What's coming in 5.1

First off, I hope all you guys are staying safe in these tough times! Our team is split in Santa Clara and Berlin and we are doing well!

5.1 will be a quick release. There are a bunch of security related fixes but the main feature is the integration of turn addon/service into the platform. This will help us get the video conference apps in asap since it's the need of the hour.

https://vikunja.io/
https://code.vikunja.io/

For the coming weeks, we are going to focus on getting some new apps packaged. The list is:

• OnlyOffice
• Bitwarden - @Felix and @iamthefij have done much of the heavy lifting, we just have to get it across the line.
• OpenVPN - We will add an admin interface that let's the admins configure some popular vpn settings.
• BigBlueButton or Jitsi (we will evaluate which works well for conferencing. We have used both and they both work well but BBB might win). If you have any thoughts here, please leave a comment.
• Development apps - basically provide a git push workflow for hosting custom nodejs/php apps (and make it work so that they can be mixed with various caches and databases).

If we should prioritize something else, please let us know! But the above should keep us occupied this month.

What we initially planned as Cloudron 4.5 is now Cloudron 5. We decided to bump the major version since it got a lot of changes to justify the bump.

New installations will already get Cloudron 5. Existing installations will get an update in a week or two. We roll out updates conservatively as always, if you want it immediately, please just send a mail to support@cloudron.io and we will make it available.

I am preparing the blog post which will have the screenshots for the features.

Changes:

• Add user roles - owner, admin, user manager and user

• Show backup disk usage in graphs

• Mail server event log and mailbox usage information

• Spam auto-learning - the spam solution is now per mailbox. The mail server will now periodically auto learn spam and ham from the mailbox with no user intervention.

• CPU resource allocation - We have implemented CPU Shared

• Whitelabel the footer/404

• App specific passwords

• Import backups UI - this lets you easily move apps across Cloudrons

• Display timestamps in browser timezone in the UI

• linode: add object storage backend

• Enhancements in the built-in LDAP to better support SOGo (more on this in a separate post).

There's a lot of other bug fixes as well. You can read through the commits for that

I have added a new category called Apps - https://forum.cloudron.io/category/9/apps . I am slowly adding all the apps we have into it as subcategories. It seems this might work better than tags (people are mistyping tags) and also provides a better direction/place for people to post.

Ideally, we keep the current Support category to Cloudron platform related issues. I am moving existing Apps related posts this new category.

Finally, we will start posting app updates in these new categories. Basically, https://cloudron.io/appstatus.html with a changelog. But since now apps are a separate category we can post it a bit more freely without being concerned about polluting the main support category.

We are continuing to work on getting many more of the apps published, see the WIP tag. Thanks to the community for really helping us out here!

6.0 will be a feature rich release:

• Dark mode for dashboard
• File manager UI to edit the files inside apps. For the initial version, one can only view and edit the files under /app/data (i.e one cannot view the files in the read-only parts of the file system. this is because of some technical reasons)
• Backup upload/download speed - Currently, backups can be quite slow but we have some ideas to speed it up
• Allow admin to lock email and display name globally. This essentially makes the LDAP directory non-editable by normal users.
• Optimize WP and Nextcloud installations. This is not directly related to box code but we want to speeden things up and optimize the configs since we have a large number of installs with these 2 apps. @MooCloud_Matt has given us a lot of ideas to work with here.
• Mailbox sharing
• Allow backup and update time to be set. Currently, this is all hard coded and it's causing problems for people working in the night
• Unified dashboard for multiple cloudron setups - This will provide a unified auth across cloudron setups plus a single dashboard to control multiple cloudrons. Details are still being worked on and I will post it once I have more info.
• Fix access control for service provider setups - There's a few small issues. Service providers wants admin flag per app, better control of SFTP user management and also to unify PHPMyAdmin across apps. We will see what we can do.

@jdaviescoates For pricing, as mentioned, we just offer discounted pricing on a case by case basis. Given we are a small company ourselves, we don't want Cloudron pricing to be a blocker for another business relying on us. We have a dozen or so re-sellers and they are generally IT admins, sysadmins who host for co ops, non-profits and schools.

As for Cloudron the company itself, we are profitable and pay ourselves a salary, and I can say we are not going away anytime soon. We are completely bootstrapped and haven't tried to ever raise money nor do we plan to. Future wise, one thing we really want to happen it is to grow to a size where we can start supporting upstream opensource apps - either by contributing with people or funding them.

Wanted to give some progress on the release here. Both @nebulon and I are taking a bit of break for Jitsi We will revisit once we finish some more enjoyable tasks.

• Update base image - this is done! Apps are slowly getting updated one by one.

• Add support for member-only mailing lists - done!
  

• Default to ECC certs from Let's Encrypt - done!
  

• Redis status - Under services, you can now tune redis instance of each app
  

App firewall will not make it this release since the changes are stacking up.

Some more updates.

• Clicking the update button now will always give you an update, if it's available. No more required to ask us to whitelist an update.

• Encrypted backups - there were security flaws with the current encryption. It's been fixed (more info when we do the actual release). thanks to @mehdi who has patiently worked with us through this.

• App graphs! Currently, just RAM and Disk. CPU and Network will come later.
  

• System graphs
  

• Backup listing UI for the platform
  

• New backup retention policy (this is same as keep daily/weekly/monthly in borg/restic).
  

• Finally, there is a way import and export the backup configuration easily. You see this in the right of the backups. You get a config file that can then be put in another Cloudron instance for restore or import.

We hope to get this out next week. Just doing a lot testing now.

As others pointed, Cloudron uses PBKDF2-HMAC-SHA1 with a per-user salt. This is totally different from just using SHA1.

As we are not cryptographers ourselves, the best approach is to not try to re-implement crypto ourselves and just follow NIST guidelines - NIST 800-63 Specs.

It recommends PBKDF2 and atleast 10k iterations. We also follow most of it's other password guidelines including following including 8 character minimum, support at least 64 characters maximum length, all ASCII characters (including space) should be supported, no password hints/expiry, non-SMS 2FA etc.

There is a good article summarizing the NIST guidelines at the Sophos website and also an article how to store passwords safely.

Hi all,
We released Cloudron 4 now. The blog has more details about the release.

Changes:

• SFTP access is built into the platform. As of this release, WordPress, Surfer and LAMP apps support SFTP access. You can get the SFTP credentials from the i button in the app grid. Note that the username for each app is different!
• App tags and labels - this lets you easily categorize and search app. The current UI is very basic, we hope to iterate on this. Feedback welcome.
• Scaleway Object Storage backend for backups
• Easier email import. There is some basic docs on how to use imapsync here
• Unmanaged WordPress app - this app allows you to edit WordPress code unlike the existing WordPress app. Since, we let you edit the code, we won't deal with updates either. You can to use the WPs built-in updater for that. Docs for this app are here. Currently, this app is marked as unstable. So, you have to enable the unstable flag in settings before you can install it/see it in your Cloudron.
• Immediate App Update notifications
• Backups created right before an app update are retained for upto 3 weeks. This lets admins roll back in case they notice some breakage late.
• Community/Unstable apps. There's been a lot of app packaging going on and we can't keep up with testing of all the apps. So, we will get them all listed in the coming weeks, so others can easily test them out.
• Upstream app version is now listed in the app info dialog
• Support for email relays that do not require authentication and self-signed certificates
• Cloudron updates can now be applied without taking a full backup. This was added for situations where there might a bug in the backup logic and an upcoming Cloudron update fixes the backup issue.
• Add a way to disable outbound mail for a domain. Email -> Outbound -> Select Disabled

I changed the title of this post to be less flame-baity

For the coming weeks, our focus is simply to get more of the apps out. bitwardern/jitsi/matrix etc are in various states and we want to get those out asap.

We are working on some ideas on the Cloudron side:

• Mail fts search - This will be optional since the dovecot+solr integration takes a lot of memory.
• Mail server queue and reports - This is just a UI to get an insight into what emails are incoming and outgoing on the mail server
• Mail spam controls - This will tackle the popular "Spams are still getting through" reports
• CPU resource allocation - Currently, you can control memory per app. This will allow you to control the CPU allocation as well.
• Firewall API
  • This will allow setting up basic application firewall rules. This is not clear yet but we will build on top of modsecurity/fail2ban potentially.
  • For email, this will have whitelist/blacklist
• Backup - listing, download and remove API and UI (for box and the apps).
• Per-app backup format.
• Group admins - The idea here is to create "sub admins" who can invite users but cannot control server level settings like backups.
• Whitelabel the footer/404
• App specific passwords

BTW, if you have comments/suggestions, feel free to open a thread in the Discuss section or comment here for any clarification

We released Cloudron 5.1 for all now. See the blog for screenshots and more info.

• TURN Service - This allows completely private P2P voice/video and data transfer. We have updated Kopano Meet, Nextcloud Talk, Matrix Synapse and FilePizza to use this built-in turn server. No configuration needed from your side, just make sure you are running Cloudron 5.1!
• We have released Mastodon. For supporting federated apps like Mastodon and Matrix, we have added support for .well-known URIs (docs)
• Mail eventlog now has search and filter options
• Disk graphs are now sorted by usage (thanks to @d19dotca for the suggestion)
• Apps that have automatic backups disabled are now listed in the Backups view (thanks to @d19dotca for the suggestion)
• Dropped support for TLSv1 and TLSv1.1 (thanks to @zerononcense)
• Support for ECC certs (thanks to @zerononcense for helping us test)
• Docker addon is now more secure (thanks to @iamthefij for reporting)
• fix bug with listing of >25 mailboxes and aliases
• branding: make the login page title show cloudron name
• mail fix incorrect eventlog db perms

Before everyone jumps to conclusions So far, @nebulon has been trying to make coturn to be part of the app itself. This is indeed quite hard.

So, I think what this means is that we have to integrate the turn server into the platform code base itself. So, it would become an addon/service just like the databases and other things. And then nextcloud, jitsi, kopano meet etc can just use this coturn service. Integrating coturn into cloudron is not very hard but will require a new release of Cloudron.

Here's what you can expect from 5.2. We are still working actively on a few more apps and the apps have more priority. Specifically @nebulon is working on Bitwarden and I am trying to get Jitsi/BBB.

• Update base image - this should update many packages, the vim/bash history configuration etc.
• Some user onboarding flow - don't have concrete plans here. But sometimes new users are confused by all the automation we do - like db, email, user management. Feels very magical, so we have to put in some videos/images to re-assure them/explain what's happening.
• Add support for member-only mailing lists.
• Support for external volumes for apps
• Default to ECC certs from Let's Encrypt.
• App firewall (protect login screens and login routes of apps)

Any more suggestions?

Here's what you can expect from 5.3. This will be a fairly short release as we are going to get back into packaging apps. Pixelfed, Metabase, Grafana, Akaunting, Jellyfin, River are all packaged and waiting for our attention, so we want to get them out. Jitsi has to be completed as well.

As for 5.3 itself:

• User onboarding flow - Currently, many of the automation we do - like db, email, user management is not understood entirely by users because other tools don't do it and we don't explain what we do.
• s3: path style is being deprecated by AWS in Sep 2020 - https://forums.aws.amazon.com/ann.jspa?annID=6776
• CIFS storage backend
• Synchronize LDAP groups - issue

Anyone else have any pressing need? The release after this will be a more feature rich release but we want to keep this one as minimal as possible.

Hi all,
Pixelfed is now available in the app store. Most of the packaging work was done by @doodlemania2 (thanks!)

Code: https://git.cloudron.io/cloudron/pixelfed-app
App store link: https://cloudron.io/store/org.pixelfed.cloudronapp.html
Docs: https://cloudron.io/documentation/apps/pixelfed/

Good question! So far, we haven't been overwhelmed with the app count. I think we can actually easily support far more. This is only because:

• The main packaging cost is the first initial version. If you see the source code of any app package, we hardly have to make changes for a new release. It's mostly bumping the version. I am hoping once we have a CI/CD app on Cloudron, we can automate this part.
• All our stable apps have tests. We don't test anything manually. The apps that don't have proper automated tests (like confluence), we have regretted publishing. But we keep them supported and test them manually since enough paying customers are using it. But that was a lesson for us to not add apps that don't have tests.
• Many of the new apps that we are publishing now was packaged by our community - @msbt , @iamthefij , @Felix, @thetomester13 , @jimcavoli , @murgero (there's also 2-3 more but I am unable to find their id) etc. So, we are just building on top of their hard work (thanks a lot again guys!).
• Finally, our goal is not to package all the apps possible. We just want the best 2-3 apps in each category. So, if there are 30 categories. This will only come to 90 apps or so.

All that said, if you see a drop in quality in support or general, please let us know and that will a hint for us to look into adding resources

I managed to get federation working just now, yay! I will make matrix available tomorrow It does require a new Cloudron release for well-known support.