Enable Ente CLI persistence and update docs

- Always regenerate Museum configuration on startup to enable runtime S3 credential changes
- Improve S3 configuration logging and validation for Cloudflare R2 endpoints
- Update SMTP configuration to use SMTPS port 2465 with TLS encryption
- Fix Caddy proxy headers to properly forward client information
- Add startup.log for enhanced troubleshooting
- Update build instructions and changelog for version 0.4.3

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

BUILD-INSTRUCTIONS.md

@@ -1,110 +1,34 @@
-# Ente Cloudron App Build and Installation Instructions
+# Ente Cloudron – Quick Guide
 
-This document provides detailed instructions for building and installing the Ente Cloudron app, an open-source, end-to-end encrypted photo storage and authentication solution.
+## Build
+```bash
+git clone https://github.com/andreasdueren/ente-cloudron.git
+cd ente-cloudron
 
-## Prerequisites
+cloudron build \
+  --set-build-service builder.docker.due.ren \
+  --build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e \
+  --set-repository andreasdueren/ente-cloudron \
+  --tag 0.4.5
+```
 
-- **Cloudron CLI**: Ensure the Cloudron CLI is installed and configured on your system. Refer to [Cloudron CLI Documentation](https://docs.cloudron.io/packaging/cli/) for setup instructions.
+## Install
-- **Docker**: Required for local testing or custom builds if needed.
+```bash
-- **Git**: To clone or manage the repository.
+cloudron install \
-- **Repository Access**: Ensure you have access to the Ente Cloudron repository at `andreasdueren/ente-cloudron`.
+  --location ente.due.ren \
-- **Build Service Token**: A token for the Cloudron build service is required (provided in the command below).
+  --image andreasdueren/ente-cloudron:0.4.5
+```
 
-## Build Commands
+## After Install
+1. **S3** – In Cloudron File Manager open `/app/data/config/s3.env`, fill in your endpoint/region/bucket/access/secret, then restart the app from the dashboard.
+2. **Subdomains** – In the app’s *Domains* tab add aliases for `accounts`, `auth`, `cast`, `albums`, `family`. Create matching DNS records pointing at the primary domain (e.g. if the app is `ente.due.ren`, add `accounts.due.ren → ente.due.ren`, etc.).
 
-1. **Clone the Repository** (if not already done):
+Once DNS propagates, use the dedicated hosts:
-   ```bash
+- `https://<app-host>` (the hostname you chose during install, main UI & uploads)
-   git clone https://github.com/andreasdueren/ente-cloudron.git
+- `https://accounts.<domain>`
-   cd ente-cloudron
+- `https://auth.<domain>`
-   ```
+- `https://cast.<domain>`
+- `https://albums.<domain>`
+- `https://family.<domain>`
 
-2. **Build the App Using Cloudron Build Service**:
+Check `cloudron logs --app ente.due.ren -f` or `/app/data/logs/startup.log` if anything looks off.
-   Use the provided build service and token to build the app. Replace `<version>` with the desired version tag (e.g., `0.1.0` or as per `CloudronManifest.json`).
-   ```bash
-   cloudron build --set-build-service builder.docker.due.ren --build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e --set-repository andreasdueren/ente-cloudron --tag 1.0.1
-   ```
-   **Note**: The build process should complete within a reasonable time. Monitor the output for any errors.
-
-## Installation Commands
-
-1. **Install the App on Cloudron**:
-   After a successful build, install the app on your Cloudron instance at the desired location (e.g., `ente.due.ren`).
-   ```bash
-   cloudron install --location ente.due.ren --image andreasdueren/ente-cloudron:1.0.1
-   ```
-   **Important**: Do not wait more than 30 seconds for feedback after running the install command. If there's an error, the process may hang, and you should terminate it to troubleshoot.
-   **Note**: Always uninstall and reinstall during development rather than updating an existing app to ensure a clean setup.
-
-## Testing Procedures
-
-1. **Verify Installation**:
-   - Access the app at `https://ente.due.ren` (or your configured domain).
-   - Ensure the Ente web interfaces (Photos, Accounts, Auth, Cast) load correctly.
-
-2. **Check S3 Configuration**:
-   - Confirm that S3 environment variables are set in Cloudron app settings under the 'Environment Variables' section.
-   - Variables to check: `APP_S3_ENABLED`, `APP_S3_ENDPOINT`, `APP_S3_ACCESS_KEY_ID`, `APP_S3_SECRET_ACCESS_KEY`, `APP_S3_BUCKET`.
-
-3. **Monitor Logs for Errors**:
-   - Use the Cloudron CLI to view logs:
-     ```bash
-     cloudron logs --app ente.due.ren -f
-     ```
-   - Alternatively, shell into the app for detailed log inspection:
-     ```bash
-     cloudron exec --app ente.due.ren
-     tail -f /app/data/logs/*
-     ```
-   - Look for S3 connection errors or other issues.
-
-## Deployment Steps
-
-1. **Post-Installation Configuration**:
-   - If S3 is not working, update the environment variables in Cloudron app settings and restart the app:
-     ```bash
-     cloudron restart --app ente.due.ren
-     ```
-
-2. **User Authentication**:
-   - Ente uses its own authentication system. Ensure user registration and login work as expected.
-   - If OIDC integration is desired in the future, it can be configured using Cloudron's OIDC variables (`CLOUDRON_OIDC_IDENTIFIER`, `CLOUDRON_OIDC_CLIENT_ID`, `CLOUDRON_OIDC_CLIENT_SECRET`).
-
-## Troubleshooting Common Issues
-
-- **S3 Configuration Errors**:
-  - **Symptom**: App falls back to local storage or logs show S3 connection failures.
-  - **Solution**: Verify S3 environment variables in Cloudron settings. Test connectivity manually using AWS CLI (`aws s3 ls s3://<bucket> --endpoint-url <endpoint>`).
-
-- **Build Failures**:
-  - **Symptom**: Build command errors out or hangs.
-  - **Solution**: Check network connectivity to the build service, ensure the token is correct, and review build logs for specific errors.
-
-- **Installation Hangs**:
-  - **Symptom**: Install command does not complete within 30 seconds.
-  - **Solution**: Terminate the command and check Cloudron logs for errors (`cloudron logs --app ente.due.ren`). Reinstall if necessary.
-
-- **App Not Starting**:
-  - **Symptom**: App shows as 'Stopped' or inaccessible after install.
-  - **Solution**: Check logs for startup errors (`cloudron logs --app ente.due.ren`). Ensure database connectivity and correct configuration.
-
-## Configuration Examples
-
-- **S3 Environment Variables** in Cloudron settings:
-  ```
-  APP_S3_ENABLED=true
-  APP_S3_ENDPOINT=s3.amazonaws.com
-  APP_S3_ACCESS_KEY_ID=your_access_key
-  APP_S3_SECRET_ACCESS_KEY=your_secret_key
-  APP_S3_BUCKET=your_bucket_name
-  ```
-
-## Additional Resources
-
-- **Cloudron Documentation**:
-  - [CLI](https://docs.cloudron.io/packaging/cli/)
-  - [Packaging Tutorial](https://docs.cloudron.io/packaging/tutorial/)
-  - [Manifest Reference](https://docs.cloudron.io/packaging/manifest/)
-  - [Addons Guide](https://docs.cloudron.io/packaging/addons/)
-  - [Cheat Sheet](https://docs.cloudron.io/packaging/cheat-sheet/)
-
-For further assistance, contact the Ente team at `contact@ente.io` or refer to the GitHub repository at [https://github.com/ente-io/ente](https://github.com/ente-io/ente).

CHANGELOG.md

@@ -1,5 +1,37 @@
 # Changelog
 
+## 0.4.5 (2025-10-30)
+
+* Serve photos UI on the primary hostname and mount other apps on `accounts/auth/cast/albums/family.<root-domain>`
+* Enable multiDomain in the manifest so aliases can be set in Cloudron UI
+* Simplified documentation for S3 setup and alias domains
+* Fix CORS responses for auth subdomains and forward real client IPs from Cloudron proxy
+* Remove unsupported Caddy `trusted_proxies` stanza while continuing to trust Cloudron-provided `X-Forwarded-For` headers for accurate logging
+
+## 0.4.4 (2025-10-30)
+
+* Restore Cloudflare R2 path-style URLs and simplify to a single hot-storage data center
+* Serve the frontend apps on dedicated subdomains (photos/accounts/auth/cast/albums/family)
+* Startup script now regenerates Caddy and Museum configs for the new host layout
+* Added post-install checklist entries and updated docs for required DNS records
+
+## 0.4.3 (2025-10-29)
+
+* Always regenerate Museum configuration on startup to pick up S3 credential changes
+* Enables seamless workflow: add S3 credentials to /app/data/config/s3.env and restart
+* Fixes issue where S3 configuration changes required manual intervention
+
+## 0.4.2 (2025-10-29)
+
+* Use SMTPS (port 2465) with TLS encryption for email delivery
+* Fixes email sending with requiresValidCertificate flag on Cloudron 9
+
+## 0.4.1 (2025-10-23)
+
+* Fix email sending for user registration by enabling TLS certificate validation in sendmail addon
+* Add requiresValidCertificate flag to sendmail configuration to ensure proper SMTP authentication with Go applications
+* Note: Requires Cloudron 9 or later for requiresValidCertificate support
+
 ## 1.0.0 (2024-06-01)
 
 * Initial release of Ente for Cloudron

CloudronManifest.json

@@ -1,38 +1,42 @@
 {
   "id": "io.ente.cloudronapp",
   "title": "Ente",
-  "author": "Ente Authors",
+  "author": "Ente Development Team",
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG.md",
   "contactEmail": "contact@ente.io",
-  "tagline": "Open Source End-to-End Encrypted Photos & Authentication",
+  "website": "https://ente.io",
-  "upstreamVersion": "1.0.0",
+  "tagline": "Open source, end-to-end encrypted photo backup",
-  "version": "0.1.133",
+  "version": "0.4.5",
-  "healthCheckPath": "/ping",
+  "upstreamVersion": "git-main",
+  "healthCheckPath": "/health",
   "httpPort": 3080,
-  "memoryLimit": 1073741824,
+  "memoryLimit": 1610612736,
+  "postInstallMessage": "file://POSTINSTALL.md",
+  "multiDomain": true,
   "addons": {
     "localstorage": {},
     "postgresql": {},
-    "email": {},
     "sendmail": {
-      "supportsDisplayName": true
+      "supportsDisplayName": true,
+      "requiresValidCertificate": true
     }
   },
   "checklist": {
-    "create-permanent-admin": {
+    "configure-object-storage": {
-      "message": "Required: S3 Storage Configuration!"
+      "message": "Configure your S3-compatible storage in /app/data/config/s3.env before first use."
+    },
+    "configure-subdomains": {
+      "message": "Create DNS records and add Cloudron aliases for accounts., auth., cast., albums. and family. (using the base domain of this app)."
     }
   },
-
   "icon": "file://logo.png",
   "tags": [
     "photos",
-    "authentication",
+    "encryption",
-    "e2ee",
+    "backup",
-    "encryption"
+    "self-hosting"
   ],
   "manifestVersion": 2,
-  "minBoxVersion": "8.1.0",
+  "minBoxVersion": "8.1.0"
-  "website": "https://ente.io"
 }

Dockerfile

@@ -1,188 +1,112 @@
-# Build Museum server from source
+# syntax=docker/dockerfile:1
+
+ARG ENTE_GIT_REF=main
+
+FROM debian:bookworm AS ente-source
+ARG ENTE_GIT_REF
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends ca-certificates git && \
+    git clone --depth=1 --branch "${ENTE_GIT_REF}" https://github.com/ente-io/ente.git /src && \
+    rm -rf /var/lib/apt/lists/*
+
 FROM golang:1.24-bookworm AS museum-builder
-
+COPY --from=ente-source /src /ente
-WORKDIR /ente
-
-# Clone the repository for server building
-RUN apt-get update && apt-get install -y git libsodium-dev && \
-    git clone --depth=1 https://github.com/ente-io/ente.git . && \
-    apt-get clean && apt-get autoremove && \
-    rm -rf /var/cache/apt /var/lib/apt/lists
-
-# Build the Museum server
 WORKDIR /ente/server
-RUN go mod download && \
+RUN apt-get update && \
-    CGO_ENABLED=1 GOOS=linux go build -a -o museum ./cmd/museum
+    apt-get install -y --no-install-recommends build-essential pkg-config libsodium-dev && \
-
+    rm -rf /var/lib/apt/lists/*
-FROM node:20-bookworm-slim as web-builder
+RUN mkdir -p /build/museum && \
-
+    CGO_ENABLED=1 GOOS=linux go build -o /build/museum/museum ./cmd/museum && \
-WORKDIR /ente
+    for dir in migrations web-templates mail-templates assets; do \
-
+      rm -rf "/build/museum/$dir"; \
-# Clone the repository for web app building
+      if [ -d "$dir" ]; then \
-RUN apt-get update && apt-get install -y git && \
+        cp -r "$dir" "/build/museum/$dir"; \
-    git clone --depth=1 https://github.com/ente-io/ente.git . && \
-    apt-get clean && apt-get autoremove && \
-    rm -rf /var/cache/apt /var/lib/apt/lists
-
-# Will help default to yarn version 1.22.22
-RUN corepack enable
-
-# Set environment variables for web app build - use relative endpoint
-ENV NEXT_PUBLIC_ENTE_ENDPOINT="/api"
-RUN echo "Building with relative NEXT_PUBLIC_ENTE_ENDPOINT=/api for self-hosted deployment"
-
-# Debugging the repository structure
-RUN find . -type d -maxdepth 3 | sort
-
-# Check if web directory exists with apps subdirectory
-RUN mkdir -p /build/web/photos /build/web/accounts /build/web/auth /build/web/cast && \
-    if [ -d "web" ] && [ -d "web/apps" ]; then \
-        echo "Found web/apps directory, building web apps"; \
-        cd web && \
-        yarn cache clean && \
-        yarn install --network-timeout 1000000000 && \
-        yarn build:photos && \
-        yarn build:accounts && \
-        yarn build:auth && \
-        yarn build:cast && \
-        if [ -d "apps/photos/out" ]; then \
-            cp -r apps/photos/out/* /build/web/photos/; \
-        fi && \
-        if [ -d "apps/accounts/out" ]; then \
-            cp -r apps/accounts/out/* /build/web/accounts/; \
-        fi && \
-        if [ -d "apps/auth/out" ]; then \
-            cp -r apps/auth/out/* /build/web/auth/; \
-        fi && \
-        if [ -d "apps/cast/out" ]; then \
-            cp -r apps/cast/out/* /build/web/cast/; \
-        fi; \
-    elif [ -d "web" ]; then \
-        echo "Found web directory, looking for alternative structure"; \
-        find web -type d | grep -v node_modules | sort; \
-        if [ -d "web/photos" ]; then \
-            echo "Building photos app"; \
-            cd web/photos && yarn install && yarn build && \
-            if [ -d "out" ]; then cp -r out/* /build/web/photos/; fi; \
-        fi; \
-        if [ -d "web/accounts" ]; then \
-            echo "Building accounts app"; \
-            cd web/accounts && yarn install && yarn build && \
-            if [ -d "out" ]; then cp -r out/* /build/web/accounts/; fi; \
-        fi; \
-        if [ -d "web/auth" ]; then \
-            echo "Building auth app"; \
-            cd web/auth && yarn install && yarn build && \
-            if [ -d "out" ]; then cp -r out/* /build/web/auth/; fi; \
-        fi; \
-        if [ -d "web/cast" ]; then \
-            echo "Building cast app"; \
-            cd web/cast && yarn install && yarn build && \
-            if [ -d "out" ]; then cp -r out/* /build/web/cast/; fi; \
-        fi; \
       else \
-        echo "Web directory not found, creating placeholder web pages"; \
+        mkdir -p "/build/museum/$dir"; \
-        # Create placeholder HTML files for each app \
+      fi; \
-        mkdir -p /build/web/photos /build/web/accounts /build/web/auth /build/web/cast; \
+    done
-        echo "<html><body><h1>Ente Photos</h1><p>Web app not available. Please check the build logs.</p></body></html>" > /build/web/photos/index.html; \
+
-        echo "<html><body><h1>Ente Accounts</h1><p>Web app not available. Please check the build logs.</p></body></html>" > /build/web/accounts/index.html; \
+FROM golang:1.24-bookworm AS cli-builder
-        echo "<html><body><h1>Ente Auth</h1><p>Web app not available. Please check the build logs.</p></body></html>" > /build/web/auth/index.html; \
+COPY --from=ente-source /src /ente
-        echo "<html><body><h1>Ente Cast</h1><p>Web app not available. Please check the build logs.</p></body></html>" > /build/web/cast/index.html; \
+WORKDIR /ente/cli
-    fi
+RUN go build -o /build/ente .
+
+FROM node:20-bookworm-slim AS web-builder
+ENV NEXT_PUBLIC_ENTE_ENDPOINT=ENTE_API_ORIGIN_PLACEHOLDER
+ENV NEXT_PUBLIC_ENTE_ALBUMS_ENDPOINT=https://albums.localhost.invalid
+COPY --from=ente-source /src /ente
+WORKDIR /ente/web
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends build-essential python3 && \
+    rm -rf /var/lib/apt/lists/*
+RUN corepack enable
+RUN yarn install --network-timeout 1000000
+RUN mkdir -p /build/web/photos /build/web/accounts /build/web/auth /build/web/cast /build/web/albums /build/web/family
+RUN set -e; \
+    yarn build:photos; \
+    yarn build:accounts; \
+    yarn build:auth; \
+    yarn build:cast
+RUN if [ -d "apps" ]; then \
+      for app in photos accounts auth cast; do \
+        if [ -d "apps/${app}/out" ]; then \
+          rm -rf "/build/web/${app}"; \
+          mkdir -p "/build/web/${app}"; \
+          cp -r "apps/${app}/out/." "/build/web/${app}/"; \
+        else \
+          printf 'Missing build output for %s\n' "${app}"; \
+          printf '<html><body><h1>Ente %s</h1><p>Build output missing.</p></body></html>\n' "${app}" > "/build/web/${app}/index.html"; \
+        fi; \
+      done; \
+    else \
+      for app in photos accounts auth cast; do \
+        printf '<html><body><h1>Ente %s</h1><p>Build output missing.</p></body></html>\n' "${app}" > "/build/web/${app}/index.html"; \
+      done; \
+    fi && \
+    rm -rf /build/web/albums /build/web/family && \
+    cp -r /build/web/photos /build/web/albums && \
+    cp -r /build/web/photos /build/web/family
 
 FROM cloudron/base:5.0.0@sha256:04fd70dbd8ad6149c19de39e35718e024417c3e01dc9c6637eaf4a41ec4e596c
 
-# Install necessary packages and Caddy webserver
+ENV APP_DIR=/app/code \
+    DATA_DIR=/app/data \
+    HOME=/app/data/home
+
 RUN apt-get update && \
-    apt-get install -y curl git nodejs npm libsodium23 libsodium-dev pkg-config postgresql-client && \
+    apt-get install -y --no-install-recommends ca-certificates curl jq libsodium23 pkg-config postgresql-client caddy openssl && \
-    npm install -g yarn serve && \
+    rm -rf /var/lib/apt/lists/*
-    # Install Caddy for web server
-    apt-get install -y debian-keyring debian-archive-keyring apt-transport-https && \
-    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/gpg.key' | gpg --dearmor -o /usr/share/keyrings/caddy-stable-archive-keyring.gpg && \
-    curl -1sLf 'https://dl.cloudsmith.io/public/caddy/stable/debian.deb.txt' | tee /etc/apt/sources.list.d/caddy-stable.list && \
-    apt-get update && \
-    apt-get install -y caddy && \
-    apt-get clean && apt-get autoremove && \
-    rm -rf /var/cache/apt /var/lib/apt/lists
 
-# Install Go 1.24.1
+RUN mkdir -p /app/pkg /app/web "$HOME" && chown -R cloudron:cloudron /app /app/web "$HOME"
-RUN curl -L https://go.dev/dl/go1.24.1.linux-amd64.tar.gz -o go.tar.gz && \
-    rm -rf /usr/local/go && \
-    tar -C /usr/local -xzf go.tar.gz && \
-    rm go.tar.gz && \
-    ln -sf /usr/local/go/bin/go /usr/local/bin/go && \
-    ln -sf /usr/local/go/bin/gofmt /usr/local/bin/gofmt
 
-# Set up directory structure
+COPY --from=ente-source /src ${APP_DIR}
-RUN mkdir -p /app/code /app/data/config /app/data/caddy /app/web
+RUN rm -rf ${APP_DIR}/.git
 
-WORKDIR /app/code
+RUN mkdir -p /app/museum-bin
+COPY --from=museum-builder /build/museum/museum /app/museum-bin/museum
+COPY --from=museum-builder /build/museum/migrations ${APP_DIR}/server/migrations
+COPY --from=museum-builder /build/museum/web-templates ${APP_DIR}/server/web-templates
+COPY --from=museum-builder /build/museum/mail-templates ${APP_DIR}/server/mail-templates
+COPY --from=museum-builder /build/museum/assets ${APP_DIR}/server/assets
+RUN chmod +x /app/museum-bin/museum
 
-# Clone the ente repository during build (for the Museum server)
+COPY --from=cli-builder /build/ente /app/code/ente
-RUN git clone --depth=1 https://github.com/ente-io/ente.git . && \
+RUN ln -sf /app/code/ente /usr/local/bin/ente && chmod +x /app/code/ente
-    sed -i 's/go 1.23/go 1.24/' server/go.mod && \
-    mkdir -p /app/data/go && \
-    cp -r server/go.mod server/go.sum /app/data/go/ && \
-    chmod 777 /app/data/go/go.mod /app/data/go/go.sum
 
-# Pre-download Go dependencies
-RUN cd server && \
-    export GOMODCACHE="/app/data/go/pkg/mod" && \
-    export GOFLAGS="-modfile=/app/data/go/go.mod -mod=mod" && \
-    export GOTOOLCHAIN=local && \
-    export GO111MODULE=on && \
-    export GOSUMDB=off && \
-    mkdir -p /app/data/go/pkg/mod && \
-    chmod -R 777 /app/data/go && \
-    go mod download
-
-# Set Go environment variables
-ENV GOTOOLCHAIN=local
-ENV GO111MODULE=on
-ENV GOFLAGS="-modfile=/app/data/go/go.mod -mod=mod"
-ENV PATH="/usr/local/go/bin:${PATH}"
-ENV GOSUMDB=off
-ENV GOMODCACHE="/app/data/go/pkg/mod"
-ENV HOME=/app/data/home
-
-# Copy the web app built files from the first stage
 COPY --from=web-builder /build/web/photos /app/web/photos
 COPY --from=web-builder /build/web/accounts /app/web/accounts
 COPY --from=web-builder /build/web/auth /app/web/auth
 COPY --from=web-builder /build/web/cast /app/web/cast
+COPY --from=web-builder /build/web/albums /app/web/albums
+COPY --from=web-builder /build/web/family /app/web/family
 
-# Build Ente CLI and place binary in /app/code
+COPY start.sh /app/pkg/start.sh
-WORKDIR /app/code/cli
+COPY admin-helper.sh /app/pkg/admin-helper.sh
-RUN env GOFLAGS= GOMODCACHE=/tmp/cli-go-cache GO111MODULE=on go build -o /app/code/ente . && chmod +x /app/code/ente
+COPY admin-helper-direct.sh /app/pkg/admin-helper-direct.sh
 
-WORKDIR /app/code
-
-# Symlink CLI into PATH for convenience
-RUN ln -sf /app/code/ente /usr/local/bin/ente
-
-# Prepare CLI data directory symlink to persistent storage
-RUN mkdir -p /app/data/cli-data && ln -s /app/data/cli-data /cli-data
-
-# Copy Museum server binary from builder stage to app directory (not data volume)
-RUN mkdir -p /app/museum-bin
-COPY --from=museum-builder /ente/server/museum /app/museum-bin/museum
-RUN chmod +x /app/museum-bin/museum
-
-# Copy configuration and startup scripts
-ADD start.sh /app/pkg/
-ADD config.template.yaml /app/pkg/
-ADD otp-email-monitor.js /app/pkg/
-ADD package.json /app/pkg/
-ADD admin-helper.sh /app/pkg/
-ADD admin-helper-direct.sh /app/pkg/
-
-# Set proper permissions
 RUN chmod +x /app/pkg/start.sh /app/pkg/admin-helper.sh /app/pkg/admin-helper-direct.sh
+RUN ln -s /app/data/cli-data /cli-data
 
-# Expose the web port (Cloudron expects port 3080)
+EXPOSE 3080 8080
-EXPOSE 3080
-# Also expose API port
-EXPOSE 8080
 
-# Start the application
 CMD ["/app/pkg/start.sh"]

POSTINSTALL.md

@@ -1,34 +1,56 @@
 Your Ente installation is almost ready!
 
-## Required: S3 Storage Configuration
+## Required: External Object Storage
 
-Before you can use Ente, you need to configure an S3-compatible storage service:
+Before using Ente, configure an S3-compatible object storage provider:
 
-1. Go to your Cloudron dashboard
+1. Open the Cloudron dashboard and select your Ente app.
-2. Click on your Ente app
+2. Launch the web terminal.
-3. Click on "Terminal"
+3. Edit `/app/data/config/s3.env` and provide values for **all** required keys:
-4. Edit the S3 configuration file:
+   ```bash
-   ```
    nano /app/data/config/s3.env
    ```
-5. Uncomment the variables you need and fill in your S3 credentials (AWS S3, Cloudflare R2, MinIO, etc.). The file includes commented examples for the previous Wasabi defaults and a generic Cloudflare R2 setup.
+4. Save the file and restart the app from the Cloudron dashboard.
-6. Save the file and restart your Ente app from the Cloudron dashboard
+
+Supported variables:
+- `S3_ENDPOINT` (e.g. `https://<account>.r2.cloudflarestorage.com`)
+- `S3_REGION`
+- `S3_BUCKET`
+- `S3_ACCESS_KEY`
+- `S3_SECRET_KEY`
+- `S3_PREFIX` (optional path prefix)
+
+## Required: DNS Subdomains
+
+Ente now serves supporting apps on dedicated hosts. Create DNS records (CNAME or A) for:
+
+- `accounts.<root-domain>`
+- `auth.<root-domain>`
+- `cast.<root-domain>`
+- `albums.<root-domain>`
+- `family.<root-domain>`
+
+For example, if you installed the app at `ente.due.ren`, create records for `accounts.due.ren`, `auth.due.ren`, etc., all pointing to `ente.due.ren`. After adding the DNS records, open the Cloudron dashboard → Ente app → Domains tab and add each hostname as an alias. DNS propagation must complete before the `/accounts` and `/auth` apps will accept sessions.
 
 ## Next Steps
 
-1. Once S3 is configured, visit your app URL to create an admin account
+- Visit the app URL and create the first administrator account.
-2. Configure your mobile apps to use your custom self-hosted server (Settings → Advanced → Custom Server)
+- Configure the Ente mobile apps to use your custom server (`Settings → Advanced → Custom Server`).
-3. Enjoy your private, end-to-end encrypted photo storage! 
+- Optional: set the environment variables `CLOUDRON_OIDC_IDENTIFIER`, `CLOUDRON_OIDC_CLIENT_ID`, and `CLOUDRON_OIDC_CLIENT_SECRET` to enable Cloudron SSO in the generated Museum config.
+- Administrative CLI tooling is available inside the container. Open a terminal and run:
+  ```bash
+  cloudron exec --app ente.due.ren -- sudo -u cloudron ente --help
+  cloudron exec --app ente.due.ren -- sudo -u cloudron ente admin --help
+  ```
+  The CLI stores its state at `/app/data/cli-data` (inside the container it is available at `/cli-data`). Consult the upstream CLI guide for per-command usage, including storage quota adjustments.
 
-## Ente CLI
+## Administration Helpers
 
-- The Ente CLI binary is pre-built at `/app/code/ente` inside the app container.
+- The Ente CLI binary is shipped at `/app/code/ente`. Run it via the Cloudron web terminal.
-- Open the Cloudron web terminal (working directory `/app/code`) and run commands with `ente ...` or `./ente ...`.
+- CLI configuration lives at `/app/data/home/.ente/config.yaml` and already points to `https://<your-domain>/api`.
-- The CLI configuration at `/app/data/home/.ente/config.yaml` already points to your instance (`https://<your-domain>/api`).
+- The main Museum configuration is generated at `/app/data/museum/configurations/local.yaml`. Delete this file to regenerate it with updated environment variables.
-- CLI state is stored under `/app/data/cli-data/` so re-logins persist.
 
-## Museum Server Configuration
+Logs are streamed to the Cloudron dashboard. For deeper inspection use:
-
+```bash
-- The active configuration lives at `/app/data/ente/server/configurations/local.yaml` and is created the first time the app starts.
+cloudron logs --app <location> -f
-- Subsequent restarts leave this file untouched, so you can whitelist admin accounts or adjust other settings as documented by Ente.
+```
-- Delete the file to regenerate the default template (environment values such as database and S3 credentials are rendered during creation).

README.md

@@ -81,9 +81,15 @@ The package includes several enhancements to ensure proper functionality:
 2. **API Configuration**: Dynamic runtime configuration to ensure the frontend connects to the correct API endpoint
 3. **CORS Headers**: Proper CORS configuration for API access
 
-You need to manually set up and configure:
+### Cloudron Admin Notes
 
-- S3-compatible object storage
+After installing on Cloudron remember to:
+
+1. Open the File Manager for the app, edit `/app/data/config/s3.env` with your object storage endpoint/keys, and restart the app.
+2. Add alias domains for `accounts`, `auth`, `cast`, `albums`, and `family` in the app’s **Domains** tab (create matching DNS records pointing to the primary hostname).
+3. Use the bundled Ente CLI for admin tasks via `cloudron exec --app <location> -- sudo -u cloudron ente --help`. The CLI stores its state in `/app/data/cli-data` (exposed inside the container at `/cli-data`) and already trusts your app’s API endpoint.
+
+The main photos UI continues to live on the hostname you selected during installation.
 
 ## Usage
 

admin-helper.sh

@@ -2,7 +2,7 @@
 # Ente Admin Helper Script for Cloudron
 # This script simplifies admin operations in the Cloudron terminal
 
-MUSEUM_BIN="/app/data/ente/server/museum"
+MUSEUM_BIN="/app/museum-bin/museum"
 
 # Check if museum binary exists
 if [ ! -f "$MUSEUM_BIN" ]; then
@@ -26,7 +26,7 @@ update_subscription() {
     echo "Storage: ${storage_gb}GB"
     echo "Valid for: ${valid_days} days"
     
-    cd /app/data/ente/server
+    cd /app/data/museum
 
     # Use environment variables for database connection
     export DB_HOST="$CLOUDRON_POSTGRESQL_HOST"
@@ -48,14 +48,14 @@ get_user_details() {
         return 1
     fi
     
-    cd /app/data/ente/server
+    cd /app/data/museum
 
     "$MUSEUM_BIN" admin get-user-details --user "$user_email"
 }
 
 # Function to list all users
 list_users() {
-    cd /app/data/ente/server
+    cd /app/data/museum
 
     # Connect to PostgreSQL and list users
     PGPASSWORD="$CLOUDRON_POSTGRESQL_PASSWORD" psql \

config.template.yaml

@@ -18,16 +18,20 @@ database:
   maxIdleConns: 25
   connMaxLifetime: "1h"
 
-storage:
+s3:
-  type: "s3"
+  are_local_buckets: false
-  s3:
+  use_path_style_urls: true
+  hot_storage:
+    primary: b2-eu-cen
+    secondary: b2-eu-cen
+  derived-storage: b2-eu-cen
+  b2-eu-cen:
     endpoint: "%%S3_ENDPOINT%%"
     region: "%%S3_REGION%%"
     bucket: "%%S3_BUCKET%%"
-    accessKey: "%%S3_ACCESS_KEY%%"
+    key: "%%S3_ACCESS_KEY%%"
-    secretKey: "%%S3_SECRET_KEY%%"
+    secret: "%%S3_SECRET_KEY%%"
-    prefix: "%%S3_PREFIX%%"
+    path_prefix: "%%S3_PREFIX%%"
-    forcePathStyle: true
 
 email:
   smtp: