Use Cloudron Logins for host protected settings

Thanks to @MiroTalk in the latest version it works and the config is nearly perfect
Only issue is still one identified erlier that anonymous users can create room if they go to the specific URL

@MiroTalk said in Use Cloudron Logins for host protected settings:

@avatar1024 said in Use Cloudron Logins for host protected settings:

Otherwise, while guest cannot enter the app base domain without a login, they can still create rooms freely by creating a url: mirotalkappprefix.mydomain.com/join/roomname

@MiroTalk is that behaviour intended?

Not a behaviour intended! I'm considering a refinement where guests are only allowed to join specified rooms that have already been created by authenticated users. This approach might offer better control and security. Will be released in the next version.

I did the same but ticked Allow all users from this Cloudron
Thing is @jdaviescoates by default anyone can create/join a room. But I want to restrict room creation to logged in users and anyone can join with the link.
And when activating those parameters is when problems arise.

You are right I misread the Dockerfile, thanks for pointing this out!

Maybe it would it be easier to have an example of a config.js file in the documentation.
I guess I'm not the only one failing to configure it
Do I need to create an OpenID Connect Provider in my Cloudron user directory?

Yes I got that it's a wrapper but this wrapper is never used neither in the dockerfile or start.sh so I don't get when this merge is done

The reinstall doesn't change the content of this file.
And I don't see how it could be looking at the docker file but maybe I'm missing something

I keep having the same error when trying to create a room

Oops, Room not allowed
This room is not allowed for this user

My config.js file looks like this:

// All options at https://github.com/miroslavpejic85/mirotalksfu/blob/main/app/src/config.template.js

module.exports = {
    host: {
        /*
            Host Protection (default: false)
            To enhance host security, enable host protection - user auth and provide valid
            usernames and passwords in the users array.
        */
        protected: true,
        user_auth: false,
        users: [
            /*
            {
                username: 'username',
                password: 'password',
            },
            {
                username: 'username2',
                password: 'password2',
            },
            ...
            */
        ]
    },
    presenters: {
        /*
            By default, the presenter is identified as the first participant to join the room, distinguished by their username and UUID.
            Additional layers can be added to specify valid presenters and co-presenters by setting designated usernames.
        */
        list: [],
        join_first: true, // Set to true for traditional behavior, false to prioritize presenters
    }
};

And looking at the app repo here the config file should look quite different to be able to handle OIDC connection

It doesn't work but I think there is an issue in the config file generation as the template is not used

@girish Hmm it's only for the SFU was trying for the p2p app
Thanks a lot, so for the SFU I should just put protected: true in the config.js and it should work out of the box?

Ok I found the block to add in the env file :

OIDC_ENABLED=false # true or false
OIDC_ISSUER_BASE_URL='https://server.example.com'
OIDC_BASE_URL='http://localhost:3000' # https://p2p.mirotalk.com
OIDC_CLIENT_ID='ClientID'
OIDC_CLIENT_SECRET='ClientSecret'
OIDC_AUTH_REUIRED=false # set to true if authentication is required for all routes
SESSION_SECRET='mirotalk-p2p-oidc-secret'

But I don't know how to set those variables. I created a new client in cloudron OpenID Connect Provider but not sure of what the callback URL should be

I don't get the what the configuration should be to use the OIDC?

From what I understood putting in the env file

HOST_PROTECTED=true
authRequired=true

Should be enough to use my Cloudron accounts and allow guests to only join created rooms but my accounts aren't recognized I didn't find anything about OIDC/OpenID in the doc

@Lanhild Sorry missed your message.
I will see if I can do another test migration this afternoon (CEST) and take some more notes. But basically I wrote the steps below on a clean Mattermost PostgreSQL install:

• Dumped the DB with : pg_dump -d mattermost > mattermost.dump
• Renamed on cloudron config.json to config.json.orig
• Copied mattermost.dump and config.json to cloudron mattermost via the file manager
• Edited config.json with the value from config.json.orig (to get the PostgreSQL details)
  • "ServiceSettings" => "SiteURL"
  • "SqlSettings" => "DataSource" and "DataSourceReplicas"
  • "FileSettings" => "Directory"

• From the terminal app did PASSWORD=${CLOUDRON_POSTGRESQL_PASSWORD} pg_restore -h ${CLOUDRON_POSTGRESQL_HOST} -p ${CLOUDRON_POSTGRESQL_PORT} -U ${CLOUDRON_POSTGRESQL_USERNAME} -d ${CLOUDRON_POSTGRESQL_DATABASE} ../data/mattermost.dump

• Rsynced all my attachments from origin_server to cloudron_server:app_folder (cf girish post )
• Restarted the app

Wouldn't it be possible then to backup the folder containing the configuration+backups made by the influxdb tool and not backuping the live data? I didn't have a deep look at how the backup are done by cloudron so maybe it

It would be great to be able to have tools other than purely webapps (thinking of wireguard and for example)but I understand it is a big step and quite a lot of work

What's you take on this @girish ?
I know on some previous posts you were reluctant to package databases as app because of the backups
Does this argument still stand? Maybe it could be installed as an addon then instead, as I believe the backups are done differently?

Ok So it's perfectly working.

Steps done :

• Dumped the PostgreSQL DB and config.json file
• Uploaded them to the cloudron server
• Copied the files folder to the cloudron server
• Imported the dump with psql from the app terminal
• Changed the files ownership to cloudron in the file manager
• Edited in the config.json from the origin server to add the new files path from the cloudron config.json
  • "ServiceSettings" => "SiteURL"
  • "SqlSettings" => "DataSource" and "DataSourceReplicas"
  • "FileSettings" => "Directory"

Sometimes I do forget that Cloudron isn't a blackbox SaaS application and that I do have access to the server
Currently doing an rsync to the server will let you know when it's all done.
Thank you

I've mostly done it using the official mattermost documentation : https://docs.mattermost.com/onboard/migrating-to-mattermost.html#migrate-mattermost-from-one-server-to-another and https://docs.mattermost.com/deploy/backup-disaster-recovery.html#backup

Copied the config.json from the origin server and changer the SQL settings with the logins from the cloudron mattermost file.

Only issue I'm having is the importing of the local data to cloudron. I've around 20GB of data to be moved to the files folder but the upload crash when uploading the tar.gz file. Uploading the file uncompressed crash too after a while (couple of hours)

@girish Awesome, I will wait for your doc then see if I can validate it

Excellent! I will try to migrate an external mattermost with postgresql to Cloudron

@girish said in Mattermost v8.0+ and PostgreSQL:

And yet, there is no easy way on Mattermost side to switch databases.

I don't understand your remark as there is a whole page dedicated to the migration from MySQL to PostgreSQL : https://docs.mattermost.com/deploy/postgres-migration.html

I understand it is a decision which can be hard to take as it will make some users unhappy, but at some point you will have to make it because Mattermost is slowly but surely deprecating MySQL.

So the real question is not if you have to do the move or not but when you make it.
And IMHO the sooner the better :

• The more you wait, the more installations will be made on Cloudron using MySQL which will have to be migrated and therefore more users/customers will be impacted/annoyed
• People will move to something else than Cloudron for their install as PostgreSQL is required by more and more features.

When you self-host like this you can't use the add node feature or sign in button as those as netdata cloud only as @simon said.
But you can configure your nodes to stream their metrics to your master node and therefore have a centralized node with all your metrics. I'm using the v2 of the Web-UI and don't have any issue with it so far.
And what is not shown in simon screenshot (well it is the blurred part right under the sign-in button) is that you can have a more detailed view for each of your node too.

I don't say that netdata must be use for the monitoring of the Cloudron host (even if it kinda works by default) as I understand that you don't want app accessing the host (but the agent could be installed and stream to a master node/cloud if people want), but it is a great tool to have to monitor all the other servers of your infra and will be very nice to have on Cloudron.