diff --git a/bundles/homeassistant/files/homeassistant.service b/bundles/homeassistant/files/homeassistant.service
index ece9e21..d97cec7 100644
--- a/bundles/homeassistant/files/homeassistant.service
+++ b/bundles/homeassistant/files/homeassistant.service
@@ -6,7 +6,7 @@ After=network-online.target
 Type=simple
 User=homeassistant
 WorkingDirectory=/var/opt/homeassistant
-ExecStart=/opt/homeassistant/bin/hass -c "/var/opt/homeassistant"
+ExecStart=/opt/homeassistant/venv/bin/hass -c "/var/opt/homeassistant"
 RestartForceExitStatus=100
 
 [Install]
diff --git a/bundles/homeassistant/items.py b/bundles/homeassistant/items.py
index d562859..f5f7a08 100644
--- a/bundles/homeassistant/items.py
+++ b/bundles/homeassistant/items.py
@@ -5,7 +5,9 @@ users = {
 }
 
 directories = {
-    '/opt/homeassistant': {},
+    '/opt/homeassistant': {
+        'owner': 'homeassistant',
+    },
     '/var/opt/homeassistant': {
         'owner': 'homeassistant',
     },
@@ -22,19 +24,11 @@ files = {
 
 actions = {
     'homeassistant_create_virtualenv': {
-        'command': '/usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv',
+        'command': 'sudo -u homeassistant /usr/bin/python3 -m virtualenv -p python3 /opt/homeassistant/venv/',
         'unless': 'test -d /opt/homeassistant/venv/',
-        'needed_by': {
-            'action:homeassistant_install',
-        },
-    },
-    'homeassistant_install': {
-        'triggered': True,
-        'command': ' && '.join([
-            'cd /opt/homeassistant/src',
-            f"/opt/homeassistant/venv/bin/pip install --upgrade homeassistant=={node.metadata.get('homeassistant/version')}",
-        ]) ,
         'needs': {
+            'directory:/opt/homeassistant',
+            'user:homeassistant',
             'pkg_apt:bluez',
             'pkg_apt:libffi-dev',
             'pkg_apt:libssl-dev',
@@ -47,12 +41,16 @@ actions = {
             'pkg_apt:libturbojpeg0-dev',
             'pkg_apt:tzdata',
         },
+    },
+    'homeassistant_install': {
+        'command': 'sudo -u homeassistant /opt/homeassistant/venv/bin/pip install homeassistant',
+        'unless': 'test -f /opt/homeassistant/venv/bin/hass',
+        'needs': {
+            'action:homeassistant_create_virtualenv',
+        },
         'triggers': {
             'svc_systemd:homeassistant:restart',
         },
-        'unless': {
-            "[[ $(/opt/homeassistant/venv/bin/pip freeze | grep homeassistant=={node.metadata.get('homeassistant/version')}) ]]",
-        },
     },
 }
 
diff --git a/bundles/homeassistant/metadata.py b/bundles/homeassistant/metadata.py
index 6c71656..508c274 100644
--- a/bundles/homeassistant/metadata.py
+++ b/bundles/homeassistant/metadata.py
@@ -1,3 +1,5 @@
+from bundlewrap.metadata import atomic
+
 defaults = {
     'apt': {
         'packages': {
@@ -62,3 +64,15 @@ def nginx(metadata):
             },
         },
     }
+
+@metadata_reactor.provides(
+    'firewall/port_rules/8123',
+)
+def firewall(metadata):
+    return {
+        'firewall': {
+            'port_rules': {
+                '8123': atomic(metadata.get('nginx/restrict-to', {'*'})),
+            },
+        },
+    }