Flameshot to Xbackbone on GNU+Linux - problems and solutions

Problems with Flameshot, GNU+Linux, Wayland, keyboard short-cuts?

Check out this blog for solutions and save time, especially if you use Bazzite as your operating system.

https://wanderingmonster.dev/blog/flameshot-xbackbone-linux/

If you've migrated from Windows and miss ShareX's one-key capture-and-upload workflow, this guide
gets you there on Linux using Flameshot and your self-hosted
XBackBone instance.

The end result: press a key → Flameshot GUI opens → annotate → confirm → image uploads
automatically → URL is in your clipboard → desktop notification appears. No extra clicks.

---

Why this isn't obvious

Flameshot v13+ deliberately removed its built-in Imgur uploader. The project's stance is that
uploaders don't belong in core — they want a plugin system instead (still in progress). So there's
no settings toggle for "upload to XBackBone".

The approach below uses flameshot gui -r which pipes the captured PNG to a shell script,
keeping the full Flameshot GUI (annotation tools, preview, cancel) intact.

---

Prerequisites

You'll need these installed:

• flameshot — native package only, not Flatpak (Flatpak sandboxing prevents running external scripts)
• curl — HTTP upload
• jq — JSON parsing
• wl-copy — Wayland clipboard (package: wl-clipboard). X11 users: use xclip instead
• notify-send — desktop notifications (usually pre-installed)
• xbindkeys — key binding daemon (see Step 4)

# Fedora / Bazzite
sudo dnf install flameshot curl jq wl-clipboard xbindkeys

# Ubuntu / Debian
sudo apt install flameshot curl jq wl-clipboard xbindkeys

---

Step 1 — Get your XBackBone token

Log into your XBackBone instance → click your username → Profile → scroll to
Linux Script → note the upload URL and token value.

---

Step 2 — Create the upload script

mkdir -p ~/.local/bin
nano ~/.local/bin/flameshot-xbackbone.sh

#!/usr/bin/env bash
XBACKBONE_URL="https://xb.yourdomain.com/upload"
XBACKBONE_TOKEN="token_your_token_here"
LOGFILE="$HOME/.local/share/flameshot-xbackbone/upload.log"
mkdir -p "$(dirname "$LOGFILE")"

for cmd in flameshot curl jq wl-copy notify-send; do
    if ! command -v "$cmd" &>/dev/null; then
        notify-send "flameshot-xbackbone" "Missing: $cmd" -i dialog-error
        exit 1
    fi
done

TMPFILE=$(mktemp /tmp/flameshot-XXXXXX.png)
trap 'rm -f "$TMPFILE"' EXIT

flameshot gui -r > "$TMPFILE" 2>/dev/null

if [[ ! -s "$TMPFILE" ]]; then
    exit 0  # user cancelled — silent exit
fi

# Note: field name is "upload" not "file", token sent first (see troubleshooting)
RESPONSE=$(curl -s \
    -F "token=$XBACKBONE_TOKEN" \
    -F "upload=@$TMPFILE" \
    "$XBACKBONE_URL")

URL=$(echo "$RESPONSE" | jq -r '.url // empty' 2>/dev/null)

if [[ -n "$URL" ]]; then
    printf '%s' "$URL" | wl-copy
    notify-send "Screenshot uploaded" "$URL" -i flameshot -t 6000
    echo "$(date '+%F %T') OK: $URL" >> "$LOGFILE"
else
    ERROR=$(echo "$RESPONSE" | jq -r '.message // "Unknown error"' 2>/dev/null)
    notify-send "Upload failed" "$ERROR" -i dialog-error -t 10000
    echo "$(date '+%F %T') FAIL: $RESPONSE" >> "$LOGFILE"
    exit 1
fi

chmod +x ~/.local/bin/flameshot-xbackbone.sh
# Test it manually first
~/.local/bin/flameshot-xbackbone.sh

---

Step 3 — First run: Wayland permission prompt

On the first capture, KDE/GNOME may show: "Allow [app] to take a screenshot?" — click Allow.
This is a one-time Wayland portal prompt. It won't appear again.

---

Step 4 — Keyboard shortcut via xbindkeys

Why not KDE Custom Shortcuts?

KDE Plasma 6 removed khotkeys, the daemon that powered custom shortcuts. The UI still exists
but the daemon does not ship on Fedora-based systems. KDE's alternative service shortcut
mechanism (kglobalacceld) works for system services but is unreliable for user scripts.
On Wayland, Plasma's compositor also intercepts PrtSc and common modifier combinations
(Ctrl+PrtSc, Meta+PrtSc) before the shortcut system sees them.

xbindkeys is a standalone daemon that bypasses KDE's shortcut infrastructure entirely.
It just works.

# Create the xbindkeys config
cat > ~/.xbindkeysrc << 'EOF'
"/home/YOUR_USERNAME/.local/bin/flameshot-xbackbone.sh"
  control + Pause
EOF

# Start it now (no reboot needed)
xbindkeys

# Verify
pgrep xbindkeys

Recommended key: Ctrl+Pause — nothing in KDE, Steam, Spectacle, or NVIDIA intercepts
the Pause key. PrtSc variants will be grabbed by Plasma's compositor on Wayland.
If you prefer a different key, use xbindkeys --key to get the key name interactively.

Autostart xbindkeys on login

cat > ~/.config/autostart/xbindkeys.desktop << 'EOF'
[Desktop Entry]
Name=xbindkeys
Exec=xbindkeys
Type=Application
Terminal=false
StartupNotify=false
X-KDE-AutostartPhase=1
EOF

---

Troubleshooting

"Token not specified" error on large screenshots

This is a PHP behaviour: when a file exceeds post_max_size, PHP silently drops all POST fields
including the token, returning a misleading error. Fix on your server:

• php.ini: post_max_size = 256M and upload_max_filesize = 256M
• nginx.conf: client_max_body_size 256M

Both must be set — nginx rejects before PHP sees the request if its own limit is hit.

Clipboard is empty after upload

You're on Wayland but using xclip instead of wl-copy. Install wl-clipboard:

sudo dnf install wl-clipboard   # Fedora/Bazzite
sudo apt install wl-clipboard   # Ubuntu/Debian

Flameshot doesn't open when shortcut is pressed

Test the script directly from a terminal first. If that works, check xbindkeys is running:

pgrep xbindkeys || xbindkeys

Logs

cat ~/.local/share/flameshot-xbackbone/upload.log

---

Tested on Bazzite (Fedora-based, KDE Plasma 6, Wayland and X11) with Flameshot 13.3.0
and XBackBone 3.8.1.

Full write-up including a tour of every failed KDE shortcut approach:
wanderingmonster.dev/blog/flameshot-xbackbone-linux

Reference implementation and upstream RFC:
forgejo.wanderingmonster.dev/WanderingMonster/flameshot-post-capture-command

@staff

https://forum.cloudron.io/

We should see Xbackbone listed here but it is absent.

@robi That is a great explainer image at the end.

@timconsidine Please be careful out there, tim

@jdaviescoates thanks. If you click on the "documentation" of "first time setup" links inside the panel after you install it, the links don't take us to that page. Instead they lead here: https://docs.cloudron.io/apps/snappymail/

Please update the links Joseph, when you have a chance.

https://docs.cloudron.io/apps/snappymail/

Please sort this @staff

Where is the mail admin panel found now? it used to be the app's domain with /?admin appended.

@timconsidine I totally agree! Cloudflare is like a single throttle point on almost all the internet. It would be interesting to see what would happen if, for some reason, Cloudflare "went evil" (if it already isn't!).
I wonder how much of the internet would work. It is kind of like a gangster "protection racket"...

@IniBudi I am not sure, but according to Grok:

"you've got a classic volumetric DDoS (the kind that floods bandwidth with junk traffic like UDP floods or SYN floods) that chewed through 1TB and knocked your server offline. Cloudflare free + Hetzner/Netcup anti-DDoS is a solid starter setup, but it's getting bypassed or overwhelmed because:Most attacks hit your VPS's real IP directly (bypassing Cloudflare unless everything is perfectly proxied).
Hetzner's protection (Arbor/Juniper-based) is automated but often slow to kick in or just null-routes your IP (blackholes the whole server to protect their network). Netcup's 2 Tbps filter is better but still leaks big attacks or causes brief downtime.
Cloudflare free is unmetered and excellent for web traffic routed through it (absorbs massive attacks at the edge), but it only helps if traffic never reaches your VPS.

The 1TB bandwidth bill/spike proves the attack was hitting your origin directly.Immediate Effective Fixes (Do These Right Now — Mostly Free)Force everything through Cloudflare
In Cloudflare DNS, make ALL records Proxied (orange cloud icon). No A/AAAA records pointing directly to your VPS IP. This routes attacks to Cloudflare's global network first.
Lock your VPS firewall to Cloudflare IPs only (this is the #1 game-changer)
Block everything except Cloudflare's published IP ranges. This stops 99% of direct IP attacks. Hetzner: Use their Cloud Firewall (or iptables).
Netcup: Same with ufw/iptables.
Cloudflare publishes the list here: cloudflare.com/ips (update it automatically via their API — there's a simple cron script for this).
Result: Attack traffic dies at Cloudflare; your VPS barely sees clean traffic.

Activate Cloudflare's emergency mode Turn on "I'm Under Attack" mode (Security → Overview).
Enable Bot Fight Mode + managed WAF rules + rate limiting (free tier has these).
Set Security Level to "High" or "I'm Under Attack".
This challenges suspicious traffic with JS/captchas before it even reaches your server.

Extra quick wins Use Cloudflare Tunnel (cloudflared) if possible — runs on your VPS and proxies traffic without exposing any ports publicly. Zero public IP exposure.
On the server: iptables rate limiting + fail2ban for extra layers.
Contact your VPS support immediately — they can sometimes manually tune mitigation.

These steps alone usually stop the bandwidth massacre because Cloudflare absorbs the junk at their edge (they've mitigated 11+ Tbps attacks).The Strongest Solutions (Ranked by Effectiveness vs Cost)Here's what actually survives big attacks in 2026:Best affordable strong solution: Switch VPS to OVHcloud + keep Cloudflare free/Pro
OVH has the strongest built-in, always-on DDoS protection in the budget VPS world (unlimited, multi-Tbps scrubbing centers, rarely null-routes, works great for L3/L4 volumetric). Users consistently report it handles attacks that destroy Hetzner/Netcup. Pair it with Cloudflare for L7 (web) protection and you're basically bulletproof for most attacks. Migration is straightforward (snapshot your server, spin up OVH VPS, point DNS). This is the combo I recommend for 90% of people in your spot.
Specialized DDoS-protected hosting DDoS-Guard (or similar like PATH.net / Evolution Host): Purpose-built for heavy volumetric attacks. Offers protected VPS or proxy services with fixed pricing and excellent filtering. Great if you want to stay cheap but stronger than Hetzner/Netcup.
BuyVM: Super cheap add-on protection (handles 700M+ pps).

Upgrade Cloudflare only (if you love your current VPS)
Go Pro ($20/mo) for advanced WAF, better rate limiting, and more rules. Still use the firewall lockdown above. For non-HTTP/UDP (games, APIs, etc.), you'll eventually need Cloudflare Spectrum (paid) or a dedicated L4 protector.
Enterprise-level (if budget allows and attacks are constant)
Cloudflare Magic Transit (BGP routing) + your VPS, or Akamai/Imperva. These are what big sites use — full network scrubbing.

Quick Reality CheckIf your server is a website/API (HTTP/HTTPS), the Cloudflare + firewall lockdown + OVH combo will solve 95% of cases for very low cost.
If it's a game server, UDP-heavy service, or Minecraft/etc., prioritize a host with native L4 protection (OVH or specialized like TCPShield) — Cloudflare free alone won't proxy those ports easily.The core principle for any strong solution: You need high-capacity upstream scrubbing so the 1TB flood never reaches your VPS bandwidth/CPU.Do the immediate firewall + proxy steps first — that often fixes it instantly without spending anything. If you tell me exactly what your server runs (website? game? API? ports?), attack type (from CF analytics), or your budget, I can give exact config commands/scripts or migration steps.

"

@ekevu123 said:

I'm the developer of Tymeslot, and I built Cloudron support in from the start. The cloud version is hosted on Cloudron right now. The app also supports authentication with Cloudron accounts and uses the postgres and sendmail addons.

Hey, that is great! Thank you very much! I wish there were more developers like you. When you chat with other devs, do you mention Cloudron to them? What is there reaction? Have they heard of it?

@fanvyr fair point, and I'll hold my hands up on both counts.
On the MongoDB thing: you're right, I was working from stale information. Strapi dropped NoSQL support a while back. Corrected.
On the read-only filesystem critique: I think I framed this wrong. After sitting with your reply and looking at this more carefully, the Content-Type Builder being unavailable in production isn't a Cloudron constraint being imposed on Strapi — it's Strapi's own documented stance. They explicitly discourage using the Content-Type Builder in production regardless of your hosting environment, because schema changes belong in version control and should be deployed deliberately. Cloudron's immutable container model is actually aligned with that philosophy, not fighting it.
The real workflow is:

Develop and modify content types locally in dev mode
Schema files land in src/api/ in your Git repo
Rebuild your Docker image with the updated schemas baked in
cloudron update --image to deploy

That's not a workaround, it's just treating your CMS schema like code, which is the right call when business logic depends on it.
Where I think the "unsuitable" framing has some merit is for a narrower use case: someone who wants a fully self-contained admin experience where non-technical editors can modify the data model directly in the browser in production, with no local dev environment involved. For that specific workflow, Directus (schema-in-database) is genuinely a better fit on Cloudron. But that's a workflow preference, not a fundamental incompatibility.
So to revise my original position: Strapi on Cloudron is well-suited for teams who treat their CMS like code, schemas in Git, changes shipped via image builds, proper dev/staging/prod cycle. If that matches how you work, it's a great fit. If you want point-and-click schema changes in production with no local tooling, look at Directus.
Thanks for the correction!

Well done!

We did an automated check on how suitable Docs is for packaging on Cloudron. TL/DR: it is a pretty good candidate:

https://wanderingmonster.dev/blog/monster-manual-la-suite-docs/

https://wanderingmonster.dev/blog/monster-manual-facilmap/

@timconsidine Can concur - we ran an automated test on how suitable Firebase is for Cloudron packaging and it was the strongest "NO" we have had yet.

You can see the report here. We will eventually put these on a blog...

https://wanderingmonster.dev/blog/monster-manual-supabase/

https://enjoys.rocks/?6b5b1a3c20f9aa0a#582G6tGpuhXqahwG8wt1ZRLAReMBiTNvjGkRLw6epL3D

@robi said:

@LoudLemur would it be more discoverable if it was published as a blog or docs site and then include llms.txt and llms-full.txt to make parsing easier for the agents?

Thanks, @robi You can see the blog here:

https://wanderingmonster.dev/blog/cloudron-packaging-assessment-toolkit/

Cloudron Packaging Assessment Toolkit: automated app assessment using AI

Following the discussion here about AI-assisted packaging, I have been building tooling to help assess applications before committing to packaging them. The core idea: the initial packaging is roughly 30% of the total effort. The other 70% is SSO integration, upgrade path testing, backup correctness, and ongoing maintenance. A good assessment upfront saves everyone time.

What it does

Give the assessment agent a GitHub URL and it produces a structured report with two scores:

• Structural difficulty (how hard to get it running): processes, databases, runtime, broker, filesystem writes, auth
• Compliance/maintenance cost (how hard to keep it running well): SSO quality, upstream stability, backup complexity, platform model fit, configuration drift risk

Each score comes with specific evidence from the repo's actual files, not guesses from the README alone. It reads the docker-compose.yml, Dockerfile, package manifests, and deployment docs.

I have used it to assess several wishlist apps and posted the results in their respective threads. The reports look like this (FacilMap example):

Structural difficulty: 1/14 (Trivial)
Compliance/maintenance cost: 3/13 (Low)
Confidence: High

Single Node.js server, Sequelize ORM, MySQL or PostgreSQL via addon.
No native SSO (link-based access model). Requires external map tile
API keys for core routing features.

Key risks:
- No SSO path (app design uses share links, not user accounts)
- External API keys needed for routing (ORS, Mapbox, MaxMind)
- socket.io needs WebSocket proxy config

Each axis has an evidence column explaining what was found and where.

How to use it

You need a quality AI tool which can reach the internet:

1. Create a new AI Project
2. Paste the assessment agent instructions (linked below) into the Project Instructions
3. Optionally add the packaging reference document as Project Knowledge
4. Start a conversation and type: "Assess this app for Cloudron packaging: https://github.com/org/repo"

The agent fetches the repo, analyses it, and produces a report you can post directly into a wishlist thread.

What it cannot do

• It cannot test SSO, backup/restore, or upgrade paths. Those need a live Cloudron instance.
• It cannot predict upstream behaviour (licensing changes, breaking updates).
• Confidence scales with available evidence. An undocumented alpha project gets a low-confidence assessment.
• It tends to be slightly optimistic. When scores feel low for a complex app, check the compliance axis and the "key risks" section.

Files

All files are available here: https://forgejo.wanderingmonster.dev/root/cloudron-packaging

• README.md — explains every file and how to use them
• cloudron-assessment-agent.md — the Claude Project instructions (this is the agent itself)
• cloudron-packaging-reference.md — verified base image inventory for 5.0.0 on Cloudron 9.1.3
• cloudron-scorer.html — interactive HTML scorer with ~40 pre-scored wishlist apps and GitHub auto-lookup
• example-assessment-facilmap.md — full example report

The scorer HTML is a single 40 KB file with no dependencies. Open it locally or host it on Surfer.

Feedback welcome

If you have packaged an app and think the scores are wrong, I would love to hear about it. Calibrating against real experience is exactly what this needs. As @joseph suggested earlier in this thread, comparing against existing packages is the best quality measure.

The agent instructions and scoring rubric are plain markdown files. If you think an axis is missing or miscalibrated, the rubric is easy to edit.

There is a blog post introducing this here:
https://wanderingmonster.dev/blog/cloudron-packaging-assessment-toolkit/

We did an automated assessment of how well Huginn lends itself to packaging and maintenance in Cloudron (pretty well!)

https://wanderingmonster.dev/blog/monster-manual-huginn/

https://enjoys.rocks/?87005dda9d2368ec#3FAGaggruF1FRvmYmXhB4DKyxfN9MpL4x9xv7x5XGEG1

We did an automated assessment of how challenging it would be to package and maintain AppFlowy on Cloudron. (TL/DR - too difficult!)

https://wanderingmonster.dev/blog/monster-manual-appflowy/

https://enjoys.rocks/?002e80d922a9a859#DRKfRQGgaJRWUQG7HR1rREtQW3Bo7kf5RxkKLg7vg2T8

We ran an automated assessment of how difficult it would be to package and then maintain Prosody as an application on Cloudron. The assessment is here (TL/DR - it would be a lot more feasible than Ejabberd):

https://wanderingmonster.dev/blog/monster-manual-prosody/

https://enjoys.rocks/?8957edc0c6a1b7fa#DdSoHsPAZQwxnUHuNVfiQcdFd6soCFf8XLRogrXTNpgy