- Run Lyrion as nobody (uid 65534) via LXC init.uid/gid settings
- Use cgroup2 memory limit format (lxc.cgroup2.memory.max)
- Convert memory limit string (1G, 256M) to bytes for cgroup2
- Skip opkg install if LXC binaries already exist
- Set proper file ownership during rootfs creation
- Remove su command from start.sh (handled by LXC config)
Fixes the container crash loop caused by Lyrion refusing to run as root.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Tor Shield:
- Store current_preset in UCI when enabling with preset
- Return current_preset in status response
- Initialize currentPreset from stored UCI value on page load
Security Threats:
- Fix get_security_stats() firewall packet counting
- Use correct nftables chain names (input_wan, handle_reject)
- Fix grep -c exit code issue (returns 1 when no matches)
- Improve numeric validation (use tr -cd to strip non-digits)
- Add fallbacks for HAProxy socket paths
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- refresh_ips now fetches reverse DNS for exit IP
- Status includes exit_hostname from cache
- Dashboard displays hostname below exit IP
- get_exit_ip also returns hostname
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The expect: { success: false } was causing LuCI RPC to return false
instead of the actual response. Changed all expect declarations to
empty objects to get raw API responses.
Also improved error messages to show actual response for debugging.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Clicking a preset card now enables/restarts Tor with that preset
- Previously it only selected the preset for next toggle
- Added better error handling for toggle and preset changes
- Page reloads after successful preset change
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The toggle handler was receiving status captured at render time which
could be stale due to polling. Now fetches fresh status before deciding
to enable or disable, and does a full page reload after action.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The cumulative impact summary was showing zeros because it only checked
the plugins catalog. Now also counts:
- HAProxy vhosts directly from UCI
- Running LXC containers
- Running Docker containers
- Firewall WAN ACCEPT rules with ports
- DNSmasq entries
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix disabled buttons in Network Tweaks using conditional rendering
- Change AdGuard Home ports to avoid conflicts (web: 3003, dns: 5353)
- Add DNS & Proxy link from Tor Shield to Network Tweaks
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add always-visible toggle switch at top of dashboard
- Clear visual indication: green when protected, red when exposed
- Shows protection status text and toggle switch
- Easier one-click enable/disable of Tor protection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add AdGuard Home status card with enable/disable and Open UI button
- Add setAdGuardEnabled RPCD method for Docker container control
- Rename section to "DNS & Proxy Services"
- Responsive grid layout for 3 service cards
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CDN cache status card with enable/disable and restart buttons
- Add WPAD auto-proxy card with enable/disable toggle
- Add getProxyStatus, getWpadStatus, setWpadEnabled RPCD methods
- Move menu to Services section
- Update ACL for CDN cache and WPAD control
Also fixes:
- security-threats: Fix HAProxy socket path for connection stats
- tor-shield: Add missing ACL methods for excluded destinations
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_excluded_destinations() method to list bypassed destinations
- Add add_excluded_destination() to exclude IPs/CIDRs/domains from Tor
- Add remove_excluded_destination() to remove exclusions
- Add apply_exclusions() to restart tor-shield with new rules
- Domain resolution attempts to get IP for iptables compatibility
- Existing private network CIDRs (192.168/10/172.16/127) are default excluded
Also includes metablogizer fixes:
- reload_haproxy() helper function
- Server address uses 127.0.0.1 for uhttpd backends
- fix_permissions() on file uploads
PKG_RELEASE: tor-shield=3, metablogizer=3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add reload_haproxy() helper function for consistent reloads
- Use 127.0.0.1 for uhttpd backend address instead of 192.168.255.1
- Call fix_permissions() on upload_file to ensure correct file access
- Update delete_site to use reload_haproxy helper
- Bump PKG_RELEASE to 3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BREAKING: Default policy changed from quarantine to open
- Disabled by default (was enabled)
- Default policy: open (was quarantine - blocked new devices!)
- Auto-zoning: disabled by default
- Auto-parking zone: lan_private (was guest)
- Night block schedule: disabled by default
- Threat auto-ban: disabled by default
Safety mechanisms added:
- MAX_BLOCKED_DEVICES limit (10) prevents mass blocking
- check_safety_limit() function validates before blocking
- clear_all_cg_rules() emergency function via RPCD
- safety_status RPCD method to check current state
UI improvements:
- Added warnings for restrictive policies
- Reordered options (safe options first)
- Clearer descriptions of consequences
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Move 9 service apps from admin/secubox/services/ to admin/services/:
- localai, lyrion, magicmirror2, mailinabox, mmpm
- nextcloud, ollama, vhost-manager, mitmproxy
Services now appear under standard LuCI Services menu for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix LAPI status check to dynamically read port from config
- Previously hardcoded wrong port (8080 vs 8180)
- Add comprehensive SecuBox feed documentation to README
- Document opkg configuration, HAProxy publishing, troubleshooting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_network_info RPCD method:
- Public IPv4/IPv6 detection via external services
- Reverse DNS hostname lookup
- External port accessibility test (upstream router/ISP check)
- Enhance check_service_health:
- Compare DNS resolution against actual public IP
- Detect private IP misconfiguration (192.168.x.x pointing)
- Test external port reachability
- Add Network Connectivity panel to dashboard:
- Shows public IPs with hostnames
- External port 80/443 accessibility status
- Local firewall and HAProxy status
- Improve URL Readiness Checker:
- Display public IP info
- Show specific recommendations with IP addresses
- Detect and explain DNS pointing to private IP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document all features including:
- Health monitoring and URL readiness checker
- Service publishing workflow
- Health check API usage
- Troubleshooting guide for common issues
- UCI configuration reference
- RPCD methods reference
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add health check RPCD methods:
- check_service_health: Check DNS, cert, firewall for single domain
- check_all_health: Batch check all published services
- Add URL Readiness Checker wizard card to dashboard:
- Check if domain DNS resolves correctly
- Verify firewall ports 80/443 are open
- Check SSL certificate status
- Show actionable recommendations
- Display inline health status badges on service rows:
- DNS resolution status (ok/failed)
- Certificate expiry (ok/warning/critical/expired)
- Add health summary bar showing overall system status
- Add per-service health check button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Automatically creates firewall rules for HAProxy when:
- Requesting a certificate (haproxyctl cert add)
- Publishing a service with a domain (service-registry)
Added firewall rules:
- HAProxy-HTTP: Allow port 80 from WAN (ACME challenges)
- HAProxy-HTTPS: Allow port 443 from WAN (HTTPS traffic)
Rules are only created if they don't exist, preventing duplicates.
Firewall reloads automatically after rule creation.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Certificate issuance now uses webroot mode instead of standalone:
- HAProxy routes /.well-known/acme-challenge/ to local ACME webserver
- Added acme_challenge backend on port 8402
- Uses busybox httpd to serve challenge files
- No HAProxy restart required during certificate requests
- Config auto-regenerates before cert request to ensure ACME backend
This eliminates downtime during certificate issuance and allows
multiple concurrent certificate requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy Certificates:
- Add async certificate request API (start_cert_request, get_cert_task)
- Non-blocking ACME requests with background processing
- Real-time progress tracking with phases (starting → validating → requesting → verifying → complete)
- Add staging vs production mode toggle for ACME
- New modern UI with visual progress indicators
- Task persistence and polling support
Service Registry:
- Fix QR codes using api.qrserver.com (Google Charts deprecated)
- Fix form prefill with proper _new section selectors
- Add change event dispatch for LuCI form bindings
- Update landing page generator with working QR API
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove expect clause from RPC declarations to get raw response
- Add proper error handling with catch blocks for all RPC calls
- Fix landing page generator to chmod 644 after generation
- Fixes "No Services Found" issue in dashboard
- Fixes "Forbidden" error when accessing landing page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Implement Service Registry LuCI app for unified service management:
- RPCD backend aggregating services from HAProxy, Tor, netstat, LXC
- One-click publish to clearnet (HAProxy+ACME) and/or Tor hidden service
- Static landing page generator with QR codes for all URLs
- LuCI dashboard with service grid, quick publish form
- CLI tool (secubox-registry) for command-line management
- Share buttons for X, Telegram, WhatsApp
RPCD methods: list_services, publish_service, unpublish_service,
generate_landing_page, get_qr_data, list_categories
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix tor-shield/api.js: Use baseclass.extend() pattern correctly
- Fix tor-shield ACL: Add missing 'restart' write permission
- Fix secubox-app-tor: Disable conflicting default tor init in postinst
- Move metablogizer menu from secubox/services to admin/services
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC declaration with `expect: { sites: [] }` extracts the array
directly, so data[1] IS the sites array, not an object with .sites property.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add /etc/config/metablogizer with default settings
- Update Makefile to install config as conffile
- Fixes 404 error when accessing MetaBlogizer in LuCI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- CrowdSec Dashboard: Add bouncer_count, geoip_enabled, acquisition_count,
scenario_count fields to get_overview and get_health_check RPCD functions
- MetaBlogizer: Fix menu path to admin/secubox/services/metablogizer
- Portal: Add MetaBlogizer and Gitea to apps registry for services section
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The dashboard was showing 0 decisions because `cscli decisions list`
only returns local decisions, not CAPI blocklist entries.
Fixed by:
- Parsing CAPI decision counts from `cscli metrics` output
- Added separate local_decisions and capi_decisions fields
- Updated overview to show "CAPI Blocklist" and "Local Bans" separately
- Fixed get_capi_metrics to use metrics parsing instead of decisions list
This correctly shows ~15,000 CAPI blocklist IPs instead of 0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change evt.Line contains -> evt.Line.Raw contains in parsers
(pipeline.Line type requires .Raw accessor for string operations)
- Remove invalid filter: field from acquisition configs
(filter belongs in parsers, not acquisition files)
Fixes CrowdSec v1.7.6 startup failures.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-metablogizer package replacing metabolizer with simplified
static site publishing:
- RPCD backend with create/delete/sync site methods
- Auto HAProxy vhost creation with SSL/ACME
- Nginx LXC container integration for serving static files
- Git sync from Gitea repositories
- QR code generation for published URLs
- Social share buttons (Twitter, LinkedIn, Facebook, Telegram, WhatsApp, Email)
- Drag-and-drop file upload UI
- SecuBox light theme styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Bump CrowdSec version from 1.7.4 to 1.7.6
- Add modernc.org/sqlite v1.34.2 vendor module (Go 1.21 compatible)
- Patch strings.SplitSeq in hubtest for Go 1.23 compatibility
- Add replace directive for sqlite to use vendored version
Built and tested: crowdsec_1.7.6-r1_aarch64_cortex-a72.ipk (80MB)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- README.md: Update to v0.16.0 with all 38 modules categorized
- CHANGELOG.md: Create comprehensive changelog (v0.12.0-v0.16.0)
- CLAUDE.md: Add toolchain build rules for Go/CGO packages
- secubox-tools/README.md: Add SDK vs toolchain build guidance
- TODO-ANALYSE.md: Mark completed tasks, update health score
- HISTORY.md: Document ARM64 toolchain discovery, multi-instance
- dev-status-widget.js: Update stats (38 modules, 1500 commits)
SDK builds produce LSE atomics that crash on some ARM64 CPUs.
Go/CGO packages (crowdsec, netifyd) must use full toolchain.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec:
- Change LAPI default port from 8080 to 8180 (avoid Docker conflict)
- Update bouncer config, init script, and RPCD dashboard
- Fix port detection hex value (1FF4 for 8180)
Streamlit:
- Complete rewrite with folder-based app structure
- Multi-instance support (multiple apps on different ports)
- Gitea integration (clone, pull, setup commands)
- Auto-install requirements.txt with hash-based caching
HexoJS:
- Multi-instance support with folder structure
- Multiple blog instances on different ports
HAProxy:
- Auto-generate fallback backends (luci, apps, default_luci)
- Add --server letsencrypt to ACME commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add publish_to_www RPCD method to publish static files to /www/blog
- Add Build & Publish card in sync.js with configurable publish path
- Add generate RPC call for building site
- Fix file permissions for all RPCD scripts and init.d scripts
- Bump luci-app-hexojs to 1.0.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit Instances:
- Add Publish button with HAProxy integration (uses instance port)
- Add Edit dialog for modifying instance settings
- Replace enable/disable buttons with checkbox
- Get LAN IP dynamically from status data
- Bump luci-app-streamlit to r8
HAProxy:
- Add haproxy-acme-cron script for background cert processing
- Cron runs every 5 minutes to issue pending ACME certificates
- Prevents UI blocking during certificate issuance
- Bump secubox-app-haproxy to r19
RPCD:
- Fix json_error to return consistent format with json_success
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix enabled/disabled select showing wrong value
- Normalize memory limit values (1G/2G/4G -> 1024M/2048M/4096M)
- Fix boolean value handling for headless and usage stats
- Use Object.assign for conditional selected attribute
- Bump to r6
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Instances tab to LuCI Streamlit dashboard
- RPCD backend: list/add/remove/enable/disable instances
- API module: instance management methods
- UI: Instance table with status, port, enable/disable/remove actions
- Add Instance form with app selector and auto port assignment
- Apply & Restart button to apply instance changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move nested functions outside parent functions (ash doesn't support local functions)
- Fix _build_instance_entry and _print_instance_json syntax
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add multi-instance mode: run multiple apps on different ports
- New UCI config structure with 'instance' sections
- Container starts multiple streamlit processes via STREAMLIT_INSTANCES env
- CLI commands: instance list/add/remove/enable/disable
- Each instance has its own port, requirements auto-install
- Backward compatible: single-app mode still works
- Bumped to 1.0.0-r4
Example config:
config instance 'dashboard'
option app 'dashboard.py'
option port '8502'
option enabled '1'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Auto-detect and install app-specific requirements on container start
- Supports: <app>.requirements.txt, <app>_requirements.txt, requirements.txt
- Uses hash-based caching to avoid reinstalling on each restart
- Bumped to 1.0.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes:
- HAProxy: Prevent duplicate server names when both inline and separate
server UCI sections exist for same backend
- Streamlit: Force --server.headless=true in start script (required for server)
- Dashboard: Optimize get_dashboard_data RPC call (6.56s → 0.09s) by using
fast catalog counting instead of slow appstore list command
- Exposure: Add themed dashboard with SecuBox styling
- ACL: Add missing RPCD permissions for various LuCI apps
Version bumps:
- luci-app-exposure: 1.0.0-r3
- secubox-core: 0.10.0-r5
- secubox-app-haproxy: 1.0.0-r18
- secubox-app-streamlit: 1.0.0-r2
- Portal: v0.15.51
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add cert_is_production() to detect Let's Encrypt staging certificates
- Add cert_validate_public() to verify certificate publicly via curl/openssl
- Add cert_info() to display certificate details (domain, issuer, dates)
- Add cmd_cert_verify command for on-demand certificate verification
- Update cmd_cert_list to show staging/production status with icons
- Update cmd_cert_add to warn about staging mode and verify after issuance
- Bump package release to r16
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace buttons with toggle switches for enabling/disabling exposures
- Show current exposure status with colored indicators
- Load and display Tor hidden services and SSL backends status
- Add stats cards for exposable services, Tor services, and SSL backends
- Modal dialogs for configuring exposure parameters on toggle
- Bump luci-app-exposure to 1.0.0-r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix HAProxy certificate key naming (.key -> .crt.key) for directory loading
- Add auto-fix in container startup script for existing certificates
- Add list_exposed_services RPC method to fetch services from secubox-exposure
- Add dynamic port scanning for running services discovery
- Add "Quick Select" dropdown in Add Server modal for service auto-fill
- Bump luci-app-haproxy to 1.0.0-r8
- Bump secubox-app-haproxy to 1.0.0-r15
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- HAProxy overview: Add prominent emergency banner showing service status
with quick health indicators (Container/HAProxy/Config) and one-click
Restart/Start/Stop buttons
- SecuBox dashboard: Add Critical Services Quick Restart section with
buttons for HAProxy, CrowdSec, Tor Shield, and Gitea
- Metabolizer config: Fix portal_path to /www/blog
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Exposure Manager:
- Fix RPCD subshell issues in status and ssl_list methods
- Fix JS views to handle both array and object API responses
MagicMirror2:
- Change default port from 8082 to 8085 (avoid CyberFeed conflict)
- Update mm2ctl, RPCD, settings.js, dashboard.js, config
Tor Shield:
- Add restart method to RPCD and API
- Add health status minicard (Service, Bootstrap, DNS, Kill Switch)
Portal:
- Add 'active-ports' section for detected services
- Separate portal apps (Services) from detected ports (Active Ports)
Service Detection:
- Prioritize port-based identification over process name
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD: Use temp file for scan to avoid pipe subshell issues
- api.js: Use baseclass.extend() for proper LuCI module pattern
- Menu: Remove UCI dependency that caused 404
- Makefile: Make haproxy/tor optional dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New features in this release:
- Service Exposure integration in network section
- Security stats on dashboard (WAN drops, firewall rejects, CrowdSec)
- Threat Monitor in security cards
- Fixed http:// URLs for local services
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New app entry for service-exposure in portal network apps:
- Port conflict management
- Tor hidden services
- HAProxy SSL backends
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New unified tool for service exposure management:
- Port conflict detection and resolution (scan, conflicts, fix-port)
- Dynamic Tor hidden service management (tor add/list/remove)
- HAProxy SSL reverse proxy configuration (ssl add/list/remove)
Commands:
secubox-exposure scan # List listening services
secubox-exposure conflicts # Detect port collisions
secubox-exposure tor add gitea # Create .onion for service
secubox-exposure ssl add svc domain # Add HAProxy SSL backend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Service detection now prioritizes process name matching over port-based
detection for more accurate identification of netifyd, streamlit,
cyberfeed, metabolizer, magicmirror, and picobrew services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Services in LXC/Docker containers don't have SSL certificates,
so always use http:// instead of inheriting the browser's protocol.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add threat-monitor app to security section in portal.js
- Add security stats RPC call (get_security_stats)
- Display packets blocked and alerts on dashboard
- Add Threat Monitor to featured quick access apps
- Show WAN dropped + firewall rejects in events section
- Link to Threat Monitor dashboard from events
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security Stats:
- Add get_security_stats RPCD method for quick overview
- Track WAN drops, firewall rejects, CrowdSec bans
- Add secubox-stats CLI tool for quick stats check
Gitea Mirror Commands:
- Add mirror-sync to trigger mirror repository sync
- Add mirror-list to show all mirrored repos
- Add mirror-create to create new mirrors from GitHub URLs
- Add repo-list to list all repositories
- Requires API token: uci set gitea.main.api_token=<token>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- haproxy: Add explicit restart_service function
- tor-shield: Add explicit restart_service function
- wireguard-dashboard/qrcode.js: Use baseclass.extend() pattern
to fix "factory yields invalid constructor" error
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy requires certificate files to contain both the fullchain
(cert + intermediate CA) and the private key concatenated together.
Changes:
- haproxyctl: Fix cert_add to create combined .pem files
- haproxy-sync-certs: New script to sync ACME certs to HAProxy format
- haproxy.sh: ACME deploy hook for HAProxy
- init.d: Sync certs before starting HAProxy
- Makefile: Install new scripts, add cron job for cert sync
This fixes the "No Private Key found" error when HAProxy tries to
load certificates that only contain the fullchain without the key.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC expect clause unwraps responses - when `expect: { peers: [] }`
is used, the response `{peers: [...]}` gets unwrapped to just `[...]`.
Fixed:
- api.js: getAllData and getMonitoringData now handle both array
and object formats for peers, interfaces, and rates
- overview.js: render and polling functions now safely unwrap
data that may be array or nested object
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
RPCD backend:
- Fix critical json_init bug: variables must be extracted BEFORE
json_init() which wipes the loaded JSON. Affected functions:
save_settings, do_enable, set_bridges, add/remove_hidden_service
- Fix process detection: use pgrep instead of pid file
- Fix uptime calculation: get PID from pgrep, not pid file
- Fix RPC expect unwrapping in getDashboardData for presets
Init script:
- Remove PidFile directive (procd manages the process)
- Clean up stale files before starting to avoid permission issues
- Set proper ownership on torrc after generation
- Fix iptables chain creation to handle "already exists" gracefully
- Remove from OUTPUT chain before attempting chain deletion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC expect clause unwraps the response, so circuits data may be
an array directly rather than an object with circuits property.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix subshell bug in get_circuits (pipe loses JSON state)
- Add has_control flag to status for frontend awareness
- Fix UseBridges without bridge lines causing Tor to fail
- Fix hidden service directory ownership (tor:tor)
- Change log output from file to syslog
- Fix run directory ownership and permissions (700)
- Add CookieAuthentication for control socket auth
- Use socat instead of nc (BusyBox lacks Unix socket support)
- Add socat as package dependency
- Optimize duplicate curl calls in status check
- Use fallback IP services for real_ip detection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_services RPCD method to detect listening TCP services
- Map known ports to service names, icons, and categories
- Display clickable service cards in portal Services tab
- Services link directly to their URLs (e.g., :3000 for Gitea)
- Filter to show only externally accessible services with URLs
- Add ACL permissions for portal and admin apps
Detected services include: Gitea, HexoJS, CyberFeed, Streamlit,
HAProxy Stats, Netifyd, LuCI, Lyrion, and more.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HexoJS now serves dynamically on :4000 via HAProxy vhost routing.
- Disabled auto_publish in metabolizer
- Disabled portal in hexojs
- /www stays free for SecuBox portal and other apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 'generate' as alias for 'build' command
- Rename cmd_publish for drafts to cmd_publish_draft
- Fix duplicate cmd_publish functions
- Add portal config section with /www/blog path
- publish draft <slug> for drafts, publish for portal
- Metabolizer integration now working
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD _add_backend now parses inline 'server' option format
- Servers embedded in backend response with inline flag
- update_server converts inline servers to separate UCI sections
- delete_server handles both inline and separate server sections
- API and UI pass inline flag for proper handling
Fixes server port editing in LuCI backends interface.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add showEditVhostModal() for editing virtual host properties
- Add showEditBackendModal() for editing backend configuration
- Add showEditServerModal() for editing server properties
- Modern card-based UI with inline edit/delete actions
- Toggle enable/disable for backends
- Fix haproxyctl to read server option from backend UCI sections
- Add debug logging to container startup script
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change all hardcoded /blog/ paths to use / as root:
Theme configuration:
- _config.yml: Menu paths now /cybersecurity/ instead of /blog/cybersecurity/
- Blog submenu path changed to /categories/
Layout templates:
- post.ejs: Category link uses url_for with root path
- index.ejs: "Voir le blog" links to /categories/
- category.ejs: Breadcrumb and back links use /categories/
Scripts:
- dynamic-blog.js: Category paths now /{slug}/ instead of /blog/{slug}/
- Menu blog path changed to /categories/
Presets:
- tech.yml: Menu paths updated
- portfolio.yml: Blog link updated
hexoctl:
- Default portal_path changed from /www/blog to /www
- Help text updated
This allows the blog to be served from the root URL with categories
at /{category}/ paths.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change pidfile from haproxy-lxc.pid to haproxy.pid for consistency
with the actual container name.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change container references from 'haproxy-lxc' to 'haproxy' to match
the actual container name used by secubox-app-haproxy. This fixes
the LuCI status view showing container_running: false.
Fixes affected methods:
- method_status: container existence and state checks
- method_get_stats: container running check
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Templates now properly use Hexo's url_for() helper:
- apps.ejs: navigation links
- category.ejs: breadcrumb, apps, services, blog links
- showcase.ejs: contact, portfolio, apps, services links
This ensures all links work correctly when root is set to a
subdirectory (e.g., /blog/ instead of /)
Bumped release to r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Calculate web root from portal path (e.g., /www/blog → /blog/)
- Update _config.yml root setting before regenerating
- Run hexo clean && generate to apply new root
- Bumped release to r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Piped while loop runs in subshell, JSON additions don't persist
- Use temp file + redirect to avoid subshell issue
- Also fix list_backups with same pattern
- Bumped release to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Server now binds to 0.0.0.0 instead of localhost for external access
- Added publish command to copy static files to /www/blog/
- Startup script always regenerates to ensure correct binding
- Bumped release to r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add gitea_status, gitea_sync, gitea_clone, gitea_save_config RPCD methods
- Add Gitea section to sync.js with config form and sync buttons
- Update ACL for new Gitea methods
- Fix luci-app-metabolizer install section for RPCD executable
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove yaml import, use simple string parsing for front matter
- Remove dependency on host metabolizerctl
- Use environment variables for paths (METABOLIZER_CONTENT)
- Remove switch_page calls that fail in container
- CMS now works standalone inside Streamlit container
- Bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Export PATH at top of startup script for git binary
- Export HOME=/data for proper environment
- Set SCRIPT_TYPE=sh in app.ini (no bash in Alpine)
- Bump to r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine's adduser wasn't creating the group properly, causing
chown git:git to fail with "unknown group".
- Add explicit addgroup -g 1000 git before adduser
- Use -G git flag to assign user to the group
- Bump to r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use /bin/sh instead of /bin/bash for git user shell
- Check for su-exec binary instead of marker file for deps
- Always recreate git user on startup (doesn't persist in container)
- Set explicit UID 1000 for git user
- Bump release to r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /data, /opt, /run directories in rootfs during install
- Simplify mount entries (single /data mount)
- Ensure host data directories exist before creating LXC config
- Install dependencies (git, su-exec, etc.) on first container run
- Create required subdirectories in startup script
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add is_installed() and is_running() checks to init.d
- Show reason when service not running (disabled/not installed)
- Enable gitea by default in UCI config
- Require installation before starting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Metabolizer Blog Pipeline - integrated CMS for SecuBox:
- Gitea: Mirror GitHub repos, store blog content
- Streamlit: CMS app with markdown editor and live preview
- HexoJS: Static site generator (clean → generate → publish)
- Webhooks: Auto-rebuild on git push
- Portal: Static blog served at /blog/
Pipeline: Edit in Streamlit CMS → Push to Gitea → Build with Hexo → Publish
Packages:
- secubox-app-streamlit: Streamlit server with LXC container
- luci-app-streamlit: LuCI dashboard for Streamlit apps
- secubox-app-metabolizer: CMS pipeline orchestrator
CMS Features:
- Two-column markdown editor with live preview
- YAML front matter editor
- Post management (drafts, publish, unpublish)
- Media library with image upload
- Git sync and Hexo build controls
- Cyberpunk theme styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Amber (#ffb000) for titles, borders, hover effects
- Green (#33ff33) for dates, sources, navigation
- Gradient timeline line (amber → green → amber)
- Glow effects on text and borders
- Audio items highlighted in green
- Status bar with item count and sync time
- Emojified content from AWK parser preserved
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Left panel (1/3): CRT monitor style with:
- Phosphor green text with glow effect
- Scanlines overlay
- Screen curvature effect
- Power LED with pulse animation
- VT323 monospace font
- Scrollable latest 15 items
- Right panel (2/3): Standard cyberpunk timeline with:
- Vertical timeline with neon gradient line
- Date grouping
- Audio player support
- Source badges
- Responsive: stacks vertically on mobile (CRT on top)
- Auto-refresh every 3 minutes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Star Wars opening crawl style timeline with:
- Starfield background with twinkling stars
- "A long time ago in a network far, far away...." intro
- CYBERFEED logo zoom animation
- 3D perspective text crawl (rotateX transform)
- Yellow text (#ffd700) with cyan accents (#0ff)
- Auto-refresh every 3 minutes
- Controls: PAUSE, RESET, HOME, REFRESH
- Fix LuCI API array handling in getFeeds/getItems:
- RPC `expect` declarations auto-extract nested properties
- Response IS the array, not res.feeds/res.items
- Add Array.isArray check to handle both cases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move emoji injection inside AWK parser to avoid corrupting JSON keys
- Use grep -o | wc -l for accurate item count on single-line JSON
- Emojis now only applied to title and desc fields, not URLs or keys
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite RSS parser to use BusyBox-compatible AWK (no capture groups)
- Use extract_tag() helper with substr() instead of match() capture
- Use extract_attr() helper for XML attribute extraction
- Fix settings.js select elements to properly set initial value
- Use sel.value = ... instead of selected attribute
- Add new UCI config options for enhanced features:
- download_media, media_dir, history_file, generate_timeline
- Bump versions: secubox-app-cyberfeed 0.2.1, luci-app-cyberfeed 0.1.1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Radio France presets (France Inter, France Culture, France Info, FIP, Mouv)
- Add international radio (BBC World, NPR)
- Add tech podcasts (Darknet Diaries, Changelog, Syntax.fm)
- Add 'radio' category to feed selector
- One-click quick-add buttons for all radio presets
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- get_feeds now returns {"feeds": [...]} instead of raw array
- get_items now returns {"items": [...]} instead of raw array
- Updated api.js to extract arrays from wrapped responses
- Fixes feed list not displaying in LuCI dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-cyberfeed: Core RSS aggregator service
- Pure shell script, OpenWrt compatible
- Cyberpunk emoji injection based on content keywords
- Caching with configurable TTL
- JSON and HTML output with neon/glitch effects
- RSS-Bridge support for social media (Facebook, Twitter, YouTube)
- luci-app-cyberfeed: LuCI dashboard with cyberpunk theme
- Dashboard with stats, quick actions, recent items
- Feed management with add/delete
- RSS-Bridge templates for easy social media setup
- Preview with category filtering
- Settings page for service configuration
Features:
- Auto-emojification (security, tech, mystical themes)
- Dark neon UI with scanlines and glitch effects
- RSS-Bridge integration for Facebook/Twitter/YouTube
- Category-based filtering
- Auto-refresh via cron (5 min default)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add pollRegistered flag to prevent duplicate poll registration
- Fix refreshDashboard to use replaceChild instead of dom.content
- Build content arrays explicitly to avoid null values in arrays
- Fix disabled attribute handling for action buttons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix TypeError "haproxy.api factory yields invalid constructor" by
refactoring api.js to use correct LuCI module pattern:
- Define RPC calls at module level with rpc.declare()
- Reference them in baseclass.extend() object
- Add getDashboardData helper function at module level
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-haproxy: LXC-containerized HAProxy service
- Alpine Linux container with HAProxy
- Multi-certificate SSL/TLS termination with SNI routing
- ACME/Let's Encrypt auto-renewal
- Virtual hosts management
- Backend health checks and load balancing
- Add luci-app-haproxy: Full LuCI web interface
- Overview dashboard with service status
- Virtual hosts management with SSL options
- Backends and servers configuration
- SSL certificate management (ACME + import)
- ACLs and URL-based routing rules
- Statistics dashboard and logs
- Settings for ports, timeouts, ACME
- Update luci-app-secubox-portal:
- Add Services category with HAProxy, HexoJS, PicoBrew,
Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud
- Make portal dynamic - only shows installed apps
- Add empty state UI for sections with no apps
- Remove 404 errors for uninstalled apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add start-hexo.sh script as container init command
- Set PATH properly for hexo CLI in lxc_exec()
- Container now starts Hexo server automatically on boot
- Falls back to tail -f /dev/null if no site exists
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-hexojs: LXC-containerized Hexo service with Node.js
- hexoctl control script for container/site management
- Bundled CyberMind theme with dark/light mode
- Theme presets (minimal, tech, portfolio)
- Post/page scaffolds
- luci-app-hexojs: Full CMS dashboard
- Overview with stats and quick actions
- Post editor with Markdown toolbar and preview
- Media library browser
- Categories and tags management
- Apps portfolio for CyberMind theme
- Build and deploy to GitHub Pages
- GitHub Sync wizard (clone, pull, push)
- Theme configuration and presets
- Site settings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-tor (backend) and luci-app-tor-shield (frontend) packages
for Tor anonymization on OpenWrt.
Backend features:
- UCI configuration with presets (anonymous, selective, censored)
- procd init script with iptables transparent proxy
- torctl CLI tool for status, enable/disable, circuits, leak-test
- DNS over Tor and kill switch support
- Hidden services and bridge management
Frontend features:
- Modern purple/onion themed dashboard
- One-click master toggle with visual status
- Real-time circuit visualization (Guard -> Middle -> Exit)
- Hidden services (.onion) management with copy/QR
- Bridge configuration (obfs4, snowflake, meek-azure)
- Leak detection tests
- Advanced settings for ports and exit node restrictions
Note: LuCI package renamed to luci-app-tor-shield to avoid conflict
with existing luci-app-tor package in OpenWrt LuCI feeds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Flask 1.1.2 requires specific old versions of dependencies:
- Jinja2==2.11.3 (escape moved in 3.1)
- markupsafe==1.1.1
- itsdangerous==1.1.0 (json removed in 2.x)
- Werkzeug==1.0.1
- click==7.1.2
- pybeerxml<2.0.0 (Parser import changed in 2.x)
- marshmallow<4.0.0
Also:
- Use pip-installed package instead of git repo mount
- Simplify LXC mounts to just data directories
Tested and working on OpenWrt 24.10.5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add two new packages for self-hosted brewing controller support:
secubox-app-picobrew:
- LXC container-based PicoBrew Server installation
- Alpine Linux rootfs with Python/Flask environment
- UCI configuration for port, memory, brewing defaults
- procd service management with respawn
- Commands: install, uninstall, update, status, logs, shell
luci-app-picobrew:
- Modern dashboard UI with SecuBox styling
- Service controls (start/stop/restart/install/update)
- Real-time status monitoring and logs
- Settings page for server and brewing configuration
- RPCD backend with full API coverage
Supports PicoBrew Zymatic, Z, Pico C, and Pico Pro devices.
Repository: https://github.com/CyberMind-FR/picobrew-server
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The wizard.js was looking for a global QRCode object that doesn't exist.
Updated to import and use our qrcode module like other views do.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed from baseclass.extend() to simple object return pattern
to match other libraries (chart.js). The baseclass dependency
was causing the module to fail loading.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The JavaScript QR code fallback was limited to Version 5 (106 bytes max),
but WireGuard configs are typically 200-250 bytes. This caused QR code
generation to fail when the backend qrencode binary is not installed.
Changes:
- Auto-select optimal QR version (1-20) based on data length
- Support up to 858 bytes (Version 20)
- Proper Reed-Solomon error correction with dynamic generator polynomials
- Data interleaving for multiple EC blocks
- Alignment patterns for all versions
- Version info encoding for version 7+
- Quiet zone in SVG output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Refactor CROWDSEC object to use luci.crowdsec-dashboard RPC instead of file.exec
- Add getNftablesStats() for accurate blocked IPs count from firewall bouncer
- Update updateDiskUsage() to use luci.system-hub.get_system_status RPC
- Update loadSystemLogs() to use luci.system-hub.get_logs RPC
- Add proper ACL permissions for luci.crowdsec-dashboard and luci.system-hub
- Bump version to 1.5.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Downgrade golang.org/x/net from v0.44.0 to v0.33.0 (Go 1.23 compatible)
- Patch out http.Protocols usage (Go 1.24+ feature) from:
- pkg/acquisition/modules/http/run.go
- pkg/acquisition/modules/appsec/config.go
- pkg/acquisition/modules/kubernetesaudit/config.go
- pkg/apiserver/apiserver.go
- Patch strings.SplitSeq to strings.Split (Go 1.24+ iterator feature) in:
- cmd/crowdsec-cli/clisetup/acquisition.go
- cmd/crowdsec/flags.go
This fixes the build failure caused by CrowdSec 1.7.4 using Go 1.24+
features while OpenWrt SDK ships Go 1.23.x.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The -x flag requires exact process name match which doesn't work
reliably on OpenWrt/BusyBox. Removed -x from all pgrep calls in:
- luci-app-bandwidth-manager
- luci-app-secubox-security-threats
- luci-app-auth-guardian
- luci-app-media-flow
- luci-app-vhost-manager
- luci-app-network-modes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add RPC call to fetch CrowdSec nftables statistics
- Replace Security Modules widget with IPs Blocked widget
- Show active/inactive status based on firewall bouncer health
- Add detailed breakdown in System Overview (IPv4/IPv6, CAPI/local)
- Gracefully handle missing CrowdSec dashboard package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove -q (quiet) flag from wget to show download errors
- Use architecture-specific tarball (60MB) instead of multi-arch (126MB)
- Add fallback to multi-arch tarball if ARM download fails
- Add explicit error messages for download and extraction failures
- Verify download file exists and is non-empty before extraction
The previous -q flag was hiding the actual wget error, making it
difficult to diagnose download failures in the chroot environment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- lxc_create_rootfs now checks for Lyrion installation (slimserver.pl)
instead of just Alpine (alpine-release) to detect complete installs
- Auto-cleanup incomplete installations where Alpine downloaded but
Lyrion failed to install (e.g., network issues during chroot)
- Add verification after installation to confirm Lyrion was installed
- Add 'destroy' command to manually clean up failed installations
- Bump version to 2.0.1
This fixes the issue where 'lyrionctl install' would report success
when Alpine was downloaded but the chroot setup script failed silently.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use L.url() for proper ubus endpoint URL
- Pass messages as array instead of JSON string
- Add credentials and better error handling
- Fix AbortController error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change default API port from 8080 to 8081
- Increase chat API timeout to 120 seconds (LLMs can be slow on ARM)
- Use custom fetch-based chat call with AbortController for timeout control
- Fix wget/curl timeout for RPCD backend
Resolves "XHR request timed out" errors when using chat with TinyLlama.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace Docker/LXC-based approach with direct binary download
- Download LocalAI v2.25.0 binary from GitHub releases
- Add localaictl CLI for install, model management, and service control
- Change default port to 8081 (avoid CrowdSec conflict on 8080)
- Remove secubox-app-localai-wb (merged into secubox-app-localai)
- Add model presets: tinyllama, phi2, mistral
Usage:
localaictl install
localaictl model-install tinyllama
/etc/init.d/localai enable && /etc/init.d/localai start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package for building LocalAI from source with llama-cpp backend:
- localai-wb-ctl: On-device build management
- check: Verify build prerequisites
- install-deps: Install build dependencies
- build: Compile LocalAI with llama-cpp
- Model management, service control
- build-sdk.sh: Cross-compile script for SDK
- Uses OpenWrt toolchain for ARM64
- Produces optimized binary with llama-cpp
Alternative to Docker-based secubox-app-localai for native builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New LuCI application for Ollama management:
- Dashboard with service status and controls
- Model management (pull, remove, list)
- Chat interface with model selection
- Settings page for configuration
Files:
- RPCD backend (luci.ollama)
- Dashboard, Models, Chat, Settings views
- ACL and menu definitions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Download Docker image layers directly via Registry API
- No dockerd or podman daemon required anymore
- Same approach as mitmproxy and magicmirror2 packages
- All backends included (llama-cpp, whisper, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated default version from v2.25.0 to v3.10.0
- Fixed binary URL format: local-ai-v3.10.0-linux-arm64
- Updated Docker image tag to v3.10.0-ffmpeg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add runtime_is_working() to verify daemon connectivity
- Falls back to standalone binary with helpful message if daemon not running
- Provides hint: /etc/init.d/dockerd start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When using `localaictl install --lxc`:
1. If podman/docker available: extracts rootfs from Docker image
- Includes ALL backends (llama-cpp, whisper, etc.)
- Creates LXC container with full LocalAI capabilities
2. If no docker/podman: falls back to standalone binary
- Limited backend support
This gives the best of both worlds:
- LXC lightweight container management
- Full Docker image backends
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- is_running() now checks LXC with lxc-info before Docker/Podman
- get_status() calculates uptime from LXC container PID
- Order: LXC -> Podman -> Docker -> native process
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update is_running() to detect Docker/Podman containers
- Fix get_status() uptime calculation for containers
- Improve do_chat() with better error messages and logging
- Use curl if available for API calls (more reliable than wget POST)
- Add debug logging to syslog (logger -t localai-chat)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LocalAI changes:
- Rewrite localaictl to use Docker/Podman instead of standalone binary
- Use localai/localai:v2.25.0-ffmpeg image with all backends included
- Fix llama-cpp backend not found issue
- Auto-detect podman or docker runtime
- Update UCI config with Docker settings
New Ollama package:
- Add secubox-app-ollama as lighter alternative to LocalAI
- Native ARM64 support with backends included
- Simple CLI: ollamactl pull/run/list
- Docker image ~1GB vs 2-4GB for LocalAI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The LuCI rpc.declare with expect: { models: [] } returns the array
directly, not wrapped in {models: [...]}. Fixed all views to handle
this correctly.
- models.js: Check Array.isArray(data) first
- dashboard.js: Extract array from results[1] directly
- chat.js: Same array handling fix
Version: 0.1.0-r12
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-localai package with LXC container support for LocalAI service
- Add luci-app-localai with dashboard, chat, models and settings views
- Implement RPCD backend for LocalAI API integration via /v1/models and /v1/chat/completions
- Use direct RPC declarations in LuCI views for reliable frontend communication
- Add LocalAI and Glances to secubox-portal services page
- Move Glances from services to monitoring section
Packages:
- secubox-app-localai: 0.1.0-r1
- luci-app-localai: 0.1.0-r8
- luci-app-secubox-portal: 0.6.0-r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Improve Services tab with pgrep-based status detection
- Add service enable/disable toggle buttons
- Add port forwards table to Firewall tab
- Add process list to System tab
- Add CrowdSec alerts table
- Reorganize quick actions into grouped layout
- Add Flush DNS, Sync NTP, and LuCI Admin shortcuts
- Change URL path from /secubox-dashboard/ to /secubox/
- Bump version to 1.4.1 (v2.4)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use separate -B and -p args for bind address and port
- Add hostname resolution by populating /etc/hosts dynamically
- Add --disable-autodiscover and --disable-check-update flags
- Fixes DNS resolution errors causing immediate container exit
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-glances and luci-app-glances packages:
secubox-app-glances:
- LXC container with nicolargo/glances:latest-full Docker image
- Web UI on port 61208, API on port 61209
- UCI configuration for monitoring options and alert thresholds
- glancesctl management script
luci-app-glances:
- Dashboard view with service status and quick actions
- Embedded Web UI view with iframe
- Settings view for configuration
- RPCD backend with proper ACL permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token to RPCD ACL permissions (was missing, causing 403)
- Add fallback token retrieval from container via lxc-attach
- Improve token capture regex to support alphanumeric tokens
- Fix startup script with background process + tee for reliable capture
- Add IP forwarding enablement for transparent proxy mode
- Fix bypass rule for traffic destined to router itself
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Consider sync OK when CAPI blocklists are active (capi_elements > 0)
even if local decisions = 0
- Add capi_elements_count to health response
- Fixes false "Out of sync" warning when using community blocklists
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- install_module now uses mmpmctl if available (has module registry)
- Fallback to manual git clone only with explicit URLs
- Add proper Node.js PATH for npm commands
- update_module also uses mmpmctl when available
- Fix npm PATH in both install and update functions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use `mmpm ui --start/--stop/--status` instead of `mmpm ui --port --host`
- MMPM v4 manages GUI via pm2, not direct execution
- Update status command to check pm2 status and get URL from mmpm
- Auto-install UI if not present when starting service
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add NODE_PATH variable for container npm/pm2 access
- Add run_mmpm helper function with proper PATH export
- Fix module install/remove/upgrade/search/list commands
- Fix MMPM GUI service start with proper PATH
- Fix list command to use --installed flag
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update module list to match portal.js apps
- Add MagicMirror2 and MMPM to modules
- Add changelog entries for v0.15.0-alpha1 to alpha3
- Update roadmap with Certification CE/FCC and Phase 2 funding (2027)
- Update version badge to v0.15.0-alpha3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix pip install with --break-system-packages for Debian Trixie PEP 668
- Fix MMPM binary path detection (/usr/local/bin/mmpm)
- Fix RPCD backend to detect MMPM UI status with correct PATH
- Add Services section to portal navigation
- Update MMPM commands to use full path in container
- Configure MMPM environment for /opt/magic_mirror
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add symlink from modules/default to __modules/default (Docker entrypoint logic)
- Copy CSS files from __css to css directory on startup
- Fix shebang escaping issue by using printf instead of heredoc for #!/bin/sh
- Bump release to 0.4.0-r7
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-magicmirror2 (0.4.0): MagicMirror² smart display platform
- LXC container with Docker image extraction
- mm2ctl CLI for management
- Support for gzip/zstd compressed layers
- Default port 8082
- luci-app-magicmirror2 (0.4.0): LuCI web interface
- Dashboard, modules, webui, settings views
- RPCD backend for service control
- Module management integration
- secubox-app-mmpm (0.2.0): MMPM package manager
- Installs MMPM in MagicMirror2 container
- mmpmctl CLI for module management
- Web GUI on port 7891
- luci-app-mmpm (0.2.0): LuCI interface for MMPM
- Dashboard with install/update controls
- Module search and management
- Embedded web GUI view
Portal integration:
- Added MagicMirror² and MMPM to Services section
- Portal version bumped to 0.6.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PYTHONUNBUFFERED=1 to ensure mitmweb output is not buffered
- Use inline while loop to capture authentication token from startup output
- Fix RPCD backend to read token from correct path ($DATA_DIR/.mitmproxy_token)
- Add proper shell detection and symlink creation in Docker rootfs extraction
- Remove unnecessary exec in pipeline that prevented output capture
The mitmweb authentication token is now properly captured and available
to the LuCI Web UI view for iframe embedding.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The previous pipe approach didn't work because the while loop
runs in a subshell. Now using a background job to poll the log
file for the token while tee outputs to both console and log.
Bump release to r13.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token RPCD method to retrieve auth token
- Create webui.js view that embeds mitmweb in an iframe
- Capture auth token at startup and save to file
- Add Web UI navigation to all mitmproxy views
- Fix PATH for /usr/local/bin in Docker image
- Change default port from 8080 to 8888 (avoid CrowdSec conflict)
secubox-app-mitmproxy: bump to r12
luci-app-mitmproxy: bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Recent mitmproxy versions require web authentication by default.
Disable it with --set web_password= for easier LAN access.
Bump release to r11.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Port 8080 conflicts with CrowdSec API. Using 8888 as default.
Also removes --flow-detail option not available in latest mitmproxy.
Bump release to r10.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract rootfs directly from mitmproxy/mitmproxy Docker image.
This provides the latest mitmproxy with all Rust components pre-compiled.
No more version compatibility issues - uses whatever version is in
the official Docker image.
Bump release to r8.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 7.0.4 doesn't support the --flow-detail option which was
causing the startup script to fail.
Bump release to r7.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 8.x has dataclass compatibility issues with Python 3.11
in the grpc contentviews module.
Bump release to r6.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
werkzeug 3.0+ removed url_quote from werkzeug.urls which breaks
Flask imports in mitmproxy 8.1.1.
Bump release to r5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
zstandard requires gcc to compile. Added build-base and dev packages
for compilation, then remove them after pip install to save space.
Bump release to r4.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- mitmproxy 9.x requires mitmproxy-wireguard (Rust)
- mitmproxy 10.x requires mitmproxy_rs (Rust)
- mitmproxy 8.1.1 is the last version without any Rust dependencies
Bump release to r3.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy_rs which needs Rust compilation.
mitmproxy 9.0.1 is the last pure-Python version that works in Alpine
chroot without /proc mounted.
Bump release to r2.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust 1.80+, but
Alpine 3.19 only has Rust 1.76. Using mitmproxy 10.1.6 which is the
last pure-Python version without Rust requirements.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust.
Install rust and cargo from Alpine packages, compile mitmproxy,
then remove build deps to save space.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy_rs now requires Rust compilation which fails in chroot
environment without /proc mounted. Switch to Alpine's pre-built
mitmproxy package from the community repository.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add nftables transparent mode support with automatic REDIRECT rules
- Create SecuBox Python filter addon for CDN/Media/Ad tracking
- Add whitelist/bypass configuration for IPs and domains
- Expand UCI config with transparent, whitelist, filtering sections
- Update RPCD backend with new config methods and firewall control
- Update LuCI settings view with all new configuration options
- Add new API methods: firewall_setup, firewall_clear, list management
Features:
- Transparent proxy with nftables integration
- CDN tracking (Cloudflare, Akamai, Fastly, etc.)
- Media streaming tracking (YouTube, Netflix, Spotify)
- Ad/tracker blocking
- IP and domain whitelist bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move UCI defaults script for auto-registration to cs-firewall-bouncer
- Remove redundant secubox-app-crowdsec-bouncer wrapper package
- Update luci-app-crowdsec-dashboard reference to new package name
- Increment PKG_RELEASE to 3
The defaults script handles:
- Automatic bouncer registration with CrowdSec LAPI
- Interface detection for LAN/WAN
- API key generation and UCI config update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
luci-app-crowdsec-dashboard is more complete with:
- Overview, Setup Wizard, WAF/AppSec, Metrics views
- Proper location in SecuBox > Security menu
- Bouncers management
luci-app-secubox-crowdsec was a simpler duplicate in Services menu.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create mitmproxyctl script with LXC container management
- Alpine Linux rootfs with Python and mitmproxy via pip
- Support for regular, transparent, upstream, and reverse proxy modes
- UCI configuration for proxy_port, web_port, memory_limit, etc.
- procd init script for service management
- Update luci-app-mitmproxy RPCD backend for LXC container status
Ports:
- 8080: Proxy port
- 8081: Web interface (mitmweb)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add perl-template-toolkit and perl-file-slurp dependencies
- Remove bundled Template.pm (conflicts with system version 3.101)
- Add Devel::Peek stub module for runtime inspection
- Fix lxc_logs() to read logs from container via lxc-attach
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update Lyrion download URLs to downloads.lms-community.org
- Switch from noCPAN to full tarball (noCPAN missing modules)
- Replace perl-image-scale with perl-gd + imagemagick (Alpine)
- Remove conflicting bundled CPAN modules (DBD::SQLite, XML::Parser, YAML, DBI)
- Add Image::Scale stub module for artwork resizing
- Fix permissions for nobody user on /config and /var/log/lyrion
- Add missing perl-digest-sha1 and perl-sub-name dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed unrealistic items (AI Threat Detection, Mobile App, Cloud) and
replaced with practical goals based on current module progress:
- Network Modes 1.0 (currently at 35%)
- SecuBox Hub 1.0 (currently at 31%)
- Multi-WAN Failover
- Documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed incorrect year (2025 -> 2026) in changelog dates
- Added v0.15.0-rc2 changelog entry for CrowdSec firewall bouncer fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The init script created nftables sets and chains but never added the
actual DROP rules to block traffic from blacklisted IPs. This caused
the bouncer to populate sets correctly but traffic was never blocked.
Added DROP rules for:
- IPv4 input chain (crowdsec-blacklists)
- IPv4 forward chain (crowdsec-blacklists)
- IPv6 input chain (crowdsec6-blacklists)
- IPv6 forward chain (crowdsec6-blacklists)
Each rule respects the deny_log and deny_action configuration options.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename crowdsec-firewall-bouncer to secubox-app-cs-firewall-bouncer
- Rename secubox-auth-logger to secubox-app-auth-logger
- Delete secubox-crowdsec-setup (merged into other packages)
- Fix circular dependencies in luci-app-secubox-crowdsec
- Fix dependency chain in secubox-app-crowdsec-bouncer
- Add consolidated get_overview API to crowdsec-dashboard
- Improve crowdsec-dashboard overview performance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The new get_overview RPC method was missing from the ACL file,
causing "Access denied" errors in the frontend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Consolidate multiple dashboard API calls into a single get_overview RPC
method to reduce network overhead and improve page load performance.
The frontend now transforms the consolidated response to maintain
compatibility with existing view logic. Also increases poll interval
from 30s to 60s.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix typo seccubox_logs -> secubox_logs
- Get country data from alerts (source.cn) instead of decisions
- Display CrowdSec logs instead of non-existent secubox.log
- Rename "SecuBox Log Tail" to "CrowdSec Logs"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec decisions don't contain country data. GeoIP enricher adds
country info to alerts (source.cn or source.country field).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds "Connexion" link at the end of the public menu to redirect
to the admin authentication page.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace github.com/gkerma/secubox-openwrt with
github.com/CyberMind-FR/secubox-openwrt across all files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add devstatus.js with modules list, roadmap, and changelog
- Reorder public pages: Crowdfunding (10), Bug Bounty (20), Dev Status (30)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The 403 error was caused by missing ACL file. Added
luci-app-secubox-portal.json with read permissions for
luci.secubox and luci.system-hub ubus methods.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move Debug Console from Client Guardian to System Hub
- Add Auto-Zoning Rules dedicated view in Client Guardian
- Add public pages for Bug Bounty and Crowdfunding (no ACL)
- Fix auth-logger to only detect real login attempts
- Add private IP whitelist for CrowdSec (RFC1918 ranges)
- Update navigation menus across all apps
- Bump secubox-auth-logger to v1.2.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v2.0.0: Multi-runtime support with auto-detection
- LXC preferred when available (150MB RAM vs 300MB for Docker)
- New lyrionctl commands: runtime, shell
- Alpine Linux rootfs creation for LXC
- UCI config: runtime option (auto/docker/lxc)
- Memory limit configuration via cgroups
- Updated plugin manifest with runtime info
Runtime selection:
option runtime 'auto' - Auto-detect (LXC preferred)
option runtime 'docker' - Force Docker
option runtime 'lxc' - Force LXC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add explicit 644 permissions for overview.js and dashboard.css
- Fixes HTTP 403 error when accessing the view
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sync command to synchronize packages from package/secubox to local-feed
- Add local-feed deletion to clean-all command
- Add missing packages to package/secubox:
- luci-app-secubox-crowdsec
- secubox-crowdsec-setup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v1.2.1: Remove timestamp generation (ucode time functions unavailable)
- Use simple format: secubox-auth[1]: authentication failure for...
- Update parser to use raw line parsing with custom label type
- Change acquisition from type:syslog to type:secubox-auth
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-auth-logger v1.2.0: Patch LuCI ucode dispatcher.uc to log
authentication failures server-side instead of relying on JS hooks
- crowdsec-firewall-bouncer: Add helper function for UCI list reading
and default to eth1, br-lan, br-wan interfaces to ensure WAN traffic
is checked against the blocklist
- Update postrm to properly restore dispatcher backup on uninstall
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CGI hook to capture client IP during failed auth attempts
- Add JavaScript hook to intercept ubus session.login failures
- Add rpcd plugin for ubus-based auth logging
- Update CrowdSec parser for case-insensitive matching
- Inject JS hook into LuCI theme headers on install
This enables CrowdSec to detect and block brute-force attacks
on the LuCI web interface, which previously only logged
successful authentications.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Local Protection Mode banner when CAPI unavailable (LAPI still works)
- Save enrollment key to UCI config for future repairs
- Improve text contrast in wizard (better readability)
- Simplify LAPI repair function based on official OpenWrt approach
- Never delete CAPI credentials to avoid rate-limiting
- Add get_settings/save_settings RPC methods
- Bump version to 0.7.0-r27
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic restart after successful console enrollment
- Update wizard UI to inform user about validation on app.crowdsec.net
- Service must restart after enrollment is validated on CrowdSec Console
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Service restarts during bouncer registration and service start can
cause XHR connections to abort. Treat these as success since the
operation likely completed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New wizard approach:
- Automatic health check on load (LAPI, CAPI, Bouncer, nftables, collections)
- Single configuration page with all options visible
- Only repairs what's broken
- No hub update without CAPI connection
- Single "Apply Configuration" button at the end
- Progress bar during apply
- Summary of what was done at completion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC method was returning "Access denied" because it was missing
from the rpcd ACL configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Large package feed files exceed GitHub's 100MB limit.
These are build artifacts that should be generated locally.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_public_ips method to secubox-core rpcd backend
- Fetch public IPs from multiple services with fallback
- Display in new "Public IP Addresses" panel on dashboard
- Auto-update IPs on poll refresh
- Bump luci-app-secubox to 0.7.1-r2
- Bump secubox-core to 0.10.0-r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Treat XHR abort as success when CrowdSec restarts after acquisition config
- Auto-advance to Step 5 after brief delay
- Bump to 0.7.0-r21
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- repair_lapi() now removes stale online_api_credentials.yaml and retries
- New repair_capi() function for dedicated CAPI repair
- console_enroll() handles CAPI credential cleanup before retry
- Added repairCapi API method in frontend
- Bump luci-app-crowdsec-dashboard to 0.7.0-r20
- Add openwrt-luci-bf.yaml scenario for LuCI brute force detection
- Add secubox-auth-acquis.yaml acquisition config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The serviceWarning variable was null when CrowdSec is running, and
LuCI's E() function rendered it as literal "null" text. Fixed by
using empty fragment when no warning needed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The refreshView() call was aborting the pending configureAcquisition
XHR request by triggering new API calls. Now only updates the button
state without a full view refresh.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec on OpenWrt doesn't support "source: command" acquisition.
Changed to file-based acquisition reading /var/log/messages.
Also configures busybox syslog to write to file automatically.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When SSH logging is enabled in the wizard, automatically:
- Set dropbear.@dropbear[0].verbose=1 to log auth failures
- Restart dropbear to apply changes
This ensures CrowdSec can detect SSH brute force attempts.
Without verbose mode, Dropbear doesn't log failed auth to syslog.
Also enable uhttpd syslog when HTTP logging is enabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse ndpid-apps.json array format [{name: "TLS.YouTube", ...}]
- Use jq contains() instead of test() regex (ONIGURUMA not available on OpenWrt)
- Filter streaming services: YouTube, Netflix, Spotify, AppleiTunes, etc.
- Aggregate streams by app name (combine TLS.YouTube + QUIC.YouTube)
- Estimate quality based on data volume (SD/HD/FHD)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add SecuBox dark theme initialization to all views (dashboard, alerts,
clients, services, history)
- Fix flow count detection by using jsonfilter instead of jq (OpenWrt native)
- Prioritize /var/run/netifyd/status.json for ndpid-compat flow data
- Remove filtering expect{} from API.getActiveStreams() RPC declaration
- Update CLAUDE.md with jsonfilter usage guidelines for OpenWrt
The dashboard now correctly displays:
- Total Flows count from nDPId via ndpid-compat
- nDPId/Netifyd status indicators
- SecuBox dark theme with portal header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change 'config main' to 'config ndpid main' for proper section naming
- Change 'config compat' to 'config ndpid compat'
- Enable ndpid by default (enabled='1')
- Init scripts expect named sections, not typed sections
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Scan ALL nftables sets (CAPI, cscli, etc.) instead of just base set
- Display blocked IPs count by origin (Community vs Local)
- Show sample of blocked IPs with Unban button
- Add ipv4_capi_count, ipv4_cscli_count, ipv4_total_count to API response
- Support for 14,000+ community blocklist IPs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add health_check API with LAPI/CAPI/Console status verification
- Add capi_metrics API for community blocklist statistics
- Add hub_available, install_hub_item, remove_hub_item APIs
- Add System Health panel to overview with visual status indicators
- Add CAPI Blocklist section showing community vs local decisions
- Add Installed Collections card with version display
- Fix settings.js syntax error (missing comma)
- Fix metrics.js null display in acquisition statistics
- Update ACL file with new RPC method permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt all luci-app-* and secubox-app-* packages for aarch64-cortex-a72
- Updated local-build.sh with FORCE=1 to bypass rsync prereq check
- Removed packages that failed SDK build (require full buildroot)
- Updated Packages index and apps-local.json manifest
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Include all built .ipk packages in luci-app-secubox-bonus
- Generate Packages index and apps-local.json manifest
- Remove .gitignore to allow package tracking
- Enables offline package installation via SecuBox > Local Packages
Packages included:
- 27 luci-app-* packages
- 11 secubox-app-* packages
- luci-theme-secubox
- secubox-core
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /etc/opkg/customfeeds.conf with secubox feed pre-configured
- Install file via Makefile instead of postinst script
- Mark as conffile to preserve user modifications on upgrade
- Add .gitignore to exclude built .ipk files from git tracking
(packages are embedded at build time by embed_local_feed)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add embed_local_feed() to local-build.sh that copies built packages
into bonus app as /www/secubox-feed/ for offline installation
- Generate Packages index and apps-local.json manifest for opkg
- Add RPCD backend (luci.secubox-store) for package install/remove
- Add LuCI view for browsing and managing local packages
- Fix OPENWRT_ONLY_PACKAGES to allow secubox-app-* wrappers in SDK build
- Remove experimental python3-* packages (unfinished mitmproxy native plan)
- Set rootfs partition size to 16GB for larger overlay
- Bump luci-app-secubox-bonus to v0.2.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package: crowdsec-firewall-bouncer (v0.0.34)
- Based on official OpenWrt package from openwrt/packages
- Full nftables integration with IPv4/IPv6 support
- Timeout-based sets for automatic ban expiration
- Input and forward chain filtering
- Interface-based filtering
- procd service management with ujail support
- UCI configuration
Init script features:
- Creates nftables tables: crowdsec (IPv4), crowdsec6 (IPv6)
- Creates timeout-enabled sets for blocklists
- Generates YAML config from UCI settings
- Automatic cleanup on service stop
Updated secubox-app-crowdsec-bouncer to v0.0.32
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New features:
- New RPCD method: acquisition_metrics for detailed stats
- Realtime metrics display with 10-second polling
- Visual stat cards: lines read, parsed, unparsed, buckets
- Parse rate progress bar with color coding
- Active acquisition sources badges
- Rate calculation (events/sec) between polls
- Live update indicator with timestamp
API changes:
- Added getAcquisitionMetrics() to API layer
- Added acquisition_metrics to ACL permissions
Bumped version to 0.7.0-17
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
