- Conduit Matrix homeserver in LXC container
- Element Web client via uhttpd on port 8088
- HAProxy integration with SSL certificates
- Routes added to central secubox-route registry
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document the new secubox-route centralized WAF route management system
added in the previous commit.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implements Meshname DNS for Yggdrasil mesh networks with gossip-based
service discovery and dnsmasq integration.
New packages:
- secubox-app-meshname-dns: Core service with meshnamectl CLI
- luci-app-meshname-dns: LuCI dashboard for service management
Features:
- Services announce .ygg domains via gossip protocol (meshname_announce)
- dnsmasq integration via /tmp/hosts/meshname dynamic hosts file
- Cross-node resolution through gossip message propagation
- RPCD handler with 8 methods for LuCI integration
CLI commands: announce, revoke, resolve, list, sync, status, daemon
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox_analytics.py: Add 'strict' as alias for 'aggressive' in autoban
- Fix waf_bypass false positives on LuCI static resources
- Root cause: different analytics versions across mitmproxy instances
- Update HISTORY.md with OpenClaw Gemini fix and WAF tuning
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy haproxy_router.py:
- Return 404 instead of routing to LuCI (8081) for missing routes
- Block any routes that point to port 8081
- Add "WAF Says NO" themed 404 page with multi-layer WAF visual
HAProxy (deployed on router):
- Configure end_of_internet backend with custom errorfiles
- Add "End of Internet" themed error pages for 5xx errors
- Patched haproxyctl to include errorfile directives
New package: secubox-app-openclaw
- Personal AI assistant integration for SecuBox
- Supports Anthropic Claude, OpenAI, and Ollama providers
- Chat integrations (Telegram, Discord, Slack)
- Email/calendar automation support
- CLI tool: openclawctl
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
form.Map.render() returns a Promise, not a DOM element. Passing it
directly to KissTheme.wrap() caused "does not implement interface Node"
errors. Fixed by awaiting the Promise with .then() before wrapping.
Affected views:
- metablogizer/settings.js
- localai/settings.js
- domoticz/overview.js
- simplex/overview.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- MIME type fix for static assets
- 403 fix for /apps/ routes
- Signaling endpoint URL correction
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- luci.mailserver: Detect LXC containers for webmail status (not just Docker)
- docs: Add nginx static file fix and webmail detection to HISTORY/WIP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Deployed Yggdrasil on master (aarch64) and clone (x86_64)
- Connected to 2 public peers + LAN multicast auto-discovery
- Bidirectional ping6 and SSH over Yggdrasil working
- Fixed firewall zones: device="ygg0" required for nftables
- IPv6: master 201:e4d4:..., clone 201:a9d8:...
- Marks v1.1+ Yggdrasil overlay as complete
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix auth for Streamlit container (no ubus access)
- Use HTTP JSON-RPC to /ubus endpoint for authentication
- Add ALERTE.DEPOT app source to repo
- Update HISTORY.md with VoIP and auth fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Gitea as a service option in SecuBox Users UI
- Add Gitea checkbox in Add User modal
- Add Gitea service badge in status display
- Implement password sync to Gitea via API on password change
- Fix Gitea API call to include login_name parameter
- Add gitea to check_service() and get_status()
- Sync passwords to all enabled services (email, jabber, nextcloud, gitea)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto-republish to method_upload_file (was only in upload_finalize)
- Add Gitea push to cmd_publish when gitea.enabled=1
- Use haproxyctl reload instead of init.d (container-aware)
- Uploaded content now triggers full republish flow for emancipated sites
This fixes the issue where uploading new HTML content didn't update
the live site because republish wasn't triggered.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto Gitea push on emancipate and app rename
- Route emancipated instances through mitmproxy_inspector (WAF) by default
- Add mitmproxy route entries for domains
- Enhanced rename_app to actually rename folders/files
- Enhanced rename_instance to update HAProxy vhost and mitmproxy routes
- Display WAF badge in dashboard for exposed instances
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lxc_start_bg() and lxc_reload() functions for container management
- Replace all /etc/init.d/haproxy calls with container-aware functions
- Fix haproxy-sync-certs to use haproxyctl reload
- Host HAProxy init script disabled, container is sole handler
Resolves intermittent 404 errors caused by dual HAProxy instances.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --version and --profile CLI options to secubox-cloner build command
- Add versions command to list available OpenWrt releases (24.10.5, 24.10.0, 23.05.5, 23.05.4)
- Add package profiles: slim (minimal), core (mesh essentials), full (clone current device)
- Add list_versions and list_build_profiles RPCD methods for LuCI
- Update build_image RPCD to accept version and profile parameters
- Update ACL permissions for new read methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Factory tab to Cloning Station with:
- Discovery Mode toggle (enable/disable zero-touch provisioning)
- Pending Devices list with approve/reject and profile assignment
- Bulk Token Generator (1-50 tokens with profile selection)
- Hardware Inventory table (MAC, Model, CPU, RAM, Storage)
Implementation:
- 8 RPC declarations for factory methods
- 5 state properties for factory data
- 5 render functions, 6 event handlers
- Factory data polling in 5-second refresh cycle when on tab
- KISS theme UI components throughout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes Roundcube IMAP "Internal error occurred" caused by Dovecot
running mail processes as uid 102 (Alpine default) instead of the
actual vmail user uid 5000.
Changes:
- configure_postfix: virtual_uid_maps/gid_maps 102/105 → 5000/5000
- configure_dovecot: mail_uid/gid, first_valid_uid, userdb args
- cmd_add_user: passwd file entries and ownership
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add inventory.sh for hardware inventory collection (MAC, serial, model, CPU, RAM, storage)
- Add profiles.sh for profile management and device matching
- Add default.json profile template for auto-provisioned peers
- Add discovery mode to master-link.sh with pending queue and approval workflow
- Add bulk token generation (up to 100 tokens per batch)
- Enhance 50-secubox-clone-provision with inventory collection and discovery join
- Add 9 new RPCD methods to luci.cloner for factory provisioning
- Fix p2p-mesh.sh to be silent when sourced as library
- Add UCI options: discovery_mode, auto_approve_known, discovery_window, default_profile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
P2P Mesh Intelligence implementation:
- Add ZKP trust bonus (+20) for verified peers in IOC validation
- Create blockchain.sh for permanent threat_ioc and ioc_feedback blocks
- Create feedback.sh for IOC effectiveness tracking and reputation updates
- Enhance gossip.sh IOC handler with ZKP-validated trust checks
- Add SCORE_IOC_EFFECTIVE (+5) and SCORE_IOC_FALSE_POSITIVE (-8) to reputation
- Add zkp_trust_bonus and feedback config options
fix(mailserver): Correct vmail UID from 102 to 5000
Dovecot was using wrong UID (102/redis instead of 5000/vmail) causing
permission denied errors when accessing mailboxes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added entry #45 documenting the fix for 404 errors after MetaBlogizer
site upload/publish caused by missing original_backend field in HAProxy
vhost configs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upload workflow now works without needing to unpublish/expose again.
The reload_haproxy() function now calls mitmproxyctl sync-routes to
ensure mitmproxy picks up new routes immediately after vhost creation.
Root cause: Upload created HAProxy vhost and mitmproxy route file entry,
but mitmproxy never received a reload signal to activate the route.
Running emancipate fixed it because it called mitmproxyctl sync-routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: reload_haproxy() now copies config to /etc/haproxy.cfg
- haproxyctl: generate_config() syncs to /etc/haproxy.cfg after generation
- Fixes issue where newly uploaded sites return 404 because HAProxy
reads config from /etc/haproxy.cfg but config was only generated to
/srv/haproxy/config/haproxy.cfg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add convert_to_qcow2() function using qemu-img
- Add QCOW2_FILE output path variable
- Create proxmox-import.sh helper script for easy VM import
- Update distribution package to include QCOW2 and Proxmox script
- Add Proxmox VE instructions to README
- Update usage help with QCOW2 output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Multi-view portal with grid/list/compact modes
- Automatic site categorization (Intelligence, Dev, Finance, etc.)
- Iframe thumbnail previews of real site content
- Tag cloud and category tabs with emoji indicators
- Instant search by domain/name/category
- Auto-refresh via cron every 5 minutes
- Created explicit vhosts for 54 MetaBlogizer sites
- Fixed wildcard routing priority
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both create_site_from_upload and upload_and_create_site were missing
HAProxy vhost creation step (step 8 from create_site method).
Changes:
- Add vhost creation with backend=mitmproxy_inspector for WAF routing
- Add mitmproxy route to /srv/mitmproxy-in/haproxy-routes.json
- Apply same fix to original create_site method for consistency
This ensures all MetaBlogizer uploaded sites are immediately accessible
via HTTPS and all traffic passes through WAF inspection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add create_site_from_upload RPC method for chunked site creation
- Modify JS api to auto-chunk files >40KB (ubus message size limit)
- Upload chunks sequentially via upload_chunk, then finalize with
create_site_from_upload
- Add no_cache vhost option to haproxyctl for cache-control headers
- Fix large file upload failures caused by shell argument size limits
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New peertube-import script for importing from YouTube, Vimeo, 1000+ sites
- CGI endpoints for portal integration (peertube-import, peertube-import-status)
- Portal UI: Video Import card with progress tracking
- Multi-language subtitle download and PeerTube caption upload
- Fixed stdout/stderr separation for reliable function returns
- UCI config: uses peertube.admin.username/password
- Package version bumped to 1.2.0
- Added README.md with full documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- luci-app-webradio: Web radio management with Lyrion bridge tab
- luci-app-turn: TURN/STUN server UI for WebRTC (Jitsi integration)
- secubox-app-lyrion-bridge: Lyrion → Squeezelite → FFmpeg → Icecast pipeline
- secubox-app-squeezelite: Squeezelite audio player with FIFO output
- secubox-app-turn: TURN server with ACME SSL and Jitsi setup
- secubox-app-webradio: Icecast/ezstream web radio server
Features:
- HTTPS streaming via HAProxy (stream.gk2.secubox.in)
- Lyrion Music Server bridge for streaming playlists to Icecast
- TURN server with time-limited credential generation
- CrowdSec integration for WebRadio security
- Schedule-based radio programming with jingles
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
