docs(agents): enforce host-as-read-only; only use preinstalled docker/git/tea/curl; all work in containers

This reverts commit 33e9a861b0.

.editorconfig

@@ -0,0 +1,25 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[Dockerfile]
+indent_size = 2
+
+[*.sh]
+indent_size = 2
+
+[*.yml]
+indent_size = 2
+
+[*.yaml]
+indent_size = 2
+
+[*.json]
+indent_size = 2
+

.gitattributes

@@ -0,0 +1,16 @@
+* text=auto eol=lf
+
+# Enforce LF line endings for key file types
+*.sh text eol=lf
+Dockerfile text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.json text eol=lf
+*.md text eol=lf
+
+# Binary assets
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.ico binary
+

.gitignore

@@ -0,0 +1,34 @@
+# Development workspace (upstream clones, not tracked)
+PackagingForCloudronWorkspace/Docker/*
+PackagingForCloudronWorkspace/NonDocker/*
+
+# Temporary packaging work directories
+temp_*
+*_package_new/
+packaging_temp/
+
+# Common local environment and editor files
+.env
+*.env
+*.local
+*.log
+.envrc
+.python-version
+.tool-versions
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Build outputs (if any local builds are done)
+dist/
+build/
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db

AGENTS.md

@@ -0,0 +1,78 @@
+# Agent Operating Guide (Project-wide)
+
+Scope: This file applies to the entire repository. It defines how assistants and automation must work here.
+
+## Purpose
+Package ~100 free/libre/open-source applications as Cloudron apps with a fast, container-only workflow and a minimal, single-branch repo.
+
+## Golden Rules
+- Single branch: use only `main`. Do not create feature branches unless explicitly requested.
+- Host is read-only: do not install or modify anything on the host OS. You MAY only check for the presence of tools and run them if already installed.
+- Allowed host tools (if present): `docker`, `git`, `tea` (optional), and `curl` for connectivity checks. Never attempt to install or upgrade them.
+- Containers only: all build, test, lint, and packaging commands must run inside the packaging container.
+- Do not push to remote without approval: never run `git push` for a package change until it has been validated and explicitly approved by the maintainer.
+- Keep repo slim: do not commit upstream source trees or build artefacts. Only commit package files under `CloudronPackages/<AppName>/`, small helper scripts, and minimal docs.
+- Secrets: do not commit secrets or credentials. Use environment variables or Cloudron addons.
+- Consistency: follow `.editorconfig`, `.gitattributes`, and `.gitignore`.
+
+## Container-Only Workflow
+- Packaging image: built from `docker/packaging/Dockerfile`.
+- Control scripts (host-side wrappers):
+  - `scripts/packaging-up.sh` – build and start the packaging container; mounts repo at `/workspace` and `/var/run/docker.sock`.
+  - `scripts/packaging-enter.sh` – open a shell inside the container.
+  - `scripts/packaging-exec.sh <cmd>` – run any command inside the container.
+  - `scripts/workspace-clone.sh` – clone upstream repos (inside container).
+  - `scripts/workspace-update.sh` – update upstream repos (inside container).
+- Never run package build/test outside the container. If a command needs to run, wrap it via `scripts/packaging-exec.sh`.
+
+## Creating a New Package
+- Scaffold from template using the helper:
+  - `scripts/new-package.sh <AppName> --id <com.example.app> --title "Title" --port <port> [--base <cloudron_base_tag>]`
+- Edit `CloudronPackages/<AppName>/Dockerfile` and `start.sh` to run the app.
+- Prefer prebuilt upstream releases over building toolchains in Docker to keep images small.
+- Default Cloudron base image tag is `5.0.0`. Override with `--base` as needed.
+
+## Validation Checklist (must pass before proposing push)
+- Build succeeds inside the packaging container:
+  - `scripts/packaging-exec.sh "docker build -t <app>:dev CloudronPackages/<AppName>"`
+- Run sanity check inside container:
+  - `scripts/packaging-exec.sh "docker run --rm -p <hp>:<hp> -v <app>-data:/app/data <app>:dev"`
+  - Health endpoint responds; logs show no fatal errors; app starts with least privilege.
+- Manifest sanity: `CloudronManifest.json` has accurate `id`, `version`, `httpPort` or addon definitions, and `healthCheckPath`.
+- No secrets or hard-coded credentials; proper ownership of `/app/data`.
+- Image hygiene: no unnecessary build deps; minimal layers; correct exposed ports.
+- Optional: `cloudron install --image <app>:dev` tested from inside the packaging container using `cloudron` CLI, if available.
+
+## Approval Gate and Push Policy
+- Commits: frequent, small, and descriptive commits are encouraged; no approval needed for local commits.
+- After validation, present a concise summary of changes and validation output to the maintainer and request permission to push.
+- Push only at “natural” points (coherent, validated milestones). Examples:
+  - First green build of a new package scaffold (image builds + container starts + health OK).
+  - A feature-complete slice (e.g., addon integration added and tested).
+  - A bug fix with verification.
+  - Pre-release stabilization checkpoint.
+- Batch pushes to avoid noise (aim for 1–3 pushes per active app per work session).
+- NEVER push a broken or non‑validated build.
+- Only on explicit approval run `git push origin main` for package-affecting changes.
+- Never force‑push unless explicitly instructed.
+
+## Repository Hygiene
+- Do not commit upstream repos. The directories `PackagingForCloudronWorkspace/Docker/` and `PackagingForCloudronWorkspace/NonDocker/` are gitignored on purpose.
+- Keep package directories focused: `CloudronManifest.json`, `Dockerfile`, `start.sh`, and minimal config (e.g., `nginx.conf`, `supervisord.conf`, `config.yaml`, `logo.png`).
+- Use LF line endings and 2-space indentation (see `.editorconfig`/`.gitattributes`).
+
+## Networking & External Access
+- All networked actions (git clones, docker pulls, downloads) must happen from within the packaging container.
+- Host-level curl allowance: You MAY use `curl` on the host strictly for quick connectivity checks IF it is already installed. Do not install any host packages.
+- Do not attempt other host-level network configuration, filesystem changes outside the repo, or host-level package installation.
+
+## Commit Messages
+- Use conventional, concise messages:
+  - `feat(<app>): ...` for new packages or features
+  - `fix(<app>): ...` for fixes
+  - `chore(...)`, `docs(...)` for non-functional changes
+- Avoid large, mixed commits; keep changes scoped to an app.
+
+## When in Doubt
+- Ask for maintainer guidance before introducing new tools, dependencies, or changing global structure.
+- Default to safer, smaller changes and explicit approval before pushing.

CloudronPackages/PackageTemplate/.dockerignore

@@ -0,0 +1,11 @@
+# Ignore typical build context clutter
+.git
+.gitignore
+node_modules
+npm-debug.log
+*.log
+dist
+build
+Dockerfile.*
+.DS_Store
+

CloudronPackages/PackageTemplate/CloudronManifest.json

@@ -0,0 +1,19 @@
+{
+  "manifestVersion": 2,
+  "id": "__APP_ID__",
+  "title": "__APP_TITLE__",
+  "author": "KNEL",
+  "description": "Cloudron packaging template for __APP_TITLE__",
+  "website": "https://example.com",
+  "contactEmail": "admin@example.com",
+  "version": "0.1.0",
+  "changelog": "Initial package template",
+  "healthCheckPath": "/",
+  "httpPort": __HTTP_PORT__,
+  "addons": {
+    "localstorage": {}
+  },
+  "tags": ["template", "example"],
+  "icon": "logo.png"
+}
+

CloudronPackages/PackageTemplate/Dockerfile

@@ -0,0 +1,38 @@
+FROM cloudron/base:__CLOUDRON_BASE__
+
+# Metadata labels (edit as needed)
+LABEL org.opencontainers.image.title="__APP_TITLE__"
+LABEL org.opencontainers.image.description="Cloudron package for __APP_TITLE__"
+LABEL org.opencontainers.image.source="https://example.com"
+
+# Install OS dependencies here as needed
+# RUN apt-get update && apt-get install -y --no-install-recommends \
+#     curl ca-certificates tini \
+#  && rm -rf /var/lib/apt/lists/*
+
+# App code lives in /app/code (read-only at runtime)
+WORKDIR /app/code
+
+# Copy application code (adjust as needed)
+# COPY . /app/code
+
+# Create persistent directory for application data
+RUN mkdir -p /app/data && chown -R cloudron:cloudron /app/data
+
+# Copy startup script
+COPY start.sh /app/pkg/start.sh
+RUN chmod +x /app/pkg/start.sh && chown cloudron:cloudron /app/pkg/start.sh
+
+USER cloudron
+
+# Expose the app port specified in manifest
+EXPOSE __HTTP_PORT__
+
+# Default environment (customize per app)
+ENV NODE_ENV=production \
+    APP_PORT=__HTTP_PORT__
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD curl -fsS http://127.0.0.1:${APP_PORT}/ || exit 1
+
+CMD ["/app/pkg/start.sh"]

CloudronPackages/PackageTemplate/README.md

@@ -0,0 +1,24 @@
+# Package Template for Cloudron Apps
+
+This is a minimal template to package an application for Cloudron.
+
+Replace placeholders in files with your app specifics:
+- `__APP_ID__` (e.g., com.example.myapp)
+- `__APP_TITLE__` (human name)
+- `__HTTP_PORT__` (default internal app port)
+- `__CLOUDRON_BASE__` (Cloudron base image tag, e.g., 5.0.0)
+
+Files
+- `CloudronManifest.json` – base manifest
+- `Dockerfile` – uses cloudron/base, non-root user, healthcheck
+- `start.sh` – startup script with addon detection examples
+- `nginx.conf` (optional) – example reverse proxy
+- `supervisord.conf` (optional) – process manager example
+- `config.yaml` (optional) – sample app config
+- `logo.png` – add your 512x512 PNG icon here (not provided in template)
+
+Usage
+1. Create a new package from this template using `scripts/new-package.sh`:
+   `scripts/new-package.sh MyApp --id com.example.myapp --title "My App" --port 3000`
+2. Adjust Dockerfile and start.sh to run your app.
+3. Build and test locally; then commit and push.

CloudronPackages/PackageTemplate/config.yaml

@@ -0,0 +1,11 @@
+# Example configuration template for __APP_TITLE__
+server:
+  port: __HTTP_PORT__
+
+data:
+  dir: /app/data
+
+database:
+  # url: ${CLOUDRON_POSTGRESQL_URL}
+  # redis: ${CLOUDRON_REDIS_URL}
+

CloudronPackages/PackageTemplate/nginx.conf

@@ -0,0 +1,26 @@
+user  cloudron;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /run/nginx.pid;
+
+events { worker_connections  1024; }
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  access_log    /var/log/nginx/access.log  main;
+  sendfile      on;
+
+  server {
+    listen __HTTP_PORT__;
+    server_name _;
+
+    location / {
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_pass http://127.0.0.1:__HTTP_PORT__;
+    }
+  }
+}
+

CloudronPackages/PackageTemplate/start.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log() { echo "[start] $(date -Is) $*"; }
+abort() { echo "[start] ERROR: $*" >&2; exit 1; }
+
+# Defaults
+: "${APP_PORT:=__HTTP_PORT__}"
+
+log "Starting __APP_TITLE__ on port ${APP_PORT}"
+
+# Example: ensure /app/data exists and is writable
+mkdir -p /app/data
+chown -R cloudron:cloudron /app/data || true
+
+# Example addon integration (uncomment and adapt as needed)
+# if [[ -n "${CLOUDRON_POSTGRESQL_URL:-}" ]]; then
+#   log "Detected PostgreSQL addon"
+#   # Use $CLOUDRON_POSTGRESQL_* env vars
+# fi
+
+# if [[ -n "${CLOUDRON_REDIS_URL:-}" ]]; then
+#   log "Detected Redis addon"
+# fi
+
+# If your app needs config generation, do it here
+# cat > /app/data/config.yaml <<'YAML'
+# key: value
+# YAML
+
+# Example: start a simple HTTP server (placeholder)
+# Replace with your actual app start command
+if command -v python3 >/dev/null 2>&1; then
+  log "Launching placeholder server: python3 -m http.server ${APP_PORT}"
+  exec python3 -m http.server "${APP_PORT}" --bind 0.0.0.0
+else
+  abort "No application command configured. Replace placeholder with your app's start command."
+fi
+

CloudronPackages/PackageTemplate/supervisord.conf

@@ -0,0 +1,12 @@
+[supervisord]
+logfile=/var/log/supervisor/supervisord.log
+pidfile=/run/supervisord.pid
+nodaemon=true
+
+[program:app]
+command=/app/pkg/start.sh
+autorestart=true
+stdout_logfile=/var/log/supervisor/app.stdout.log
+stderr_logfile=/var/log/supervisor/app.stderr.log
+user=cloudron
+

CloudronPackages/Rathole/.dockerignore

@@ -0,0 +1,7 @@
+.git
+.gitignore
+*.log
+dist
+build
+.DS_Store
+

CloudronPackages/Rathole/CloudronManifest.json

@@ -0,0 +1,18 @@
+{
+  "manifestVersion": 2,
+  "id": "io.knel.rathole",
+  "title": "Rathole",
+  "author": "KNEL",
+  "description": "A reverse proxy that enables secure tunnels between local services and the internet.",
+  "website": "https://github.com/rathole-org/rathole",
+  "contactEmail": "admin@knownelement.com",
+  "version": "0.1.0",
+  "changelog": "Initial Cloudron package (server/client configurable).",
+  "healthCheckPath": "/",
+  "httpPort": 3000,
+  "addons": {
+    "localstorage": {}
+  },
+  "tags": ["network", "tunnel", "reverse-proxy"]
+}
+

CloudronPackages/Rathole/Dockerfile

@@ -0,0 +1,41 @@
+FROM cloudron/base:5.0.0
+
+ARG RATHOLE_VERSION=v0.5.0
+ARG ARCH=x86_64-unknown-linux-gnu
+
+USER root
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends curl ca-certificates tar python3 \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app/pkg
+
+# Download Rathole release binary (adjust version/arch via build args)
+RUN set -eux; \
+    url="https://github.com/rathole-org/rathole/releases/download/${RATHOLE_VERSION}/rathole-${ARCH}.tar.gz"; \
+    echo "Fetching ${url}"; \
+    curl -fsSL "$url" -o rathole.tar.gz; \
+    tar -xzf rathole.tar.gz; \
+    rm rathole.tar.gz; \
+    mv rathole /app/pkg/rathole; \
+    chmod +x /app/pkg/rathole; \
+    chown cloudron:cloudron /app/pkg/rathole
+
+# Start script
+COPY start.sh /app/pkg/start.sh
+RUN chmod +x /app/pkg/start.sh && chown cloudron:cloudron /app/pkg/start.sh
+
+WORKDIR /app/code
+RUN mkdir -p /app/data && chown -R cloudron:cloudron /app/data
+
+USER cloudron
+
+ENV APP_PORT=3000 \
+    RATHOLE_CONFIG_PATH=/app/data/rathole.toml
+
+EXPOSE 3000 2333
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD curl -fsS http://127.0.0.1:${APP_PORT}/ || exit 1
+
+CMD ["/app/pkg/start.sh"]

CloudronPackages/Rathole/README.md

@@ -0,0 +1,36 @@
+# Rathole (Cloudron Package)
+
+Rathole is a reverse proxy that provides secure tunnels for local services.
+Upstream project: https://github.com/rathole-org/rathole
+
+This Cloudron package runs Rathole and a lightweight HTTP health endpoint.
+
+## Defaults
+- Mode: `server` (server-only package)
+- Config path: `/app/data/rathole.toml`
+- Health port: `3000` (Cloudron `httpPort`)
+
+## Configuration
+- Put your Rathole TOML config at `/app/data/rathole.toml`, or provide it via the `RATHOLE_CONFIG` environment variable on first start.
+- Example minimal server config is auto-generated if none exists.
+
+## Build (inside packaging container)
+```
+scripts/packaging-up.sh
+scripts/packaging-exec.sh "docker build -t rathole:dev CloudronPackages/Rathole"
+```
+
+## Run locally (inside packaging container)
+```
+scripts/packaging-exec.sh "docker run --rm -p 3000:3000 -p 2333:2333 -v rathole-data:/app/data rathole:dev"
+```
+
+Note: expose additional service ports as needed per your TOML. Container exposes `2333` by default.
+
+## Deploy to Cloudron
+Use Cloudron CLI from inside the packaging container:
+```
+scripts/packaging-enter.sh
+cloudron login
+cloudron install --image rathole:dev
+```

CloudronPackages/Rathole/start.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log() { echo "[rathole] $(date -Is) $*"; }
+abort() { echo "[rathole] ERROR: $*" >&2; exit 1; }
+
+: "${APP_PORT:=3000}"
+: "${RATHOLE_CONFIG_PATH:=/app/data/rathole.toml}"
+
+# Ensure data dir exists
+mkdir -p /app/data
+chown -R cloudron:cloudron /app/data || true
+
+# If RATHOLE_CONFIG is provided, write it to config path if file not present
+if [[ ! -f "$RATHOLE_CONFIG_PATH" && -n "${RATHOLE_CONFIG:-}" ]]; then
+  log "Writing config from RATHOLE_CONFIG env to ${RATHOLE_CONFIG_PATH}"
+  printf "%s\n" "${RATHOLE_CONFIG}" > "$RATHOLE_CONFIG_PATH"
+fi
+
+# If still no config, create a minimal example for server mode
+if [[ ! -f "$RATHOLE_CONFIG_PATH" ]]; then
+  log "No config found. Writing a minimal example config (server). Adjust in /app/data/rathole.toml"
+  cat > "$RATHOLE_CONFIG_PATH" <<'TOML'
+# Minimal Rathole server config example
+[server]
+bind_addr = "0.0.0.0:2333"
+
+# Define services below as needed, for example:
+# [server.services.echo]
+# type = "tcp"
+# local_addr = "127.0.0.1:7"
+TOML
+fi
+
+# Background: lightweight HTTP health endpoint
+python3 -m http.server "$APP_PORT" --bind 0.0.0.0 >/dev/null 2>&1 &
+HEALTH_PID=$!
+log "Started health endpoint on :${APP_PORT} (pid ${HEALTH_PID})"
+
+log "Launching rathole in server mode with config ${RATHOLE_CONFIG_PATH}"
+exec /app/pkg/rathole server -c "$RATHOLE_CONFIG_PATH"

NonCloudron/orchestration/nonk8s.md

@@ -0,0 +1,9 @@
+# Non k8s orchestration 
+
+## Introduction 
+
+Sometimes Subo and RR will want to run large workloads on bare metal. Not using k8s. We need to provide an option for that workload type. Probably managed via slurm. 
+
+## Options 
+
+- MAAS

PackagingForCloudronWorkspace/README.md

@@ -0,0 +1,160 @@
+# Cloudron Packaging Workspace
+
+This workspace contains development tools and upstream source repositories for Cloudron application packaging.
+
+## 🏗️ Workspace Structure
+
+```
+PackagingForCloudronWorkspace/
+├── README.md                      # This file
+├── Docker/ (gitignored)           # Upstream application sources (many apps)
+├── NonDocker/ (gitignored)        # Non-Docker application sources
+├── UpstreamVendor-Clone.sh        # Clone all upstream repositories
+└── UpstreamVendor-Update.sh       # Update existing repositories
+```
+
+## 🚀 Setup Instructions
+
+### Initial Setup
+```bash
+cd PackagingForCloudronWorkspace/
+
+# Create Docker directory for upstream sources
+mkdir -p Docker
+
+# Make scripts executable
+chmod +x *.sh
+
+# Clone all upstream vendor repositories
+./UpstreamVendor-Clone.sh
+```
+
+This clones upstream vendor repositories used when packaging applications for Cloudron.
+
+### Keeping Sources Updated
+```bash
+# Update all existing checkouts to latest versions
+./UpstreamVendor-Update.sh
+```
+
+## 📦 Available Applications
+
+The workspace contains ~56 upstream application repositories including:
+
+### High Priority Applications
+- **apisix** - Apache APISIX API Gateway
+- **jenkins** - Jenkins CI/CD Platform
+- **grist-core** - Grist Database/Spreadsheet
+- **rundeck** - Rundeck Job Scheduler
+- **reviewboard** - ReviewBoard Code Review
+- **consuldemocracy** - Consul Democracy Platform
+
+### Development & Infrastructure Tools
+- **InvenTree** - Inventory Management System
+- **elabftw** - Laboratory Management
+- **netbox-docker** - Network Documentation
+- **signoz** - Observability Platform
+- **healthchecks** - Health Monitoring
+- **fleet** - Device Management
+
+### Productivity & Specialized Applications
+- **huginn** - Web Automation
+- **windmill** - Workflow Automation
+- **docassemble** - Document Assembly
+- **jamovi** - Statistical Analysis
+- And many more...
+
+## 🛠️ Development Workflow
+
+### Using the Workspace
+
+1. **Source Access**: All upstream sources are available in `Docker/[appname]/`
+2. **Development**: Use the `tsys-cloudron-packaging` container for all work
+3. **Package Creation**: Create packages in separate temporary directories
+4. **Git Exclusion**: All upstream sources are gitignored to keep repository clean
+
+### Container Development
+```bash
+# Access development container
+docker exec -it tsys-cloudron-packaging bash
+
+# Navigate to workspace
+cd /workspace
+
+# Access application source
+cd CloudronPackagingWorkspace/Docker/[appname]/
+
+# Create new package (outside of workspace)
+cd /workspace
+mkdir -p [appname]_package_new
+```
+
+## 📋 Workspace Management
+
+### Adding New Applications
+1. Update `UpstreamVendor-Clone.sh` with the new repository URL
+2. Run the clone script to fetch the new application
+
+### Removing Applications
+1. Remove directory from `Docker/`
+2. Update clone script to prevent future re-cloning
+
+### Repository Updates
+- Run `./UpstreamVendor-Update.sh` periodically or before starting packaging work
+- Check for breaking changes in upstream before building
+
+## ⚠️ Important Notes
+
+### Git Exclusions
+- `Docker/` and `NonDocker/` are gitignored (see repo `.gitignore`)
+- Keeps the repo slim while preserving local sources
+
+### Repository Integrity
+- Never commit upstream sources to the repository
+- Develop packages outside of `Docker/` (e.g., directly under `CloudronPackages/<AppName>`)
+
+### Source Licenses
+- Each upstream repository maintains its own license
+- Review license compatibility before packaging
+- Include appropriate license information in final packages
+
+## 🔧 Script Maintenance
+
+### UpstreamVendor-Clone.sh
+- Contains git clone commands for all upstream repositories
+- Handles both GitHub and other git hosting platforms
+- Includes error handling for failed clones
+
+### UpstreamVendor-Update.sh
+- Updates existing repositories to latest versions
+- Skips missing directories gracefully
+- Provides summary of update status
+
+### Customization
+Edit scripts as needed to:
+- Add new repository sources
+- Change clone depth or branch targets
+- Modify update behavior
+- Handle special cases
+
+## 📊 Notes
+
+- Number of upstream repositories and size vary over time.
+
+## 🤝 Team Usage
+
+### For Developers
+1. Use `./UpstreamVendor-Clone.sh` on first setup
+2. Run `./UpstreamVendor-Update.sh` weekly or before new package work
+3. Always work in the containerized environment
+4. Never commit workspace contents to git
+
+### For DevOps
+1. Monitor disk space usage of workspace
+2. Ensure container environment has access to workspace
+3. Backup workspace if needed for disaster recovery
+4. Update scripts when adding/removing applications
+
+---
+
+**Maintained By**: KNEL/TSYS Development Team

PackagingForCloudronWorkspace/UpstreamVendor-Clone.sh

@@ -0,0 +1,229 @@
+#!/bin/bash
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+
+export GIT_REPO_LIST
+GIT_REPO_LIST=(
+
+####################
+# Vp techops stuff
+####################
+
+#https://projects.knownelement.com/issues/179
+https://github.com/apache/apisix.git
+
+#https://projects.knownelement.com/issues/204
+https://github.com/target/goalert.git
+
+#https://projects.knownelement.com/issues/189
+https://github.com/consuldemocracy/consuldemocracy.git
+
+#https://projects.knownelement.com/issues/195
+https://github.com/fleetdm/fleet.git
+
+#https://projects.knownelement.com/issues/227
+https://github.com/fonoster/fonoster.git
+
+#https://projects.knownelement.com/issues/192
+https://github.com/healthchecks/healthchecks.git
+
+#https://projects.knownelement.com/issues/209
+https://github.com/juspay/hyperswitch
+
+#https://projects.knownelement.com/issues/201
+https://github.com/netbox-community/netbox-docker.git
+
+# https://projects.knownelement.com/issues/205 
+https://github.com/openboxes/openboxes-docker.git
+
+#https://projects.knownelement.com/issues/316
+https://github.com/openfiletax/openfile.git
+
+#https://projects.knownelement.com/issues/211
+https://github.com/GemGeorge/SniperPhish-Docker.git
+
+#https://projects.knownelement.com/issues/309
+https://github.com/datahub-project/datahub.git
+
+#https://projects.knownelement.com/issues/54
+https://github.com/wiredlush/easy-gate.git
+
+#https://projects.knownelement.com/issues/208
+https://github.com/Payroll-Engine/PayrollEngine.git
+
+#https://projects.knownelement.com/issues/194
+https://github.com/huginn/huginn.git
+
+#https://projects.knownelement.com/issues/191
+https://github.com/gristlabs/grist-core
+
+#https://projects.knownelement.com/issues/277
+https://github.com/jhpyle/docassemble.git
+
+#https://projects.knownelement.com/issues/273
+https://github.com/kazhuravlev/database-gateway.git
+
+#https://projects.knownelement.com/issues/217
+https://github.com/rundeck/rundeck.git
+
+#https://projects.knownelement.com/issues/222
+https://github.com/SchedMD/slurm.git
+https://github.com/giovtorres/slurm-docker-cluster.git
+
+#https://projects.knownelement.com/issues/225
+https://github.com/rathole-org/rathole.git
+
+#https://projects.knownelement.com/issues/234
+https://github.com/jenkinsci/jenkins.git
+
+#https://projects.knownelement.com/issues/322
+https://github.com/runmedev/runme.git
+
+#https://projects.knownelement.com/issues/301
+https://github.com/apache/seatunnel
+
+#https://projects.knownelement.com/issues/271
+https://github.com/thecatlady/docker-webhook
+
+####################
+# CTO Stuff
+####################
+
+#https://projects.knownelement.com/issues/173
+https://github.com/inventree/InvenTree.git
+
+#https://projects.knownelement.com/issues/180
+https://github.com/Cloud-RF/tak-server
+
+#https://projects.knownelement.com/issues/178
+https://github.com/midday-ai/midday.git
+
+#https://projects.knownelement.com/issues/181
+https://github.com/killbill/killbill.git
+
+#https://projects.knownelement.com/issues/184
+https://github.com/chirpstack/chirpstack.git
+
+#https://projects.knownelement.com/issues/185
+https://github.com/CraigChat/craig.git
+
+#https://projects.knownelement.com/issues/188
+https://github.com/elabftw/elabftw.git
+
+#https://projects.knownelement.com/issues/196
+https://github.com/jamovi/jamovi.git
+
+#https://projects.knownelement.com/issues/197
+https://github.com/INTI-CMNB/KiBot.git
+
+#https://projects.knownelement.com/issues/214
+https://github.com/Resgrid/Core
+
+#https://projects.knownelement.com/issues/216
+https://github.com/reviewboard/reviewboard.git
+
+#https://projects.knownelement.com/issues/218
+https://gitlab.com/librespacefoundation/satnogs/docker-kaitai.git
+https://gitlab.com/librespacefoundation/satnogs/docker-satnogs-webgui.git
+
+#https://projects.knownelement.com/issues/219
+https://github.com/f4exb/sdrangel-docker
+
+#https://projects.knownelement.com/issues/221
+https://github.com/SigNoz/signoz.git
+
+#https://projects.knownelement.com/issues/228
+https://github.com/sebo-b/warp.git
+
+#https://projects.knownelement.com/issues/272
+https://github.com/jgraph/docker-drawio
+
+#https://projects.knownelement.com/issues/274
+https://github.com/openblocks-dev/openblocks.git
+
+#https://projects.knownelement.com/issues/276
+https://github.com/wireviz/wireviz-web.git
+
+#https://projects.knownelement.com/issues/278
+https://github.com/opulo-inc/autobom.git
+
+#https://projects.knownelement.com/issues/279
+https://github.com/PLMore/PLMore
+
+#https://projects.knownelement.com/issues/282
+https://github.com/manyfold3d/manyfold.git
+
+#https://projects.knownelement.com/issues/283
+https://github.com/langfuse/oss-llmops-stack.git
+
+#https://projects.knownelement.com/issues/286
+https://github.com/HeyPuter/puter.git
+
+#https://projects.knownelement.com/issues/285
+https://github.com/windmill-labs/windmill.git
+
+#https://projects.knownelement.com/issues/326
+https://github.com/sbabic/swupdate.git
+
+#https://projects.knownelement.com/issues/300
+https://github.com/mendersoftware/mender-server.git
+
+#https://projects.knownelement.com/issues/50
+https://github.com/vanila-io/wireflow.git
+
+#https://projects.knownelement.com/issues/226
+https://github.com/nautechsystems/nautilus_trader.git
+
+#TBD
+https://github.com/funmusicplace/mirlo.git
+
+)
+
+WORKDIR="$(cd "$(dirname "$0")" && pwd)"
+TARGET_DIR="${WORKDIR}/Docker"
+mkdir -p "$TARGET_DIR"
+
+# If REPOS.txt exists, read additional repos (lines; ignore # and blanks)
+EXTRA_REPOS_FILE="${WORKDIR}/REPOS.txt"
+if [[ -f "$EXTRA_REPOS_FILE" ]]; then
+  mapfile -t EXTRA_REPOS < <(sed -e 's/#.*$//' -e '/^\s*$/d' "$EXTRA_REPOS_FILE")
+else
+  EXTRA_REPOS=()
+fi
+
+ALL_REPOS=("${GIT_REPO_LIST[@]}" "${EXTRA_REPOS[@]}")
+
+echo "Cloning to: $TARGET_DIR"
+printf ' - %s\n' "${ALL_REPOS[@]}"
+
+cd "$TARGET_DIR"
+
+# Parallel clones (default 4 jobs). Avoid failing the whole script on single failures.
+JOBS="${JOBS:-4}"
+printf '%s\n' "${ALL_REPOS[@]}" | xargs -n1 -P "$JOBS" -I{} bash -lc 'repo="{}"; name=$(basename -s .git "$repo"); if [[ -d "$name/.git" ]]; then echo "exists: $name"; else git clone --depth 1 "$repo" "$name" || echo "failed: $repo"; fi'

PackagingForCloudronWorkspace/UpstreamVendor-Update.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+WORKDIR="$(cd "$(dirname "$0")" && pwd)"
+TARGET_DIR="${WORKDIR}/Docker"
+
+cd "$TARGET_DIR"
+
+# Iterate only over directories that are git repos
+while IFS= read -r -d '' repo_dir; do
+  echo "Updating: ${repo_dir}"
+  pushd "$repo_dir" >/dev/null
+  if [[ -d .git ]]; then
+    git -c advice.detachedHead=false fetch --all --prune || true
+    # Fast-forward only to avoid unintended merges
+    git -c advice.detachedHead=false pull --ff-only || true
+  else
+    echo "Skipping (not a git repo): ${repo_dir}"
+  fi
+  popd >/dev/null
+done < <(find . -mindepth 1 -maxdepth 1 -type d -print0)

README.md

@@ -1,13 +1,117 @@
-# TSYS Production docker compose files
+# KNEL Production Containers (Streamlined)
 
-Docker compose files for everything running on cosmos/coolify (that isn't from the marketplace)
+Single-branch, streamlined repository for container work at KNEL. The focus is Cloudron app packaging and a small set of non‑Cloudron artifacts. All work happens directly on `main`.
 
-Anything that is in HEAD is considered in flux. Only use compose files from versioned tags. 
+## Layout
 
-No support is offered for anything in this repository. It’s provided as a service to the community. 
+- `CloudronPackages/`
+  - Empty scaffold for Cloudron app packages. Create a subfolder per app and add your packaging files there.
+  - Tracked with `.gitkeep` so the directory exists in a clean repo.
+- `PackagingForCloudronWorkspace/`
+  - Helper scripts and a workspace for interacting with upstream sources.
+  - Subfolders `Docker/` and `NonDocker/` are ignored by git (see `.gitignore`).
+  - Scripts: `UpstreamVendor-Clone.sh`, `UpstreamVendor-Update.sh`.
+- `NonCloudron/`
+  - Non‑Cloudron experiments and orchestration notes.
+- `.gitignore`, `LICENSE`, `README.md`
 
-## Repo issue
+## Workflow (single branch)
-https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
 
-## Repo Discussion
+- Branching: use only `main`.
-https://community.turnsys.com/c/chiefoperationsandfinanceofficer/vptechnicaloperations/20
+- Commit small, focused changes; push directly to `origin/main`.
+- No integration/feature branch dance; avoid long‑lived branches.
+
+## No Host Pollution (containers only)
+
+- Host requirements: `docker`, `git` (and optionally `tea`). Nothing else.
+- All packaging work runs inside the packaging container. Do not install build tools on the host.
+- Use the scripts provided:
+  - `scripts/packaging-up.sh` – build/run the packaging container (mounts repo, docker socket)
+  - `scripts/packaging-enter.sh` – open a shell inside the container
+  - `scripts/packaging-exec.sh <cmd>` – run a command inside the container
+  - `scripts/workspace-clone.sh` – run upstream clone inside the container
+  - `scripts/workspace-update.sh` – run upstream update inside the container
+
+The container image includes Docker CLI and Cloudron CLI, and accesses the host Docker via `/var/run/docker.sock`.
+
+Quick start:
+```
+# Start container
+scripts/packaging-up.sh
+
+# Enter container shell
+scripts/packaging-enter.sh
+
+# Clone upstreams inside container
+scripts/workspace-clone.sh
+```
+
+## Add a new Cloudron package
+
+1) Create the package folder
+- `mkdir -p CloudronPackages/<AppName>`
+
+2) Add the required files
+- `CloudronManifest.json` – app metadata and addon requirements
+- `Dockerfile` – image build instructions (use cloudron/base as appropriate)
+- `start.sh` – container entry script
+- Optional: `nginx.conf`, `supervisord.conf`, `config.yaml`, `logo.png`, build notes
+
+3) Build/test locally (example)
+- `docker build -t <app>:dev CloudronPackages/<AppName>`
+- `docker run --rm -p 8080:8080 <app>:dev`
+
+4) Commit and push
+- `git add CloudronPackages/<AppName>/`
+- `git commit -m "feat(<app>): initial Cloudron package"`
+- `git push origin main`
+
+## Packaging workspace tips
+
+- The workspace under `PackagingForCloudronWorkspace/` is for local convenience and upstream sync.
+- `Docker/` and `NonDocker/` inside that directory are intentionally gitignored to keep the repo slim.
+- Keep scripts and minimal config tracked; keep large clones and build outputs out of git.
+
+## Notes
+
+- This repo was reset to a simplified structure; historical multi‑branch workflows and extensive docs were removed to reduce friction.
+- If you need legacy materials, refer to your local history/tags or the remote history prior to this cleanup.
+
+### For KNEL Team Members
+1. Review [PLAN.md](PLAN.md) for current priorities
+2. Check [TASKS.md](TASKS.md) for available applications
+3. Follow the packaging workflow above
+4. Update documentation as you work
+5. Create feature branches for each application
+
+### Code Review Checklist
+- [ ] Dockerfile follows Cloudron conventions
+- [ ] All required files present and properly configured
+- [ ] Health checks implemented
+- [ ] Logging configured to stdout/stderr
+- [ ] Security best practices followed
+- [ ] Documentation updated
+- [ ] Build notes include testing steps
+
+## 🐛 Troubleshooting
+
+### Common Issues
+- **Container won't start**: Check logs with `cloudron logs --app [appname]`
+- **Database connection fails**: Verify addon environment variables
+- **Static files not served**: Check nginx configuration and file permissions
+- **Health check fails**: Verify health check endpoint returns 200 OK
+
+### Getting Help
+- Check build notes in `CloudronPackages/[AppName]/`
+- Review Cloudron documentation
+- Examine working examples (EasyGate, InvenTree)
+- Use `cloudron debug --app [appname]` for interactive debugging
+
+## 📝 License
+
+See [LICENSE](LICENSE) file for details.
+
+---
+
+**Last Updated**: 2025-01-04  
+**Maintainers**: KNEL/TSYS Development Team

cloudron/ads.knownelement.com/info

@@ -1,3 +0,0 @@
-lamp app
-
-revive adserver

cloudron/crm.thefnf.net/info

@@ -1 +0,0 @@
-civicrm

cloudron/digital-assets-manager.knownelement.com/info

@@ -1,3 +0,0 @@
-lamp app
-
-https://www.resourcespace.com/knowledge-base/systemadmin/install_overview

cloudron/msp.merchantsofhope.org/info

@@ -1 +0,0 @@
-https://github.com/itflow-org/itflow?tab=readme-ov-file

coolify/serverless/serverless.md

@@ -1 +0,0 @@
-Serverless notes 

coolify/watchtower/docker-compose.yml

@@ -1 +0,0 @@
-#watchtower docker compose for tsys

cosmos/TBD/apigw/apigw.md

@@ -1,14 +0,0 @@
-API gateway notes 
-
-* API gateway (TYK)
-
-<https://tyk.io/>
-
-<https://tyk.io/docs/getting-started/installation/with-tyk-on-premises/docker/>
-
-<https://tyk.io/docs/advanced-configuration/integrate/sso/dashboard-login-ldap-tib/>
-
-
-(or perhaps..)
-
-https://github.com/apache/apisix

cosmos/TBD/apigw/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/TBD/apigw/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/TBD/apigw/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/TBD/cloudDevENv/CloudDev.mf

@@ -1,18 +0,0 @@
-# Cloud dev at tsys 
-
-## Desired architecute
-
-(essentially the lap.dev architecure)
-
-- control plane running as a web app on cosmos 
-- agent that spins up ephermeral containers on runner hosts
-
-
-## Contenders 
-
-- strong.network
-- lap.dev (dont like that it only supports github/gitlab oautg) (also that it doesnt appear to be dockerized)
-
-## Links 
-
-- https://github.com/strong-network/images

cosmos/TBD/cloudDevENv/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/TBD/cloudDevENv/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/TBD/cloudDevENv/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/TBD/e-voting/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/TBD/e-voting/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/TBD/e-voting/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/acme.knownelement.com/docker-compose.yml

@@ -1,3 +0,0 @@
-#cfssl docker compose for tsys
-
-#git subtree add --prefix upstream/cloudflare-cfssl  https://github.com/rjrivero/docker-cfssl.git master --squash

cosmos/acme.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/acme.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/acme.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/agency.merchantsofhope.org/info

@@ -1,2 +0,0 @@
-https://midday.ai/pricing
-https://github.com/midday-ai/midday

cosmos/agency.merchantsofhope.org/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/agency.merchantsofhope.org/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/agency.merchantsofhope.org/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/atak.knownelement.com/info

@@ -1,3 +0,0 @@
-https://www.civtak.org/atak-about/t
-
-https://github.com/Cloud-RF/tak-server

cosmos/atak.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/atak.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/atak.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/billing.knownelement.com/docker-compose.yml

@@ -1 +0,0 @@
-#killbill docker compose for tsys

cosmos/billing.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/billing.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/billing.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/boinc.knownelement.com/docker-compose.yml

@@ -1,3 +0,0 @@
-# boinc docker compose for tsys
-
-# https://boinc.berkeley.edu/trac/wiki/BoincDocker

cosmos/boinc.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/boinc.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/boinc.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/certmgr.knownelement.com/docker-compose.yml

@@ -1,3 +0,0 @@
-#certmgr docker compose for tsys
-
-#git subtree add --prefix upstream/cloudflare-certmgr https://github.com/cloudflare/certmgr.git master --squash

cosmos/certmgr.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/certmgr.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/certmgr.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

cosmos/chirpstack.knownelement.com/info

@@ -1 +0,0 @@
-# chirpstack (lora server)

cosmos/chirpstack.knownelement.com/input-files/info

@@ -1 +0,0 @@
-This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

cosmos/chirpstack.knownelement.com/output-files/info

@@ -1 +0,0 @@
-This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

cosmos/chirpstack.knownelement.com/vendor-files/info

@@ -1 +0,0 @@
-This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory