- Create login/token-login/empty directories with correct ownership
- Set proper permissions for dovenull user on login directories
- Remove stale auth-token-secret.dat on startup (prevents "compromised token" errors)
- Increase sleep time after dovecot start for socket creation
- Fix permissions again after socket creation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The ^~ /apps/ location was taking precedence over static file regex
locations, causing SVG icons to return 404. The root location's
rewrite to index.php already handles app routing correctly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The /apps/dashboard/ and other app paths were returning 403 Forbidden
because nginx was matching the directory via try_files before routing
to PHP. Added explicit location ^~ /apps/ to rewrite to index.php.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add permission fix for /etc/dovecot/users in startup script.
Without this, dovecot auth fails with "Permission denied" when
trying to read the passwd-file for LMTP delivery.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The firewall-setup command now adds:
- Input rules for ports 25, 143, 465, 587, 993 (accept from WAN)
- Forward rules for mail ports (WAN -> LAN mailserver)
- DNAT rules in firewall.user (excluding LAN subnet)
This ensures nftables input_wan and forward_wan chains allow
mail traffic to reach the mailserver container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine Linux uses LMDB instead of Berkeley DB hash format.
Changed virtual_mailbox_maps from hash: to lmdb: prefix.
Also fixes:
- nftables forward_wan missing port 25 accept rule
- nftables input_wan missing port 25 accept rule
- gk2@secubox.in missing from vmailbox
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add dovecot run directory permission setup
- Add dovenull to dovecot group (fixes login directory access)
- Update HISTORY.md with changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix anvil-auth-penalty socket permission issues that caused
authentication failures. Ensures /run/dovecot has correct ownership
before and after dovecot starts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add list_users RPCD method to list Nextcloud users via OCC
- Add reset_password RPCD method for password reset via OCC
- Add Users tab in LuCI dashboard with user list
- Add password reset modal with confirmation
- Parse Nextcloud user:displayname JSON format
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use printf instead of echo to preserve $6$ hash prefix
- Write dovecot entry to temp file to avoid shell expansion
- Use correct uid:gid 102:105 for vmail user
- Add userdb_mail field to dovecot passwd format
- Use /var/mail path to match container layout
The SHA512-CRYPT hash ($6$...) was being corrupted when passed
through nested shell commands - the $6$ was interpreted as a
shell variable and removed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Autoconfig:
- Created config-v1.1.xml (Thunderbird), autodiscover.xml (Outlook),
email.mobileconfig (Apple) for automatic mail client configuration
- Added uhttpd instance on port 8025 to serve autoconfig files
- Added HAProxy backends with waf_bypass for autoconfig domains
- Added mailctl autoconfig-setup and autoconfig-status commands
LuCI Mailserver:
- Added user_repair method for mailbox repair (doveadm force-resync)
- Added repair button to user actions in overview
LuCI Nextcloud:
- Added list_users method to list Nextcloud users
- Added reset_password method for password reset via OCC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mailctl firewall-setup command to configure mail port forwarding
- Add mailctl firewall-clear command to remove mail firewall rules
- Firewall rules now use "! -s LAN_SUBNET" to exclude LAN clients
- LAN clients can reach external mail servers (OVH, Gmail, etc.)
- WAN traffic on mail ports redirected to local mailserver
Fixes SSL certificate errors when LAN clients connect to external IMAP/SMTP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix alias_add RPCD to read JSON from stdin (ubus compatibility)
- Add alias_del function to users.sh
- Add alias del command to mailctl
- Add alias_del RPCD method
Tested: alias_add, alias_list, alias_del all work via ubus call
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Nextcloud Overview and Settings tabs to kiss-theme sidebar for
consistent navigation across all SecuBox apps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HexoJS tabs (Overview, Posts, Editor, Media, Deploy, Sync, Theme,
Settings) to kiss-theme.js nav config
- Remove duplicate inline tabs from overview.js
- Tabs now appear in sidebar when HexoJS is selected
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace inline CSS with shared secubox/kiss-theme module for simpler,
faster, more efficient rendering. Code reduced from 320 to 188 lines.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Completely rewrote overview.js with self-contained inline CSS following
the KISS design pattern. Dark theme with stats grid, quick actions,
instance cards with status badges, and clean backups table.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The listInstances and listBackups RPC declarations use expect which
unwraps the response array directly. Changed results[0].instances to
results[0] and results[3].backups to results[3].
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backup/restore commands to hexoctl (backup, restore, backup list/delete)
- Add GitHub clone support (hexoctl github clone <url> [instance] [branch])
- Add Gitea push support (hexoctl gitea push [instance] [message])
- Add quick-publish command (clean + build + publish in one step)
- Add 15 new RPCD methods for instance/backup/git management
- Rewrite LuCI dashboard with KISS theme:
- Multi-instance management with status cards
- Instance controls: start/stop, quick publish, backup, editor, preview
- GitHub/Gitea clone modals
- Backup table with restore/delete
- Stats grid: instances, posts, drafts, backups
- Update API with 12 new RPC declarations
- Update ACL with new permissions
Also includes DNS Master app created in previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added port 143 to RPCD port detection list
- Fixed KISS nav path for Nextcloud (admin/secubox/services/nextcloud)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete rewrite of overview.js with full KISS theme styling
- 4-column stats grid (Status, Users, Storage, SSL)
- Port status cards with visual indicators
- Two-column layout: Users + Aliases tables
- Webmail card with status badge and quick actions
- Connection info panel with server details
- Live polling with 10s refresh
- Added fix_ports, alias_del methods to ACL
- Added Mail Server + Nextcloud to KISS nav sidebar
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change location / from try_files to rewrite for proper app URL handling
- Fixes 403 errors when accessing /apps/* URLs after authentication
- All URLs now properly route through index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change nginx to listen on ${NEXTCLOUD_HTTP_PORT:-8080} instead of hardcoded port 80
- Fix PHP-FPM socket path to use detected PHP version (php${PHP_VERSION}-fpm.sock)
- Avoids port conflict with HAProxy on port 80 when using host networking
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse HTML directory listing instead of non-existent index.json
- URL-encode colon in date path for LXC image server
- Add mount_chroot_fs/umount_chroot_fs helpers for proper chroot
- Mount /dev, /dev/pts, /proc, /sys before running apt
- Remove php-smbclient (not in base repos)
- Install gnupg/gpgv first for apt verification
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed RPCD handler to read from /srv/mitmproxy-in (WAF input)
- Previously read from /srv/mitmproxy which had no threat data
- Fixed threats_today, alerts, autobans stats
- Check mitmproxy-in and mitmproxy-out containers for running status
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds a watchdog loop that checks every 60 seconds if wazuh-agentd
is running and automatically restarts the Wazuh service if it stops.
Fixes agent disconnection issues caused by wazuh-agentd process dying.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/
mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-peertube: Update default port to 9001, hostname to tube.gk2.secubox.in
- luci-app-secubox-portal: Add RPCD backend for dynamic tree generation
- get_tree: Auto-discovers luci-app-* packages grouped by category
- get_containers: Lists LXC containers with running state
- get_vhosts: Lists HAProxy virtual hosts
- luci-tree.js: Rewritten to use RPC for live data with refresh button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler (luci.peertube) with 11 methods: status, start, stop,
install, uninstall, update, logs, emancipate, live_enable,
live_disable, configure_haproxy
- ACL permissions for read (status, logs) and write operations
- Dashboard features:
- Install wizard with features and requirements
- Service status display with access URL
- Live streaming toggle with enable/disable buttons
- HAProxy configuration status
- Emancipate form for public exposure
- Logs viewer with refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New secubox-app-peertube package for self-hosted video streaming:
- LXC Debian container with PostgreSQL, Redis, Node.js, FFmpeg
- peertubectl control script with install/update/emancipate commands
- UCI configuration for server, transcoding, live streaming, storage
- procd init script with respawn support
- HAProxy integration with WebSocket and extended timeouts
- RTMP live streaming support (optional)
- S3/object storage support (configurable)
- Admin commands for user management
- Backup/restore functionality
Commands:
peertubectl install - Create LXC container with full stack
peertubectl emancipate <domain> - Full exposure with HAProxy + ACME
peertubectl admin create-user - Create user accounts
peertubectl live enable - Enable RTMP live streaming
peertubectl backup/restore - Database backup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After emancipating a service, automatically sync routes to mitmproxy
WAF to ensure traffic can be properly routed through the mitmproxy
containers without manual intervention.
The new _emancipate_mitmproxy() function calls mitmproxyctl sync-routes
after HAProxy configuration to keep mitmproxy routing table in sync.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
RPCD handler now checks for both:
- /etc/dnsmasq.d/vortex-firewall.conf (dnsmasq mode)
- /etc/bind/zones/rpz.vortex.zone (BIND RPZ mode)
This fixes the "0 blocked domains" display when using BIND DNS server.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The mitmproxy service now uses separate containers:
- mitmproxy-in: External WAF (WAN protection)
- mitmproxy-out: Insider WAF (LAN threat detection)
Updated RPCD handler to check correct container names for status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Regenerated Packages index with proper Filename fields for all ipk files.
Updated all package versions to latest builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite overview.js to use KissTheme wrapper
- Add health status cards for Agent, Manager, Indexer, CrowdSec
- Add alert statistics with color-coded counters
- Add security layers table (Firewall, IPS, SIEM, WAF)
- Add quick actions with restart agent button
- Include built IPK in secubox-feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support both "*.domain" and ".domain" wildcard formats in haproxy_router.py
- Sort wildcards by length (longest first) for correct specificity matching
- Add auto-reload: check routes file mtime every 10 requests
- Update metablogizerctl to use mitmproxyctl sync-routes
Also fix luci-app-wazuh api.js to use baseclass.extend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Support xz, gz, and zst compression for data.tar in deb packages.
Modern Wazuh debs use data.tar.xz instead of data.tar.gz.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package secubox-wazuh-manager provides complete SIEM stack:
- Wazuh Manager: Agent management, log analysis, threat detection
- Wazuh Indexer: OpenSearch-based alert storage
- Wazuh Dashboard: Web UI for visualization (port 5601)
Features:
- Automated LXC container deployment with Debian 12
- HAProxy integration with waf_bypass for dashboard
- Agent management commands (list, info, remove)
- API access and token generation
- Log viewing for all components
- Shell access for administration
CLI: wazuh-managerctl with install/start/stop/status/configure-haproxy
Requirements: 4GB+ RAM, 20GB+ storage for production use
Complements secubox-app-wazuh agent for full SIEM deployment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add _emancipate_mitmproxy() to register domain in WAF routes
- Add _emancipate_path_acl() to create secubox.in/gk2/{name} path routing
- Auto-detect wildcard SSL coverage for *.gk2.secubox.in domains
- Restart mitmproxy-in container after adding routes
- Update help text with 7-step workflow
Emancipate now handles full deployment:
1. DNS A record (Gandi/OVH)
2. Vortex DNS mesh publication
3. HAProxy vhost + backend
4. WAF/mitmproxy integration
5. Path ACL (secubox.in/gk2/{name})
6. SSL certificate (or wildcard)
7. Zero-downtime reload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Converted secubox-app-jellyfin, secubox-app-mailserver, and added
secubox-app-roundcube to use LXC containers instead of Docker.
Changes:
- jellyfinctl: Now uses LXC at 192.168.255.31
- mailserverctl: New controller for Alpine LXC with Postfix/Dovecot
- roundcubectl: New package for Roundcube webmail LXC
All controllers support:
- Bootstrap Alpine rootfs using static apk
- LXC configuration generation
- HAProxy integration with waf_bypass
- Start/stop/status commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.
- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Creates a landing page with links to public Mastodon clients
(Pinafore, Elk, Semaphore) pre-configured for the local GoToSocial
instance.
- pinaforectl install [instance] - Create client hub
- pinaforectl start/stop - Manage uhttpd server
- pinaforectl emancipate <domain> - Expose via HAProxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change db-address from /data/ to /srv/gotosocial/ for direct host mode
- Change storage path from /data/ to /srv/gotosocial/
- Fix --config to --config-path to match GoToSocial v0.17 CLI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The sync-routes command was only writing to the default /srv/mitmproxy
path. Now copies haproxy-routes.json to all configured instances
(mitmproxy-in, mitmproxy-out) so the HAProxy router addon can
properly route traffic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The reload-autoban command was only writing to the default data path,
missing the mitmproxy-in and mitmproxy-out instances. Now iterates
over all configured instances to ensure autoban.json is updated
everywhere.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add rmempty=false to autoban enabled flag to prevent LuCI from
removing the option when saving the form. This fixes the issue
where saving settings would reset autoban to disabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
false positives from normal login flows
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SSRF detection was triggering on any request to internal IPs
(192.168.x.x, 10.x.x.x, etc.) because it was checking the target
URL itself. Now only checks query parameters and request body for
SSRF patterns, which is where actual SSRF attacks occur.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `waf_enabled` and `waf_backend` options to haproxy.main config.
When waf_enabled=1, all vhost and path-based routing goes through
the WAF backend (default: mitmproxy_inspector) instead of directly
to service backends.
This enables global traffic inspection through mitmproxy WAF while
maintaining proper routing via haproxy_router addon.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allow disabling HAProxy router mode per-instance via UCI option
`mitmproxy.<instance>.haproxy_router_enabled`. This prevents port
conflicts when running multiple mitmproxy instances (e.g., mitmproxy-out
on 8888 and mitmproxy-in on 8889) where only the inbound instance
needs HAProxy router mode.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: Use network.lan.ipaddr instead of 127.0.0.1 for server address
- service-registry: Same fix for emancipate function
- hexojs: Same fix for HAProxy backend creation
- gotosocial: Switch from LXC to direct execution mode
- v0.18.0 has cgroup bugs, using v0.17.0 instead
- Remove LXC container dependency
- Use /srv/gotosocial for binary and data
- Add proper PID file management
The HAProxy container cannot reach 127.0.0.1 on the host, so all HAProxy
backend servers must use the LAN IP (typically 192.168.255.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-gotosocial and luci-app-gotosocial for running a lightweight
ActivityPub social network server in LXC container.
Features:
- gotosocialctl CLI with install, start, stop, user management
- LXC container deployment (ARM64)
- HAProxy integration via emancipate command
- UCI configuration for instance, container, proxy, federation settings
- LuCI web interface with overview, users, and settings tabs
- Mesh integration support for auto-federation between SecuBox nodes
- Backup/restore functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove cgroup:mixed from lxc.mount.auto (causes "Failed to create
cgroup at_mnt" error on certain kernel configurations)
- Disable cgroup memory limit since cgroup is not mounted
- Fixes Gitea container failing to start with cgroup mount errors
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Skip IPv6 addresses and use active_address when available
- Filter out local node from shared services query
- Increase curl max-time to 10s for slow CGI responses
- Skip null/empty peer addresses
- Reduces response time from 48s to ~5s
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change service endpoint from port 8080 to /cgi-bin/p2p-services
- Exclude local node from shared services query
- Extract .services array from response JSON
- Add peer address to each shared service for attribution
- Handle empty/null responses gracefully
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- 1 second delay between I2C writes to prevent bus lockup
- Error detection with backoff
- Max 3 consecutive errors then stops
- 10 second update interval
- Commands: start, stop, status, test
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The emancipate function was checking for app folder existence using
instance name (e.g., "pix") instead of the actual app name
(e.g., "bazi_calculator"). Now properly resolves app from UCI config.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Simple tool to sync LuCI resources, views, RPCD handlers, ACLs and
menus from master node to all mesh peers. No IPK rebuild required.
Usage: mesh-sync-packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash doesn't support 'local' keyword outside functions.
This was causing health_check RPC to hang with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed P2PAPI.discoverPeers() to P2PAPI.discover() to match the
actual method exposed by the API module.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename from admin/secubox/mirrorbox to admin/services/secubox-p2p
for consistent URL structure with other service apps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add fdisk, resize2fs, partx-utils to ASU package list
- Enables partition expansion on first boot for fresh installs
- Addresses kernel limitation with online ext4 resize
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix build button being unclickable by properly handling disabled attribute
(only set when isBuilding is true, not undefined/false)
- Fix SSH host key mismatch errors in do_scp by cleaning stale known_hosts
entries from all possible locations (/root/.ssh, /.ssh, /overlay/upper/.ssh)
before transfers - prevents failures after device reflash
- Add cursor:pointer style to build button for better UX
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add remote device management: scan_network, list_remotes, add_remote,
remove_remote, remote_status, remote_upload, remote_flash RPCD methods
- Add secubox-asu-clone script for on-the-fly firmware generation via
OpenWrt ASU (Attended Sysupgrade) API
- Include full LuCI packages in ASU builds (luci-base, luci-mod-admin-full,
luci-mod-network, luci-mod-status, luci-mod-system, etc.)
- Add partition expansion script (10-expand-rootfs) to use full SD card/eMMC
with proper UUID and boot config handling for both MBR and GPT
- Add robust provisioning script (99-secubox-provision) with network retry,
firewall handling, and SecuBox package installation from local feed
- Use dropbear's dbclient for SSH operations (OpenWrt native)
- Support mochabin, espressobin-v7, espressobin-ultra, x86-64 devices
- Default to OpenWrt version 24.10.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Four Pillars of Destiny (八字) calculator with French translations
- Dark theme styling: rgba backgrounds, light text colors
- Maître du Jour section with high contrast green accents
- Five Elements balance visualization
- Ten Gods relationships and yearly analysis
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 通書 Tong Shu almanac with Wu Yun Liu Qi calculations
- Dark theme compatible styling with transparent backgrounds
- French translations for zodiac animals and Chinese terms
- Uses st.html() for proper HTML rendering in Streamlit 1.33+
- Includes: Four Pillars, Day Quality, Clash/Directions, Activities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove old secubox-theme and secubox-portal/header dependencies
- Remove external dashboard.css stylesheet
- Replace ndpid/api with direct RPC declarations
- Use KISS classes (kiss-card, kiss-stat, kiss-table, kiss-badge, kiss-btn)
- Add consistent navigation tabs
- Add poll toggle for auto-refresh control
- Use CSS variables (--kiss-blue, --kiss-green, --kiss-muted, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove external CSS loading (dashboard.css)
- Convert impact cards to KISS grid with CSS variables
- Update proxy settings cards (AdGuard, CDN Cache, WPAD) to KISS styling
- Convert components grid and cards to KISS theme
- Update sync section and component details modal
- Use KissTheme.E() throughout with consistent styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- dashboard.js: KISS stats grid, source chips, type cards, recent devices table
- devices.js: KISS filter bar, device table with inline actions, edit/detail modals
- emulators.js: KISS emulator cards with status badges, mini tables
- mesh.js: KISS peer cards grid, remote devices table
Removes external CSS loading (cssLink pattern) and di-* class prefixes.
Uses KissTheme.E(), kiss-* classes, and CSS variables throughout.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Overview dashboard to use KissTheme:
- Removed external dashboard.css loading
- Replaced all hp- classes with kiss- classes
- Emergency banner with service status and controls
- Stats grid with vhosts, backends, certs counts
- System health grid with container/haproxy/config status
- Virtual hosts table preview
- Backends and certificates cards
- Quick actions grid (start/stop/reload/validate/regenerate/stats)
- Connection details with endpoints
- KISS toast notifications
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Statistics dashboard to use KissTheme:
- Removed CSS import via style element
- Replaced all hp- classes with kiss- classes
- Stats iframe with KISS-styled border
- Logs viewer with line count selector and refresh button
- Empty state for disabled stats or stopped service
- Consistent styling with vhosts.js and backends.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Backends dashboard to use KissTheme:
- Removed external dashboard.css dependency
- Replaced all hp- classes with kiss- classes and inline styles
- Self-contained inline CSS using KISS variables
- Backend cards with server lists, health check info
- Add backend form with mode, balance, health check options
- Add/edit server modals with quick service selector
- Delete confirmations and toast notifications
- Consistent styling with vhosts.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed LXC container status detection from lxc-ls to lxc-info:
- lxc-info -n mitmproxy -s provides direct state query
- More reliable than parsing lxc-ls --running output
- Fixed container name from secbx-mitmproxy to mitmproxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Virtual Hosts dashboard to use KissTheme:
- Self-contained inline CSS using KISS variables
- Removed external dashboard.css dependency
- Add vhost form with domain/backend/SSL inputs
- Vhosts table with status badges and actions
- Edit modal and delete confirmation dialogs
- Toast notifications for user feedback
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy evaluates ACL rules in order - first match wins. Wildcard
suffix rules (*.gk2.secubox.in) were catching all subdomains before
specific vhost rules could match.
Fix: Split vhost ACL generation into two passes:
1. First: exact and regex matches (specific domains)
2. Second: suffix matches (wildcards)
This ensures wanted.gk2.secubox.in matches before *.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
AI Insights Dashboard:
- Rewrite CSS with KISS cyberpunk theme (dark bg, neon accents, glowing effects)
- Fix CVE feed RPCD for OpenWrt/BusyBox compatibility (date format, JSON building)
- Add wget fallback for CVE fetch
Tor Shield:
- Add excluded_domains support for bypassing Tor routing
- Resolve domains via nslookup and add to iptables RETURN rules
- Default exclusions: openwrt.org, downloads.openwrt.org, services.nvd.nist.gov
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_cve_feed RPCD method fetching from NVD API
- Add CVE feed panel showing recent vulnerabilities with CVSS scores
- Cache CVE feed for 30 minutes to reduce API calls
- Link CVE IDs to NVD detail pages
- Color-code severity (critical/high/medium/low)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Convert packages string to proper JSON array format
- Add -dnsmasq to avoid conflict with dnsmasq-full
- Add rootfs_size_mb: 512 for larger package sets
- Trim default packages to fit in standard rootfs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Same expect unwrapping bug was present in refresh() function,
causing stats to show counts but content to show "No items"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add build_progress RPCD method to track image build status
- Fix handleBuild() to handle RPC expect array unwrapping
- The expect: { devices: [] } unwraps the array, so data IS the array
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The build_progress RPCD method was missing from ACL, causing
"Access denied" (-32002) errors when polling build status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add gitea push to upload_app (small files)
- Add gitea push to upload_zip
- Add gitea push to save_source (edit)
- Chunked upload already had gitea push
Every app creation/update now automatically:
1. Creates Gitea repo if not exists (streamlit-<name>)
2. Pushes changes to the repo
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
KISS Theme:
- Add expandable sub-tabs under active sidebar items
- Apps with multiple views show nested tabs when active
- Support for CrowdSec, HAProxy, WireGuard, Ollama, Tor Shield,
CDN Cache, InterceptoR, mitmproxy, Client Guardian
Cloner:
- Full KISS theme rewrite with stats grid, quick actions
- TFTP boot commands with copy button
- Progress tracking for image builds
Streamlit:
- Fix reupload not applying changes - auto-restart service after upload
- Show "Restarting..." spinner during service reload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add full-width overrides for LuCI containers
- Main content area now uses calc(100% - 220px) width
- Override max-width constraints on body, maincontent, containers
- Better responsive breakpoints for mobile
- Minimized mode uses full width
- Improved table/card sizing at smaller breakpoints
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New Streamlit category with external app links
- France TV, Yijing Oracle, Fabricator, Bazi Complete, SecuBox Control
- External links open in new tab with ↗ indicator
- Support for both internal paths and external URLs in nav items
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- KISS Theme v2.1: Collapsible nav sections with icons, auto-expand active
- Add comprehensive navigation with all SecuBox apps organized by category
- Fix Client Guardian path to admin/secubox/security/guardian
- Fix Cookie Tracker path to admin/secubox/interceptor/cookies
- Ollama: Add system resources card (RAM/disk usage with progress bars)
- Ollama: Add API endpoints card with copy-to-clipboard
- Ollama: Add container logs viewer with refresh
- Ollama: Add system_info, logs, model_info RPCD methods
- Ollama: Update stats to show RAM/disk usage
- Fix Vortex Firewall menu path to admin/secubox/security
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add two toggle buttons in bottom-right corner
- 📐/📏 button: Toggle sidebar & top bar on/off
- 👁️ button: Switch between KISS and LuCI mode
- Three viewing modes: Full KISS, Content Only, LuCI
- Add .kiss-chrome-hidden class for minimized mode
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add fixed top bar with hamburger menu, logo, breadcrumb, logout
- Collapsible sidebar with scrolling for long menus
- Expanded navigation: Dashboard, Security, Services, Apps, System
- Preserve #tabmenu for internal view tab navigation
- Mobile overlay backdrop for sidebar
- Responsive breakpoints: 1024px, 768px, 480px
- Toggle button moved to bottom-right corner
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Emergency banner stacks vertically on mobile
- Quick actions use CSS grid (3-col → 2-col)
- Tables get horizontal scroll on narrow screens
- Health grid adapts to 3-col → 2-col on mobile
- Stats grid compact layout on small screens
- Reduced padding and font sizes for mobile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add batch IP lookup via ip-api.com for org/ISP info
- Display organization column between Source and Country
- Cache org lookups to avoid repeated requests
- Include organization in search filter
- Skip private IP ranges (192.168.x, 10.x, 127.x)
fix(mitmproxy): Fix null text appearing in status table
- Use concat([]) pattern instead of ternary null returns
- Prevents "null" text from rendering in DOM
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update RPCD get_public_ips to return 4 IP fields:
- lan_ipv4: br-lan interface IP
- wan_ipv4: br-wan interface IP
- public_ipv4: Real public IP (cached from ipify.org)
- public_ipv6: Global IPv6 from br-wan
- Update dashboard to display 4-column IP grid with icons
- Add responsive CSS for 2x2 layout on small screens
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Whitelist trusted crawlers to prevent false positive SSRF alerts:
- Facebook/Meta: 69.171.x, 173.252.x, 31.13.x, 157.240.x, etc.
- Ahrefs SEO: 54.39.210.x, 167.114.139.x, 54.36.x
Changed from ip/cidr format to expression format for CrowdSec
compatibility on OpenWrt.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add setKissMode(), toggleKissMode(), isKissMode() methods to theme.js
- Add initKissMode() for automatic initialization from localStorage
- Add _injectKissCSS() for dark theme styling
- Add _injectKissSidebar() for C3BOX navigation
- Add _hideChrome()/_showChrome() for toggling LuCI UI elements
- Add kiss-loader.js for standalone auto-initialization
- KISS mode persists via localStorage across all pages
Usage:
1. Click the eye toggle (👁️) on any SecuBox page
2. Or call Theme.setKissMode(true) from JS console
3. Mode persists across page navigation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- InterceptoR: Refactor to use shared KissTheme.wrap() module
- Remove duplicate inline CSS (~200 lines)
- Use shared theme for sidebar navigation
- IoT Guard: Update to KISS dark theme styling
- Use KissTheme.wrap() with sidebar
- Update stat cards to use KISS classes
- Update device chips and anomaly table styling
- mitmproxy: Add KISS theme wrapper
- Add KissTheme.wrap() for sidebar navigation
- Update info card styling to match theme
- System Hub: Update to KISS theme
- Add KissTheme.wrap() for sidebar navigation
- Update quick actions to use kiss-btn class
- Inject KISS-compatible extra styles for cards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add shared navigation config in kiss-theme.js
- Add renderSidebar() method for reusable sidebar
- Add wrap() helper for full page with sidebar
- Update InterceptoR to use sidebar layout
- Responsive: collapses on mobile, icons-only on tablet
Other views can use: KissTheme.wrap([content], 'active/path')
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add shared kiss-theme.js module for consistent dark theme across views
- Add eye toggle button (👁️) to switch between KISS and LuCI modes
- Add git repo status methods to luci.gitea RPCD:
- get_repo_status: branch, ahead/behind, staged/modified files
- get_commit_history: recent commits with stats
- get_commit_stats: daily commit counts for graphs
- Update InterceptoR overview with KISS styling and responsive grid
- Fix quick links paths (network-tweaks → admin/network/)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Remove 'local' keyword from case statement block where it's not
allowed in POSIX shell. Replace && block conditions with proper
if/then/fi statements for health score calculation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add login/logout button in topbar (detects session state)
- Add collapsible LuCI Quick Nav tree in left sidebar
- Add LuCI Tree screen with grid view of all module links
- 7 categories: Core, Security, Network, Services, Monitoring, System, P2P
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add /etc/config/iot-guard with default settings so the Settings
page loads without RPC errors. Includes main config, zone policy,
allowlist, and blocklist sections.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite using standard LuCI view pattern matching other portal views
- Use simple data array structure instead of nested objects
- Add proper event listener for search filter
- Organize 90+ links into 17 categories
- Fix JavaScript errors on public endpoint
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Async progressive cache: instant render from localStorage, async RPC updates
- Public ACL: unauthenticated access for secubox-public/portal route
- Progressive DOM updates via updateText() helpers
- No blocking Promise.all - each fetch updates its section on completion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Auto-detects DNS server (BIND vs dnsmasq) and generates appropriate
blocklist format:
- BIND: Response Policy Zone (RPZ) with NXDOMAIN responses
- dnsmasq: addn-hosts sinkhole file (existing)
Tested with 46,067 blocked domains on BIND named server.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The handler was looking for dns-guard.detector_${det}.enabled but
UCI config uses dns-guard.${det}.enabled (without detector_ prefix).
This caused all detectors to show as Disabled in the dashboard.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace defunct malwaredomains feed with ThreatFox (abuse.ch)
- Add is_valid_domain() function to validate domain format
- Optimize intel_merge() with batch SQL transactions
- Previous: 765 domains with invalid entries (HTML parsing artifacts)
- Now: 46,056 valid domains from 3 feeds (URLhaus, OpenPhish, ThreatFox)
Performance: Batch import completes in seconds vs minutes for 45K+ domains.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
KISS-style dashboard for Vortex DNS Firewall with:
- Status cards: Active state, Blocked Domains, Total Blocks, x47 Impact
- Quick actions: Update Feeds, Block Domain, Search Domain
- Threat intelligence feeds table with domain counts and update times
- Top blocked domains table with threat badges
- Threat distribution visualization
- Live polling (10s) for real-time stats updates
- Dark mode support
Menu: Services > Vortex DNS Firewall
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Phase 1 implementation of Vortex DNS Firewall - SecuBox's first line
of defense blocking threats at DNS level BEFORE any connection is
established.
Features:
- Threat intel aggregator (URLhaus, OpenPhish, Malware Domains)
- SQLite-based blocklist database with domain deduplication
- dnsmasq integration via sinkhole hosts file
- x47 vitality multiplier concept (each DNS block prevents ~47 connections)
- RPCD handler for LuCI integration with 8 methods
- CLI tool: vortex-firewall intel/stats/start/stop
Tested with 765 blocked domains across 3 threat feeds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support building images for: mochabin, espressobin-v7, espressobin-ultra, x86-64
- New CLI: secubox-cloner build --device espressobin-v7
- New CLI: secubox-cloner devices (list supported devices)
- RPCD: list_devices method, build_image accepts device_type param
- LuCI: Device selection dropdown in build modal
- LuCI: Device column in images table with badges
- Each device type has its own TFTP image file
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Dashboard with status cards: device, TFTP, tokens, clones
- Quick actions: Build Image, Start/Stop TFTP, Token generation
- Clone images table with size and TFTP-ready status
- Token management with auto-approve option
- U-Boot flash commands display when TFTP is running
- RPCD handler with 10 methods for full cloner management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Pipe | while runs in subshell, json_add calls don't affect parent
- Use temp files to avoid subshell: write data to file, then read
- Fixed https_visitors, top_endpoints, recent_visitors arrays
- All arrays now properly populated with visitor data
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace --no-api + jsonfilter with jq length for counting
- jsonfilter cannot properly count JSON arrays
- --no-api flag returns empty results
- Applied fix to both get_overview() and stats functions
- Active Bans now shows correct count (was showing 0)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add poll.add() for continuous 3-second updates
- Use data-attributes for efficient DOM targeting
- Add CSS pulse animation on value changes
- Add live indicator with timestamp
- Implement updateValue, updateBar, updateList methods
- No page rebuilds - direct element text updates
- KISS and fast real-time metrics
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_active_sessions RPCD method to dashboard module
- Display session counts: Tor circuits, HTTPS, Streamlit, Mitmproxy, SSH
- Add ACTIVE SESSIONS panel with yellow/gold theme
- Add RECENT VISITORS panel showing visitor IPs and countries
- Add TOP ENDPOINTS panel showing accessed paths
- Add ACL permissions for get_active_sessions
- Auto-refresh with other metrics every 10 seconds
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove --no-api flag which returned empty results
- Use jq length instead of jsonfilter for counting arrays
- Add grep fallback when jq is not available
- Count all decisions, alerts, and bouncers correctly
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add callGetVisitStats RPC from security-threats API
- Add WEB TRAFFIC section with total requests, bots/humans counts
- Display country flags and visit counts for top 8 countries
- Add TOP HOSTS section showing top 5 visited hosts
- Green color theme for traffic sections
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_visit_stats RPCD method parsing mitmproxy threats.log
- Returns total requests, by_country, by_host, by_type, by_severity,
bots_vs_humans breakdown, and top_urls (all top 10)
- Add callGetVisitStats RPC declaration to api.js
- Add renderVisitStats function to dashboard with traffic analytics grid
- Shows traffic breakdown by country, host, and URL patterns
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed default visibility from public to private for new Gitea
repositories created by metablogizerctl and streamlitctl.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
MetaBlogizer uses per-site uhttpd instances, not LXC containers.
The watchdog was incorrectly treating it as an LXC service and
constantly trying to restart a non-existent container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic Gitea push after upload_finalize in Streamlit RPCD
- Add automatic Gitea push after upload_finalize in MetaBlogizer RPCD
- Fix MetaBlogizer to use site name instead of UCI section ID for push
- Fix metablogizerctl to read Gitea config from dedicated gitea section
Uploaded files via LuCI are now automatically synced to Gitea repos.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit:
- App create/deploy now auto-pushes to Gitea when enabled
- Add 'gitea init-all' command to initialize repos for all existing apps
- Scans all app directories and creates Gitea repos
MetaBlogizer:
- Site create now auto-pushes to Gitea when token configured
- Add 'gitea init-all' command to initialize repos for all existing sites
- Iterates over UCI site configs and syncs to Gitea
Usage:
# Configure Gitea once
uci set streamlit.gitea.enabled=1
uci set streamlit.gitea.url='http://192.168.255.1:3000'
uci set streamlit.gitea.user='admin'
uci set streamlit.gitea.token='<token>'
uci commit streamlit
# Initialize all existing apps/sites
streamlitctl gitea init-all
metablogizerctl gitea init-all
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit/MetaBlogizer:
- Add 'gitea push <name>' command to both streamlitctl and metablogizerctl
- Auto-creates Gitea repo via API if it doesn't exist
- Initializes git, commits all files, and pushes to Gitea
- Stores repo reference in UCI for future syncs
Tor Shield:
- Add 'wan_input_allow' option for server preset
- Server mode now properly allows WAN inbound (ports 80, 443, 8443)
- Uses nftables rules to integrate with OpenWrt firewall4
- Outbound traffic still routed through Tor (kill_switch)
- Cleanup nftables rules on stop/disable
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
