Back to blog
FILE 0x37·EDITING HOME ASSISTANT OS CONFIG WITHOUT THE SSH ADD-ON

Editing Home Assistant OS config without the SSH add-on

May 9, 2026 · homelab, homeassistant, proxmox

I deployed Home Assistant OS as a VM on Proxmox so I could try a Wi-Fi smart lock. HA proxied through nginx returned HTTP 400 on every request. The fix required editing configuration.yaml. HAOS doesn't expose SSH by default, and I didn't want to install the SSH add-on just for one edit.

What was happening

Behind the nginx proxy, every HA request returned 400. From the LAN directly, HA worked fine. The problem was that HA's HTTP component, by default, refuses to honor X-Forwarded-For from arbitrary sources. The proxy was rewriting the client IP, HA saw a mismatch, and bailed with a 400.

The fix is a three-line addition to configuration.yaml:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - <proxy-ip>

But applying that fix is the interesting part. HAOS is a locked-down appliance OS. No apt, no shell over SSH unless you install the add-on, no easy way to mount the config volume from the supervisor.

What I found

You can edit the config file offline by mounting the VM's disk on the Proxmox host. The HAOS root disk is an LVM logical volume with a GPT partition table. Partition 8 (hassos-data, ext4) contains /supervisor/homeassistant/configuration.yaml. Mount it, edit, unmount, boot.

The fix

On the Proxmox host:

# Stop the VM
qm shutdown <vmid> --timeout 60

# Map the partitions inside the LVM volume
apt install -y kpartx     # if not already installed
kpartx -av /dev/<vg>/vm-<vmid>-disk-1

# Mount the data partition
mkdir -p /mnt/hadata
mount /dev/mapper/<vg>-vm--<vmid>--disk--1p8 /mnt/hadata

# Edit
vim /mnt/hadata/supervisor/homeassistant/configuration.yaml

# Clean up and boot
sync
umount /mnt/hadata
kpartx -dv /dev/<vg>/vm-<vmid>-disk-1
rmdir /mnt/hadata
qm start <vmid>

Total HA downtime is about 30 seconds. Works on a stock HAOS install with no add-ons.

The actual config change to fix the 400:

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - <proxy-ip>

After boot, HA accepts proxied requests and the dashboard loads through the public URL.

What I'd do differently

For a one-time edit, the offline-mount approach is the right tool. For ongoing config tweaks, the SSH add-on is worth installing — it's official, it sticks around across HA updates, and it doesn't require shutting the VM down. The lesson is "match the tool to the cadence." Shutdown-mount-edit is great when you need to do something once and don't want to install anything. It's a terrible workflow if you're tuning configs over an afternoon.