Software Engineer turned Director at a Silicon Valley company.
After the switch to management I was eager for a technical project and decided to take on self hosting for privacy and ethical reasons as well as the technical challenge. I’ve made several attempts at managing all my self hosted services from scratch and eventually found Cloudron.
I've got a branch where I've almost gotten LDAP syncing fully working, but invites don't seem to be working properly.
Even if I try to send an invite directly through the web interface, it just hangs. The user shows in the list, however the logs never show a success or failure response for the request. I've checked the SMTP settings and they appear to be correct. I'll keep debugging though.
https://git.cloudron.io/iamthefij/bitwardenrs-app/tree/ldap-sync
@nicolas Are your wordpress instances up to date? Do you have plugins installed in those instances?
That's where my mind goes immediately.
Way back when this first came up in 2017, there was a discussion on the issue boards for Ubuntu. This is the response from the PM at Canonical who added the feature including an explanation of how it has been used in the past and how they intend to use it.
https://bugs.launchpad.net/ubuntu/+source/base-files/+bug/1701068/comments/11
It can be disabled entirely by running sudo sed -i 's/^ENABLED=.*/ENABLED=0/' /etc/default/motd-news (source).
Debian support would be great, but I thought I'd present a bit more information for folks stumbling on this to read up on and make a decision on how they want to manage their server.
LDAP syncing is now available for bitwarden_rs. Check it out on the wiki.
Do you have your app shared on git.cloudron.io yet? If so I can help contribute.
@JOduMonT First off, that site is just reviewing app permissions. It’s docking Signal for requesting things like access to camera (used for taking and sending photos). That’s not really relevant here.
From a security standpoint, the Signal protocol is the gold standard for secure messaging. Other apps , like WhatsApp have even implemented it themselves.
Signal is also a non-profit and spends a considerable amount of effort in reducing knowledge needed to operate on the server. Their goal is to get to a point you don’t have to trust the server at all.
I have never heard of the app you’re recommending, but I don’t see any information about how they manage their encryption. Their website link (from Google Play) lands on some obscure website that doesn’t really load unless I turn off my tracker blockers. The site then doesn’t really indicate why I should trust them. No information on their funding or security. Also, the Play Store listing says it includes Ads. Which is a huge no-no for privacy.
Telegram is a popular app, but Signal is often recommended for security/privacy. First off, Telegram offers both encrypted and unencrypted messaging and defaults to unencrypted. Group messages cannot even be encrypted at all. In Signal, all is encrypted. Furthermore, when using encryption, Telegram uses a custom crypto algorithm they wrote rather than industry trusted ones like Signal does. This goes against a common maxim in the security industry “don’t roll your own crypto”. It could be just as secure, but less eyes on it means we just don’t know enough about it. Most professionals prefer a tried and true system.
Anyway, I’m pretty passionate about secure messaging, so I’ve done a bit of research here. All that said, unless they are willing to switch, the best one is the one your friends are using. Messaging is useless if you’re the only one with it. Kinda relates to the article will posted about encrypted email in the first place.
Got it working! Turns out I needed to enable SMTP_EXPLICIT_TLS.
Now I just have to schedule the sync task and do some cleanup. Should have a fully ready app soon.
@jdaviescoates Mailpile has both those features: https://www.mailpile.is/
Might be a good app request.
@will just a note, I don't believe fbartels version supports a using a dump for backing up the database. This means that if the backup is taken while the db is in a transaction, it could be corrupted.
Bitwarden_rs now supports an admin API for making sqlite backups, but does not have any cron embedded. Similar to the way the LDAP sync tool works, an additional script could be added to periodically make dumps of the sqlite database so that it can be properly backed up.
Instead, the version I have is using MySQL, which leverages the native Cloudron backup and restore functionality.
That and the LDAP invite service are the real differences between the two forks. If you do not wish to use automated LDAP invites on my fork, you can select to opt out when installing. This is covered in the readme.
It would seem that supporting Keycloak would be a great way to still only really have to maintain LDAP on the Cloudron side and then add support for OpenID Connect, OAuth 2.0
and SAML 2.0.
I've never set up Keycloak though, so I can't speak to it's ease of use or maintaining, but it is often recommended when people talk about FOSS Identity and Access Management tools.
@nicolas Are your wordpress instances up to date? Do you have plugins installed in those instances?
That's where my mind goes immediately.
@Lonk LDAP is just a directory tool. You can use it today with 2FA by storing the TOTP info there, just like you would with any other database.
The difficulty is that the application must actually use that data.
Alternatives would be to use methods like a proxy where you authenticate with username and password+token rather than a third field for token. This would allow implementing 2FA universally though it is unintuitive to users.
Cool! Do apps already have access to each other through the bridge? Or would that need to be made possible as well?
I've build and maintain a bunch of multi-arch images myself for some of my smaller projects.
You can definitely build on an x86 system by using emulation. I used to install qemu and then use build args to ensure that the right base image was being pulled (eg library/ubuntu for x86 vs armv7/ubuntu for armv7) because otherwise, by default, an x86 machine would pull the x86 image. After building and pushing I generate a manifest and push that so that each platform pulls the right image. This is probably the simplest example I have of that since it's a single Python file.
All that said... there is now an experimental feature of Docker available via the docker buildx command.
Here's a recent (April) blog post from Docker about the new method. It's far simpler, so if you can get that working, it'd be ideal. I haven't taken the time to switch over myself just yet.
@doodlemania2 I'm not sure exactly what you've configured, but many folks do not have static IP addresses to do this with. Not only does my home network frequently change IP addresses, but my mobile network does as well.
@girish yea, that's pretty much all that should be required. As long as the two containers can communicate via their internal host names, it should be sufficient.
The other advantage here is that it enables you to use the DNS from a mobile phone. Otherwise whenever you switch to a new network you receive the networks DNS via DHCP.
@girish It's pretty straightforward as far as I can tell. I've got two instances hosted via Docker on Raspberry Pis at my home.
I agree with folks above suggesting though that it'd be best to expose only to internal services and likely inside a VPN. There is probably a decent way to do this in a single app, but I wonder if there is value in creating a new way to expose particular Apps to other apps via a shared network.
This would allow exposing a Pi-Hole app that has no "public" ports to any VPN app (OpenVPN, Wireguard, etc) with an internal hostname (app name?).
@murgero Even the Spectre or Plaid importers require being run as separate services: https://github.com/firefly-iii/spectre-importer
@murgero according to the docs, the importers are separate web applications that you host and connect to FF3. Given that Cloudron doesn't really support setting up auxiliary web applications on the box, it looks like the only way to use it would be for me to host the csv-importer on a different server and then direct that to my Cloudron FF3.
Is that how others are using it?
Are there any packaged / bundled importers for the Cloudron FF3 app? I'm not finding any instructions for that, but I'm also new to Firefly.