andreas/ente-cloudron
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update to version 0.4.3 with S3 configuration improvements

Browse Source 
- Always regenerate Museum configuration on startup to enable runtime S3 credential changes
- Improve S3 configuration logging and validation for Cloudflare R2 endpoints
- Update SMTP configuration to use SMTPS port 2465 with TLS encryption
- Fix Caddy proxy headers to properly forward client information
- Add startup.log for enhanced troubleshooting
- Update build instructions and changelog for version 0.4.3
This commit is contained in:
Andreas Düren
2025-10-30 08:57:37 -06:00
parent 9d4849ee38
commit f28b82db3f
5 changed files with 129 additions and 44 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
BUILD-INSTRUCTIONS.md
View File

@@ -12,13 +12,13 @@
git clone https://github.com/andreasdueren/ente-cloudron.git git clone https://github.com/andreasdueren/ente-cloudron.git
cd ente-cloudron cd ente-cloudron
``` ```
2. Build the image via the Cloudron build service. Adjust `--tag` to match `CloudronManifest.json` (`0.2.1`) and optionally override the Ente git ref: 2. Build the image via the Cloudron build service. Adjust `--tag` to match `CloudronManifest.json` (`0.4.3`) and optionally override the Ente git ref:
```bash ```bash
cloudron build \ cloudron build \
--set-build-service builder.docker.due.ren \ --set-build-service builder.docker.due.ren \
--build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e \ --build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e \
--set-repository andreasdueren/ente-cloudron \ --set-repository andreasdueren/ente-cloudron \
--tag 0.2.1 \ --tag 0.4.3 \
--build-arg ENTE_GIT_REF=main --build-arg ENTE_GIT_REF=main
``` ```
Use a tagged Ente release for reproducible builds (e.g. `--build-arg ENTE_GIT_REF=v0.9.0`). Use a tagged Ente release for reproducible builds (e.g. `--build-arg ENTE_GIT_REF=v0.9.0`).
@@ -28,7 +28,7 @@ Always uninstall the dev instance before reinstalling.
```bash ```bash
cloudron install \ cloudron install \
--location ente.due.ren \ --location ente.due.ren \
--image andreasdueren/ente-cloudron:0.2.1 --image andreasdueren/ente-cloudron:0.4.3
``` ```
If the install command runs for more than ~30seconds without feedback, abort and inspect `cloudron logs --app ente.due.ren`. If the install command runs for more than ~30seconds without feedback, abort and inspect `cloudron logs --app ente.due.ren`.
@@ -54,6 +54,7 @@ Optional: set `CLOUDRON_OIDC_IDENTIFIER`, `CLOUDRON_OIDC_CLIENT_ID`, and `CLOUDR
## Troubleshooting ## Troubleshooting
- **S3 errors**: Verify credentials in `/app/data/config/s3.env`; check connectivity using `aws s3 ls --endpoint-url ...` from a trusted host. - **S3 errors**: Verify credentials in `/app/data/config/s3.env`; check connectivity using `aws s3 ls --endpoint-url ...` from a trusted host.
- **Startup issues**: Inspect `/app/data/logs/startup.log` (also mirrored to `cloudron logs`) for rendered configuration and error messages.
- **Museum not starting**: Inspect `/app/data/museum/configurations/local.yaml` for syntax issues; delete to regenerate. - **Museum not starting**: Inspect `/app/data/museum/configurations/local.yaml` for syntax issues; delete to regenerate.
- **Frontend stale after update**: Restart the app—the startup script re-syncs static assets on each boot. - **Frontend stale after update**: Restart the app—the startup script re-syncs static assets on each boot.
- **OIDC issues**: Confirm the callback URL `/api/v1/session/callback` is allowed in the Cloudron SSO client configuration. - **OIDC issues**: Confirm the callback URL `/api/v1/session/callback` is allowed in the Cloudron SSO client configuration.
@@ -63,4 +64,5 @@ Optional: set `CLOUDRON_OIDC_IDENTIFIER`, `CLOUDRON_OIDC_CLIENT_ID`, and `CLOUDR
cloudron exec --app ente.due.ren -- cat /app/data/museum/configurations/local.yaml cloudron exec --app ente.due.ren -- cat /app/data/museum/configurations/local.yaml
cloudron exec --app ente.due.ren -- ente --help cloudron exec --app ente.due.ren -- ente --help
cloudron logs --app ente.due.ren -f cloudron logs --app ente.due.ren -f
cloudron exec --app ente.due.ren -- tail -f /app/data/logs/startup.log
``` ```

17
CHANGELOG.md
View File

@@ -1,5 +1,22 @@
# Changelog # Changelog
## 0.4.3 (2025-10-29)
* Always regenerate Museum configuration on startup to pick up S3 credential changes
* Enables seamless workflow: add S3 credentials to /app/data/config/s3.env and restart
* Fixes issue where S3 configuration changes required manual intervention
## 0.4.2 (2025-10-29)
* Use SMTPS (port 2465) with TLS encryption for email delivery
* Fixes email sending with requiresValidCertificate flag on Cloudron 9
## 0.4.1 (2025-10-23)
* Fix email sending for user registration by enabling TLS certificate validation in sendmail addon
* Add requiresValidCertificate flag to sendmail configuration to ensure proper SMTP authentication with Go applications
* Note: Requires Cloudron 9 or later for requiresValidCertificate support
## 1.0.0 (2024-06-01) ## 1.0.0 (2024-06-01)
* Initial release of Ente for Cloudron * Initial release of Ente for Cloudron

5
CloudronManifest.json
View File

@@ -7,7 +7,7 @@
"contactEmail": "contact@ente.io", "contactEmail": "contact@ente.io",
"website": "https://ente.io", "website": "https://ente.io",
"tagline": "Open source, end-to-end encrypted photo backup", "tagline": "Open source, end-to-end encrypted photo backup",
"version": "0.4.0", "version": "0.4.3",
"upstreamVersion": "git-main", "upstreamVersion": "git-main",
"healthCheckPath": "/health", "healthCheckPath": "/health",
"httpPort": 3080, "httpPort": 3080,
@@ -17,7 +17,8 @@
"localstorage": {}, "localstorage": {},
"postgresql": {}, "postgresql": {},
"sendmail": { "sendmail": {
"supportsDisplayName": true "supportsDisplayName": true,
"requiresValidCertificate": true
} }
}, },
"checklist": { "checklist": {

26
config.template.yaml
View File

@@ -18,16 +18,20 @@ database:
maxIdleConns: 25 maxIdleConns: 25
connMaxLifetime: "1h" connMaxLifetime: "1h"
storage: s3:
type: "s3" are_local_buckets: false
s3: use_path_style_urls: true
hot_storage:
primary: b2-eu-cen
secondary: b2-eu-cen
derived-storage: b2-eu-cen
b2-eu-cen:
endpoint: "%%S3_ENDPOINT%%" endpoint: "%%S3_ENDPOINT%%"
region: "%%S3_REGION%%" region: "%%S3_REGION%%"
bucket: "%%S3_BUCKET%%" bucket: "%%S3_BUCKET%%"
accessKey: "%%S3_ACCESS_KEY%%" key: "%%S3_ACCESS_KEY%%"
secretKey: "%%S3_SECRET_KEY%%" secret: "%%S3_SECRET_KEY%%"
prefix: "%%S3_PREFIX%%" path_prefix: "%%S3_PREFIX%%"
forcePathStyle: true
email: email:
smtp: smtp:
@@ -48,19 +52,19 @@ auth:
logging: logging:
level: "info" level: "info"
format: "text" format: "text"
# Additional settings based on Museum requirements # Additional settings based on Museum requirements
keygen: keygen:
master: "%%MASTER_KEY%%" master: "%%MASTER_KEY%%"
payments: payments:
enabled: false enabled: false
metadata: metadata:
localPath: "/app/data/storage/metadata" localPath: "/app/data/storage/metadata"
tempDirectory: "/app/data/storage/temp" tempDirectory: "/app/data/storage/temp"
memoryCache: memoryCache:
enabled: true enabled: true
size: 100 size: 100

117
start.sh
View File

@@ -28,7 +28,15 @@ STARTUP_FLAG="$DATA_DIR/startup.lock"
mkdir -p "$LOG_DIR" "$CONFIG_DIR" "$TMP_DIR" "$SECRETS_DIR" "$MUSEUM_RUNTIME_DIR" "$WEB_RUNTIME_DIR" "$MUSEUM_CONFIG_DIR" mkdir -p "$LOG_DIR" "$CONFIG_DIR" "$TMP_DIR" "$SECRETS_DIR" "$MUSEUM_RUNTIME_DIR" "$WEB_RUNTIME_DIR" "$MUSEUM_CONFIG_DIR"
chown -R cloudron:cloudron "$DATA_DIR" chown -R cloudron:cloudron "$DATA_DIR"
LOG_FILE="$LOG_DIR/startup.log"
touch "$LOG_FILE"
chown cloudron:cloudron "$LOG_FILE"
chmod 640 "$LOG_FILE"
# Mirror all output to a persistent log file while retaining stdout/stderr for Cloudron aggregation
exec > >(tee -a "$LOG_FILE") 2>&1
log INFO "Starting Ente for Cloudron" log INFO "Starting Ente for Cloudron"
log INFO "Startup logs are mirrored to $LOG_FILE"
if ! command -v setpriv >/dev/null 2>&1; then if ! command -v setpriv >/dev/null 2>&1; then
log ERROR "setpriv command not found" log ERROR "setpriv command not found"
@@ -112,19 +120,64 @@ if [ "$S3_NOT_CONFIGURED" = "false" ]; then
fi fi
log INFO "Using S3 endpoint $S3_ENDPOINT_HOST (region $S3_REGION, bucket $S3_BUCKET)" log INFO "Using S3 endpoint $S3_ENDPOINT_HOST (region $S3_REGION, bucket $S3_BUCKET)"
S3_REGION_LOWER="$(printf '%s' "$S3_REGION" | tr '[:upper:]' '[:lower:]')"
if printf '%s' "$S3_ENDPOINT_HOST" | grep -q '\.r2\.cloudflarestorage\.com$' && [ "$S3_REGION_LOWER" != "auto" ]; then
log WARN "Cloudflare R2 endpoints require S3_REGION=auto; current value '$S3_REGION' may cause upload failures"
fi
else else
S3_ENDPOINT_HOST="s3.example.com" S3_ENDPOINT_HOST="s3.example.com"
log WARN "S3 not configured - using placeholder values" log WARN "S3 not configured - using placeholder values"
fi fi
DEFAULT_FORCE_PATH_STYLE="true"
if printf '%s' "$S3_ENDPOINT_HOST" | grep -q '\.r2\.cloudflarestorage\.com$'; then
if [ -z "${S3_FORCE_PATH_STYLE:-}" ] && [ -z "${ENTE_S3_FORCE_PATH_STYLE:-}" ]; then
log INFO "Detected Cloudflare R2 endpoint; defaulting to path-style URLs (required by R2)"
fi
fi
S3_FORCE_PATH_STYLE_RAW="${S3_FORCE_PATH_STYLE:-${ENTE_S3_FORCE_PATH_STYLE:-$DEFAULT_FORCE_PATH_STYLE}}"
S3_FORCE_PATH_STYLE="$(printf '%s' "$S3_FORCE_PATH_STYLE_RAW" | tr '[:upper:]' '[:lower:]')"
S3_ARE_LOCAL_BUCKETS="$(printf '%s' "${S3_ARE_LOCAL_BUCKETS:-${ENTE_S3_ARE_LOCAL_BUCKETS:-false}}" | tr '[:upper:]' '[:lower:]')"
S3_PRIMARY_DC="${ENTE_S3_PRIMARY_DC:-b2-eu-cen}"
S3_SECONDARY_DC="${ENTE_S3_SECONDARY_DC:-$S3_PRIMARY_DC}"
S3_DERIVED_DC="${ENTE_S3_DERIVED_DC:-$S3_PRIMARY_DC}"
S3_DCS=()
add_s3_dc() {
local candidate="$1"
if [ -z "$candidate" ]; then
return
fi
for existing in "${S3_DCS[@]}"; do
if [ "$existing" = "$candidate" ]; then
return
fi
done
S3_DCS+=("$candidate")
}
add_s3_dc "$S3_PRIMARY_DC"
add_s3_dc "$S3_SECONDARY_DC"
add_s3_dc "$S3_DERIVED_DC"
S3_PREFIX_DISPLAY="${S3_PREFIX:-<none>}"
log INFO "Resolved S3 configuration: host=$S3_ENDPOINT_HOST region=$S3_REGION pathStyle=$S3_FORCE_PATH_STYLE localBuckets=$S3_ARE_LOCAL_BUCKETS primaryDC=$S3_PRIMARY_DC derivedDC=$S3_DERIVED_DC prefix=$S3_PREFIX_DISPLAY"
DEFAULT_GIN_TRUSTED_PROXIES="127.0.0.1,::1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
GIN_TRUSTED_PROXIES="${GIN_TRUSTED_PROXIES:-$DEFAULT_GIN_TRUSTED_PROXIES}"
export GIN_TRUSTED_PROXIES
log INFO "Configured trusted proxy ranges for Museum: $GIN_TRUSTED_PROXIES"
MASTER_KEY_FILE="$SECRETS_DIR/master_key" MASTER_KEY_FILE="$SECRETS_DIR/master_key"
HASH_KEY_FILE="$SECRETS_DIR/hash_key" HASH_KEY_FILE="$SECRETS_DIR/hash_key"
JWT_SECRET_FILE="$SECRETS_DIR/jwt_secret" JWT_SECRET_FILE="$SECRETS_DIR/jwt_secret"
SESSION_SECRET_FILE="$SECRETS_DIR/session_secret" SESSION_SECRET_FILE="$SECRETS_DIR/session_secret"
SMTP_HOST="${CLOUDRON_MAIL_SMTP_SERVER:-mail}" SMTP_HOST="${CLOUDRON_MAIL_SMTP_SERVER:-mail}"
SMTP_PORT="${CLOUDRON_MAIL_SMTP_PORT:-2525}" SMTP_PORT="${CLOUDRON_MAIL_SMTPS_PORT:-2465}"
SMTP_ENCRYPTION="" SMTP_ENCRYPTION="tls"
SMTP_USERNAME="${CLOUDRON_MAIL_SMTP_USERNAME:-}" SMTP_USERNAME="${CLOUDRON_MAIL_SMTP_USERNAME:-}"
SMTP_PASSWORD="${CLOUDRON_MAIL_SMTP_PASSWORD:-}" SMTP_PASSWORD="${CLOUDRON_MAIL_SMTP_PASSWORD:-}"
SMTP_EMAIL="${CLOUDRON_MAIL_FROM:-no-reply@$RP_ID}" SMTP_EMAIL="${CLOUDRON_MAIL_FROM:-no-reply@$RP_ID}"
@@ -139,7 +192,7 @@ fi
normalize_b64() { normalize_b64() {
local value="$1" local value="$1"
value="$(printf '%s' "$value" | tr -d '\r\n')" value="$(printf '%s' "$value" | tr -d '\r\n')"
value="$(printf '%s' "$value" | tr '-_' '+/')" value="$(printf '%s' "$value" | tr -- '-_' '+/')"
local mod=$(( ${#value} % 4 )) local mod=$(( ${#value} % 4 ))
if [ $mod -eq 2 ]; then if [ $mod -eq 2 ]; then
value="${value}==" value="${value}=="
@@ -154,7 +207,7 @@ normalize_b64() {
normalize_b64url() { normalize_b64url() {
local value="$1" local value="$1"
value="$(printf '%s' "$value" | tr -d '\r\n')" value="$(printf '%s' "$value" | tr -d '\r\n')"
value="$(printf '%s' "$value" | tr '+/' '-_')" value="$(printf '%s' "$value" | tr -- '+/' '-_')"
local mod=$(( ${#value} % 4 )) local mod=$(( ${#value} % 4 ))
if [ $mod -eq 2 ]; then if [ $mod -eq 2 ]; then
value="${value}==" value="${value}=="
@@ -173,7 +226,7 @@ generate_b64() {
generate_b64url() { generate_b64url() {
local bytes="$1" local bytes="$1"
openssl rand -base64 "$bytes" | tr '+/' '-_' | tr -d '\n' openssl rand -base64 "$bytes" | tr -- '+/' '-_' | tr -d '\n'
} }
ensure_secret() { ensure_secret() {
@@ -237,9 +290,9 @@ if [ ! -x "$MUSEUM_BIN" ]; then
exit 1 exit 1
fi fi
if [ ! -f "$MUSEUM_CONFIG" ]; then # Always regenerate Museum config to pick up S3 changes
log INFO "Rendering Museum configuration" log INFO "Rendering Museum configuration"
cat > "$MUSEUM_CONFIG" <<EOF_CFG cat > "$MUSEUM_CONFIG" <<EOF_CFG
log-file: "" log-file: ""
http: http:
port: 8080 port: 8080
@@ -263,19 +316,30 @@ db:
sslmode: disable sslmode: disable
s3: s3:
are_local_buckets: false are_local_buckets: ${S3_ARE_LOCAL_BUCKETS}
use_path_style_urls: true use_path_style_urls: ${S3_FORCE_PATH_STYLE}
hot_storage: hot_storage:
primary: primary-storage primary: ${S3_PRIMARY_DC}
secondary: primary-storage secondary: ${S3_SECONDARY_DC}
primary-storage: derived-storage: ${S3_DERIVED_DC}
EOF_CFG
for dc in "${S3_DCS[@]}"; do
cat >> "$MUSEUM_CONFIG" <<EOF_CFG
$dc:
key: "$S3_ACCESS_KEY" key: "$S3_ACCESS_KEY"
secret: "$S3_SECRET_KEY" secret: "$S3_SECRET_KEY"
endpoint: "$S3_ENDPOINT_HOST" endpoint: "$S3_ENDPOINT_HOST"
region: "$S3_REGION" region: "$S3_REGION"
bucket: "$S3_BUCKET" bucket: "$S3_BUCKET"
path_prefix: "$S3_PREFIX" EOF_CFG
if [ -n "$S3_PREFIX" ]; then
printf ' path_prefix: "%s"\n' "$S3_PREFIX" >> "$MUSEUM_CONFIG"
fi
printf '\n' >> "$MUSEUM_CONFIG"
done
cat >> "$MUSEUM_CONFIG" <<EOF_CFG
smtp: smtp:
host: "${SMTP_HOST}" host: "${SMTP_HOST}"
port: "${SMTP_PORT}" port: "${SMTP_PORT}"
@@ -317,11 +381,8 @@ oidc:
EOF_CFG EOF_CFG
fi fi
chown cloudron:cloudron "$MUSEUM_CONFIG" chown cloudron:cloudron "$MUSEUM_CONFIG"
chmod 600 "$MUSEUM_CONFIG" chmod 600 "$MUSEUM_CONFIG"
else
log INFO "Museum configuration already present; leaving untouched"
fi
log INFO "Preparing frontend assets" log INFO "Preparing frontend assets"
if [ -d "$WEB_SOURCE_DIR" ]; then if [ -d "$WEB_SOURCE_DIR" ]; then
@@ -450,9 +511,9 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
handle_path /api/* { handle_path /api/* {
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up Host {http.request.host} header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote} header_up X-Real-IP {http.request.header.X-Real-IP}
header_up X-Forwarded-For {http.request.remote} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
} }
header Access-Control-Allow-Origin "*" header Access-Control-Allow-Origin "*"
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
@@ -464,18 +525,18 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
rewrite * /ping rewrite * /ping
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up Host {http.request.host} header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote} header_up X-Real-IP {http.request.header.X-Real-IP}
header_up X-Forwarded-For {http.request.remote} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
} }
} }
handle /ping { handle /ping {
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up Host {http.request.host} header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote} header_up X-Real-IP {http.request.header.X-Real-IP}
header_up X-Forwarded-For {http.request.remote} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
} }
} }