Add permission fix for /etc/dovecot/users in startup script.
Without this, dovecot auth fails with "Permission denied" when
trying to read the passwd-file for LMTP delivery.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The firewall-setup command now adds:
- Input rules for ports 25, 143, 465, 587, 993 (accept from WAN)
- Forward rules for mail ports (WAN -> LAN mailserver)
- DNAT rules in firewall.user (excluding LAN subnet)
This ensures nftables input_wan and forward_wan chains allow
mail traffic to reach the mailserver container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine Linux uses LMDB instead of Berkeley DB hash format.
Changed virtual_mailbox_maps from hash: to lmdb: prefix.
Also fixes:
- nftables forward_wan missing port 25 accept rule
- nftables input_wan missing port 25 accept rule
- gk2@secubox.in missing from vmailbox
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add dovecot run directory permission setup
- Add dovenull to dovecot group (fixes login directory access)
- Update HISTORY.md with changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix anvil-auth-penalty socket permission issues that caused
authentication failures. Ensures /run/dovecot has correct ownership
before and after dovecot starts.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add list_users RPCD method to list Nextcloud users via OCC
- Add reset_password RPCD method for password reset via OCC
- Add Users tab in LuCI dashboard with user list
- Add password reset modal with confirmation
- Parse Nextcloud user:displayname JSON format
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use printf instead of echo to preserve $6$ hash prefix
- Write dovecot entry to temp file to avoid shell expansion
- Use correct uid:gid 102:105 for vmail user
- Add userdb_mail field to dovecot passwd format
- Use /var/mail path to match container layout
The SHA512-CRYPT hash ($6$...) was being corrupted when passed
through nested shell commands - the $6$ was interpreted as a
shell variable and removed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Autoconfig:
- Created config-v1.1.xml (Thunderbird), autodiscover.xml (Outlook),
email.mobileconfig (Apple) for automatic mail client configuration
- Added uhttpd instance on port 8025 to serve autoconfig files
- Added HAProxy backends with waf_bypass for autoconfig domains
- Added mailctl autoconfig-setup and autoconfig-status commands
LuCI Mailserver:
- Added user_repair method for mailbox repair (doveadm force-resync)
- Added repair button to user actions in overview
LuCI Nextcloud:
- Added list_users method to list Nextcloud users
- Added reset_password method for password reset via OCC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add mailctl firewall-setup command to configure mail port forwarding
- Add mailctl firewall-clear command to remove mail firewall rules
- Firewall rules now use "! -s LAN_SUBNET" to exclude LAN clients
- LAN clients can reach external mail servers (OVH, Gmail, etc.)
- WAN traffic on mail ports redirected to local mailserver
Fixes SSL certificate errors when LAN clients connect to external IMAP/SMTP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix alias_add RPCD to read JSON from stdin (ubus compatibility)
- Add alias_del function to users.sh
- Add alias del command to mailctl
- Add alias_del RPCD method
Tested: alias_add, alias_list, alias_del all work via ubus call
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Nextcloud Overview and Settings tabs to kiss-theme sidebar for
consistent navigation across all SecuBox apps.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add HexoJS tabs (Overview, Posts, Editor, Media, Deploy, Sync, Theme,
Settings) to kiss-theme.js nav config
- Remove duplicate inline tabs from overview.js
- Tabs now appear in sidebar when HexoJS is selected
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace inline CSS with shared secubox/kiss-theme module for simpler,
faster, more efficient rendering. Code reduced from 320 to 188 lines.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Completely rewrote overview.js with self-contained inline CSS following
the KISS design pattern. Dark theme with stats grid, quick actions,
instance cards with status badges, and clean backups table.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The listInstances and listBackups RPC declarations use expect which
unwraps the response array directly. Changed results[0].instances to
results[0] and results[3].backups to results[3].
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backup/restore commands to hexoctl (backup, restore, backup list/delete)
- Add GitHub clone support (hexoctl github clone <url> [instance] [branch])
- Add Gitea push support (hexoctl gitea push [instance] [message])
- Add quick-publish command (clean + build + publish in one step)
- Add 15 new RPCD methods for instance/backup/git management
- Rewrite LuCI dashboard with KISS theme:
- Multi-instance management with status cards
- Instance controls: start/stop, quick publish, backup, editor, preview
- GitHub/Gitea clone modals
- Backup table with restore/delete
- Stats grid: instances, posts, drafts, backups
- Update API with 12 new RPC declarations
- Update ACL with new permissions
Also includes DNS Master app created in previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added port 143 to RPCD port detection list
- Fixed KISS nav path for Nextcloud (admin/secubox/services/nextcloud)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete rewrite of overview.js with full KISS theme styling
- 4-column stats grid (Status, Users, Storage, SSL)
- Port status cards with visual indicators
- Two-column layout: Users + Aliases tables
- Webmail card with status badge and quick actions
- Connection info panel with server details
- Live polling with 10s refresh
- Added fix_ports, alias_del methods to ACL
- Added Mail Server + Nextcloud to KISS nav sidebar
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Nextcloud production deploy with HAProxy SSL
- WAF rules for Nextcloud & Roundcube CVEs
- Mail client autoconfig DNS and XML endpoint
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change location / from try_files to rewrite for proper app URL handling
- Fixes 403 errors when accessing /apps/* URLs after authentication
- All URLs now properly route through index.php
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change nginx to listen on ${NEXTCLOUD_HTTP_PORT:-8080} instead of hardcoded port 80
- Fix PHP-FPM socket path to use detected PHP version (php${PHP_VERSION}-fpm.sock)
- Avoids port conflict with HAProxy on port 80 when using host networking
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Parse HTML directory listing instead of non-existent index.json
- URL-encode colon in date path for LXC image server
- Add mount_chroot_fs/umount_chroot_fs helpers for proper chroot
- Mount /dev, /dev/pts, /proc, /sys before running apt
- Remove php-smbclient (not in base repos)
- Install gnupg/gpgv first for apt verification
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added mitmproxy WAF data path fix to WIP.md and HISTORY.md
- RPCD now reads from /srv/mitmproxy-in for correct threat stats
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Changed RPCD handler to read from /srv/mitmproxy-in (WAF input)
- Previously read from /srv/mitmproxy which had no threat data
- Fixed threats_today, alerts, autobans stats
- Check mitmproxy-in and mitmproxy-out containers for running status
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds a watchdog loop that checks every 60 seconds if wazuh-agentd
is running and automatically restarts the Wazuh service if it stops.
Fixes agent disconnection issues caused by wazuh-agentd process dying.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/
mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-peertube: Update default port to 9001, hostname to tube.gk2.secubox.in
- luci-app-secubox-portal: Add RPCD backend for dynamic tree generation
- get_tree: Auto-discovers luci-app-* packages grouped by category
- get_containers: Lists LXC containers with running state
- get_vhosts: Lists HAProxy virtual hosts
- luci-tree.js: Rewritten to use RPC for live data with refresh button
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler (luci.peertube) with 11 methods: status, start, stop,
install, uninstall, update, logs, emancipate, live_enable,
live_disable, configure_haproxy
- ACL permissions for read (status, logs) and write operations
- Dashboard features:
- Install wizard with features and requirements
- Service status display with access URL
- Live streaming toggle with enable/disable buttons
- HAProxy configuration status
- Emancipate form for public exposure
- Logs viewer with refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New secubox-app-peertube package for self-hosted video streaming:
- LXC Debian container with PostgreSQL, Redis, Node.js, FFmpeg
- peertubectl control script with install/update/emancipate commands
- UCI configuration for server, transcoding, live streaming, storage
- procd init script with respawn support
- HAProxy integration with WebSocket and extended timeouts
- RTMP live streaming support (optional)
- S3/object storage support (configurable)
- Admin commands for user management
- Backup/restore functionality
Commands:
peertubectl install - Create LXC container with full stack
peertubectl emancipate <domain> - Full exposure with HAProxy + ACME
peertubectl admin create-user - Create user accounts
peertubectl live enable - Enable RTMP live streaming
peertubectl backup/restore - Database backup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
After emancipating a service, automatically sync routes to mitmproxy
WAF to ensure traffic can be properly routed through the mitmproxy
containers without manual intervention.
The new _emancipate_mitmproxy() function calls mitmproxyctl sync-routes
after HAProxy configuration to keep mitmproxy routing table in sync.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
RPCD handler now checks for both:
- /etc/dnsmasq.d/vortex-firewall.conf (dnsmasq mode)
- /etc/bind/zones/rpz.vortex.zone (BIND RPZ mode)
This fixes the "0 blocked domains" display when using BIND DNS server.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The mitmproxy service now uses separate containers:
- mitmproxy-in: External WAF (WAN protection)
- mitmproxy-out: Insider WAF (LAN threat detection)
Updated RPCD handler to check correct container names for status.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Regenerated Packages index with proper Filename fields for all ipk files.
Updated all package versions to latest builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite overview.js to use KissTheme wrapper
- Add health status cards for Agent, Manager, Indexer, CrowdSec
- Add alert statistics with color-coded counters
- Add security layers table (Firewall, IPS, SIEM, WAF)
- Add quick actions with restart agent button
- Include built IPK in secubox-feed
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support both "*.domain" and ".domain" wildcard formats in haproxy_router.py
- Sort wildcards by length (longest first) for correct specificity matching
- Add auto-reload: check routes file mtime every 10 requests
- Update metablogizerctl to use mitmproxyctl sync-routes
Also fix luci-app-wazuh api.js to use baseclass.extend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Support xz, gz, and zst compression for data.tar in deb packages.
Modern Wazuh debs use data.tar.xz instead of data.tar.gz.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package secubox-wazuh-manager provides complete SIEM stack:
- Wazuh Manager: Agent management, log analysis, threat detection
- Wazuh Indexer: OpenSearch-based alert storage
- Wazuh Dashboard: Web UI for visualization (port 5601)
Features:
- Automated LXC container deployment with Debian 12
- HAProxy integration with waf_bypass for dashboard
- Agent management commands (list, info, remove)
- API access and token generation
- Log viewing for all components
- Shell access for administration
CLI: wazuh-managerctl with install/start/stop/status/configure-haproxy
Requirements: 4GB+ RAM, 20GB+ storage for production use
Complements secubox-app-wazuh agent for full SIEM deployment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add _emancipate_mitmproxy() to register domain in WAF routes
- Add _emancipate_path_acl() to create secubox.in/gk2/{name} path routing
- Auto-detect wildcard SSL coverage for *.gk2.secubox.in domains
- Restart mitmproxy-in container after adding routes
- Update help text with 7-step workflow
Emancipate now handles full deployment:
1. DNS A record (Gandi/OVH)
2. Vortex DNS mesh publication
3. HAProxy vhost + backend
4. WAF/mitmproxy integration
5. Path ACL (secubox.in/gk2/{name})
6. SSL certificate (or wildcard)
7. Zero-downtime reload
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed sdlc.gk2.secubox.in showing GK2 Hub template instead of original
"Les Seigneurs de La Chambre" cinematic presentation
- Restored content via git checkout from preserved history
- Documented Streamlit WebSocket incompatibility with MITM proxy
- All 20 Streamlit apps require waf_bypass for WebSocket functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
