allowlist.json in Bedrock Server?

@girish said in allowlist.json in Bedrock Server?:

@eganonoa I put some docs at https://docs.cloudron.io/apps/minecraft/#allowlist

Thank you very much!

Are we able to limit the Bedrock server only to white listed playees as we can in Java? I see that from the Docker guide whitelisting needs to be set as an environment variable. Has that been done? If so, where do we place the allowlist.json?

@potemkin_ai said in What's coming in 7.5:

@eganonoa thank you, that makes much sense.

A few questions/proposals if you wouldn't mind:

1. Are you blocking any other access to Cloudron except via Cloudflare? If so - is it a precautious or a mitigation against well understood problem? If the later - could you please, share your experience?

2. I guess it's more to @nebulon and @girish actually - can't nginx proxy TURN/STUN traffic as well, reducing the required ports and system requirements as well?

For 1. Cloudflare proxying, its WAF with quite restricted settings outside of our static IPs. Then various app-level things as necessary. Mostly a precaution as we know our systems (not Cloudron) have been directly targeted by some sophisticated actors in the past.

For 2. there's been a bit of discussion on this (both re access to turn and the difficulty with VOIP services not running on 443) over the last few years here. Also worth checking out discussions outside of Cloudron for things like Nexrcloud Talk, Jitsi Meet, BigBlueButton. Upshot is that one way or another (whether because you run behind a NAT or just have users win the corporate/academic/government spheres with restrictive firewall rules) you really want an external turn, something that listens directly on 443 and can direct traffic. Theoretically there are (apparently) ways around it, but it adds levels of complexity that are just unnecessary given how utterly trivial it is to run an external turn. If interested BigBlueButton have a script that will set you up without any issue (https://github.com/bigbluebutton/bbb-install#install-a-turn-server)

Ultimately, I think we have to recognize that trying to make Cloudron provide all services to all people at all times is unworkable. If it provides a fully functioning base system and then allows flexibility for those needing more "complex" systems, then it is doing its job perfectly. This Redis and Turn change - long requested - is exactly that kind of solution.

@girish said in What's coming in 7.5:

@eganonoa synapse update is now pushed and has optional turn.

Really wonderful. Thank you. Now restarting matrix does not overwrite that section of homeserver.yaml, with the added bonus that if you ever want to revert to the in-built turn you just "flip a switch" as it were and the settings revert to default. That's a very nice implementation.

@potemkin_ai said in What's coming in 7.5:

@eganonoa just for my information - why are you looking for external TURN servers for Synapse/Matrix and NextCloud? What are the benefits?

A couple of reasons that make calls requiring a turn server not function well.

• We run our services behind Cloudflare, and turn servers don't work well (or at all) via reverse proxies like that as the server cannot accurately direct traffic to the correct IP addresses.
• Even if we didn't use Cloudflare proxying, we have many calls with people in academic and government environments with policies limiting what ports they can connect to, usually only allowing 443. Because Cloudron monopolizes that port its turn server has to run on a different port, so those people cannot use the Cloudron turn server even if we turned off Cloudflare proxying (which we don't want to do).

As a result, the ability to use an external turn server with Cloudron is critical and a very welcome development.

Thanks @girish and @nebulon. If you need to prioritize, for the turn server the one that is simply impossible to add an external turnserver is matrix/element as it requires a restart to apply changes, which then of course leads to those changes being overwritten. I believe the others don't have that limitation, but at the same time, Nextcloud would probably have the quickest positive benefit as it is quite trivial to add the external turn server via the Nextcloud admin panel.

@girish said in What's coming in 7.5:

@girish said in What's coming in 7.5:

Add optional flag for turn addon.

This is implemented now - redis and turn can be optional (depending on the app).

Hi @girish, I just upgraded to 7.5.1 to test out the new turn and redis options, but I cannot see the services option in relevant apps (wordpress, nextcould, jitsi). Was this option held back?

@girish said in What's coming in 7.5:

@girish said in What's coming in 7.5:

Add optional flag for turn addon.

This is implemented now - redis and turn can be optional (depending on the app).

The turn option is huge, thank you! I cannot wait to implement it. Is it in the 7.5.0 pre-release?

@girish Works perfectly. Thank you!

@jheiser said in Bedrock update:

Thank you so much! Your support is realy great!

I am getting "outdated client" errors with this new version on version 1.20 android clients. Are you getting that also?

@andreasdueren @girish confirmed a couple days ago that this was coming in 7.4. It was originally scheduled for 7.3, but didn't make it. I hope it does as it's pretty critical for anyone wanting to use a turnserver in academic or corporate contexts.

@girish nice! I didn't pick that up. Thank you.

@girish Is configurable turn off the table?

@girish Have you had any luck with configurable turn? Anything others can do to help?

@anschein Yep. Unfortunately I've never found a solution with matrix as the cloudron matrix overwrites turn on restart. Apparently the external turn option is coming in Cloudron 7.3.

@timconsidine said in Is there any real alternative to Google Docs / Office 365 out there?:

Collaboration for me is working together on a document at more or less the same time. The number of times I have seen this actually happen in business is minimal.

100% agree. This is exactly what i take collaboration to mean and it is truly a rare thing, not often needed at all.

@chetbaker said in Is there any real alternative to Google Docs / Office 365 out there?:

My use case scenario disagrees with that vision.
I'm working with a company that is really committed with digital security and self hosted solutions. They uses a private company for hosting email and calendar (that works just good!),

Just to say, my use case is exactly this above. My organization is among the most digitally-threatened organizations out there, with adversaries that include the largest and most sophisticated state actors out there (think China, Russia, but include those and expand your scope much further than that). We are known to be heavily targeted and surveilled, while also having a mission that ultimately requires us to lean as close as possible to digital sovereignty.

And the reality is that, if you are an organization like this, the very last thing you should be doing is engaging in collaborative editing. The ability for document shares to be open and accessed in the sharing process is simply too great, just as are the chances of leaving open shares for far longer than they should be. The whole live collaboration thing is a security nightmare and the big, consumer companies like Google aren't much good for this because convenience trumps good practice every day.

In terms of what you are saying you are looking for: "The way it works is you just collaborate in a place where you can keep track of changes, you can export in a certain way, it's stored somewhere for offline editing and that is advanced enough for including stuff as footnotes and comments." What I would say about this is three fold:

1. If you really are concerned about digital security, you would not want to keep a historical record anywhere of who said what, when. Comments and tracked changes are quite dangerous from a personal or business liability perspective.

2. To this day, there has never been a more robust solution than document comparison software (in-built or otherwise). Running proper blacklines/redlines on documents and edits, while sharing complete documents is significantly more robust.. So if this is all you want, the question should really only be about versioning, group shares, and secure ways of transmission of documents not in group shares.

3. Live collaboration is really an edge case and is not something that needs anything like a complete editing system with footnotes, etc. Etherpad does the live editing job as well as you could want (albeit with some big caveats regarding security if sharing outside of your own restricted circle).

@chetbaker I think there are plenty of alternatives, but not a single all-in-one suite.

Etherpad, for instance, is in my mind as good as it gets for collaborative document editing. I say that because it is fast and light. And because I think the idea of people collaborating over a document's format (i.e. the final document) is just silly. People should be collaborating over content and then sending the final document to someone to produce the published/finished version.

Collabora is becoming really great (but, again, I really do not believe you need a full-featured suite for collaborative work).

Nextcloud, for instance, does group folders and file sharing much better than either Google or Office 365, which have always ended in a mess. I also think Nextcloud has by far the superior administrative options, especially for a smaller organization needing something simple.

Slack and/or Element are significantly better chat clients than either Google or MS offers.

Similarly, Jitsi, BigBlueButton and Zoom each do group calling better than what Google and MS offer. And Nextcloud talk is, I think, the very best for one-to-one calls.

There are loads of Kanban services out there that provide excellent team management services. Nextcloud Deck is pretty OK in this regard.

Google provides the gold standard in calendaring and email. Nextcloud's calendar is pretty good, but not nearly as good. Outlook is alright, but Gmail and Google Calendar are still the best.

etc, etc, etc.

The fallacy, I think, is that you need one single cloud service to provide everything. I'd rather specialist services, with something capable of tying things together. Nextcloud does a pretty good job of that. You can piece a lot of stuff together in one place, inc. element, jitsi, bigbluebutton, etherpad, though the mail client is seriously lacking. Element is also quite good at bringing various things together.

But, the one thing that I think gets missed in all of this is the desktop! This is still the place, and the OS itself, to bring everything together in one place. And if you look at it like that, the whole idea of one cloud portal that tries to do it all (whether Google, MS, Zoho, Nextcloud, or whatever) seems ultimately a silly idea: both unobtainable and not sufficiently flexible or specialized enough.

@jdaviescoates said in Jitsi session recording:

To be clear, you record using BBB, and then record the mixed together BBB playback using OBS?

Exactly. Takes additional time, of course. But gives you complete control over what you are posting online. It allows you to manipulate the BBB recording session in playback to emphasise the things that you want emphasised. Ensures that you can cut out anything that a participant wouldn't have wanted posted. And, I think most importantly, gives you a period of pause and reflection to think about whether actually the thing you are posting should be posted at all.

@jdaviescoates Cool. Yeah definitely re the neat mp4 and then upload, though for that we just use OBS to record the recording on playback, and then upload. A good process also because simply uploading a recording is difficult in terms of wanting to make sure that things that get posted are curated a little before they go up.