RE: Major bunch of issues related to technical transition out of DigitalOcean

thanks for proving my point that one cannot have a discussion with you

Maybe this is helpful to you:

• https://about.gitlab.com/what-is-gitlab/
• https://en.wikipedia.org/wiki/GitLab
• https://usersnap.com/blog/gitlab-github/

Issue about this in the Nextcloud app integration: https://github.com/ONLYOFFICE/onlyoffice-nextcloud/issues/421

This looks like it should be possible with OnlyOffice 7.1.0 onwards. Cloudron seems to be using 6.3.1. correction: the 7.1.0 seems to refer to the version of the Nextcloud app integration, not the version of the onyoffice software itself.

@wexlerj said in Major bunch of issues related to technical transition out of DigitalOcean:

Of course I could burn the latest version of Ubuntu and reinstall it - but I have sensitive data on my current machine and want to avoid this if possible.

Another reason why this would have been a bad idea is that Cloudron is designed to be installed on a freshly installed system and take over full control of the machine. When you say its a laptop, then this could imply that you already (apart from that "sensitive data") also a desktop environment and other applications already installed on the system. All these are very likely to collide with future operation of said system as a Cloudron host.

Another critical question if I may. Is this now your fifth or sixth account on this forum or did I miss some in between? Why are you constantly deleting your user account whenever you shift your focus to something else and why is it always some variation of your name when coming back?

@potemkin_ai said in update domain names with the cli (yet another topic):

Is there something I'm missing with passing token as a header?

It needs to be -H "authorization: Bearer $TOKEN".

@nebulon "after every successful login" may be an unlucky way to say it. But something like a "broadcast message", a "message box just above the app list", simply a way to inform the users about, for example planned downtime, without relying on email. That would be great.

@timconsidine on the topic of oidc. There is a fully featured oidc provider within the Kopano Meet app. For internal use I have even separated the oidc provider into a separate app.

I did write down how to configure external apps on cloudron against it in https://blog.9wd.eu/posts/cloudron-oidc-nextcloud/

@potemkin_ai said in update domain names with the cli (yet another topic):

I need to make it in command line (cli).

Like I said, if its part of the web ui, then you can easily trigger it from the cli with curl. Just checked it myself and this is the request that gets sent (from the network console and then selected "copy as curl"):

curl 'https://my.cloud.ron/api/v1/cloudron/renew_certs' \
  -H 'authority: my.cloud.ron' \
  -H 'sec-ch-ua: "Google Chrome";v="93", " Not;A Brand";v="99", "Chromium";v="93"' \
  -H 'dnt: 1' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'authorization: Bearer my-token' \
  -H 'content-type: application/json;charset=UTF-8' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/93.0.4577.63 Safari/537.36' \
  -H 'sec-ch-ua-platform: "macOS"' \
  -H 'origin: https://my.cloud.ron' \
  -H 'sec-fetch-site: same-origin' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-dest: empty' \
  -H 'referer: my.cloud.ron' \
  -H 'accept-language: en,de-DE;q=0.9,de;q=0.8,en-US;q=0.7,nl-NL;q=0.6,nl;q=0.5,zh-TW;q=0.4,zh;q=0.3' \
  --data-raw '{}' \
  --compressed

(in the above example there are parts that can easily be removed)

Hi @potemkin_ai,

generally I think it would be a better solution to use a dns provider that supports dns validation.

@potemkin_ai said in update domain names with the cli (yet another topic):

I understand I can do it GUI

Is that a typo? If its possible to do this in the gui then you just need to check which requests/commands it sends to the server when doing so. This is how I sniffed the requests I needed to make to trigger a full box backup and poll for its completion.

The api is also described at https://docs.cloudron.io/api.html

Hi @timconsidine,

here that links works just fine. Could it be that you have an overzealous ad blocker installed in your browser?

Not sure if it was already mentioned here, but there is https://github.com/mitchellurgero/cloudron-ldap-proxy by @murgero. It's downside is however that the connection is not encrypted.

A potential improvement over this would be to have a small app, that generates a custom ssl ca and serves its root cert over a small webserver. Then you use the same ca to provide a certificate to stunnel, which simply passes through the otherwise internal Cloudron ldap.

Then at least the communication would be secured, but it may still be an idea to limit who can actually reach that port through your firewall.

As a custom build this is quite easily doable, as an official app its probably too special.

A new version has been released with a bunch of nice new features. More information are at https://vikunja.io/blog/2021/09/whats-new-in-vikunja-0.18.0/

I have already opened a pr to bring the latest versions to the Cloudron app:
https://git.cloudron.io/cloudron/vikunja-app/-/merge_requests/7

@timconsidine said in Moving Cloudron to new server : stop apps?:

that I didn't set the PTR record in the new VPS provider until I started the migration

I ran into exactly this problem the last time as well

was about to post about this here as well.

The community edition LDAP feature will allow workspaces to connect to an LDAP server and sync user names and identifiers, but additional capabilities such as syncing extended user attributes, managing group & team assignments and background synchronization will require an enterprise license. Here’s a full description of the feature set available with each edition and an FAQ.

Edit: the biggest limitation seems to be that you can no longer filter which users are supposed to be able to login. A strange (but probably investor driven) decision.

I have a few articles on Cloudron on my blog, you can find the list at https://blog.9wd.eu/tags/cloudron/

@timconsidine said in Moving Cloudron to new server : stop apps?:

is it best(better) practice to stop all apps before taking a backup ?

Stopping the app actually counterproductive, since stopped apps are not part of the whole system backup. Therefore it cannot be recommended.

I recently also had to move my Cloudron instance to a newer (bigger and latest supported os) server and was tinkering with scripts to smoothen out the already very good migration experience. What I ended up doing was writing a small bash script to kick off the backup, poll its state until complete and directly turn off the old server and send me a notification about it.

I have collected my steps at https://blog.9wd.eu/posts/cloudron-migration/

As far as I know there is no tool called:

@vprasad84 said in Migrating Google Calendar & Contacts to WebDAV (CalDAV & CardDAV):

cloudron-davsync

There is also no app on cloudron for icewarp.

Cloudron is a like a control panel form your server to install, update and backup pre defined apps.

Edit: such a tool actually exists: https://www.npmjs.com/package/cloudron-davsync?activeTab=readme

@nebulon no problem at all. The topic itself is quite large so individual bits are easy to miss.

A script could be a nice idea as most users will probably not be comfortable with doing sql updates manually. But such a script can probably turn into something complicated quite easily. The flow that immediately comes to mind would be doing in ldap server on the ldap backend and comparing it with the users that Cloudron already knows. Followed by the possibility to switch auth for any users that are primarily managed on Cloudron, but exist on the ldap side as well. Probably easier to do it in javascript than it would be in e.g. bash.

I have played with this scenario a while ago and came to the conclusion that as long as the usernames are the same only a single value in the Cloudron database needs to be updated. I documented this at https://forum.cloudron.io/topic/2189/ldap-ad-server/49?_=1630386173323

@infogulch said in Nice ideas for reducing container size:

but there's no reason for that final image to not be based on cloudron/base.

That is exactly how I see it as well. Since it's shared it does not matter that much that it's quite big itself.

One should however check why that bitwarden image is so big. That seems pretty excessive.

I've run into this recently as well. While setting the records manually would work, automating this (particularly with Cloudflare) would be wonderful.

FYI: This project cannot really be compared to Teamviewer/Anydesk. This project is a simple screensharing tool, you cannot interact with a shared screen and you share the screen through the means of a url. In the end this is similar to the screensharing ability of webmeeting tools.

Hi @martinkbs,

this sounds like something that is better suited for the invoice ninja developers directly. https://forum.invoiceninja.com/

@doodlemania2 said in Apple/iPhones not secure anymore:

use their AI models locally on the iDevice

Which would make a lot of sense. Modern devices have more than enough power. But the end result is the same, you cannot trust the encryption anymore. when the ai detects something, this needs to be reported somewhere and verified, hence any potential match is sent somewhere out of your control.

Think of all the doomsday scenarios you can derive from a private company playing police.

In recent news: https://joonas.fi/2021/08/saml-is-insecure-by-design/

Hi @jordanurbs,

the viability of snapshots for backup has for example been discussed in https://forum.cloudron.io/topic/4161/disc-snapshots?_=1628139201934.

Just to have it said. You could probably also host your "landing page" within Cloudron itself. Depending how that page is built you could for example host it as a static page in "surfer".

@breixopd said in Landing page not working:

my.jessiscute.xyz is set to the IP of the server running cloudron but jessiscute.xyz is set to my other host

Since your landing page is not hosted on Cloudron, its highly unlikely that it is broken "because you installed Cloudron". Maybe the hosting provider has some issues?

@privsec said in Can not uninstall Nextcloud:

I am not sure where to run those commands

These are to be run directly on the Cloudron host via for example ssh.

@roru2k20 you could have a look how its done in the builder app. its source code is available at https://git.cloudron.io/cloudron/cloudron-build-service

This uses the docker capability of exposing the local docker socket to the container. then you only need the Docker binaries in the app itself, but everything is executed on the host. This however also has the downside that you can practically take over the whole host of someone gets access to your app, which has unrestricted access to the socket.

@baswaraj said in etcd for minio:

here which ip address , do i need to put and how it works

The ip address/fqdn where you installed etcd

Hi @baswaraj,

in your last post you were not entirely clear if you are using minio on Cloudron, or of you are using Cloudron at all.

@baswaraj said in etcd for minio:

minio_etcd_endpoints

This is defined in the following way in the Minio documentation:

MINIO_ETCD_ENDPOINTS
This is comma separated list of etcd servers that you want to use as the MinIO federation back-end. This should
be same across the federated deployment, i.e. all the MinIO instances within a federated deployment should use same
etcd back-end.

So this is the ip of the etcd service that you have already installed.

PS: the link you posted does not work

@micmc afaik Rocket chat is written in meteor. in the and almost everything is possible in a custom app.

@oversight said in Could not install setup dependencies (curl).:

on a raspberry Pi4 (4G)

I don't think running Cloudron on something else than amd64 is currently not possible (although there have been some attempts at it in the past).

The app seems to be missing the capabilities item in the manifest.

Example from statping: https://git.cloudron.io/cloudron/statping-app/-/blob/master/CloudronManifest.json#L27

Interesting choice for for the vm size at Linode. With just a gig of ram I cannot imagine that Guacamole runs nicely on it however.

A last reply about my use of Standardnotes. I have just retired my own installation of it. While its a nice editor it simply did not really cut in in terms of searching content and organising todos within notes. I've used it as a kind of journal/log for work and to keep an overview of open tasks related to these. That worked quite ok, even though I was limited to text and could not really cross link.

The standardnotes devs have been busy replacing the ruby based server with a more elaborate setup, which in the future should support binary data in notes (like pictures). However two weeks ago they broke the compatibility of their desktop and mobile applications with the old syncing server, and that without any prior notice. This does not really leave a good impression for others self hosting their software. So instead of migrating to their new stack I migrated away. Tasks are now organised in Vikunja, which also allows extensive notes and comments on tasks, and the log/journal is simply a channel in my private Rocketchat.

@hillside502 https://en.m.wikipedia.org/wiki/Blue-green_deployment

Kind of like a marketplace or classified website? Yes, I am certain this can be done with Cloudron as a base. Like use Wordpress as a base, or write your own fully custom solution and deploy it as an app (which means that Cloudron will take care of e.g. database backups for you).

Or you split it over multiple apps, where you have a static website in surfer, and e.g. a go or rust api backend in a custom app.

The only limitation is that you are basically limited to a single host. You cannot scale your app over multiple servers, geolocate requests, or do blue-green deployments where you route certain users to a newer version of your code.

PS: to be fair, if you make your own proxy app and let it route between two other apps, you could kind of do a blue-green even on cloudron.

@samir said in What's coming in 6.4:

fix the "https://forum.cloudron.io/topic/2611/cannot-send-email-from-outlook-2007-with-5-2-4-connection-error-ssl-routines-tls/2" instead of having a workaround...

The problem here is outlook that uses old encryption by default. Changing it would weaken the security of every other mail client.

Yes, depending on quality this could of course cause some confusion. But there are a few examples of working third party repositories out there that extend a main product. The external app stores on Synology come to mind for example. Plus since apps are running in read-only containers and are mostly isolated from the host I don't think an app can mess up a server at all. But the most important part for me was in the last sentence:

@fbartels said in What's coming in 6.4:

This could also be a nice revenue model for external app developers.

@girish said in What's coming in 6.4:

I added a last item "Make it easy to install non-app store apps".

That is great news. In case you do not yet have a better idea how this could be designed, I want to pitch the way this is organised in Portainer again. I explained it already a while back in https://forum.cloudron.io/topic/4485/proposal-the-cur-cloudron-user-repository/14?_=1626194230000. Basically a local admin can override/extend the entries from their official "appstore". Additional entries are defined in a json structure. When opening the Cloudron appstore it makes a request to https://my.cloudron.host/api/v1/appstore/apps which gets a json response with all the appstore data. What if opening the store would in addition to this also make a request to https://user:password@store.my.domain/apps.json and also show a category "community" that lists apps from this json listing. Plus points if the listing can be password protected (like the private docker registry). This could also be a nice revenue model for external app developers.

@luckow said in New Default limited (instead of private):

what concerns do you have about the possible new default?

I don't really have a concern about it, but when the default changes to something more public it should be highlighted.

At the very least the urls of notes get logged on the reverse proxy and setting them to editable or limited can mean that the local admin (or someone else with access to logs) could find note urls and view them.

@luckow that's actually a good idea, but may be something that needs to be explicitly mentioned in the app description.

I just changed the configurable on mine to make notes limited by default.

@girish could the purge be worthwhile to be configurable? It goes a bit beyond notifications, but a general system log could be interested. To see when apps where updated, users created, reboot, mail, maybe even user defined messages to note down messages like "disk replaced". I just realized that the more detailed logs are already covered in the event log.

But as it is, it's really useful already.

@b1nar10 if there is also hook support in gogs, then this could be helpful to you. It's how I'm mirroring repos from my gitea to GitHub.

https://blog.9wd.eu/posts/git-mirror/

@timconsidine duplicate of https://forum.cloudron.io/topic/3224/simple-login-manage-email-aliases-and-dynamically-reply-as-the-alias?_=1625553255325

@thetomester13 have a look at https://forum.cloudron.io/topic/5236/request-a-cli-flag-to-skip-the-reboot-y-n-question-on-cloudron-installation/7

Hi,

a small ui glitch (at least it seems so to me) I just noticed in 6.3.4. When there is the update symbol for an app on the dashboard, clicking on it always brought you directly to the update screen in the past. In fact it still does, but additionally it now opens the app in a new tab.

I guess https://forum.cloudron.io/topic/5297/supervisord-to-manage-running-processes-in-nextcloud-app is related to this

@robi said in New admin advisor notifications + Errors removing:

the CLI doesn't seem to work.

Generally the CLI works just as described in the Cloudron manual: https://docs.cloudron.io/apps/mattermost/#command-line-tool

But looking at https://mattermost.atlassian.net/browse/MM-34893 (which was linked to in the initial post you linked) it looks like the advisor is not active at all in versions after 5.35 (Cloudron is at 5.36.1 it seems).

Relevant issue in the upstream project: https://kolaente.dev/vikunja/frontend/issues/484

@abhishek I've sent you details via dm. For everyone else I have also posted at https://forum.cloudron.io/topic/3350/offered-drone-ci-on-cloudron about it.

@girish https://github.com/calendso/calendso/pull/7#issuecomment-865868170 but that is in my eyes more of a "we currently don't want a dockerfile in this repo" than the software being unable to run in Docker.

Hi @krschuerman,

for me this still works, but as already said in my last post here in this thread the setting needs to be placed in the security block.

[security]
[..]
DISABLE_GIT_HOOKS = false

@atrilahiji yes, now it also starts in normal (non debug) mode. A nice addition would be auto configuration of ldap.

@atrilahiji the modules directory does not exist at all in /app/code and then it fails at creating it in the first place. You have to prepare this in a similar way to https://git.atridad.dev/alt-ron/cloudron-humhub-app/-/blob/harden-app-code/Dockerfile#L78-80 where the folder symlink needs to already be created during docker build and then in start.sh you need to make sure that the folder and its default contents exist.

@atrilahiji ah nevermind, i forgot that part of debug is that the container is not read-only. Looking at the code now a bit closer.

@atrilahiji no, no changes at all. maybe some leftovers from a previous installation of yours?

Yes, you can run cloudron install --debug where then the init script is not run. you then need to exec into the app and run it manually.

@atrilahiji for me this works with

➜  cloudron-humhub-app git:(harden-app-code) git rev-parse --short HEAD
0b5df1c

Steps I tried:

• Install app (in debug mode, but only so that i could override and start the start.sh manually)
• finished Humhub installation
• went into admin and selected modules
• installed a module
• activated a module
• no php error can be seen

@atrilahiji can you push your current wip? I'd like to give the code a look.