Pi Hole - network-wide ad blocking

Pi-Hole: https://pi-hole.net/
Especially interesting for on-premises Cloudrons

• Network-wide ad blocking via your own Linux hardware
• Block Over 100,000 Ad-serving Domains: Known ad-serving domains are pulled from third party sources and compiled into one list.
• Block Advertisements On Any Device: Network-level blocking you to block ads in non-traditional placed such as mobile apps and smart TVs, regardless of hardware or OS.
• Improve Overall Network Performance: Since ads are blocked before they are downloaded, your network will perform better.
• Reduce Cellular Data Usage: Pair your Pi-hole with a VPN for on-the-go ad-blocking and save on data costs.
• Monitor Performance And Statistics: The Web interface shows how many ads were blocked, a query log, and more.
• API: Utilize Pi-hole’s API in your scripting or programing projects.

Docker image: https://hub.docker.com/r/diginc/pi-hole/
Pi-Hole on Docker how-to: https://dxpetti.com/blog/2018/running-pi-hole-on-docker/ (part 1) and https://dxpetti.com/blog/2018/keeping-your-pi-hole-container-fresh-with-cron/ (part 2)

I just want to take this opportunity to say Merry Christmas, happy holidays, and a big thank you to the Cloudron staff for their great work which makes all of our lives easier - and even provides the basis for income for many of us.

You’ve built something remarkable, including this helpful community.

Thank you and take some rest!

https://linkwarden.app
https://github.com/linkwarden/linkwarden

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. The objective is to organize useful webpages and articles you find across the web in one place, and since useful webpages can go away (see the inevitability of Link Rot), Linkwarden also saves a copy of each webpage as a Screenshot and PDF, ensuring accessibility even if the original content is no longer available.

Additionally, Linkwarden is designed with collaboration in mind, sharing links with the public and/or allowing multiple users to work together seamlessly.

From: https://docs.rsshub.app/en/

RSSHub is a lightweight and extensible RSS feed aggregator, it's able to generate feeds from pretty much everything.

Perfect companion to TT-RSS, I think.

Examples: https://docs.rsshub.app/en/#application-updates and below

Manual Deployment: https://docs.rsshub.app/en/install/#manual-deployment
Docker Deployment: https://docs.rsshub.app/en/install/#docker-deployment

As Paperless-NG development has stalled, a quite big group of developers have picked up development and released its first version.
Many updates - should be very easy to transition.
https://github.com/paperless-ngx/paperless-ngx

See discussion at https://github.com/jonaswinkler/paperless-ng/issues/1599 and https://github.com/jonaswinkler/paperless-ng/issues/1632

Happy to announce the first release of Paperless-ngx a successor to the awesome DMS Paperless-ng. Migrating from -ng is as easy as pointing your docker image to the new location ( ghcr.io/paperless-ngx/paperless-ngx:latest ) and re-creating (reminder: backup first).
Paperless-ngx is focused on being community-driven, this release alone has contributions from over 50 (!) people with over 250 commits since the old repository and includes new features, bug fixes and security updates. If you're interested, please check it out (there's a demo now too) and if you're willing to contribute we'd love to have you, we are already working on more features for the next release!

More info for the curious:
As many of you know "Paperless-ng" was a very popular fork of the document management system "Paperless". The initial author of -ng, Jonas Winkler, created an amazing project that was eventually designated as the 'official' successor. He maintained a furious development pace for some time but as of this post hasn't been heard from in months. A group of folks dedicated to the software (myself included) decided to try and revive the project and hopefully set it up for a long future. Yes, a similar thing happened with the original Paperless, we are hoping to avoid some of the same mistakes. See jonaswinkler/paperless-ng#1599, jonaswinkler/paperless-ng#1632 and historically the-paperless-project/paperless#711 if you are curious for more about all of this.

A demo is available at demo.paperless-ngx.com using login demo / demo. Note: demo content is reset frequently and confidential information should not be uploaded.

http://www.mailpiler.org

Email archiving provides lots of benefits to your company. Piler is a feature rich open source email archiving solution, and a viable alternative to commercial email archiving products; check out the comparison with Mailarchiva.
Piler has a nice GUI written in PHP supporting several authentication methods (AD/LDAP, SSO, Google OAuth, 2 FA, IMAP, POP3).

• archiving and retention rules
• legal hold
• deduplication
• digital fingerprinting and verification
• full text search
• tagging emails
• view, export, restore emails
• bulk import/export messages
• audit logs
• Google Apps
• Office 365

Docker Image: http://www.mailpiler.org/wiki/testing:create-docker-image

From the makers of Cryptomator: Cryptomator Hub

Video:

Cryptomator Hub adds zero-knowledge key management for teams and organizations to Cryptomator. It easily integrates into your existing identity management incl. OpenID Connect, SAML, and LDAP. As usual, your favorite cloud service remains your free choice.

Cryptomator Hub depends on Keycloak, an open-source identity and access management solution. That means, Hub manages access to your vaults whereas Keycloak manages users, groups, and authentication. In the Setup Wizard, you will have the option to choose between deploying Keycloak alongside Hub or specifying an URL to an existing Keycloak installation.

When Cryptomator Hub is freshly installed, it comes with a community license. This license is valid for 5 seats. Only users assigned to a vault will occupy a seat.

Docs: https://docs.cryptomator.org/en/latest/hub/setup/
Setup Wizard: https://cryptomator.org/hub/setup/

As suggested here, I turned my old post into a separate topic:

This is what I use for remote backups of my local Cloudron backup snapshots (done by rsync) via restic / rclone to Onedrive.

restic is a robust backup solution for incremental, encrypted, mountable(!) backups to local and remote storage. rclone, an equally robust sync software, is just a "transporter tool" that expands the available remote storages by a lot.

Maybe it can be a starting point and some inspiration for your personal needs.

Tools

• rclone: https://rclone.org/docs/
• restic: https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html#other-services-via-rclone
• ssmtp: https://wiki.archlinux.org/title/SSMTP

Installation

• Install tools above via apt
• afterwards update to latest version (repo versions are old): sudo restic self-update && sudo rclone selfupdate

Setup rclone

• Enter an interactive setup process via rclone config
• in my case I use Onedrive as it has 1TB of space coming with my Office 365 subscription
• for the rest of this summary, we assume you gave it the repository name "REPOSITORY"
• details at https://rclone.org/commands/rclone_config/

Setup restic

• set up a backup repository restic -r rclone:REPOSITORY init (for compression support add --repository-version 2- recommended!)
• for a subfolder on onedrive just use restic -r rclone:REPOSITORY:subfolder init (for compression support add --repository-version 2 - recommended!)
• save password that you gave the repository in file /home/USER/resticpw
• details at https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#other-services-via-rclone

Setup SSMTP

• for receiving backup results, otherwise not needed
• See https://wiki.archlinux.org/title/SSMTP

Cloudron Backup settings

• Provider: mountpoint
• Location: /media/CloudronBackup (<-- obviously adjust to your settings)
• this creates a snapshot at /media/CloudronBackup/snapshot for the current backup
• Storage Format: rsync
• Adjust schedule and retention to your liking

Backup, Prune and Check scripts

restic-cron-backup.sh: The actual backup

#!/bin/bash
d=$(date +%Y-%m-%d)
if pidof -o %PPID -x “$0”; then
echo “$(date “+%d.%m.%Y %T”) Exit, already running.”
exit 1
fi
restic -r rclone:REPOSITORY:subfolder backup /media/CloudronBackup/snapshot -p=/home/USER/resticpw 
restic -r rclone:REPOSITORY:subfolder forget --keep-monthly 12 --keep-weekly 5 --keep-daily 14 -p=/home/USER/resticpw
restic -r rclone:REPOSITORY:subfolder check --read-data-subset=2% -p=/home/USER/resticpw
exit

First line does the backup (incremental, encrypted), second line is the backup retention, third line checks a random 2 % of all data for errors.
Note that I only backup the /snapshot folder as all versioning is done by restic.
For compression, add --compression auto (or max) to the backup command.

restic-cron-prune.sh: Pruning unused files in the backup

#!/bin/bash
d=$(date +%Y-%m-%d)
if pidof -o %PPID -x “$0”; then
echo “$(date “+%d.%m.%Y %T”) Exit, already running.”
exit 1
fi
restic -r rclone:REPOSITORY:subfolder prune -p=/home/USER/resticpw
exit

removes unused data from the repository, I run this once a week

restic-cron-check.sh: thorough health check of the backups

#!/bin/bash
d=$(date +%Y-%m-%d)
if pidof -o %PPID -x “$0”; then
echo “$(date “+%d.%m.%Y %T”) Exit, already running.”
exit 1
fi
restic -r rclone:REPOSITORY:subfolder check --read-data -p=/home/USER/resticpw
exit

checks all data for errors, I run this once a week

Crontab

30 2 * * * sh /home/USER/restic-cron-backup.sh | mailx -s "Restic Backup Results" server@mydomain.com
1 5 1 * * sh /home/USER/restic-cron-prune.sh | mailx -s "Restic Prune Results" server@mydomain.com
1 8 1 * * sh /home/USER/restic-cron-check.sh | mailx -s "Restic Full Check Results" server@mydomain.com

Backup daily at 2:30, prune and check once a week. Receive results to specified mail

Mount backups

Just to be complete: You can mount restic backups locally like
restic -r rclone:REPOSITORY:subfolder mount /media/resticmount/ -p=/home/USER/resticpw && cd /media/resticmount
obviously adjust /media/resticmount/to your settings; allows you to browse and copy from full snapshots for each backup

List backups

For listing all available snapshots use
restic -r rclone:REPOSITORY:subfolder snapshots -p=/home/USER/resticpw

Migrate existing backups to compressed backups

For migrating existing repos to compressed repos use these two steps (will take long!)

• restic -r rclone:REPOSITORY:subfolder migrate upgrade_repo_v2 -p=/home/USER/resticpw
• restic -r rclone:REPOSITORY:subfolder prune --repack-uncompressed -p=/home/USER/resticpw

See https://restic.readthedocs.io/en/latest/045_working_with_repos.html#upgrading-the-repository-format-version for details.

It would be great if the Fulltext Search App could be included in the Nextcloud package. The app allows for fulltext search of files and bookmarks via Elasticsearch or Solr.

Homepage: https://apps.nextcloud.com/apps/fulltextsearch / https://github.com/nextcloud/fulltextsearch

Instructions: https://github.com/nextcloud/fulltextsearch/wiki

Snappymail: a modern fork of Rainloop

https://github.com/the-djmaze/snappymail
https://snappymail.eu/

Demo: https://snappymail.eu/demo/
Under active development: https://github.com/the-djmaze/snappymail/releases
Differences to Rainloop: https://github.com/the-djmaze/snappymail#modifications

Simple, modern, lightweight & fast web-based email client.
This is a fork of the much appreciated RainLoop, but with massive changes to be compatible with (mobile) browsers in 2020.

Homepage: https://github.com/zadam/trilium
Screenshots: https://github.com/zadam/trilium/wiki/Screenshot-tour
Docker server installation: https://github.com/zadam/trilium/wiki/Docker-server-installation

Features

• Notes can be arranged into arbitrarily deep tree. Single note can be placed into multiple places in the tree (see cloning)
• Rich WYSIWYG note editing including e.g. tables and images with markdown autoformat
• Support for editing notes with source code, including syntax highlighting
• Fast and easy navigation between notes, full text search and note hoisting
• Seamless note versioning
• Note attributes can be used for note organization, querying and advanced scripting
• Synchronization with self-hosted sync server
• Strong note encryption with per-note granularity
• Relation maps for visualizing notes and their relations
• Scripting - see Advanced showcases
• Scales well in both usability and performance upwards of 100 000 notes
• Touch optimized mobile frontend for smartphones and tablets
• Night theme
• Evernote and Markdown import & export

Builds

Trilium is provided as either desktop application (Linux, Windows, Mac) or web application hosted on your server (Linux).

• If you want to use Trilium on the desktop, download binary release for your platform from latest release, unzip the package and run trilium executable.
• If you want to install Trilium on server, follow this page.
  • Currently only recent Chrome and Firefox are supported (tested) browsers.

https://photostructure.com/
https://photostructure.com/server/photostructure-for-servers/

Photo library with auto organizing, deduping, etc.

• Your PhotoStructure library makes browsing and sharing a lifetime of memories delightful.
• Self-hosted, easy to install, and effortless to run. PhotoStructure is your cloud that runs on your computer. Your data stays yours.
• Automatically organize and dedupe all your photos and videos into one tidy place.
• Browse and share your library on all your devices securely through the web.

@girish said in Love this app:

Same! I use this at home as my internal DNS server. The stats are great. It's amazing how much is blocked.

I think you would do the community here a great favor if you put together a little how-to! I remember folks had trouble setting it up correctly as a local DNS filter.... (including me )

Note that (very effective) compression using zstd has been added to restic beta recently (beta versions are quite stable) - my repository went from 221 GB down to 180 GB with default settings. I have updated the tutorial to reflect this and also a section for migration of existing repos.

Photoprism gets face detection. Shared albums on its way.
https://docs.photoprism.org/release-notes/

Just a FYI:

I see more and more checks in my mail logs by service providers like helo@gamalogic.com or check@kickboxio.net if my email server has a "catch-all" mailbox.

They send emails either to a random address like 4a47f57a869a0ea0@domain.com or at the same time to such random address and the address you used for e.g. registration on a website.

I have long switched from catch-all mailboxes to aliases with wildcards so the emails mentioned above are rejected; they would get delivered to a catch-all mailbox (and such successful delivery will be monitored).

If you do use catch-all mailboxes and have problems with registration at websites and / or reputation of your mail server, you might want to consider a switch.

BTW the security flaws were discovered as part of CAOS, a code review program run by the German Federal Office for Information Security: https://www.bsi.bund.de/DE/Service-Navi/Presse/Alle-Meldungen-News/Meldungen/Codeanalyse-KeePass-Vaultwarden_241014.html (German)

As part of the project for the "Code Analysis of Open Source Software" (CAOS 3.0), the Federal Office for Information Security (BSI) examined the password managers KeePass and Vaultwarden for their security characteristics. Two security vulnerabilities with the "high" rating were identified in Vaultwarden.

In most cases, cyber attacks can be attributed to errors in the program code of the affected applications. The CAOS project helps to identify and eliminate common vulnerabilities and risks. The BSI checked the source code of the password managers KeePass and Vaultwarden for possible defects with mgm security partners GmbH. The BSI has communicated vulnerabilities found in the process to the developers concerned as part of a responsible disclosure procedure. They have analyzed the weak points and have already reacted. The now published results are a combination of source code review, dynamic analysis and interface analysis in the areas of network interfaces, protocols and standards.

In cooperation with mgm security partners GmbH, the BSI started the project "Code Analysis of Open Source Software" (CAOS) in 2021. The task of the project is the vulnerability analysis with the aim of increasing the security of open source software. The project is intended to support developers in the creation of secure software applications and increase confidence in open source software. The focus is on applications that are increasingly used by authorities or private individuals. This new publication is the result of the successor project "Code Analysis of Open Source Software" (CAOS 3.0).

In order to increase the security of open source software in the future, further code analyses are planned. The project for the "Code Analysis of Open Source Software" will be continued. The results will also be published on the BSI website after a responsible disclosure procedure. The procedure allows developers a reasonable period of time to fix security vulnerabilities before publishing them.

Currently we have a static network blocking list, to be filled manually (and in stages, depending on the size of the list): https://docs.cloudron.io/networking/#blocklist

Using the blocklist configuration, one or more IP addresses and/or networks can be blocked from connecting to Cloudron.

There are several providers who provide regularly updated lists of malicious actors, e.g. https://www.blocklist.de/en/export.html

Maybe Cloudron could ingest and update such lists automatically?

It’s not what you communicated but how.

And I believe it‘s far more commendable that @girish kept his patience, analyzed your particular problem (no one else reported something similar), reported it upstream, and merged the fix himself, all within hours. And all without an SLA.

So credit where credit is due.