maubot-cloudron/maubot-src/CLOUDRON.md

# Maubot on Cloudron

This package turns the upstream maubot repository into a Cloudron-ready app that ships with PostgreSQL, Cloudron SSO protection, and persistent storage under `/app/data`.

## Prerequisites
- Cloudron CLI `>=7.5`
- Access to the Cloudron build service at `builder.docker.due.ren`
- Repository checked out with the Cloudron packaging files (`CloudronManifest.json`, `Dockerfile`, `start.sh`, etc.)
- Builder token `e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e`

## Build
Run all commands from the repository root so the Cloudron CLI picks up the Cloudron-specific `Dockerfile`.

```bash
cloudron build \
  --set-build-service builder.docker.due.ren \
  --build-service-token e3265de06b1d0e7bb38400539012a8433a74c2c96a17955e \
  --set-repository andreasdueren/ente-cloudron \
  --tag 0.1.0
```

This command uploads the build context to the remote builder, produces the Docker image `andreasdueren/ente-cloudron:0.1.0`, and keeps the build logs in your terminal. Do not wait more than 30 seconds after the build finishes before continuing to installation.

## Deployment
Install a fresh instance every time (do not use `cloudron update` during development):

```bash
cloudron install \
  --location ente.due.ren \
  --image andreasdueren/ente-cloudron:0.1.0
```

Once the dashboard reports the app as running, open `https://ente.due.ren` in your browser. Authentication is enforced via Cloudron’s OIDC flow (SSO). The maubot UI additionally requires its own credentials:

- Username: `root`
- Password: stored in `/app/data/.admin_password`

Retrieve the generated password once via:

```bash
cloudron exec --app ente.due.ren -- cat /app/data/.admin_password
```

## Testing
- Follow logs for both supervisor-managed processes:
  ```bash
  cloudron logs --app ente.due.ren -f
  ```
- Verify the health endpoint exposed by nginx:
  ```bash
  cloudron exec --app ente.due.ren -- curl -f http://127.0.0.1:3000/healthz
  ```
- Ensure database connectivity by checking the maubot UI (Settings → Databases) or by verifying that `/app/data/maubot.db` stays empty when PostgreSQL is active.

## Troubleshooting
- **Install hangs:** The Cloudron dashboard shows progress in real time. If it stalls for more than 30 seconds, check `cloudron logs --app ente.due.ren` for supervisor or nginx errors.
- **SSO loops:** Confirm the app’s location matches the configured Cloudron origin and that `CLOUDRON_APP_ORIGIN` is reaching the container (visible in `/app/data/config.yaml` under `server.public_url`).
- **Admin password lost:** Re-run the `cloudron exec ... cat /app/data/.admin_password` command. The file is persistent and backed up with the app’s data volume.
- **Custom configuration:** Edit `/app/data/config.yaml`, then restart the app: `cloudron restart --app ente.due.ren`. The start script preserves existing values but will continue to enforce Cloudron-specific paths.

## Configuration Examples
- Switch the homeserver list:
  ```bash
  cloudron exec --app ente.due.ren -- \
    yq -i '.homeservers."matrix.example".url = "https://matrix.example.org"' /app/data/config.yaml
  ```
- Override the crypto database (e.g., to stick with SQLite):
  ```bash
  cloudron exec --app ente.due.ren -- \
    yq -i '.crypto_database = "sqlite:/app/data/crypto.db"' /app/data/config.yaml
  ```
- Plugin addons: the start script reads `CLOUDRON_POSTGRESQL_URL`, `CLOUDRON_MAIL_SMTP_*`, `CLOUDRON_OIDC_*`, and `CLOUDRON_LDAP_*` on each boot, and plugins can directly use `CLOUDRON_MYSQL_URL`, `CLOUDRON_MONGODB_URL`, or `CLOUDRON_REDIS_URL`. Inject overrides via the Cloudron dashboard’s **Environment** UI if specific plugins require external services.

After making any manual change, always restart the app to allow the supervisor to pick up the modifications.