally I would like this to be as low power as possible so if I could get away with an Athalon that would be great but idk how much horsepower Blue Iris needs. Would also have a couple of HDD’s for video recording.

1 Like

It’s a bit more expensive, there’s some boards that do ethernet and a couple of them can even do POE (even more expensive).


Shameless self-plug on my Wiki:

This is a work in progress for the IPv6 network stack (have to deal with some issues), but should give anyone interested a few indications on how to setup the network. Depending on one’s threat model, one can block all outgoing traffic coming from the UNTRUSTED network. I tried not to completely block the untrusted network’s access to the internet, as you may want things like software updates (port 80 and 443). Depending on what untrusted devices you get, you may want to block them completely, but that’s up to the individual. That is how my network is set up, because I don’t own IoT devices.

Any suggestion for improvements is welcome.

Also, I’m at a point where I don’t really trust most computers and I try to avoid home automation. I prefer to get up and press a light switch instead of using some wireless remote controls. Also a fan of wiring everything up, but I also tend towards minimalism (not a minimalist per se though).




1 Like

Have you considered that voice is easily spoofed, and what that can do to your security goals?

Do you have a solution for access control for voice that relies on a 2nd factor?

Cheesy codephrase might be easier than having ports for Yubis everywhere.

Have you considered the legal status of having this much information and (presumably) logging it?

You can be bitten by this as much as a home invader could be.


Voice will not interact with security system other than to set alarm (you can increase security posture but not decrease it via voice). I did have a thought about having microphones in the RFID readers and having to authenticate with yubikey before you give a security related voice command but haven’t had a lot of time to think it out. What information do you mean? Like camera footage?


I recall some jurisdictions won’t accept footage that contains sound as valid in courts (which is dumb), in some jurisdictions recording sound is completely illegal, which you can be fined for (which is even dumber) and in some jurisdictions you are allowed to record both, but separated streams (separated audio and separated video). Recording voice separated is your best bet if you want to.

  • Camera footage might be ordered turned over
  • Presence information might be ordered turned over
  • Audio (recording it without consent of all parties may be illegal in your jurisdiction as @Biky points out)

I’d give a local lawyer a call and see if they know whether local PDs are acting unethically with these sorts of things, too.