Papermerge - Scan & OCR

I have begun to package this today. Hope to have something for comment in the next few days.

cc: @marcusquinn

Hey all, I just obtained my LLC status for The Doodle Project! If you're looking for assistance in Cloudron help or are interested in some of my services I offer, <insert shameless plug here>. Delighted to be working with several of you on hosting Nextcloud Talk High Performance Backend, Big Blue Button (both of those offered in both US and EU), as well as a bunch of other shiny fun things. Holler if you need anything!

Of course, if you have questions about the LLC'ness, happy to answer any time. Especially important if you're considering setting up shop in the US with a Mastodon (or similar) instance to provide coverage for the ugliness out there. Have also been thinking about offering a service to help customers host their own instances of that underneath my 'umbrella' - let me know if interested.

This app is now up and functional. Please test! I'll submit to the appstore for WIP in a day or so after some more cleanup and testing.

https://git.cloudron.io/doodlemania2/paperless-ng/

Note: inbound mail is enabled, but you have to configure it yourself in paperless config. I haven't tested that yet and from the looks of the repo, there are lots of issues with mail at the moment, so we may ship unstable without inbound mail.

cc: @girish

I ran some traps on this thread posted by a law group that had set up their own instance. Also @girish echo'ed the DCMA business in another thread. Thought I'd share:

"Do Future You a huge favor, mitigate your potential liability, and register with the copyright office and designate an agent to receive DMCA reports right now. https://copyright.gov/dmca-directory/

It costs $6 a year. Use a forwarding phone # and a PO Box or other address you check frequently, not your home address: it will be public. Without this registration, you WILL be held liable for any copyright violation on your instance.

I also strongly recommend that if you run an instance, incorporate as a LLC and -- this is the critical part -- take out an umbrella liability insurance policy with coverage of at least $2m per incident and covers attorney costs and fees.
(If you have homeowners or renters' insurance, and you should, this should be a very cheap rider on the policy. 99% of the time it will be unnecessary and the other 1% it will save your ass completely.)

I am somehow not surprised that only two Mastodon instances have registered designated agents and one of them is the Lawprofs instance.

<tweak by Derek>Also: "I found someone on my instance posting CSAM" is not the time to have to learn the reporting process for that vileness. Learn and report ASAP via NCMEC in case of CSAM posted to your service. Legally mandated.</tweak by Derek>

But yeah, for copyright, feel free to steal our DMCA policy, it's CC-BY-SA. (Note that we willingly accept a level of potential risk around repeat offender account termination that may be outside your risk tolerance.) https://dreamwidth.org/legal/dmca

Our ToS and privacy policy are also CC, and you're welcome to use them, but they should be more customized for your individual situation than just "take this and change it to your contact info".

The relevant section of copyright law is 17 USC §512 and you can read it here: https://law.cornell.edu/uscode/text/17/512 You are protected from liability for your users' copyright violations, but ONLY if you follow this process, and the process includes registering a designated agent.

I can't give you legal advice and none of this is intended as such, but if you're absolutely at sea and have never heard of any of this before, I can try to answer general questions.

I have posted the "guide to familiarize you with various legal obligations involved in hosting a server that accepts user-generated content such as a Mastodon instance"! It's here: https://denise.dreamwidth.org/91757.html

Original thread: https://twitter.com/rahaeli/status/1593819064161665024 Tweaked by me for clarity.

Net - if you're running an instance that's open - be aware. If you're running a closed or single user instance, still not a terrible idea. I'm going to be doing it myself for my single user instance because I also run an open relay to help folks out.

@robi Here's the recording yall if you like:
https://video.apps.thedoodleproject.net/videos/watch/e7125134-fca9-4c0a-9d29-69cf19eb2464

The encoding was a bit off between audio and video. Not sure what that was about.

As for tech used to produce this glorious (haha) event - writing up a blog entry on that today/tomorrow and will publish if anyone was curious.

Goodnight all - and go paperlessng!

Loki is a horizontally-scalable, highly-available, multi-tenant log aggregation system inspired by Prometheus. It is designed to be very cost effective and easy to operate. It does not index the contents of the logs, but rather a set of labels for each log stream.

https://grafana.com/oss/loki/
https://github.com/grafana/loki

Initial functional version located here for comment: https://git.cloudron.io/doodlemania2/loki

@doodlemania2 If anyone is still interested, I'm game to doing another event. Maybe only loosely related to app packaging, maybe we do an educational series or something about how to use the CR.

As an aside, you are all now welcome to use my BBB/Greenlight I have up and running!

@doodlemania2 I've got this thing to a heartbeat status but it has lots of dependencies flying around - trying another approach to packaging to squash em. Will advise on first checkin.

this is ready for testing - please send me a DM if you'd like to try it out!

@sam_uk I'm going to try next week when things at work calm down a bit.

I have a Nextcloud Talk High Performance Backend and BBB (for your Greenlight app) available for your use.

If you'd like to use it, I'm offering it for free*. Just DM me for details.

*I will likely start charging in the not terribly distant future, but am open to understanding:

1. Does anyone think this is useful?
2. What would you be willing to pay?

I'm thinking $1-2 US / mo for up to 10 users. Eh? Really the only expense is bandwidth and just a hair of admin overhead. Would welcome your thoughts. Not in it to make $$$, just cover costs.

@doodlemania2 If anyone is interested - I know some of you weren't keen on my original service cause it was US based (Latency being the top questions).

So, happy to announce I'm now up and running in Frankfurt, so if you'd like to leverage either of those tools (or anything else I offer hosting for), let me know. See www.thedoodleproject.com for details if you are curious.

Before I go thinking too much about this, wanted to see if there was a simple way baked in to take, say, paperless-ng which I was running as custom app and swap to the new store version without a full port/reinstall?

Thinking like cloudron upgrade --image..."cloudron's image url"?

@doodlemania2 Here's my blog on packaging, love of cloudron, and how I set up my broadcast. https://www.derekmartin.org/my-favorite-way-to-host/

https://github.com/StreisandEffect/streisand implements an outstanding VPN (more than just OpenVPN) solution for dummies to use. Full Ansible scripts available to construct VMs.
Other features include:
L2TP/IPsec using Libreswan and xl2tpd
A randomly chosen pre-shared key and password are generated.
Windows, macOS, Android, and iOS users can all connect using the native VPN support that is built into each operating system without installing any additional software.
Monit
Monitors process health and automatically restarts services in the unlikely event that they crash or become unresponsive.
OpenSSH
Windows and Android SSH tunnels are also supported, and a copy of the keypair is exported in the .ppk format that PuTTY requires.
Tinyproxy is installed and bound to localhost. It can be accessed over an SSH tunnel by programs that do not natively support SOCKS and that require an HTTP proxy, such as Twitter for Android.
An unprivileged forwarding user and SSH keypair are generated for sshuttle and SOCKS capabilities.
OpenConnect / Cisco AnyConnect
OpenConnect (ocserv) is an extremely high-performance and lightweight VPN server that also features full compatibility with the official Cisco AnyConnect clients.
The protocol is built on top of standards like HTTP, TLS, and DTLS, and it's one of the most popular and widely used VPN technologies among large multi-national corporations.
This means that in addition to its ease-of-use and speed, OpenConnect is also highly resistant to censorship and is almost never blocked.
OpenVPN
Self-contained "unified" .ovpn profiles are generated for easy client configuration using only a single file.
Both TCP and UDP connections are supported.
Client DNS resolution is handled via Dnsmasq to prevent DNS leaks.
TLS Authentication is enabled which helps protect against active probing attacks. Traffic that does not have the proper HMAC is simply dropped.
Shadowsocks
The high-performance libev variant is installed. This version is capable of handling thousands of simultaneous connections.
A QR code is generated that can be used to automatically configure the Android and iOS clients by simply taking a picture. You can tag '8.8.8.8' on that concrete wall, or you can glue the Shadowsocks instructions and some QR codes to it instead!
AEAD support is enabled using ChaCha20 and Poly1305 for enhanced security and improved GFW evasion.
The simple-obfs plugin is installed to provide robust traffic evasion on hostile networks (especially those implementing quality of service (QOS) throttling).
sslh
Sslh is a protocol demultiplexer that allows Nginx, OpenSSH, and OpenVPN to share port 443. This provides an alternative connection option and means that you can still route traffic via OpenSSH and OpenVPN even if you are on a restrictive network that blocks all access to non-HTTP ports.
Stunnel
Listens for and wraps OpenVPN connections. This makes them look like standard SSL traffic and allows OpenVPN clients to successfully establish tunnels even in the presence of Deep Packet Inspection.
Unified profiles for stunnel-wrapped OpenVPN connections are generated alongside the direct connection profiles. Detailed instructions are also generated.
The stunnel certificate and key are exported in PKCS #12 format so they are compatible with other SSL tunneling applications. Notably, this enables OpenVPN for Android to tunnel its traffic through SSLDroid. OpenVPN in China on a mobile device? Yes!
Tor
A bridge relay is set up with a random nickname.
Obfsproxy is installed and configured with support for the obfs4 pluggable transport.
A BridgeQR code is generated that can be used to automatically configure Orbot for Android.
UFW
Firewall rules are configured for every service, and any traffic that is sent to an unauthorized port will be blocked.
unattended-upgrades
Your Streisand server is configured to automatically install new security updates.
WireGuard
Linux users can take advantage of this next-gen, simple, kernel-based, state-of-the-art VPN that also happens to be ridiculously fast and uses modern cryptographic principles that all other highspeed VPN solutions lack.

btw - that worked like a champ - was afraid the package version or backup version or something would throw it off, but it worked perfectly.

then uninstalled old app and changed the location. like nothing ever happened!

All - I have begun packaging this based on instructions found here as well as basing it off of PHP Lamp. It's still VERY rough (IE, doesn't fully build yet), but would appreciate some eyes on it.

https://git.cloudron.io/doodlemania2/pixelfed

Currently, I'm trying to decide whether the initial setup goes in Dockerfile (would think so) or in start.sh in the uninitialized section. It's been a VERY long while since I attempted to package something, so am more than a little rusty

Also, my run.sh is doing an artisan migrate force on each run - thinking that is a good thing cause run wouldn't know if the container updated, but maybe there's another pattern somewhere that is better.

cc: @girish

@bubonicfred I am starting to package this fork since I am stuck on Papermerge. Hopefully this one will be a bit more cooperative. Will post link when I get something resembling functional.

@doodlemania2 My initial commit is here: https://git.cloudron.io/doodlemania2/paperless-ng

THIS DOES NOT YET WORK

But - I need to do these things and I think it's done:

1. sed in the environment variables to the config
2. create the start.sh (with #1 above)
3. setup the three services in systemd

I've done all of the above previously, I just am short on time, so, if anyone can give me an assist, would greatly appreciate it! If not, will continue just as quick as I can.

@doodlemania2 Latest checking (simple one tonight) - I switched from supervisor to the build in gunicorn runner and was able to create a username/password and log in! Woot

Now, it's throwing errors about attempt to write to a read only database, so I suspect the auth mechanism is doing something in /app/code that I'll need to symlink.
After that is:
Get the supervisors to work (some weird ini file error)
Test the app
Cleanup
Final commit before handing it off for cloudron test dev in case anyone wants to see it in the app store.