Penpot - Design Freedom for Teams

@girish absolutly fantastic... for almaost any development a vaiable alternative to figma...you guys are awsome...

I'm in a struggle to make cloudron.mail even more secure and tried to set up DANE. I don't know whether this is Hosting-Provider specific (currently on Netcup). So I do have difficulties to set up a valid TLSA.

steps to reproduce:

1. Download public key via browser (store it as .pm)
2. Generate TLSA entry for let's say port 25 via ssl-tools with

• Usage: DANE-EE
• Selector: Use subject public key
• Matching Type: SHA-256 Hash
• Certificate: Content of .pem file
• Port: 25
• Protocol: tcp
• Domain: mail.<DOMAIN.TLD>

3. setup entries at netcup with the following entries

_25._tcp.mail    in  TLSA    3 1 1 <FINGERPRINT>

If I check the entries via internet.nl I'm able to get one check for DANE Existance...but it seems to be not valid...

But it seems to be even more difficult to setup DANE with the short living Let's encrypt certificates. According to internet.nl we have to republish the entry every time the certificate is renewed and the cloudron generated certificate seems to have no trust anchor TA. So we are not able to use the TA certificate in the "DANE Rollover sceme" (Current + Issuer CA "3 1 1" + "2 1 1") as second TLSA entry...

Maybe @girish or anybody else has experience in pinning the let's encrypt certificate of cloudron with a sufficient workaround?

Main Page: https://www.nocobase.com
Git: https://github.com/nocobase/nocobase
Licence: AGPL-3.0 https://www.nocobase.com/en/agreement
Docker: Yes
Demo: https://demo.nocobase.com/new

Summary: For those that are amazed by the ease of use of baserow to build internal and public faceing apps, but wish to have a low-no-code app builder they can do a little more with. The community Edition has no constrains but the Branding and self-developed plugins should be given back to the community (pretty fair, I think). Alternative to budibase, Tooljet, bubble etc.

Not to be mixed up with nocoDB which is a database with only small application capabilities …

Alternative to:
budibase - non attractive pricing
Tooljet - non attractive pricing
bubble - closed source

@BrutalBirdie While playing around to overcome this error. I found an alternative solution. It doesn't fix the collabora CODE font issue mentioned here, but makes it possible to add fonts to a Nextcloud instance hosted via cloudron.

It works with Nextclouds' ability to add fonts as remote_fonts therefore do the following:

1. Add the desired fonts at https://[YOUR.NEXTCLOUD.DOMAIN]/settings/admin/richdocuments
2. Switch to the apps-filemanager of your cloudrons Nextcloud. Create the folder ~/apps/richdocuments/settings
3. Find out in which [APP-DATA-DIRECTORY] Nextcloud saves the richdocuments-data inside the directory ~/data (e.g. appdata_ocv42l2jdx7f)
4. in the newly created folder, create a file fonts.json (so ~/apps/richdocuments/settings/fonts.json exists) with the content

{
    "kind": "fontconfiguration",
    "server": "[YOUR.NEXTCLOUD.DOMAIN]",
    "fonts": [
        {
            "uri": "https://[YOUR.NEXTCLOUD.DOMAIN]/[APP-DATA-DIRECTORY]/richdocuments/fonts/[FONTNAME-1].ttf"
        },
        {
            "uri": "https://[YOUR.NEXTCLOUD.DOMAIN]/[APP-DATA-DIRECTORY]/richdocuments/fonts/[FONTNAME-2].ttf"
        }
    ]
}

5. restart the collabora app
6. restart the Nextcloud app

Additional, remove any font added to the collabora fonts directory...

Edit: After trial and erroring even more, I found nextcloud updating the fontlist only if ~/apps/richdocuments/settings/fonts.json is again saved.

Edit-2: Unfortunatly after a collabora update nextcloud needs to be restarted again to make the font changes again available…

@nebulon maybe this might solve the issue?
cheers

Recently I played arround, to improve e-mail security with MTA-STS. I was able to simply use surfer app to publish the mta-sts.txt file and set up the necessary DNS entries. But the solution is somewhat clunky, so may be it might be an easy win @girish , to make this directly possible through cloudron ui, until we implement DANE into cloudron.

Steps to reproduce working MTA-STS setup in cloudron useing surfer app

1. setup surfer app at the following subdomain mta-sts.<DOMAIN.TLD>

2. make folder .well-known inside folder public

3. create mta-sts.txt

version: STSv1
mode: enforce
max_age: 86400
mx: mail.<DOMAIN.TLD>

(where any mail server which it should belong should have an entry. I'am not quite shure wethere we need mx: my.<DOMAIN.TLD> as well, but for the tests the above has been sufficient.)

4. set up following DNS records

_mta-sts in TXT v=STSv1; id=20221123132400Z

(where the id is a simple Timestamp or a uniq number to identify the entry)

_smtp._tls in TXT v=TLSRPTv1; rua=mailto:<USERNAME>@<DOMAIN.TLD> 

(where the rua-Mail-Adress is an Address one want's to get the reports)

EDIT:
We can easily check if the setup is correct via check tls.

@girish First of of all, a huge thank you to all participants. This is huge step for seriuos mail providing especially in germany.... but, maybe I don't see the obvious. As it is published... am I able to install it via the appstore? Or do I have to use the cli route mentioned in vladimirs readme?

The minimal image of ubuntu 22.04 of netcup seems to have resolvconf not installed, which seems to be a dependency for init-ubuntu.sh which is used by cloudron-setup. So it produces a error like this :

Fehler traten auf beim Bearbeiten von:^M
resolvconf^M
needrestart is being skipped since dpkg has failed
E: Sub-process /usr/bin/dpkg returned an error code (1)

To fix it. resolvconf needs to be installed manually with these commands.

sudo apt-get update && sudo apt-get upgrade -y
sudo apt-get install -y resolvconf
sudo chattr -i /etc/resolv.conf && \
sudo dpkg --configure resolvconf

and one can proceed happily with the installation, without needing to use the full Ubuntu DVD. Can someone approve this fix?

I would realy love to see this happening as HPB is a gamechanger for bigger nextclouds. @doodlemania2 do you think that looking into https://github.com/deeztek/deeztek-docker/tree/master/Linux/nextcloud-spreed-signaling might help you with your packageing?

@fbartels you are right the immutability is solved by the last two lines sudo chattr -i /etc/resolv.conf && ... but with my RS 2000 G9.5 the whole resolv.conf seemed to miss when I tried dpkg-reconfigure resolvconf...therefore I simply installed it...like in the snippet...
@girish The VPS have generally AVX not enabled it's only supported by the RS line a supporter of Netcup told me... Maybe this should be mentioned on the list of cloudron providers...

@necrevistonnezr you are absolutely right. @LoudLemur as the same legislative rules already applied to the paper-based business communication for a long time before already... from the surveillance perspective you are right, but it is not the government but the business owners, that are collecting the information and need too anyway to fulfill the business. When I look from different angles on it, I even sort of can understand it.

• As a business owner it makes you safe in legal cases (HGB) or financial audits (AO, GoBD)...

• As an end-user/citizen I like the regulation because, that way it is a bit more difficult to mess around with taxes (I think taxes are fair as long as all of us pay them) and with the GDPR rules we in Europe are always able to ask for deletion, change and handing out of at least any personal information...

IMHO So there is as always a fine line between surveillance and the security/freedom we as a community deserve and rely on and in my eyes we as the technical enablers have to consult at that point wisely...

But I'm neither a judge nor a lawyer anyway

@girish I would love to have this feature as well. Especcially as without it's impossible to register the domain at https://hstspreload.org...as you said.

@girish @jdaviescoates The fix is not for the DVD Installation, but for the "original" netcup ubuntu 22.04 minimal image Netcup provides to their users in the Netcup SCP. It makes the DVD full installation of Ubuntu obsolete (and solves the issue of the OP) and reduces the maintenance burden of Netcup RS server customers... with approval I thought of confirmation on a different system by a different user than me. Sorry for the confusion have to work on my english skills

I would absolutly love to see penpot here. It's going to be the perfect figma alternative.
+1

@girish Thank you so much for the quick response...I can confirm putting in https://lt.my-domain.org/6FoL0A/v2 worked perfectly. the check is added by the firefox plugin itself... cloudron is awsome, for the software and the people...

@girish thanks a lot super fast response. Just installed cloudron this day with the new setup-script. For the people reading this in the future) setting the immutable bit did the trick, no installation like I supposed needed. Works like charme...

I'am doing this first time, so foregive me mistakes I do. I went into the folder structure of the collabara_code install. To me it' obviously picking up fonts at both locations:

• at /opt/collaboraoffice/share/fonts/truetype and
• at /usr/share/fonts/

as it is disirable for some users to get rid of the preinstalled fonts we need to:

RUN mv /opt/collaboraoffice/share/fonts/ /app/data/fonts/ && ln -s /app/data/fonts /opt/collaboraoffice/share/fonts/

right after...

ARG CODE_BRAND_VERSION=21.11-17

in the dockerfile. So users can adjust the fonts to their needs...

@LoudLemur in germany there is a legal requirement for almost all businesses according to different laws and regulations to archive without the user haveing the option to modify, delete…so before it get‘s in the inbox. Additionally you have to find mechanisms to not archive personal information due to regulations of the GDPR/DSGVO. Very hairy therefore a solution like mailpiler was developed…

Mailpiler is a software to archive not to backup so a different usecase

I made some weeks ago my first no-code app with baserow and need to say I loved it. But I reached so fast the limits, that this one seems to be the natural next step. +1 for this

As every user has to have app-user permissions to correct or delete his/her data (didn't found a workaround like in baserow) … it's getting pricey pretty fast. Or am I missing something? How do you guys give your users the option to handle their data or do you do it yourself on request?

Given that, it seems that budibase is only for big companies, that can afford to pay hundreds of EUR's per month fast, for small user groups. Unfortunately in my opinion not quite the target group of cloudron … What do you guys think?

Update:

Steps to reproduce:

1. go to cloudron app store install peertube
2. wait untill peertube reaches state running.
3. stop peertube
4. go to section repair in cloudron peertube app
5. select "restart app" and restart app.
6. try visit your youtube instance

After step 5. redis is stopped as well (without manual restart ist produces a ton of errors like:

2022-08-20T04:53:25.000Z [...:443] 2022-08-20 04:53:25.979 info: Connecting to redis...
2022-08-20T04:53:26.000Z [...:443] 2022-08-20 04:53:26.007 error: Error in job queue activitypub-http-fetcher. {
2022-08-20T04:53:26.000Z "err": {
2022-08-20T04:53:26.000Z "stack": "Error: getaddrinfo ENOTFOUND redis-876aae5e-572c-45d1-b48e-5176ba2e62fe\n    at GetAddrInfoReqWrap.onlookup [as oncomplete] (node:dns:71:26)",
2022-08-20T04:53:26.000Z "message": "getaddrinfo ENOTFOUND redis-876aae5e-572c-45d1-b48e-5176ba2e62fe",
2022-08-20T04:53:26.000Z "errno": -3008,
2022-08-20T04:53:26.000Z "code": "ENOTFOUND",
2022-08-20T04:53:26.000Z "syscall": "getaddrinfo",
2022-08-20T04:53:26.000Z "hostname": "redis-876aae5e-572c-45d1-b48e-5176ba2e62fe"
2022-08-20T04:53:26.000Z }

and after step 6 one will see the following message:

You are seeing this page because the DNS record of ... is set to this server's IP but Cloudron has no app configured for this domain.

the message persists even after manually turning redis on and repeat steps 3. to 6.