diff --git a/package/secubox/luci-app-master-link/README.md b/package/secubox/luci-app-master-link/README.md new file mode 100644 index 00000000..962bc66a --- /dev/null +++ b/package/secubox/luci-app-master-link/README.md @@ -0,0 +1,63 @@ +# LuCI App Master-Link + +LuCI web interface for SecuBox Master-Link mesh management. + +## Installation + +```bash +opkg install luci-app-master-link +``` + +Requires `secubox-master-link` (pulled automatically as dependency). + +## Access + +**SecuBox > Mesh Management** in the LuCI menu. + +## Tabs + +### Overview + +Adapts to the node's role: + +- **Master**: Role badge, mesh stats (peers, depth, chain height), Generate Token button with QR-ready URL +- **Peer**: Role badge, upstream master info, own depth, sync status +- **Sub-master**: Upstream info + downstream peer count + +### Join Requests (master/sub-master only) + +- Table: hostname, IP, fingerprint, timestamp, status +- Actions: Approve, Reject, Promote to sub-master +- Auto-refresh every 10 seconds + +### Mesh Tree + +- Hierarchical view of master → peers → sub-masters → their peers +- Depth indicators and role badges +- Online/offline status per node + +## RPCD Methods + +All calls go through `luci.master_link` ubus object: + +| Method | Description | +|--------|-------------| +| `status` | Node status and mesh stats | +| `peers` | List all peers with join details | +| `tree` | Mesh topology tree | +| `token_generate` | Create one-time join token | +| `approve` | Approve, reject, or promote a peer | +| `token_cleanup` | Remove expired tokens | + +## Files + +| File | Purpose | +|------|---------| +| `root/usr/share/luci/menu.d/luci-app-master-link.json` | Menu entry | +| `root/usr/share/rpcd/acl.d/luci-app-master-link.json` | ACL permissions | +| `root/usr/libexec/rpcd/luci.master_link` | RPCD endpoint | +| `htdocs/luci-static/resources/view/secubox/master-link.js` | LuCI view | + +## License + +Apache-2.0 
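Review bot: the "RPCD Methods" table does not say which methods are read-only and which change state, so a reader cannot tell what the ACL file listed under "Files" (`root/usr/share/rpcd/acl.d/luci-app-master-link.json`) must grant; since `token_generate`, `approve` and `token_cleanup` all mutate mesh state while `status`, `peers` and `tree` only read it, add a column or a sentence splitting them into read and write grants. While there, the Overview bullet "Generate Token button with QR-ready URL" should say that the displayed URL embeds the one-time token, so whoever can view that tab can onboard a node; that belongs next to the ACL note.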
diff --git a/package/secubox/secubox-master-link/README.md b/package/secubox/secubox-master-link/README.md new file mode 100644 index 00000000..41e64919 --- /dev/null +++ b/package/secubox/secubox-master-link/README.md 
@@ -0,0 +1,98 @@ +# SecuBox Master-Link + +Secure mesh onboarding for SecuBox appliances. A master node generates one-time join tokens, serves the secubox IPK bundle, and approves new peers via blockchain-backed trust. Supports gigogne (nested) hierarchy where approved nodes can become sub-masters. + +## Overview + +``` + MASTER (depth 0) + ├── Peer A (depth 1) + ├── Sub-Master B (depth 1) + │ ├── Peer C (depth 2) + │ └── Peer D (depth 2) + └── Peer E (depth 1) +``` + +## Installation + +```bash +opkg install secubox-master-link luci-app-master-link +``` + +## Configuration + +```bash +# /etc/config/master-link + +config master-link 'main' + option enabled '1' + option role 'master' # master | peer | sub-master + option upstream '' # upstream master IP (peers/sub-masters) + option depth '0' # gigogne depth (0 = root master) + option max_depth '3' # max nesting depth + option token_ttl '3600' # token validity in seconds + option auto_approve '0' # auto-approve join requests + option ipk_path '/www/secubox-feed/secubox-master-link_*.ipk' +``` + +## Join Protocol + +1. **Master generates token** — one-time HMAC-SHA256 token with TTL +2. **New node opens landing page** — `http://:7331/master-link/?token=...` +3. **New node downloads IPK** — token-validated download via `/api/master-link/ipk` +4. **New node sends join request** — fingerprint + address submitted to master +5. **Master approves** — TOFU key exchange, blockchain block recorded, peer added to mesh +6. **Optional: promote to sub-master** — approved peer can onboard its own peers + +## CGI Endpoints + +All served on port 7331 under `/api/master-link/`. 
+ +| Endpoint | Method | Auth | Description | +|----------|--------|------|-------------| +| `/token` | POST | Local only | Generate join token | +| `/join` | POST | Token | Submit join request | +| `/approve` | POST | Local only | Approve/reject peer | +| `/status` | GET | Public/Local | Mesh status | +| `/ipk` | POST | Token | Download secubox IPK | + +## RPCD API + +```bash +ubus call luci.master_link status '{}' +ubus call luci.master_link peers '{}' +ubus call luci.master_link tree '{}' +ubus call luci.master_link token_generate '{}' +ubus call luci.master_link approve '{"fingerprint":"...","action":"approve"}' +ubus call luci.master_link approve '{"fingerprint":"...","action":"reject","reason":"..."}' +ubus call luci.master_link approve '{"fingerprint":"...","action":"promote"}' +ubus call luci.master_link token_cleanup '{}' +``` + +## Blockchain Block Types + +| Type | Description | +|------|-------------| +| `join_request` | New node requesting to join | +| `peer_approved` | Master approved peer | +| `peer_rejected` | Master rejected peer | +| `peer_promoted` | Peer promoted to sub-master | +| `token_generated` | Audit: token was created | + +## Security + +- **Tokens**: HMAC-SHA256, one-time use, time-limited (default 1h) +- **TOFU**: First join establishes trust via fingerprint exchange +- **Depth limiting**: `max_depth` prevents unbounded nesting +- **Chain integrity**: All actions recorded as blockchain blocks +- **Audit trail**: Token lifecycle and peer events queryable via chain + +## Dependencies + +- `secubox-p2p` — mesh networking and blockchain +- `openssl-util` — HMAC token generation +- `curl` — peer notification + +## License + +Apache-2.0
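Review bot: the Auth column entry "Public/Local" for `/status` is ambiguous and should state what an unauthenticated caller actually receives versus a local caller, since the mesh status described elsewhere (peer list, fingerprints, chain height) is not something to expose on port 7331 to anyone. Two smaller documentation points in the same hunk: the Join Protocol URL `http://:7331/master-link/?token=...` has lost its host placeholder and shows the one-time token carried as a plain-HTTP query parameter, so the README should name the host placeholder and note that the token is only as private as that transport (and that the TTL from `token_ttl` bounds the exposure); and the Configuration block is a UCI file yet is fenced as `bash`, so tag it as plain text or `uci` to match the other fences.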