Kestra on Cloudron – Open Source Workflow Orchestration with Developer Symmetry

We packaged it up for Cloudron here: https://github.com/halecraft/kestra-cloudron

@james Updated

Main Page: https://kestra.io
Git: https://github.com/kestra-io/kestra
Licence: Apache 2.0
Docker: Yes
Demo: https://demo.kestra.io/

Summary:

Kestra is a powerful, fully open-source declarative workflow orchestration engine. It allows developers and low-code users to define, run, and monitor complex workflows using either a UI or YAML-based code. Kestra integrates smoothly with modern developer tooling, including GitHub, and supports two-way synchronization between the UI and code—making it ideal for teams that blend visual and code-based development styles.

Notes:

I've previously used N8N and ActivePieces on Cloudron. While both have strengths, N8N is difficult to integrate with version-controlled development, and ActivePieces limits its useful features behind paywalls. Kestra offers a more open and developer-friendly alternative. With over 18k GitHub stars and 600+ plugins (including LLM support), it has a vibrant and growing ecosystem. I especially appreciate its ability to sync workflows between UI and code, making collaboration seamless between engineers and non-coders.

Alternative to / Libhunt link:

Alternative to: N8N, Airflow, ActivePieces
Libhunt: https://selfhosted.libhunt.com/kestra-alternatives

We have an ActivePieces cloudron package working here:

github.com/canadaduane/activepieces-cloudron
https://github.com/halecraft/activepieces-cloudron

As far as I can tell, there is no OIDC setup for the community version of ActivePieces, so no direct integration possibility with Cloudron users.

@Valexico is the MIT license ok with you also?

Thanks @girish! I've added an MIT license. Also, I tested with a basic OPENROUTER_KEY and it seems to work well. I'm not aware of any issues at this time.

I think the CloudronPackagePrompt.md file changed locations or was removed. Here is a URL that includes a commit SHA at a time in the repo when it existed:

https://git.knownelement.com/KNEL/KNELProductionContainers/src/commit/9f74e0fc3977d368f1ca4846843607c75cd05b1c/Techops/CloudronPackagePrompt.md

Here is the prompt, licensed AGPL according to the repo:

Cloudron Application Packaging Wizard

You are a Cloudron packaging expert who will help me package any application for deployment on the Cloudron platform. Using your knowledge of Cloudron requirements, Docker, and application deployment best practices, you’ll guide me through creating all the necessary files for my custom Cloudron package.

Your Process

1. First, ask me only for the name of the application I want to package for Cloudron.
2. Research the application requirements, dependencies, and architecture on your own without asking me for these details unless absolutely necessary.
3. Create all required files for packaging:
   • CloudronManifest.json
   • Dockerfile
   • start.sh
   • Any additional configuration files needed (NGINX configs, supervisor configs, etc.)
4. Create a “[App-Name]-Build-Notes” artifact with concise instructions for building, testing, and deploying to my Cloudron instance.

Key Principles to Apply

CloudronManifest.json

• Create an appropriate app ID following reverse-domain notation
• Set memory limits based on the application requirements
• Configure the proper httpPort which must match your NGINX setup
• Include necessary addons (postgresql, mysql, mongodb, redis, localstorage, etc.)
• Add appropriate metadata (icon, description, author)
• Include a postInstallMessage with initial login credentials if applicable
• Configure authentication options (OIDC or LDAP)

Authentication Configuration

• Configure the app to use Cloudron’s OIDC provider (preferred method):
  • Set up routing to /api/v1/session/callback in CloudronManifest.json
  • Use environment variables like CLOUDRON_OIDC_IDENTIFIER, CLOUDRON_OIDC_CLIENT_ID, and CLOUDRON_OIDC_CLIENT_SECRET
  • Properly handle user provisioning and group mapping
• Alternative LDAP configuration:
  • Use Cloudron’s LDAP server with environment variables like CLOUDRON_LDAP_SERVER, CLOUDRON_LDAP_PORT, etc.
  • Configure proper LDAP bind credentials and user search base
  • Map LDAP groups to application roles/permissions
• For apps without native OIDC/LDAP support:
  • Implement custom authentication adapters
  • Use session management compatible with Cloudron’s proxy setup
  • Consider implementing an authentication proxy if needed

Dockerfile

• Use the latest Cloudron base image (cloudron/base:4.2.0)
• Follow the Cloudron filesystem structure:
  • /app/code for application code (read-only)
  • /app/data for persistent data (backed up)
  • /tmp for temporary files
  • /run for runtime files
• Install all dependencies in the Dockerfile
• Place initialization files for /app/data in /tmp/data
• Configure services to output logs to stdout/stderr
• Set the entry point to the start.sh script

start . sh

• Handle initialization of /app/data directories from /tmp/data if they don’t exist
• Configure the application based on Cloudron environment variables (especially for addons)
• Generate secrets/keys on first run
• Set proper permissions (chown cloudron:cloudron)
• Process database migrations or other initialization steps
• Launch the application with supervisor or directly
• Configure authentication providers during startup

Web Server Configuration

• Configure NGINX to listen on the port specified in CloudronManifest.json
• Properly handle proxy headers (X-Forwarded-For, X-Forwarded-Proto, etc.)
• Configure the application to work behind Cloudron’s reverse proxy
• Set up correct paths for static and media files
• Ensure logs are sent to stdout/stderr
• Configure proper authentication routing for OIDC callbacks

Process Management

• Use supervisord for applications with multiple components
• Configure proper signal handling
• Ensure processes run with the cloudron user where possible
• Set appropriate resource limits

Best Practices

• Properly separate read-only and writable directories
• Secure sensitive information using environment variables or files in /app/data
• Generate passwords and secrets on first run
• Handle database migrations and schema updates safely
• Ensure the app can update cleanly
• Make configurations adaptable through environment variables
• Include health checks in the CloudronManifest.json
• Implement single sign-on where possible using Cloudron’s authentication

We now have a working LibreChat cloudron container set up. See: https://forum.cloudron.io/topic/12850/first-try-app-packaging-librechat-issue-with-postgresql-extention-pgvector/14?_=1749416165430

I have a working setup, based on @Valexico 's work here:

github.com/canadaduane/librechat-cloudron
https://github.com/halecraft/librechat-cloudron

The package has been updated to the latest version of LibreChat 0.7.8, and I fixed a few minor wrinkles such as OIDC login, write access to the public dir, and postgres support. I haven't yet tested it with all of the providers (this requires access keys in the .env file).

@firmansi Thanks! This worked. It would be better if the URL need not be configured inside the app, but just wanted to note that the solution/workaround is ok.

I have the same experience as @firmansi and can no longer log in. @nebulon

This is awesome progress @Valexico! Did pgvector make it in to the base Cloudron release, and were you able to then connect LibreChat's DB up?

BTW I'm very interested in this right now because Open WebUI (the only chat frontend currently supported by Cloudrain AFAIU) recently changed their license to something that is no longer open source (by OSI definition).

Open WebUI has changed their license to a not-strictly-open-source license (by OSI definition):

https://docs.openwebui.com/license/

https://www.reddit.com/r/LocalLLaMA/comments/1kg4avg/openwebui_license_change_red_flag/

I just noticed they have mattermost integration! From the .env.example file:

# Mattermost Integration
MATTERMOST_ENABLED=false                          # Enable Mattermost (true|false)
MATTERMOST_SERVER_URL=YourMattermostServerUrl     # Mattermost server URL
MATTERMOST_USERNAME=YourMattermostUsername        # Mattermost username
MATTERMOST_PASSWORD=YourMattermostPassword        # Mattermost password
MATTERMOST_TOKEN=YourMattermostToken              # Mattermost slash command token
MATTERMOST_COMMAND_NAME=/sfu                      # Mattermost command name
MATTERMOST_DEFAULT_MESSAGE=Here is your meeting room: # Mattermost default message

Coming from a Slack-at-work setup with huddles (video meetings) this is really cool.

Cloudron support mentioned here (but not implemented at time of writing):

https://github.com/activepieces/activepieces/issues/1277

Does PocketBase fill that gap?

PocketBase is interesting, but I wouldn't reach for it first for core application state. Postgres is "boring technology" which is great for reliability, well-known, well-understood etc. That said, I'm sure PocketBase fills an important niche.

Would love to see this. Self-hosted database makes n8n much more powerful.

It's been several months (perhaps more than a year) since I tried logging in to my Ghost installation. When I tried to log in, however, it didn't seem to recognize my email. A pop-up said, "No member exists with this e-mail address. Please sign up first."

When I logged in via MySQL I could tell that the email exists in the users table. In fact, it was the only user. However, it still didn't seem to recognize the email.

It turned out that I needed to add "/ghost" to the URL to log in to the Ghost backend. I had forgotten that there is a "member" login for email sign-ups, and the member login is the visible "sign in" button on the typical landing page.

I hope this helps someone else!

I'm having trouble with this as well. Our peertube didn't make the upgrade and is in a restart loop. Running npm run plugin:install -- -n peertube-plugin-auth-openid-connect -v 0.1.1 as cloudron user in recovery mode yields these errors:

err: Error: Command failed: yarn add peertube-plugin-auth-openid-connect@0.1.1
error /app/data/storage/plugins/node_modules/ffi-napi: Command failed.
...
/app/data/storage/plugins/node_modules/get-uv-event-loop-napi-h/include/get-uv-event-loop-napi.h:26:30: error: invalid conversion from ‘napi_status (*)(node_api_nogc_env, uv_loop_s**)’ {aka ‘napi_status (*)(const napi_env__*, uv_loop_s**)’} to ‘get_uv_event_loop_fn’ {aka ‘napi_status (*)(napi_env__*, uv_loop_s**)’} [-fpermissive]
   26 |   napi_get_uv_event_loop__ = &napi_get_uv_event_loop;
      |                              ^~~~~~~~~~~~~~~~~~~~~~~
      |                              |
      |                              napi_status (*)(node_api_nogc_env, uv_loop_s**) {aka napi_status (*)(const napi_env__*, uv_loop_s**)}
...
error: Cannot install plugin peertube-plugin-auth-openid-connect, removing it...

EDIT: In case the build info is useful:

gyp info using node-gyp@10.1.0
gyp info using node@20.15.1 | linux | x64
gyp info find Python using Python version 3.10.12 found at "/usr/bin/python3"

gyp info spawn /usr/bin/python3
gyp info spawn args [
gyp info spawn args '/usr/local/node-20.15.1/lib/node_modules/npm/node_modules/node-gyp/gyp/gyp_main.py',
gyp info spawn args 'binding.gyp',
gyp info spawn args '-f',
gyp info spawn args 'make',
gyp info spawn args '-I',
gyp info spawn args '/app/data/storage/plugins/node_modules/ffi-napi/build/config.gypi',
gyp info spawn args '-I',
gyp info spawn args '/usr/local/node-20.15.1/lib/node_modules/npm/node_modules/node-gyp/addon.gypi',
gyp info spawn args '-I',
gyp info spawn args '/home/cloudron/.cache/node-gyp/20.15.1/include/node/common.gypi',
gyp info spawn args '-Dlibrary=shared_library',
gyp info spawn args '-Dvisibility=default',
gyp info spawn args '-Dnode_root_dir=/home/cloudron/.cache/node-gyp/20.15.1',
gyp info spawn args '-Dnode_gyp_dir=/usr/local/node-20.15.1/lib/node_modules/npm/node_modules/node-gyp',
gyp info spawn args '-Dnode_lib_file=/home/cloudron/.cache/node-gyp/20.15.1/<(target_arch)/node.lib',
gyp info spawn args '-Dmodule_root_dir=/app/data/storage/plugins/node_modules/ffi-napi',
gyp info spawn args '-Dnode_engine=v8',
gyp info spawn args '--depth=.',
gyp info spawn args '--no-parallel',
gyp info spawn args '--generator-output',
gyp info spawn args 'build',
gyp info spawn args '-Goutput_dir=.'
gyp info spawn args ]

For the record, the resolution was that I had two accounts, one an admin and one a superadmin (both with a similar username). I believe that my logging into an app as the admin caused my current account in Cloudron to also become admin. This hid the "Configure" button in the Backup section--while admins can see the backup settings, only the superadmin can change them. Logging out of the admin account immediately gave me access to superadmin again.