CCAI : Cloudron Custom App Installer

New version : v4.3.2 (git.cloudron.io updated)
Added optional Cloudflare Turnstile support.
Default : not enabled
Edit /app/data/.env to enable and add your config keys

The 'hosted-as-a-service` ccai.appx.uk is now running with Turnstile for anti-bot protection.
If you install this to your own Cloudron, you can choose to run without Turnstile or to enable it.

Why Cloudflare Turnstile ?

• easiest / best non-google captcha type anti-bot
• free account with generous free-tier usage
• minimal code dependencies to simplify app building

Beyond this, it would need a user registration or failed login rate limiter.

@ruihildt it’s not about not wanting to. It’s about how far to go and I’ve opened up that discussion.

I have already put some antibot measures in some places. Adding some additional rate-limiting this evening.

I am very open to discussing how much further to go.
If you have any specific suggestions, I will gladly implement them (working on a 1-time authorisation. But frankly 2FA handles that much better anyway).

I agree it’s not ideal, but I don’t feel it’s that risky.
It uses exactly the same security that Cloudron uses.
So if it is insecure, then by definition Cloudron is insecure.
As always, all Cloudron users should :

• have secure long passwords
• use 2FA
• ideally follow the recommendation to create a dedicated special purpose user and change its password after each use.

No login creds are stored - code is open for inspection to confirm that.

My clear preference is for this app to be in the AppStore so I can take down my site.
If the Cloudron community prefer this to be taken down or locked down further, I will happily do so.

The app and the site are just a response to the 100’s of requests for an easier way to add apps.

I have thought deeply about adding auth or anti-bot measures.

My current conclusion is that anything I add (captcha, Cloudflare Turnstile, user registration in-app or via Keycloak) is going to :

• reduce the utility of this as a hosted app for easy use by those who don't want to install it themselves
• impact anyone who chooses to deploy the app to their own Cloudron with extra dependencies.

So at this point "the juice is not worth the squeeze".
I have however :

• added some rate-limiting for catalogue entry deletions
• added static text to recommend using a dedicated cloudron user for use with this app

I will think about creating a locked-down version with auth for those who want to deploy it to their own Cloudron, while leaving the hosted version w/o auth (basically my risk on the catalogue, because the actual app installation process is secure already).

Hopefully once Cloudron 9 is out and settled down, the version with proper auth can make it suitable for App Store inclusion, and I will retire the open hosted-as-a- service version.

I will review this later, but leaving it here for now pending further ideas.

@nostrdev totally agree

The issue is I'm unsure about the approach strategically in terms of keeping the "hosted as a service" URL open and easy to make use of.

I can easily add http basic auth or use Cloudron proxyauth but communicating those creds has a raft of issues.

I can add proper user registration, but it kinda goes against the original principles of it being an anonymous utility. I don't really want to be maintaining user records or responsible for them, and it's a pain for users to create yet another username and password for this (because obviously they should not be using Cloudron login details).

Maybe I can add some kind of automated short duration one time code delivered by SMS or email. Doesn't help much but maybe one blocker to scripts without a person behind it.

Ideally auth would be handled best by the app being within the AppStore, but that's not in my hands.

Any clever ideas gratefully received.
Otherwise I might have to bite the bullet and implement a user registration system.

@luckow @robi and anyone else interested

New version 4.3.0 pushed to git.cloudron.io/timconsidine/cloudron-customapp-installer :

• added button to import a catalogue to an instance running on your own URL : the default is to install from my hosted instance at https://ccai.appx.uk, but this value can be overridden so you can import from any instance of the app running under another name/URL
• added trash icon to Grid and List views allowing an app to be removed from the running app's catalogue, if it is no longer needed or import does not work quite as expected
• added auto-backup of catalogue prior to a deletion (so admin user has access to previous versions if someone goes wild on deletions)

About deploying this :

• if you have already installed this app to your own Cloudron instance, make sure you backup the contents of your local apps-config.json because installing this version will wipe your instance.

About import :

• imports whatever is in ccai.appx.uk (or specified URL) catalogue, so I can't offer any assurances on this, as I can't watch the catalogue constantly, but will endeavour to keep an eye on it
• therefore continue to exercise caution on installing any apps listed in the catalogue
• the import process a "dedupe" function built in, so anything imported should not overwrite an existing entry that you may have added to your own catalogue

I'm in a quandary about adding authentication to the app.
Generally I should, but it gets in the way of keeping ccai.appx.uk as an open hosted resource.
I will think about an elegant way to handle this.

@LeZalata I should possibly let (@)staff give the official answer but I think it will go like this.

All apps must comply with Cloudron criteria to be in the AppStore which means packaging them according to the docs (AppPackaging).

If so, you can install anything you want using the traditional (manual) approach of clone repo, build image, use Cloudron CLI to install.

Unofficially you can use my hosted Cloudron custom app installer to ease this process (or install in your own Clinton for max privacy).

Basically what I said in first response .
Just because an app is in a container or docker image does not mean it can be installed in Cloudron.
Some apps (eg Supabase) are difficult to package and deploy on Cloudron.

Other platforms like Heroku and Yunohost appear much more open, but they’re littered with apps which don’t work fully, become outdated on versions etc. and generally don’t come close to matching the stability and reliability of Cloudron.

@LeZalata short simple answer : no, not possible currently and maybe not ever
Cloudron requires apps to be packaged in a particular way - see Cloudron docs.

There are however a number of custom apps which have been packaged as Cloudron needs, but are not yet in the Cloudron App Store.
Many of these can be installed to your Cloudron using my https://ccai.appx.uk installer app.

@robi good idea
Away for a week
Will do when I am back

@nostrdev please upvote https://forum.cloudron.io/topic/14231/ccai-cloudron-custom-app-installer

@nostrdev yes there is a public docker image
tcmbp132021/cloudron-customapp-installer:vX.Y.Z

I’m away at present so please check hub.docker.com for the correct version number.

Totally understand about credentials sensitivity.
You can check the code in the repo to see nothing is stored. And no metrics captured.
But feel free to manually use cloudron install —image tcmbp132021/cloudron-customapp-installer:vX.Y.Z after cloning the repo to have access to CloudronManifest.json

The hosted installer is purely a service, direct install is available.

I guess you could set up a special purpose Cloudron user and disable or change password after using it.

@nostrdev said in BTCpayserver:

We suspect this is an issue with the host machine

Thank you.
Will investigate

@nostrdev said in BTCpayserver:

That web app looks cool! Is it self-hostable?

Yes, if you're referring to CCAI
You can actually use the deployed version at https://ccai.appx.uk to install CCAI onto your own Cloudron server.
Or you do it manually (docker build, docker push, cloudrin install) by cloning the repo

@humptydumpty let me get it to beta, and I will show you easy way

Solved a lot of issues this morning but still working on some more

@humptydumpty some - as in partial - good news

I have an initial package of Zoneminder for Cloudron
Distinctly ALPHA
There are some issues

• CSS / skins rendering
• managing complex Zoneminder configs
• authentication (ZM auth does not work currently, interim Cloudron proxyAuth being used)

Biggest issue for me : I know nothing about Zoneminder !
But I can see it would be useful for my network, so am delving into it.

If you want to be bleeding edge, and don't mind issues, I can share but you probably want to wait a bit, as I can't provide support while I am getting it at least to BETA.
Help testing it at that point would be great.

I am away for a week shortly, so may have to pick this up after return.

EDIT #1 : cloudron proxyAuth implemented as temporary measure

EDIT #2 : more errors than I saw initially - maybe it's pre-alpha

@luckow if CCAI is installed in another location, the app catalog will currently diverge as the data is drawn from /app/data/apps-config.json.

TBH I did not think about a “central” catalogue but that’s a nice idea as an option.
Let me think about how to implement.
Maybe a “Sync Catalogue” button.
But one-way or two-way ?
Maybe one way to start.

First impression of OpenObserve : cool !
Definitely a contender to replace my instance of Seq
But a lot to learn about the app and how I can best use it.

@andreasdueren done

@andreasdueren thank you

Added to custom app installer at https://ccai.appx.uk
Installed.
Need to get to know it

I don't think the line in the template Docker : Yes/No is helpful.
It should be Dockerfile : Yes/No.
Having docker-compose available but no Dockerfile is like a chocolate fireguard.

@humptydumpty
I was worried about cameras on remote networks.
I will see if I can do ZM for Cloudron.