authentik is an open-source Identity Provider focused on flexibility and versatility. You can use authentik in an existing environment to add support for new protocols, implement sign-up/recovery/etc. in your application so you don't have to deal with it, and many other things.
https://goauthentik.io/
https://github.com/goauthentik/authentik
https://goauthentik.io/docs/installation/docker-compose/
I have packaged Odoo successfully.
Please check out http://github.com/njsubedi/cloudron-odoo
I had to patch the default Database connection function to prevent Odoo from connecting to the database named “postgres” from different places.
Otherwise, everything is working as expected. Simply clone the repo, and then from inside the repo, run
cloudoron build
cloudron install -l <subdomain.yourcloudron.tld>
Please post any error logs or problems here so I can continue to improve it.
Update: somehow LDAP login is failing; need to look into it.
@ianhyzy I finally managed to run Keycloak on Cloudron after a few days of trying. Most of the code is from this repository. The author seemed to have used a heavily modified configuration file, tailored to fit their needs. Also they had a two-step build system, where they pushed a customized Keycloak image to the hub, then the actual Cloudron app made use of the previously pushed image. That didn't seem necessary.
So, I wrote a simple build script that would:
The app I put together is based on cloudron/base:3.2 and makes use of the freshly exported and customized configuration file, which IMO is more compatible with Keycloak updates.
I'll publish the code on Github this weekend. I'm planning to use this instance to install Outline because it now supports a custom OIDC auth provider.
Cheers!
I will be attempting to package this app this weekend. I will post updates in this thread.
@girish Please check this out. I previously packaged Keycloak but suddenly the Keycloak team decided to deprecate the Wildfly version and started supporting Quarkus runtime. So I had to re-package it again. Took a while during the weekdays.
Help Needed. Please check issue on github.
I'm inches away from either successfully running ErpNext or quitting the idea of packaging it. Never had I ever stuck with this kind of stupid errors. 
When everything goes smooth, one of the modules (Payment Module in particular) make the entire table crash in the middle of loading the modules. Fix one error, then another pops up, then another.
I no longer have time nor patience to package this after this week. Here's the progress.. github.com/njsubedi/cloudron-erpnext if anyone has time, skill and patience, please go ahead and continue packaging this piece of sofware.
If anyone knows people from Frappe, please tell them to stop putting spaces and uppercase letters in table names, and at least retry any database operation instead of leaving the entire database in broken state when something fails, then have the user restart the minutes long process from the beginning.
Hours spent: 100+
Please check the issue on Github
I have also packaged Outline: https://github.com/njsubedi/cloudron-outline, thanks to the work @klawitterb started. Still no success with passport-ldapauth but since I've also packaged Keycloak, LDAP auth is no longer a blocker for Outline. I also added some more details on the manifest/POSTINSTALL.md file if anyone is interested. It would be awesome if minio was available as an addon.
I recommend someone with more knowledge of passport-ldapauth to try adding support for authenticating cloudron users.
@girish That worked. By the way, is there a plan to package Keycloak? I managed to run Keycloak and Outline on Cloudron. Keycloak needed some patching to make it work on the read-only system without mounting everything to /app/data. Outline wiki app can be easily set up to authenticate using Keycloak. Both apps seem to be working as they should. Do you think we can publish those apps to the Cloudron App Store? That would be my first experience publishing an app.
Currently, I am packaging the Outline app to directly authenticate with the Cloudron user directory without the need to install Keycloak. If anyone is interested, I published a little more details in my blog. I'm doing another write-up describing the issues I solved while packaging Keylcloak.
Re: Swagger Editor - define REST api
I have been using Postman with my team for developing and publishing APIs for our services, but the costs are adding up pretty quickly ($15/user/month), and still no support for SSO.
I am moving to Swagger Editor, Swagger Codegen & Swagger UI, but it would be great if I could install it inside my Cloudron instance instead of paying for another server.
I noticed that your documentation makes use of Swagger, so I am sure it would be fairly easy to add support for the same.
Please don't forget to upvote if you think it's a good idea.
Update available: Outline v0.63.0
@infogulch I think that's doable. I'll see if I can get it working.
Two major issues that I ran into while testing on cloudron.
frappe framework requires the database name and database username to be the same (its hardcoded and all over the place). When testing locally it worked but in cloudron, db name is appended with “db” and username with “user”
frappe framework needs root access to the database, eg. password of the user named “postgres” (its hardcoded, even if —dbroot-username exists, it’s for mariadb only)
That’s why I’m running postgres server on the Docker container itself, and not use any db addons. I’ll map the db storage to /app/data so it gets backed up regularly.
See you guys with good news next time. Most apps made in Python seem to write all over the filesystem so I’m testing it on readonly environment; once done ErpNext should be available soon. Thank you for your patience.
I have packaged Odoo, and posted about it here.
https://forum.cloudron.io/topic/1256/odoo-distributed-business-apps/25?_=1647263459265
As our team is growing, people start moving out, and sometimes we need to add temporary staff, so there are 2x many users that are marked as not active. The "Users" list is quite hard to navigate. There's a pagination of 20-100 results per page, which is somewhat helpful, but still no way to only show active users.
If there was a way to only show Active users like the screenshot above, that would be much helpful.
Thank you!
@girish I think I didn’t make it clear enough earlier. The Keycloak app itself doesn’t support working as a LDAP server, but makes use of Cloudron LDAP to federate users from Cloudron. It works as a OIDC server. So it’s a pretty trivial setup..
Update available: Outline v0.65.2
@ei8fdb said in Penpot - Design Freedom for Teams:
@nj said in Penpot - Design Freedom for Teams:
I will be attempting to package this app this weekend. I will post updates in this thread.
Are we there yet?
Not yet. 
Had to re-package Keycloak to support the latest version that broke everything. I'm into penpot rn.
@BrutalBirdie It seems the problem only occurs in new installation. Since I've always been updating from previous versions, the error didn't show up. I'm fixing it now; and will update you when done.
Issue: Starting v19.0, Keycloak would require kc.sh --optimized to start Keycloak. Otherwise it would try to run kc.sh build before starting. That resulted in failure in the readonly system.
Issue 2: I had set optionalSso=true but that lead to another issue where CLOUDRON_LDAP_URL variable would be unbound when installed from CLI. I don't think this was the default behaviour when I first packaged Cloudron. Anyway, I have set optionalSso=false just in case Cloudron's default changes again.
The package should build and install correctly. PS: I'll start testing on fresh installs from next releases, so it should not repeat again.
https://github.com/njsubedi/cloudron-keycloak/releases/tag/v19.0.1-patch2
@Sam_uk I still think Keycloak is more stable. If I had to choose between Authentik and Keycloak I'd pick Keycloak any day. Also, I have successfully packaged Keycloak. https://github.com/njsubedi/cloudron-keycloak
I once added an wildcard A Record for *.mydomain that pointed to my box. It would show the message You found a Cloudron out in the wild! message whenever I tried to open a non-existent subdomain, like foobarbaz.mydomain.
Non-existent app:
/home/yellowtent/box/dashboard/dist/splash.htmlYou found a Cloudron out in the wild!foobarbaz.yourdomain to the box and visit the url.Non-responding app:
/home/yellowtent/boxdata/custom_pages/app_not_responding.htmlI am not sure if those files will be replaced during upgrade, but I have the following content in both of those files. 
<html>
<head><title>404 Not Found</title></head>
<body>
<center><h1>404 Not Found</h1></center>
<hr><center>nginx</center>
<!-- no such app / app not working -->
</body>
</html>
It would be cool to be able to add a custom file app_not_installed.html alongside app_not_responding.html.
@girish the app itself is great. I moved our team from Bookstack to Outline because it was extremely easy to create groups and assign permissions, default permission, etc. It also supports real-time collaboration on the document so we also started using it for meeting notes. So far, no issues. Working wonderfully inside cloudron with minio and keycloak both hosted alongside.
It is also pretty simple to keep updating regularly because of the simple migration command, and storage based on minio. No need to fuss with manual migration and storage, etc.
Also, I’d like to request S3 as an addon, because it’s trivial to create a bucket for an app, and an user for it, then grant “all” permissions on that bucket to that user.
@girish I'd say it is ready to be released as an unstable app. I tried restarting, reinstalling, updating, etc, and everything is working fine. I'm still unsure whether to keep the IMAP settings or remove it, because recvmail is mostly deprecated.
As other members said, there will be missing out on a lot of community addons but sooner or later they will be updated to support the latest Odoo version.
@luckow I've pushed a fix for LDAP Login. I had to map cn to displayName, and use a proper LDAP filter. I was able to immediately log in after installing Odoo.
However, there are two issues:
1. You have to log in with email and password. When I tried to have it login with both username and email, Odoo was creating two different users - one with the email and another one with the username.
2. Odoo throws a Server Error on the first login for a user from LDAP. From the second time, the error is not raised for the same user. Simply reload the page to "resend" the email/password, or log in again.
I spent some time debugging, but couldn't fix it. Looks like a bug in the record cache system of Odoo. If anyone is interested, I have opened an issue.
Update available: Outline v0.64.3
PS: Still no time to look into auth using Cloudron ProxyAuth
@girish for the initial release, I've given up on the idea of using Cloudron addons for now. Postgres is also getting over-complicated so I think I'd stick with MariaDB. Let's see how it goes. The build-run-test cycle is quite tedious when there are all kinds of new errors to resolve. ErpNext turned out to be a lot harder than I expected.
Current status: frappe installed, up and running. ErpNext won't install, and require all its dependencies (apps) to be installed. My target is to publish it by this week.
Gitlab supports adding custom gitlab.yml file (add to the Home of File Manager in the Cloudron dashboard). I am sharing a few custom configurations which I think are really important.
Adding the IP address of the reverse proxy 172.18.0.1 will show the real IP address of the client in Gitlab's logs. The IP address set using X-Forwarded-For by the reverse proxy. For that purpose production/gitlab/trusted_proxies parameter can be set.
For compliance reasons, we cannot allow users to change their username in the Gitlab instance. A setting is not available in the Admin area to prevent users from changing their usernames, but a custom flag production/gitlab/username_changing_enabled can be set.
While configuring 2FA with current default Gitlab installation in gitlab.example.com, the account name in authenticator apps will be shown as localhost:someone@gilab.example.com. To fix this, we can add the production/gitlab/host parameter. After this fix, authenticator apps will show the gitlab instance's domain name instead of localhost.
Current default Gitlab installation wills show the git-clone URL as ssh://git@localhost:port/user/repo. To fix this, we should add a custom production/gitlab/ssh_host parameter.
I would like to have my brand name set on the Branding -> Cloudron Name from my dashboard on Gitlab's LDAP log-in page instead of Cloudron. Simply changing the LDAP server's label production/ldap/servers/main/label did not work. So I simply copied the entire production/ldap configuration block.
Here is my custom gitlab.yml file, that fixes all the above issues.
production:
<<: *base
gitlab:
host: gitlab.mydomain
ssh_host: gitlab.mydomain
trusted_proxies:
- 172.18.0.1
username_changing_enabled: false
ldap:
enabled: true
prevent_ldap_sign_in: false
servers:
main:
label: 'My Domain Login'
host: '172.18.0.1'
port: 3002
uid: 'username'
bind_dn: 'cn=**************************,ou=apps,dc=cloudron'
password: '****************************'
encryption: 'plain'
verify_certificates: false
ca_file: ''
ssl_version: ''
timeout: 10
smartcard_auth: false
active_directory: false
allow_username_or_email_login: false
block_auto_created_users: false
base: 'ou=users,dc=cloudron'
user_filter: ''
group_base: ''
admin_group: ''
external_groups: []
sync_ssh_keys: false
attributes:
username: ['username']
email: ['mail']
name: 'displayname'
first_name: 'givenName'
last_name: 'sn'
lowercase_usernames: false
In my opinion, Gitlab Cloudron package could add the custom file gitlab.yml to the file manager home by default, and set the the above fields in that file instead of modifying the default config file.
Hi @luckow ,
Could you try following this blog post? https://blog.yarsalabs.com/self-hosting-outline-wiki-on-cloudron/
The description and first-time setup still need some work, so I'll look into it again.
I onboarded my entire team to Cloudron; signed up, mailboxes set up, 2FA enabled, and more. Then I realized that the 2FA setting enabled on Cloudron is useless for other apps. Some apps don't have a 2FA option yet; for example, Taiga, which we use to manage all the projects. Also, Bookstack, where all our internal docs go, supports 2FA.
I have understood how Cloudron works, and that this topic has already been discussed in the forum. I started looking for ways to leverage 2FA settings of Cloudron to protect access to other apps. I have thought of a possible solution.
After researching for a while I discovered a solution. Cloudron itself has an active directory server. We could have the users append/prepend the 2FA token with their password every time they log in; the Cloudron LDAP server would see if 2FA is enabled on the account, and if enabled, it will extract the password & 2FA code from the password input and perform authentication. This is pretty trivial because the Cloudron login page has an optional 2FA token field, and the token is only looked required if the user has enabled 2FA.
One of the service offerings I came across has a simple but complete description of this method of using 2FA with LDAP with a dynamic password. https://www.protectimus.com/blog/active-directory-two-factor-authentication/.
This feature is absolutely necessary for me, and I believe there are other people like me. Do you think we could pull this off?
The comment thread on this post seems to have diverted from the original topic. I would like to comment on @marcusquinn's request for 2FA for LDAP apps. As @girish has said, we have had a long discussion about it, and the team couldn't come up with a one-size-fits-all solution. I was expecting the PASSWORD;TOTP feature in version 6 too. Here's my understanding and proposed solution:
1. Apps that have their own 2FA system, like Gogs, Gitlab, Wiki.JS, etc.
NOTE: I have used this trick in quite a few apps to save myself from having dozens of 2FA secrets. I simply replace the app's mfa_secret value with the secret from Cloudron (Hint: while setting up 2FA on your Cloudron account, select to enter code manually, and write the displayed secret in a piece of paper so you can copy it elsewhere).
Cloudron has access to the database so Cloudron could automate this process:
The 2FA code from Cloudron will also work on the app, so no need to have per-app 2FA codes. But this approach has downsides:
I have only done this with my own account because it's quite time consuming to replace the TOTP Secret for all users of my Cloudron instance; a script would certainly help.
2. Apps that do note have native support for 2FA
Proposed solutions:
Enabling 2FA for all apps is an important feature for some users like me, because of compliance reasons & a bit of paranoia. I can't trust everyone to not fall for phishing attacks, so I really wish Cloudron team kept this feature in priority. For the time being, I'm enabling 2FA in per-app basis, and avoiding apps that don't have 2FA built in. 
Update available for Keycloak 18.0.0. Up and running without issues for a while.
https://github.com/njsubedi/cloudron-keycloak
After around a year of using Cloudron, I have installed many apps, and now the admin interface needs scrolling. I have a really wide screen but the layout won't adjust to fill the available space (4 cols only).
If only there was a way to fit more items on the screen it would be easier. For now, supporting upto 6 or 8 rows would do.
PS: The design of the App Store would do too.
If you look at the logs at /app-logs/users you'll see all logins seem to have originated from the docker network.
Please fix this. Thanks!
@humptydumpty I like your idea of educating the users on the login page itself. 
You could also add something like This code protects your account even if someone stole your password. Or a better wording would make an impact, really!
@girish after giving some more thoughts, I don't see a reason to go through all the apps to see if they support 2FA? This only makes stuff more complicated. Even if the app supports 2FA, the Cloudron 2FA will make it redundant; so we can skip that. If someone would like to skip Cloudron 2FA they're free to use the app's own 2FA if it supports.
There could be a choice of ["Use Cloudron 2FA / Let the app handle it"] just like the choice of user management. If the first option is selected, TOTP is checked, otherwise it is not.
@girish, is there a way to import only active users when syncing users with LDAP?
After setting up Keycloak, only the "active" users could log in to Keycloak. But when I try to import active users to Keycloak, all users were imported, including those who were marked as not active in my Cloudron Users dashboard.
I am starting a new topic to keep the discussion to the point. Previous discussions are linked at the bottom of this post. This is to request Cloudron to support inline TOTP code with LDAP Password in the form password;2FCODE.
;TLDR User Stories
Admin can choose to opt-in for
password:2fcodefeature from Settings.
During authentication, Cloudron checks for the setting, and if enabled, splitspasswordand2fcode.
Cloudron performs authentication based on password and the 2fa code.
The last discussion with @girish ended with him mentioning that there's some standardization going on in the field of 2FA in custom fields of LDAP. Out of curiosity, I looked at the roadmaps of many open source projects and found that very few have any plans to standardize or even support TOTP secret through LDAP fields. I have no hopes of any standardization in the near future that Cloudron can look forward to.
I am serious about security, and mandate everyone in my team to enable 2FA whenever possible. We're also using more and more new apps, and I'm seeing mandatory 2FA in individual apps a lot of trouble to go through.
I already have 13 different entries for individual apps' 2FA codes, and the list is growing. Then there are the recovery codes of all apps written on dozens of pieces of paper - The situation is the same across the team, and it's only going to be worse when we stop using apps.
Please do something about it! Pretty, please?
More discussion on this topic:
https://forum.cloudron.io/topic/3285/2fa-for-all-ldap-apps/39
https://forum.cloudron.io/topic/2433/the-real-sso-with/1
https://forum.cloudron.io/topic/1972/i-am-missing-real-sso/1
I would love it if Cloudron supported PowerDNS as a DNS backend. I want wildcard certificate from Let’s Encrypt but it required a programmable backend.
I like to run my own DNS server- a hidden primary that isn’t published (eg. no hostname) and multiple secondary servers across different geolocations. This gives a lot of freedom, and most importantly gives me as little TTL as I want.
Unfortunately, I’ve not been able to use it for my Cloudron.
I'm in for this too. I haven't packaged an app yet, but only because of lack of confidence. It would be awesome to see someone do it, and later be able to help others do the same!
A surprisingly simple, user-friendly and free help desk software with an integrated knowledgebase. It's a simple LAMP app though, so posting it here for everyone even if it does not get packaged. https://www.hesk.com/
Caveat: You can only "download" it; no docker images and such, so it's best suited to be installed in a folder as a LAMP application. You can see it in action at https://www.yarsahost.com/support/.
Context:
I discovered Hesk after testing dozens of other helpdesk software because according to this issue on Github, FreeScout team is not going to have any decent homepage. Custom homepage and knowledgebase come out of the box. I quite regret purchasing so many "modules" for Freescout because I decided to switch to Hesk. That's the reason why I shared it here. Cheers!
@luckow did you try logging in for the second time? As I have mentioned, first-time login still fails. Also if you could raise an issue on Github with the contents of “/run/logs/odoo.log” as soon as you log in, I can look into it.
@infogulch said in ERPNext - cost-effective ERP solution:
frappe framework needs root access to the database
Surely this is not actually necessary to run the app, but is just part of their custom dynamic deployment system (ick). I hope it's possible to extricate the actual app from the framework...
I thought so too. Unfortunately, it keeps asking for "postgres super user password".
@marcusquinn I could do the entire EspoCRM in Directus if I had to. 
I wanted to package it because it's one of the most wanted apps, but I think it takes someone else who knows python and databases more than me.
@nebulon Thanks for the quick fix. I can confirm it works. No ipv6 on my cloudron yet.
@humptydumpty Cloudron asks for the TOTP code on the same page, no?
Some websites show two steps in the UI, but actually send the username, password and code in a single request. Some websites ask for your username first, then display the password field, such as Google and Apple ID web. Some companies use the most common method of asking username and password at once, such as Facebook and Apple ID mobile app interface.
I don't think there's more security risk in one method than the other. If that was the case, all of them would be using the most secure way. That's exactly the same case for the TOTP code. Personally I prefer the username+password+totp in a single page because it "feels" more secure.
Adding this to my list of apps to package.
If a rogue client is an attack vector, the app-specific password doesn't really save from the damage on that particular app. App-specific password have a long lifetime, so they can be silently misused without your knowledge for a relatively long time.
Whereas, the TOTP tokens are refreshed every 30 seconds or so. Even if someone stole your password, they must (MUST) brute-force the TOTP code after 30 seconds, which is going to trigger the brute-force detection mechanism. With immediate session revocation, the damage can be contained.
Hence I believe the only savior is 2FA if that particular app supports. Unfortunately, not all apps support 2FA; even if they did, it's not really fun to enable 2FA, manage backup codes, and in case the authenticator & backup codes are lost, it's not easy to have the admin bypass 2FA on all services. For example, RocketChat admins should do that by directly changing the user's data using the mongo shell.
I haven't looked into the source code of Cloudron yet, but I'm sure we can also have the app-specific passwords to be appended with a TOTP code if 2FA is enabled on the account. The app-specific password and TOTP will be validated by Cloudron in the same way it would validate the account password.
I believe this system reduces friction:
I'm sorry if this comment sounded like a marketing pitch, but I genuinely believe we should pull this off. I'm fascinated by Cloudron because it has saved me a lot of hassle, and by @girish's support, which is by far the best I've ever received from any service provider!
@girish I don't remember creating any folder myself, so I can't tell how it got created there. None of my other Cloudron instances had this issue so it might have happened somehow. I don't have any custom nginx config.
Maybe removing the tmp folder could have solved the issue without the -r flag. The error cp: -r not specified; omitting directory '/home/yellowtent/boxdata/certs/tmp' meant it couldn't copy the tmp folder because -r flag was missing. Also, I added -r because the error message hinted me to do so and it fixed the issue.
I think I am a little too paranoid here. Once I had to recover data deleted from the Gitea instance a month before. Since then I have this backup strategy:
At all times I use around 23x180GB = ~4TB space only for backup.
I recently came across this post https://dirtypipe.cm4all.com/. Looks like everyone needs to look at this. What can be done to update the Kernel version, @girish @nebulon ?
2021-04-29: first support ticket about file corruption
2022-02-19: file corruption problem identified as Linux kernel bug, which turned out to be an exploitable vulnerability
2022-02-20: bug report, exploit and patch sent to the Linux kernel security team
2022-02-21: bug reproduced on Google Pixel 6; bug report sent to the Android Security Team
2022-02-21: patch sent to LKML (without vulnerability details) as suggested by Linus Torvalds, Willy Tarreau and Al Viro
2022-02-23: Linux stable releases with my bug fix (5.16.11, 5.15.25, 5.10.102)
2022-02-24: Google merges my bug fix into the Android kernel
2022-02-28: notified the linux-distros mailing list
2022-03-07: public disclosure
@girish I always thought marking the users as inactive would mean they can't log in to the services that use Cloudron LDAP. On the other hand, for instance, Keycloak has an option to do a full sync of users from the LDAP server. In such cases, Keycloak does not have any way to know whether the users are still active. That's why I asked if there's any filter that I can apply to only fetch/sync active users.
Previously I had enforced 2FA for all users. Today, I saw that the checkbox was turned off. I turned it on. Then clicked "Save". The following error is shown, without any network request.
Note: My account has 2FA enabled. I don't know why the message is shown when I have enabled 2FA in my admin account. I disabled and re-enabled 2FA to see if this error goes away, but it doesn't.
After refreshing the page, the "Require users to set up 2FA" is automatically turned off.
@BrutalBirdie do you mean the Cloudron's usual tests to see if the app installs, backs up and restores correctly? If so I don't think I'll do that because you guys better know how to do that.
@girish @nebulon While installing the cloudron cli, I got this message. Is this something that we should worry about? Please confirm and fix if required. Thanks!
nj@mac% npm install cloudron
up to date, audited 114 packages in 583ms
15 packages are looking for funding
run `npm fund` for details
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
nj@mac% npm audit
# npm audit report
tar-fs <1.16.2
Severity: high
Improper Input Validation in tar-fs -
https://github.com/advisories/GHSA-x2mc-8fgj-3wmr
fix available via `npm audit fix --force`
Will install cloudron@0.9.4, which is a breaking change
node_modules/tar-fs
cloudron >=0.9.5
Depends on vulnerable versions of tar-fs
node_modules/cloudron
2 high severity vulnerabilities
To address all issues (including breaking changes), run:
npm audit fix --force
So quick! It works, thanks! @girish!
I have come across these problem after installing Matomo.
After first-time logging in with admin:changeme, I opened the personal settings page. I changed the default email admin@server.local to admin@mydomain. Then, I tried to change the default password, which told me that LDAP users cannot change their passwords. Maybe because admin conflicts with existing LDAP user. Problem: **I could continue to log in with admin:changme as well as with admin:MyLDAPpassworld.
The file manager runs into a problem while trying to view/edit matomo.js. The issue repeats with all all *.js files. Other files with different extention, like php.ini are good to view/edit.
This is a minor one - new version is available - 4.1.0.