RE: restrict apk file download from other domain hotlinking

Hi @apkdlpw,

this is a very off topic question for the cloudron forum (or are you maybe a spam bot?).

I think you can get better help for nextcloud topic in their own forum at https://help.nextcloud.com/.

just to add one more player being active in this field:

• https://www.audriga.com/en/Index

"Modern auth" is nice, since it makes these protocols more secure (through adding e.g. 2fa to imap connections), but indeed it is a bit of a hassle since not all client applications have real support for it (and then there are applications that generally support it, but have hard coded auth providers so you can't use it with your own stack).

Instead of creating your own oauth credentials to get data out of ms365, I would rather recommend to setup app passwords as this simplifies the process greatly. See https://www.limilabs.com/blog/office365-app-passwords for example.

@murgero yes, and sorry for accidentally mentioning you instead of op

@murgero or you’re using a base image other than the Cloudron one and therefore some internal scripting fails (because the user it expects does not exist).

@privsec https://rclone.org/ is a good tool to interact with different cloud apis, but in itself it is not a backup tool.

@darsh_parsana said in How to increase Disk I/O:

disk should be showing more than 250 kb

Only because the y axis ends at 250 kB/s does not mean that this is the limit. The table dynamically grows, so if you have something that would cause more disk i/o the scale would adapt.

@darsh_parsana said in How to increase Disk I/O:

increase the disk i/o

There really aren't any ways in software that you could increase something that is caused by hardware limitation. The numbers in the screenshot look really low however, so I am assuming the hoster you rented your vps from has overbooked the physical server your vps is located on. Often you can contact their support and asked to be moved to a different node.

Hi @Shaun-Snapp,

I think for a proper answer some more details are needed, like how do you manage dns in general for your domain?

The general dns documentation for Cloudron is located at https://docs.cloudron.io/installation/#domain-setup

Whenever I purchase a new domain name, I add it to my Cloudflare account, add the domain with the cloudflare api to Cloudron. Afterwards the domain can be added for new or existing apps.

@girish ok, sounds good to me.

@shrey ah yes, the two points in the app that use redis are indeed hardcoded in the startup script. Let me make a pr so that @staff only needs to merge and do their normal release procedure.

edit: https://git.cloudron.io/cloudron/vikunja-app/-/merge_requests/9

Hi,

I am currently running v7.3.6 (Ubuntu 18.04.5 LTS) and today I ran into an issue where an app refused to come back up after adding a domain alias to it. Reason was that it tried to look up the cname at the authoritative dns server of the new domain.

The fix for this issue was this commit that I found in the Cloudron git:
https://git.cloudron.io/cloudron/box/-/commit/2b260c873fafac29245f2e34ae65eeff0935c457

I fixed the issue for me by manually applying the change from above and restarting the box service. But just to be on the safe side I wanted to check if i need to reapply the fix for any potential 7.3.7 or if it would already be included.

@shrey the relevant error seems to be:

on_find.go:161 +0x9ff
Feb 25 18:55:00 xorm.io/xorm.(*Session).Find(0xc000412480?, {0x1233a40?, 0xc0004504b0?}, {0x0?, 0x0?, 0x0?})
Feb 25 18:55:00 /srv/app/pkg/mod/xorm.io/xorm@v1.3.2/session_find.go:31 +0x7b
Feb 25 18:55:00 code.vikunja.io/api/pkg/models.getUndoneOverdueTasks(0xc0004ccb60, {0x100000101c056?, 0xc000489640?, 0x22210e0?})
Feb 25 18:55:00 /source/pkg/models/task_overdue_reminder.go:44 +0x245
Feb 25 18:55:00 code.vikunja.io/api/pkg/models.RegisterOverdueReminderCron.func1()
Feb 25 18:55:00 /source/pkg/models/task_overdue_reminder.go:128 +0x9c
Feb 25 18:55:00 github.com/robfig/cron/v3.FuncJob.Run(0xc0004a07d0?)
Feb 25 18:55:00 /srv/app/pkg/mod/github.com/robfig/cron/v3@v3.0.1/cron.go:136 +0x1a
Feb 25 18:55:00 github.com/robfig/cron/v3.(*Cron).startJob.func1()
Feb 25 18:55:00 /srv/app/pkg/mod/github.com/robfig/cron/v3@v3.0.1/cron.go:312 +0x6a
Feb 25 18:55:00 created by github.com/robfig/cron/v3.(*Cron).startJob
Feb 25 18:55:00 /srv/app/pkg/mod/github.com/robfig/cron/v3@v3.0.1/cron.go:310 +0xad
Feb 25 18:55:00 2023-02-25 13:25:00,030 INFO exited: vikunja-api (exit status 2; not expected)

So the server throws an error during startup (and then gets restarted). I had a short look on the vikunja forum, but could not find a similar report. I recommend to post the above error message along with version information at https://community.vikunja.io/

@shrey the vikunja app has some frontend files and then a separate backend server (all part of the same app). The error 502 indicates that the backend has stopped for some reason.

I would restart the Cloudron app and have a look at the logging during startup if login still does not work afterwards.

What makes me wonder however is that ad far as I remember the Cloudron app pings the health endpoint of the backend for the health check. So if the backend does not respond, the app should be marked as non responsive in the dashboard.

@jdaviescoates a signalling server is still something else than stun/turn. The signalling server is there to make the initial handshake before stun/turn are involved to establish the peer to peer connection.

@marcusquinn the frontend itself is just a static website and I am quite sure in the past I already hosted it through surfer successfully. But to be fully independent one would need to run their signalling server. this here seems to be a comprehensive list of steps.

If i understand their readme correctly the only way to adjust branding is to modify the index.html file directly.

Hi @jayonrails,

usually the Cloudron team is quick to pick up these suggestions, when they come up on the forum. But if you want to change it yourself the source of the documentation is located at https://git.cloudron.io/cloudron/docs/. All you need to make a pull request is an account on the Cloudron Gitlab installation.

Related issue for roundcube: https://github.com/roundcube/roundcubemail/issues/8143

Currently, Hermes supports Google Workspace. Once users login to Hermes, they can create document drafts using Google Docs.

That does not sound like it's very suiteable for self hosting (at least it is tightly integrated with the Google ecosystem)

It kind of sounds like then classic "i am running my cloudron on my server at home" scenario. Cloudron recently gained a functionality to act as a reverse proxy for other services. This could be used to connect your other services.

The question is: how did you expose your other servers before and is there a way to include cloudron in this configuration.

@girish yes, to see the actual price its still a few more clicks from that page. but 39€ is what i found as well.

@girish I managed to find the info at https://standardnotes.com/help/self-hosting/subscriptions

I was just investigating an expired certificate on one of my Cloudron systems and wanted to leave a note here.

The app in question uses manual dns settings for reasons that are beyond my control, but port 80 is publicly available so that using lets encrypt should be no problem.

Looking at the logs below "Renew certificates" was sadly empty. I guess these have been rotated since the last certificate was issued.

Restarting the app had this bit in the apps logs, which means the certificate must have been successfully renewed back in december, and only the webserver has not been restarted since then.

Jan 25 12:02:44 => Start supervisor
Jan 25 12:02:44 box:reverseproxy providerMatchesSync: subject=CN = lx.example.com domain=lx.example.com issuer=C = US, O = Let's Encrypt, CN = R3 wildcard=false/false prod=true/true issuerMismatch=false wildcardMismatch=false match=true
Jan 25 12:02:44 box:reverseproxy expiryDate: notAfter=Mar 25 11:10:49 2023 GMT daysLeft=59.00561143518519
Jan 25 12:02:44 box:reverseproxy needsRenewal: false
Jan 25 12:02:44 box:reverseproxy ensureCertificate: lx.example.com acme cert exists and is up to date
Jan 25 12:02:44 box:reverseproxy writeAppLocationNginxConfig: writing config for "lx.example.com" to /home/yellowtent/platformdata/nginx/applications/fdda3359-5b81-4228-b4cb-1f5dfe8a3436/lx.example.com.conf with options {"sourceDir":"/home/yellowtent/box","vhost":"lx.example.com","hasIPv6":true,"ip":"172.18.17.213","port":8080,"endpoint":"app","redirectTo":null,"certFilePath":"/home/yellowtent/platformdata/nginx/cert/lx.example.com.cert","keyFilePath":"/home/yellowtent/platformdata/nginx/cert/lx.example.com.key","robotsTxtQuoted":null,"cspQuoted":null,"hideHeaders":[],"proxyAuth":{"enabled":false,"id":"fdda3359-5b81-4228-b4cb-1f5dfe8a3436","location":"/"},"upstreamUri":"","ocsp":true}
Jan 25 12:02:44 box:shell reload spawn: /usr/bin/sudo -S /home/yellowtent/box/src/scripts/restartservice.sh nginx

hmm.. I think it depends on the actual website. A status code in the range of 400-499 would be a return code that signals a kind of error (file not found, or unauthenticated). So if you normally curl your website and get a 403 then it would make sense to use it.

Generally I would say even if you only monitor because you want to get a certificate expiry I would monitor for the expected http return as well. If the / of your website is huge, you could create some kind of dummy file on your webserver that you query instead. For a wordpress site I am monitoring I am querying the license file for example.

@timconsidine no troubles with Vikunja on my end. Have been using it already for quite some time. Especially since its a pwa frontend performance and mobile usage is very good in my opinion.

Maybe worthwhile exploring why the app goes into not responding state/what makes it fail the Cloudron healtcheck.

@mpeterson0418 Oh, I am not using Guac personally, so I cannot really help here.

@mpeterson0418 even if its using different urls Guacamole is configured under the hood to use Cloudron for authentication (no one first needs to head to their Cloudron dashboard, but can directly log into Guac).

And once you have enabled the external ldap integration for your Cloudron all members on your ldap can log into Cloudron and therefore apps that use the Cloudron user management.

@mpeterson0418 said in Guacamole Configuration:

Windows AD LDAP server

In that case it may also be interesting to learn that you can connect your whole Cloudron to your AD. Look at https://docs.cloudron.io/user-management/#external-directory for more information.

Vikunja could be used as well

@Kubernetes said in App proxy with internal IP does not replace IP in html code:

Another option would be to use relative paths for the images in the HTML.

yes, it is in general a good practice to use relative urls in web projects.

@herculist2022 Cloudron is already using nginx as a reverse proxy (for http requests) and with the latest release also can expose applications on other hosts through it.

@herculist2022 what would like want to do with it on Cloudron?

I'm using Gitea for quite some years as well and this got me curious. The current queue can be seen in the webinterface of Gitea at https://your-domain/admin/monitor. My queues however are at 0.

If you have not done yet I would check the logs of gitea if there are any abnormalities in regards to queue handling. Error messages at startup?

The same website also allows to see stacktraces for the running processes.

In the end it may be a bug within Gitea that would need reporting and fixing upstream.

@yeku the people that officially belong to the cloudron company have a "staff" label, i am "just a customer" as well (ok and I packed some apps that i wanted to use myself).

@jaschaezra there recently was a topic of someone building a custom forgejo app https://forum.cloudron.io/topic/8312/moving-from-packaged-app-to-custom?_=1673347978007

Hi @yeku,

yes there are ways to verify your backups, but no not in the way you are describing.

This is described at https://docs.cloudron.io/backups/#dry-run

Basically:

• you install a machine for your cloudron (could be a virtual machine, maybe you even always just return to a certain snapshots of the VM itself)
• you click through the wizard and perform a restore from within cloudron
• you verify the restored data
• you thrown your machine away and restart the process

Something like a cold standby that you can just update with the latest data is not possible.

Do you mean in regards to Hardware transcoding? If you see a high CPU usage during transcoding, then the work is carried out by the CPU instead of the GPU.

Hi @ioctl,

its been a while since I last did it, but when updating an app from the commandline you could easily switch to a custom fork when using the update parameter with an existing location. For the way back there was an additional parameter involved but the cloudron cli should have it in its help text.

PS: I would just start with a fork of the Cloudron gitea packaging and then adapt the code from there.

@andreasdueren said in How can I block email addresses in catch all?:

I thought these addresses are only checked for in the from fiel not the to?

No, to the best of my knowledge it applies to any addresses in the mail. In any case this is how I prevent these kind mails from popping up in my mailbox.

@subven said in How can I block email addresses in catch all?:

via a mail sieve filter

That could work as well, but another mailbox is not necessary. You can just filter on the recipient address.

@userino said in How can I block email addresses in catch all?:

Is there such a black list?

yes, its explained at https://docs.cloudron.io/email/#address-blocklist

@plains-digital said in while i wait for an answer about my 4gb cron logs .... thought id ask:

hmmm 503 is http specific???

http protocol. So it does not matter if using plain http or https. Since you've now mentioned that you're using Cloudflare you should figure out where the 503 error is thrown. Is it in Cloudflare or Cloudron? The system that throws the error may give additional insights into the why the error is thrown.

Hi @plains-digital,

503 is a gateway error in http. Which usually means your frontend proxy cannot connect to it's configured backend.

This looks really cool, having something that is compatible with GitHub actions should make this easy to adapt for projects.

https://blog.gitea.io/2022/12/feature-preview-gitea-actions/

The statement that i heard about this is in the past was a "not required, but greatly recommended".

The integration into Cloudron needs some dependencies to be installed and paths to work. From the top of my head the entrypoint is the same for all containers and bash needs to be installed for the terminal in the Cloudron dashboard to work.

@marcusquinn said in Google "just discovered" PGP for Gmail (if you pay):

more appeasement than complete privacy

Except it is not about privacy, but checking a checkbox for compliance rules of Fortune 500 companies.

To be honest it would have been nice if Google actually made some innovation here, since both PGP and S/MIME are conceptually broken, but sadly they only added native S/MIME capabilities to the Gmail ui and management tooling.

@scooke said in How do I safely upgrade/update?:

The front page of cloudron.io hsa this:

FYI: that guy has not responded to this topic since September last year

@LoudLemur said in SearxNG has an instance with ChatGPT experimental support:

can sometimes provide better results than an actual search engine.

I am not sure if I would subscribe to this statement. Chatgpt for sure is impressive and depending on the use case the output can be quite helpful (a college of mine let it design and refine a dnd campaign for example), but there is also a lot of nonsense in the output.

For example I asked it what are things to do in my local city (which is a very search engine like question) and four out of five places did not exist and for the fifth it did lump together the local sports club and the public swimming pool.

Look like an interesting notion like systems with a powerful plugin system. There is a plugin for realtime collaboration even. Markdown parses nicely in their editor as well.

The only downside, it feels like a single user architecture. But for an experiment it could be put behind cloudrons auth wall. Might give it a shot next week.

https://silverbullet.md/

Unfortunately the current sync server is discontinued:

Note that this repository is no longer being maintained. Use this at your own risk, and with the understanding that it is not being maintained, work is being done on its replacement, and that no support or assistance will be offered.

Source https://github.com/mozilla-services/syncserver

The replacement is https://github.com/mozilla-services/syncstorage-rs, but skimming through the readme it seems deployment of it is coupled to the Google Cloud?

Hi @Jazim,

it feels like you're confusing Hashicorp Vault with Vaultwarden (which is an alternative implementation of Bitwarden). Vaultwarden is mostly a password manager (with the ability to share passwords with others on the same server through the organization feature), while Vault is really meant for access of secrets through code.

@chetbaker said in Mastodon invalid argument error:

/chetbaker/mastodon:20221202-162454-142f2a6eb

the / at the beginning looks a little sus to me.

I am not sure if there is a way to do this with the cli directly, but it stores its configuration in ~/.cloudron.json. There i would adjust the repository and dockerimage values to remove the slash.

Sadly however (from https://docs.activitywatch.net/en/latest/remote-server.html)

Some users ask us if they can run the ActivityWatch server on a separate machine and have other machines report to it, resulting in data from multiple devices on a single ActivityWatch instance.

While this is technically possible, it is not supported and strongly discouraged.

@subven said in Mastodon App Timezone:

app terminal still displays UTC (from the host) I guess?

Yes, running date in the terminal of the app is still using and showing UTC as the timezone. The Cloudron dashboard is configured to use UTC+1.

From my perspective it is fine if both values don't align. That is why timestamps should include a timezone so that software can properly convert these to the local time of the user.

@shanelord01 if Mastodon cannot properly handle timezone information, then this is probably rather something for their issue tracker. I however just made a test, I am currently in UTC+1, while my server is using UTC as the timezone, I sent a toot and the time of sending was shown correctly in the mastodon interface.

@LoudLemur the documentation is located at https://docs.cloudron.io/apps/lamp/

@LoudLemur as heimdall is written in PHP it's likely that it will already run in the lamp app.

@LoudLemur heimdall is only a dashboard and does not install and manage apps for you.

@humptydumpty i'm just carrying mine on my keychain. They are very robust. No problems so far with my 9+ years old key.

Hi @girish,

no, no external storage mounted on that system. Other apps (Rocketchat just updated prior to this) update fine.

Edit: as suggested in the other thread a reboot did make the issue go away and the kuma app was able to update.

Hi,

this morning I noticed that the uptime kuma app on Cloudron is stuck on "cleaning up old installation". In the app log I see

Nov 21 10:20:15 npm ERR! path /app/code
Nov 21 10:20:15 npm ERR! command failed
Nov 21 10:20:15 npm ERR! signal SIGTERM
Nov 21 10:20:15 npm ERR! command sh -c node server/server.js

This is reproducible for me in the following way. When I see the message I cancel the task and the "repair" the app from the settings. Since the update has not been applied I restart the upgrade and the app is again hanging in the cleanup stage.

@davidneuner there is nothing "to fix". On a given instance you see the content of users on that instance and the users they are following. To see content from other instances you need to follow other users. a relay (as suggested by @doodlemania2) can help seed some content for you to follow.