docs(agents): enforce host-as-read-only; only use preinstalled docker/git/tea/curl; all work in containers

This reverts commit 33e9a861b0.

.editorconfig

@@ -0,0 +1,25 @@
+root = true
+
+[*]
+charset = utf-8
+end_of_line = lf
+insert_final_newline = true
+trim_trailing_whitespace = true
+indent_style = space
+indent_size = 2
+
+[Dockerfile]
+indent_size = 2
+
+[*.sh]
+indent_size = 2
+
+[*.yml]
+indent_size = 2
+
+[*.yaml]
+indent_size = 2
+
+[*.json]
+indent_size = 2
+

.gitattributes

@@ -0,0 +1,16 @@
+* text=auto eol=lf
+
+# Enforce LF line endings for key file types
+*.sh text eol=lf
+Dockerfile text eol=lf
+*.yml text eol=lf
+*.yaml text eol=lf
+*.json text eol=lf
+*.md text eol=lf
+
+# Binary assets
+*.png binary
+*.jpg binary
+*.jpeg binary
+*.ico binary
+

.gitignore

@@ -0,0 +1,34 @@
+# Development workspace (upstream clones, not tracked)
+PackagingForCloudronWorkspace/Docker/*
+PackagingForCloudronWorkspace/NonDocker/*
+
+# Temporary packaging work directories
+temp_*
+*_package_new/
+packaging_temp/
+
+# Common local environment and editor files
+.env
+*.env
+*.local
+*.log
+.envrc
+.python-version
+.tool-versions
+.vscode/
+.idea/
+*.swp
+*.swo
+
+# Build outputs (if any local builds are done)
+dist/
+build/
+
+# OS generated files
+.DS_Store
+.DS_Store?
+._*
+.Spotlight-V100
+.Trashes
+ehthumbs.db
+Thumbs.db

AGENTS.md

@@ -0,0 +1,78 @@
+# Agent Operating Guide (Project-wide)
+
+Scope: This file applies to the entire repository. It defines how assistants and automation must work here.
+
+## Purpose
+Package ~100 free/libre/open-source applications as Cloudron apps with a fast, container-only workflow and a minimal, single-branch repo.
+
+## Golden Rules
+- Single branch: use only `main`. Do not create feature branches unless explicitly requested.
+- Host is read-only: do not install or modify anything on the host OS. You MAY only check for the presence of tools and run them if already installed.
+- Allowed host tools (if present): `docker`, `git`, `tea` (optional), and `curl` for connectivity checks. Never attempt to install or upgrade them.
+- Containers only: all build, test, lint, and packaging commands must run inside the packaging container.
+- Do not push to remote without approval: never run `git push` for a package change until it has been validated and explicitly approved by the maintainer.
+- Keep repo slim: do not commit upstream source trees or build artefacts. Only commit package files under `CloudronPackages/<AppName>/`, small helper scripts, and minimal docs.
+- Secrets: do not commit secrets or credentials. Use environment variables or Cloudron addons.
+- Consistency: follow `.editorconfig`, `.gitattributes`, and `.gitignore`.
+
+## Container-Only Workflow
+- Packaging image: built from `docker/packaging/Dockerfile`.
+- Control scripts (host-side wrappers):
+  - `scripts/packaging-up.sh` – build and start the packaging container; mounts repo at `/workspace` and `/var/run/docker.sock`.
+  - `scripts/packaging-enter.sh` – open a shell inside the container.
+  - `scripts/packaging-exec.sh <cmd>` – run any command inside the container.
+  - `scripts/workspace-clone.sh` – clone upstream repos (inside container).
+  - `scripts/workspace-update.sh` – update upstream repos (inside container).
+- Never run package build/test outside the container. If a command needs to run, wrap it via `scripts/packaging-exec.sh`.
+
+## Creating a New Package
+- Scaffold from template using the helper:
+  - `scripts/new-package.sh <AppName> --id <com.example.app> --title "Title" --port <port> [--base <cloudron_base_tag>]`
+- Edit `CloudronPackages/<AppName>/Dockerfile` and `start.sh` to run the app.
+- Prefer prebuilt upstream releases over building toolchains in Docker to keep images small.
+- Default Cloudron base image tag is `5.0.0`. Override with `--base` as needed.
+
+## Validation Checklist (must pass before proposing push)
+- Build succeeds inside the packaging container:
+  - `scripts/packaging-exec.sh "docker build -t <app>:dev CloudronPackages/<AppName>"`
+- Run sanity check inside container:
+  - `scripts/packaging-exec.sh "docker run --rm -p <hp>:<hp> -v <app>-data:/app/data <app>:dev"`
+  - Health endpoint responds; logs show no fatal errors; app starts with least privilege.
+- Manifest sanity: `CloudronManifest.json` has accurate `id`, `version`, `httpPort` or addon definitions, and `healthCheckPath`.
+- No secrets or hard-coded credentials; proper ownership of `/app/data`.
+- Image hygiene: no unnecessary build deps; minimal layers; correct exposed ports.
+- Optional: `cloudron install --image <app>:dev` tested from inside the packaging container using `cloudron` CLI, if available.
+
+## Approval Gate and Push Policy
+- Commits: frequent, small, and descriptive commits are encouraged; no approval needed for local commits.
+- After validation, present a concise summary of changes and validation output to the maintainer and request permission to push.
+- Push only at “natural” points (coherent, validated milestones). Examples:
+  - First green build of a new package scaffold (image builds + container starts + health OK).
+  - A feature-complete slice (e.g., addon integration added and tested).
+  - A bug fix with verification.
+  - Pre-release stabilization checkpoint.
+- Batch pushes to avoid noise (aim for 1–3 pushes per active app per work session).
+- NEVER push a broken or non‑validated build.
+- Only on explicit approval run `git push origin main` for package-affecting changes.
+- Never force‑push unless explicitly instructed.
+
+## Repository Hygiene
+- Do not commit upstream repos. The directories `PackagingForCloudronWorkspace/Docker/` and `PackagingForCloudronWorkspace/NonDocker/` are gitignored on purpose.
+- Keep package directories focused: `CloudronManifest.json`, `Dockerfile`, `start.sh`, and minimal config (e.g., `nginx.conf`, `supervisord.conf`, `config.yaml`, `logo.png`).
+- Use LF line endings and 2-space indentation (see `.editorconfig`/`.gitattributes`).
+
+## Networking & External Access
+- All networked actions (git clones, docker pulls, downloads) must happen from within the packaging container.
+- Host-level curl allowance: You MAY use `curl` on the host strictly for quick connectivity checks IF it is already installed. Do not install any host packages.
+- Do not attempt other host-level network configuration, filesystem changes outside the repo, or host-level package installation.
+
+## Commit Messages
+- Use conventional, concise messages:
+  - `feat(<app>): ...` for new packages or features
+  - `fix(<app>): ...` for fixes
+  - `chore(...)`, `docs(...)` for non-functional changes
+- Avoid large, mixed commits; keep changes scoped to an app.
+
+## When in Doubt
+- Ask for maintainer guidance before introducing new tools, dependencies, or changing global structure.
+- Default to safer, smaller changes and explicit approval before pushing.

CloudronPackages/PackageTemplate/.dockerignore

@@ -0,0 +1,11 @@
+# Ignore typical build context clutter
+.git
+.gitignore
+node_modules
+npm-debug.log
+*.log
+dist
+build
+Dockerfile.*
+.DS_Store
+

CloudronPackages/PackageTemplate/CloudronManifest.json

@@ -0,0 +1,19 @@
+{
+  "manifestVersion": 2,
+  "id": "__APP_ID__",
+  "title": "__APP_TITLE__",
+  "author": "KNEL",
+  "description": "Cloudron packaging template for __APP_TITLE__",
+  "website": "https://example.com",
+  "contactEmail": "admin@example.com",
+  "version": "0.1.0",
+  "changelog": "Initial package template",
+  "healthCheckPath": "/",
+  "httpPort": __HTTP_PORT__,
+  "addons": {
+    "localstorage": {}
+  },
+  "tags": ["template", "example"],
+  "icon": "logo.png"
+}
+

CloudronPackages/PackageTemplate/Dockerfile

@@ -0,0 +1,38 @@
+FROM cloudron/base:__CLOUDRON_BASE__
+
+# Metadata labels (edit as needed)
+LABEL org.opencontainers.image.title="__APP_TITLE__"
+LABEL org.opencontainers.image.description="Cloudron package for __APP_TITLE__"
+LABEL org.opencontainers.image.source="https://example.com"
+
+# Install OS dependencies here as needed
+# RUN apt-get update && apt-get install -y --no-install-recommends \
+#     curl ca-certificates tini \
+#  && rm -rf /var/lib/apt/lists/*
+
+# App code lives in /app/code (read-only at runtime)
+WORKDIR /app/code
+
+# Copy application code (adjust as needed)
+# COPY . /app/code
+
+# Create persistent directory for application data
+RUN mkdir -p /app/data && chown -R cloudron:cloudron /app/data
+
+# Copy startup script
+COPY start.sh /app/pkg/start.sh
+RUN chmod +x /app/pkg/start.sh && chown cloudron:cloudron /app/pkg/start.sh
+
+USER cloudron
+
+# Expose the app port specified in manifest
+EXPOSE __HTTP_PORT__
+
+# Default environment (customize per app)
+ENV NODE_ENV=production \
+    APP_PORT=__HTTP_PORT__
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD curl -fsS http://127.0.0.1:${APP_PORT}/ || exit 1
+
+CMD ["/app/pkg/start.sh"]

CloudronPackages/PackageTemplate/README.md

@@ -0,0 +1,24 @@
+# Package Template for Cloudron Apps
+
+This is a minimal template to package an application for Cloudron.
+
+Replace placeholders in files with your app specifics:
+- `__APP_ID__` (e.g., com.example.myapp)
+- `__APP_TITLE__` (human name)
+- `__HTTP_PORT__` (default internal app port)
+- `__CLOUDRON_BASE__` (Cloudron base image tag, e.g., 5.0.0)
+
+Files
+- `CloudronManifest.json` – base manifest
+- `Dockerfile` – uses cloudron/base, non-root user, healthcheck
+- `start.sh` – startup script with addon detection examples
+- `nginx.conf` (optional) – example reverse proxy
+- `supervisord.conf` (optional) – process manager example
+- `config.yaml` (optional) – sample app config
+- `logo.png` – add your 512x512 PNG icon here (not provided in template)
+
+Usage
+1. Create a new package from this template using `scripts/new-package.sh`:
+   `scripts/new-package.sh MyApp --id com.example.myapp --title "My App" --port 3000`
+2. Adjust Dockerfile and start.sh to run your app.
+3. Build and test locally; then commit and push.

CloudronPackages/PackageTemplate/config.yaml

@@ -0,0 +1,11 @@
+# Example configuration template for __APP_TITLE__
+server:
+  port: __HTTP_PORT__
+
+data:
+  dir: /app/data
+
+database:
+  # url: ${CLOUDRON_POSTGRESQL_URL}
+  # redis: ${CLOUDRON_REDIS_URL}
+

CloudronPackages/PackageTemplate/nginx.conf

@@ -0,0 +1,26 @@
+user  cloudron;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /run/nginx.pid;
+
+events { worker_connections  1024; }
+
+http {
+  include       /etc/nginx/mime.types;
+  default_type  application/octet-stream;
+  access_log    /var/log/nginx/access.log  main;
+  sendfile      on;
+
+  server {
+    listen __HTTP_PORT__;
+    server_name _;
+
+    location / {
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_pass http://127.0.0.1:__HTTP_PORT__;
+    }
+  }
+}
+

CloudronPackages/PackageTemplate/start.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log() { echo "[start] $(date -Is) $*"; }
+abort() { echo "[start] ERROR: $*" >&2; exit 1; }
+
+# Defaults
+: "${APP_PORT:=__HTTP_PORT__}"
+
+log "Starting __APP_TITLE__ on port ${APP_PORT}"
+
+# Example: ensure /app/data exists and is writable
+mkdir -p /app/data
+chown -R cloudron:cloudron /app/data || true
+
+# Example addon integration (uncomment and adapt as needed)
+# if [[ -n "${CLOUDRON_POSTGRESQL_URL:-}" ]]; then
+#   log "Detected PostgreSQL addon"
+#   # Use $CLOUDRON_POSTGRESQL_* env vars
+# fi
+
+# if [[ -n "${CLOUDRON_REDIS_URL:-}" ]]; then
+#   log "Detected Redis addon"
+# fi
+
+# If your app needs config generation, do it here
+# cat > /app/data/config.yaml <<'YAML'
+# key: value
+# YAML
+
+# Example: start a simple HTTP server (placeholder)
+# Replace with your actual app start command
+if command -v python3 >/dev/null 2>&1; then
+  log "Launching placeholder server: python3 -m http.server ${APP_PORT}"
+  exec python3 -m http.server "${APP_PORT}" --bind 0.0.0.0
+else
+  abort "No application command configured. Replace placeholder with your app's start command."
+fi
+

CloudronPackages/PackageTemplate/supervisord.conf

@@ -0,0 +1,12 @@
+[supervisord]
+logfile=/var/log/supervisor/supervisord.log
+pidfile=/run/supervisord.pid
+nodaemon=true
+
+[program:app]
+command=/app/pkg/start.sh
+autorestart=true
+stdout_logfile=/var/log/supervisor/app.stdout.log
+stderr_logfile=/var/log/supervisor/app.stderr.log
+user=cloudron
+

CloudronPackages/Rathole/.dockerignore

@@ -0,0 +1,7 @@
+.git
+.gitignore
+*.log
+dist
+build
+.DS_Store
+

CloudronPackages/Rathole/CloudronManifest.json

@@ -0,0 +1,18 @@
+{
+  "manifestVersion": 2,
+  "id": "io.knel.rathole",
+  "title": "Rathole",
+  "author": "KNEL",
+  "description": "A reverse proxy that enables secure tunnels between local services and the internet.",
+  "website": "https://github.com/rathole-org/rathole",
+  "contactEmail": "admin@knownelement.com",
+  "version": "0.1.0",
+  "changelog": "Initial Cloudron package (server/client configurable).",
+  "healthCheckPath": "/",
+  "httpPort": 3000,
+  "addons": {
+    "localstorage": {}
+  },
+  "tags": ["network", "tunnel", "reverse-proxy"]
+}
+

CloudronPackages/Rathole/Dockerfile

@@ -0,0 +1,41 @@
+FROM cloudron/base:5.0.0
+
+ARG RATHOLE_VERSION=v0.5.0
+ARG ARCH=x86_64-unknown-linux-gnu
+
+USER root
+RUN apt-get update \
+ && apt-get install -y --no-install-recommends curl ca-certificates tar python3 \
+ && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /app/pkg
+
+# Download Rathole release binary (adjust version/arch via build args)
+RUN set -eux; \
+    url="https://github.com/rathole-org/rathole/releases/download/${RATHOLE_VERSION}/rathole-${ARCH}.tar.gz"; \
+    echo "Fetching ${url}"; \
+    curl -fsSL "$url" -o rathole.tar.gz; \
+    tar -xzf rathole.tar.gz; \
+    rm rathole.tar.gz; \
+    mv rathole /app/pkg/rathole; \
+    chmod +x /app/pkg/rathole; \
+    chown cloudron:cloudron /app/pkg/rathole
+
+# Start script
+COPY start.sh /app/pkg/start.sh
+RUN chmod +x /app/pkg/start.sh && chown cloudron:cloudron /app/pkg/start.sh
+
+WORKDIR /app/code
+RUN mkdir -p /app/data && chown -R cloudron:cloudron /app/data
+
+USER cloudron
+
+ENV APP_PORT=3000 \
+    RATHOLE_CONFIG_PATH=/app/data/rathole.toml
+
+EXPOSE 3000 2333
+
+HEALTHCHECK --interval=30s --timeout=5s --start-period=20s --retries=3 \
+  CMD curl -fsS http://127.0.0.1:${APP_PORT}/ || exit 1
+
+CMD ["/app/pkg/start.sh"]

CloudronPackages/Rathole/README.md

@@ -0,0 +1,36 @@
+# Rathole (Cloudron Package)
+
+Rathole is a reverse proxy that provides secure tunnels for local services.
+Upstream project: https://github.com/rathole-org/rathole
+
+This Cloudron package runs Rathole and a lightweight HTTP health endpoint.
+
+## Defaults
+- Mode: `server` (server-only package)
+- Config path: `/app/data/rathole.toml`
+- Health port: `3000` (Cloudron `httpPort`)
+
+## Configuration
+- Put your Rathole TOML config at `/app/data/rathole.toml`, or provide it via the `RATHOLE_CONFIG` environment variable on first start.
+- Example minimal server config is auto-generated if none exists.
+
+## Build (inside packaging container)
+```
+scripts/packaging-up.sh
+scripts/packaging-exec.sh "docker build -t rathole:dev CloudronPackages/Rathole"
+```
+
+## Run locally (inside packaging container)
+```
+scripts/packaging-exec.sh "docker run --rm -p 3000:3000 -p 2333:2333 -v rathole-data:/app/data rathole:dev"
+```
+
+Note: expose additional service ports as needed per your TOML. Container exposes `2333` by default.
+
+## Deploy to Cloudron
+Use Cloudron CLI from inside the packaging container:
+```
+scripts/packaging-enter.sh
+cloudron login
+cloudron install --image rathole:dev
+```

CloudronPackages/Rathole/start.sh

@@ -0,0 +1,41 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+log() { echo "[rathole] $(date -Is) $*"; }
+abort() { echo "[rathole] ERROR: $*" >&2; exit 1; }
+
+: "${APP_PORT:=3000}"
+: "${RATHOLE_CONFIG_PATH:=/app/data/rathole.toml}"
+
+# Ensure data dir exists
+mkdir -p /app/data
+chown -R cloudron:cloudron /app/data || true
+
+# If RATHOLE_CONFIG is provided, write it to config path if file not present
+if [[ ! -f "$RATHOLE_CONFIG_PATH" && -n "${RATHOLE_CONFIG:-}" ]]; then
+  log "Writing config from RATHOLE_CONFIG env to ${RATHOLE_CONFIG_PATH}"
+  printf "%s\n" "${RATHOLE_CONFIG}" > "$RATHOLE_CONFIG_PATH"
+fi
+
+# If still no config, create a minimal example for server mode
+if [[ ! -f "$RATHOLE_CONFIG_PATH" ]]; then
+  log "No config found. Writing a minimal example config (server). Adjust in /app/data/rathole.toml"
+  cat > "$RATHOLE_CONFIG_PATH" <<'TOML'
+# Minimal Rathole server config example
+[server]
+bind_addr = "0.0.0.0:2333"
+
+# Define services below as needed, for example:
+# [server.services.echo]
+# type = "tcp"
+# local_addr = "127.0.0.1:7"
+TOML
+fi
+
+# Background: lightweight HTTP health endpoint
+python3 -m http.server "$APP_PORT" --bind 0.0.0.0 >/dev/null 2>&1 &
+HEALTH_PID=$!
+log "Started health endpoint on :${APP_PORT} (pid ${HEALTH_PID})"
+
+log "Launching rathole in server mode with config ${RATHOLE_CONFIG_PATH}"
+exec /app/pkg/rathole server -c "$RATHOLE_CONFIG_PATH"

NonCloudron/RandD/Apps/app.ap4ap.org/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.ap4ap.org/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.ap4ap.org/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.hfnfc.net/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.hfnfc.net/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.hfnfc.net/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.hfnoc.net/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.hfnoc.net/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.merchantsofhope.org/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.merchantsofhope.org/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.merchantsofhope.org/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.rackrental.net/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.rackrental.net/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.rackrental.net/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.sidedoorgroup.org/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.sidedoorgroup.org/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.sidedoorgroup.org/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.startinglineprodictions.com/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.startinglineprodictions.com/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.startinglineprodictions.com/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.teamrental.net/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.teamrental.net/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.teamrental.net/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/Apps/app.yourdreamnamehere.com/Dockerfile

@@ -0,0 +1 @@
+# dockerfile for an app at tsys 

NonCloudron/RandD/Apps/app.yourdreamnamehere.com/devcontainer.json

@@ -0,0 +1 @@
+# dev environment for an app at tsys

NonCloudron/RandD/Apps/app.yourdreamnamehere.com/docker-compose.yml

@@ -0,0 +1,5 @@
+# app docker compose file for tsys 
+
+## app name
+## ports 
+## deps 

NonCloudron/RandD/GIS-backend/input-files/info

@@ -0,0 +1 @@
+This directory contains template files for the application at FQDN indidicated by the parent directory. They will be processed using mo (bash mustache).

NonCloudron/RandD/GIS-backend/output-files/info

@@ -0,0 +1 @@
+This directory contains final docker compose files for the application at FQDN indidicated by the parent directory. 

NonCloudron/RandD/GIS-backend/vendor-files/info

@@ -0,0 +1 @@
+This directory contains files from the vendor unmodified. They serve as a base for the input-files sibling directory

NonCloudron/RandD/portmap.md

@@ -0,0 +1 @@
+# Cosmos port map

NonCloudron/orchestration/nonk8s.md

@@ -0,0 +1,9 @@
+# Non k8s orchestration 
+
+## Introduction 
+
+Sometimes Subo and RR will want to run large workloads on bare metal. Not using k8s. We need to provide an option for that workload type. Probably managed via slurm. 
+
+## Options 
+
+- MAAS

PackagingForCloudronWorkspace/README.md

@@ -0,0 +1,160 @@
+# Cloudron Packaging Workspace
+
+This workspace contains development tools and upstream source repositories for Cloudron application packaging.
+
+## 🏗️ Workspace Structure
+
+```
+PackagingForCloudronWorkspace/
+├── README.md                      # This file
+├── Docker/ (gitignored)           # Upstream application sources (many apps)
+├── NonDocker/ (gitignored)        # Non-Docker application sources
+├── UpstreamVendor-Clone.sh        # Clone all upstream repositories
+└── UpstreamVendor-Update.sh       # Update existing repositories
+```
+
+## 🚀 Setup Instructions
+
+### Initial Setup
+```bash
+cd PackagingForCloudronWorkspace/
+
+# Create Docker directory for upstream sources
+mkdir -p Docker
+
+# Make scripts executable
+chmod +x *.sh
+
+# Clone all upstream vendor repositories
+./UpstreamVendor-Clone.sh
+```
+
+This clones upstream vendor repositories used when packaging applications for Cloudron.
+
+### Keeping Sources Updated
+```bash
+# Update all existing checkouts to latest versions
+./UpstreamVendor-Update.sh
+```
+
+## 📦 Available Applications
+
+The workspace contains ~56 upstream application repositories including:
+
+### High Priority Applications
+- **apisix** - Apache APISIX API Gateway
+- **jenkins** - Jenkins CI/CD Platform
+- **grist-core** - Grist Database/Spreadsheet
+- **rundeck** - Rundeck Job Scheduler
+- **reviewboard** - ReviewBoard Code Review
+- **consuldemocracy** - Consul Democracy Platform
+
+### Development & Infrastructure Tools
+- **InvenTree** - Inventory Management System
+- **elabftw** - Laboratory Management
+- **netbox-docker** - Network Documentation
+- **signoz** - Observability Platform
+- **healthchecks** - Health Monitoring
+- **fleet** - Device Management
+
+### Productivity & Specialized Applications
+- **huginn** - Web Automation
+- **windmill** - Workflow Automation
+- **docassemble** - Document Assembly
+- **jamovi** - Statistical Analysis
+- And many more...
+
+## 🛠️ Development Workflow
+
+### Using the Workspace
+
+1. **Source Access**: All upstream sources are available in `Docker/[appname]/`
+2. **Development**: Use the `tsys-cloudron-packaging` container for all work
+3. **Package Creation**: Create packages in separate temporary directories
+4. **Git Exclusion**: All upstream sources are gitignored to keep repository clean
+
+### Container Development
+```bash
+# Access development container
+docker exec -it tsys-cloudron-packaging bash
+
+# Navigate to workspace
+cd /workspace
+
+# Access application source
+cd CloudronPackagingWorkspace/Docker/[appname]/
+
+# Create new package (outside of workspace)
+cd /workspace
+mkdir -p [appname]_package_new
+```
+
+## 📋 Workspace Management
+
+### Adding New Applications
+1. Update `UpstreamVendor-Clone.sh` with the new repository URL
+2. Run the clone script to fetch the new application
+
+### Removing Applications
+1. Remove directory from `Docker/`
+2. Update clone script to prevent future re-cloning
+
+### Repository Updates
+- Run `./UpstreamVendor-Update.sh` periodically or before starting packaging work
+- Check for breaking changes in upstream before building
+
+## ⚠️ Important Notes
+
+### Git Exclusions
+- `Docker/` and `NonDocker/` are gitignored (see repo `.gitignore`)
+- Keeps the repo slim while preserving local sources
+
+### Repository Integrity
+- Never commit upstream sources to the repository
+- Develop packages outside of `Docker/` (e.g., directly under `CloudronPackages/<AppName>`)
+
+### Source Licenses
+- Each upstream repository maintains its own license
+- Review license compatibility before packaging
+- Include appropriate license information in final packages
+
+## 🔧 Script Maintenance
+
+### UpstreamVendor-Clone.sh
+- Contains git clone commands for all upstream repositories
+- Handles both GitHub and other git hosting platforms
+- Includes error handling for failed clones
+
+### UpstreamVendor-Update.sh
+- Updates existing repositories to latest versions
+- Skips missing directories gracefully
+- Provides summary of update status
+
+### Customization
+Edit scripts as needed to:
+- Add new repository sources
+- Change clone depth or branch targets
+- Modify update behavior
+- Handle special cases
+
+## 📊 Notes
+
+- Number of upstream repositories and size vary over time.
+
+## 🤝 Team Usage
+
+### For Developers
+1. Use `./UpstreamVendor-Clone.sh` on first setup
+2. Run `./UpstreamVendor-Update.sh` weekly or before new package work
+3. Always work in the containerized environment
+4. Never commit workspace contents to git
+
+### For DevOps
+1. Monitor disk space usage of workspace
+2. Ensure container environment has access to workspace
+3. Backup workspace if needed for disaster recovery
+4. Update scripts when adding/removing applications
+
+---
+
+**Maintained By**: KNEL/TSYS Development Team

PackagingForCloudronWorkspace/UpstreamVendor-Clone.sh

@@ -0,0 +1,229 @@
+#!/bin/bash
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+
+export GIT_REPO_LIST
+GIT_REPO_LIST=(
+
+####################
+# Vp techops stuff
+####################
+
+#https://projects.knownelement.com/issues/179
+https://github.com/apache/apisix.git
+
+#https://projects.knownelement.com/issues/204
+https://github.com/target/goalert.git
+
+#https://projects.knownelement.com/issues/189
+https://github.com/consuldemocracy/consuldemocracy.git
+
+#https://projects.knownelement.com/issues/195
+https://github.com/fleetdm/fleet.git
+
+#https://projects.knownelement.com/issues/227
+https://github.com/fonoster/fonoster.git
+
+#https://projects.knownelement.com/issues/192
+https://github.com/healthchecks/healthchecks.git
+
+#https://projects.knownelement.com/issues/209
+https://github.com/juspay/hyperswitch
+
+#https://projects.knownelement.com/issues/201
+https://github.com/netbox-community/netbox-docker.git
+
+# https://projects.knownelement.com/issues/205 
+https://github.com/openboxes/openboxes-docker.git
+
+#https://projects.knownelement.com/issues/316
+https://github.com/openfiletax/openfile.git
+
+#https://projects.knownelement.com/issues/211
+https://github.com/GemGeorge/SniperPhish-Docker.git
+
+#https://projects.knownelement.com/issues/309
+https://github.com/datahub-project/datahub.git
+
+#https://projects.knownelement.com/issues/54
+https://github.com/wiredlush/easy-gate.git
+
+#https://projects.knownelement.com/issues/208
+https://github.com/Payroll-Engine/PayrollEngine.git
+
+#https://projects.knownelement.com/issues/194
+https://github.com/huginn/huginn.git
+
+#https://projects.knownelement.com/issues/191
+https://github.com/gristlabs/grist-core
+
+#https://projects.knownelement.com/issues/277
+https://github.com/jhpyle/docassemble.git
+
+#https://projects.knownelement.com/issues/273
+https://github.com/kazhuravlev/database-gateway.git
+
+#https://projects.knownelement.com/issues/217
+https://github.com/rundeck/rundeck.git
+
+#https://projects.knownelement.com/issues/222
+https://github.com/SchedMD/slurm.git
+https://github.com/giovtorres/slurm-docker-cluster.git
+
+#https://projects.knownelement.com/issues/225
+https://github.com/rathole-org/rathole.git
+
+#https://projects.knownelement.com/issues/234
+https://github.com/jenkinsci/jenkins.git
+
+#https://projects.knownelement.com/issues/322
+https://github.com/runmedev/runme.git
+
+#https://projects.knownelement.com/issues/301
+https://github.com/apache/seatunnel
+
+#https://projects.knownelement.com/issues/271
+https://github.com/thecatlady/docker-webhook
+
+####################
+# CTO Stuff
+####################
+
+#https://projects.knownelement.com/issues/173
+https://github.com/inventree/InvenTree.git
+
+#https://projects.knownelement.com/issues/180
+https://github.com/Cloud-RF/tak-server
+
+#https://projects.knownelement.com/issues/178
+https://github.com/midday-ai/midday.git
+
+#https://projects.knownelement.com/issues/181
+https://github.com/killbill/killbill.git
+
+#https://projects.knownelement.com/issues/184
+https://github.com/chirpstack/chirpstack.git
+
+#https://projects.knownelement.com/issues/185
+https://github.com/CraigChat/craig.git
+
+#https://projects.knownelement.com/issues/188
+https://github.com/elabftw/elabftw.git
+
+#https://projects.knownelement.com/issues/196
+https://github.com/jamovi/jamovi.git
+
+#https://projects.knownelement.com/issues/197
+https://github.com/INTI-CMNB/KiBot.git
+
+#https://projects.knownelement.com/issues/214
+https://github.com/Resgrid/Core
+
+#https://projects.knownelement.com/issues/216
+https://github.com/reviewboard/reviewboard.git
+
+#https://projects.knownelement.com/issues/218
+https://gitlab.com/librespacefoundation/satnogs/docker-kaitai.git
+https://gitlab.com/librespacefoundation/satnogs/docker-satnogs-webgui.git
+
+#https://projects.knownelement.com/issues/219
+https://github.com/f4exb/sdrangel-docker
+
+#https://projects.knownelement.com/issues/221
+https://github.com/SigNoz/signoz.git
+
+#https://projects.knownelement.com/issues/228
+https://github.com/sebo-b/warp.git
+
+#https://projects.knownelement.com/issues/272
+https://github.com/jgraph/docker-drawio
+
+#https://projects.knownelement.com/issues/274
+https://github.com/openblocks-dev/openblocks.git
+
+#https://projects.knownelement.com/issues/276
+https://github.com/wireviz/wireviz-web.git
+
+#https://projects.knownelement.com/issues/278
+https://github.com/opulo-inc/autobom.git
+
+#https://projects.knownelement.com/issues/279
+https://github.com/PLMore/PLMore
+
+#https://projects.knownelement.com/issues/282
+https://github.com/manyfold3d/manyfold.git
+
+#https://projects.knownelement.com/issues/283
+https://github.com/langfuse/oss-llmops-stack.git
+
+#https://projects.knownelement.com/issues/286
+https://github.com/HeyPuter/puter.git
+
+#https://projects.knownelement.com/issues/285
+https://github.com/windmill-labs/windmill.git
+
+#https://projects.knownelement.com/issues/326
+https://github.com/sbabic/swupdate.git
+
+#https://projects.knownelement.com/issues/300
+https://github.com/mendersoftware/mender-server.git
+
+#https://projects.knownelement.com/issues/50
+https://github.com/vanila-io/wireflow.git
+
+#https://projects.knownelement.com/issues/226
+https://github.com/nautechsystems/nautilus_trader.git
+
+#TBD
+https://github.com/funmusicplace/mirlo.git
+
+)
+
+WORKDIR="$(cd "$(dirname "$0")" && pwd)"
+TARGET_DIR="${WORKDIR}/Docker"
+mkdir -p "$TARGET_DIR"
+
+# If REPOS.txt exists, read additional repos (lines; ignore # and blanks)
+EXTRA_REPOS_FILE="${WORKDIR}/REPOS.txt"
+if [[ -f "$EXTRA_REPOS_FILE" ]]; then
+  mapfile -t EXTRA_REPOS < <(sed -e 's/#.*$//' -e '/^\s*$/d' "$EXTRA_REPOS_FILE")
+else
+  EXTRA_REPOS=()
+fi
+
+ALL_REPOS=("${GIT_REPO_LIST[@]}" "${EXTRA_REPOS[@]}")
+
+echo "Cloning to: $TARGET_DIR"
+printf ' - %s\n' "${ALL_REPOS[@]}"
+
+cd "$TARGET_DIR"
+
+# Parallel clones (default 4 jobs). Avoid failing the whole script on single failures.
+JOBS="${JOBS:-4}"
+printf '%s\n' "${ALL_REPOS[@]}" | xargs -n1 -P "$JOBS" -I{} bash -lc 'repo="{}"; name=$(basename -s .git "$repo"); if [[ -d "$name/.git" ]]; then echo "exists: $name"; else git clone --depth 1 "$repo" "$name" || echo "failed: $repo"; fi'

PackagingForCloudronWorkspace/UpstreamVendor-Update.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+
+export PS4='(${BASH_SOURCE}:${LINENO}): - [${SHLVL},${BASH_SUBSHELL},$?] $ '
+
+function error_out()
+{
+        echo "Bailing out. See above for reason...."
+        exit 1
+}
+
+function handle_failure() {
+  local lineno=$1
+  local fn=$2
+  local exitstatus=$3
+  local msg=$4
+  local lineno_fns=${0% 0}
+  if [[ "$lineno_fns" != "-1" ]] ; then
+    lineno="${lineno} ${lineno_fns}"
+  fi
+  echo "${BASH_SOURCE[0]}: Function: ${fn} Line Number : [${lineno}] Failed with status ${exitstatus}: $msg"
+}
+
+trap 'handle_failure "${BASH_LINENO[*]}" "$LINENO" "${FUNCNAME[*]:-script}" "$?" "$BASH_COMMAND"' ERR
+
+set -o errexit
+set -o nounset
+set -o pipefail
+set -o functrace
+
+WORKDIR="$(cd "$(dirname "$0")" && pwd)"
+TARGET_DIR="${WORKDIR}/Docker"
+
+cd "$TARGET_DIR"
+
+# Iterate only over directories that are git repos
+while IFS= read -r -d '' repo_dir; do
+  echo "Updating: ${repo_dir}"
+  pushd "$repo_dir" >/dev/null
+  if [[ -d .git ]]; then
+    git -c advice.detachedHead=false fetch --all --prune || true
+    # Fast-forward only to avoid unintended merges
+    git -c advice.detachedHead=false pull --ff-only || true
+  else
+    echo "Skipping (not a git repo): ${repo_dir}"
+  fi
+  popd >/dev/null
+done < <(find . -mindepth 1 -maxdepth 1 -type d -print0)

README.md

@@ -1,13 +1,117 @@
-# TSYS Production docker compose files
+# KNEL Production Containers (Streamlined)
 
-Docker compose files for everything running on cosmos/coolify (that isn't from the marketplace)
+Single-branch, streamlined repository for container work at KNEL. The focus is Cloudron app packaging and a small set of non‑Cloudron artifacts. All work happens directly on `main`.
 
-Anything that is in HEAD is considered in flux. Only use compose files from versioned tags. 
+## Layout
 
-No support is offered for anything in this repository. It’s provided as a service to the community. 
+- `CloudronPackages/`
+  - Empty scaffold for Cloudron app packages. Create a subfolder per app and add your packaging files there.
+  - Tracked with `.gitkeep` so the directory exists in a clean repo.
+- `PackagingForCloudronWorkspace/`
+  - Helper scripts and a workspace for interacting with upstream sources.
+  - Subfolders `Docker/` and `NonDocker/` are ignored by git (see `.gitignore`).
+  - Scripts: `UpstreamVendor-Clone.sh`, `UpstreamVendor-Update.sh`.
+- `NonCloudron/`
+  - Non‑Cloudron experiments and orchestration notes.
+- `.gitignore`, `LICENSE`, `README.md`
 
-## Repo issue
-https://projects.knownelement.com/project/reachableceo-vptechnicaloperations/timeline
+## Workflow (single branch)
 
-## Repo Discussion
-https://community.turnsys.com/c/chiefoperationsandfinanceofficer/vptechnicaloperations/20
+- Branching: use only `main`.
+- Commit small, focused changes; push directly to `origin/main`.
+- No integration/feature branch dance; avoid long‑lived branches.
+
+## No Host Pollution (containers only)
+
+- Host requirements: `docker`, `git` (and optionally `tea`). Nothing else.
+- All packaging work runs inside the packaging container. Do not install build tools on the host.
+- Use the scripts provided:
+  - `scripts/packaging-up.sh` – build/run the packaging container (mounts repo, docker socket)
+  - `scripts/packaging-enter.sh` – open a shell inside the container
+  - `scripts/packaging-exec.sh <cmd>` – run a command inside the container
+  - `scripts/workspace-clone.sh` – run upstream clone inside the container
+  - `scripts/workspace-update.sh` – run upstream update inside the container
+
+The container image includes Docker CLI and Cloudron CLI, and accesses the host Docker via `/var/run/docker.sock`.
+
+Quick start:
+```
+# Start container
+scripts/packaging-up.sh
+
+# Enter container shell
+scripts/packaging-enter.sh
+
+# Clone upstreams inside container
+scripts/workspace-clone.sh
+```
+
+## Add a new Cloudron package
+
+1) Create the package folder
+- `mkdir -p CloudronPackages/<AppName>`
+
+2) Add the required files
+- `CloudronManifest.json` – app metadata and addon requirements
+- `Dockerfile` – image build instructions (use cloudron/base as appropriate)
+- `start.sh` – container entry script
+- Optional: `nginx.conf`, `supervisord.conf`, `config.yaml`, `logo.png`, build notes
+
+3) Build/test locally (example)
+- `docker build -t <app>:dev CloudronPackages/<AppName>`
+- `docker run --rm -p 8080:8080 <app>:dev`
+
+4) Commit and push
+- `git add CloudronPackages/<AppName>/`
+- `git commit -m "feat(<app>): initial Cloudron package"`
+- `git push origin main`
+
+## Packaging workspace tips
+
+- The workspace under `PackagingForCloudronWorkspace/` is for local convenience and upstream sync.
+- `Docker/` and `NonDocker/` inside that directory are intentionally gitignored to keep the repo slim.
+- Keep scripts and minimal config tracked; keep large clones and build outputs out of git.
+
+## Notes
+
+- This repo was reset to a simplified structure; historical multi‑branch workflows and extensive docs were removed to reduce friction.
+- If you need legacy materials, refer to your local history/tags or the remote history prior to this cleanup.
+
+### For KNEL Team Members
+1. Review [PLAN.md](PLAN.md) for current priorities
+2. Check [TASKS.md](TASKS.md) for available applications
+3. Follow the packaging workflow above
+4. Update documentation as you work
+5. Create feature branches for each application
+
+### Code Review Checklist
+- [ ] Dockerfile follows Cloudron conventions
+- [ ] All required files present and properly configured
+- [ ] Health checks implemented
+- [ ] Logging configured to stdout/stderr
+- [ ] Security best practices followed
+- [ ] Documentation updated
+- [ ] Build notes include testing steps
+
+## 🐛 Troubleshooting
+
+### Common Issues
+- **Container won't start**: Check logs with `cloudron logs --app [appname]`
+- **Database connection fails**: Verify addon environment variables
+- **Static files not served**: Check nginx configuration and file permissions
+- **Health check fails**: Verify health check endpoint returns 200 OK
+
+### Getting Help
+- Check build notes in `CloudronPackages/[AppName]/`
+- Review Cloudron documentation
+- Examine working examples (EasyGate, InvenTree)
+- Use `cloudron debug --app [appname]` for interactive debugging
+
+## 📝 License
+
+See [LICENSE](LICENSE) file for details.
+
+---
+
+**Last Updated**: 2025-01-04  
+**Maintainers**: KNEL/TSYS Development Team

coolify/serverless/serverless.md

@@ -1 +0,0 @@
-Serverless notes 

cosmos/apigw/apigw.md

@@ -1,2 +0,0 @@
-API gateway notes 
-

cosmos/boinc/docker-compose.yml

@@ -1,3 +0,0 @@
-# boinc docker compose for tsys
-
-# https://boinc.berkeley.edu/trac/wiki/BoincDocker

cosmos/certmgr/docker-compose.yml

@@ -1,3 +0,0 @@
-#certmgr docker compose for tsys
-
-#git subtree add --prefix upstream/cloudflare-certmgr https://github.com/cloudflare/certmgr.git master --squash

cosmos/cfssl/docker-compose.yml

@@ -1,3 +0,0 @@
-#cfssl docker compose for tsys
-
-#git subtree add --prefix upstream/cloudflare-cfssl  https://github.com/rjrivero/docker-cfssl.git master --squash

cosmos/cloudDevENv/CloudDev.mf

@@ -1,18 +0,0 @@
-# Cloud dev at tsys 
-
-## Desired architecute
-
-(essentially the lap.dev architecure)
-
-- control plane running as a web app on cosmos 
-- agent that spins up ephermeral containers on runner hosts
-
-
-## Contenders 
-
-- strong.network
-- lap.dev (dont like that it only supports github/gitlab oautg) (also that it doesnt appear to be dockerized)
-
-## Links 
-
-- https://github.com/strong-network/images

cosmos/easy-gate/docker-compose.yml

@@ -1,10 +0,0 @@
-version: '3.3'
-services:
-    easy-gate:
-        container_name: easy-gate
-        ports:
-            - '1002:8080'
-        volumes:
-            - '/docker/ConHost/Overhead/easy-gate/easy-gate.json:/etc/easy-gate/easy-gate.json'
-        restart: unless-stopped
-        image: r7wx/easy-gate

cosmos/easy-gate/easy-gate.json

@@ -1,167 +0,0 @@
-{
-    "addr": "0.0.0.0:1001",
-    "use_tls": false,
-    "cert_file": "",
-    "key_file": "",
-    "behind_proxy": true,
-    "title": "TSYS Global IT Dashboard",
-    "icon": "fa-solid fa-cubes",
-    "motd": "TSYS Global IT Dashboard - Brought to you by Known Element Enterprises",
-    "theme": {
-        "background": "#FFFFFF",
-        "foreground": "#000000"
-    },
-    "groups": [
-        {
-            "name": "internal",
-            "subnet": "10.251.0.0/16"
-        },
-        {
-            "name": "vpn",
-            "subnet": "10.49.1.0/24"
-        }
-    ],
-    "services": [
-        {
-            "icon": "fa-brands fa-git-square",
-            "name": "Git",
-            "url": "https://git.knownelement.com",
-            "groups": [
-                "internal,vpn"
-            ]
-        },
-        {
-            "icon": "fa-brands fa-docker",
-            "name": "Portainer",
-            "url": "https://portainer.knownelement.com",
-            "groups": [
-                "internal,vpn"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-folder-open",
-            "name": "Files",
-            "url": "https://files.example.internal",
-            "groups": [
-                "internal"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-box-archive",
-            "name": "Archive",
-            "url": "https://archive.example.internal",
-            "groups": [
-                "internal"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-chart-line",
-            "name": "Kibana",
-            "url": "https://kibana.example.internal",
-            "groups": [
-                "internal"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-download",
-            "name": "Transmission",
-            "url": "https://transmission.example.internal",
-            "groups": [
-                "internal"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-bookmark",
-            "name": "Bookmarks",
-            "url": "https://bookmarks.example.internal",
-            "groups": [
-                "internal"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-book",
-            "name": "Calibre",
-            "url": "https://calibre.example.internal",
-            "groups": [
-                "internal"
-            ]
-        },
-        {
-            "icon": "fa-solid fa-comment",
-            "name": "Webchat",
-            "url": "https://chat.example.internal",
-            "groups": []
-        },
-        {
-            "icon": "fa-solid fa-cloud",
-            "name": "Owncloud",
-            "url": "https://owncloud.example.internal",
-            "groups": [
-                "internal",
-                "vpn"
-            ]
-        },
-        {
-            "icon": "fa-brands fa-wikipedia-w",
-            "name": "Wiki",
-            "url": "https://wiki.example.internal",
-            "groups": [
-                "internal",
-                "vpn"
-            ]
-        },
-        {
-            "icon": "fa-brands fa-mastodon",
-            "name": "Mastodon",
-            "url": "https://mastodon.example.internal",
-            "groups": [
-                "internal",
-                "vpn"
-            ]
-        },
-        {
-            "icon": "fa-brands fa-google",
-            "name": "Google",
-            "url": "https://www.google.com",
-            "groups": []
-        },
-        {
-            "icon": "fa-brands fa-youtube",
-            "name": "Youtube",
-            "url": "https://www.youtube.com",
-            "groups": []
-        },
-        {
-            "icon": "fa-brands fa-stack-overflow",
-            "name": "Stackoverflow",
-            "url": "https://stackoverflow.com",
-            "groups": []
-        }
-    ],
-    "notes": [
-        {
-            "name": "Simple note",
-            "text": "This is a simple note for vpn users",
-            "groups": [
-                "vpn"
-            ]
-        },
-        {
-            "name": "Global note",
-            "text": "This note will be visible to everyone",
-            "groups": []
-        },
-        {
-            "name": "How to use our internal services",
-            "text": "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Donec nec arcu purus. Maecenas ut erat ut tellus vulputate pellentesque sit amet quis metus. Praesent sollicitudin ultricies leo. Sed ornare libero non vehicula cursus. Aliquam vulputate pulvinar elit, sit amet tempus justo condimentum in. Orci varius natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus",
-            "groups": []
-        },
-        {
-            "name": "Another note",
-            "text": "Another note for internal network users only",
-            "groups": [
-                "internal"
-            ]
-        }
-    ]
-}

cosmos/elabftw/docker-compose.yml

@@ -1 +0,0 @@
-#elabftw docker compose for tsys

cosmos/grafana-oncall/docker-compose.yml

@@ -1 +0,0 @@
-# grafana oncall docker compose file for tays 

cosmos/graylog/docker-compose.yml

@@ -1 +0,0 @@
-#graylog docker compose for tsys 

cosmos/grist/docker-compose.yml

@@ -1 +0,0 @@
-#grist docker compose for tsys

cosmos/homechart/docker-compose.yml

@@ -1 +0,0 @@
-#homechart docker compose for tsys

cosmos/huginn/docker-compose.yml

@@ -1 +0,0 @@
-#huginn docker compose for tsys

cosmos/inventree/docker-compose.yml

@@ -1 +0,0 @@
-#inventree docker compose for tsys

cosmos/killbill/docker-compose.yml

@@ -1 +0,0 @@
-#killbill docker compose for tsys

cosmos/librenms/docker-compose.yml

@@ -1 +0,0 @@
-#librenms docker compose for tsys

cosmos/mailman/docker-compose.yml

@@ -1 +0,0 @@
-#mailman docker compose for tsys

cosmos/mailpile/docker-compose.yml

@@ -1 +0,0 @@
-#mailpile docker compose for tsys

cosmos/netdata/docker-compose.yml

@@ -1 +0,0 @@
-#netdata server docker compose for tsys

cosmos/opensearch/docker-compose.yml

@@ -1 +0,0 @@
-#opensearch docker compose file for tsys

cosmos/openvas/docker-compose.yml

@@ -1,236 +0,0 @@
-#openvas docker compose for tsys
-
-#git subtree add --prefix upstream/openvas https://github.com/mikesplain/openvas-docker.git  master --squash
-
-#        greenbone/vulnerability-tests \
-#        greenbone/notus-data \
-#        greenbone/scap-data \
-#        securecompliance/gvm:debian-master-data-full \
-#        securecompliance/gvm:debian-master-data \
-#        securecompliance/gvm:debian-master-full \
-#        securecompliance/gvm:debian-master \
-
-services:
-  vulnerability-tests:
-    image: registry.community.greenbone.net/community/vulnerability-tests
-    environment:
-      STORAGE_PATH: /var/lib/openvas/22.04/vt-data/nasl
-    volumes:
-      - vt_data_vol:/mnt
-
-  notus-data:
-    image: registry.community.greenbone.net/community/notus-data
-    volumes:
-      - notus_data_vol:/mnt
-
-  scap-data:
-    image: registry.community.greenbone.net/community/scap-data
-    volumes:
-      - scap_data_vol:/mnt
-
-  cert-bund-data:
-    image: registry.community.greenbone.net/community/cert-bund-data
-    volumes:
-      - cert_data_vol:/mnt
-
-  dfn-cert-data:
-    image: registry.community.greenbone.net/community/dfn-cert-data
-    volumes:
-      - cert_data_vol:/mnt
-    depends_on:
-      - cert-bund-data
-
-  data-objects:
-    image: registry.community.greenbone.net/community/data-objects
-    volumes:
-      - data_objects_vol:/mnt
-
-  report-formats:
-    image: registry.community.greenbone.net/community/report-formats
-    volumes:
-      - data_objects_vol:/mnt
-    depends_on:
-      - data-objects
-
-  gpg-data:
-    image: registry.community.greenbone.net/community/gpg-data
-    volumes:
-      - gpg_data_vol:/mnt
-
-  redis-server:
-    image: registry.community.greenbone.net/community/redis-server
-    restart: on-failure
-    volumes:
-      - redis_socket_vol:/run/redis/
-
-  pg-gvm:
-    image: registry.community.greenbone.net/community/pg-gvm:stable
-    restart: on-failure
-    volumes:
-      - psql_data_vol:/var/lib/postgresql
-      - psql_socket_vol:/var/run/postgresql
-
-  gvmd:
-    image: registry.community.greenbone.net/community/gvmd:stable
-    restart: on-failure
-    volumes:
-      - gvmd_data_vol:/var/lib/gvm
-      - scap_data_vol:/var/lib/gvm/scap-data/
-      - cert_data_vol:/var/lib/gvm/cert-data
-      - data_objects_vol:/var/lib/gvm/data-objects/gvmd
-      - vt_data_vol:/var/lib/openvas/plugins
-      - psql_data_vol:/var/lib/postgresql
-      - gvmd_socket_vol:/run/gvmd
-      - ospd_openvas_socket_vol:/run/ospd
-      - psql_socket_vol:/var/run/postgresql
-    depends_on:
-      pg-gvm:
-        condition: service_started
-      scap-data:
-        condition: service_completed_successfully
-      cert-bund-data:
-        condition: service_completed_successfully
-      dfn-cert-data:
-        condition: service_completed_successfully
-      data-objects:
-        condition: service_completed_successfully
-      report-formats:
-        condition: service_completed_successfully
-
-  gsa:
-    image: registry.community.greenbone.net/community/gsa:stable
-    restart: on-failure
-    ports:
-      - 127.0.0.1:9392:80
-    volumes:
-      - gvmd_socket_vol:/run/gvmd
-    depends_on:
-      - gvmd
-  # Sets log level of openvas to the set LOG_LEVEL within the env
-  # and changes log output to /var/log/openvas instead /var/log/gvm
-  # to reduce likelyhood of unwanted log interferences
-  configure-openvas:
-    image: registry.community.greenbone.net/community/openvas-scanner:stable
-    volumes:
-      - openvas_data_vol:/mnt
-      - openvas_log_data_vol:/var/log/openvas
-    command:
-      - /bin/sh
-      - -c
-      - |
-        printf "table_driven_lsc = yes\nopenvasd_server = http://openvasd:80\n" > /mnt/openvas.conf
-        sed "s/127/128/" /etc/openvas/openvas_log.conf | sed 's/gvm/openvas/' > /mnt/openvas_log.conf
-        chmod 644 /mnt/openvas.conf
-        chmod 644 /mnt/openvas_log.conf
-        touch /var/log/openvas/openvas.log
-        chmod 666 /var/log/openvas/openvas.log
-
-  # shows logs of openvas
-  openvas:
-    image: registry.community.greenbone.net/community/openvas-scanner:stable
-    restart: on-failure
-    volumes:
-      - openvas_data_vol:/etc/openvas
-      - openvas_log_data_vol:/var/log/openvas
-    command:
-      - /bin/sh
-      - -c
-      - |
-        cat /etc/openvas/openvas.conf
-        tail -f /var/log/openvas/openvas.log
-    depends_on:
-      configure-openvas:
-        condition: service_completed_successfully
-
-  openvasd:
-    image: registry.community.greenbone.net/community/openvas-scanner:stable
-    restart: on-failure
-    environment:
-      # `service_notus` is set to disable everything but notus,
-      # if you want to utilize openvasd directly removed `OPENVASD_MODE`
-      OPENVASD_MODE: service_notus
-      GNUPGHOME: /etc/openvas/gnupg
-      LISTENING: 0.0.0.0:80
-    volumes:
-      - openvas_data_vol:/etc/openvas
-      - openvas_log_data_vol:/var/log/openvas
-      - gpg_data_vol:/etc/openvas/gnupg
-      - notus_data_vol:/var/lib/notus
-    # enable port forwarding when you want to use the http api from your host machine
-    # ports:
-    #   - 127.0.0.1:3000:80
-    depends_on:
-      vulnerability-tests:
-        condition: service_completed_successfully
-      configure-openvas:
-        condition: service_completed_successfully
-      gpg-data:
-        condition: service_completed_successfully
-    networks:
-      default:
-        aliases:
-          - openvasd
-
-  ospd-openvas:
-    image: registry.community.greenbone.net/community/ospd-openvas:stable
-    restart: on-failure
-    hostname: ospd-openvas.local
-    cap_add:
-      - NET_ADMIN # for capturing packages in promiscuous mode
-      - NET_RAW # for raw sockets e.g. used for the boreas alive detection
-    security_opt:
-      - seccomp=unconfined
-      - apparmor=unconfined
-    command:
-      [
-        "ospd-openvas",
-        "-f",
-        "--config",
-        "/etc/gvm/ospd-openvas.conf",
-        "--notus-feed-dir",
-        "/var/lib/notus/advisories",
-        "-m",
-        "666"
-      ]
-    volumes:
-      - gpg_data_vol:/etc/openvas/gnupg
-      - vt_data_vol:/var/lib/openvas/plugins
-      - notus_data_vol:/var/lib/notus
-      - ospd_openvas_socket_vol:/run/ospd
-      - redis_socket_vol:/run/redis/
-      - openvas_data_vol:/etc/openvas/
-      - openvas_log_data_vol:/var/log/openvas
-    depends_on:
-      redis-server:
-        condition: service_started
-      gpg-data:
-        condition: service_completed_successfully
-      vulnerability-tests:
-        condition: service_completed_successfully
-      configure-openvas:
-        condition: service_completed_successfully
-
-  gvm-tools:
-    image: registry.community.greenbone.net/community/gvm-tools
-    volumes:
-      - gvmd_socket_vol:/run/gvmd
-      - ospd_openvas_socket_vol:/run/ospd
-    depends_on:
-      - gvmd
-      - ospd-openvas
-
-volumes:
-  gpg_data_vol:
-  scap_data_vol:
-  cert_data_vol:
-  data_objects_vol:
-  gvmd_data_vol:
-  psql_data_vol:
-  vt_data_vol:
-  notus_data_vol:
-  psql_socket_vol:
-  gvmd_socket_vol:
-  ospd_openvas_socket_vol:
-  redis_socket_vol:
-  openvas_data_vol:
-  openvas_log_data_vol:

cosmos/pihole/docker-compose.yml

@@ -1 +0,0 @@
-#pihole docker compose for tsys

cosmos/reactive-resume/docker-compose.yml

@@ -1,113 +0,0 @@
-# In this Docker Compose example, it assumes that you maintain a reverse proxy externally (or chose not to).
-# The only two exposed ports here are from minio (:9000) and the app itself (:3000).
-# If these ports are changed, ensure that the env vars passed to the app are also changed accordingly.
-
-services:
-  # Database (Postgres)
-  reactiveresume-postgres:
-    image: postgres:16-alpine
-    restart: unless-stopped
-    container_name: reactiveresume-postgres
-    volumes:
-      - reactiveresume-postgres_data:/var/lib/postgresql/data
-    environment:
-      POSTGRES_DB: postgres
-      POSTGRES_USER: postgres
-      POSTGRES_PASSWORD: postgres
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
-      interval: 10s
-      timeout: 5s
-      retries: 5
-
-  # Storage (for image uploads)
-  reactiveresume-minio:
-    image: minio/minio
-    restart: unless-stopped
-    container_name: reactiveresume-minio
-    command: server /data
-    ports:
-      - "1000:9000"
-    volumes:
-      - reactiveresume-minio_data:/data
-    environment:
-      MINIO_ROOT_USER: minioadmin
-      MINIO_ROOT_PASSWORD: minioadmin
-
-  # Chrome Browser (for printing and previews)
-  reactiveresume-chrome:
-    image: ghcr.io/browserless/chromium:latest
-    restart: unless-stopped
-    container_name: reactiveresume-chrome
-    environment:
-      TIMEOUT: 10000
-      CONCURRENT: 10
-      TOKEN: chrome_token
-      EXIT_ON_HEALTH_FAILURE: true
-      PRE_REQUEST_HEALTH_CHECK: true
-
-  reactiveresume-app:
-    image: amruthpillai/reactive-resume:latest
-    restart: unless-stopped
-    container_name: reactiveresume-app
-    ports:
-      - "1001:3000"
-    depends_on:
-      - reactiveresume-postgres
-      - reactiveresume-minio
-      - reactiveresume-chrome
-    environment:
-      # -- Environment Variables --
-      PORT: 1001
-      NODE_ENV: production
-
-      # -- URLs --
-      PUBLIC_URL: http://localhost:1001
-      STORAGE_URL: http://localhost:1000/default
-
-      # -- Printer (Chrome) --
-      CHROME_TOKEN: chrome_token
-      CHROME_URL: ws://reactiveresume-chrome:1001
-
-      # -- Database (Postgres) --
-      DATABASE_URL: postgresql://postgres:postgres@reactiveresume-postgres:5432/postgres
-
-      # -- Auth --
-      ACCESS_TOKEN_SECRET: access_token_secret
-      REFRESH_TOKEN_SECRET: refresh_token_secret
-
-      # -- Emails --
-      MAIL_FROM: noreply@localhost
-      # SMTP_URL: smtp://user:pass@smtp:587 # Optional
-
-      # -- Storage (Minio) --
-      STORAGE_ENDPOINT: reactiveresume-minio
-      STORAGE_PORT: 1000
-      STORAGE_REGION: us-east-1 # Optional
-      STORAGE_BUCKET: default
-      STORAGE_ACCESS_KEY: minioadmin
-      STORAGE_SECRET_KEY: minioadmin
-      STORAGE_USE_SSL: false
-      STORAGE_SKIP_BUCKET_CHECK: false
-
-      # -- Crowdin (Optional) --
-      # CROWDIN_PROJECT_ID:
-      # CROWDIN_PERSONAL_TOKEN:
-
-      # -- Email (Optional) --
-      # DISABLE_SIGNUPS: false
-      # DISABLE_EMAIL_AUTH: false
-
-      # -- GitHub (Optional) --
-      # GITHUB_CLIENT_ID: github_client_id
-      # GITHUB_CLIENT_SECRET: github_client_secret
-      # GITHUB_CALLBACK_URL: http://localhost:3000/api/auth/github/callback
-
-      # -- Google (Optional) --
-      # GOOGLE_CLIENT_ID: google_client_id
-      # GOOGLE_CLIENT_SECRET: google_client_secret
-      # GOOGLE_CALLBACK_URL: http://localhost:3000/api/auth/google/callback
-
-volumes:
-  reactiveresume-minio_data:
-  reactiveresume-postgres_data:

cosmos/reviewboard/docker-compose.yml

@@ -1 +0,0 @@
-#reviewboard docker compose for tsys

cosmos/rundeck/docker-compose.yml

@@ -1 +0,0 @@
-#rundeck docker compose for tsys

cosmos/signoz/docker-compose.yml

@@ -1 +0,0 @@
-#signoz docker compose for tsys

cosmos/slurm/docker-compose.yml

@@ -1,3 +0,0 @@
-#slurm docker compose for tsys 
-
-# https://github.com/giovtorres/slurm-docker-cluster

cosmos/watchtower/docker-compose.yml

@@ -1 +0,0 @@
-#watchtower docker compose for tsys

docker/packaging/Dockerfile

@@ -0,0 +1,17 @@
+FROM docker:26-cli
+
+# Install tools needed for Cloudron packaging inside the container
+RUN apk add --no-cache \
+    bash git curl jq \
+    build-base \
+    nodejs npm \
+    openssh-client
+
+# Cloudron CLI (used for packaging commands)
+RUN npm i -g cloudron
+
+WORKDIR /workspace
+
+# Default command keeps the container running
+CMD ["sh", "-lc", "tail -f /dev/null"]
+

scripts/new-package.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+usage() {
+  cat <<'EOF'
+Usage: scripts/new-package.sh <AppName> [--id <com.example.app>] [--title <Title>] [--port <port>]
+
+Creates CloudronPackages/<AppName> from PackageTemplate and replaces placeholders:
+  __APP_ID__, __APP_TITLE__, __HTTP_PORT__
+
+Examples:
+  scripts/new-package.sh MyApp --id com.example.myapp --title "My App" --port 3000
+EOF
+}
+
+if [[ $# -lt 1 ]]; then
+  usage; exit 1
+fi
+
+APP_NAME="$1"; shift
+APP_ID="com.example.${APP_NAME,,}"
+APP_TITLE="$APP_NAME"
+HTTP_PORT="3000"
+BASE_TAG="5.0.0"
+
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --id) APP_ID="$2"; shift 2;;
+    --title) APP_TITLE="$2"; shift 2;;
+    --port) HTTP_PORT="$2"; shift 2;;
+    --base) BASE_TAG="$2"; shift 2;;
+    -h|--help) usage; exit 0;;
+    *) echo "Unknown argument: $1"; usage; exit 1;;
+  esac
+done
+
+SRC_DIR="CloudronPackages/PackageTemplate"
+DEST_DIR="CloudronPackages/${APP_NAME}"
+
+[[ -d "$SRC_DIR" ]] || { echo "Template not found: $SRC_DIR"; exit 1; }
+[[ -e "$DEST_DIR" ]] && { echo "Destination already exists: $DEST_DIR"; exit 1; }
+
+mkdir -p "$DEST_DIR"
+cp -a "$SRC_DIR"/. "$DEST_DIR"/
+
+# Replace placeholders in text files
+find "$DEST_DIR" -type f \( -name "*" ! -name "*.png" \) -print0 | while IFS= read -r -d '' f; do
+  sed -i "s#__APP_ID__#${APP_ID}#g" "$f"
+  sed -i "s#__APP_TITLE__#${APP_TITLE}#g" "$f"
+  sed -i "s#__HTTP_PORT__#${HTTP_PORT}#g" "$f"
+  sed -i "s#__CLOUDRON_BASE__#${BASE_TAG}#g" "$f"
+done
+
+echo "Created package at: $DEST_DIR"
+echo "Next steps: edit Dockerfile and start.sh to run your app. Add logo.png if desired."

scripts/packaging-enter.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+set -euo pipefail
+NAME=${PACKAGING_CONTAINER_NAME:-tsys-cloudron-packaging}
+
+if ! docker ps --format '{{.Names}}' | grep -qx "$NAME"; then
+  scripts/packaging-up.sh >/dev/null
+fi
+
+exec docker exec -it "$NAME" bash
+

scripts/packaging-exec.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+set -euo pipefail
+NAME=${PACKAGING_CONTAINER_NAME:-tsys-cloudron-packaging}
+
+if [[ $# -lt 1 ]]; then
+  echo "Usage: scripts/packaging-exec.sh <command...>" >&2
+  exit 1
+fi
+
+if ! docker ps --format '{{.Names}}' | grep -qx "$NAME"; then
+  scripts/packaging-up.sh >/dev/null
+fi
+
+exec docker exec -it "$NAME" sh -lc "$*"
+

scripts/packaging-up.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+NAME=${PACKAGING_CONTAINER_NAME:-tsys-cloudron-packaging}
+IMAGE=${PACKAGING_IMAGE:-knel/packaging:latest}
+DOCKERFILE=${PACKAGING_DOCKERFILE:-docker/packaging/Dockerfile}
+
+if ! docker image inspect "$IMAGE" >/dev/null 2>&1; then
+  echo "Building packaging image: $IMAGE"
+  docker build -t "$IMAGE" -f "$DOCKERFILE" .
+fi
+
+if ! docker ps -a --format '{{.Names}}' | grep -qx "$NAME"; then
+  echo "Creating container: $NAME"
+  docker run -d \
+    --name "$NAME" \
+    -v "$PWD":/workspace \
+    -w /workspace \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    "$IMAGE"
+else
+  # Ensure it is running
+  if ! docker ps --format '{{.Names}}' | grep -qx "$NAME"; then
+    echo "Starting container: $NAME"
+    docker start "$NAME"
+  fi
+fi
+
+echo "Packaging container ready: $NAME (image: $IMAGE)"
+

scripts/workspace-clone.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Run the clone script inside the packaging container
+scripts/packaging-exec.sh "cd PackagingForCloudronWorkspace && chmod +x *.sh && ./UpstreamVendor-Clone.sh"
+

scripts/workspace-update.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Run the update script inside the packaging container
+scripts/packaging-exec.sh "cd PackagingForCloudronWorkspace && chmod +x *.sh && ./UpstreamVendor-Update.sh"
+