New package secubox-wazuh-manager provides complete SIEM stack:
- Wazuh Manager: Agent management, log analysis, threat detection
- Wazuh Indexer: OpenSearch-based alert storage
- Wazuh Dashboard: Web UI for visualization (port 5601)
Features:
- Automated LXC container deployment with Debian 12
- HAProxy integration with waf_bypass for dashboard
- Agent management commands (list, info, remove)
- API access and token generation
- Log viewing for all components
- Shell access for administration
CLI: wazuh-managerctl with install/start/stop/status/configure-haproxy
Requirements: 4GB+ RAM, 20GB+ storage for production use
Complements secubox-app-wazuh agent for full SIEM deployment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add _emancipate_mitmproxy() to register domain in WAF routes
- Add _emancipate_path_acl() to create secubox.in/gk2/{name} path routing
- Auto-detect wildcard SSL coverage for *.gk2.secubox.in domains
- Restart mitmproxy-in container after adding routes
- Update help text with 7-step workflow
Emancipate now handles full deployment:
1. DNS A record (Gandi/OVH)
2. Vortex DNS mesh publication
3. HAProxy vhost + backend
4. WAF/mitmproxy integration
5. Path ACL (secubox.in/gk2/{name})
6. SSL certificate (or wildcard)
7. Zero-downtime reload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Converted secubox-app-jellyfin, secubox-app-mailserver, and added
secubox-app-roundcube to use LXC containers instead of Docker.
Changes:
- jellyfinctl: Now uses LXC at 192.168.255.31
- mailserverctl: New controller for Alpine LXC with Postfix/Dovecot
- roundcubectl: New package for Roundcube webmail LXC
All controllers support:
- Bootstrap Alpine rootfs using static apk
- LXC configuration generation
- HAProxy integration with waf_bypass
- Start/stop/status commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.
- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Creates a landing page with links to public Mastodon clients
(Pinafore, Elk, Semaphore) pre-configured for the local GoToSocial
instance.
- pinaforectl install [instance] - Create client hub
- pinaforectl start/stop - Manage uhttpd server
- pinaforectl emancipate <domain> - Expose via HAProxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change db-address from /data/ to /srv/gotosocial/ for direct host mode
- Change storage path from /data/ to /srv/gotosocial/
- Fix --config to --config-path to match GoToSocial v0.17 CLI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The sync-routes command was only writing to the default /srv/mitmproxy
path. Now copies haproxy-routes.json to all configured instances
(mitmproxy-in, mitmproxy-out) so the HAProxy router addon can
properly route traffic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The reload-autoban command was only writing to the default data path,
missing the mitmproxy-in and mitmproxy-out instances. Now iterates
over all configured instances to ensure autoban.json is updated
everywhere.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add rmempty=false to autoban enabled flag to prevent LuCI from
removing the option when saving the form. This fixes the issue
where saving settings would reset autoban to disabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
false positives from normal login flows
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SSRF detection was triggering on any request to internal IPs
(192.168.x.x, 10.x.x.x, etc.) because it was checking the target
URL itself. Now only checks query parameters and request body for
SSRF patterns, which is where actual SSRF attacks occur.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `waf_enabled` and `waf_backend` options to haproxy.main config.
When waf_enabled=1, all vhost and path-based routing goes through
the WAF backend (default: mitmproxy_inspector) instead of directly
to service backends.
This enables global traffic inspection through mitmproxy WAF while
maintaining proper routing via haproxy_router addon.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allow disabling HAProxy router mode per-instance via UCI option
`mitmproxy.<instance>.haproxy_router_enabled`. This prevents port
conflicts when running multiple mitmproxy instances (e.g., mitmproxy-out
on 8888 and mitmproxy-in on 8889) where only the inbound instance
needs HAProxy router mode.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: Use network.lan.ipaddr instead of 127.0.0.1 for server address
- service-registry: Same fix for emancipate function
- hexojs: Same fix for HAProxy backend creation
- gotosocial: Switch from LXC to direct execution mode
- v0.18.0 has cgroup bugs, using v0.17.0 instead
- Remove LXC container dependency
- Use /srv/gotosocial for binary and data
- Add proper PID file management
The HAProxy container cannot reach 127.0.0.1 on the host, so all HAProxy
backend servers must use the LAN IP (typically 192.168.255.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-gotosocial and luci-app-gotosocial for running a lightweight
ActivityPub social network server in LXC container.
Features:
- gotosocialctl CLI with install, start, stop, user management
- LXC container deployment (ARM64)
- HAProxy integration via emancipate command
- UCI configuration for instance, container, proxy, federation settings
- LuCI web interface with overview, users, and settings tabs
- Mesh integration support for auto-federation between SecuBox nodes
- Backup/restore functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove cgroup:mixed from lxc.mount.auto (causes "Failed to create
cgroup at_mnt" error on certain kernel configurations)
- Disable cgroup memory limit since cgroup is not mounted
- Fixes Gitea container failing to start with cgroup mount errors
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Skip IPv6 addresses and use active_address when available
- Filter out local node from shared services query
- Increase curl max-time to 10s for slow CGI responses
- Skip null/empty peer addresses
- Reduces response time from 48s to ~5s
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change service endpoint from port 8080 to /cgi-bin/p2p-services
- Exclude local node from shared services query
- Extract .services array from response JSON
- Add peer address to each shared service for attribution
- Handle empty/null responses gracefully
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- 1 second delay between I2C writes to prevent bus lockup
- Error detection with backoff
- Max 3 consecutive errors then stops
- 10 second update interval
- Commands: start, stop, status, test
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The emancipate function was checking for app folder existence using
instance name (e.g., "pix") instead of the actual app name
(e.g., "bazi_calculator"). Now properly resolves app from UCI config.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Simple tool to sync LuCI resources, views, RPCD handlers, ACLs and
menus from master node to all mesh peers. No IPK rebuild required.
Usage: mesh-sync-packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash doesn't support 'local' keyword outside functions.
This was causing health_check RPC to hang with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed P2PAPI.discoverPeers() to P2PAPI.discover() to match the
actual method exposed by the API module.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename from admin/secubox/mirrorbox to admin/services/secubox-p2p
for consistent URL structure with other service apps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add fdisk, resize2fs, partx-utils to ASU package list
- Enables partition expansion on first boot for fresh installs
- Addresses kernel limitation with online ext4 resize
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix build button being unclickable by properly handling disabled attribute
(only set when isBuilding is true, not undefined/false)
- Fix SSH host key mismatch errors in do_scp by cleaning stale known_hosts
entries from all possible locations (/root/.ssh, /.ssh, /overlay/upper/.ssh)
before transfers - prevents failures after device reflash
- Add cursor:pointer style to build button for better UX
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add remote device management: scan_network, list_remotes, add_remote,
remove_remote, remote_status, remote_upload, remote_flash RPCD methods
- Add secubox-asu-clone script for on-the-fly firmware generation via
OpenWrt ASU (Attended Sysupgrade) API
- Include full LuCI packages in ASU builds (luci-base, luci-mod-admin-full,
luci-mod-network, luci-mod-status, luci-mod-system, etc.)
- Add partition expansion script (10-expand-rootfs) to use full SD card/eMMC
with proper UUID and boot config handling for both MBR and GPT
- Add robust provisioning script (99-secubox-provision) with network retry,
firewall handling, and SecuBox package installation from local feed
- Use dropbear's dbclient for SSH operations (OpenWrt native)
- Support mochabin, espressobin-v7, espressobin-ultra, x86-64 devices
- Default to OpenWrt version 24.10.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Four Pillars of Destiny (八字) calculator with French translations
- Dark theme styling: rgba backgrounds, light text colors
- Maître du Jour section with high contrast green accents
- Five Elements balance visualization
- Ten Gods relationships and yearly analysis
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 通書 Tong Shu almanac with Wu Yun Liu Qi calculations
- Dark theme compatible styling with transparent backgrounds
- French translations for zodiac animals and Chinese terms
- Uses st.html() for proper HTML rendering in Streamlit 1.33+
- Includes: Four Pillars, Day Quality, Clash/Directions, Activities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove old secubox-theme and secubox-portal/header dependencies
- Remove external dashboard.css stylesheet
- Replace ndpid/api with direct RPC declarations
- Use KISS classes (kiss-card, kiss-stat, kiss-table, kiss-badge, kiss-btn)
- Add consistent navigation tabs
- Add poll toggle for auto-refresh control
- Use CSS variables (--kiss-blue, --kiss-green, --kiss-muted, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove external CSS loading (dashboard.css)
- Convert impact cards to KISS grid with CSS variables
- Update proxy settings cards (AdGuard, CDN Cache, WPAD) to KISS styling
- Convert components grid and cards to KISS theme
- Update sync section and component details modal
- Use KissTheme.E() throughout with consistent styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- dashboard.js: KISS stats grid, source chips, type cards, recent devices table
- devices.js: KISS filter bar, device table with inline actions, edit/detail modals
- emulators.js: KISS emulator cards with status badges, mini tables
- mesh.js: KISS peer cards grid, remote devices table
Removes external CSS loading (cssLink pattern) and di-* class prefixes.
Uses KissTheme.E(), kiss-* classes, and CSS variables throughout.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Overview dashboard to use KissTheme:
- Removed external dashboard.css loading
- Replaced all hp- classes with kiss- classes
- Emergency banner with service status and controls
- Stats grid with vhosts, backends, certs counts
- System health grid with container/haproxy/config status
- Virtual hosts table preview
- Backends and certificates cards
- Quick actions grid (start/stop/reload/validate/regenerate/stats)
- Connection details with endpoints
- KISS toast notifications
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Statistics dashboard to use KissTheme:
- Removed CSS import via style element
- Replaced all hp- classes with kiss- classes
- Stats iframe with KISS-styled border
- Logs viewer with line count selector and refresh button
- Empty state for disabled stats or stopped service
- Consistent styling with vhosts.js and backends.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Backends dashboard to use KissTheme:
- Removed external dashboard.css dependency
- Replaced all hp- classes with kiss- classes and inline styles
- Self-contained inline CSS using KISS variables
- Backend cards with server lists, health check info
- Add backend form with mode, balance, health check options
- Add/edit server modals with quick service selector
- Delete confirmations and toast notifications
- Consistent styling with vhosts.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed LXC container status detection from lxc-ls to lxc-info:
- lxc-info -n mitmproxy -s provides direct state query
- More reliable than parsing lxc-ls --running output
- Fixed container name from secbx-mitmproxy to mitmproxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Virtual Hosts dashboard to use KissTheme:
- Self-contained inline CSS using KISS variables
- Removed external dashboard.css dependency
- Add vhost form with domain/backend/SSL inputs
- Vhosts table with status badges and actions
- Edit modal and delete confirmation dialogs
- Toast notifications for user feedback
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy evaluates ACL rules in order - first match wins. Wildcard
suffix rules (*.gk2.secubox.in) were catching all subdomains before
specific vhost rules could match.
Fix: Split vhost ACL generation into two passes:
1. First: exact and regex matches (specific domains)
2. Second: suffix matches (wildcards)
This ensures wanted.gk2.secubox.in matches before *.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
AI Insights Dashboard:
- Rewrite CSS with KISS cyberpunk theme (dark bg, neon accents, glowing effects)
- Fix CVE feed RPCD for OpenWrt/BusyBox compatibility (date format, JSON building)
- Add wget fallback for CVE fetch
Tor Shield:
- Add excluded_domains support for bypassing Tor routing
- Resolve domains via nslookup and add to iptables RETURN rules
- Default exclusions: openwrt.org, downloads.openwrt.org, services.nvd.nist.gov
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_cve_feed RPCD method fetching from NVD API
- Add CVE feed panel showing recent vulnerabilities with CVSS scores
- Cache CVE feed for 30 minutes to reduce API calls
- Link CVE IDs to NVD detail pages
- Color-code severity (critical/high/medium/low)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
