gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
1,537 Commits 4 Branches 293 Tags 320 MiB
dd18e5c4aa
Commit Graph

17 Commits

Author SHA1 Message Date
CyberMind-FR
21a8f06058 chore(secubox-app-bonus): Rebuild local feed with repo packages 
- Add secubox-app-repo and luci-app-repo to local feed
- Regenerate Packages index
- Update all embedded packages

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-03-18 12:54:11 +01:00
CyberMind-FR
79775faa6e fix(luci): Add web UI URL link to Lyrion dashboard 
- Move Web Interface section to top for visibility
- Always show Open Lyrion Web UI button with dynamic URL
- Display URL text next to button

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-03-15 18:39:03 +01:00
CyberMind-FR
66b58c74d6 feat(catalog): Add Streamlit Forge and RezApp Forge to KISS Apps 
- luci-app-streamlit-forge: Streamlit app publishing platform
  - Category: productivity, runtime: lxc
  - Templates, SSL exposure, mesh publishing

- luci-app-rezapp: Docker to LXC app converter
  - Category: system, runtime: native
  - Catalog browsing, package generation

- Updated new_releases section
- Total plugins: 37 → 39

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-03-11 09:44:08 +01:00
CyberMind-FR
8769a60275 feat(sbom): Add CRA Annex I compliant SBOM pipeline 
Implements comprehensive Software Bill of Materials generation for
EU Cyber Resilience Act compliance with ANSSI CSPN certification path.

SBOM Pipeline:
- scripts/check-sbom-prereqs.sh: Prerequisites validation (OpenWrt, tools, Kconfig)
- scripts/sbom-generate.sh: Multi-source SBOM generation (native, feed, rootfs, firmware)
- scripts/sbom-audit-feed.sh: PKG_HASH/PKG_LICENSE feed audit with MANIFEST.md
- Makefile: SBOM targets (sbom, sbom-quick, sbom-validate, sbom-scan, sbom-audit)
- .github/workflows/sbom-release.yml: CI with CVE gating and auto-security issues

Documentation:
- SECURITY.md: CRA Art. 13 §6 compliant vulnerability disclosure policy
- docs/sbom-pipeline.md: Architecture, CRA mapping, ANSSI CSPN guidance

AI Gateway (bonus feed):
- secubox-ai-gateway: 3-tier data classification (LOCAL_ONLY/SANITIZED/CLOUD_DIRECT)
- luci-app-ai-gateway: LuCI dashboard with provider management and audit logging

Output formats: CycloneDX 1.6 (primary) + SPDX 2.3 (secondary)
Tools: syft, grype, cyclonedx-cli (auto-installed if missing)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-03-04 08:01:00 +01:00
CyberMind-FR
4a0ab9530f feat(mesh): Yggdrasil extended peer discovery + bugfixes 
## New Features
- secubox-app-yggdrasil-discovery: Mesh peer discovery via gossip protocol
  - yggctl CLI: status, self, peers, announce, discover, bootstrap
  - Auto-peering with trust verification (master-link fingerprint)
  - Daemon for periodic announcements

## Bug Fixes
- tor-shield: Fix opkg downloads failing when Tor active
  - DNS over Tor disabled by default
  - Auto-exclude public DNS servers from iptables rules
  - Excluded domains bypass list (openwrt.org, pool.ntp.org, etc.)

- haproxy: Fix portal 503 "End of Internet" error
  - Corrected malformed vhost backend configuration
  - Regenerated HAProxy config from UCI

- luci-app-nextcloud: Fix users list showing empty
  - RPC expect clause was extracting array, render expected object

## Updated
- Bonus feed: All IPKs rebuilt
- Documentation: HISTORY.md, WIP.md, TODO.md updated

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-28 17:32:41 +01:00
CyberMind-FR
5d905c23ac feat(openclaw): Add Google Gemini API support 
- Added gemini provider with models: gemini-1.5-flash, gemini-1.5-pro, gemini-pro
- Updated RPCD handler with Gemini API endpoint
- Updated settings.js with Google AI Studio link
- Updated chat.js to parse Gemini response format
- Changed Ollama default URL to LocalAI (port 8091)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-27 11:47:17 +01:00
CyberMind-FR
29e2eac616 fix(haproxy): Sync generated config to /etc/haproxy.cfg 
- metablogizer: reload_haproxy() now copies config to /etc/haproxy.cfg
- haproxyctl: generate_config() syncs to /etc/haproxy.cfg after generation
- Fixes issue where newly uploaded sites return 404 because HAProxy
  reads config from /etc/haproxy.cfg but config was only generated to
  /srv/haproxy/config/haproxy.cfg

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-24 08:02:42 +01:00
CyberMind-FR
08ebaefafb feat(portal): Add login and password reset pages for SSO 
- Add login.html with RPCD authentication via luci.secubox-users
- Add reset.html for token-based password recovery
- Both pages use SecuBox cyberpunk dark theme
- Default password: Secubox@2026

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-21 13:21:15 +01:00
CyberMind-FR
b2ec879814 fix(feed): Add missing secubox-app-ipblocklist backend package 
The IP Blocklist backend package was missing from the feed.
Manually built and added the IPK since wget-ssl dependency
failed to build in the SDK.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-21 07:52:09 +01:00
CyberMind-FR
f9f2be9252 fix(system-hub): Fix get_denoise_stats RPCD returning no response 
- Replace jsonfilter with grep for CrowdSec decision counting
- Add ipset existence check before listing blocked IPs
- Add safety fallbacks for empty/invalid counts
- Bump version to 0.5.2-r2

The jsonfilter -e '@[*]' approach failed with CrowdSec's
multi-line JSON output, causing exit code 251 errors.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-21 07:05:24 +01:00
CyberMind-FR
58220065b5 feat(v0.23.0): Matrix homeserver, SaaS Relay CDN caching, Media Hub dashboard 
Matrix Homeserver (Conduit):
- E2EE mesh messaging using Conduit v0.10.12 in LXC container
- matrixctl CLI: install/uninstall, user/room management, federation
- luci-app-matrix: status cards, user form, emancipate, mesh publish
- RPCD backend with 17 methods
- Identity (DID) integration and P2P mesh publication

SaaS Relay CDN Caching & Session Replay:
- CDN cache profiles: minimal, gandalf (default), aggressive
- Session replay modes: shared, per_user, master
- saasctl cache/session commands for management
- Enhanced mitmproxy addon (415 lines) with response caching

Media Services Hub Dashboard:
- Unified dashboard at /admin/services/media-hub
- Category-organized cards (streaming, conferencing, apps, etc.)
- Service status indicators with start/stop/restart controls
- RPCD backend querying 8 media services

Also includes:
- HexoJS static upload workflow and multi-user auth
- Jitsi config.js Promise handling fix
- Feed package updates

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-20 11:44:26 +01:00
CyberMind-FR
b6747c197e feat(security): Add instant ban feature and user management 
- Add enhanced instant ban for critical threats (SQL injection, CVE exploits, RCE)
  - CrowdSec trigger scenario for single-hit bans on severity=critical
  - Instant ban daemon (10s polling) for rapid response
  - UCI options: instant_ban_enabled, instant_ban_duration (48h default)
  - WAF addon updated to route critical threats to instant-ban.log

- Add centralized user management (secubox-core-users, luci-app-secubox-users)
  - CLI tool: secubox-users add/del/passwd/list/sync/status
  - LuCI dashboard under System > SecuBox Users
  - Unified user provisioning across Nextcloud, PeerTube, Matrix, Jabber, Email

- Add Matrix/Conduit integration (secubox-app-matrix, luci-app-matrix)
  - LXC-based Conduit homeserver deployment
  - Full RPCD handler with user/room management
  - HAProxy integration for federation

- Add provision-users.sh script for bulk user creation
- Update secubox-feed with new IPKs

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-19 20:17:28 +01:00
CyberMind-FR
b78ea3b683 fix(nextcloud): Fix LXC rootfs download and chroot mounts 
- Parse HTML directory listing instead of non-existent index.json
- URL-encode colon in date path for LXC image server
- Add mount_chroot_fs/umount_chroot_fs helpers for proper chroot
- Mount /dev, /dev/pts, /proc, /sys before running apt
- Remove php-smbclient (not in base repos)
- Install gnupg/gpgv first for apt verification

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-16 08:02:01 +01:00
CyberMind-FR
ffb9fe3785 fix(peertube): Change default port from 9000 to 9001 
Port 9000 is used by Lyrion music server.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-15 06:04:25 +01:00
CyberMind-FR
54d555206b chore(feed): Update secubox-app-bonus local feed packages 
Regenerated Packages index with proper Filename fields for all ipk files.
Updated all package versions to latest builds.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-14 17:18:02 +01:00
CyberMind-FR
cd53d508fa feat(jellyfin): Update to v3.0.0 with LXC-based deployment 
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-14 09:48:51 +01:00
CyberMind-FR
cac9fa3e4f fix(mitmproxy): Fix false positives for legitimate browsers 
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
  browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
  false positives from normal login flows

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-02-14 05:51:53 +01:00