- Rewrote method_get_vhosts() to use single-pass awk parsing
- Reduced execution time from 30+ seconds timeout to 0.24 seconds
- Added arm, armada, files42 routes to mitmproxy config
The previous implementation made 4 UCI calls per vhost (764 total)
causing the luci-tree page to timeout. New implementation parses
uci show output once with awk.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add route management commands:
- `mitmproxyctl route list` - List all routes
- `mitmproxyctl route add <domain> <ip> <port>` - Add manual route
- `mitmproxyctl route remove <domain>` - Remove route
- `mitmproxyctl route check` - Check for missing routes
- Improve sync-routes to scan MetaBlogizer and Streamlit services:
- Auto-detect enabled MetaBlogizer sites and add routes
- Auto-detect enabled Streamlit instances with matching vhosts
- Warn about mitmproxy_inspector vhosts with missing routes
- Update routes config with 188 routes
This fixes the issue where services using mitmproxy_inspector backend
would fall back to default because their routes were not configured.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Deployed Yggdrasil on master (aarch64) and clone (x86_64)
- Connected to 2 public peers + LAN multicast auto-discovery
- Bidirectional ping6 and SSH over Yggdrasil working
- Fixed firewall zones: device="ygg0" required for nftables
- IPv6: master 201:e4d4:..., clone 201:a9d8:...
- Marks v1.1+ Yggdrasil overlay as complete
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed _print_uci_userlist to use config_list_foreach
- Each user now gets separate "user ... password ..." line
- Fixes HAProxy basic auth with multiple users
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix auth for Streamlit container (no ubus access)
- Use HTTP JSON-RPC to /ubus endpoint for authentication
- Add ALERTE.DEPOT app source to repo
- Update HISTORY.md with VoIP and auth fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Shell 'local' keyword only works inside functions, not case statements
- Remove all 'local' declarations to fix RPCD handler execution
- Fixes "not in a function" error when calling trunk_test and other methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix active_calls and extensions count to output clean integers
- Remove tr -cd which was causing duplicate values in JSON
- Use simpler variable assignment with fallback to 0
- Prevents malformed JSON output from cmd_status()
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Gitea as a service option in SecuBox Users UI
- Add Gitea checkbox in Add User modal
- Add Gitea service badge in status display
- Implement password sync to Gitea via API on password change
- Fix Gitea API call to include login_name parameter
- Add gitea to check_service() and get_status()
- Sync passwords to all enabled services (email, jabber, nextcloud, gitea)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The bare `except:` clause catches SystemExit which is raised by
sys.exit(0), causing the script to fall through to sys.exit(1).
Changed to `except Exception:` which doesn't catch SystemExit,
allowing proper exit code propagation.
Also:
- Simplified Python extraction script
- Use double quotes for string literals (shell compatibility)
- Write Python script to temp file instead of heredoc (RPCD stdin conflict)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit upload now matches MetaBlogizer KISS pattern:
- Auto-detects ZIP files by magic bytes (PK header)
- Extracts app.py from ZIP archives automatically
- Adds UTF-8 encoding declaration to Python files
- Installs requirements.txt dependencies in background
- Restarts instance on re-upload for immediate update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Upload modal now defaults to replacing index.html
- "Set as index" checkbox checked by default
- Uncheck to use original filename (shows destination field)
- Fixes issue where uploads weren't updating main page
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed button logic from exp.vhost_exists to exp.emancipated
- Non-emancipated sites now correctly show "Expose" button
- Emancipated sites show "Unpublish" button
- vhost_exists was incorrectly true for some non-emancipated sites
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto-republish to method_upload_file (was only in upload_finalize)
- Add Gitea push to cmd_publish when gitea.enabled=1
- Use haproxyctl reload instead of init.d (container-aware)
- Uploaded content now triggers full republish flow for emancipated sites
This fixes the issue where uploading new HTML content didn't update
the live site because republish wasn't triggered.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New RPC method `change_password` in luci.secubox-users
- Verifies current password before allowing change
- Syncs new password to all enabled services (email, jabber, nextcloud)
- Matrix/PeerTube require manual password update (noted in response)
- Portal UI updates:
- New "Account" section with "Change Password" card
- Password change modal with current/new/confirm fields
- "My Services" card showing enabled services
- ACL updated to include new authentication methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move UCI domain update BEFORE slow haproxyctl reload (prevents RPC timeout)
- Run HAProxy generate/reload/cert in background subshell
- Fix vhost name encoding: use tr '.-' '_' (matches streamlitctl)
- Use sed instead of jq for mitmproxy routes (jq may not be installed)
- Tested: domain edit returns immediately, UCI updated correctly
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Show domain column with editable input for non-exposed instances
- Show clickable domain link + edit button for exposed instances
- Add editDomain modal for changing domain on exposed instances
- Domain input pre-filled with default (id.gk2.secubox.in)
- Separate Status column for SSL/WAF badges
- Update API to support domain parameter in renameInstance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update _emancipate_haproxy() to use mitmproxy_inspector backend
- Add mitmproxy route entries for domain -> streamlit port
- Aligns CLI behavior with RPCD emancipate_instance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto Gitea push on emancipate and app rename
- Route emancipated instances through mitmproxy_inspector (WAF) by default
- Add mitmproxy route entries for domains
- Enhanced rename_app to actually rename folders/files
- Enhanced rename_instance to update HAProxy vhost and mitmproxy routes
- Display WAF badge in dashboard for exposed instances
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lxc_start_bg() and lxc_reload() functions for container management
- Replace all /etc/init.d/haproxy calls with container-aware functions
- Fix haproxy-sync-certs to use haproxyctl reload
- Host HAProxy init script disabled, container is sole handler
Resolves intermittent 404 errors caused by dual HAProxy instances.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --version and --profile CLI options to secubox-cloner build command
- Add versions command to list available OpenWrt releases (24.10.5, 24.10.0, 23.05.5, 23.05.4)
- Add package profiles: slim (minimal), core (mesh essentials), full (clone current device)
- Add list_versions and list_build_profiles RPCD methods for LuCI
- Update build_image RPCD to accept version and profile parameters
- Update ACL permissions for new read methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replaces unreliable nohup-based remote flash with staged approach:
1. remote_prepare_flash: Upload image + store options
2. remote_confirm_flash: Execute sysupgrade directly
3. remote_flash_status: Check flash state
4. remote_cancel_flash: Abort pending flash
Key fixes:
- Use /tmp for firmware (large tmpfs vs small rootfs)
- Direct sysupgrade execution (no nohup, works on OpenWrt)
- Proper dbclient SSH without unavailable commands
- Background job with & instead of nohup
Tested: x86_64 VM successfully flashed from 24.10.5 to 24.10.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Factory tab to Cloning Station with:
- Discovery Mode toggle (enable/disable zero-touch provisioning)
- Pending Devices list with approve/reject and profile assignment
- Bulk Token Generator (1-50 tokens with profile selection)
- Hardware Inventory table (MAC, Model, CPU, RAM, Storage)
Implementation:
- 8 RPC declarations for factory methods
- 5 state properties for factory data
- 5 render functions, 6 event handlers
- Factory data polling in 5-second refresh cycle when on tab
- KISS theme UI components throughout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes Roundcube IMAP "Internal error occurred" caused by Dovecot
running mail processes as uid 102 (Alpine default) instead of the
actual vmail user uid 5000.
Changes:
- configure_postfix: virtual_uid_maps/gid_maps 102/105 → 5000/5000
- configure_dovecot: mail_uid/gid, first_valid_uid, userdb args
- cmd_add_user: passwd file entries and ownership
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add inventory.sh for hardware inventory collection (MAC, serial, model, CPU, RAM, storage)
- Add profiles.sh for profile management and device matching
- Add default.json profile template for auto-provisioned peers
- Add discovery mode to master-link.sh with pending queue and approval workflow
- Add bulk token generation (up to 100 tokens per batch)
- Enhance 50-secubox-clone-provision with inventory collection and discovery join
- Add 9 new RPCD methods to luci.cloner for factory provisioning
- Fix p2p-mesh.sh to be silent when sourced as library
- Add UCI options: discovery_mode, auto_approve_known, discovery_window, default_profile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
P2P Mesh Intelligence implementation:
- Add ZKP trust bonus (+20) for verified peers in IOC validation
- Create blockchain.sh for permanent threat_ioc and ioc_feedback blocks
- Create feedback.sh for IOC effectiveness tracking and reputation updates
- Enhance gossip.sh IOC handler with ZKP-validated trust checks
- Add SCORE_IOC_EFFECTIVE (+5) and SCORE_IOC_FALSE_POSITIVE (-8) to reputation
- Add zkp_trust_bonus and feedback config options
fix(mailserver): Correct vmail UID from 102 to 5000
Dovecot was using wrong UID (102/redis instead of 5000/vmail) causing
permission denied errors when accessing mailboxes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed _check_interval from 10 to 1 to ensure new routes are picked up
immediately when the haproxy-routes.json file is updated.
This fixes the quick publish flow where new sites weren't accessible
immediately because mitmproxy only checked for route changes every
10 requests.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When MetaBlogizer creates HAProxy vhosts, it routes through mitmproxy_inspector
for WAF inspection. However, mitmproxyctl sync-routes needs the original_backend
field to determine where to forward traffic after WAF inspection.
Without original_backend, sites would return 404 after upload because mitmproxy
had no route to forward traffic to the actual backend.
This fix adds original_backend=$backend_name to all 3 vhost creation locations:
- method_create_site (line 491)
- method_emancipate_site (line 1210)
- method_upload_and_create_site (line 2001)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upload workflow now works without needing to unpublish/expose again.
The reload_haproxy() function now calls mitmproxyctl sync-routes to
ensure mitmproxy picks up new routes immediately after vhost creation.
Root cause: Upload created HAProxy vhost and mitmproxy route file entry,
but mitmproxy never received a reload signal to activate the route.
Running emancipate fixed it because it called mitmproxyctl sync-routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: reload_haproxy() now copies config to /etc/haproxy.cfg
- haproxyctl: generate_config() syncs to /etc/haproxy.cfg after generation
- Fixes issue where newly uploaded sites return 404 because HAProxy
reads config from /etc/haproxy.cfg but config was only generated to
/srv/haproxy/config/haproxy.cfg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy runs on the host, not in an LXC container. The LED pulse
script was incorrectly checking `lxc-attach -n haproxy -- pgrep haproxy`
which always failed, causing constant SPUNK ALERT red LED flashing.
Changed to check host process directly with `pgrep haproxy`.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move kiss-theme.js from luci-app-secubox-portal to theme package
- Bump theme version to 0.4.8
- Prevents file conflict between packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add convert_to_qcow2() function using qemu-img
- Add QCOW2_FILE output path variable
- Create proxmox-import.sh helper script for easy VM import
- Update distribution package to include QCOW2 and Proxmox script
- Add Proxmox VE instructions to README
- Update usage help with QCOW2 output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add extra_media_paths UCI option for additional bind mounts
- Supports both simple paths (/mnt/usb) and mapped paths (host:container)
- Automatically skips non-existent paths with info message
Example UCI config:
option extra_media_paths '/mnt/sdb1:/mnt/usb /mnt/nas:/mnt/nas'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove cgroup:mixed from mount.auto (incompatible with cgroup v2)
- Add lxc.net.0.type = none for proper host network sharing
- Add lxc.seccomp.profile = and lxc.autodev = 1 for cgroup v2
Fixes container startup failure with "Failed to mount /sys/fs/cgroup"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash's read command collapses consecutive tab delimiters,
causing the protected field to end up in the wrong variable.
Fix: Use "-" as placeholder for empty fields, then strip it when reading.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lock badge CSS for protected site cards
- Add login banner for unauthenticated users
- Detect auth_required flag from metablogizer UCI config
- Hide protected cards until sessionStorage token present
- Filter respects authentication state in search and category views
Works with secubox-core portal-auth system.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sites on *.gk2.secubox.in were failing because HAProxy couldn't match
the SNI to the correct certificate. New add_haproxy_cert() helper:
- Extracts base domain from subdomain
- Creates UCI cert entry mapping domain to wildcard cert file
- Applied to all vhost creation paths (create, upload, republish)
Sites now work immediately after one-click deploy without manual
certificate configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace fragile sed-based JSON manipulation with Python for adding
mitmproxy routes. The new add_mitmproxy_route() helper function:
- Updates both /srv/mitmproxy/ and /srv/mitmproxy-in/ routes files
- Uses proper JSON parsing instead of string substitution
- Ensures sites are immediately accessible after one-click deploy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When editing a site and changing its domain, automatically:
- Remove the old HAProxy vhost for the previous domain
- Create a new vhost for the new domain with priority=50
- Regenerate and reload HAProxy configuration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add inline Edit button for each site in the dashboard allowing users
to modify site name, domain, description, and enabled status directly
from the overview page without navigating to settings.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package secubox-app-talk-hpb:
- Docker-based signaling server and Janus WebRTC gateway
- Auto-generates TURN/SIGNALING/INTERNAL secrets
- Creates HAProxy vhost with SSL/ACME
- STUN/TURN server with UDP+TCP support
- CLI tool: talk-hpbctl setup/status/test/logs
Hub generator v5:
- Add PeerTube videos with thumbnails and duration badges
- Fix Streamlit instance detection (=instance vs =app)
- Total count now: sites + streamlit + videos
MetaBlogizer fix:
- Add priority=50 to new vhosts to prevent wildcard catch
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Multi-view portal with grid/list/compact modes
- Automatic site categorization (Intelligence, Dev, Finance, etc.)
- Iframe thumbnail previews of real site content
- Tag cloud and category tabs with emoji indicators
- Instant search by domain/name/category
- Auto-refresh via cron every 5 minutes
- Created explicit vhosts for 54 MetaBlogizer sites
- Fixed wildcard routing priority
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both create_site_from_upload and upload_and_create_site were missing
HAProxy vhost creation step (step 8 from create_site method).
Changes:
- Add vhost creation with backend=mitmproxy_inspector for WAF routing
- Add mitmproxy route to /srv/mitmproxy-in/haproxy-routes.json
- Apply same fix to original create_site method for consistency
This ensures all MetaBlogizer uploaded sites are immediately accessible
via HTTPS and all traffic passes through WAF inspection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add create_site_from_upload RPC method for chunked site creation
- Modify JS api to auto-chunk files >40KB (ubus message size limit)
- Upload chunks sequentially via upload_chunk, then finalize with
create_site_from_upload
- Add no_cache vhost option to haproxyctl for cache-control headers
- Fix large file upload failures caused by shell argument size limits
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed glob pattern from ${slug}*.vtt to *.vtt to catch all subtitle files
- Fixed language extraction regex to work with any filename format
- Redirected yt-dlp subtitle output to stderr
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New peertube-import script for importing from YouTube, Vimeo, 1000+ sites
- CGI endpoints for portal integration (peertube-import, peertube-import-status)
- Portal UI: Video Import card with progress tracking
- Multi-language subtitle download and PeerTube caption upload
- Fixed stdout/stderr separation for reliable function returns
- UCI config: uses peertube.admin.username/password
- Package version bumped to 1.2.0
- Added README.md with full documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
PeerTube videos don't include the automatic_captions field in their
yt-dlp JSON output. The jq filter was attempting (.automatic_captions | keys)
which fails with "null (null) has no keys" when the field is missing.
Fixed by adding null-coalescing: ((.automatic_captions // {}) | keys)
Also applied same fix to subtitles field for consistency.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New CLI: peertube-analyse
- Extract video metadata via yt-dlp
- Download existing PeerTube subtitles (VTT)
- Fallback to Whisper local transcription (medium model)
- Claude AI analysis with structured intelligence report
Features:
- POSIX-compatible (OpenWrt, Alpine, Debian)
- Modular pipeline with graceful degradation
- Colored terminal output with status indicators
- Configurable Whisper model and language
- Truncation for large transcripts (12k chars)
CLI flags:
--url <url> Video URL
--no-whisper Subtitles only
--force-whisper Force transcription
--no-analyse Skip Claude analysis
--model <name> Whisper model
--lang <code> Language code
Output structure:
./output/<slug>/
├── <slug>.meta.json
├── <slug>.transcript.txt
└── <slug>.analyse.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- luci-app-webradio: Web radio management with Lyrion bridge tab
- luci-app-turn: TURN/STUN server UI for WebRTC (Jitsi integration)
- secubox-app-lyrion-bridge: Lyrion → Squeezelite → FFmpeg → Icecast pipeline
- secubox-app-squeezelite: Squeezelite audio player with FIFO output
- secubox-app-turn: TURN server with ACME SSL and Jitsi setup
- secubox-app-webradio: Icecast/ezstream web radio server
Features:
- HTTPS streaming via HAProxy (stream.gk2.secubox.in)
- Lyrion Music Server bridge for streaming playlists to Icecast
- TURN server with time-limited credential generation
- CrowdSec integration for WebRadio security
- Schedule-based radio programming with jingles
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use SecuBox blue cyberpunk theme (matching login.html)
- Check secubox_token for authentication, redirect to login.html if missing
- Add Guacamole to administration services
- Consistent styling across all portal pages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add login.html with RPCD authentication via luci.secubox-users
- Add reset.html for token-based password recovery
- Both pages use SecuBox cyberpunk dark theme
- Default password: Secubox@2026
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Portal login now authenticates against SecuBox users (UCI config)
instead of hardcoded credentials.
New RPCD methods in luci.secubox-users:
- authenticate: Verify username/password, return session token
- recover: Send password reset email
- reset_password: Set new password with recovery token
Portal pages:
- login.html: Login form with password recovery link
- reset.html: Password reset form (from email link)
Features:
- SHA256 password hashing
- Session tokens stored in /tmp/secubox-sessions/
- Email-based password recovery via mailctl
- Public ACL access (no LuCI login required)
- Passwords synced to services if sync_passwords=1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add upload_and_create_site: one-click deploy with auto HAProxy setup
- Add unpublish_site: remove HAProxy vhost while preserving content
- Add set_auth_required: toggle authentication requirement per site
- Add get_sites_exposure_status: exposure/cert status for all sites
- Simplify dashboard to KISS UI pattern with status badges
- Action buttons: Share, Upload, Expose/Unpublish, Lock/Unlock, Delete
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Reduce dashboard from ~1000 to ~400 lines following MetaBlogizer pattern:
- Replace cbi-value divs with simple status table
- Compact instances table with Enable/Disable/Expose/Delete actions
- Compact apps table with Edit/Delete actions
- Inline forms for adding instances and uploading files
- Remove Gitea section and rename functions
- Cleaner emancipate modal
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Videos imported via yt-dlp are now automatically uploaded to PeerTube:
- OAuth authentication using UCI-stored admin credentials
- Video upload via PeerTube REST API
- Real-time job status polling with import_job_status method
- Progress indicator in LuCI UI
- Automatic cleanup of temp files
New RPCD method: import_job_status for polling job progress.
Version bumped to 1.1.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The IP Blocklist backend package was missing from the feed.
Manually built and added the IPK since wget-ssl dependency
failed to build in the SDK.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace jsonfilter with grep for CrowdSec decision counting
- Add ipset existence check before listing blocked IPs
- Add safety fallbacks for empty/invalid counts
- Bump version to 0.5.2-r2
The jsonfilter -e '@[*]' approach failed with CrowdSec's
multi-line JSON output, causing exit code 251 errors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Return Mbps as decimal strings instead of integers (shows 0.45 instead of 0)
- Replace iptables tracking with conntrack/nftables for per-client bytes
- Works with nftables kernel that has no iptables compatibility
Note: Add cron job for historical data: */5 * * * * ubus call luci.bandwidth-manager record_stats
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The CrowdSec dashboard was reading from /srv/mitmproxy/threats.log
but the WAF input instance writes to /srv/mitmproxy-in/threats.log.
Fixed paths:
- threats.log: /srv/mitmproxy -> /srv/mitmproxy-in
- autoban-processed.log: /srv/mitmproxy -> /srv/mitmproxy-in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Portal page with all service links using *.gk2.secubox.in format
- User guide with updated gk2 subdomain URLs
- Guide link added to login page bottom
- HAProxy vhost configured for portal.secubox.in
- WAF routing enabled through mitmproxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add upload.js wizard with multi-target publishing (HexoJS, Gitea, Streamlit, MetaBlogizer)
- Add submit.js for user content submission with moderation workflow
- Add moderation RPCD methods: submit_for_review, list_pending, approve_submission, reject_submission
- Update ACL with new moderation permissions
- Add menu entries for Upload and Submit & Moderate views
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add MixMonitor integration for automatic call recording
- Add voipctl rec commands: enable/disable/status/list/play/download/delete/cleanup
- Add recordings.js LuCI view with audio player and date filtering
- Add RPCD methods for recording management
- Add UCI config section for recording settings (format, retention)
- Fix OVH API signature to use openssl instead of sha1sum
- Improve PJSIP trunk config with realm and qualify settings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add luci-app-voip, luci-app-jabber, luci-app-jitsi, luci-app-mail,
luci-app-nextcloud, luci-app-webradio to AI & Communication category.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Jingle VoIP, SMS Relay, and Voicemail Notifications sections to
the Jabber overview.js. Expose 9 new RPC methods in api.js for VoIP
control. Also includes remaining VoIP package updates (dialer view,
asterisk-config.sh) from previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Asterisk was removed from Debian Bookworm main repositories.
Added Bullseye repo with pinning to install asterisk packages.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-voip: Asterisk PBX in LXC container
- luci-app-voip: Dashboard with extensions, trunks, click-to-call
VoIP features:
- voipctl CLI for container, extensions, trunks, calls, voicemail
- OVH Telephony API auto-provisioning for SIP trunks
- Click-to-call web interface with quick dial
- RPCD backend with 15 methods
Jabber VoIP integration:
- Jingle VoIP support (STUN/TURN via mod_external_services)
- SMS relay via OVH (messages to sms@domain)
- Voicemail notifications via Asterisk AMI → XMPP
- 9 new RPCD methods for VoIP features
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add webchat setup with Converse.js for browser-based chat access
- Fix Prosody HTTP binding to all interfaces (not just localhost)
- Add http_interfaces and https_interfaces to config
- Run Prosody as prosody user to avoid root permission issues
- Add /chat/ path for webchat served by Prosody http_files module
- Mount webchat directory in LXC container for easy customization
- Update install/emancipate output to show webchat URL
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Run Prosody as prosody user (not root) via su -s /bin/sh
- Fix process detection to look for lua.*prosody pattern
- Generate SSL certs using openssl instead of prosodyctl
- Remove deprecated cross_domain_websocket option
- Create config file before certificate generation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-jabber: LXC-based Prosody XMPP server with:
- Debian Bookworm container
- Full XMPP support (C2S, S2S, MUC, MAM)
- HTTP upload for file sharing
- BOSH and WebSocket for web clients
- SSL/TLS encryption
- User and room management via jabberctl
- luci-app-jabber: LuCI dashboard with:
- Status overview and service controls
- User management (add/delete)
- Emancipate workflow (HAProxy + SSL + DNS)
- Connection info display
- Log viewer
CLI commands:
jabberctl install/uninstall/start/stop/status
jabberctl user add/del/passwd/list
jabberctl room create/delete/list
jabberctl emancipate <domain>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Install yt-dlp in PeerTube LXC container for video downloads
- Add RPCD methods: import_video, import_status
- Add UI section with URL input and download button
- Support YouTube, Vimeo, and 1000+ video sites
- Download videos to import folder for PeerTube admin upload
- Show download status and video count
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security KISS Dashboard:
- Add ndpid (nDPI daemon) to RPCD status method
- Add ndpid to services monitoring array (6 services total)
APPS Portal:
- Add Streamlit to Services category (Python data apps)
- Add MetaBlogizer to Services category (AI blog generation)
Also includes secubox-cloner enhancements from earlier session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add wazuh_running status check to RPCD handler
- Display Wazuh alongside CrowdSec, netifyd, mitmproxy in dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Complete WebRadio management interface for OpenWrt:
- Dashboard with server status, listeners, now playing
- Icecast/Ezstream server configuration
- Playlist management with shuffle/upload
- Programming grid scheduler with jingle support
- Live audio input via DarkIce (ALSA)
- Security: SSL/TLS, rate limiting, CrowdSec integration
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both user_add and user_passwd functions now set correct permissions
(644 root:dovecot) after updating /etc/dovecot/users inside the
container. This prevents "Permission denied" errors on authentication
after adding users or changing passwords.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Ensure /etc/dovecot/users has 644 permissions and root:dovecot ownership
after adding a user. Without this, dovecot cannot read the passwd-file
and authentication fails with "Permission denied".
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create login/token-login/empty directories with correct ownership
- Set proper permissions for dovenull user on login directories
- Remove stale auth-token-secret.dat on startup (prevents "compromised token" errors)
- Increase sleep time after dovecot start for socket creation
- Fix permissions again after socket creation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The ^~ /apps/ location was taking precedence over static file regex
locations, causing SVG icons to return 404. The root location's
rewrite to index.php already handles app routing correctly.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The /apps/dashboard/ and other app paths were returning 403 Forbidden
because nginx was matching the directory via try_files before routing
to PHP. Added explicit location ^~ /apps/ to rewrite to index.php.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add permission fix for /etc/dovecot/users in startup script.
Without this, dovecot auth fails with "Permission denied" when
trying to read the passwd-file for LMTP delivery.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The firewall-setup command now adds:
- Input rules for ports 25, 143, 465, 587, 993 (accept from WAN)
- Forward rules for mail ports (WAN -> LAN mailserver)
- DNAT rules in firewall.user (excluding LAN subnet)
This ensures nftables input_wan and forward_wan chains allow
mail traffic to reach the mailserver container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine Linux uses LMDB instead of Berkeley DB hash format.
Changed virtual_mailbox_maps from hash: to lmdb: prefix.
Also fixes:
- nftables forward_wan missing port 25 accept rule
- nftables input_wan missing port 25 accept rule
- gk2@secubox.in missing from vmailbox
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add dovecot run directory permission setup
- Add dovenull to dovecot group (fixes login directory access)
- Update HISTORY.md with changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix anvil-auth-penalty socket permission issues that caused
authentication failures. Ensures /run/dovecot has correct ownership
before and after dovecot starts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add list_users RPCD method to list Nextcloud users via OCC
- Add reset_password RPCD method for password reset via OCC
- Add Users tab in LuCI dashboard with user list
- Add password reset modal with confirmation
- Parse Nextcloud user:displayname JSON format
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use printf instead of echo to preserve $6$ hash prefix
- Write dovecot entry to temp file to avoid shell expansion
- Use correct uid:gid 102:105 for vmail user
- Add userdb_mail field to dovecot passwd format
- Use /var/mail path to match container layout
The SHA512-CRYPT hash ($6$...) was being corrupted when passed
through nested shell commands - the $6$ was interpreted as a
shell variable and removed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Autoconfig:
- Created config-v1.1.xml (Thunderbird), autodiscover.xml (Outlook),
email.mobileconfig (Apple) for automatic mail client configuration
- Added uhttpd instance on port 8025 to serve autoconfig files
- Added HAProxy backends with waf_bypass for autoconfig domains
- Added mailctl autoconfig-setup and autoconfig-status commands
LuCI Mailserver:
- Added user_repair method for mailbox repair (doveadm force-resync)
- Added repair button to user actions in overview
LuCI Nextcloud:
- Added list_users method to list Nextcloud users
- Added reset_password method for password reset via OCC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mailctl firewall-setup command to configure mail port forwarding
- Add mailctl firewall-clear command to remove mail firewall rules
- Firewall rules now use "! -s LAN_SUBNET" to exclude LAN clients
- LAN clients can reach external mail servers (OVH, Gmail, etc.)
- WAN traffic on mail ports redirected to local mailserver
Fixes SSL certificate errors when LAN clients connect to external IMAP/SMTP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix alias_add RPCD to read JSON from stdin (ubus compatibility)
- Add alias_del function to users.sh
- Add alias del command to mailctl
- Add alias_del RPCD method
Tested: alias_add, alias_list, alias_del all work via ubus call
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Nextcloud Overview and Settings tabs to kiss-theme sidebar for
consistent navigation across all SecuBox apps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HexoJS tabs (Overview, Posts, Editor, Media, Deploy, Sync, Theme,
Settings) to kiss-theme.js nav config
- Remove duplicate inline tabs from overview.js
- Tabs now appear in sidebar when HexoJS is selected
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace inline CSS with shared secubox/kiss-theme module for simpler,
faster, more efficient rendering. Code reduced from 320 to 188 lines.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Completely rewrote overview.js with self-contained inline CSS following
the KISS design pattern. Dark theme with stats grid, quick actions,
instance cards with status badges, and clean backups table.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The listInstances and listBackups RPC declarations use expect which
unwraps the response array directly. Changed results[0].instances to
results[0] and results[3].backups to results[3].
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backup/restore commands to hexoctl (backup, restore, backup list/delete)
- Add GitHub clone support (hexoctl github clone <url> [instance] [branch])
- Add Gitea push support (hexoctl gitea push [instance] [message])
- Add quick-publish command (clean + build + publish in one step)
- Add 15 new RPCD methods for instance/backup/git management
- Rewrite LuCI dashboard with KISS theme:
- Multi-instance management with status cards
- Instance controls: start/stop, quick publish, backup, editor, preview
- GitHub/Gitea clone modals
- Backup table with restore/delete
- Stats grid: instances, posts, drafts, backups
- Update API with 12 new RPC declarations
- Update ACL with new permissions
Also includes DNS Master app created in previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added port 143 to RPCD port detection list
- Fixed KISS nav path for Nextcloud (admin/secubox/services/nextcloud)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete rewrite of overview.js with full KISS theme styling
- 4-column stats grid (Status, Users, Storage, SSL)
- Port status cards with visual indicators
- Two-column layout: Users + Aliases tables
- Webmail card with status badge and quick actions
- Connection info panel with server details
- Live polling with 10s refresh
- Added fix_ports, alias_del methods to ACL
- Added Mail Server + Nextcloud to KISS nav sidebar
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change location / from try_files to rewrite for proper app URL handling
- Fixes 403 errors when accessing /apps/* URLs after authentication
- All URLs now properly route through index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change nginx to listen on ${NEXTCLOUD_HTTP_PORT:-8080} instead of hardcoded port 80
- Fix PHP-FPM socket path to use detected PHP version (php${PHP_VERSION}-fpm.sock)
- Avoids port conflict with HAProxy on port 80 when using host networking
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse HTML directory listing instead of non-existent index.json
- URL-encode colon in date path for LXC image server
- Add mount_chroot_fs/umount_chroot_fs helpers for proper chroot
- Mount /dev, /dev/pts, /proc, /sys before running apt
- Remove php-smbclient (not in base repos)
- Install gnupg/gpgv first for apt verification
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed RPCD handler to read from /srv/mitmproxy-in (WAF input)
- Previously read from /srv/mitmproxy which had no threat data
- Fixed threats_today, alerts, autobans stats
- Check mitmproxy-in and mitmproxy-out containers for running status
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds a watchdog loop that checks every 60 seconds if wazuh-agentd
is running and automatically restarts the Wazuh service if it stops.
Fixes agent disconnection issues caused by wazuh-agentd process dying.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/
mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-peertube: Update default port to 9001, hostname to tube.gk2.secubox.in
- luci-app-secubox-portal: Add RPCD backend for dynamic tree generation
- get_tree: Auto-discovers luci-app-* packages grouped by category
- get_containers: Lists LXC containers with running state
- get_vhosts: Lists HAProxy virtual hosts
- luci-tree.js: Rewritten to use RPC for live data with refresh button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler (luci.peertube) with 11 methods: status, start, stop,
install, uninstall, update, logs, emancipate, live_enable,
live_disable, configure_haproxy
- ACL permissions for read (status, logs) and write operations
- Dashboard features:
- Install wizard with features and requirements
- Service status display with access URL
- Live streaming toggle with enable/disable buttons
- HAProxy configuration status
- Emancipate form for public exposure
- Logs viewer with refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New secubox-app-peertube package for self-hosted video streaming:
- LXC Debian container with PostgreSQL, Redis, Node.js, FFmpeg
- peertubectl control script with install/update/emancipate commands
- UCI configuration for server, transcoding, live streaming, storage
- procd init script with respawn support
- HAProxy integration with WebSocket and extended timeouts
- RTMP live streaming support (optional)
- S3/object storage support (configurable)
- Admin commands for user management
- Backup/restore functionality
Commands:
peertubectl install - Create LXC container with full stack
peertubectl emancipate <domain> - Full exposure with HAProxy + ACME
peertubectl admin create-user - Create user accounts
peertubectl live enable - Enable RTMP live streaming
peertubectl backup/restore - Database backup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After emancipating a service, automatically sync routes to mitmproxy
WAF to ensure traffic can be properly routed through the mitmproxy
containers without manual intervention.
The new _emancipate_mitmproxy() function calls mitmproxyctl sync-routes
after HAProxy configuration to keep mitmproxy routing table in sync.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
RPCD handler now checks for both:
- /etc/dnsmasq.d/vortex-firewall.conf (dnsmasq mode)
- /etc/bind/zones/rpz.vortex.zone (BIND RPZ mode)
This fixes the "0 blocked domains" display when using BIND DNS server.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The mitmproxy service now uses separate containers:
- mitmproxy-in: External WAF (WAN protection)
- mitmproxy-out: Insider WAF (LAN threat detection)
Updated RPCD handler to check correct container names for status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Regenerated Packages index with proper Filename fields for all ipk files.
Updated all package versions to latest builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite overview.js to use KissTheme wrapper
- Add health status cards for Agent, Manager, Indexer, CrowdSec
- Add alert statistics with color-coded counters
- Add security layers table (Firewall, IPS, SIEM, WAF)
- Add quick actions with restart agent button
- Include built IPK in secubox-feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support both "*.domain" and ".domain" wildcard formats in haproxy_router.py
- Sort wildcards by length (longest first) for correct specificity matching
- Add auto-reload: check routes file mtime every 10 requests
- Update metablogizerctl to use mitmproxyctl sync-routes
Also fix luci-app-wazuh api.js to use baseclass.extend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Support xz, gz, and zst compression for data.tar in deb packages.
Modern Wazuh debs use data.tar.xz instead of data.tar.gz.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package secubox-wazuh-manager provides complete SIEM stack:
- Wazuh Manager: Agent management, log analysis, threat detection
- Wazuh Indexer: OpenSearch-based alert storage
- Wazuh Dashboard: Web UI for visualization (port 5601)
Features:
- Automated LXC container deployment with Debian 12
- HAProxy integration with waf_bypass for dashboard
- Agent management commands (list, info, remove)
- API access and token generation
- Log viewing for all components
- Shell access for administration
CLI: wazuh-managerctl with install/start/stop/status/configure-haproxy
Requirements: 4GB+ RAM, 20GB+ storage for production use
Complements secubox-app-wazuh agent for full SIEM deployment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add _emancipate_mitmproxy() to register domain in WAF routes
- Add _emancipate_path_acl() to create secubox.in/gk2/{name} path routing
- Auto-detect wildcard SSL coverage for *.gk2.secubox.in domains
- Restart mitmproxy-in container after adding routes
- Update help text with 7-step workflow
Emancipate now handles full deployment:
1. DNS A record (Gandi/OVH)
2. Vortex DNS mesh publication
3. HAProxy vhost + backend
4. WAF/mitmproxy integration
5. Path ACL (secubox.in/gk2/{name})
6. SSL certificate (or wildcard)
7. Zero-downtime reload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rebuilt secubox-app-jellyfin package with LXC controller
- Updated package feed with new Jellyfin ipk
- Synced all SecuBox packages to local feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Converted secubox-app-jellyfin, secubox-app-mailserver, and added
secubox-app-roundcube to use LXC containers instead of Docker.
Changes:
- jellyfinctl: Now uses LXC at 192.168.255.31
- mailserverctl: New controller for Alpine LXC with Postfix/Dovecot
- roundcubectl: New package for Roundcube webmail LXC
All controllers support:
- Bootstrap Alpine rootfs using static apk
- LXC configuration generation
- HAProxy integration with waf_bypass
- Start/stop/status commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.
- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Creates a landing page with links to public Mastodon clients
(Pinafore, Elk, Semaphore) pre-configured for the local GoToSocial
instance.
- pinaforectl install [instance] - Create client hub
- pinaforectl start/stop - Manage uhttpd server
- pinaforectl emancipate <domain> - Expose via HAProxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change db-address from /data/ to /srv/gotosocial/ for direct host mode
- Change storage path from /data/ to /srv/gotosocial/
- Fix --config to --config-path to match GoToSocial v0.17 CLI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The sync-routes command was only writing to the default /srv/mitmproxy
path. Now copies haproxy-routes.json to all configured instances
(mitmproxy-in, mitmproxy-out) so the HAProxy router addon can
properly route traffic.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The reload-autoban command was only writing to the default data path,
missing the mitmproxy-in and mitmproxy-out instances. Now iterates
over all configured instances to ensure autoban.json is updated
everywhere.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add rmempty=false to autoban enabled flag to prevent LuCI from
removing the option when saving the form. This fixes the issue
where saving settings would reset autoban to disabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove 'mozilla/5.0' from BOT_SIGNATURES - was flagging ALL modern
browsers as bots since this is the standard UA prefix
- Fix suspicious UA detection - no longer flags normal browsers
- Increase CrowdSec bruteforce threshold from 5/30s to 10/60s to reduce
false positives from normal login flows
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
SSRF detection was triggering on any request to internal IPs
(192.168.x.x, 10.x.x.x, etc.) because it was checking the target
URL itself. Now only checks query parameters and request body for
SSRF patterns, which is where actual SSRF attacks occur.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add `waf_enabled` and `waf_backend` options to haproxy.main config.
When waf_enabled=1, all vhost and path-based routing goes through
the WAF backend (default: mitmproxy_inspector) instead of directly
to service backends.
This enables global traffic inspection through mitmproxy WAF while
maintaining proper routing via haproxy_router addon.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Allow disabling HAProxy router mode per-instance via UCI option
`mitmproxy.<instance>.haproxy_router_enabled`. This prevents port
conflicts when running multiple mitmproxy instances (e.g., mitmproxy-out
on 8888 and mitmproxy-in on 8889) where only the inbound instance
needs HAProxy router mode.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: Use network.lan.ipaddr instead of 127.0.0.1 for server address
- service-registry: Same fix for emancipate function
- hexojs: Same fix for HAProxy backend creation
- gotosocial: Switch from LXC to direct execution mode
- v0.18.0 has cgroup bugs, using v0.17.0 instead
- Remove LXC container dependency
- Use /srv/gotosocial for binary and data
- Add proper PID file management
The HAProxy container cannot reach 127.0.0.1 on the host, so all HAProxy
backend servers must use the LAN IP (typically 192.168.255.1).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-gotosocial and luci-app-gotosocial for running a lightweight
ActivityPub social network server in LXC container.
Features:
- gotosocialctl CLI with install, start, stop, user management
- LXC container deployment (ARM64)
- HAProxy integration via emancipate command
- UCI configuration for instance, container, proxy, federation settings
- LuCI web interface with overview, users, and settings tabs
- Mesh integration support for auto-federation between SecuBox nodes
- Backup/restore functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove cgroup:mixed from lxc.mount.auto (causes "Failed to create
cgroup at_mnt" error on certain kernel configurations)
- Disable cgroup memory limit since cgroup is not mounted
- Fixes Gitea container failing to start with cgroup mount errors
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Skip IPv6 addresses and use active_address when available
- Filter out local node from shared services query
- Increase curl max-time to 10s for slow CGI responses
- Skip null/empty peer addresses
- Reduces response time from 48s to ~5s
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change service endpoint from port 8080 to /cgi-bin/p2p-services
- Exclude local node from shared services query
- Extract .services array from response JSON
- Add peer address to each shared service for attribution
- Handle empty/null responses gracefully
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- 1 second delay between I2C writes to prevent bus lockup
- Error detection with backoff
- Max 3 consecutive errors then stops
- 10 second update interval
- Commands: start, stop, status, test
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The emancipate function was checking for app folder existence using
instance name (e.g., "pix") instead of the actual app name
(e.g., "bazi_calculator"). Now properly resolves app from UCI config.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Simple tool to sync LuCI resources, views, RPCD handlers, ACLs and
menus from master node to all mesh peers. No IPK rebuild required.
Usage: mesh-sync-packages
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
BusyBox ash doesn't support 'local' keyword outside functions.
This was causing health_check RPC to hang with no response.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed P2PAPI.discoverPeers() to P2PAPI.discover() to match the
actual method exposed by the API module.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rename from admin/secubox/mirrorbox to admin/services/secubox-p2p
for consistent URL structure with other service apps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add fdisk, resize2fs, partx-utils to ASU package list
- Enables partition expansion on first boot for fresh installs
- Addresses kernel limitation with online ext4 resize
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix build button being unclickable by properly handling disabled attribute
(only set when isBuilding is true, not undefined/false)
- Fix SSH host key mismatch errors in do_scp by cleaning stale known_hosts
entries from all possible locations (/root/.ssh, /.ssh, /overlay/upper/.ssh)
before transfers - prevents failures after device reflash
- Add cursor:pointer style to build button for better UX
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add remote device management: scan_network, list_remotes, add_remote,
remove_remote, remote_status, remote_upload, remote_flash RPCD methods
- Add secubox-asu-clone script for on-the-fly firmware generation via
OpenWrt ASU (Attended Sysupgrade) API
- Include full LuCI packages in ASU builds (luci-base, luci-mod-admin-full,
luci-mod-network, luci-mod-status, luci-mod-system, etc.)
- Add partition expansion script (10-expand-rootfs) to use full SD card/eMMC
with proper UUID and boot config handling for both MBR and GPT
- Add robust provisioning script (99-secubox-provision) with network retry,
firewall handling, and SecuBox package installation from local feed
- Use dropbear's dbclient for SSH operations (OpenWrt native)
- Support mochabin, espressobin-v7, espressobin-ultra, x86-64 devices
- Default to OpenWrt version 24.10.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Four Pillars of Destiny (八字) calculator with French translations
- Dark theme styling: rgba backgrounds, light text colors
- Maître du Jour section with high contrast green accents
- Five Elements balance visualization
- Ten Gods relationships and yearly analysis
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 通書 Tong Shu almanac with Wu Yun Liu Qi calculations
- Dark theme compatible styling with transparent backgrounds
- French translations for zodiac animals and Chinese terms
- Uses st.html() for proper HTML rendering in Streamlit 1.33+
- Includes: Four Pillars, Day Quality, Clash/Directions, Activities
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove old secubox-theme and secubox-portal/header dependencies
- Remove external dashboard.css stylesheet
- Replace ndpid/api with direct RPC declarations
- Use KISS classes (kiss-card, kiss-stat, kiss-table, kiss-badge, kiss-btn)
- Add consistent navigation tabs
- Add poll toggle for auto-refresh control
- Use CSS variables (--kiss-blue, --kiss-green, --kiss-muted, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove external CSS loading (dashboard.css)
- Convert impact cards to KISS grid with CSS variables
- Update proxy settings cards (AdGuard, CDN Cache, WPAD) to KISS styling
- Convert components grid and cards to KISS theme
- Update sync section and component details modal
- Use KissTheme.E() throughout with consistent styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- dashboard.js: KISS stats grid, source chips, type cards, recent devices table
- devices.js: KISS filter bar, device table with inline actions, edit/detail modals
- emulators.js: KISS emulator cards with status badges, mini tables
- mesh.js: KISS peer cards grid, remote devices table
Removes external CSS loading (cssLink pattern) and di-* class prefixes.
Uses KissTheme.E(), kiss-* classes, and CSS variables throughout.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Overview dashboard to use KissTheme:
- Removed external dashboard.css loading
- Replaced all hp- classes with kiss- classes
- Emergency banner with service status and controls
- Stats grid with vhosts, backends, certs counts
- System health grid with container/haproxy/config status
- Virtual hosts table preview
- Backends and certificates cards
- Quick actions grid (start/stop/reload/validate/regenerate/stats)
- Connection details with endpoints
- KISS toast notifications
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Statistics dashboard to use KissTheme:
- Removed CSS import via style element
- Replaced all hp- classes with kiss- classes
- Stats iframe with KISS-styled border
- Logs viewer with line count selector and refresh button
- Empty state for disabled stats or stopped service
- Consistent styling with vhosts.js and backends.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Backends dashboard to use KissTheme:
- Removed external dashboard.css dependency
- Replaced all hp- classes with kiss- classes and inline styles
- Self-contained inline CSS using KISS variables
- Backend cards with server lists, health check info
- Add backend form with mode, balance, health check options
- Add/edit server modals with quick service selector
- Delete confirmations and toast notifications
- Consistent styling with vhosts.js
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed LXC container status detection from lxc-ls to lxc-info:
- lxc-info -n mitmproxy -s provides direct state query
- More reliable than parsing lxc-ls --running output
- Fixed container name from secbx-mitmproxy to mitmproxy
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Rewrote HAProxy Virtual Hosts dashboard to use KissTheme:
- Self-contained inline CSS using KISS variables
- Removed external dashboard.css dependency
- Add vhost form with domain/backend/SSL inputs
- Vhosts table with status badges and actions
- Edit modal and delete confirmation dialogs
- Toast notifications for user feedback
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy evaluates ACL rules in order - first match wins. Wildcard
suffix rules (*.gk2.secubox.in) were catching all subdomains before
specific vhost rules could match.
Fix: Split vhost ACL generation into two passes:
1. First: exact and regex matches (specific domains)
2. Second: suffix matches (wildcards)
This ensures wanted.gk2.secubox.in matches before *.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
AI Insights Dashboard:
- Rewrite CSS with KISS cyberpunk theme (dark bg, neon accents, glowing effects)
- Fix CVE feed RPCD for OpenWrt/BusyBox compatibility (date format, JSON building)
- Add wget fallback for CVE fetch
Tor Shield:
- Add excluded_domains support for bypassing Tor routing
- Resolve domains via nslookup and add to iptables RETURN rules
- Default exclusions: openwrt.org, downloads.openwrt.org, services.nvd.nist.gov
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_cve_feed RPCD method fetching from NVD API
- Add CVE feed panel showing recent vulnerabilities with CVSS scores
- Cache CVE feed for 30 minutes to reduce API calls
- Link CVE IDs to NVD detail pages
- Color-code severity (critical/high/medium/low)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Convert packages string to proper JSON array format
- Add -dnsmasq to avoid conflict with dnsmasq-full
- Add rootfs_size_mb: 512 for larger package sets
- Trim default packages to fit in standard rootfs
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Same expect unwrapping bug was present in refresh() function,
causing stats to show counts but content to show "No items"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add build_progress RPCD method to track image build status
- Fix handleBuild() to handle RPC expect array unwrapping
- The expect: { devices: [] } unwraps the array, so data IS the array
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The build_progress RPCD method was missing from ACL, causing
"Access denied" (-32002) errors when polling build status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
