@robi That is a great explainer image at the end.
LoudLemur
Posts
-
PicoClaw 🦀 — Go based alternative to OpenClaw / ZeroClaw / Nanobot / AgentZero
-
IronClaw — Rust-based secure AI assistant with OpenCode + free models
@timconsidine Please be careful out there, tim
-
Snappy Mail Documentation links - pages not found
@jdaviescoates thanks. If you click on the "documentation" or "first time setup" links inside the panel after you install it, the links don't take us to that page. Instead they lead here: https://docs.cloudron.io/apps/snappymail/
Please update the links Joseph, when you have a chance.
-
Snappy Mail Documentation links - pages not found
https://docs.cloudron.io/apps/snappymail/
Please sort this @staff
Where is the mail admin panel found now? It used to be the app's domain with /?admin appended.
-
Securing cloudron against ddos attacks?
@timconsidine I totally agree! Cloudflare is like a single throttle point on almost all the internet. It would be interesting to see what would happen if, for some reason, Cloudflare "went evil" (if it already isn't!).
I wonder how much of the internet would work. It is kind of like a gangster "protection racket"...
-
Securing cloudron against ddos attacks?
@IniBudi I am not sure, but according to Grok:
"you've got a classic volumetric DDoS (the kind that floods bandwidth with junk traffic like UDP floods or SYN floods) that chewed through 1TB and knocked your server offline. Cloudflare free + Hetzner/Netcup anti-DDoS is a solid starter setup, but it's getting bypassed or overwhelmed because:
- Most attacks hit your VPS's real IP directly (bypassing Cloudflare unless everything is perfectly proxied).
- Hetzner's protection (Arbor/Juniper-based) is automated but often slow to kick in or just null-routes your IP (blackholes the whole server to protect their network). Netcup's 2 Tbps filter is better but still leaks big attacks or causes brief downtime.
- Cloudflare free is unmetered and excellent for web traffic routed through it (absorbs massive attacks at the edge), but it only helps if traffic never reaches your VPS.
The 1TB bandwidth bill/spike proves the attack was hitting your origin directly.

Immediate Effective Fixes (Do These Right Now — Mostly Free)

Force everything through Cloudflare
In Cloudflare DNS, make ALL records Proxied (orange cloud icon). No A/AAAA records pointing directly to your VPS IP. This routes attacks to Cloudflare's global network first.

Lock your VPS firewall to Cloudflare IPs only (this is the #1 game-changer)
Block everything except Cloudflare's published IP ranges. This stops 99% of direct IP attacks.
- Hetzner: Use their Cloud Firewall (or iptables).
- Netcup: Same with ufw/iptables.
- Cloudflare publishes the list here: cloudflare.com/ips (update it automatically via their API — there's a simple cron script for this).
Result: Attack traffic dies at Cloudflare; your VPS barely sees clean traffic.

Activate Cloudflare's emergency mode
- Turn on "I'm Under Attack" mode (Security → Overview).
- Enable Bot Fight Mode + managed WAF rules + rate limiting (free tier has these).
- Set Security Level to "High" or "I'm Under Attack".
This challenges suspicious traffic with JS/captchas before it even reaches your server.

Extra quick wins
- Use Cloudflare Tunnel (cloudflared) if possible — runs on your VPS and proxies traffic without exposing any ports publicly. Zero public IP exposure.
- On the server: iptables rate limiting + fail2ban for extra layers.
- Contact your VPS support immediately — they can sometimes manually tune mitigation.
These steps alone usually stop the bandwidth massacre because Cloudflare absorbs the junk at their edge (they've mitigated 11+ Tbps attacks).

The Strongest Solutions (Ranked by Effectiveness vs Cost)
Here's what actually survives big attacks in 2026:

Best affordable strong solution: Switch VPS to OVHcloud + keep Cloudflare free/Pro
OVH has the strongest built-in, always-on DDoS protection in the budget VPS world (unlimited, multi-Tbps scrubbing centers, rarely null-routes, works great for L3/L4 volumetric). Users consistently report it handles attacks that destroy Hetzner/Netcup. Pair it with Cloudflare for L7 (web) protection and you're basically bulletproof for most attacks. Migration is straightforward (snapshot your server, spin up OVH VPS, point DNS). This is the combo I recommend for 90% of people in your spot.

Specialized DDoS-protected hosting
- DDoS-Guard (or similar like PATH.net / Evolution Host): Purpose-built for heavy volumetric attacks. Offers protected VPS or proxy services with fixed pricing and excellent filtering. Great if you want to stay cheap but stronger than Hetzner/Netcup.
- BuyVM: Super cheap add-on protection (handles 700M+ pps).

Upgrade Cloudflare only (if you love your current VPS)
Go Pro ($20/mo) for advanced WAF, better rate limiting, and more rules. Still use the firewall lockdown above. For non-HTTP/UDP (games, APIs, etc.), you'll eventually need Cloudflare Spectrum (paid) or a dedicated L4 protector.

Enterprise-level (if budget allows and attacks are constant)
Cloudflare Magic Transit (BGP routing) + your VPS, or Akamai/Imperva. These are what big sites use — full network scrubbing.

Quick Reality Check
If your server is a website/API (HTTP/HTTPS), the Cloudflare + firewall lockdown + OVH combo will solve 95% of cases for very low cost.
If it's a game server, UDP-heavy service, or Minecraft/etc., prioritize a host with native L4 protection (OVH or specialized like TCPShield) — Cloudflare free alone won't proxy those ports easily.
The core principle for any strong solution: You need high-capacity upstream scrubbing so the 1TB flood never reaches your VPS bandwidth/CPU.
Do the immediate firewall + proxy steps first — that often fixes it instantly without spending anything. If you tell me exactly what your server runs (website? game? API? ports?), attack type (from CF analytics), or your budget, I can give exact config commands/scripts or migration steps."
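
The firewall lockdown step in the quoted answer, as an added example that is not part of the original post or of the quoted reply: Python that validates a downloaded range list before use and renders an nftables allowlist for TCP 80/443. The table name `cf_allow`, the set names and the sample ranges are assumptions; the ranges are documentation prefixes, not Cloudflare's.

```python
import ipaddress

# Constructed sample input: documentation ranges (RFC 5737 / RFC 3849) stand in
# for the list published at cloudflare.com/ips. Not real Cloudflare ranges.
SAMPLE_LIST = """\
# constructed sample
192.0.2.0/24
198.51.100.0/24
2001:db8::/32
"""

def parse_ranges(text):
    """Validate a newline-separated CIDR list; return (v4, v6) networks."""
    v4, v6 = set(), set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            raise ValueError(f"line {n}: {exc}") from None
        if net.prefixlen == 0:
            # A catch-all entry would silently undo the lockdown.
            raise ValueError(f"line {n}: refusing catch-all {net}")
        (v4 if net.version == 4 else v6).add(net)
    if not v4:
        # Empty or truncated download: fail before touching the firewall.
        raise ValueError("no IPv4 ranges parsed")
    return sorted(v4), sorted(v6)

def render_nft(v4, v6, ports=(80, 443), table="cf_allow"):
    """Build an nftables file that replaces the table in one `nft -f` run."""
    p = ", ".join(map(str, ports))
    sets = [("cf4", "ipv4_addr", "ip", v4), ("cf6", "ipv6_addr", "ip6", v6)]
    sets = [s for s in sets if s[3]]  # skip a family with no ranges
    out = [f"table inet {table}", f"delete table inet {table}",
           f"table inet {table} {{"]
    for name, typ, _, nets in sets:
        elems = ", ".join(map(str, nets))
        out.append(f"  set {name} {{ type {typ}; flags interval; "
                   f"elements = {{ {elems} }} }}")
    out += ["  chain input {",
            "    type filter hook input priority -10; policy accept;"]
    for name, _, fam, _ in sets:
        out.append(f"    tcp dport {{ {p} }} {fam} saddr @{name} accept")
    out += [f"    tcp dport {{ {p} }} drop", "  }", "}"]
    return "\n".join(out) + "\n"
```

Write the returned text to a file and load it with `nft -f`. Traffic to ports that Docker publishes is DNATed and traverses the forward hook rather than input, so confirm which chain actually sees the web ports on your host.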
-
Tymeslot - Better Meeting Scheduling than cal.com
I'm the developer of Tymeslot, and I built Cloudron support in from the start. The cloud version is hosted on Cloudron right now. The app also supports authentication with Cloudron accounts and uses the postgres and sendmail addons.
Hey, that is great! Thank you very much! I wish there were more developers like you. When you chat with other devs, do you mention Cloudron to them? What is their reaction? Have they heard of it?
-
How to Package and Deploy Strapi v5 as a Custom App on Cloudron
@fanvyr fair point, and I'll hold my hands up on both counts.
On the MongoDB thing: you're right, I was working from stale information. Strapi dropped NoSQL support a while back. Corrected.
On the read-only filesystem critique: I think I framed this wrong. After sitting with your reply and looking at this more carefully, the Content-Type Builder being unavailable in production isn't a Cloudron constraint being imposed on Strapi — it's Strapi's own documented stance. They explicitly discourage using the Content-Type Builder in production regardless of your hosting environment, because schema changes belong in version control and should be deployed deliberately. Cloudron's immutable container model is actually aligned with that philosophy, not fighting it.
The real workflow is:
- Develop and modify content types locally in dev mode
- Schema files land in src/api/ in your Git repo
- Rebuild your Docker image with the updated schemas baked in
- cloudron update --image to deploy
That's not a workaround, it's just treating your CMS schema like code, which is the right call when business logic depends on it.
Where I think the "unsuitable" framing has some merit is for a narrower use case: someone who wants a fully self-contained admin experience where non-technical editors can modify the data model directly in the browser in production, with no local dev environment involved. For that specific workflow, Directus (schema-in-database) is genuinely a better fit on Cloudron. But that's a workflow preference, not a fundamental incompatibility.
So to revise my original position: Strapi on Cloudron is well-suited for teams who treat their CMS like code, schemas in Git, changes shipped via image builds, proper dev/staging/prod cycle. If that matches how you work, it's a great fit. If you want point-and-click schema changes in production with no local tooling, look at Directus.
Thanks for the correction!
-
BTCpayserver
Well done!
-
Docs - Alternative to Notion / Outline with OIDC, GDPR compliant, PDF Export (with template) etc...
We did an automated check on how suitable Docs is for packaging on Cloudron. TL/DR: it is a pretty good candidate:
https://wanderingmonster.dev/blog/monster-manual-la-suite-docs/
-
FacilMap
-
Supabase - The open source Firebase alternative.
@timconsidine Can concur - we ran an automated test on how suitable Firebase is for Cloudron packaging and it was the strongest "NO" we have had yet.
You can see the report here. We will eventually put these on a blog...
https://wanderingmonster.dev/blog/monster-manual-supabase/
https://enjoys.rocks/?6b5b1a3c20f9aa0a#582G6tGpuhXqahwG8wt1ZRLAReMBiTNvjGkRLw6epL3D
-
Packaging Applications for Cloudron Using AI
@LoudLemur would it be more discoverable if it was published as a blog or docs site and then include llms.txt and llms-full.txt to make parsing easier for the agents?
Thanks, @robi You can see the blog here:
https://wanderingmonster.dev/blog/cloudron-packaging-assessment-toolkit/
-
Packaging Applications for Cloudron Using AI
Cloudron Packaging Assessment Toolkit: automated app assessment using AI
Following the discussion here about AI-assisted packaging, I have been building tooling to help assess applications before committing to packaging them. The core idea: the initial packaging is roughly 30% of the total effort. The other 70% is SSO integration, upgrade path testing, backup correctness, and ongoing maintenance. A good assessment upfront saves everyone time.
What it does
Give the assessment agent a GitHub URL and it produces a structured report with two scores:
- Structural difficulty (how hard to get it running): processes, databases, runtime, broker, filesystem writes, auth
- Compliance/maintenance cost (how hard to keep it running well): SSO quality, upstream stability, backup complexity, platform model fit, configuration drift risk
Each score comes with specific evidence from the repo's actual files, not guesses from the README alone. It reads the docker-compose.yml, Dockerfile, package manifests, and deployment docs.
I have used it to assess several wishlist apps and posted the results in their respective threads. The reports look like this (FacilMap example):
Structural difficulty: 1/14 (Trivial)
Compliance/maintenance cost: 3/13 (Low)
Confidence: High
Single Node.js server, Sequelize ORM, MySQL or PostgreSQL via addon. No native SSO (link-based access model). Requires external map tile API keys for core routing features.
Key risks:
- No SSO path (app design uses share links, not user accounts)
- External API keys needed for routing (ORS, Mapbox, MaxMind)
- socket.io needs WebSocket proxy config
Each axis has an evidence column explaining what was found and where.
How to use it
You need a quality AI tool which can reach the internet:
- Create a new AI Project
- Paste the assessment agent instructions (linked below) into the Project Instructions
- Optionally add the packaging reference document as Project Knowledge
- Start a conversation and type: "Assess this app for Cloudron packaging: https://github.com/org/repo"
The agent fetches the repo, analyses it, and produces a report you can post directly into a wishlist thread.
What it cannot do
- It cannot test SSO, backup/restore, or upgrade paths. Those need a live Cloudron instance.
- It cannot predict upstream behaviour (licensing changes, breaking updates).
- Confidence scales with available evidence. An undocumented alpha project gets a low-confidence assessment.
- It tends to be slightly optimistic. When scores feel low for a complex app, check the compliance axis and the "key risks" section.
Files
All files are available here: https://forgejo.wanderingmonster.dev/root/cloudron-packaging
- README.md — explains every file and how to use them
- cloudron-assessment-agent.md — the Claude Project instructions (this is the agent itself)
- cloudron-packaging-reference.md — verified base image inventory for 5.0.0 on Cloudron 9.1.3
- cloudron-scorer.html — interactive HTML scorer with ~40 pre-scored wishlist apps and GitHub auto-lookup
- example-assessment-facilmap.md — full example report
The scorer HTML is a single 40 KB file with no dependencies. Open it locally or host it on Surfer.
Feedback welcome
If you have packaged an app and think the scores are wrong, I would love to hear about it. Calibrating against real experience is exactly what this needs. As @joseph suggested earlier in this thread, comparing against existing packages is the best quality measure.
The agent instructions and scoring rubric are plain markdown files. If you think an axis is missing or miscalibrated, the rubric is easy to edit.
There is a blog post introducing this here:
https://wanderingmonster.dev/blog/cloudron-packaging-assessment-toolkit/
-
Huginn - a system for building agents that perform automated tasks for you online
We did an automated assessment of how well Huginn lends itself to packaging and maintenance in Cloudron (pretty well!)
https://wanderingmonster.dev/blog/monster-manual-huginn/
https://enjoys.rocks/?87005dda9d2368ec#3FAGaggruF1FRvmYmXhB4DKyxfN9MpL4x9xv7x5XGEG1
-
AppFlowy
We did an automated assessment of how challenging it would be to package and maintain AppFlowy on Cloudron. (TL/DR - too difficult!)
https://wanderingmonster.dev/blog/monster-manual-appflowy/
https://enjoys.rocks/?002e80d922a9a859#DRKfRQGgaJRWUQG7HR1rREtQW3Bo7kf5RxkKLg7vg2T8
-
XMPP Server - Prosody
We ran an automated assessment of how difficult it would be to package and then maintain Prosody as an application on Cloudron. The assessment is here (TL/DR - it would be a lot more feasible than Ejabberd):
https://wanderingmonster.dev/blog/monster-manual-prosody/
https://enjoys.rocks/?8957edc0c6a1b7fa#DdSoHsPAZQwxnUHuNVfiQcdFd6soCFf8XLRogrXTNpgy
-
ejabberd - Robust, Scalable and Extensible Realtime Server using XMPP, MQTT and SIP
We created an experimental tool to assess whether an application is worth a packaging attempt for Cloudron.
Here is the report for ejabberd. (TL/DR - don't attempt it until e.g. Cloudron supports raw TCP passthrough.)
https://wanderingmonster.dev/blog/monster-manual-ejabberd/
https://enjoys.rocks/?19b53d80739dfd33#BU1rYEiegFVDCNCYkxi74WFFDw1qnPooLjahZUxLzKLv
-
Packaging Applications for Cloudron Using AI
Cloudron Application Packaging Reference
This might be of use to those using AI to package applications for Cloudron. For example, you could include the document as part of your prompt.
It was generated by AI, so we won't post it in the forum. You can find it here:
https://enjoys.rocks/?0c1ef13f2cb2b5cb#3famJDh4a4euNUCrqhMfKG4wkYaJK1XvXT3w5v6of9W7
-
How to install Docassemble on Cloudron as a custom application
@timconsidine That is fantastic, Tim!
I was just trying a version 2 using the Docker Compose approach, but if you have managed to do it on the Cloudron base, that would be much better.