One-time purchase is a really bad idea and makes no sense at all .... unless the one-time purchase gets you a one-time version, e.g. version 8.5.0 and you then stick with that, no upgrades (ok, well maybe one year). There are some precedents in financial markets, taking into account present and future value of money, for a fat payment to be made up-front for continuing lifetime service. But generally it's a silly idea to expect to get lifetime continuing service (current version, plus free future versions) for a single fee, unless the multiple is significant, 10x or 20x. I think the Cloudron team have got enough to do without being distracted by this kind of suggestion.

@girish nice, happy to hear!

@james I'm TERRIBLE at writeups, but I'll summarize it and maybe we can write something better together if you think it's interesting enough: So I have a cloudron machine with a public IP, vanilla setup. I also have a raspberry pi in my home network running a few services, and an external VPS. I use a "hub-and-spoke" wireguard architecture, which is pretty common and straightforward as well. It is set up like so: VPS has a public IP I installed and set up wireguard in it. Let's say it uses interface wg0, and its wg IP address is 10.0.0.1, network 10.0.0.0/24 I had to set a few things to enable packet forwarding on the VPS so it would act as a "router" between my raspberry pi and other devices, but its pretty straightforward stuff I installed and set up wireguard in my raspberry pi, interface wg0, IP address 10.0.0.2; added the VPS added as a peer with its public key, allowed-ips 10.0.0.1/24, and the endpoint is its public IP and the port I had wireguard listen on So now when I turn on wireguard on both VPS and pi, I can ping 10.0.0.1 from the pi, and I can ping 10.0.0.2 from the VPS. This is the simple hub-and-spoke setup, with the VPS acting as the hub (because it has a public IP address) and the raspberry pi and other devices (say my laptop or phone) are the "spokes". So now for the cloudron part: installed wireguard on my cloudron machine and set it up as a peer to the wireguard network, same as I did on the pi. Added the VPS as the only peer, and on the VPS added one more peer which was the cloudron server. Say its IP is 10.0.0.100 I can now ping 10.0.0.1 (vps) and 10.0.0.2 (pi) from the cloudron server, and I can also ping these IPs FROM ANY CLOUDRON APP as well! I had a service running on the raspberry pi on port 8080, so I installed a new app proxy on the cloudron from the app store, and the upstream address was http://10.0.0.2:8080, and it all worked. Now, I COULD get rid of the VPS and use only cloudron, boith as the wireguard "hub" and reverse proxy. That would be great because it's one less machine I have to pay for and maintain (the VPS), and I would benefit from user management and stuff. Cloudron explicitly says it needs to be the sole service installed on the machine, though (which makes sense, not complaining), so I haven't done this yet. Not sure this is a good enough description, but I'm here to answer any questions if needed.

@Neiluj sometime soon but yeah, I don't have a timeline yet . Also, a note about your initial post, if you mark users as inactive in Cloudron A, they won't sync to Cloudron B. Of course, they can't login to Cloudron A either.

@andreasdueren A workaround is to set 0.0.0.0/1 128.0.0.0/1 in the allow list . This allows the full internet. But maybe a geo block is better - https://www.ipdeny.com/ipblocks/

Looks good! Is this something that needs to be integrated to Cloudron itself, or as a separate app?

@james Perfect, thank you!

Yeah, that makes sense. having a warning pop up before deleting an address that’s part of a mailing list would save a lot of confusion. even just a simple check and confirmation message would do the trick.

Oh I see now it’s in the app title. Sorry completely missed that

Nice thanks

How fine-grained would those have to be to be useful in your case? I am asking, since apps only have limited support for unix users and groups.

@Lonkle last time you were here was like pre-ChatGPT?

I fully support this. I know it’s not the same but you can build something like this in your .bashrc (and a cron script) so you have some info on the terminal. Mine looks like this after I ssh into my server: [image: 1757554341579-img_2366-resized.jpeg]

@james correct.

Support for OCSP was removed here - https://forum.cloudron.io/topic/14265/how-to-disable-ocsp-stapling/5 . OCSP is being deprecated in favor of CRLs

@mattcazz yes, definitely . In hindsight, we should have maybe package the mail server more like an "app" . And then just like other apps, it would have gained all the customization of Cloudron apps. The email configuration could then have been inside this "mail server" app. We want to rework mail server to an app after Cloudron 9.

@humptydumpty said in Rotating backup destinations please!: @girish can we specify destinations per app? For instance, Nextcloud to my locally attached SSD, other apps to 3rd party like BackBlaze? This has not been implemented yet. But the plan is that each Backup Target will have an include/exclude list of apps. That way you can have apps backing up to specific targets. The automatic backup enable/disable flag of app will also go away. It will move to the Backup Target UI. You can just exclude the app from all the targets to have it not backed up ...