Cloudron Forum


malvim

@malvim
Posts: 146 | Topics: 14 | Shares: 0 | Groups: 0 | Followers: 0 | Following: 0

Posts


  • Cloudron 9 - VPN In/Out for Containerized Apps
    M malvim

    @james I'm TERRIBLE at writeups, but I'll summarize it and maybe we can write something better together if you think it's interesting enough:

    So I have a cloudron machine with a public IP, vanilla setup. I also have a raspberry pi in my home network running a few services, and an external VPS.

    I use a "hub-and-spoke" wireguard architecture, which is pretty common and straightforward as well. It is set up like so:

    • VPS has a public IP
    • I installed and set up wireguard in it. Let's say it uses interface wg0, and its wg IP address is 10.0.0.1, network 10.0.0.0/24
    • I had to set a few things to enable packet forwarding on the VPS so it would act as a "router" between my raspberry pi and other devices, but it's pretty straightforward stuff
    • I installed and set up wireguard in my raspberry pi, interface wg0, IP address 10.0.0.2; added the VPS as a peer with its public key, allowed-ips 10.0.0.1/24, and the endpoint is its public IP and the port I had wireguard listen on

    So now when I turn on wireguard on both VPS and pi, I can ping 10.0.0.1 from the pi, and I can ping 10.0.0.2 from the VPS. This is the simple hub-and-spoke setup, with the VPS acting as the hub (because it has a public IP address) and the raspberry pi and other devices (say my laptop or phone) are the "spokes".

    So now for the cloudron part:

    • installed wireguard on my cloudron machine and set it up as a peer to the wireguard network, same as I did on the pi. Added the VPS as the only peer, and on the VPS added one more peer which was the cloudron server. Say its IP is 10.0.0.100
    • I can now ping 10.0.0.1 (vps) and 10.0.0.2 (pi) from the cloudron server, and I can also ping these IPs FROM ANY CLOUDRON APP as well!
    • I had a service running on the raspberry pi on port 8080, so I installed a new app proxy on the cloudron from the app store, and the upstream address was http://10.0.0.2:8080, and it all worked.

    Now, I COULD get rid of the VPS and use only cloudron, both as the wireguard "hub" and reverse proxy. That would be great because it's one less machine I have to pay for and maintain (the VPS), and I would benefit from user management and stuff. Cloudron explicitly says it needs to be the sole service installed on the machine, though (which makes sense, not complaining), so I haven't done this yet.

    Not sure this is a good enough description, but I'm here to answer any questions if needed.

    Feature Requests
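
The hub-and-spoke layout described in the post above, written out as wg-quick configuration. This is an added example, not part of the original post: the keys, the endpoint and port 51820 are placeholders, and the per-peer /32 AllowedIPs on the hub and the keepalive on the spoke are assumptions.

```ini
# Added example (not from the original post). Values in <...> are placeholders.

# ---- Hub (VPS), /etc/wireguard/wg0.conf ----
# Forwarding between spokes also needs net.ipv4.ip_forward = 1 in sysctl.
[Interface]
Address = 10.0.0.1/24
# Assumed port; the post does not name the one it used.
ListenPort = 51820
PrivateKey = <hub-private-key>

# Spoke: Raspberry Pi. A /32 pins this key to one tunnel address,
# so a peer cannot send traffic from another spoke's IP.
[Peer]
PublicKey = <pi-public-key>
AllowedIPs = 10.0.0.2/32

# Spoke: Cloudron server.
[Peer]
PublicKey = <cloudron-public-key>
AllowedIPs = 10.0.0.100/32

# ---- Spoke (Raspberry Pi), /etc/wireguard/wg0.conf ----
# The Cloudron server uses the same layout with Address = 10.0.0.100/24
# and its own private key.
[Interface]
Address = 10.0.0.2/24
PrivateKey = <pi-private-key>

# The hub is the only peer. AllowedIPs covers just the tunnel network
# (the post's 10.0.0.1/24 in network form), so only VPN traffic is routed
# through wg0 and everything else keeps its normal route.
[Peer]
PublicKey = <hub-public-key>
Endpoint = <vps-public-ip>:51820
AllowedIPs = 10.0.0.0/24
# Assumption: the Pi sits behind home NAT, so keep the mapping open.
PersistentKeepalive = 25
```

With this layout an app proxy upstream such as http://10.0.0.2:8080 is reachable by anything that can route to the tunnel network, so the service on the Pi should bind to its wg0 address or be firewalled to the peers that need it.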

  • Cloudron 9 - VPN In/Out for Containerized Apps
    M malvim

    Yeah, I did. I installed wireguard manually and my homelab computer was a peer. Used the proxy app from the App Store to point to its wireguard IP, and it worked well.

    Feature Requests

  • Cloudron 9 - VPN In/Out for Containerized Apps
    M malvim

    VPN as an external addon like databases and the like would be sweet. I've managed to have a proxy app to an internal (homelab) service by manually installing wireguard on the cloudron server, and routing just worked.

    I'm not using it like this anymore, since cloudron doesn't support maintaining external tools on the server, but I think an addon might solve this.

    Feature Requests

  • Apprise Notifications
    M malvim

    @girish yep, separate things indeed. That said, it'll be pretty useful for me, that's why I packaged it.

    About being open, yeah, I don't like that as well, but I'll try to make it work either with basic auth as they suggest (insecure, but better than nothing), or with cloudron's own ProxyAuth, not sure if it would work.

    Feature Requests notifications slack discord telelgram

  • Apprise Notifications
    M malvim

    Now that I read this thread properly, I don't think the packaged app will work as people are asking for here, which is for cloudron to use it for its own notifications. Maybe if cloudron ran it as an internal container and add-on for other apps...

    I still think it is a useful app to have packaged for Cloudron, so I'll keep working on the packaging effort.

    Feature Requests notifications slack discord telelgram

  • Apprise Notifications
    M malvim

    Hi, @girish! So, there's apprise the lib, and Apprise API, a lightweight REST API that is essentially a wrapper around apprise.

    Here:
    This is apprise the lib: https://github.com/caronc/apprise
    And this is apprise API: https://github.com/caronc/apprise-api

    The cloudron app is my attempt at packaging it, which is working fine, although it's completely open to the internet, need to think about it a bit better.

    Maybe on the next days I can open a proper app wishlist post, to get more visibility and see what people think about it.

    Feature Requests notifications slack discord telelgram

  • Apprise Notifications
    M malvim

    Hi, everyone!

    Is there still interest in this? I took a stab at packaging it just for personal use and got it to work. And when I say "got it to work" I mean literally just got it to work:

    • initialized a new cloudron app
    • looked at apprise-api's code and other packaged apps for inspiration
    • bashed everything into submission until it worked

    I paid no attention whatsoever to documentation, production settings and the like. Also, the way it works now, there's no authentication or anything, it's just open on the internet. If anyone wanna take a look, give feedback and maybe help out on the packaging, it's here:

    https://github.com/malvim/apprise-api-cloudron-app

    Not sure what to do about authentication, maybe just use the proxyAuth addon, and keep open just the needed URLs for POSTing notifications? Have to think about that.

    Thanks!

    Feature Requests notifications slack discord telelgram

  • Running other web servers / Docker container?
    M malvim

    @andreasdueren Yes, this is the way. I've done it with a few apps I wrote, and it works great. Plus, you get backups, which is great!

    Support cli packaging

  • Picking Teams for a Tournament
    M malvim

    Put everyone’s name in, choose the “captains” and have them draft names for their teams? Is that what you have in mind?

    Off-topic team tournament gaming

  • Backup Improvements: Restic Backend
    M malvim

    Oh, nice. I'll try dry-run, then, thanks.

    Integrity checks sound like a great feature, looking forward to it.

    Thanks!

    Feature Requests backups feature-request improvement restic

  • Backup Improvements: Restic Backend
    M malvim

    @necrevistonnezr how have you been testing backups? I have a raspberry pi at home, set up with restic/rclone backups as well. Once in a while I mount one of the latest snapshots and check a bit randomly if things "look ok". I'd like to have a better system to check if backups are okay, so any pointers would be appreciated.

    On a more cloudron-related note, @girish, is there a way people test restoring backups on their cloudrons? How would one go about testing if restore will run okay when needed?

    Feature Requests backups feature-request improvement restic

  • OIDC for Nextcloud?
    M malvim

    It sure is a lot of testing for stuff that is not supported by nextcloud itself... 😞

    I myself use the nextcloud mobile app for some things. No idea how it works with OIDC...

    Nextcloud

  • "Default" way to change timezone?
    M malvim

    @girish that would be nice, and it seems to me to be more "natural" to a user, like @d19dotca mentioned. Thanks for taking a look at this!

    Discuss

  • "Default" way to change timezone?
    M malvim

    Thanks for your help, @nebulon, but it seems that's not how it works. At least not on my cloudron.
    I'm using a LAMP app, and the "Cron" item on its config page.

    This is how it looks:

    # +------------------------ minute (0 - 59)
    # |    +------------------- hour (0 - 23)
    # |    |    +-------------- day of month (1 - 31)
    # |    |    |    +--------- month (1 - 12)
    # |    |    |    |    +---- day of week (0 - 6) (Sunday=0 or 7)
    # |    |    |    |    |
    # *    *    *    *    * command to be executed
    # * 7,8 * * 1-5  /app/data/latest/main.sh >> /app/data/app.log
    

    It should fire at 7am and then again at 8am, on weekdays. And it's working, but it's 7 and 8am UTC, not on my timezone. And I've changed cloudron's system timezone to my local time.

    Discuss

  • "Default" way to change timezone?
    M malvim

    Yeah, I understand and that makes sense. Scheduled jobs are the only case in which this is kind of annoying, right? Since the container should still run in UTC, but then we should account for it when scheduling our jobs.

    Maybe I'll just find another way to schedule the jobs, since a few of them need to be run in a specific time of day (on my TZ). I guess this would be the preferred approach? Because even if I account for the difference in hours and schedule them in UTC time, there's all kinds of specifics like daylight savings and the like that would make it kind of a nightmare...

    Thanks anyway for the answers

    Discuss

  • "Default" way to change timezone?
    M malvim

    Yeah, I looked into that, but that's for the cloudron system itself. Backup and update tasks. Host machine and app containers still use UTC.

    Discuss

  • "Default" way to change timezone?
    M malvim

    Hey, guys. Happy holidays!

    So I installed a basic LAMP app in order to run a few small jobs and services I have for personal use.

    I use the scheduler for the jobs, but my server is not in my timezone, and I understand it's cloudron's policy to have everything outside applications in GMT, which makes sense. But that leads to me having to schedule stuff with GMT in mind, which is not ideal.

    Is there a way to set timezone for a specific app container, or is that done on an app-by-app basis? I'd like to not have to package and publish a cloudron app just for that, but am failing to see how to easily do this.

    Is there a "default" way of injecting environment variables? Does cloudron's base image support some set of env vars it loads from somewhere?

    Thanks!

    Discuss

  • About the pocketbase package
    M malvim

    Ah, cool, thanks for the clarification, guys, appreciate it.

    Looking forward to using this one!

    PocketBase

  • About the pocketbase package
    M malvim

    Hi, guys.

    Sorry for the new topic, but the original in the App Wishlist category is locked.

    I've just tested https://git.cloudron.io/cloudron/pocketbase-app adding just the sqlite add-on to the manifest ("paths": ["/app/data/pb_data/data.db"]), and it seems to have worked fine.

    Tried the API, authentication (local user only, not very familiar with how to authenticate cloudron users in this app), creating and removing collections, items, etc. It all seems to be working fine. Maybe we could publish this in that "experimental" state in the app store?

    PocketBase

  • Wireguard VPN
    M malvim

    Another thing I just thought is that it'd be cool to be able to have other apps be VPN clients as well...

    So docker-compose has the "service" network mode, which I think is like the "host" network mode, but instead of the host it uses another container's network. Not sure how we'd implement it, and maybe this would be easier if we had a VPN add-on instead of an app, not sure.

    The use case is one I'm going through right now: I want to use prometheus and grafana to monitor something that I'd like to only be accessed through a wireguard VPN. So at the moment (for testing purposes), I'm keeping the things I want to monitor open on the internet and using prometheus to collect metrics, but if we want to go through with it in production, I'll probably have to host at least prometheus by myself inside our VPN.

    What do you guys think?

    App Wishlist wireguard vpn cloudron security