You make some good points, I’ve said a few times now that I mistook Home Assistant add-ons as traditional Docker containers (which I’ve learned the hard way is flat out wrong, you know what they say about assumptions).
First subdomain. I think HA is completely right that proxy with a subpath is basically an anti-pattern that just makes things worse for you and is always a bad idea (with very few exceptions).
I don’t agree with the comment replying about how developers are lazy. That being said, I also wouldn’t call a subpath an anti-pattern, it’s not uncommon and I wouldn’t say that it is always a bad idea (they have some pros and cons on subdomains and it’s what my setup calls for).
As for your tunnel I don’t know how you’ve set it up and I haven’t used tailscale but them only allowing one domain sounds like a very arbitrary limit, is it something that costs money to add? I use NetBird which I selfhost on my VPS and from there tunnel into my much beefier home setup.
There’s an open feature request for subdomains, but it hasn’t really gone anywhere. I’m assuming that it must be how they handle SSL certificates.
As for authentication there are 10k plus contributors to Home Assistant yearly but very few bother to make authentication more streamlined. I would’ve loved OpenID/OAuth2 support natively but there are ways to do so with custom components and in the end I quite strongly feel that if the end-users of your smarthome setup (i.e. the wife and kids) need to login to Home Assistant then you’ve probably got more work to do. Remote controls which interact with HA handle the vast majority of manual interaction and I’ve dabbled with self-hosted voice interfaces for the more complex operations.
Yeah, I’ve seen the idea that Home Assistant shouldn’t be the part you interact with several times, but I don’t really know of any better things to handle this. None of us really love voice controls and I’ve toyed around with Google Home (but I think it’s absolute garbage and self-host to get away from companies like Google).
I just suspect you’re making things harder for yourself and maybe have a strange idea around how to selfhost in general?
Not my ideas that are strange, I’d love to have a traditional setup. I’ve mentioned it a few times in other replies, I just don’t want to be the “just look at my other replies” person, so here’s whats going on: Starlink is my ISP (CGNAT; I can’t port-forward), Tailscale is now my only way of accessing things off of my LAN (I didn’t mind Cloudflare Tunnels, but Cloudflare scares me and Jellyfin is a pretty important thing and supposedly if you want to stream video you’re not allowed/supposed to use Tunnels), my only device is an RPi4 (I’ve tried other devices, but I really love the simplicity of the Pi – and also don’t have many other devices that would work that good for self-hosting).
Again, I’d love to have a “normal” ISP (we live in the middle of no where) that lets me port-forward and is nice and something other than a Pi to host on, but this is what I’m stuck with.
Sorry if this came across as writing you on the nose, that’s not my intention.
It’s all good I get where you’re coming from, and I’m sure you understand what’s going on for me.
I largely agree with this, but (and this might be me being a little paranoid) I don’t really trust anyone to handle my data like that. I self-host as much as possible to get away from things beyond my control, I understand that this is an extremist view of things, but the only reason why I use Tailscale Funnel is because the family would either not know how to, or not want, to deal with a VPN like that.