checkmk monitoring solution

@jayonrails @robi @joseph @jdaviescoates

the request is now live. i have also added the following comment (which is awaiting approval) to clarify the request:

The problem is that, currently, a Ubuntu server or a Docker engine is required to host Checkmk (Raw), which creates administrative overhead.
Cloudron is a magical tool (makes it very easy) to self host open source software without adding much effort for system administration.
It runs with Docker containers but they need to be specifically created for the system. Since Checkmk is already creating a docker image with a docker file it should be relatively simple to also provide a Cloudron package.
Cloudron is currently missing a proper monitoring solution. A gap Checkmk could fill. Giving many Cloudron users easy access to Checkmk.

is there maybe a way to block a cloudron app from accessing the internet/making calls to external servers? this way it would block any saas connection to google or similar?

I would very much prefer an installation of excalidraw without any third party connections.

+1 for this. would make database testing/administration much easier!

@lanhild - i just saw you archived the git repository for the cloudron psql. is the code still usable/"up to date" or should i look elsewhere?

With Cloudron supporting custom apps soon, it would be nice to have this available somehow

I submitted a "cloudron platform package" as a feature request if anybody wants to upvote it:

https://ideas.checkmk.com/suggestions/694337/cloudron-platform-package

Unfortunately I get the same error with the updated package. Here is my current config:

OpenID Client on Cloudron:

https://lampoidc.mydomain.com/secure/redirect_uri
<clientId>
<secret>

/app/data/apache/app.conf:

ServerName localhost

<VirtualHost *:80>
    ServerName localhost
    UseCanonicalName Off
    DocumentRoot /app/data/public

    LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" proxy
    CustomLog "|/bin/cat" proxy
    ErrorLog "|/bin/cat"

    <Directory /app/data/public>
        Options +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Do not remove this include. It's required for your app to see the Real IP
    Include "/app/code/apache/rpaf.conf"
    # This line can be commented out, if you do no require PHPMyAdmin Access
    Include "/app/code/apache/phpmyadmin.conf"

</VirtualHost>

# OIDCRedirectURI is a vanity URL that must point to a path protected by this module but must NOT point to any content
OIDCRedirectURI https://lampoidc.mydomain.com/secure/redirect_uri
OIDCCryptoPassphrase somethingsecret

OIDCProviderMetadataURL https://my.mydomain.com/.well-known/openid-configuration
OIDCClientID <clientId>
OIDCClientSecret <secret>

/app/data/public/.htaccess:

AuthType openid-connect
Require valid-user

---

Any ideas?

@girish, I am not sure how to merge the update from the master to the oidc-support branch.

would you be able to do that, so I can pull the branch again like I managed to do before?

@nebulon, so I finally got around to testing this:

authentication works (nice!) but the redirect url appends port 80 (https://lampoidc.mydomain.com:80/) which results in an ssl error (SSL_ERROR_RX_RECORD_TOO_LONG)

manualy removing the port then loads the page.

ai suggested adding this to the app.conf virtual host:

UseCanonicalName Off
UseCanonicalPhysicalPort Off

which did not help...

any ideas?

The latest update seems to have fixed it.

Patience is a virtue xD

@joseph, thanks for the info.

Asking as a git-amateur: would the automatic updates still work with custom packages?

We are trying out osTicket and have hit the issue where emails which are S/MIME-signed are not converted to tickets (empty).

Here is a solution from the community. Would it be possible to integrate this code into the Cloudron osTicket App?

https://github.com/osTicket/osTicket/issues/6806#issuecomment-2800854901

@nebulon any (easy) way I could beta test this?

@nebulon awesome, glad you like the idea! and thanks for working on it. I was surprised there was no "pre-built" solution for securing a website with a login - sounds like this could be it!

Please do not pre-provision the client data. My use case would be with keycloak, so users are able to login there and access a members only website, as well as further services.

I would like to have the possibility of users self registering - which is impossible with cloudron (atm).

is there no way to auto-provision it with the cloudron data, but allow admins to edit the config? That way it would work "out-of-the-box" but could still be used with other IAMs.

@girish, any updates on installing apache modules in the cloudron LAMP stack?

I would like to try https://github.com/OpenIDC/mod_auth_openidc in it

And Koel supports SSO, but only Google. So its pretty nuanced in some cases

And for Element the base version does not support it, but the enterprise license does. I'm not sure if it's possible to run that on Cloudron though

@Neiluj thanks, that helps for sure.

Although, NodeBB is SSO capable with a plugin. So it makes sense to double check apps listed as unsupported

Keycloak allows centralized user management across multiple apps via SSO, and self sign-up for new users.

There is currently no app filter in Cloudron for these SSO capabilities, so I thought I would start this list* (*work in progress):

• NodeBB OAuth2 with Plugin
• MediaWiki OAuth2 with Plugin
• Pretix See Docs
• NextCloud OAuth2 with Plugin
• RocketChat See Docs
• JellyFin With Plugin (Alpha)

@timconsidine

This could be a good alternative to SimpleLogin. They have a dockerfile available as well!

Not sure about the issue of it possibly clashing with the cloudron email service though

@timconsidine to specify: my goal is having the support system with projects/tickets directly integrated with the invoicing.

Then I don't have to switch between systems and manually copy/paste data from one to the other, and the customer has the option to login to one portal and see everything.