  • Announcements regarding Cloudron

    220 Topics
    2k Posts
    girishG

    deSEC integration is now implemented.


  • Get help for your Cloudron

    3k Topics
    18k Posts
    osoboO

    @girish Sorry for the delayed response. My server is also hosted in Singapore (by Hostinger). I've noted a couple of seconds delay to open Cloudron's app store but it is definitively back. Thank you again for the support 🙂 !

  • Feedback, suggestions, anything else Cloudron related

    950 Topics
    8k Posts
    32463

    Here's my guide on how to run your local Cloudron from home or office through a public reverse proxy server on a VPS in the 'Cloud' through Tailscale. No port forwarding or network acrobatics are required!

    Prerequisites

      • VPS
          • You don't need much for this: 1 CPU, 1GB RAM and minimal disk space
          • Pay attention to the IP allocation and bandwidth allowed!
      • Locally hosted Cloudron VM (fresh install)
      • A domain name to use with the install
      • At least 100mbps uplink to the Internet

    Simple overview

    Diagram showing a basic overview of how this solution fits together

    Set up and configure the VPS Proxy Server

    Procure and configure the VPS in the 'Cloud'. I use Vultr.com and you can get a $100 credit for two weeks to test things out (affiliate link) or DigitalOcean.com for $200 for 60 days (affiliate link).

    I use Debian 12, but you can choose Ubuntu or something similar. Not tried it with RedH*t or Arch.

    Ideally, you should get a VPS with direct access to the internet and an IPv4 address. Watch out as some providers try to save costs, and IPv6 and network shenanigans are out of the scope of this tutorial.

    Install Docker: (ref. https://docs.docker.com/engine/install/debian/#install-using-the-convenience-script)

    curl -fsSL https://get.docker.com -o get-docker.sh && sudo sh get-docker.sh

    You may need to install docker-compose separately:

    sudo apt install docker-compose

    Pull Nginx Reverse Proxy (or your preferred reverse proxy with Let's Encrypt SSL). I use Docker Compose to keep things neat. You can find out more here: https://nginxproxymanager.com/setup/#running-the-app.

    Configure your firewall - I use the one at the provider - to only allow ports 80 and 443 to the public. Wall-off SSH (22) and the Nginx Proxy Manager's admin port (81) by only allowing access from your home/office IP(s) and/or Tailscale network.

    Install Tailscale and set it to accept routes (this is key):

    curl -fsSL https://tailscale.com/install.sh | sh

    Get Tailscale online and accept routes (important!):

    sudo tailscale up --accept-routes

    Make sure you have restarted and tested. You can see your node in the Tailscale control panel, and the routes have been enabled.

    Ready? Let's go local.

    Prepare the server for Cloudron

    Install a fresh VM (ideally) with Ubuntu 22.04 (boo!).

    Set your VM's IP to be fixed via DHCP or manually, as we don't want it to change again.

    Install your favourite tools, such as mc and qemu-guest-agent (if you're using Qemu/Proxmox), git, and curl.

    Ensure you install Tailscale on the server and run it with the option to expose its route using the local IP:

    sudo tailscale up --advertise-routes=192.168.X.X/32

    Log in to the Tailscale control panel and enable the route!

    Screenshot of the Tailscale control panel showing the route config dialog

    Log on to your VPS and ping the VM's local IP to ensure our proxy can access the server.

    ping 192.168.X.X

    All good? If not, return a few steps and make sure your routes are exposed and accepted.

    On your DNS for the domain you want to use, create two A Records, one for the root domain and one wildcard, both pointing to the VPS IP address.

    On the VPS, login to Nginx Proxy Manager (http://<IP of VPS>:81) and create a wildcard SSL certificate for the domain (*.example.com).

    Create a new reverse proxy entry using both the root and wild card, pointing at https://<local IP of your VM>:443.

    Install and configure Cloudron

    Head over to the local VM and install Cloudron (finally).

    wget https://cloudron.io/cloudron-setup && chmod +x ./cloudron-setup && sudo ./cloudron-setup

    Once installed, reboot and log on to the configuration wizard (https://<local IP>/).

    Now come the critical bits, which took me some trial and error. Be sure to snapshot the VM before you continue to avoid reinstalling everything in case you make a mistake!

      • Domain: your root domain (e.g. example.com)
      • DNS Provider: whatever you are using or set it to manual and tweak it later
      • Zone Name: leave it as it is (should show your root domain)
      • Certificate Provider: set this to 'Self-signed/Custom' and upload the certs provided by the Nginx Proxy Manager from earlier. They'll download in a ZIP archive. You will need: fullchain1.pem and privkey.pem respectively ref. https://docs.cloudron.io/certificates/#custom-certificates
      • IP Configuration: select 'Static IP Address'
      • IP Address: enter the public IPv4 address of your VPS (not the local one of the VM)

    Example of Cloudron install screen

    If you are sure you have taken a backup/snapshot of your VM at this point, be braver and hit the 'Next' button.

    It will take a while to check itself and present you with the Cloudron account set-up screen. If not, watch for errors in the log file (the path is shown on the screen).

    If all goes well, browse my.<your domain>.<tld> and log in. If not, restore to the snapshot and try again. Feel free to post your comments and questions below, and I'll do my best to help.

    Finalise the set-up

    Once logged on, head to settings and set up the backups. I use a local Samba share from my NAS and rsync (no encryption as the volume is already encrypted). This should make for fast, local backups. I just entered my local NAS IP address (e.g. 192.168.x.x) and login details. Remember that while Cloudron is served from behind the proxy on the VPS, the actual Cloudron server is on your local network and you can point it to local services 😉

    You can also set up other volumes on your NAS for photos or other stuff.

    Check the email set-up for our primary domain is working; it is probably showing some red marks if you chose manual DNS set-up. In this case, head to your DNS and create the missing records shown in the error messages.

    The reverse DNS entry (PTR record) will fail unless you change it on your VPS provider's DNS (where available). While you can host multiple Cloudrons behind the same Nginx Proxy Manager and IP, if you care about performance and email deliverability, I recommend a separate VPS and IPv4 for each or ignore the error and use an external bulk SMTP service like SMTP2GO or Mailgun.

    Fin

    Ensure everything you need is green, and double-check the error logs for messages. Once you are happy, install an app and enjoy your new Cloudron 🐡

    Up next

    The next part of this guide will focus on using Tailscale to access the Cloudron service locally without going out of the network and back in again. One of the strengths of Tailscale (and similar services) is that it can connect services directly for lower latency and increased performance.

    Let me know what else you would like to see. I post this primarily as a note to myself and share it hoping you found it helpful.

    Please note

    Let me know your questions or comments on how I accomplished this, and note that I am not affiliated with any of the service providers, Cloudron, or companies mentioned unless stated otherwise.

    The help I provide on this forum is free and constitutes my opinion, not that of my employer. Professional services are available via the link in my signature - I cannot provide any paid support in this forum. No warranties are provided or implied.

    Document version control

    2024-04-27 - v.1.0 - Initial version
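
The guide above relies on the provider firewall to keep SSH (22) and the Nginx Proxy Manager admin port (81) off the public Internet. As an added example (not part of the original post), this script lists every TCP listener on the VPS that is bound to a non-loopback address and is not 80 or 443, so you can see exactly what that firewall rule is protecting. The function names and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list TCP listeners on the VPS
# that are reachable on a non-loopback address and are not ports 80 or 443.

# Constructed sample of `ss -tlnH` output for a VPS running Nginx Proxy
# Manager in Docker plus sshd; addresses and the 3000 listener are made up.
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 4096 0.0.0.0:80       0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443      0.0.0.0:*
LISTEN 0 4096 0.0.0.0:81       0.0.0.0:*
LISTEN 0 128  0.0.0.0:22       0.0.0.0:*
LISTEN 0 128  [::]:22          [::]:*
LISTEN 0 4096 127.0.0.1:3000   0.0.0.0:*
EOF
}

# Reads `ss -tlnH` lines on stdin, prints "PORT ADDRESS" for every listener
# that only the firewall keeps away from the public.
audit_listeners() {
    awk '
    {
        local_addr = $4                      # e.g. 0.0.0.0:81 or [::]:22
        n = split(local_addr, parts, ":")
        port = parts[n]                      # text after the last colon
        addr = substr(local_addr, 1, length(local_addr) - length(port) - 1)
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        if (port == 80 || port == 443) next            # meant to be public
        print port, addr
    }' | LC_ALL=C sort -k1,1n -k2,2 -u
}

# Demo on the constructed sample; on a real VPS run: ss -tlnH | audit_listeners
sample_ss_output | audit_listeners
```

Anything this prints should be either covered by a firewall rule limiting it to your home/office IP(s) or Tailscale network, or rebound to a loopback or Tailscale address.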
  • New ideas, Feature Requests

    650 Topics
    5k Posts
    girishG

    @jrl-abstract27 Dup of https://forum.cloudron.io/topic/11559/possibility-to-add-app-notes-for-admins-operators-users/ .

    We have already implemented this for next release. Feel free to comment in the other thread, please.

  • Apps

    Questions about apps in the App Store

    N8N
    WBO
  • Propose and vote for apps to be packaged

    1k Topics
    13k Posts
    JOduMonTJ

    their docker-compose.yml
    seems heavy on configuration

  • App package development & help

    225 Topics
    2k Posts
    L

    From Arya:

    "Multi-stage Docker files are a way to build Docker images in multiple stages, allowing you to create a more efficient and optimized final image. This is useful because it allows you to separate the build environment from the final runtime environment, removing unnecessary dependencies and reducing image size. This leads to faster build times, less vulnerability to security issues, and easier deployment of the final image."

  • Anything else not related to Cloudron

    254 Topics
    2k Posts
    scookeS

    @jdaviescoates I'm just using the terms that were in the post. "A single Bitcoin transaction...", "iPhone ... process more transactions". Both transactions are on the blockchain. Perhaps the first statement was trying to say something more like "ALL the computers connected to the blockchain when a transaction occurs use more energy than...". The first statement sounds like an exaggeration and frankly won't sway most away from using Bitcoin (well, any phrase always has the potential to sway some number of people any which way). It wouldn't be accurate to say that ALL computers connected to the blockchain are essential for any given transaction to process, but that is what is implied. It isn't true. It certainly is fine and good for people to make others aware that there are costs associated with Bitcoin, but I'd avoid fearmongering.

    I thought I'd brush up my info before posting, and read https://river.com/learn/how-does-a-bitcoin-transaction-work/. So, yeah, I can't confirm how much energy a given mining NODE uses to mine a specific order, but it still looks to me like fearmongering when the costs are talked about, generally.