adhodgson
Posts
-
Restricting the SSH port to the public IP address of the VPN
I don't think this is possible unless there is a document I have missed somewhere. I wanted to do this myself for the same reason. I ended up moving SSH to port 202 and disabling password authentication; this has cut down all the SSH connection attempts. Cloudron configures the firewall to allow inbound port 202, no need to explicitly allow that port.
-
Automatic security updates on Cloudron 8/Ubuntu 24.04
Ok that file is showing regular checks but no packages marked for upgrade. I will keep an eye on this. Thanks for the support.
-
Automatic security updates on Cloudron 8/Ubuntu 24.04
Thanks for this. I know how the reboot notifications get triggered, but I don't believe my system is pulling in security updates in the first place. My understanding is that Cloudron configures Apt to pull in security updates automatically. How can I verify whether this is happening or not? This used to happen on my previous Hetzner server image, but this time I did a clean install of Ubuntu 24.04 from a minimal ISO install.
-
Automatic security updates on Cloudron 8/Ubuntu 24.04
Hi.
I've just logged into my machine after a few weeks of upgrading to Cloudron 8.0 on Ubuntu 24.04 (to check Cloudron 8.2 upgrade) and noticed I had some kernel and security updates pending. I then realised Cloudron hasn't nagged me about a system reboot since I did the migration. This is a fresh Ubuntu 24.04 install and I used the restore option in Cloudron.
What do I need to check to identify whether this is working correctly?
Thanks.
Andrew.
-
Upgrade to Ubuntu 24.04 - Share your experience!
I was looking at setting up an AdguardHome instance but wanted it to use the recursive Unbound DNS server as upstream rather than a third-party DNS server like Google or CloudFlare. Some questions on the Unbound config:
Unbound is used primarily for RBL queries (host 2.0.0.127.zen.spamhaus.org)
We cannot use dnsmasq because it is not a recursive resolver and defaults to the value in the interfaces file (which is Google DNS!)
In my case Unbound is using Hetzner DNS servers based on Netplan config. Should Cloudron use Google DNS by default?
server:
  port: 53
  interface: 127.0.0.150
  interface: 172.18.0.1
Does this mean that in Adguard Home I can use 172.18.0.1 as the upstream DNS server?
[...]
  cache-max-negative-ttl: 30
  cache-max-ttl: 300
Though these options may make this unviable.
Thanks.
Andrew.
-
Upgrade to Cloudron 8.0 Beta - Success!
Well just gone through the upgrade process on a fresh instance through Hetzner to Ubuntu 24.04:
- Upgraded to Cloudron 8.0 and took backup to storage box. Downloaded the backup metadata file.
- Wiped server with Ubuntu image from Hetzner and apt failed to do upgrade, moaned about missing files on the mirror. Tried to resolve but I wanted to try out an ISO installation from Ubuntu directly rather than using the Hetzner images anyway so gave that a go.
- Installing from ISO is actually easier than I thought it would be, there was no messing around with the routes as discussed in Hetzner docs. IPV4 works out of the box, I decided to take the netplan config file supplied by Hetzner's imaging process for my server and used that on the fresh Ubuntu install to get IPV6 working.
- After wiping and reinstalling the new system I changed the SSH port and then ran Cloudron-setup. It installed 8.0 for me as it detected an Ubuntu 24.04 install.
- In the setup wizard clicked on the restore option and supplied the file. Realised then I didn't have my storage box password so had to change that in the interface. However once changed the restore happened and all my apps were back in around 15 minutes.
Nice work guys, and I've always wanted to test the bare-metal restore from backup.
-
VPS location choice : NL ?
I've tried for a while to get a good UK based VPS as I moved away from Bytemark a while ago and haven't found anything as good. I'd love to go with Mythic Beasts but they aren't competitive. I use Hetzner right now but there were doubting voices about them on Mastodon a couple of months back when they failed to stop some abuse, not sure what was exactly going on there.
-
Upgrade to Cloudron 8.0 Beta - Success!
Would be interesting to see anyone go to Ubuntu 24.04 with this upgrade. I would do this on a new instance, so know I would have to upgrade to 8.0 on my existing host to do the restore.
-
Custom /etc/nginx/applications/ entry allowed?
I'm not running Mailman in another container as I want Cloudron to manage the Docker instance. It's running on the OS through a Python venv. Cert renewal is done via Certbot which just touches the Nginx configuration for Mailman and nothing else. Regarding the reverse proxy in Cloudron, my Nginx config doesn't just do reverse proxy, it serves up static images so I don't think this will work; also the destination for the proxy is on localhost so this may be an issue as well. I did think about running something like Surfer for serving up the images, however with the exception of Cloudron moving the conf file out of the way on occasional (not all) upgrades, this setup has been working solidly for 2 years.
-
Custom /etc/nginx/applications/ entry allowed?
I have been doing this for around 2 years as I run a Mailman instance alongside Cloudron and it works very well, however on occasions (upgrades) I find the /etc/nginx/applications directory is obliterated and I have to copy my custom .conf file again.
Is there any chance we could get an include setup for a directory like sites-enabled where Cloudron doesn't touch files in that directory? I'm also interested if we can use the reverse proxy configuration tool in Cloudron itself to provide this capability but suspect it won't allow me to set up the custom features in Nginx I want.
I realise this is only supported on a best-guess effort but it would be really good if we could have a "you're on your own" directory where we know it won't wipe out the contents where we can add our own custom Nginx configuration.
Andrew.
-
Cannot install Cloudron on Ubuntu 22.04 (DNS Issue)
Hi.
I had a similar issue running this on my home lab setup when I was testing out Cloudron before I put it in my VPS. I diagnosed the issue because I was funneling all traffic through my own DNS server and blocking all outbound DNS queries using a firewall. From what I could see the default Ubuntu Unbound setup makes the system act as a recursive DNS server on 127.0.0.1 using root hints and the system's default resolution uses this server. I may be completely off the ball with this but this was what I was seeing back in November.
Andrew.
-
Email running on second server
Hi.
So I'm running Cloudron on a Hetzner box as it's providing me the cheapest VM size for the money. However I have identified one issue with Hetzner and that is the IP addresses being on most blacklists. I am looking at setting up a cheap VM elsewhere to run a mail relay for the Cloudron instance as I don't want to use a transactional email solution to solve this problem as they mess about with the headers too much, and I'm on just over 100 emails a day with the apps installed on this VM.
My paid Cloudron instance is on the Hetzner box but it would be really cool if we could have a second instance as part of a cluster and say mine out the email capabilities to that second instance. Is that something that could be looked at?
Thanks.
Andrew.
-
Configure Haraka for Mailman3
@girish Mailman only accepts messages via LMTP. If your mail server has issues with LMTP, you could get the Mailman container to run an MTA like Exim or Postfix. Haraka could send the email via SMTP to the MTA running inside the Mailman container, which would then do LMTP to Mailman.
Mailman has been Dockerised before: https://github.com/maxking/docker-mailman
These containers assume an MTA is running on the host and can pass LMTP to the Mailman container via the Docker network.
-
Configure Haraka for Mailman3
I've just done a migration of a few small VPS instances to a larger Cloudron instance, main reason because I wanted to run a small Mastodon instance. Mailman is the only app I've had to install manually alongside Cloudron. I can post notes here on how I did it but if we can get a Mailman package started that would be fab. I've experience with the Docker Mailman images as well as installing using Pip. My current setup uses a subdomain Cloudron doesn't know about, the mail for that is handled outside of Cloudron email via Exim. Only shared component is Nginx which is running the Cloudron apps as well as hosting the reverse proxy to Django using Uwsgi. Really impressed with the Cloudron ecosystem by the way.
I wouldn't mind betting that the majority of Mailman 2 instances now run on a cPanel host, there is nothing like that for Mailman3 and setting up Mailman3 isn't trivial and has put several people off. I've done some consultancy work for some small orgs who want to implement Mailman3 but there isn't much out there. I think it would be a real boost to get Mailman3 on a platform such as Cloudron.
Relating to the mail setup I'm not familiar with Haraka in any way. Would you look at controlling the lists in Mailman via the Cloudron interface so Haraka knows what lists exist for a given domain, or have the lists on a dedicated domain that Haraka sends mail out to via LMTP? Since Mailman 3.3.6 we can use RCPT TO callout verification via LMTP which may help. Prior integrations either use Postfix with generation of the transport maps via Mailman or with Exim as each list has a directory in the filesystem which Exim can check to ensure it is actually a valid list.
Andrew.