Cloudron Forum

@jdaviescoates said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?: @joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?: vaultwarden is fine because it doesn't have Cloudron SSO Yet. Vaultwarden itself does now support OIDC. Or it looks like it will shortly - So would hope for Cloudron SSO to be integrated also! Yet in this case 2FA or the 2FA of Vaultwarden does not really matter, ultimately the issue is the same: How to setup Cloudron 2FA with a cloudron-installed 2FA application. @joseph said in Chicken and egg - Onboarding 2FA mandatory cloudron user with 2FA app?: Was discussing this with a friend yesteday and an analogy he gave me was this is like saving the password manager's password in the password manager itself This won't end well ultimately As mentioned, I get some of the security concerns of having the 2FA related application on a server requiring the same 2FA token to be usable, but there is also no denying the advantages: A central point to manage this app and related-mechanism rather than spreading thin over various servers / architecture / platform Especially on a product/service (Cloudron) that allow for user administrations, administration of the app itself and administration of the 2FA security setting on the same architecture In a limited context (single or small number of users), the resources cost related to on-boarding administering and supporting, often non or limited security-literate users, can be apprehended with a simpler concept, whatever this one might be (e.g. 2FA app of the user's choosing etc..). However, in a different scenario, where the number of user grows, SOPs make sense to be able to strike a reasonable balance between security, scalability and sustainability of the services. This is within this context that my original question fit in - chicken and egg? In the end, I would envisioned a situation where Cloudron admins have their 2FA hosted somewhere else (to mitigate security-related / lock up concerns), but end users would benefit from a 2FA Cloudron related app. Hopefully this make sense also - thank a lot for the inputs already!

@uwcrbc see https://forum.cloudron.io/topic/13260/freescout-oidc-support . Just purchase the OIDC module, activate it in freescout and restart freescout. That's it.

We are updating the package slowly. @vladimir.d should get to it at some point...

@uwcrbc the branding change in platform side is quite easy. The env var is injected already with https://git.cloudron.io/platform/box/-/commit/daa8a60da282fc3c8bbccd4b2b1a4920c2b06812 . But the apps have to be updated. I think we should have this feature in 8.2, yes. And yes, the forum or the blog is the best place. Usually, we announce it here only when it's "stable" . Otherwise, there is a frenzy to update and we don't want to hose things if it was not so stable.

We were able to resolve this. The root cause was the missing unbound-anchor ubuntu package. After intstalling this it worked. More info on that issue is at https://forum.cloudron.io/topic/12496/unbound-anchor-not-found-in-ubuntu-24-04?_=1727881329798

@jdaviescoates I absolutely and entirely did..... So clearly missed a step. all working as expected now - Many thanks!

Fixed with next release

@joseph said in issue with update to 1.6.6?: @uwcrbc said in issue with update to 1.6.6?: I am also wondering why the logs are showing a time that is neither the one set in the Cloudron server settings nor the one from the server. Cloudron server time is always UTC. This timezone is an implementation detail but it's easier if all logs and db fields are in standard time. Cloudron Time zone is used for cron job schedules (https://docs.cloudron.io/settings/#timezone) The times you see in the UI like the logs, eventlog are from the browser timezone . So.. I guess your browser is in UTC+1 ? This also makes sense - I have a fairly locked down browser security wise, which explains the difference between local time and the time displayed in the browser. I will try to remember this. Many thanks again @joseph

@uwcrbc said in My App domain filter with unused domains / external domain: At the moment, filtering per domain shows the list of domains configured on the Cloudron server regardless whether there is an app using it or not. Right, this is how it works currently. The same is possible for All States / Groups as well. Just because there are no apps to list, the item does not get hidden. This can be confusing or not depending on user expectations. It also does not allow to filter for proxy app'ed "external" domains. In the common case, the proxy URL is an IP address and not a domain. In fact, the thing is a URL and not a domain (so we cannot put it in the filter).

Thank you @girish - I'll test with v8 and report back thereafter in case of need.

Thank you @girish - Sounds promising. Looking forward to v8.

@BrutalBirdie That should be part of the docs!

I would like to be able to leave a note alongside a particular application backup, too.

Thanks @girish - i though indeed that OIDC will alleviate, at least partly this situation. Yet, on the other hand, not all apps will support/are supporting OIDC. Many thanks for looking into this.

Sadly I haven't worked on meemo for a long time now. I do use it on a daily bases though, its very tailored to my personal use-cases and thus, currently it doesn't actually support checkboxes I will see if I can improve the markdown rendering soon.

@nebulon Sure - let's say for example that you have different apps for different department/teams in your company and a user can be part of multiple teams/departments. So for example: One group/category of apps is common to all users. One group/category of apps cater to teachers only One group/category of apps cater to students and teachers. A applicable scenario in our organization would be for example: One group/category of apps (NodeBB; WikiJS etc..) common to all users One group/category of apps (Invoice Ninja, Kimai etc..) for users in the Accounting department One group/category of apps (tools such as Vaultwarden, Cal.com, LanguageTool etc..) for users with specific related needs. Does this make sense? It is simply an arbitrary personalisation, not at the individual level, but at the company/provider level. Let me know if it doesn't or does not seem intelligible. Many thanks,

@uwcrbc great find, thanks for sharing! A big +1 from me on this!

@Mawoka Cloudron is designed like a PaaS (like heroku). So, only the application container is needed. Rest of the things (database, cache etc) are maintained and provided by the platform.