andreas/ente-cloudron
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: andreas:9c3605d93586e054ab58c7748aa97efff77c1315
Branches Tags
andreas:main
andreas:v0.1.133 andreas:v0.1.128 andreas:v0.1.127 andreas:v0.1.123 andreas:v0.1.122 andreas:v0.1.121 andreas:v0.1.119 andreas:v0.1.118 andreas:v0.1.66-routing-fixes andreas:v0.1.64-api-docs andreas:v0.1.62-photos-working andreas:v0.1.36
..
compare: andreas:c336e68347c95fb765b622d41f608b4f4e4e0601
Branches Tags
andreas:main
andreas:v0.1.133 andreas:v0.1.128 andreas:v0.1.127 andreas:v0.1.123 andreas:v0.1.122 andreas:v0.1.121 andreas:v0.1.119 andreas:v0.1.118 andreas:v0.1.66-routing-fixes andreas:v0.1.64-api-docs andreas:v0.1.62-photos-working andreas:v0.1.36

38 Commits
9c3605d935 ... c336e68347

Author SHA1 Message Date
Andreas Dueren
c336e68347 Fix CORS handling and real IP logging 2025-10-30 10:49:54 -06:00
Andreas Dueren
bab3024a7d Update to version 0.4.3 with S3 configuration improvements 
- Always regenerate Museum configuration on startup to enable runtime S3 credential changes
- Improve S3 configuration logging and validation for Cloudflare R2 endpoints
- Update SMTP configuration to use SMTPS port 2465 with TLS encryption
- Fix Caddy proxy headers to properly forward client information
- Add startup.log for enhanced troubleshooting
- Update build instructions and changelog for version 0.4.3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-30 08:57:37 -06:00
Andreas Dueren
5d56c2cb04 Add back SMTP authentication for port 2525 
Restore SMTP username and password for authenticated relay on port
2525. According to Cloudron docs, this port should work with plain
SMTP and authentication without STARTTLS.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 09:18:02 -06:00
Andreas Dueren
2d81c3b588 Revert to port 2525 without authentication for internal mail relay 
The STARTTLS port 2587 requires TLS certificate verification, but
Cloudron's internal mail relay uses a wildcard cert for *.due.ren
which doesn't match the hostname 'mail'. Port 2525 is the internal
plain SMTP relay that doesn't require authentication or TLS for
connections from within the same container network.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 09:12:46 -06:00
Andreas Dueren
c28000a396 Use Cloudron STARTTLS port 2587 for SMTP 
Switch from plain SMTP on port 2525 to STARTTLS on port 2587.
The Go smtp.SendMail function automatically handles STARTTLS
negotiation when encryption is empty, which is required by
Cloudron's sendmail addon on the STARTTLS port.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 09:05:28 -06:00
Andreas Dueren
53c66c29cd Add SMTP authentication using Cloudron sendmail credentials 
Configure Museum to use CLOUDRON_MAIL_SMTP_USERNAME and
CLOUDRON_MAIL_SMTP_PASSWORD for authenticated SMTP relay.
This fixes the "550 I cannot deliver mail" error by properly
authenticating with the Cloudron sendmail addon.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 08:54:03 -06:00
Andreas Dueren
b67a7a6941 Fix SMTP configuration to use Cloudron sendmail hostname 
Change SMTP host from localhost/127.0.0.1 to 'mail' as per Cloudron
sendmail addon documentation. The sendmail addon provides a local SMTP
relay accessible via hostname 'mail' on port 2525.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 08:47:18 -06:00
Andreas Dueren
2c829792f4 Use localhost for SMTP instead of Docker bridge IP 
Change SMTP host from 172.18.0.1 to localhost to properly connect
to Cloudron's sendmail relay running inside the container.

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 08:38:12 -06:00
Andreas Dueren
12fdaa7e25 Fix SMTP configuration to use Cloudron mail relay 
Use Cloudron's internal mail relay at 172.18.0.1:2525 instead of
external SMTP server to fix email sending timeouts during registration.

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-22 08:17:48 -06:00
Andreas Dueren
41f39f62a1 Add Caddy handler for static image assets 
Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-21 22:04:39 -06:00
Andreas Dueren
675009ca4f Fix redirect loop by using dummy albums domain 
Instead of trying to match the albums host with current host
(which always fails in path-based routing), use a dummy domain
'albums.localhost.invalid' that will never match the actual host.
This prevents the automatic redirect to /shared-albums.

Version bump to 0.3.2

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-21 20:56:27 -06:00
Andreas Dueren
124c4ef949 Fix redirect loop by setting NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT 
The app was redirecting to /shared-albums because albumsAppOrigin()
returned the same host as the current URL after runtime replacement.
By setting NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT at build time to a
placeholder and replacing it at runtime with the full path-based URL,
the host comparison will fail and prevent the redirect loop.

Version bump to 0.3.1

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-21 20:29:46 -06:00
Andreas Dueren
d45a524d6b Improve URL replacement strategy for frontend assets 
- Enhanced rewrite_frontend_reference function to handle multiple URL encoding formats
- Now replaces plain URLs, backslash-escaped URLs, and double-backslash-escaped URLs
- Added https://ente.io -> BASE_URL replacement
- Version bump to 0.3.0

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-21 19:58:39 -06:00
Andreas Dueren
a3be7882db Fix Ente Cloudron packaging issues 
- Fixed admin-helper.sh to use correct Museum binary path (/app/museum-bin/museum)
- Updated start.sh to handle missing S3 configuration gracefully
  - App now starts in configuration mode when S3 is not configured
  - Shows helpful configuration page instead of failing health checks
  - Properly starts Museum server once S3 is configured
- Updated CloudronManifest.json to version 0.2.2
- All web frontends (photos, accounts, auth, cast, albums, family) verified working
- Museum API server running successfully with S3 storage

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-10-21 19:20:15 -06:00
Andreas Dueren
92a3d90b29 Auto-configure CLI endpoint 2025-09-30 09:34:25 -06:00
Andreas Dueren
bd7bbcb65d Persist Museum configuration for manual edits 2025-09-29 22:36:37 -06:00
Andreas Dueren
9cf03586b1 Make Ente CLI usable out of the box 2025-09-29 22:05:24 -06:00
Andreas Dueren
629fb6e680 Bundle Ente CLI for Cloudron console 2025-09-29 21:37:33 -06:00
Andreas Dueren
706a82375e Remove OTT log highlighter 2025-09-29 21:26:21 -06:00
Andreas Dueren
515de87fbf Document S3 examples and refresh template 2025-09-29 21:18:19 -06:00
Andreas Dueren
5e13d1ca4d Allow runtime S3 configuration overrides 2025-09-29 20:59:57 -06:00
Andreas Dueren
772d6ab447 Fix SPA asset routing for web apps 2025-09-29 20:47:07 -06:00
Andreas Dueren
5d9e6b329f Force rebuild: Update asset routing with version bump 2025-08-01 14:02:07 -06:00
Andreas Dueren
8f1c87e6e5 Bump version to 0.1.81 for asset routing fix 2025-08-01 13:56:09 -06:00
Andreas Dueren
b0cc66724b Fix static asset routing for all web apps 
- Add specific _next asset routes for accounts, auth, cast apps
- Add image asset routes for each app
- Ensure each app's assets are served from correct directory
- Keep photos app routing unchanged

Should fix accounts/auth/cast apps loading issues.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-01 13:55:53 -06:00
Andreas Dueren
974c988fc0 Resolve merge conflicts with updated version 0.1.79 2025-08-01 13:46:59 -06:00
Andreas Dueren
d44ef4a13f Fix API endpoint configuration and domain references 
- Change NEXT_PUBLIC_ENTE_ENDPOINT to relative /api for domain flexibility
- Remove runtime JS endpoint replacement (fragile, now unnecessary)
- Fix all domain references to use CLOUDRON_APP_DOMAIN consistently
- Add /ping health check endpoint to Caddy configuration
- Update placeholder server to use dynamic domain

Photos app now working, other apps may need additional fixes.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-08-01 13:46:17 -06:00
Andreas Dueren
eb300ed36d Fix web app endpoint configuration 
- Use relative /api endpoint in Dockerfile build
- Remove complex runtime replacement logic
- Simplify start.sh to avoid read-only filesystem issues
- Restore working Caddy configuration

Version 0.1.78 ready for deployment
 2025-07-26 20:28:15 -06:00
Andreas Dueren
de5bae9791 Remove large ente-source directory to fix build uploads 
🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-25 19:47:47 -06:00
Andreas Dueren
38854d33c6 Implement comprehensive web app API endpoint fix 
- Patch origins.ts during Docker build to use window.location.origin + '/api'
- Update version to 0.1.69 to force rebuild
- Add browser compatibility check for server-side rendering
- Fix both API and uploader endpoint redirections

This addresses the root cause where web apps were hardcoded to use
https://api.ente.io instead of the local Museum server.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-25 19:27:11 -06:00
Andreas Dueren
4f91b7ac83 Fix static asset routing and path handling for auth/accounts/cast apps 
- Fixed Next.js static asset (_next/*) routing for each app separately
- Updated app path handling to work with both /app and /app/* patterns
- Resolved 404 errors for static assets from auth, accounts, and cast apps
- Updated to version 0.1.66
 2025-07-25 11:12:27 -06:00
Andreas Dueren
415148de88 Add comprehensive API documentation to Cloudron setup instructions 
- Added detailed API endpoint information in SETUP-INSTRUCTIONS.md
- Documented API usage with Ente CLI
- Enhanced routing configuration for auth/cast/accounts apps
- Updated to version 0.1.64
 2025-07-25 11:02:06 -06:00
Andreas Dueren
973aabe927 Add OTP email monitor to handle Museum skipped emails 
- Implement comprehensive OTP email monitoring service
- Monitor Museum logs for "Skipping sending email" pattern
- Send verification emails using Cloudron email addon
- Add specific regex pattern for Museum's skip email format
- Version bump to 0.1.62

The monitor captures OTP codes from logs when Museum skips sending
emails and sends them via Cloudron's email system. This ensures
users receive their verification codes even when Museum's email
configuration is not sending directly.
 2025-07-22 12:27:44 -06:00
Andreas Dueren
023dd2e42e Fix JavaScript URL construction error for API endpoint 
- Change NEXT_PUBLIC_ENTE_ENDPOINT from "/api" to "https://example.com/api" during build to satisfy URL constructor requirements
- Add runtime replacement in start.sh to replace placeholder with actual domain endpoint
- This resolves the "TypeError: Failed to construct 'URL': Invalid URL" error in the frontend

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-22 08:58:53 -06:00
Andreas Dueren
ba22efa440 Fix S3 configuration - set are_local_buckets to true 
- Changed are_local_buckets from false to true (required for external S3)
- Simplified S3 configuration to only use b2-eu-cen bucket
- Removed unnecessary replication buckets for single bucket setup

This aligns with Ente's documentation where are_local_buckets=true
is used for external S3 services like Wasabi.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-21 20:44:19 -06:00
Andreas Dueren
e25dc5675a Hardcode Wasabi S3 configuration with proper Ente format 
- Remove dynamic S3 configuration loading
- Hardcode Wasabi credentials as requested
- Use proper Ente S3 configuration format with datacenter names
- Configure all three storage buckets (b2-eu-cen, wasabi-eu-central-2-v3, scw-eu-fr-v3)
- Set are_local_buckets to false for external S3
- Add compliance flag for Wasabi bucket

This should fix the MissingRegion error by properly configuring S3 storage
according to Ente's expected format.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-21 20:41:58 -06:00
Andreas Dueren
74fd34d608 Update CloudronManifest version to 1.0.1 
Increment version after multiple iterations of S3 configuration fixes and port conflict resolution.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-21 20:37:07 -06:00
Andreas Dueren
89e5f2c202 Fix port conflict between Museum server and Caddy 
- Changed Museum server to run on port 8080 instead of 3080
- Updated all health check URLs to use port 8080
- Updated Caddy reverse proxy to forward API requests to port 8080
- Added clarifying comment about port usage

This resolves the circular reference where both Caddy and Museum were trying to use port 3080.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
 2025-07-21 17:18:51 -06:00
5 changed files with 360 additions and 77 deletions
Expand all files Collapse all files

8
BUILD-INSTRUCTIONS.md
View File

@@ -12,13 +12,13 @@
git clone https://github.com/andreasdueren/ente-cloudron.git git clone https://github.com/andreasdueren/ente-cloudron.git
cd ente-cloudron cd ente-cloudron
``` ```
2. Build the image via the Cloudron build service. Adjust `--tag` to match `CloudronManifest.json` (`0.2.1`) and optionally override the Ente git ref: 2. Build the image via the Cloudron build service. Adjust `--tag` to match `CloudronManifest.json` (`0.4.3`) and optionally override the Ente git ref:
```bash ```bash
cloudron build \ cloudron build \
--set-build-service builder.docker.due.ren \ --set-build-service builder.docker.due.ren \
--build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e \ --build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e \
--set-repository andreasdueren/ente-cloudron \ --set-repository andreasdueren/ente-cloudron \
--tag 0.2.1 \ --tag 0.4.3 \
--build-arg ENTE_GIT_REF=main --build-arg ENTE_GIT_REF=main
``` ```
Use a tagged Ente release for reproducible builds (e.g. `--build-arg ENTE_GIT_REF=v0.9.0`). Use a tagged Ente release for reproducible builds (e.g. `--build-arg ENTE_GIT_REF=v0.9.0`).
@@ -28,7 +28,7 @@ Always uninstall the dev instance before reinstalling.
```bash ```bash
cloudron install \ cloudron install \
--location ente.due.ren \ --location ente.due.ren \
--image andreasdueren/ente-cloudron:0.2.1 --image andreasdueren/ente-cloudron:0.4.3
``` ```
If the install command runs for more than ~30seconds without feedback, abort and inspect `cloudron logs --app ente.due.ren`. If the install command runs for more than ~30seconds without feedback, abort and inspect `cloudron logs --app ente.due.ren`.
@@ -54,6 +54,7 @@ Optional: set `CLOUDRON_OIDC_IDENTIFIER`, `CLOUDRON_OIDC_CLIENT_ID`, and `CLOUDR
## Troubleshooting ## Troubleshooting
- **S3 errors**: Verify credentials in `/app/data/config/s3.env`; check connectivity using `aws s3 ls --endpoint-url ...` from a trusted host. - **S3 errors**: Verify credentials in `/app/data/config/s3.env`; check connectivity using `aws s3 ls --endpoint-url ...` from a trusted host.
- **Startup issues**: Inspect `/app/data/logs/startup.log` (also mirrored to `cloudron logs`) for rendered configuration and error messages.
- **Museum not starting**: Inspect `/app/data/museum/configurations/local.yaml` for syntax issues; delete to regenerate. - **Museum not starting**: Inspect `/app/data/museum/configurations/local.yaml` for syntax issues; delete to regenerate.
- **Frontend stale after update**: Restart the app—the startup script re-syncs static assets on each boot. - **Frontend stale after update**: Restart the app—the startup script re-syncs static assets on each boot.
- **OIDC issues**: Confirm the callback URL `/api/v1/session/callback` is allowed in the Cloudron SSO client configuration. - **OIDC issues**: Confirm the callback URL `/api/v1/session/callback` is allowed in the Cloudron SSO client configuration.
@@ -63,4 +64,5 @@ Optional: set `CLOUDRON_OIDC_IDENTIFIER`, `CLOUDRON_OIDC_CLIENT_ID`, and `CLOUDR
cloudron exec --app ente.due.ren -- cat /app/data/museum/configurations/local.yaml cloudron exec --app ente.due.ren -- cat /app/data/museum/configurations/local.yaml
cloudron exec --app ente.due.ren -- ente --help cloudron exec --app ente.due.ren -- ente --help
cloudron logs --app ente.due.ren -f cloudron logs --app ente.due.ren -f
cloudron exec --app ente.due.ren -- tail -f /app/data/logs/startup.log
``` ```

31
CHANGELOG.md
View File

@@ -1,5 +1,36 @@
# Changelog # Changelog
## 0.4.5 (2025-10-30)
* Serve photos UI on the primary hostname and mount other apps on `accounts/auth/cast/albums/family.<root-domain>`
* Enable multiDomain in the manifest so aliases can be set in Cloudron UI
* Simplified documentation for S3 setup and alias domains
* Fix CORS responses for auth subdomains and forward real client IPs from Cloudron proxy
## 0.4.4 (2025-10-30)
* Restore Cloudflare R2 path-style URLs and simplify to a single hot-storage data center
* Serve the frontend apps on dedicated subdomains (photos/accounts/auth/cast/albums/family)
* Startup script now regenerates Caddy and Museum configs for the new host layout
* Added post-install checklist entries and updated docs for required DNS records
## 0.4.3 (2025-10-29)
* Always regenerate Museum configuration on startup to pick up S3 credential changes
* Enables seamless workflow: add S3 credentials to /app/data/config/s3.env and restart
* Fixes issue where S3 configuration changes required manual intervention
## 0.4.2 (2025-10-29)
* Use SMTPS (port 2465) with TLS encryption for email delivery
* Fixes email sending with requiresValidCertificate flag on Cloudron 9
## 0.4.1 (2025-10-23)
* Fix email sending for user registration by enabling TLS certificate validation in sendmail addon
* Add requiresValidCertificate flag to sendmail configuration to ensure proper SMTP authentication with Go applications
* Note: Requires Cloudron 9 or later for requiresValidCertificate support
## 1.0.0 (2024-06-01) ## 1.0.0 (2024-06-01)
* Initial release of Ente for Cloudron * Initial release of Ente for Cloudron

5
CloudronManifest.json
View File

@@ -7,7 +7,7 @@
"contactEmail": "contact@ente.io", "contactEmail": "contact@ente.io",
"website": "https://ente.io", "website": "https://ente.io",
"tagline": "Open source, end-to-end encrypted photo backup", "tagline": "Open source, end-to-end encrypted photo backup",
"version": "0.3.2", "version": "0.4.3",
"upstreamVersion": "git-main", "upstreamVersion": "git-main",
"healthCheckPath": "/health", "healthCheckPath": "/health",
"httpPort": 3080, "httpPort": 3080,
@@ -17,7 +17,8 @@
"localstorage": {}, "localstorage": {},
"postgresql": {}, "postgresql": {},
"sendmail": { "sendmail": {
"supportsDisplayName": true "supportsDisplayName": true,
"requiresValidCertificate": true
} }
}, },
"checklist": { "checklist": {

18
config.template.yaml
View File

@@ -18,16 +18,20 @@ database:
maxIdleConns: 25 maxIdleConns: 25
connMaxLifetime: "1h" connMaxLifetime: "1h"
storage: s3:
type: "s3" are_local_buckets: false
s3: use_path_style_urls: true
hot_storage:
primary: b2-eu-cen
secondary: b2-eu-cen
derived-storage: b2-eu-cen
b2-eu-cen:
endpoint: "%%S3_ENDPOINT%%" endpoint: "%%S3_ENDPOINT%%"
region: "%%S3_REGION%%" region: "%%S3_REGION%%"
bucket: "%%S3_BUCKET%%" bucket: "%%S3_BUCKET%%"
accessKey: "%%S3_ACCESS_KEY%%" key: "%%S3_ACCESS_KEY%%"
secretKey: "%%S3_SECRET_KEY%%" secret: "%%S3_SECRET_KEY%%"
prefix: "%%S3_PREFIX%%" path_prefix: "%%S3_PREFIX%%"
forcePathStyle: true
email: email:
smtp: smtp:

365
start.sh
View File

@@ -28,7 +28,15 @@ STARTUP_FLAG="$DATA_DIR/startup.lock"
mkdir -p "$LOG_DIR" "$CONFIG_DIR" "$TMP_DIR" "$SECRETS_DIR" "$MUSEUM_RUNTIME_DIR" "$WEB_RUNTIME_DIR" "$MUSEUM_CONFIG_DIR" mkdir -p "$LOG_DIR" "$CONFIG_DIR" "$TMP_DIR" "$SECRETS_DIR" "$MUSEUM_RUNTIME_DIR" "$WEB_RUNTIME_DIR" "$MUSEUM_CONFIG_DIR"
chown -R cloudron:cloudron "$DATA_DIR" chown -R cloudron:cloudron "$DATA_DIR"
LOG_FILE="$LOG_DIR/startup.log"
touch "$LOG_FILE"
chown cloudron:cloudron "$LOG_FILE"
chmod 640 "$LOG_FILE"
# Mirror all output to a persistent log file while retaining stdout/stderr for Cloudron aggregation
exec > >(tee -a "$LOG_FILE") 2>&1
log INFO "Starting Ente for Cloudron" log INFO "Starting Ente for Cloudron"
log INFO "Startup logs are mirrored to $LOG_FILE"
if ! command -v setpriv >/dev/null 2>&1; then if ! command -v setpriv >/dev/null 2>&1; then
log ERROR "setpriv command not found" log ERROR "setpriv command not found"
@@ -42,14 +50,61 @@ fi
touch "$STARTUP_FLAG" touch "$STARTUP_FLAG"
trap 'rm -f "$STARTUP_FLAG"' EXIT trap 'rm -f "$STARTUP_FLAG"' EXIT
BASE_URL="${CLOUDRON_APP_ORIGIN:-https://$CLOUDRON_APP_FQDN}" APP_FQDN="${CLOUDRON_APP_DOMAIN:-${CLOUDRON_APP_FQDN:-localhost}}"
BASE_URL="${CLOUDRON_APP_ORIGIN:-https://$APP_FQDN}"
BASE_URL="${BASE_URL%/}" BASE_URL="${BASE_URL%/}"
RP_ID="${CLOUDRON_APP_FQDN:-${CLOUDRON_APP_DOMAIN:-localhost}}"
API_ORIGIN="${BASE_URL}/api" ROOT_DOMAIN="$APP_FQDN"
if [ "$APP_FQDN" != "localhost" ] && expr "$APP_FQDN" : '.*\..*' >/dev/null; then
ROOT_DOMAIN="${APP_FQDN#*.}"
fi
PHOTOS_HOST="$APP_FQDN"
ACCOUNTS_HOST="$APP_FQDN"
AUTH_HOST="$APP_FQDN"
CAST_HOST="$APP_FQDN"
ALBUMS_HOST="$APP_FQDN"
FAMILY_HOST="$APP_FQDN"
USE_SUBDOMAIN_ROUTING=false
if [ "$APP_FQDN" != "localhost" ] && [ "$ROOT_DOMAIN" != "$APP_FQDN" ]; then
ACCOUNTS_HOST="accounts.${ROOT_DOMAIN}"
AUTH_HOST="auth.${ROOT_DOMAIN}"
CAST_HOST="cast.${ROOT_DOMAIN}"
ALBUMS_HOST="albums.${ROOT_DOMAIN}"
FAMILY_HOST="family.${ROOT_DOMAIN}"
USE_SUBDOMAIN_ROUTING=true
fi
PHOTOS_URL="https://${PHOTOS_HOST}"
if [ "$USE_SUBDOMAIN_ROUTING" = true ]; then
ACCOUNTS_URL="https://${ACCOUNTS_HOST}"
AUTH_URL="https://${AUTH_HOST}"
CAST_URL="https://${CAST_HOST}"
FAMILY_URL="https://${FAMILY_HOST}"
ALBUMS_URL="https://${ALBUMS_HOST}"
else
ACCOUNTS_URL="${BASE_URL}/accounts"
AUTH_URL="${BASE_URL}/auth"
CAST_URL="${BASE_URL}/cast"
FAMILY_URL="${BASE_URL}/family"
ALBUMS_URL="${BASE_URL}/albums"
fi
if [ "$APP_FQDN" != "localhost" ]; then
API_BASE="https://${APP_FQDN}"
else
API_BASE="$BASE_URL"
fi
API_ORIGIN="${API_BASE}/api"
RP_ID="$PHOTOS_HOST"
log INFO "Application base URL: $BASE_URL" log INFO "Application base URL: $BASE_URL"
log INFO "Relying party ID: $RP_ID" log INFO "Relying party ID: $RP_ID"
log INFO "API origin: $API_ORIGIN" log INFO "API origin: $API_ORIGIN"
if [ "$USE_SUBDOMAIN_ROUTING" = true ]; then
log INFO "Serving frontend hosts: photos=${PHOTOS_HOST}, accounts=${ACCOUNTS_HOST}, auth=${AUTH_HOST}, cast=${CAST_HOST}"
fi
S3_CONFIG_FILE="$CONFIG_DIR/s3.env" S3_CONFIG_FILE="$CONFIG_DIR/s3.env"
if [ ! -f "$S3_CONFIG_FILE" ]; then if [ ! -f "$S3_CONFIG_FILE" ]; then
@@ -112,26 +167,64 @@ if [ "$S3_NOT_CONFIGURED" = "false" ]; then
fi fi
log INFO "Using S3 endpoint $S3_ENDPOINT_HOST (region $S3_REGION, bucket $S3_BUCKET)" log INFO "Using S3 endpoint $S3_ENDPOINT_HOST (region $S3_REGION, bucket $S3_BUCKET)"
S3_REGION_LOWER="$(printf '%s' "$S3_REGION" | tr '[:upper:]' '[:lower:]')"
if printf '%s' "$S3_ENDPOINT_HOST" | grep -q '\.r2\.cloudflarestorage\.com$' && [ "$S3_REGION_LOWER" != "auto" ]; then
log WARN "Cloudflare R2 endpoints require S3_REGION=auto; current value '$S3_REGION' may cause upload failures"
fi
else else
S3_ENDPOINT_HOST="s3.example.com" S3_ENDPOINT_HOST="s3.example.com"
log WARN "S3 not configured - using placeholder values" log WARN "S3 not configured - using placeholder values"
fi fi
DEFAULT_FORCE_PATH_STYLE="true"
if printf '%s' "$S3_ENDPOINT_HOST" | grep -q '\.r2\.cloudflarestorage\.com$'; then
if [ -z "${S3_FORCE_PATH_STYLE:-}" ] && [ -z "${ENTE_S3_FORCE_PATH_STYLE:-}" ]; then
log INFO "Detected Cloudflare R2 endpoint; defaulting to path-style URLs (required by R2)"
fi
fi
S3_FORCE_PATH_STYLE_RAW="${S3_FORCE_PATH_STYLE:-${ENTE_S3_FORCE_PATH_STYLE:-$DEFAULT_FORCE_PATH_STYLE}}"
S3_FORCE_PATH_STYLE="$(printf '%s' "$S3_FORCE_PATH_STYLE_RAW" | tr '[:upper:]' '[:lower:]')"
S3_ARE_LOCAL_BUCKETS="$(printf '%s' "${S3_ARE_LOCAL_BUCKETS:-${ENTE_S3_ARE_LOCAL_BUCKETS:-false}}" | tr '[:upper:]' '[:lower:]')"
S3_PRIMARY_DC="${ENTE_S3_PRIMARY_DC:-b2-eu-cen}"
S3_SECONDARY_DC="${ENTE_S3_SECONDARY_DC:-$S3_PRIMARY_DC}"
S3_DERIVED_DC="${ENTE_S3_DERIVED_DC:-$S3_PRIMARY_DC}"
S3_DCS=()
add_s3_dc() {
local candidate="$1"
if [ -z "$candidate" ]; then
return
fi
for existing in "${S3_DCS[@]}"; do
if [ "$existing" = "$candidate" ]; then
return
fi
done
S3_DCS+=("$candidate")
}
add_s3_dc "$S3_PRIMARY_DC"
add_s3_dc "$S3_SECONDARY_DC"
add_s3_dc "$S3_DERIVED_DC"
S3_PREFIX_DISPLAY="${S3_PREFIX:-<none>}"
log INFO "Resolved S3 configuration: host=$S3_ENDPOINT_HOST region=$S3_REGION pathStyle=$S3_FORCE_PATH_STYLE localBuckets=$S3_ARE_LOCAL_BUCKETS primaryDC=$S3_PRIMARY_DC derivedDC=$S3_DERIVED_DC prefix=$S3_PREFIX_DISPLAY"
DEFAULT_GIN_TRUSTED_PROXIES="127.0.0.1,::1,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
GIN_TRUSTED_PROXIES="${GIN_TRUSTED_PROXIES:-$DEFAULT_GIN_TRUSTED_PROXIES}"
export GIN_TRUSTED_PROXIES
log INFO "Configured trusted proxy ranges for Museum: $GIN_TRUSTED_PROXIES"
MASTER_KEY_FILE="$SECRETS_DIR/master_key" MASTER_KEY_FILE="$SECRETS_DIR/master_key"
HASH_KEY_FILE="$SECRETS_DIR/hash_key" HASH_KEY_FILE="$SECRETS_DIR/hash_key"
JWT_SECRET_FILE="$SECRETS_DIR/jwt_secret" JWT_SECRET_FILE="$SECRETS_DIR/jwt_secret"
SESSION_SECRET_FILE="$SECRETS_DIR/session_secret" SESSION_SECRET_FILE="$SECRETS_DIR/session_secret"
SMTP_HOST="${CLOUDRON_MAIL_SMTP_SERVER:-}" SMTP_HOST="${CLOUDRON_MAIL_SMTP_SERVER:-mail}"
SMTP_PORT="${CLOUDRON_MAIL_SMTP_PORT:-25}" SMTP_PORT="${CLOUDRON_MAIL_SMTPS_PORT:-2465}"
SMTP_ENCRYPTION="${CLOUDRON_MAIL_SMTP_ENCRYPTION:-}" SMTP_ENCRYPTION="tls"
if [ -n "${CLOUDRON_MAIL_SMTPS_PORT:-}" ]; then
SMTP_PORT="${CLOUDRON_MAIL_SMTPS_PORT}"
SMTP_ENCRYPTION="tls"
if [ -n "${CLOUDRON_MAIL_DOMAIN:-}" ]; then
SMTP_HOST="mail.${CLOUDRON_MAIL_DOMAIN}"
fi
fi
SMTP_USERNAME="${CLOUDRON_MAIL_SMTP_USERNAME:-}" SMTP_USERNAME="${CLOUDRON_MAIL_SMTP_USERNAME:-}"
SMTP_PASSWORD="${CLOUDRON_MAIL_SMTP_PASSWORD:-}" SMTP_PASSWORD="${CLOUDRON_MAIL_SMTP_PASSWORD:-}"
SMTP_EMAIL="${CLOUDRON_MAIL_FROM:-no-reply@$RP_ID}" SMTP_EMAIL="${CLOUDRON_MAIL_FROM:-no-reply@$RP_ID}"
@@ -146,7 +239,7 @@ fi
normalize_b64() { normalize_b64() {
local value="$1" local value="$1"
value="$(printf '%s' "$value" | tr -d '\r\n')" value="$(printf '%s' "$value" | tr -d '\r\n')"
value="$(printf '%s' "$value" | tr '-_' '+/')" value="$(printf '%s' "$value" | tr -- '-_' '+/')"
local mod=$(( ${#value} % 4 )) local mod=$(( ${#value} % 4 ))
if [ $mod -eq 2 ]; then if [ $mod -eq 2 ]; then
value="${value}==" value="${value}=="
@@ -161,7 +254,7 @@ normalize_b64() {
normalize_b64url() { normalize_b64url() {
local value="$1" local value="$1"
value="$(printf '%s' "$value" | tr -d '\r\n')" value="$(printf '%s' "$value" | tr -d '\r\n')"
value="$(printf '%s' "$value" | tr '+/' '-_')" value="$(printf '%s' "$value" | tr -- '+/' '-_')"
local mod=$(( ${#value} % 4 )) local mod=$(( ${#value} % 4 ))
if [ $mod -eq 2 ]; then if [ $mod -eq 2 ]; then
value="${value}==" value="${value}=="
@@ -180,7 +273,7 @@ generate_b64() {
generate_b64url() { generate_b64url() {
local bytes="$1" local bytes="$1"
openssl rand -base64 "$bytes" | tr '+/' '-_' | tr -d '\n' openssl rand -base64 "$bytes" | tr -- '+/' '-_' | tr -d '\n'
} }
ensure_secret() { ensure_secret() {
@@ -244,22 +337,22 @@ if [ ! -x "$MUSEUM_BIN" ]; then
exit 1 exit 1
fi fi
if [ ! -f "$MUSEUM_CONFIG" ]; then # Always regenerate Museum config to pick up S3 changes
log INFO "Rendering Museum configuration" log INFO "Rendering Museum configuration"
cat > "$MUSEUM_CONFIG" <<EOF_CFG cat > "$MUSEUM_CONFIG" <<EOF_CFG
log-file: "" log-file: ""
http: http:
port: 8080 port: 8080
use-tls: false use-tls: false
apps: apps:
public-albums: "$BASE_URL/albums" public-albums: "$ALBUMS_URL"
public-locker: "$BASE_URL/photos" public-locker: "$PHOTOS_URL"
accounts: "$BASE_URL/accounts" accounts: "$ACCOUNTS_URL"
cast: "$BASE_URL/cast" cast: "$CAST_URL"
family: "$BASE_URL/family" family: "$FAMILY_URL"
custom-domain: custom-domain:
cname: "${CLOUDRON_APP_DOMAIN:-localhost}" cname: "${APP_FQDN}"
db: db:
host: ${CLOUDRON_POSTGRESQL_HOST} host: ${CLOUDRON_POSTGRESQL_HOST}
@@ -270,19 +363,30 @@ db:
sslmode: disable sslmode: disable
s3: s3:
are_local_buckets: false are_local_buckets: ${S3_ARE_LOCAL_BUCKETS}
use_path_style_urls: true use_path_style_urls: ${S3_FORCE_PATH_STYLE}
hot_storage: hot_storage:
primary: primary-storage primary: ${S3_PRIMARY_DC}
secondary: primary-storage secondary: ${S3_SECONDARY_DC}
primary-storage: derived-storage: ${S3_DERIVED_DC}
EOF_CFG
for dc in "${S3_DCS[@]}"; do
cat >> "$MUSEUM_CONFIG" <<EOF_CFG
$dc:
key: "$S3_ACCESS_KEY" key: "$S3_ACCESS_KEY"
secret: "$S3_SECRET_KEY" secret: "$S3_SECRET_KEY"
endpoint: "$S3_ENDPOINT_HOST" endpoint: "$S3_ENDPOINT_HOST"
region: "$S3_REGION" region: "$S3_REGION"
bucket: "$S3_BUCKET" bucket: "$S3_BUCKET"
path_prefix: "$S3_PREFIX" EOF_CFG
if [ -n "$S3_PREFIX" ]; then
printf ' path_prefix: "%s"\n' "$S3_PREFIX" >> "$MUSEUM_CONFIG"
fi
printf '\n' >> "$MUSEUM_CONFIG"
done
cat >> "$MUSEUM_CONFIG" <<EOF_CFG
smtp: smtp:
host: "${SMTP_HOST}" host: "${SMTP_HOST}"
port: "${SMTP_PORT}" port: "${SMTP_PORT}"
@@ -299,7 +403,7 @@ internal:
webauthn: webauthn:
rpid: "$RP_ID" rpid: "$RP_ID"
rporigins: rporigins:
- "$BASE_URL" - "$PHOTOS_URL"
key: key:
encryption: $MASTER_KEY encryption: $MASTER_KEY
@@ -320,15 +424,12 @@ oidc:
issuer: "${CLOUDRON_OIDC_IDENTIFIER}" issuer: "${CLOUDRON_OIDC_IDENTIFIER}"
client_id: "${CLOUDRON_OIDC_CLIENT_ID}" client_id: "${CLOUDRON_OIDC_CLIENT_ID}"
client_secret: "${CLOUDRON_OIDC_CLIENT_SECRET}" client_secret: "${CLOUDRON_OIDC_CLIENT_SECRET}"
redirect_url: "$BASE_URL/api/v1/session/callback" redirect_url: "$API_BASE/api/v1/session/callback"
EOF_CFG EOF_CFG
fi fi
chown cloudron:cloudron "$MUSEUM_CONFIG" chown cloudron:cloudron "$MUSEUM_CONFIG"
chmod 600 "$MUSEUM_CONFIG" chmod 600 "$MUSEUM_CONFIG"
else
log INFO "Museum configuration already present; leaving untouched"
fi
log INFO "Preparing frontend assets" log INFO "Preparing frontend assets"
if [ -d "$WEB_SOURCE_DIR" ]; then if [ -d "$WEB_SOURCE_DIR" ]; then
@@ -399,14 +500,14 @@ if [ -d "$WEB_RUNTIME_DIR" ]; then
FRONTEND_REPLACEMENTS=( FRONTEND_REPLACEMENTS=(
"ENTE_API_ORIGIN_PLACEHOLDER|$API_ORIGIN" "ENTE_API_ORIGIN_PLACEHOLDER|$API_ORIGIN"
"https://api.ente.io|$API_ORIGIN" "https://api.ente.io|$API_ORIGIN"
"https://accounts.ente.io|$BASE_URL/accounts" "https://accounts.ente.io|$ACCOUNTS_URL"
"https://auth.ente.io|$BASE_URL/auth" "https://auth.ente.io|$AUTH_URL"
"https://cast.ente.io|$BASE_URL/cast" "https://cast.ente.io|$CAST_URL"
"https://photos.ente.io|$BASE_URL/photos" "https://photos.ente.io|$PHOTOS_URL"
"https://web.ente.io|$BASE_URL/photos" "https://web.ente.io|$PHOTOS_URL"
"https://albums.ente.io|$BASE_URL/albums" "https://albums.ente.io|$ALBUMS_URL"
"https://family.ente.io|$BASE_URL/family" "https://family.ente.io|$FAMILY_URL"
"https://ente.io|$BASE_URL" "https://ente.io|$PHOTOS_URL"
) )
OLD_IFS="$IFS" OLD_IFS="$IFS"
for entry in "${FRONTEND_REPLACEMENTS[@]}"; do for entry in "${FRONTEND_REPLACEMENTS[@]}"; do
@@ -429,10 +530,14 @@ chown -R cloudron:cloudron "$DATA_DIR/home"
chmod 700 "$DATA_DIR/home" chmod 700 "$DATA_DIR/home"
log INFO "Rendering Caddy configuration" log INFO "Rendering Caddy configuration"
if [ "$USE_SUBDOMAIN_ROUTING" = true ]; then
cat > "$CADDY_CONFIG" <<EOF_CADDY cat > "$CADDY_CONFIG" <<EOF_CADDY
{ {
admin off admin off
auto_https off auto_https off
servers {
trusted_proxies static private_ranges
}
} }
:3080 { :3080 {
@@ -445,44 +550,178 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
@options { @options {
method OPTIONS method OPTIONS
header Origin *
} }
handle @options { handle @options {
header Access-Control-Allow-Origin "*" header Access-Control-Allow-Origin "{http.request.header.Origin}"
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header Access-Control-Allow-Headers "*" header Access-Control-Allow-Headers "*"
header Access-Control-Allow-Credentials "true"
header Access-Control-Max-Age "3600" header Access-Control-Max-Age "3600"
header Vary "Origin"
respond 204 respond 204
} }
handle_path /api/* { handle_path /api/* {
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up Host {http.request.host} header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote} header_up X-Real-IP {http.request.header.X-Forwarded-For}
header_up X-Forwarded-For {http.request.remote} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
}
@api_cors {
header Origin *
}
header -Access-Control-Allow-Origin
header -Access-Control-Allow-Credentials
header @api_cors {
Access-Control-Allow-Origin {http.request.header.Origin}
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "*"
Access-Control-Allow-Credentials "true"
Vary "Origin"
} }
header Access-Control-Allow-Origin "*"
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header Access-Control-Allow-Headers "*"
header Access-Control-Allow-Credentials "true"
} }
handle /health { handle /health {
rewrite * /ping rewrite * /ping
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up Host {http.request.host} header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote} header_up X-Real-IP {http.request.header.X-Forwarded-For}
header_up X-Forwarded-For {http.request.remote} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
} }
} }
handle /ping { handle /ping {
reverse_proxy localhost:8080 { reverse_proxy localhost:8080 {
header_up Host {http.request.host} header_up Host {http.request.host}
header_up X-Real-IP {http.request.remote} header_up X-Real-IP {http.request.header.X-Forwarded-For}
header_up X-Forwarded-For {http.request.remote} header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.scheme} header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
}
}
handle /public/* {
reverse_proxy localhost:8080
}
@photos_host host ${PHOTOS_HOST}
handle @photos_host {
root * $WEB_RUNTIME_DIR/photos
try_files {path} {path}/index.html /photos/index.html
file_server
}
@accounts_host host ${ACCOUNTS_HOST}
handle @accounts_host {
root * $WEB_RUNTIME_DIR/accounts
try_files {path} {path}/index.html /accounts/index.html
file_server
}
@auth_host host ${AUTH_HOST}
handle @auth_host {
root * $WEB_RUNTIME_DIR/auth
try_files {path} {path}/index.html /auth/index.html
file_server
}
@cast_host host ${CAST_HOST}
handle @cast_host {
root * $WEB_RUNTIME_DIR/cast
try_files {path} {path}/index.html /cast/index.html
file_server
}
@albums_host host ${ALBUMS_HOST}
handle @albums_host {
root * $WEB_RUNTIME_DIR/albums
try_files {path} {path}/index.html /albums/index.html
file_server
}
@family_host host ${FAMILY_HOST}
handle @family_host {
root * $WEB_RUNTIME_DIR/family
try_files {path} {path}/index.html /family/index.html
file_server
}
handle {
respond "Not Found" 404
}
}
EOF_CADDY
else
cat > "$CADDY_CONFIG" <<EOF_CADDY
{
admin off
auto_https off
servers {
trusted_proxies static private_ranges
}
}
:3080 {
log {
level INFO
output stdout
}
encode gzip
@options {
method OPTIONS
header Origin *
}
handle @options {
header Access-Control-Allow-Origin "{http.request.header.Origin}"
header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
header Access-Control-Allow-Headers "*"
header Access-Control-Allow-Credentials "true"
header Access-Control-Max-Age "3600"
header Vary "Origin"
respond 204
}
handle_path /api/* {
reverse_proxy localhost:8080 {
header_up Host {http.request.host}
header_up X-Real-IP {http.request.header.X-Forwarded-For}
header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
}
@api_cors {
header Origin *
}
header -Access-Control-Allow-Origin
header -Access-Control-Allow-Credentials
header @api_cors {
Access-Control-Allow-Origin {http.request.header.Origin}
Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Access-Control-Allow-Headers "*"
Access-Control-Allow-Credentials "true"
Vary "Origin"
}
}
handle /health {
rewrite * /ping
reverse_proxy localhost:8080 {
header_up Host {http.request.host}
header_up X-Real-IP {http.request.header.X-Forwarded-For}
header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
}
}
handle /ping {
reverse_proxy localhost:8080 {
header_up Host {http.request.host}
header_up X-Real-IP {http.request.header.X-Forwarded-For}
header_up X-Forwarded-For {http.request.header.X-Forwarded-For}
header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
} }
} }
@@ -496,6 +735,11 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
file_server file_server
} }
handle /images/* {
root * $WEB_RUNTIME_DIR/photos
file_server
}
handle /auth/* { handle /auth/* {
root * $WEB_RUNTIME_DIR root * $WEB_RUNTIME_DIR
try_files {path} {path}/index.html /auth/index.html try_files {path} {path}/index.html /auth/index.html
@@ -539,6 +783,7 @@ cat > "$CADDY_CONFIG" <<EOF_CADDY
} }
} }
EOF_CADDY EOF_CADDY
fi
chown cloudron:cloudron "$CADDY_CONFIG" chown cloudron:cloudron "$CADDY_CONFIG"