Private CloudronVersions.json
-
The convenience and the standardization benefits of using
CloudronVersions.jsonand its features shouldn't be restricted to publicly accessible URLs.Whether be it manually pasting a
CloudronVersions.json's content in my dashboard, I'd like to be able to install my private custom applications this way. -
Hello @lanhild
its features shouldn't be restricted to publicly accessible URLs
Although this sounds like a good idea, there is an issue.
A URL is needed to make the app update process work.
With just pasted JSON or an uploaded JSON file the app update flow would never work since there is no target to pull the new JSON from.
If this is also about security, there are some options.
Haven't tested this, but a password protected URL should work. i.e URL it with?password=xx.
Or another security via obscurity way would be to upload the CloudronVersions.json to a LAMP app in a folder with a 'secret' folder.
For example https://lamp.cloudron.dev/a4ef19b785acd7c11ccd0b5c1551a8bd/CloudronVersions.json, thea4ef19b785acd7c11ccd0b5c1551a8bdis the 'password'.A secure approach would be to use a private docker registry for your community app and to give users credentials for the docker registry which they can configure in Cloudron.
If the community app git repository is not public, there is also no way to just build the docker image yourself.
This way, other people can have the CloudronVersions.json file but will not be able to pull the image without granted access to the private docker registry.
It would be nice if they could be hosted by the local registry app.
The docker images? That should already work and is close to my above suggestion with a private registry. You'd just need to configure the docker registry in the Cloudron dashboard under
/#/docker.
Or do you mean hosting the CloudronManifest.json file in the registry app as well?
I believe to understand that this feature request is not about security, hiding or protecting the CloudronVersions.json, but is about comfort and usability.
If you are fine with losing the automatic app update flow, you can always just runcloudron install --locationfrom the repo, which is not as comfortable as just pasting the JSON but resolves to the same outcome.Due to the mentioned disadvantages of just pasting JSON or upload a JSON file, it is my opinion that we should not add this.
-
Hello @lanhild
its features shouldn't be restricted to publicly accessible URLs
Although this sounds like a good idea, there is an issue.
A URL is needed to make the app update process work.
With just pasted JSON or an uploaded JSON file the app update flow would never work since there is no target to pull the new JSON from.
If this is also about security, there are some options.
Haven't tested this, but a password protected URL should work. i.e URL it with?password=xx.
Or another security via obscurity way would be to upload the CloudronVersions.json to a LAMP app in a folder with a 'secret' folder.
For example https://lamp.cloudron.dev/a4ef19b785acd7c11ccd0b5c1551a8bd/CloudronVersions.json, thea4ef19b785acd7c11ccd0b5c1551a8bdis the 'password'.A secure approach would be to use a private docker registry for your community app and to give users credentials for the docker registry which they can configure in Cloudron.
If the community app git repository is not public, there is also no way to just build the docker image yourself.
This way, other people can have the CloudronVersions.json file but will not be able to pull the image without granted access to the private docker registry.
It would be nice if they could be hosted by the local registry app.
The docker images? That should already work and is close to my above suggestion with a private registry. You'd just need to configure the docker registry in the Cloudron dashboard under
/#/docker.
Or do you mean hosting the CloudronManifest.json file in the registry app as well?
I believe to understand that this feature request is not about security, hiding or protecting the CloudronVersions.json, but is about comfort and usability.
If you are fine with losing the automatic app update flow, you can always just runcloudron install --locationfrom the repo, which is not as comfortable as just pasting the JSON but resolves to the same outcome.Due to the mentioned disadvantages of just pasting JSON or upload a JSON file, it is my opinion that we should not add this.
-
Hello @lanhild
its features shouldn't be restricted to publicly accessible URLs
Although this sounds like a good idea, there is an issue.
A URL is needed to make the app update process work.
With just pasted JSON or an uploaded JSON file the app update flow would never work since there is no target to pull the new JSON from.
If this is also about security, there are some options.
Haven't tested this, but a password protected URL should work. i.e URL it with?password=xx.
Or another security via obscurity way would be to upload the CloudronVersions.json to a LAMP app in a folder with a 'secret' folder.
For example https://lamp.cloudron.dev/a4ef19b785acd7c11ccd0b5c1551a8bd/CloudronVersions.json, thea4ef19b785acd7c11ccd0b5c1551a8bdis the 'password'.A secure approach would be to use a private docker registry for your community app and to give users credentials for the docker registry which they can configure in Cloudron.
If the community app git repository is not public, there is also no way to just build the docker image yourself.
This way, other people can have the CloudronVersions.json file but will not be able to pull the image without granted access to the private docker registry.
It would be nice if they could be hosted by the local registry app.
The docker images? That should already work and is close to my above suggestion with a private registry. You'd just need to configure the docker registry in the Cloudron dashboard under
/#/docker.
Or do you mean hosting the CloudronManifest.json file in the registry app as well?
I believe to understand that this feature request is not about security, hiding or protecting the CloudronVersions.json, but is about comfort and usability.
If you are fine with losing the automatic app update flow, you can always just runcloudron install --locationfrom the repo, which is not as comfortable as just pasting the JSON but resolves to the same outcome.Due to the mentioned disadvantages of just pasting JSON or upload a JSON file, it is my opinion that we should not add this.
It would be nice if they could be hosted by the local registry app.
The docker images? That should already work and is close to my above suggestion with a private registry. You'd just need to configure the docker registry in the Cloudron dashboard under
/#/docker.I believe what @robi meant is to be able to store the
CloudronVersions.jsonin a registry, much like what authentik does with blueprints.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login