- Update _emancipate_haproxy() to use mitmproxy_inspector backend
- Add mitmproxy route entries for domain -> streamlit port
- Aligns CLI behavior with RPCD emancipate_instance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto Gitea push on emancipate and app rename
- Route emancipated instances through mitmproxy_inspector (WAF) by default
- Add mitmproxy route entries for domains
- Enhanced rename_app to actually rename folders/files
- Enhanced rename_instance to update HAProxy vhost and mitmproxy routes
- Display WAF badge in dashboard for exposed instances
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lxc_start_bg() and lxc_reload() functions for container management
- Replace all /etc/init.d/haproxy calls with container-aware functions
- Fix haproxy-sync-certs to use haproxyctl reload
- Host HAProxy init script disabled, container is sole handler
Resolves intermittent 404 errors caused by dual HAProxy instances.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --version and --profile CLI options to secubox-cloner build command
- Add versions command to list available OpenWrt releases (24.10.5, 24.10.0, 23.05.5, 23.05.4)
- Add package profiles: slim (minimal), core (mesh essentials), full (clone current device)
- Add list_versions and list_build_profiles RPCD methods for LuCI
- Update build_image RPCD to accept version and profile parameters
- Update ACL permissions for new read methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replaces unreliable nohup-based remote flash with staged approach:
1. remote_prepare_flash: Upload image + store options
2. remote_confirm_flash: Execute sysupgrade directly
3. remote_flash_status: Check flash state
4. remote_cancel_flash: Abort pending flash
Key fixes:
- Use /tmp for firmware (large tmpfs vs small rootfs)
- Direct sysupgrade execution (no nohup, works on OpenWrt)
- Proper dbclient SSH without unavailable commands
- Background job with & instead of nohup
Tested: x86_64 VM successfully flashed from 24.10.5 to 24.10.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Factory tab to Cloning Station with:
- Discovery Mode toggle (enable/disable zero-touch provisioning)
- Pending Devices list with approve/reject and profile assignment
- Bulk Token Generator (1-50 tokens with profile selection)
- Hardware Inventory table (MAC, Model, CPU, RAM, Storage)
Implementation:
- 8 RPC declarations for factory methods
- 5 state properties for factory data
- 5 render functions, 6 event handlers
- Factory data polling in 5-second refresh cycle when on tab
- KISS theme UI components throughout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes Roundcube IMAP "Internal error occurred" caused by Dovecot
running mail processes as uid 102 (Alpine default) instead of the
actual vmail user uid 5000.
Changes:
- configure_postfix: virtual_uid_maps/gid_maps 102/105 → 5000/5000
- configure_dovecot: mail_uid/gid, first_valid_uid, userdb args
- cmd_add_user: passwd file entries and ownership
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add inventory.sh for hardware inventory collection (MAC, serial, model, CPU, RAM, storage)
- Add profiles.sh for profile management and device matching
- Add default.json profile template for auto-provisioned peers
- Add discovery mode to master-link.sh with pending queue and approval workflow
- Add bulk token generation (up to 100 tokens per batch)
- Enhance 50-secubox-clone-provision with inventory collection and discovery join
- Add 9 new RPCD methods to luci.cloner for factory provisioning
- Fix p2p-mesh.sh to be silent when sourced as library
- Add UCI options: discovery_mode, auto_approve_known, discovery_window, default_profile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
P2P Mesh Intelligence implementation:
- Add ZKP trust bonus (+20) for verified peers in IOC validation
- Create blockchain.sh for permanent threat_ioc and ioc_feedback blocks
- Create feedback.sh for IOC effectiveness tracking and reputation updates
- Enhance gossip.sh IOC handler with ZKP-validated trust checks
- Add SCORE_IOC_EFFECTIVE (+5) and SCORE_IOC_FALSE_POSITIVE (-8) to reputation
- Add zkp_trust_bonus and feedback config options
fix(mailserver): Correct vmail UID from 102 to 5000
Dovecot was using wrong UID (102/redis instead of 5000/vmail) causing
permission denied errors when accessing mailboxes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed _check_interval from 10 to 1 to ensure new routes are picked up
immediately when the haproxy-routes.json file is updated.
This fixes the quick publish flow where new sites weren't accessible
immediately because mitmproxy only checked for route changes every
10 requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When MetaBlogizer creates HAProxy vhosts, it routes through mitmproxy_inspector
for WAF inspection. However, mitmproxyctl sync-routes needs the original_backend
field to determine where to forward traffic after WAF inspection.
Without original_backend, sites would return 404 after upload because mitmproxy
had no route to forward traffic to the actual backend.
This fix adds original_backend=$backend_name to all 3 vhost creation locations:
- method_create_site (line 491)
- method_emancipate_site (line 1210)
- method_upload_and_create_site (line 2001)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upload workflow now works without needing to unpublish/expose again.
The reload_haproxy() function now calls mitmproxyctl sync-routes to
ensure mitmproxy picks up new routes immediately after vhost creation.
Root cause: Upload created HAProxy vhost and mitmproxy route file entry,
but mitmproxy never received a reload signal to activate the route.
Running emancipate fixed it because it called mitmproxyctl sync-routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: reload_haproxy() now copies config to /etc/haproxy.cfg
- haproxyctl: generate_config() syncs to /etc/haproxy.cfg after generation
- Fixes issue where newly uploaded sites return 404 because HAProxy
reads config from /etc/haproxy.cfg but config was only generated to
/srv/haproxy/config/haproxy.cfg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy runs on the host, not in an LXC container. The LED pulse
script was incorrectly checking `lxc-attach -n haproxy -- pgrep haproxy`
which always failed, causing constant SPUNK ALERT red LED flashing.
Changed to check host process directly with `pgrep haproxy`.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move kiss-theme.js from luci-app-secubox-portal to theme package
- Bump theme version to 0.4.8
- Prevents file conflict between packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add convert_to_qcow2() function using qemu-img
- Add QCOW2_FILE output path variable
- Create proxmox-import.sh helper script for easy VM import
- Update distribution package to include QCOW2 and Proxmox script
- Add Proxmox VE instructions to README
- Update usage help with QCOW2 output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add extra_media_paths UCI option for additional bind mounts
- Supports both simple paths (/mnt/usb) and mapped paths (host:container)
- Automatically skips non-existent paths with info message
Example UCI config:
option extra_media_paths '/mnt/sdb1:/mnt/usb /mnt/nas:/mnt/nas'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove cgroup:mixed from mount.auto (incompatible with cgroup v2)
- Add lxc.net.0.type = none for proper host network sharing
- Add lxc.seccomp.profile = and lxc.autodev = 1 for cgroup v2
Fixes container startup failure with "Failed to mount /sys/fs/cgroup"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash's read command collapses consecutive tab delimiters,
causing the protected field to end up in the wrong variable.
Fix: Use "-" as placeholder for empty fields, then strip it when reading.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lock badge CSS for protected site cards
- Add login banner for unauthenticated users
- Detect auth_required flag from metablogizer UCI config
- Hide protected cards until sessionStorage token present
- Filter respects authentication state in search and category views
Works with secubox-core portal-auth system.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sites on *.gk2.secubox.in were failing because HAProxy couldn't match
the SNI to the correct certificate. New add_haproxy_cert() helper:
- Extracts base domain from subdomain
- Creates UCI cert entry mapping domain to wildcard cert file
- Applied to all vhost creation paths (create, upload, republish)
Sites now work immediately after one-click deploy without manual
certificate configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace fragile sed-based JSON manipulation with Python for adding
mitmproxy routes. The new add_mitmproxy_route() helper function:
- Updates both /srv/mitmproxy/ and /srv/mitmproxy-in/ routes files
- Uses proper JSON parsing instead of string substitution
- Ensures sites are immediately accessible after one-click deploy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When editing a site and changing its domain, automatically:
- Remove the old HAProxy vhost for the previous domain
- Create a new vhost for the new domain with priority=50
- Regenerate and reload HAProxy configuration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add inline Edit button for each site in the dashboard allowing users
to modify site name, domain, description, and enabled status directly
from the overview page without navigating to settings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package secubox-app-talk-hpb:
- Docker-based signaling server and Janus WebRTC gateway
- Auto-generates TURN/SIGNALING/INTERNAL secrets
- Creates HAProxy vhost with SSL/ACME
- STUN/TURN server with UDP+TCP support
- CLI tool: talk-hpbctl setup/status/test/logs
Hub generator v5:
- Add PeerTube videos with thumbnails and duration badges
- Fix Streamlit instance detection (=instance vs =app)
- Total count now: sites + streamlit + videos
MetaBlogizer fix:
- Add priority=50 to new vhosts to prevent wildcard catch
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Multi-view portal with grid/list/compact modes
- Automatic site categorization (Intelligence, Dev, Finance, etc.)
- Iframe thumbnail previews of real site content
- Tag cloud and category tabs with emoji indicators
- Instant search by domain/name/category
- Auto-refresh via cron every 5 minutes
- Created explicit vhosts for 54 MetaBlogizer sites
- Fixed wildcard routing priority
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both create_site_from_upload and upload_and_create_site were missing
HAProxy vhost creation step (step 8 from create_site method).
Changes:
- Add vhost creation with backend=mitmproxy_inspector for WAF routing
- Add mitmproxy route to /srv/mitmproxy-in/haproxy-routes.json
- Apply same fix to original create_site method for consistency
This ensures all MetaBlogizer uploaded sites are immediately accessible
via HTTPS and all traffic passes through WAF inspection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add create_site_from_upload RPC method for chunked site creation
- Modify JS api to auto-chunk files >40KB (ubus message size limit)
- Upload chunks sequentially via upload_chunk, then finalize with
create_site_from_upload
- Add no_cache vhost option to haproxyctl for cache-control headers
- Fix large file upload failures caused by shell argument size limits
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed glob pattern from ${slug}*.vtt to *.vtt to catch all subtitle files
- Fixed language extraction regex to work with any filename format
- Redirected yt-dlp subtitle output to stderr
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New peertube-import script for importing from YouTube, Vimeo, 1000+ sites
- CGI endpoints for portal integration (peertube-import, peertube-import-status)
- Portal UI: Video Import card with progress tracking
- Multi-language subtitle download and PeerTube caption upload
- Fixed stdout/stderr separation for reliable function returns
- UCI config: uses peertube.admin.username/password
- Package version bumped to 1.2.0
- Added README.md with full documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
PeerTube videos don't include the automatic_captions field in their
yt-dlp JSON output. The jq filter was attempting (.automatic_captions | keys)
which fails with "null (null) has no keys" when the field is missing.
Fixed by adding null-coalescing: ((.automatic_captions // {}) | keys)
Also applied same fix to subtitles field for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New CLI: peertube-analyse
- Extract video metadata via yt-dlp
- Download existing PeerTube subtitles (VTT)
- Fallback to Whisper local transcription (medium model)
- Claude AI analysis with structured intelligence report
Features:
- POSIX-compatible (OpenWrt, Alpine, Debian)
- Modular pipeline with graceful degradation
- Colored terminal output with status indicators
- Configurable Whisper model and language
- Truncation for large transcripts (12k chars)
CLI flags:
--url <url> Video URL
--no-whisper Subtitles only
--force-whisper Force transcription
--no-analyse Skip Claude analysis
--model <name> Whisper model
--lang <code> Language code
Output structure:
./output/<slug>/
├── <slug>.meta.json
├── <slug>.transcript.txt
└── <slug>.analyse.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- luci-app-webradio: Web radio management with Lyrion bridge tab
- luci-app-turn: TURN/STUN server UI for WebRTC (Jitsi integration)
- secubox-app-lyrion-bridge: Lyrion → Squeezelite → FFmpeg → Icecast pipeline
- secubox-app-squeezelite: Squeezelite audio player with FIFO output
- secubox-app-turn: TURN server with ACME SSL and Jitsi setup
- secubox-app-webradio: Icecast/ezstream web radio server
Features:
- HTTPS streaming via HAProxy (stream.gk2.secubox.in)
- Lyrion Music Server bridge for streaming playlists to Icecast
- TURN server with time-limited credential generation
- CrowdSec integration for WebRadio security
- Schedule-based radio programming with jingles
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use SecuBox blue cyberpunk theme (matching login.html)
- Check secubox_token for authentication, redirect to login.html if missing
- Add Guacamole to administration services
- Consistent styling across all portal pages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add login.html with RPCD authentication via luci.secubox-users
- Add reset.html for token-based password recovery
- Both pages use SecuBox cyberpunk dark theme
- Default password: Secubox@2026
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
