- luci.mailserver: Detect LXC containers for webmail status (not just Docker)
- docs: Add nginx static file fix and webmail detection to HISTORY/WIP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace per-site UCI calls with single-pass awk parsing
- Pre-fetch listening ports, HAProxy backends, and Tor services
- Fix getline variable corruption that produced invalid JSON
- Reduce execution time from 30+ seconds to 0.23 seconds
- Update signaling.gk2.secubox.in route to port 8083 (LXC)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added routes for:
- pf.gk2.secubox.in (Streamlit prompt_forge, port 8502)
- secubox.maegia.tv (LuCI, port 8081)
- meet.maegia.tv (Jitsi, port 8088)
- xchat.gk2.secubox.in (XMPP, port 5280)
- fan.gk2.secubox.in (Streamlit, port 8529)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrote method_get_vhosts() to use single-pass awk parsing
- Reduced execution time from 30+ seconds timeout to 0.24 seconds
- Added arm, armada, files42 routes to mitmproxy config
The previous implementation made 4 UCI calls per vhost (764 total)
causing the luci-tree page to timeout. New implementation parses
uci show output once with awk.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add route management commands:
- `mitmproxyctl route list` - List all routes
- `mitmproxyctl route add <domain> <ip> <port>` - Add manual route
- `mitmproxyctl route remove <domain>` - Remove route
- `mitmproxyctl route check` - Check for missing routes
- Improve sync-routes to scan MetaBlogizer and Streamlit services:
- Auto-detect enabled MetaBlogizer sites and add routes
- Auto-detect enabled Streamlit instances with matching vhosts
- Warn about mitmproxy_inspector vhosts with missing routes
- Update routes config with 188 routes
This fixes the issue where services using mitmproxy_inspector backend
would fall back to default because their routes were not configured.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Deployed Yggdrasil on master (aarch64) and clone (x86_64)
- Connected to 2 public peers + LAN multicast auto-discovery
- Bidirectional ping6 and SSH over Yggdrasil working
- Fixed firewall zones: device="ygg0" required for nftables
- IPv6: master 201:e4d4:..., clone 201:a9d8:...
- Marks v1.1+ Yggdrasil overlay as complete
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed _print_uci_userlist to use config_list_foreach
- Each user now gets separate "user ... password ..." line
- Fixes HAProxy basic auth with multiple users
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix auth for Streamlit container (no ubus access)
- Use HTTP JSON-RPC to /ubus endpoint for authentication
- Add ALERTE.DEPOT app source to repo
- Update HISTORY.md with VoIP and auth fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Shell 'local' keyword only works inside functions, not case statements
- Remove all 'local' declarations to fix RPCD handler execution
- Fixes "not in a function" error when calling trunk_test and other methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix active_calls and extensions count to output clean integers
- Remove tr -cd which was causing duplicate values in JSON
- Use simpler variable assignment with fallback to 0
- Prevents malformed JSON output from cmd_status()
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Gitea as a service option in SecuBox Users UI
- Add Gitea checkbox in Add User modal
- Add Gitea service badge in status display
- Implement password sync to Gitea via API on password change
- Fix Gitea API call to include login_name parameter
- Add gitea to check_service() and get_status()
- Sync passwords to all enabled services (email, jabber, nextcloud, gitea)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The bare `except:` clause catches SystemExit which is raised by
sys.exit(0), causing the script to fall through to sys.exit(1).
Changed to `except Exception:` which doesn't catch SystemExit,
allowing proper exit code propagation.
Also:
- Simplified Python extraction script
- Use double quotes for string literals (shell compatibility)
- Write Python script to temp file instead of heredoc (RPCD stdin conflict)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit upload now matches MetaBlogizer KISS pattern:
- Auto-detects ZIP files by magic bytes (PK header)
- Extracts app.py from ZIP archives automatically
- Adds UTF-8 encoding declaration to Python files
- Installs requirements.txt dependencies in background
- Restarts instance on re-upload for immediate update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Upload modal now defaults to replacing index.html
- "Set as index" checkbox checked by default
- Uncheck to use original filename (shows destination field)
- Fixes issue where uploads weren't updating main page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed button logic from exp.vhost_exists to exp.emancipated
- Non-emancipated sites now correctly show "Expose" button
- Emancipated sites show "Unpublish" button
- vhost_exists was incorrectly true for some non-emancipated sites
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto-republish to method_upload_file (was only in upload_finalize)
- Add Gitea push to cmd_publish when gitea.enabled=1
- Use haproxyctl reload instead of init.d (container-aware)
- Uploaded content now triggers full republish flow for emancipated sites
This fixes the issue where uploading new HTML content didn't update
the live site because republish wasn't triggered.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New RPC method `change_password` in luci.secubox-users
- Verifies current password before allowing change
- Syncs new password to all enabled services (email, jabber, nextcloud)
- Matrix/PeerTube require manual password update (noted in response)
- Portal UI updates:
- New "Account" section with "Change Password" card
- Password change modal with current/new/confirm fields
- "My Services" card showing enabled services
- ACL updated to include new authentication methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move UCI domain update BEFORE slow haproxyctl reload (prevents RPC timeout)
- Run HAProxy generate/reload/cert in background subshell
- Fix vhost name encoding: use tr '.-' '_' (matches streamlitctl)
- Use sed instead of jq for mitmproxy routes (jq may not be installed)
- Tested: domain edit returns immediately, UCI updated correctly
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Show domain column with editable input for non-exposed instances
- Show clickable domain link + edit button for exposed instances
- Add editDomain modal for changing domain on exposed instances
- Domain input pre-filled with default (id.gk2.secubox.in)
- Separate Status column for SSL/WAF badges
- Update API to support domain parameter in renameInstance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update _emancipate_haproxy() to use mitmproxy_inspector backend
- Add mitmproxy route entries for domain -> streamlit port
- Aligns CLI behavior with RPCD emancipate_instance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto Gitea push on emancipate and app rename
- Route emancipated instances through mitmproxy_inspector (WAF) by default
- Add mitmproxy route entries for domains
- Enhanced rename_app to actually rename folders/files
- Enhanced rename_instance to update HAProxy vhost and mitmproxy routes
- Display WAF badge in dashboard for exposed instances
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lxc_start_bg() and lxc_reload() functions for container management
- Replace all /etc/init.d/haproxy calls with container-aware functions
- Fix haproxy-sync-certs to use haproxyctl reload
- Host HAProxy init script disabled, container is sole handler
Resolves intermittent 404 errors caused by dual HAProxy instances.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --version and --profile CLI options to secubox-cloner build command
- Add versions command to list available OpenWrt releases (24.10.5, 24.10.0, 23.05.5, 23.05.4)
- Add package profiles: slim (minimal), core (mesh essentials), full (clone current device)
- Add list_versions and list_build_profiles RPCD methods for LuCI
- Update build_image RPCD to accept version and profile parameters
- Update ACL permissions for new read methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replaces unreliable nohup-based remote flash with staged approach:
1. remote_prepare_flash: Upload image + store options
2. remote_confirm_flash: Execute sysupgrade directly
3. remote_flash_status: Check flash state
4. remote_cancel_flash: Abort pending flash
Key fixes:
- Use /tmp for firmware (large tmpfs vs small rootfs)
- Direct sysupgrade execution (no nohup, works on OpenWrt)
- Proper dbclient SSH without unavailable commands
- Background job with & instead of nohup
Tested: x86_64 VM successfully flashed from 24.10.5 to 24.10.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Factory tab to Cloning Station with:
- Discovery Mode toggle (enable/disable zero-touch provisioning)
- Pending Devices list with approve/reject and profile assignment
- Bulk Token Generator (1-50 tokens with profile selection)
- Hardware Inventory table (MAC, Model, CPU, RAM, Storage)
Implementation:
- 8 RPC declarations for factory methods
- 5 state properties for factory data
- 5 render functions, 6 event handlers
- Factory data polling in 5-second refresh cycle when on tab
- KISS theme UI components throughout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes Roundcube IMAP "Internal error occurred" caused by Dovecot
running mail processes as uid 102 (Alpine default) instead of the
actual vmail user uid 5000.
Changes:
- configure_postfix: virtual_uid_maps/gid_maps 102/105 → 5000/5000
- configure_dovecot: mail_uid/gid, first_valid_uid, userdb args
- cmd_add_user: passwd file entries and ownership
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add inventory.sh for hardware inventory collection (MAC, serial, model, CPU, RAM, storage)
- Add profiles.sh for profile management and device matching
- Add default.json profile template for auto-provisioned peers
- Add discovery mode to master-link.sh with pending queue and approval workflow
- Add bulk token generation (up to 100 tokens per batch)
- Enhance 50-secubox-clone-provision with inventory collection and discovery join
- Add 9 new RPCD methods to luci.cloner for factory provisioning
- Fix p2p-mesh.sh to be silent when sourced as library
- Add UCI options: discovery_mode, auto_approve_known, discovery_window, default_profile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
P2P Mesh Intelligence implementation:
- Add ZKP trust bonus (+20) for verified peers in IOC validation
- Create blockchain.sh for permanent threat_ioc and ioc_feedback blocks
- Create feedback.sh for IOC effectiveness tracking and reputation updates
- Enhance gossip.sh IOC handler with ZKP-validated trust checks
- Add SCORE_IOC_EFFECTIVE (+5) and SCORE_IOC_FALSE_POSITIVE (-8) to reputation
- Add zkp_trust_bonus and feedback config options
fix(mailserver): Correct vmail UID from 102 to 5000
Dovecot was using wrong UID (102/redis instead of 5000/vmail) causing
permission denied errors when accessing mailboxes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed _check_interval from 10 to 1 to ensure new routes are picked up
immediately when the haproxy-routes.json file is updated.
This fixes the quick publish flow where new sites weren't accessible
immediately because mitmproxy only checked for route changes every
10 requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added entry #45 documenting the fix for 404 errors after MetaBlogizer
site upload/publish caused by missing original_backend field in HAProxy
vhost configs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When MetaBlogizer creates HAProxy vhosts, it routes through mitmproxy_inspector
for WAF inspection. However, mitmproxyctl sync-routes needs the original_backend
field to determine where to forward traffic after WAF inspection.
Without original_backend, sites would return 404 after upload because mitmproxy
had no route to forward traffic to the actual backend.
This fix adds original_backend=$backend_name to all 3 vhost creation locations:
- method_create_site (line 491)
- method_emancipate_site (line 1210)
- method_upload_and_create_site (line 2001)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upload workflow now works without needing to unpublish/expose again.
The reload_haproxy() function now calls mitmproxyctl sync-routes to
ensure mitmproxy picks up new routes immediately after vhost creation.
Root cause: Upload created HAProxy vhost and mitmproxy route file entry,
but mitmproxy never received a reload signal to activate the route.
Running emancipate fixed it because it called mitmproxyctl sync-routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
