
HA Green Setup

A pencil sketch on a dark background: a small green haus-automation appliance glowing on a shelf, faint lines reaching out to a lamp, a thermostat, and a speaker, a wise cat keeping watch from the corner, one warm amber accent on the appliance's status light

Sanctum is the brain. The Home Assistant Green is the hands. It is the little appliance that actually flips your lights, nudges the thermostat, fires a Sonos announcement when curfew lands, and gives screen-time enforcement somewhere to bite. Sanctum decides; the Green does.

It is a dedicated, sealed HAOS appliance — not a Raspberry Pi science project, not a Docker container you babysit. On 2026-06-28 it took over from the old Docker-on-Mini Home Assistant for exactly that reason: a control plane this load-bearing should not share a box with anything. Plug it in, and it just runs.

The Green appears on your haus network at homeassistant.local:8123 — or its LAN address, the canonical haus default being 10.0.0.3 (a fixed reservation, pinned next to the gateway and the Mini). It is deliberately locked down, and that is a feature:

  • No host SSH, no Samba. The front door is closed.
  • Sanctum talks to it with an owner token, not a password, kept at ~/.sanctum/secrets/ha-token.
  • The heavy operations (add-ons, backups) ride a WebSocket, and the admin pages open through a browser with that same token — the sealed-appliance way in.

You never have to know any of that. Sanctum’s ha-green-toolkit already does. It is also why the Green is hard to break: there is almost no surface to break.

  1. Plug it into the Orbi network. Power and ethernet into the mesh. It boots HAOS and grabs an address — give it a couple of minutes on first boot.

  2. Open it once. Browse to http://homeassistant.local:8123 and finish the Home Assistant owner setup: your account, your location, your name.

  3. Mint the owner token. In Home Assistant, go to your profile, then Security, then Long-Lived Access Tokens, and create one. Drop it at ~/.sanctum/secrets/ha-token (mode 600). That single token is the key Sanctum uses for everything.

  4. Confirm Sanctum sees it. hag-status.sh gives you the whole Green at a glance — health, add-ons, remote-access state, green-or-red.
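A pre-flight check for steps 3 and 4, added here as an example; it is not part of ha-green-toolkit. It confirms the token file is private, then (on request) asks the Home Assistant REST API root whether the token is accepted. The token path and URL come from the steps above; the function names and the `--live` switch are hypothetical, and `curl` is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check for the owner token from steps 3 and 4.
# Path and URL come from the page; function names and --live are hypothetical.
TOKEN_FILE="${TOKEN_FILE:-$HOME/.sanctum/secrets/ha-token}"
HA_URL="${HA_URL:-http://homeassistant.local:8123}"

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Succeed only if the file is a regular, non-empty, non-symlink file that
# grants nothing to group or other (600, or read-only 400).
check_token_file() {
  local f="$1" mode
  if [ -L "$f" ] || [ ! -f "$f" ]; then
    echo "not a regular file: $f" >&2; return 1
  fi
  [ -s "$f" ] || { echo "token file is empty: $f" >&2; return 1; }
  mode="$(file_mode "$f")" || return 1
  case "$mode" in
    600|400) return 0 ;;
    *) echo "mode $mode on $f, expected 600" >&2; return 1 ;;
  esac
}

# Print the HTTP status of GET /api/ with the token as a Bearer header.
# 200 = accepted, 401 = rejected, 000 = Green unreachable.
# The header goes to curl on stdin (-K -) so the token never shows up in argv.
check_token_api() {
  local token
  token="$(tr -d '\r\n' < "$TOKEN_FILE")"
  printf 'header = "Authorization: Bearer %s"\n' "$token" |
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 -K - "$HA_URL/api/"
}

# Network check runs only on request, so sourcing this file stays offline.
if [ "${1:-}" = "--live" ]; then
  check_token_file "$TOKEN_FILE" || exit 1
  echo "HTTP $(check_token_api)"
fi
```

Run it with `--live` from the Mini once the token is in place; a 401 means the token was mistyped or has been revoked in the Home Assistant profile.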

You want the lights from the cabin, not a port forward aimed at the whole internet. The Green joins your tailnet as its own node through the Tailscale add-on: tailnet-only, WireGuard-encrypted end to end, zero public exposure. The Jedi council picked Tailscale over a public tunnel four-to-one for precisely that reason.

# one-time, from the Mini
hag-remote.sh setup

It prints a login.tailscale.com URL. You authorize it with your own MFA-protected Tailscale account — that interactive login is the security root, and it is the one step nobody can do for you. After that, Home Assistant lives at http://homeassistant.<your-tailnet>.ts.net:8123, reachable from any device on your tailnet and absolutely nothing else. Plain HTTP is fine here: every byte already rides inside the WireGuard tunnel.

A Mini subnet-route to 10.0.0.3/32 is the recovery path if the add-on ever wedges. It takes a one-time console route-approval, then it is your back door in.

You mostly never touch it — that is the whole point. When you do, the toolkit is the systematic way in, the same one Sanctum uses:

| Command | What it does |
| --- | --- |
| hag-status.sh | Health and remote-access at a glance |
| hag-remote.sh status | Is the tailnet path up? |
| hag-addon.sh list | Add-ons, over the WebSocket Supervisor |
| hag-backup.sh create | Snapshot before you change anything |

The Green is the one piece of haus hardware that is allowed to be boring. Sanctum keeps the lights on; the Green is where “the lights” actually live.