EGroupware 26 Collaboration Suite on Ubuntu 24.04 on Azure User Guide
Overview
EGroupware is a mature open source collaboration and groupware suite used by businesses, public sector bodies, schools and non profit organisations to run shared calendars, contacts, projects and documents on infrastructure they control. It brings together a group calendar with resource booking, address books, InfoLog for tasks and tickets, a versioned file manager, project manager, time sheet, wiki, bookmarks and news, all behind one sign in with fine grained per group access control. Calendars and contacts synchronise to phones, tablets and desktop clients over CalDAV and CardDAV, and the mail app connects to an IMAP server you already run. The cloudimg image ships EGroupware 26 served by Apache and PHP 8.3 on a hardened, fully patched Ubuntu 24.04 LTS base, together with a bundled local MariaDB server so the appliance is complete and useful on its own. The installer is pre completed and the setup console is locked away, so the suite is ready the moment the instance boots. The bundled MariaDB listens only on the loopback interface (127.0.0.1:3306) and keeps its data on a dedicated Azure data disk. A unique administrator password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.
What is included:
- EGroupware 26 served by Apache with PHP 8.3, managed by systemd
- A bundled MariaDB server holding the EGroupware database, already installed and ready
- The installer pre completed and the setup console locked away behind a denial, so no installer is ever exposed
- A per VM administrator password generated on first boot and recorded in a root only file
- No shipped default login: every password ships rotated to a discarded random and the real per VM values are set on first boot
- MariaDB bound to
127.0.0.1only, never exposed to the network - A dedicated Azure data disk carrying both the MariaDB database and EGroupware's file store
- An address agnostic configuration, so the suite works on the public IP, a private address or your own DNS name with nothing to reconfigure
- Host only session cookies, so sign in works whether you browse by IP or by a DNS name
apache2.serviceandmariadb.serviceas enabled systemd units- An unauthenticated
/healthzendpoint for Azure Load Balancer health probes - 24/7 cloudimg support
Prerequisites
An active Azure subscription, an SSH key pair, and a VNet plus subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a sensible starting point for a team; move up to Standard_D2s_v3 or larger for many concurrent users, large file stores or heavy calendar use. NSG inbound: allow 22/tcp from your management network, 80/tcp for the application and 443/tcp if you terminate TLS on the VM. The bundled MariaDB is never exposed: it listens on 127.0.0.1 only, so port 3306 stays off the network.
Step 1 - Deploy from the Azure Marketplace
In the Azure portal choose Create a resource, search for EGroupware 26 Collaboration Suite on Ubuntu 24.04 LTS by cloudimg, and select Create. Pick your subscription, resource group and region, choose the Standard_B2s size, select SSH public key authentication with the username azureuser, and allow inbound 22, 80 and 443. The image attaches its own 30 GiB data disk for your database and file store, so you do not need to add one.
Step 2 - Deploy from the Azure CLI
az vm create \
--resource-group <your-rg> \
--name egroupware \
--image <marketplace-image-urn> \
--size Standard_B2s \
--admin-username azureuser \
--generate-ssh-keys \
--public-ip-sku Standard
Then open ports 80 and 443:
az vm open-port --resource-group <your-rg> --name egroupware --port 80,443
Step 3 - Confirm the services are running
SSH to the VM as azureuser and confirm Apache and MariaDB are active. Note that MariaDB is bound to 127.0.0.1:3306 only, while Apache serves on port 80.
systemctl is-active apache2 mariadb
The first boot service is a one shot job rather than a long running service, so ask it for its result rather than whether it is active. It reports success once it has generated this VM's credentials:
systemctl show egroupware-firstboot --property=Result --value
It is normal and correct for systemctl is-active egroupware-firstboot to report inactive after the job has run, and especially after a reboot: the unit is guarded by a sentinel file so that it generates your credentials exactly once and never overwrites them on a later boot. Result=success is the answer that matters.
ss -tlnp | grep -E ':80 |:3306 ' | sed 's/ */ /g'

Step 4 - Retrieve the per VM administrator password
The first boot service generates an administrator password unique to your VM and writes it to a root only file. Read it over SSH:
sudo cat /root/egroupware-credentials.txt

Unlike many web applications, this image bakes no address into its configuration: EGroupware is configured with a relative web server URL, so it works unchanged on the VM's public IP, on its private address, on a DNS name, or behind a TLS terminating proxy. There is nothing to reconfigure when your address changes.
Step 5 - Sign in
Browse to http://<vm-ip>/egroupware/ and sign in with the username admin and the password from the credentials file. Browsing http://<vm-ip>/ redirects you there.

After signing in you land in the suite with the application bar across the top, a search box, and the calendar open. EGroupware may offer to start a working time entry on your first sign in; answer No or Don't ask again! if you do not use the time sheet.
Step 6 - The calendar
The calendar is EGroupware's centrepiece. It opens on the current day with a month picker, your favourites and an open ToDo panel alongside. You can switch between day, week, month and year views, book resources and meeting rooms, invite other users and see their free or busy time, and set up recurring appointments. Calendars are shared according to the access control you grant each group, and they synchronise to phones and desktop clients over CalDAV.

Step 7 - The address book
Address Book holds your shared and personal contacts, with business and home fields, organisations, distribution lists and categories. A fresh instance contains the administrator's own contact and EGroupware's internal SiteMgr record. Contacts sync to phones and desktop clients over CardDAV, and they link through to InfoLog entries, calendar events and projects.

Step 8 - InfoLog for tasks and tickets
InfoLog is EGroupware's tracker for tasks, notes, phone calls and tickets. A fresh instance starts empty, as shown below. Entries carry a type, status, priority, start and due dates, an owner and a responsible user, and they can be linked to a contact, a calendar event or a project so everything about a piece of work stays together. The filters down the page let you build and save views such as your own open tasks or everything due this week.

Step 9 - Connect your own mail server
EGroupware's mail app is a client, not a mail server: this image deliberately ships no SMTP or IMAP daemon, so nothing is listening on a mail port and there is no relay to secure. Sign in as the administrator and go to Admin > Mail accounts to point the mail app at an IMAP and SMTP server you already run, or at a hosted provider. The rest of the suite, including the calendar, address book, InfoLog, file manager and project manager, works fully without any mail server configured. The same Admin area connects EGroupware to LDAP or Active Directory if you would rather authenticate against your existing directory than the bundled database.
Step 10 - No known or default credentials
This image ships with no usable login. Every password baked at build time, the administrator, the database, and the setup console credentials, is rotated to a random value that is discarded and never recorded, and the first boot service sets fresh values unique to your VM before EGroupware serves a single request. The check below confirms that the per VM administrator authenticates through EGroupware's own authentication path while a blank password and common weak guesses are all rejected.
sudo mariadb --protocol=socket -uroot -N -e "SELECT CONCAT(account_lid,' (',account_type,')') FROM egroupware.egw_accounts WHERE account_type='u'"
sudo bash /usr/local/sbin/egroupware-cred-roundtrip.sh

The listing above shows a second account named anonymous alongside admin. That account is not a login for you or your users: EGroupware creates it during installation and uses it internally to serve file manager share links to people who are not signed in. It is created with a random password of EGroupware's own making, this image rotates that password again to a fresh random value unique to your VM on first boot, and the check above confirms it rejects every guessable credential. admin is the only account intended to sign in on a new instance; create your real users under Admin > User accounts.
Change the administrator password to one of your own under Preferences > Password once you have signed in for the first time.
Step 11 - Verify the stack and where your data lives
Confirm the installed release, the health endpoint and the data disk layout. Both the MariaDB database and EGroupware's file store, which holds every file your users upload, live on the dedicated data disk, bind mounted into place, so your data is kept off the operating system disk.
grep -oE "maintenance_release'\] = '[^']+'" /var/www/egroupware/api/setup/setup.inc.php | sed "s/.*'\(.*\)'/EGroupware \1/"
curl -sI http://127.0.0.1/healthz | sed -n 1p
findmnt -no SOURCE,TARGET,FSTYPE,SIZE /data; findmnt -no SOURCE,TARGET /var/lib/mysql; findmnt -no SOURCE,TARGET /var/www/egroupware/files

EGroupware reports two version numbers and both are correct: the release above is the shipped maintenance release, while the database records a separate internal schema version that only changes when the table layout does.
Adding your own domain and TLS
Point a DNS A record at the VM's public IP, then issue a certificate with Certbot. Install it and request a certificate for your domain:
sudo apt-get update && sudo apt-get install -y certbot python3-certbot-apache
sudo certbot --apache -d groupware.your-domain.example --agree-tos -m you@your-domain.example --redirect
Certbot configures Apache for HTTPS and installs a renewal timer. Because EGroupware is configured with a relative web server URL, there is nothing to change inside the application afterwards: it picks up your domain automatically.
Backing up
Everything worth keeping is on the data disk: the MariaDB database and the file store. For a full machine level backup, take an Azure snapshot of the data disk, or dump the database and archive the file store:
sudo mysqldump --protocol=socket -uroot --single-transaction egroupware > /var/tmp/egroupware-backup.sql
sudo tar -czf /var/tmp/egroupware-files.tar.gz -C /data/egroupware files
Store both off the VM. The simplest scheduled option is an Azure Backup policy on the VM plus its data disk. EGroupware also has its own backup export under the setup console, which writes a portable dump of a domain.
Security notes
- The setup console is denied at the web server, so the installer can never be reached or re run against your instance. If you ever need it for a major version upgrade, re enable it temporarily with
sudo a2disconf cloudimg-egroupware-lockdown && sudo systemctl reload apache2, then put it back immediately afterwards. header.inc.php, which holds the database password and the setup console credentials, is denied at the web server and is0640 root:www-dataon disk, so it can be fetched neither over HTTP nor by an unprivileged user on the VM.- EGroupware's file store is denied at the web server: uploaded files are served only through the file manager, which applies your access control, never as static files.
- The bundled MariaDB listens on
127.0.0.1:3306only. Keep port 3306 closed in your NSG; nothing outside the VM needs it. - The administrator, database and setup console passwords are unique to your VM, generated on first boot, and written only to
/root/egroupware-credentials.txtwith0600 root:rootpermissions. - Session cookies are issued host only, so sign in behaves correctly whether you browse the instance by IP or through a DNS name.
- Serve the suite over HTTPS before you put real data in it, and restrict
22/tcpto your management network. - The base OS is fully patched at build time and unattended security upgrades remain enabled on your VM.
Trademark
EGroupware is a trademark of its respective owner. cloudimg is not affiliated with, endorsed by, or sponsored by EGroupware GmbH or the EGroupware project. This image packages the open source EGroupware community software, which is distributed under the GNU General Public License version 2 or later, and all product and company names are the property of their respective holders.
Support
cloudimg provides 24/7 technical support for this image by email (support@cloudimg.co.uk) and live chat, covering deployment, configuration, upgrades, performance tuning and MariaDB administration. Critical issues receive a one hour average response time.