For those that would be interested. I have just created a live stream on Youtube for Sunday 21.06. 14:00 (CET). During that stream I want to show a bit how to make a Cloudron app and will use Matterbridge as the example for it.
I would timebox the whole stream to a max of two hours, lets see how far I'll get in that time, maybe I won't even need that much time.
There will be an unedited recording of the stream later on.
You can follow the stream at https://www.youtube.com/watch?v=RKcH2yJiLUo
Hello everyone. See you on half an hour at https://youtu.be/RKcH2yJiLUo!
While native support for OAuth has recently been removed from Cloudron users can still utilise OAuth 2 and OpenID Connect (oidc) to authorize users thanks to the built in OpenID Provider of the Kopano Meet app.
Under the hood Kopano Meet uses OpenID Connect to sign users into the application and this functionality is provided through Kopano Konnect, which is bundled inside of the app and pre-configured to allow Cloudron users to login. This article will show how to extend the configuration of Kopano Konnect to allow other apps to make use of OpenID Connect.
Requirements:
Nextcloud only serves as an example most users will probably already be familiar with, any other app allowing login through oidc can be configured in a similar way.
In the below configuration snippets I am going to use the domain meet.9wd.eu for my Kopano Meet installation and cloud.9wd.eu for my Nextcloud installation. Make sure to use your actual domain names during the configuration.
To modify the configuration of Konnect you need to login at your Cloudron dashboard (which is usually available at https://my.your-comain.com) and open the terminal view of the Meet app (Look for "Console Access" in the settings of Meet). Here you need to open /app/data/konnectd-identifier-registration.yaml in an editor and add the following text to the end of the file:
- id: cloud.9wd.eu
application_type: web
name: Nextcloud Cloudron
trusted: true
redirect_uris:
- https://cloud.9wd.eu/index.php/apps/sociallogin/custom_oidc/CloudronMeet
Important: the redirect url must match the "internal name" specified during the social login configuration later on
After the file has been modified restart Konnect by running supervisorctl restart kopano-konnectd (alternatively the whole meet app could be restarted, but this is faster).
The rest of the configuration is done inside of Nextcloud.
To configure Nextcloud for oidc you first need to login with an admin level user and install the "social login" app inside of Nextcloud. After the app has been installed you have go into its settings (which are located at https://cloud.9wd.eu/settings/admin/sociallogin) to configure it.
I recommend to have the following general configuration settings set in the app:
This will mean that new users will first need to login through the "traditional" Nextcloud login and then from within their user settings link their oidc login to Nextcloud. This will be further explained once oidc is generally setup in Nextcloud.
Further down in the settings add your own "custom OpenID Connect" provider. You need to fill in the following values:
redirect_uris in konnectd-identifier-registration.yamlhttps://meet.9wd.eu/.well-known/openid-configurationOnce this is setup log out with your admin user account and you will see another login button on the Nextcloud login page titled "Kopano Konnect (Cloudron)".
Before the user can use oidc to log into Nextcloud, he need to link his existing Cloudron user to it. For this log into Nextcloud like you have done in the past and afterwards go into the settings of the user. Here you will now find an option called "social login" (the url will be similar to https://cloud.9wd.eu/settings/user/sociallogin).
Users need to manually connect their existing Nextcloud account with the oidc identity.
At this menu item you will find a section called "Available providers" with a button underneath that will read "Kopano Konnect (Cloudron)". Click this button once to link your Nextcloud account to your new OpenID identity. In case you have previously not been logged into Meet you will be asked for your credentials for this (which are your normal Cloudron credentials).
Once your Nextcloud account has been linked you can easily switch between Nextcloud and Kopano Meet without having to login again.
This article has also been published on my blog.
Hi everyone,
in the past weeks I have been working with the Cloudron team to make Kopano Meet available as an app for Cloudron.
Meet is a modern video conferencing app that is designed as a so called Progressive Web App (PWA) which means that you can add it as an app to your phone/tablet/desktop directly from within Meet and without relying on external app stores. Functionality wise Meet provides 1 to 1 and group video calls as well as screensharing. We are utilising a library called "Glue" which facilitates easy integration into other applications, internal proof of concepts with this have already been done with Matrix and ownClouds new Phoenix UI (based on customer projects).
The app has been released to unstable last week and can be found at https://cloudron.io/store/com.kopano.meet.cloudronapp.html.
Looking forward to your feedback!
Hi,
I'm thinking about creating a Cloudron app that uses fetchmail to fetch external mailboxes and deliver their mails to local accounts. Depending if I find a good example for a config ui this would then be configurable either from a small web ui or by simply editing the fetchmailrc file from the console.
Anyone else interested?
@d19dotca said in Cachet - status page system:
I think the more common ones to Cachet is StatPing, ..
I played around with statping today. What intrigues me about it (apart from it being written in golang) is the ability to use custom webhooks and even own scripts for notifications.
App is located at https://git.cloudron.io/fbartels/statping-app/, but surely can use some more polish. But it is generally in an "it works" state.
@JOduMonT I already answered you via chat message, but for the sake of somebody else stumbling over this.
The app generates a random password at first startup. The password can be read out from /app/data/.env. From your local system you could simply run cloudron exec grep ADMIN_PASSWORD= .env.
I have just now also added a simple readme with this information.
Hi @will,
SAML is basically "old tech". It's XML based and requires clients to generate keys through openssl which makes it in my experience both complex and difficult to set up for novice admins and also implement for developers. Apart from that SAML only works for browser based workflows.
Like I said before the one thing SAML has going for it is that its already well supported in enterprise applications. But I recently had a chat with someone involved in quite some university and government projects on the infrastructure side and he told me that he sees a trend to favour oidc over SAML recently.
An article with a comparison can be found at https://spin.atomicobject.com/2016/05/30/openid-oauth-saml/
PS: with Kopano Meet there is actually already an OpenID Connect provider present on Cloudron as all authentication is done through OIDC in it. What we use there is Go and React, but I am confident that there is code to be reused for Node as well.
basic prototype now lives in https://git.cloudron.io/fbartels/bitwardenrs-app
cannot build it at the moment, though. since its stuck at
$ cloudron build
Building com.github.bitwardenrs@0.1.0
Build scheduled with id 9fcf31f1-04f9-445e-b687-79b2f7d54659
Waiting for build to begin, this may take a bit...
@girish is the backend maybe hanging?
edit: by now the build has finished
For those that would be interested as well. I have just created a live stream on Youtube for tomorrow 14:00 (CET). During that stream I want to show a bit how to make a Cloudron app and will use Matterbridge as the example for it.
I would timebox the whole stream to a max of two hours, lets see how far I'll get in that time, maybe I won't even need that much time.
There will be an unedited recording of the stream later on.
You can follow the stream at https://www.youtube.com/watch?v=RKcH2yJiLUo
Hi @marcuswquinn,
not speaking for the developers, but I am afraid that using Kubernetes as the base would be a whole different thing than what Cloudron does at the moment.
Cloudron is currently interacting with containers through the local docker socket, if looking for scalability the easier choice would be to use something like Swarm as the next best step. (I think @girish mentioned looking into it a while ago even).
Or something custom to bridge communication with existing installations (which seems something to be coming with the next release).
Hi @atrilahiji,
I've got Drone running on my Cloudron (coupled with Gitea on Cloudron as well). PM me for details.
Hi @JaceBarnett,
yes I think that matches the statements made on the forum in the past. A subscription is always "bound" to the server its running on. When migrating it will move, but it cannot be active on more than one server at the same time.
@murgero its a bit of a mixture between a status page (to communicate planned downtime and current availability) and a simple monitoring solution.
@ultraviolet I managed to get ldap login working. In the end I needed to change the lookup attribute (it weird that you can configure a search filter for groups, but not for users).
Change is in https://github.com/euanmcgregor/vault-cloudron/pull/4
Edit: OIDC login is not yet working btw.
@girish ah, yes of course. You need to set the capability on the binary to make use of it (as non root).
@ultraviolet do you have ldap working already?
You had the ldap script missing (not added with git add) so I tried my own, but even after config has completed I cannot login and only get Authentication failed: ldap operation failed: unable to retrieve user bind DN
@ultraviolet yes, that is the workaround I am using at the moment as well.
@ultraviolet I think I got a littler closer to a working state. Currently restarting since my Cloudron wanted a reboot after the last update.
https://github.com/euanmcgregor/vault-cloudron/pull/1
edit: hmm, no. this is what is logged:
Jun 29 20:54:05 2020-06-29 18:54:05,044 INFO spawned: 'vault' with pid 12
Jun 29 20:54:05 Error initializing core: Failed to lock memory: cannot allocate memory
Jun 29 20:54:05
Jun 29 20:54:05 This usually means that the mlock syscall is not available.
Jun 29 20:54:05 Vault uses mlock to prevent memory from being swapped to
Jun 29 20:54:05 disk. This requires root privileges as well as a machine
Jun 29 20:54:05 that supports mlock. Please enable mlock on your system or
Jun 29 20:54:05 disable Vault from using it. To disable Vault from using it,
Jun 29 20:54:05 set the `disable_mlock` configuration option in your configuration
Jun 29 20:54:05 file.
Jun 29 20:54:05 2020-06-29 18:54:05,115 INFO exited: vault (exit status 1; not expected)
Jun 29 20:54:06 2020-06-29 18:54:06,118 INFO spawned: 'vault' with pid 23
@ultraviolet hm.. the configure shows that ssh support should be enabled, though. But I must say that I am already at a loss at creating connections inside of guacamole.
Thanks for the praise on the stream.