Per domain user subscription and admin role

I'm sure something similar has been asked already but I couldn't find it on the forum.

Would it be possible to add to following features of User & Groups in future version of Cloudron:

• subscribe users to a specific domain (say with another drop down option for each users: default being "all" but with the possibility to select domains individually - as it is down for selecting group membership). Those users would then only be allowed to login on apps which are installed under that/those particular domain(s). Effectively this is no different that manually creating a group for each domain and then manually setting the correct access permission when installing apps, except that it would automate that process by creating those groups in the background for each domain and setting the correct rights automatically. Also it would be helpful for implementing the "3. per domain user management" aspect of the "domain admin" feature below

• create a "domain admin" role to give some members admin rights but only on certain domains so that they can (and only can): 1. access all apps and email settings on a given domain(s); 2. an managed all of apps on that/those domain(s) 3. can see all users subscribed to that/those domain(s) and can invite new users to that/those domain(s). So as role we'd have: Owner, Admin (would automatically be administrates all domains), Domain Admin (which when selected would open the drop down menu to select domains without the "All" option), Users (which when selected would open the drop down menu to select domains, with default choice on the "All" option).

It feels these two features would greatly enhance cloudron management for cases where you don't necessarily want to have admins able to administrate all domains (either for security reasons and for reducing admin time) but still want someone able to configure email accounts / lists, manage apps and invite people.

Here is just some concepts and some ideas on how it could work on the UI side. Hope this proves useful.

Could be useful, don't think we have already an app for this.
https://www.signserver.org/
https://hub.docker.com/r/primekey/signserver-ce

Hello,

Is it possible to integrate mailman to cloudron to be able to manage email lists?

It would be a great feature to have.

@girish Yes you are right that the post started with different domains but this is because I had in mind the case of an organisation that uses separate domains for different activities, with different people being in charge of those different activities. While you are right that Cloudron does a fantastic job as isolating access to apps with the Group feature, as soon as if you give Admin right to someone, then they get full access to everything irrespectively of group / user access rules (which is of course kinda of the point of an admin!).
The issue is that in the case I mentioned, it would still be useful to give some people the ability to at least managed emails, users and apps for their particular domain / area of the organisation.
While this may not be a "common" case, I reckon it is not super rare either.

That said, the thread though as kinda of evolved into looking at ways to fine tune the rights of the Admin role rights rather than a split per domain as it started original. Lots of ideas in there. Maybe another intermediate Admin role could be step in that direction to delegate some rights (like email management) to people which would be useful in large organisations (see my second post) without granting full admin rights ?

@scooke I too would very much like to use Kopano Meet with external users (without them to login into my Cloudron), so like you I think it would be a great feature to have but still, I think we should be grateful on the fact some developer bothered making a Cloudron package even if there are limitations for now and not be too harsh or focused on criticisms and enjoy that we got a videoconference app running on Cloudron. And maybe kindly ask for support if you're trying to do something which you cannot do on your own (I believe the Kopano Meet Cloudron app has an open source code which you could be modify to add the functions you want, if you know how to do it).

As @fbartels explained, Kopano does have this functionality, it "just" needs to be configured. Now the "just" doesn't seem very straightforward and yes it'd be great if someone could package the app with that function turned on. Maybe @fbartels can help? Personally I'm not a developer so I can't help with this but appreciate any work anyone can put into this or into anything else that makes Cloudron better.

@jdaviescoates said in Meet Kopano (unstable version) - a few questions & problems :

with full p2p WebRTC apps like Kopano Meet all users need to have enough bandwidth for all streams or something

Here is a nice explanation of the pros and cons of the three main typologies used for video conference: p2p / MCU / SFU

Is there any update on this app? It would be awesome to have it!

I like the idea of having more app filters!

SSO great idea.

When it comes to an "open source" filter, I think the open code based makes more sense, rather than looking at all add-ons or price. We are talking about filters on Cloudron App Store, therefore think the question is, "is the app actually installed from cloudron app store opened of closed?", not any add-ons people may choose to install later on.

Other options could be to have:

• a Free Software filter for program without any proprietary add-ons
• a "close sourced" filter for apps where the code of the base app is not available (i.e. that app actually installed from the app store)
• a $ filter for program that require a paid license

Mainly I think we should NOT conflate price/money and license type / openness of source case. Take Teamspeak, for e.g., it can be used for free, on a free (as in free beer) license, yet it is proprietary software.

I think that whatever filter option we choose, the openness of the code that is actually being installed from the Cloudron App Store (i.e. without add-ons) is the thing that users should be made aware of / able to easily choose from. So as a first implementation of any filter, I thing the open/closed source filter would be the priority.

Hello,

When it comes to syncing files, Synthing outperform Nextcloud by a long stretch. However with syncthing installed on the server you cannot access your files via a web interface, as you would do with Nextcloud.

Two main approached to integrate the tow are:

1. to manually give permission to syncthing on your nextcloud folder on your server, and add that folder as a sync in thinking. Issues with this is that the files synced with Syncthing won't be visible in the nextcloud interface unless you trigger manually a rescan of that folder with a nextcloud command (occ files:scan --all). This process is resource intensive as it rescans all files rather than the one that changes. If you use the nextcloud web interface a lot you'd have to schedule that command to run regularly. So overall quite inefficient. Also it some limitations in terms of integrate file versioning and trash between the two apps. Now someone clever wrote a script to file watch modification made by syncthing, and address the versioning issue. See here and here. Issue is it hasn't been maintained for 5 years, though was still working fine 3 years ago. Might be a good place to start though as I reckon things might not have changed much in the architecture of both apps on that front.
   Apparently there would not be such a problem using Pydio instead of Nextcloud. Not yet on Cloudron though.

2. Adding Syncthing folder as external storage. Apparently works fine in terms of detecting changes right away but has some limitations again in terms file versioning and trash. Not the end of the world in many use case (you just have two file versioning systems and two trash systems). THE issue here is that external storage is not support in the Cloudron version of Nextcloud

Relevant post on the topic if people wanna look into this. I think it'd be great to come up with a solution for users of Nextcloud on Cloudron. I;d be up to help testing stuff. Sadly I cannot code...

https://forum.syncthing.net/t/integrate-syncthing-with-nextcloud-and-owncloud/11289
https://forum.syncthing.net/t/integrating-syncthing-with-owncloud/6332
https://forum.syncthing.net/t/mixed-syncthing-with-nextcloud/10499/3
https://github.com/nextcloud/server/issues/8384
https://help.nextcloud.com/t/syncthing-nextcloud-how-to/5459

Also might be of interest:

An article which test a methodology to compare SFUs, and then test a few of them. Results probably do not reflect real case scenario though.

@jdaviescoates said in Roundcube 1.5 beta - development continues!:

and K-9 Mail gets a new stable release

Have you ever tried FairEmail? I've been using this instead of K-9 Mail after the development stopped and I like it a lot. Maybe you like it too and it'll bring you one step closer to self-hosting emails

@murgero Sorry it took a while, done now!

@girish Many thanks Girish. It must have been a space problem indeed. Looking at the log, the processed froze while downloading the last big part of the image (~570MB). I tried to duplicate the app, which worked fine but and the process also froze when trying to update it (also while downloading that part the image).

Anyway, I had a about 3GB of free space which I though would be enough to update Wekan but after doing some cleaning up on the server (like deleting old apps I wasn't using), I went to about 7GB of free space and the update started working again.

In one of my Cloudron, I have just noticed that Wekan stayed stuck v4.57 (auto update are NOT disabled) with an error message. I have used the "Retry update task" button and that restored the app to a working state but still on version 4.57 and showing "Update available" label.

I have tried to update and it only proposes to update to v4.58 instead of latest v.4.63 and then fail when downloading the image with the following error:
Error : Task Error - Task 2662 crashed with code 7 and signal null

Any idea what I should do?

Many thanks

PS: it's all fine on all of my other Cloudrons

@girish Yes you are right that the post started with different domains but this is because I had in mind the case of an organisation that uses separate domains for different activities, with different people being in charge of those different activities. While you are right that Cloudron does a fantastic job as isolating access to apps with the Group feature, as soon as if you give Admin right to someone, then they get full access to everything irrespectively of group / user access rules (which is of course kinda of the point of an admin!).
The issue is that in the case I mentioned, it would still be useful to give some people the ability to at least managed emails, users and apps for their particular domain / area of the organisation.
While this may not be a "common" case, I reckon it is not super rare either.

That said, the thread though as kinda of evolved into looking at ways to fine tune the rights of the Admin role rights rather than a split per domain as it started original. Lots of ideas in there. Maybe another intermediate Admin role could be step in that direction to delegate some rights (like email management) to people which would be useful in large organisations (see my second post) without granting full admin rights ?

@marcusquinn said in Zulip - Powerful open source group chat:

Zulip threads aren't that clever, you can recreate that with sub-channels in any other chat platform,

Except that you cannot create sub-channels in Rocket.chat. You could see "Discussions" as sub-channels but they're not in terms of ux, there is no hierarchy displayed. Plus the idea is that Zulip forces to sort each message someone within a topic or as a new topic (like on email) which greatly helps with keeping the whole instance organised.
Channels in Zulip are more like placeholders within which you have topics and not somewhere you type messages, which is a level hierarchy to organise discussion that rocket.chat does not have (you could say that "Teams" in Mattermost are kinda similar in that respect - though the intended purpose is different).

@girish Particularly for Nextcloud that would be great. Apparently Nextcloud is able to sync LDAP groups, are Cloudron groups not LDAP?

@jdaviescoates I've found Collabora much better in terms of performance with recent versions (even though I am still dubious about their design choice when it comes to server / client processing). It's got also much less restrictions and prefer the default compatibility with odfs (the development seem to be faster these days too). I have stopped using OnlyOffice for quite a few month now and I don't regret it.

@fbartels Oops sorry, I should have at least tried to restart. It working fine just with restarting the app (no need to even reinstall). Thanks

@fbartels Thanks!