Cloudron migration to new server: amazing!!!

Hi all,

just wanted to share a wow experience.

I had a Cloudron Premium server at DO for almost a year and wanted to migrate it to NetCup (better specs and cheaper).

The docs are very clear and promising (https://cloudron.io/documentation/backups/#move-cloudron-to-another-server) but yeah, you never know ...

Well, I know now .... within 5 minutes after entering the backup location details EVERYTHING (4 websites + Matomo + Searx) and all email (all together about 6GB) was in production on the new server including all DNS of all 17 domains.

Downtime: 0 seconds

This is really amazing!

Thanks @girish and @nebulon for this great product, I already was a Cloudron fan but now even more.

Kind regards,

Marcel.

It's almost 2021 and time for Cloudron to step-up to IPv6

see:

https://forum.cloudron.io/topic/3783/firewall-ip-blocking-ipv6-not-possible
https://forum.cloudron.io/topic/2161/is-cloudron-ready-for-ipv6-or-not

https://gitlab.com/Deamos/open-streaming-platform-docker
https://gitlab.com/Deamos/flask-nginx-rtmp-manager

OSP as an alternative for OSP was designed a self-hosted alternative to services like Twitch.tv, Ustream.tv, and Youtube Live

https://www.resourcespace.com/download

Why ResourceSpace?

Digital Asset Management (DAM) software such as ResourceSpace can be used by photographers, marketers, designers and anyone who wants to organize, modify and securely share their images, documents, presentations, videos, audio files, indesign files and every other digital file.

If you're working with large amounts of digital assets, whether they are pictures, stock photos, indesign files, documents, presentations, videos, audio files or any other rich media content a good solution is crucial for saving time and money, whilst increasing your efficiency. A good DAM platform will eliminate any wasted time spent on searching and trying to find a certain file, and will ensure that you can share your content instantly with anybody.

Many people ask why they would need a Digital Asset Management in place if they have Dropbox or Google Drive. A DAM system is a tool with extensive features that go far beyond any simple photo storage or cloud based file storage system.

Your DAM system will have thumbnails and full previews of your images, video and design files so you can see your files before selecting them.

A Digital Asset Management system allows you to create a 'single source of truth' for all of your digital assets. It eliminates the need to search for your digital assets on servers located across the world, your colleagues computers, email inboxes and even USB sticks.

Spending ages searching for that one illusive logo, the current version of the power point template or even the newest version of your poster ad campaign for your project can be infuriating; now you, your team and clients can browse your digital content visually as well as having the ability to find the right material with an intuitive search. By adding tags and other relevant metadata you'll make sure that everyone can always find the right digital assets within seconds of searching.

Is there any update on this?

The COVID-19 pandemic is (almost everywhere) increasing and measures for working from home are again and/or still there. The public Jitsi service is overloaded so it's very very welcome after all these months to have a Cloudron version of Jitsi-server.

Website: https://friendlycaptcha.com/
GitHub: (for the “server application”) https://github.com/friendlycaptcha/friendly-pow
Wordpress plug-in: https://wordpress.org/plugins/friendly-captcha/

Friendly Captcha, the privacy and user-friendly CAPTCHA alternative

Friendly Captcha is a tool for preventing spam on your website
Other CAPTCHAs are a burden on your users, Friendly Captcha respects your users.

The most popular CAPTCHA system, Google ReCAPTCHA depends on tracking users and collecting user data across the internet. This is a price that you are forcing your users to pay in order to use your website. They can not opt out.

Just got a phonecall of a user, an email folder of 2020 with thousands of emails was accidentally deleted and was not in the 'deleted items'.

Couldn't find a quick solution on search engines, so tried it the 'keep it stupid simple way':

1. In my SCP app left pane I went to the server, up into the users' mailbox (no 2020 folder!)
2. In my SCP app right pane I went to the minio backup server (backup just 1 hour old), up into the users' mailbox (there is a 2020 folder)
3. "Simply" copied all the 2020 (sub)folders from right to left
4. After a few seconds the user saw the folders again in Roundcube but ... the file/folder permissions were not good
5. Restarted the mail service in Cloudron and guess what?!
6. It's all back and working!

Good to know for all of you if someone calls

As we know Dovecot it storing all emails of all users in plain text and so they are all readable by the person(s) who have access to the server.

I was wondering if it’s feasible to encrypt this for better privacy and security and found this: https://workaround.org/ispmail/buster/optional-server-based-mailbox-encryption/

Is this something to add to Cloudron, maybe as an option for those who don’t want it?

Create Your Own Broadcast Network with AVideo Platform. AVideo is a powerful base platform for uploading, curating, organizing, indexing, and distributing audio and video content.

AVideo Platform has been download and installed on over 4000 sites in over 190 countries throughout the world. Each AVideo Platform Clone is indexed in our META Search Engine and supported by our worldwide community of developers and contributors.
190+ COUNTRIES
852,567+ AUDIO AND VIDEO UPLOADS
4,237+ AVIDEO SITES
967+ CONTRIBUTORS

https://platform.avideo.com/AVideo_OpenSource
https://github.com/WWBN/AVideo/blob/master/README.md

@girish just for inspiration I found an easy way to configure and manage WireGuard in Docker:

https://github.com/WeeJeWel/wg-easy

This can make the long awaited WireGuard app on Cloudron also easy?

In this thread https://forum.cloudron.io/topic/4723/what-s-coming-in-cloudron-6-3/4?_=1637136154239 long time ago a lot of suggestions where offered to harden the Cloudron security.

Still today IMHO we are still blind in for example failed logins, rate limiting, etc.

Is Cloudron audited? Is it an idea to gather ideas to harden Cloudron like mentioned in that thread?

Today IFTTT announced that they will charge you $10 a month (!!!!) for their service. Maybe now it’s really time to put Cloudron in a unique position with this app?!

@ultraviolet it’s already there, see docs: https://cloudron.io/documentation/email/#subaddresses-and-tags

@jeau said in Omeka - platform for digital cultural heritage web publishing:

we have to solve the Ldap configuration

@girish & @nebulon is it possible that you guys help @jeau with the LDAP configuration so the app can be published in the AppStore?

I did an extensive research on this app and I’m pretty sure our museum will going to use this for our collectionmanagement and online availability of our collection.

@scooke 2 of my 3 Cloudron Pros are on NetCup (1 still on DO):

Cloudron 1 (lots of traffic/usage):

RS 8000 G9
AMD EPYC 7702
64 GB DDR4 RAM (ECC)
10 dedizierte Kerne
2 TB SSD

Cloudron 2 (less traffic/playground):
VPS 2000 G9
4 vCore
16 GB RAM
320 GB SSD (RAID10)
80 TB Traffic

@robi said in Firewall IP blocking: IPv6 not possible:

Marcel, can you share more detail about your chosen block list and how others can do the same?

Sure!

top 10 countries of attacks: https://www.privacyaffairs.com/geopolitical-attacks/

Source of country ip's: https://www.ipdeny.com/ipblocks/

I've choosen to only block those below, we don't expect any necessary traffic from those countries (it's more than 45% of the known Countries where attacks come from):

China: https://www.ipdeny.com/ipblocks/data/aggregated/cn-aggregated.zone

Russia: https://www.ipdeny.com/ipblocks/data/aggregated/ru-aggregated.zone

North Korea: https://www.ipdeny.com/ipblocks/data/aggregated/kp-aggregated.zone

Iran: https://www.ipdeny.com/ipblocks/data/aggregated/ir-aggregated.zone

Pakistan: https://www.ipdeny.com/ipblocks/data/aggregated/pk-aggregated.zone

Syria: https://www.ipdeny.com/ipblocks/data/aggregated/sy-aggregated.zone

India: https://www.ipdeny.com/ipblocks/data/aggregated/in-aggregated.zone

Vietnam: https://www.ipdeny.com/ipblocks/data/aggregated/vn-aggregated.zone

All those IP's copy-pasted in Cloudron > Network> Firewall, currently 20906 ranges blocked.

I added them this morning and I can tell now already that spam has reduced with 90%

It would be very convenient to extend/change the current settings (see screenshot) with:

1. Allow users to edit their name
2. Allow users to edit their Primary email
3. Allow users to edit their Recovery email
4. Require admin users to setup 2FA
5. Require non-admin users to setup 2FA

Reason for me for the first 3 is that I don't want users to edit their name (I discovered LDAP <> Moodle requires firstname lastname), I don't want users to edit their Primary email because it's set to their Cloudron email, but I DO want users to be able to edit their Recovery email as that can change over time.

@girish wouldn't it be a good idea to have something like a "pause switch" all it does is (don't know technically):

1. "freeze" all the containers,
2. then make a backup,
3. migrate to new server,
4. do some testing and
5. switch DNS
6. finally "un-freeze / un-pause" all the containers on the new server (leaving the old one freezed)

Between 1 and 6 you can show the now already available and customizable custom_pages and incoming mail is already buffered at the sender.

@girish https://shlink.io/apps/ (Shlink web client)

@girish said in What's coming in Cloudron 6.3:

(Security) - Inform users about new browser/IP logins.

I was already thinking for days to express my concerns about security on Cloudron, so happy to see some improvements.

But also I would like to invite @girish and @nebulon to get inspiration from the Wordpress plug-in called Wordfence. Wordfence imho needs to be installed by default in Wordpress and they have excellent security measures and management (also in the free version), here some I would like to see on Cloudron:

• don't inform users about new browser/IP/location logins but the Admin, users usually don't even know what an IP is. In Wordfence there is a setting to inform the Admin (via email and log) about new IP/browser/location of either admins and/or users
• create a separate login log GUI with successful and especially unsuccessful login attempts and also on the "individual log record" the possibility to block the, either misused username or login IP for x-time or forever
• when you notice login attempts of non-existing users, also create the possibility to create a blocking list of non-existing usernames that are commonly misused and block them forever
• extend user setting: https://forum.cloudron.io/post/24708
• IP logging in apps with real IP, in https://forum.cloudron.io/post/24706 it's solved but many other apps like Freescout it's still the docker IP
• GEO blocking of countries: https://forum.cloudron.io/post/19901
• make the login rate limiting configurable: https://docs.cloudron.io/security/#rate-limits
• make the activity log also log every LDAP login (attempt), not only replace the LDAP login log record by the last login attempt

@humptydumpty I installed it on a brand new Wordpress site for a first test. It looks promising!

Tomorrow I’ll install it on one of the high traffic sites I manage. Will share my experiences here too.

Meanwhile I translated the plug-in into Dutch and they released a new ‘base’ version with 4 languages.

@atrilahiji & @girish & @nebulon is it possible to add this to the AppStore?

@imc67 said in Owncast – An open-source, self-hosted live streaming server:

@atridad & @girish & @nebulon is it possible to add this to the AppStore?

Ok, found the solution. After updating the app from a previous version you have to open the port in app "location".

@d19dotca said in What's coming in Cloudron 6.3:

I totally agree with the rest of your suggestions

it wasn’t my intention at all to suggest to add Wordfence by default in the Cloudron package as indeed everyone has to decide themselves. Personally I install it in every Wordpress site I manage.

@jdaviescoates @nebulon found this somewhere:

The Calibre-Web is only a web front end to the actual Calibre application/database itself. You still need a Calibre metadata.db file for Calibre Web to function. To get this, you have to install Calibre somewhere and you can move the metadata.db file into your /storage folder.

That’s why it did work for me, my books where already “managed” by Calibre and the Calibre local ‘root’ folder on my computer contained all the folders and files INCLUDING the metadata.db.

I guess the only way for Calibre Web to know there is something new is via it’s own upload.

@jeau said in What is the RAM usage for this?:

To upload large files, Omeka users prefer to use the FileSideload module.

O, ok, that’s a good learning, thanks!

@girish it would be great to have Pi-hole in Cloudron and I agree with you it should be save so it would be great to have it together with WireGuard.

Is it possible to make a Cloudron-app with Pi-hole in VPN so you can make use of it anywhere AND safe!?

Kind regards,
Marcel.

First of all, this piece of software is magnificent!!! It has not only a beautiful GUI but it's functionality is fantastic!

Is there a possibility to get LDAP so Cloudron users can login automatically?

I just installed and explored EspoCRM and it looks promising!

After configuring in/out going groupbox I noticed emails didn't fetch. Looking at the jobs they are only processed once every 10 minutes. EspoCRM advises to use a minute cron but the app is configured at every 10 minutes.

Is it possible to change this to 1 minute otherwise one had to wait too long for emails to be fetched?

@nj please read the very well documented manual: https://docs.cloudron.io/email/#import-email

@rmdes for all my VPS’s I use Zabbix to monitor. However still not able to monitor inside containers.

@nebulon I see here https://git.cloudron.io/cloudron/freescout-app an app with the comment "Basic installation without setup". I can't wait to see this great app in the Cloudron store

Keep up the good work!

@doodlemania2 could it be that:

1. there are self registered "users" you don't know
2. that these users use your Vaultwarden Send to send spam maybe even with ("phishing") attachments?

I think it's good to have a look at the users and their Sends?

It would be extremely convenient to have Cloudron as a LDAP server (app) and contains "the one and only truth" about usermanagement (all users/groups etc) so external systems (like local NAS) can make use of it.

Is that feasible, easy to do, safe ...?

@nebulon said in Proposal: Free-Tier Alterations :

To wrap up, my opinion: With more adoption, we can afford to lower prices for everyone, BUT we won't just buy more adoption by giving more for free, as this results in pushing the cost to subscribers.

I hope with this clear and good statement this ever returning discussion can be closed.

If you can't afford 3 beers a month (=$15) for this wonderful product (=Cloudron) that manages your server safely, keeps it up-to-date, provides you with hundreds of apps, keep them up-to-date and provides you email, backups, usermanagement, etc etc ... then you always have a choice to not use Cloudron.

Any news on a Jitsi app on Cloudron?

The Privacy Authority of The Netherlands published a overview of video-call apps (https://autoriteitpersoonsgegevens.nl/nl/nieuws/keuzehulp-privacy-bij-videobel-apps) and here (https://autoriteitpersoonsgegevens.nl/sites/default/files/atoms/files/keuzehulp_privacy_videobellen.pdf) you see that it looks like Jitsi is the best choice!

@nebulon if you can add Dutch/Nederlands I will provide the translations for that

@nebulon and @girish somehow this change (or something else) made the reboot of my 3 cloudron servers superfast!

Before it took at least 4-6 minutes and today everything (all services and apps) are up again within 1 minute!!!!

Good job!!

@LoudLemur YES of course, that IS Cloudron

@girish you don't have these issues if you combine with Wireguard.

Today I found out that during a restore of an app at the app URL the screen below is showed.

I think this is highly unwanted. There is already functionality (and I use that) to create custom pages https://docs.cloudron.io/branding/#custom-pages why not use that one?

@Mallewax said in AdGuard - Network-wide ads & trackers blocking DNS server:

Pihole plus Wireguard

Let's vote more here: https://forum.cloudron.io/topic/1355/pi-hole-network-wide-ad-blocking

In short why:

WireGuard is a very fast, safe and stateless VPN, great with mobile apps to be ALWAYS CONNECTED via your own VPN & covered by the Pi-hole adfilter & security platform. Faster (mobile) connections (no more ads and bulky stuff) to your own safe VPN (no more sniffing by mobile providers or obscure VPN providers).

Need to say more

@marcusquinn great, I do something similar and add "My" in front of the name when it is LDAP, so the user know it can login with same credentials (but here is the thing like mentioned before, sometimes with username and sometimes with full email address).

@nebulon I’ve setup AAAA records manually for all domains, however AAAA for the mailserver doesn’t work. Check your domain and email at https://en.internet.nl and try to get 100%.

For all domains I get a 100% now because you guys did some tweaking in the latest version. However email is still stuck at 84% because of IPv6 and DANE.

It’s now closer to 2022 and really time to implement IPv6 also in blocklists and firewall.

@girish @nebulon one year later: it’s almost 2022 and still Cloudron is not able to handle IPv6 properly out of the box!?

More and more mail clients are supporting BIMI for for digital certifying mails and show logo as proof.

What is BIMI?
Brand Indicators for Message Identification or BIMI (pronounced: Bih-mee) is an emerging email specification that enables the use of brand-controlled logos within supporting email clients. BIMI leverages the work an organization has put into deploying DMARC protection, by bringing brand logos to the customer’s inbox. For the brand’s logo to be displayed, the email must pass DMARC authentication checks, ensuring that the organization’s domain has not been impersonated.

With BIMI you can:
Display your logos on your emails.
Control the logos that display with your email messages.
Cultivate immediate brand recognition and enhanced user experience.

More information:
https://support.apple.com/en-us/HT213155
https://developer.apple.com/support/bimi
https://bimigroup.org

@imc67 one way to solve it (temporary?) is to clear cache and cookies

@murgero

About php.ini, I changed the values in the app-root version but Resourcespace is still noticing the “wrong” values, even after restarting the app.

About your offer for packaging: thanks, this is a generous offer, though we have to wait for Cloudron 6 because of mounting external “disks” into the app to ingest videos and photos.

If it’s really that simple (it was in LAMP) it’s time for me to make a study of packaging and finally do it myself after almost 2 years using Cloudron

Hi @girish I was wondering when the (un)managed WP apps are upgraded to PHP7.4?

WP is already for a long time "complaining" (site diagnose) that 7.3 is outdated and should be upgraded to 7.4.

@girish I had a "similar" issue with Minio in Docker on two different Synology NAS's. The WatchDog automatically updated the containers, the backups from Cloudron to these kept on working however accessing the GUI was not possible.

Yesterday and today I took a lot of time to solve this, in words:

1. API is still on the default port (ie. 9000, 9001 etc), accessing this with a browser will redirect to the GUI port
2. GUI I moved to port 9100 (or 9101, etc)

With the command below and some port forwarding in my router it's all working again (the trick that solved issues was MINIO_SERVER_URL, because of TLS):

sudo docker run -dit --restart unless-stopped -p 9000:9000 -p 9100:9100 --name minio -e "MINIO_ROOT_USER=**********************" -e "MINIO_ROOT_PASSWORD=********************" -e "MINIO_SERVER_URL=https://sub.domain.tld:9000" -v /volume1/IT/cloudron-backup:/data -v /volume1/docker/minio/config:/root/.minio minio/minio server /data --console-address ":9100"

@girish and @scooke just a few minutes ago the 2.3.0 version is released!!!

https://github.com/Chocobozzz/PeerTube/releases/tag/v2.3.0

I really can't wait to have this on Cloudron and use it for our 1000+ videos on our own "...tube"

@atrilahiji and @robi

I tried restream.io (didn't knew that!) to check if stream can be arrived there and restreamed to Twitch, all worked fine!

We use a Datavideo Encoder, the settings are:

Resolution : 1280 x 720
Framerate : 50.00 (Progressive)
Scale Down NO
SD Aspect Ratio (Input) 16:9
H.264 Encode Main 3.1
GOP Structure IPPP
GOP Size 50
Video Bitrate (Kbps) 2500
Video Rate Mode CBR
Audio Stereo Stereo
Stereo Bitrate (Kbps) 384
Audio Source DIG
Analog Audio System EBU

I think I'm going to create an issue on their Github.

However, Peertube livestream has for us some limitations like, they don't have and will get a 'passthrough' (like a build-in restream) which many platform of course do have.

I really think that OSP (https://forum.cloudron.io/topic/2707/open-streaming-platform-osp/) has better credits, is much actively developed by people who are into streaming. So let's vote for that too

This is something! +1 from me

@v_shnu I succeeded in continuing ... the reason was "simple" I used Firefox and it's privacy settings were too tight. In Safari I succeeded to connect.

Tests succeeded, now I need to get the app approved which is very though at FB I experienced before.

Thanks for the great product!

@nebulon @girish I'm discovering EspoCRM and really, this is an absolutely fantastic piece of software with lots of (hidden) gems!

However it is also a privacy related app because (of course) mostly used with personal data. Therefore they build in several audit possibilities.

But one is impossible to track: real IP of a user, only the docker internal IP is logged.

Can you please make it possible to log real IP's?

@fbartels https://forum.cloudron.io/topic/8032/apps-stuck-updating-cleaning-up-old-install-even-after-stopping-restarting-task/

If they move the notifications, I'd also suggest to add a red-bullet in the menu-button on mobile. Now you have to open the menu to check if there are notifications.

Freescout is absolutely awesome, fast and easy "shared mailbox".

Would love to see this in an CloudronApp, I know 2 organizations using Cloudron will immediately start using this app.

@marcusquinn said in Security audits not possible: real IP not logged:

Are you a power user

A power user