I would like Cloudron to support password complexity setting.
Allowing for (ideally via GUI and some kind of json/yaml etc file that can be version controlled/deployed via IAC):
(checkboxes/fields for setting:)
The default should be the same as it is now (to not break any existing users).
Feel free to move this (entire topic/parts of it) to the best category as appropriate.
As my company/businesses mature and I am pursuing larger contracts/fundraising, I have more involved due diligence requirements from my board and counter parties.
Using Cloudron as our central IDP, we would like to be able to set password complexity requirements. For now, using 2fa (since everything we use now supports OIDC with the recent dollibar update) we can get an exception to the complexity requirements, but that won't last forever. Any possibility of being able to set complexity requirements? Even if it needs to be done via changing a json file or something?
Centralized logging (OS/container) logs. I have a Librenms VM I run on premise (where all my bulk/slow storage is) running syslog-ng integrated into Librenms.
Official support for Tailscale (or other overlay networks such as Netbird). Currently installing Tailscale into the Cloudron VM and editing /etc/resolv.conf to point at my Librenms Vm (running a DNS docker container) allows everything to work.
Support for the Wazuh agent (for compliance reporting/enforcement)
Hardening of the underlying Ubuntu server (via say https://github.com/ComplianceAsCode ) (and also things like hardening the SSH configuration).
I am happy todo all of the heavy lifting in regards to the above. I have a set of provisioning scripts https://git.knownelement.com/KNEL/FetchApply ) and am working on all of the security hardening/system monitoring/centralized logging on all of my non Cloudron servers. I would like to work with the project to "officially" integrate (in a maintainable/supportable way) these more "enterprise" focused things into the Cloudron product. I realize that it's a slider between hardening and convenience and that (many? most?) Cloudron users are small/medium businesses/(pro)sumers who don't necessarily want these things. Product management/positioning is very difficult!
I imagine, many/most of the Linux hardening things will have zero impact on most users, and only serve to make attackers life harder.
Hello all.
I am in the process of packaging up many apps for Cloudron (several of which are from this forum category).
Working on them in the open here: https://git.knownelement.com/KNEL/KNELProductionContainers/src/branch/master/Cloudron
It's a long list across many different areas of focus and levels of complexity.
Who wants to help me?
Full disclosure:
Hello all.
I’ve used Claude to do first cut of packing apps I want in cloudron.
Here’s the repo:
https://git.knownelement.com/KNEL/KNELProductionContainers/src/branch/master/Techops
Here’s the prompt I use :
I’ll do a bit of restructuring into a Cloudron and non cloudron directory. Check the history for the stuff I’ve been doing :
https://git.knownelement.com/KNEL/KNELProductionContainers/commits/branch/master
I would like the ability to search in the domain list when I’m deploying an app from the Cloudron application store.
Basically , every list selection box should be searchable. Users , groups , domain etc
My Cloudron details:
Hosting Provider: Netcup
Hosting Product: VPS 8000 G11 iv 12M MNZ (16 core, 64gb ram, 2048 SSD)
Total Apps: 158
Backup provider: Backblaze B2
I and my company are all in on Cloudron.
I use it for my business and for my family office. In the process of packaging up a number of applications for Cloudron that a fully self-hosted business would need.
@girish said in What's coming in Cloudron 9:
Show backup/restore progress
Can you expand on this a bit? The current backup UI shows the progress.
Granular Backup schedule / Multiple Backup Desinations
As in per application? That would be awesome. For example, I would want say Nextcloud/Gitea/ Redmine backed up multiple places and daily, but MiroTalk/Searxng monthly and to one place. If it could be done off of tags, that would be wonderful. I would tag apps as stateful, stateless myself (and perhaps some kind of priority tag). If one could have some kind of Recovery Time Objective/Recovery Point Objective , that would be very "enterprise". Honestly just per app / tag granular backup schedule/destination would let one achieve that.
Would it be possible to set (chrony/timesyncd/ntp pick your poision) parameters in the GUI?
I run a stratum1 high precision timing source on my network and have all my (non cloudron) systems configured to use it.
I presume I can alter the underlying configuration of Ubuntu to point at it, but I try to make zero changes to the underlying OS.
This is now working for me. Unless anyone else is still having an issue, I think this issue can be closed.
Hello.
I was doing some research and I see Dolibarr supports OIDC.
https://wiki.dolibarr.org/index.php?title=Authentication,_SSO_and_SSL
Any possibility of switching to that from LDAP?
Dolibarr is my only Cloudron app using LDAP and not 2fa protected.
Oh yes. I’m sure I’ll need to make some tweaks. So far it’s been pretty good results across languages. It searches as it works and pulls the results into how it builds the output.
I’ve yet to do any testing. I hack in the open from the very get go
For me, I have avoided all HA/replication (with the exception of backups). In my 20+ year career as a professional system admin/engineer/architect in increasing levels of responsibility/authority I have only seen HA/replication cause more issues than it's worth.
To be clear, I am referring to things with state (databases). Starless (application frontends) and clustered "semi stateful" (think memcached/redis) is quite welcome/acceptable.
Database replication with appropriate monitoring/resiliency/planning could be useful. It can also go sideways in nasty ways.
I have found Cloudron backup/restore to be quite fast (presuming your Cloudron instance is network close enough to your backup target). The upcoming backup changes are quite welcome and address all of my concerns.
Add a CDN in the front and enjoy stateless/horizontal scaling.
As I understand it, swapping out your data store to a cluster (and keeping the docker/readonly/app bits in Cloudron) should be easy? Just need to update the DB_ related environment variables?
I (and my company) are very heavy users of Cloudron. Being on a single box hasn't been an issue for us. When we need to scale (we expect to have some massive read heavy apps using some complex GIS stuff) we will use a CDN. We are spinning up a large k8s cluster to run a number of high compute workloads. All of the command/control will be via Cloudron hosted apps (BOINC/SLURM).
Cloudron is for "bootstrap/core" "pets" (but using a kind of "cattle" architecture/model)(this combination is very powerful) , k8s is for your scale out cattle. (k3s/rancher/longhorn) makes k8s deployment quite easy).
The prompt file is here :
I’ve been busy building out the front office (physical facilities ) of my rental businesses. That’s finishing up this weekend.
So now I’m coming back to building out the middle / back office , and that means lots of cloudron packaging!
(I realize this is an old post, but I can't let such things go un-addressed).
@LoudLemur said in Configuring Apache Superset to install and show demo data on Cloudron:
Will do! I love Cloudron and it is a pleasure to recommend it, though this is tinged by the licence.
Really?
You won't pay $1.00 a day for Cloudron? Why not?
How can you not see the cost/value/return on investment of $1.00 a day for all the amazing work/time savings etc that Cloudron provides?
Why would you attack such a successful business model? They could easily charge $50.00 a month as a base level and it would be worth it.
To circle back on this...
I deployed Keycloak from the app store. I created a new (local) admin user and deleted the temp one (as per the instructions out of the box).
I then used the "Login with Cloudron" button and was able to login to Keycloak (as the non admin user from Cloudron directory) and my Cloudron user shows up in Keycloak .
I would be very interested in developing/documenting a tight integration/best practices between Cloudron/Keycloak as a way to greatly extend/enhance Cloudron user management. Setting up various tenants, self service enabling signups in those tenants etc. For example, building user on-boarding / approval workflows (where you bring on a new team member and they need to be provisioned into groups). Right now, only Cloudron Superadmins have the ability to manage groups, and that isn't a privilege I want to hand out 
I originally planned to have Claude build me a web app and utilize the Cloudron API to build that functionality (and was going to AGPLv3 it). However, perhaps, with Keycloak we don't have to fully re-invent the wheel?
IAM is a VERY important requirement/feature to compete with AWS/Azure. It's the next thing my board wants to see as we move through go-live with Cloudron across our various projects/entities.
Who would be the key people I would need to work with to get this built out/tested/integrated/streamlined?
I realize that Cloudron (as I understand it) isn't currently positioned/targeting "enterprise" or those who may use AWS/Azure. I am happy todo the light/medium/(some) heavy lift work to help get it to where I need it to be. I am a founder/CTO of a company that is in the ramp up/growth phase. I steadfastly refuse to use the "big cloud" and Cloudron has been amazing at eliminating about 90% of system admin duties in a reliable way.
Make these two things match:
Groups doesn't have a search function, where users does.
The Cloudron Forum link on:
https://docs.cloudron.io/apps/dolibarr/
is broken.
It takes you to the Moodle forum.
I have my docker registry setup (one in gitea for testing, one on my cloudron for the images I'll release) and I have the cloudron build service setup. Also have the cloudron tooling on my development workstation (and, you know, have a development workstation setup finally). Progress on packaging very soon. Been going through my bookmarks/notes and found a few more things to package up.
I'll be posting updates throughout the month of July as I progress.
I briefly searched the forum and didn't find anything on this topic. Feel free to point me to existing topics.
Is off-box/remote logging possible? I presume I can drop to the root shell and tweak the (r)syslog configuration to send things to a remote target. I would prefer a UI/API way todo this task (to ensure it doesn't break anything).
Same for other logging settings (retention/rotation).
Integration of logwatch
Is the /etc/aliases (root) alias setup to send to whatever Cloudron (SuperAdmin)(s) e-mail addresses?
What about docker logs? (Targeting/retention)?
Cloudron is wonderful and covers many of my needs. However I also have a Coolify server and it's running things like Graylog/Librenms and other infrastructure bits that Cloudron doesn't provide. For those of us with a bit bigger "enterprise" type setup/requirements, Cloudron could use some lightweight integration points/support.
Connecting...
root@16405153-e269-41e3-ab8d-095606d5b07e:/app/data/public/KNEL/FetchApply# gup
Already up to date.
root@16405153-e269-41e3-ab8d-095606d5b07e:/app/data/public/KNEL/FetchApply# cat /app/data/.bashrc
cd /app/data/public/KNEL/FetchApply
alias gup='su www-data -c "git pull"'
root@16405153-e269-41e3-ab8d-095606d5b07e:/app/data/public/KNEL/FetchApply#
Ah this opens up all manner of creature comforts. Excellent! Really appreciate the prompt response @joseph