@Joseph I understand this is not the absolute highest level of security and you'd be better off storing your 2FA keys in a separate module, but in practice this will decrease your security only very little. I'm also hosting Vaultwarden on a separate server from the Cloudron they're using, so this is also an improvement.

Andreas
Posts
-
Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app? -
Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?
@uwcrbc I am having people use Vaultwarden, which is independent of the Cloudron SSO. So you can onboard them there simultaneously.
-
Installing packages next to cloudron
@necrevistonnezr It's working, but it is running next to Cloudron which isn't really optimal. I wanted to test and see if it breaks anything though, currently there seem to be no issues.
-
how to connect to a cloudron ldap via federation?
But even with read only it fails
-
Installing packages next to cloudron
@nebulon Yup that did the trick, thank you
-
how to connect to a cloudron ldap via federation?
Just to clarify, you're saying, this should work? Because it's only returning the system admins (me)
-
Installing packages next to cloudron
@nebulon in /etc/elasticsearch/elasticsearch.yml I tried network.host: 172.18.0.1 & 0.0.0.0. Wouldn't docker be one of these?
-
Autoconfig for mail when website not hosted on Cloudron?
On my quest to get auto discovery working with Apple devices I stumbled across this project: https://github.com/Monogramm/autodiscover-email-settings @girish Maybe worth looking into packaging?
-
how to connect to a cloudron ldap via federation?
@girish said in how to connect to a cloudron ldap via federation?:
That works, but now I need to figure out what the Bind DN is to list all users, not just admins. user, users, person etc. don't seem to be correct.
-
Installing packages next to cloudron
@nebulon Still running into problems. Running curl on machine via terminal resolves fine:
root@my:~# curl -u elastic:PASSWORD http://localhost:9200
{
  "name" : "my",
  "cluster_name" : "elasticsearch",
  "cluster_uuid" : "LpqIch-iRl2KRaK6-_DvuQ",
  "version" : {
    "number" : "8.17.2",
    "build_flavor" : "default",
    "build_type" : "deb",
    "build_hash" : "747663ddda3421467150de0e4301e8d4bc636b0c",
    "build_date" : "2025-02-05T22:10:57.067596412Z",
    "build_snapshot" : false,
    "lucene_version" : "9.12.0",
    "minimum_wire_compatibility_version" : "7.17.0",
    "minimum_index_compatibility_version" : "7.0.0"
  },
  "tagline" : "You Know, for Search"
}
But
root@539fd472-7ce9-455f-80b0-869ffba5faab:/app/code# curl -u elastic:PASSWORD http://172.18.0.1:9200
curl: (28) Failed to connect to 172.18.0.1 port 9200 after 132415 ms: Connection timed out
from the CLI within the app fails for some reason.
-
A Matrix-WhatsApp puppeting bridge -
Enabling features
@girish I thought that was necessary because it didn't seem like the feature was installed on my instance. I'll investigate...
-
Enabling features
My understanding is that this was added to the package but enabling it still won't work:
root@bdb4c70c-3a98-4263-b7b4-06816ea7d6c3:/app/code/bin# ./kc.sh build --features="passkeys"
WARNING: The following run time options were found, but will be ignored during build time: kc.cache, kc.db-url, kc.db-username, kc.db-password, kc.hostname, kc.hostname-strict, kc.http-enabled, kc.http-host, kc.http-port, kc.proxy-headers, kc.proxy-trusted-addresses
Updating the configuration and installing your custom providers, if any. Please wait.
2025-02-13 13:16:07,396 INFO [org.key.com.Profile] (main) Preview features enabled: passkeys:v1
2025-02-13 13:16:08,305 INFO [org.key.com.Profile] (main) Preview features enabled: passkeys:v1
2025-02-13 13:16:08,680 WARN [io.qua.config] (build-21) Unrecognized configuration key "quarkus.smallrye-health.extensions.enabled" was provided; it will be ignored; verify that the dependency extension for this configuration is set or that you did not make a typo
2025-02-13 13:16:09,481 INFO [io.qua.hib.orm.dep.HibernateOrmProcessor] (build-19) Persistence unit 'keycloak-default': Enforcing Quarkus defaults for dialect 'org.hibernate.dialect.H2Dialect' by automatically setting 'jakarta.persistence.database-product-version=2.3.230'.
2025-02-13 13:16:09,483 INFO [io.qua.hib.orm.dep.HibernateOrmProcessor] (build-19) A legacy persistence.xml file is present in the classpath. This file will be used to configure JPA/Hibernate ORM persistence units, and any configuration of the Hibernate ORM extension will be ignored. To ignore persistence.xml files instead, set the configuration property 'quarkus.hibernate-orm.persistence-xml.ignore' to 'true'.
ERROR: Failed to run 'build' command.
ERROR: io.quarkus.builder.BuildException: Build failure: Build failed due to errors
[error]: Build step io.quarkus.deployment.pkg.steps.JarResultBuildStep#buildRunnerJar threw an exception: java.nio.file.ReadOnlyFileSystemException
    at jdk.zipfs/jdk.nio.zipfs.ZipFileSystem.checkWritable(ZipFileSystem.java:370)
    at jdk.zipfs/jdk.nio.zipfs.ZipFileSystem.createDirectory(ZipFileSystem.java:708)
    at jdk.zipfs/jdk.nio.zipfs.ZipPath.createDirectory(ZipPath.java:742)
    at jdk.zipfs/jdk.nio.zipfs.ZipFileSystemProvider.createDirectory(ZipFileSystemProvider.java:186)
    at java.base/java.nio.file.Files.createDirectory(Files.java:700)
    at java.base/java.nio.file.Files.createAndCheckIsDirectory(Files.java:808)
    at java.base/java.nio.file.Files.createDirectories(Files.java:753)
    at io.quarkus.deployment.pkg.steps.JarResultBuildStep.buildThinJar(JarResultBuildStep.java:664)
    at io.quarkus.deployment.pkg.steps.JarResultBuildStep.buildRunnerJar(JarResultBuildStep.java:228)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
    at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:856)
    at io.quarkus.builder.BuildContext.run(BuildContext.java:256)
    at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
    at java.base/java.lang.Thread.run(Thread.java:1583)
    at org.jboss.threads.JBossThread.run(JBossThread.java:483)
ERROR: Build failure: Build failed due to errors
[error]: Build step io.quarkus.deployment.pkg.steps.JarResultBuildStep#buildRunnerJar threw an exception: java.nio.file.ReadOnlyFileSystemException
    at jdk.zipfs/jdk.nio.zipfs.ZipFileSystem.checkWritable(ZipFileSystem.java:370)
    at jdk.zipfs/jdk.nio.zipfs.ZipFileSystem.createDirectory(ZipFileSystem.java:708)
    at jdk.zipfs/jdk.nio.zipfs.ZipPath.createDirectory(ZipPath.java:742)
    at jdk.zipfs/jdk.nio.zipfs.ZipFileSystemProvider.createDirectory(ZipFileSystemProvider.java:186)
    at java.base/java.nio.file.Files.createDirectory(Files.java:700)
    at java.base/java.nio.file.Files.createAndCheckIsDirectory(Files.java:808)
    at java.base/java.nio.file.Files.createDirectories(Files.java:753)
    at io.quarkus.deployment.pkg.steps.JarResultBuildStep.buildThinJar(JarResultBuildStep.java:664)
    at io.quarkus.deployment.pkg.steps.JarResultBuildStep.buildRunnerJar(JarResultBuildStep.java:228)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:733)
    at io.quarkus.deployment.ExtensionLoader$3.execute(ExtensionLoader.java:856)
    at io.quarkus.builder.BuildContext.run(BuildContext.java:256)
    at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18)
    at org.jboss.threads.EnhancedQueueExecutor$Task.doRunWith(EnhancedQueueExecutor.java:2516)
    at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2495)
    at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1521)
    at java.base/java.lang.Thread.run(Thread.java:1583)
    at org.jboss.threads.JBossThread.run(JBossThread.java:483)
For more details run the same command passing the '--verbose' option. Also you can use '--help' to see the details about the usage of the particular command.
-
Custom Cloudron image for ElasticSearch
@bmann Just found this. I'm interested in participating
-
Installing packages next to cloudron
I know I'm not supposed to do this and am fully aware of all possible consequences (this is merely a small development server to play on).
But I would like to install elasticsearch next to cloudron and have nextcloud access it. However, the containers don't seem to be able to call to elasticsearch.
curl "http://localhost:9200"
fails with
curl: (7) Failed to connect to localhost port 9200 after 0 ms: Connection refused
I have the feeling there is a way to do that though?
-
how to connect to a cloudron ldap via federation?
@nj Could you share your configuration as to how to connect to a cloudron ldap via federation?
This isn't fetching my users:
-
Nextcloud OIDC integration
@girish Proposition to change the OpenID Identifier from "Cloudron" to "OpenID" or "SSO" since we can't have the branding from the Cloudron instance
-
Nextcloud OIDC integration
Migration of a smaller instance seems to work smoothly so far.
-
Elasticsearch
@robi Unfortunately that's the only full text search provider that's supported by Nextcloud…
-
Nextcloud OIDC integration
@girish Works perfectly now, thanks!