- Add /etc/config/metablogizer with default settings
- Update Makefile to install config as conffile
- Fixes 404 error when accessing MetaBlogizer in LuCI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- CrowdSec Dashboard: Add bouncer_count, geoip_enabled, acquisition_count,
scenario_count fields to get_overview and get_health_check RPCD functions
- MetaBlogizer: Fix menu path to admin/secubox/services/metablogizer
- Portal: Add MetaBlogizer and Gitea to apps registry for services section
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The dashboard was showing 0 decisions because `cscli decisions list`
only returns local decisions, not CAPI blocklist entries.
Fixed by:
- Parsing CAPI decision counts from `cscli metrics` output
- Added separate local_decisions and capi_decisions fields
- Updated overview to show "CAPI Blocklist" and "Local Bans" separately
- Fixed get_capi_metrics to use metrics parsing instead of decisions list
This correctly shows ~15,000 CAPI blocklist IPs instead of 0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change evt.Line contains -> evt.Line.Raw contains in parsers
(pipeline.Line type requires .Raw accessor for string operations)
- Remove invalid filter: field from acquisition configs
(filter belongs in parsers, not acquisition files)
Fixes CrowdSec v1.7.6 startup failures.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New luci-app-metablogizer package replacing metabolizer with simplified
static site publishing:
- RPCD backend with create/delete/sync site methods
- Auto HAProxy vhost creation with SSL/ACME
- Nginx LXC container integration for serving static files
- Git sync from Gitea repositories
- QR code generation for published URLs
- Social share buttons (Twitter, LinkedIn, Facebook, Telegram, WhatsApp, Email)
- Drag-and-drop file upload UI
- SecuBox light theme styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Bump CrowdSec version from 1.7.4 to 1.7.6
- Add modernc.org/sqlite v1.34.2 vendor module (Go 1.21 compatible)
- Patch strings.SplitSeq in hubtest for Go 1.23 compatibility
- Add replace directive for sqlite to use vendored version
Built and tested: crowdsec_1.7.6-r1_aarch64_cortex-a72.ipk (80MB)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- README.md: Update to v0.16.0 with all 38 modules categorized
- CHANGELOG.md: Create comprehensive changelog (v0.12.0-v0.16.0)
- CLAUDE.md: Add toolchain build rules for Go/CGO packages
- secubox-tools/README.md: Add SDK vs toolchain build guidance
- TODO-ANALYSE.md: Mark completed tasks, update health score
- HISTORY.md: Document ARM64 toolchain discovery, multi-instance
- dev-status-widget.js: Update stats (38 modules, 1500 commits)
SDK builds produce LSE atomics that crash on some ARM64 CPUs.
Go/CGO packages (crowdsec, netifyd) must use full toolchain.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec:
- Change LAPI default port from 8080 to 8180 (avoid Docker conflict)
- Update bouncer config, init script, and RPCD dashboard
- Fix port detection hex value (1FF4 for 8180)
Streamlit:
- Complete rewrite with folder-based app structure
- Multi-instance support (multiple apps on different ports)
- Gitea integration (clone, pull, setup commands)
- Auto-install requirements.txt with hash-based caching
HexoJS:
- Multi-instance support with folder structure
- Multiple blog instances on different ports
HAProxy:
- Auto-generate fallback backends (luci, apps, default_luci)
- Add --server letsencrypt to ACME commands
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add publish_to_www RPCD method to publish static files to /www/blog
- Add Build & Publish card in sync.js with configurable publish path
- Add generate RPC call for building site
- Fix file permissions for all RPCD scripts and init.d scripts
- Bump luci-app-hexojs to 1.0.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit Instances:
- Add Publish button with HAProxy integration (uses instance port)
- Add Edit dialog for modifying instance settings
- Replace enable/disable buttons with checkbox
- Get LAN IP dynamically from status data
- Bump luci-app-streamlit to r8
HAProxy:
- Add haproxy-acme-cron script for background cert processing
- Cron runs every 5 minutes to issue pending ACME certificates
- Prevents UI blocking during certificate issuance
- Bump secubox-app-haproxy to r19
RPCD:
- Fix json_error to return consistent format with json_success
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix enabled/disabled select showing wrong value
- Normalize memory limit values (1G/2G/4G -> 1024M/2048M/4096M)
- Fix boolean value handling for headless and usage stats
- Use Object.assign for conditional selected attribute
- Bump to r6
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Instances tab to LuCI Streamlit dashboard
- RPCD backend: list/add/remove/enable/disable instances
- API module: instance management methods
- UI: Instance table with status, port, enable/disable/remove actions
- Add Instance form with app selector and auto port assignment
- Apply & Restart button to apply instance changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move nested functions outside parent functions (ash doesn't support local functions)
- Fix _build_instance_entry and _print_instance_json syntax
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add multi-instance mode: run multiple apps on different ports
- New UCI config structure with 'instance' sections
- Container starts multiple streamlit processes via STREAMLIT_INSTANCES env
- CLI commands: instance list/add/remove/enable/disable
- Each instance has its own port, requirements auto-install
- Backward compatible: single-app mode still works
- Bumped to 1.0.0-r4
Example config:
config instance 'dashboard'
option app 'dashboard.py'
option port '8502'
option enabled '1'
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Auto-detect and install app-specific requirements on container start
- Supports: <app>.requirements.txt, <app>_requirements.txt, requirements.txt
- Uses hash-based caching to avoid reinstalling on each restart
- Bumped to 1.0.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes:
- HAProxy: Prevent duplicate server names when both inline and separate
server UCI sections exist for same backend
- Streamlit: Force --server.headless=true in start script (required for server)
- Dashboard: Optimize get_dashboard_data RPC call (6.56s → 0.09s) by using
fast catalog counting instead of slow appstore list command
- Exposure: Add themed dashboard with SecuBox styling
- ACL: Add missing RPCD permissions for various LuCI apps
Version bumps:
- luci-app-exposure: 1.0.0-r3
- secubox-core: 0.10.0-r5
- secubox-app-haproxy: 1.0.0-r18
- secubox-app-streamlit: 1.0.0-r2
- Portal: v0.15.51
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add cert_is_production() to detect Let's Encrypt staging certificates
- Add cert_validate_public() to verify certificate publicly via curl/openssl
- Add cert_info() to display certificate details (domain, issuer, dates)
- Add cmd_cert_verify command for on-demand certificate verification
- Update cmd_cert_list to show staging/production status with icons
- Update cmd_cert_add to warn about staging mode and verify after issuance
- Bump package release to r16
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace buttons with toggle switches for enabling/disabling exposures
- Show current exposure status with colored indicators
- Load and display Tor hidden services and SSL backends status
- Add stats cards for exposable services, Tor services, and SSL backends
- Modal dialogs for configuring exposure parameters on toggle
- Bump luci-app-exposure to 1.0.0-r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix HAProxy certificate key naming (.key -> .crt.key) for directory loading
- Add auto-fix in container startup script for existing certificates
- Add list_exposed_services RPC method to fetch services from secubox-exposure
- Add dynamic port scanning for running services discovery
- Add "Quick Select" dropdown in Add Server modal for service auto-fill
- Bump luci-app-haproxy to 1.0.0-r8
- Bump secubox-app-haproxy to 1.0.0-r15
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- HAProxy overview: Add prominent emergency banner showing service status
with quick health indicators (Container/HAProxy/Config) and one-click
Restart/Start/Stop buttons
- SecuBox dashboard: Add Critical Services Quick Restart section with
buttons for HAProxy, CrowdSec, Tor Shield, and Gitea
- Metabolizer config: Fix portal_path to /www/blog
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Exposure Manager:
- Fix RPCD subshell issues in status and ssl_list methods
- Fix JS views to handle both array and object API responses
MagicMirror2:
- Change default port from 8082 to 8085 (avoid CyberFeed conflict)
- Update mm2ctl, RPCD, settings.js, dashboard.js, config
Tor Shield:
- Add restart method to RPCD and API
- Add health status minicard (Service, Bootstrap, DNS, Kill Switch)
Portal:
- Add 'active-ports' section for detected services
- Separate portal apps (Services) from detected ports (Active Ports)
Service Detection:
- Prioritize port-based identification over process name
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD: Use temp file for scan to avoid pipe subshell issues
- api.js: Use baseclass.extend() for proper LuCI module pattern
- Menu: Remove UCI dependency that caused 404
- Makefile: Make haproxy/tor optional dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New features in this release:
- Service Exposure integration in network section
- Security stats on dashboard (WAN drops, firewall rejects, CrowdSec)
- Threat Monitor in security cards
- Fixed http:// URLs for local services
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New app entry for service-exposure in portal network apps:
- Port conflict management
- Tor hidden services
- HAProxy SSL backends
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New unified tool for service exposure management:
- Port conflict detection and resolution (scan, conflicts, fix-port)
- Dynamic Tor hidden service management (tor add/list/remove)
- HAProxy SSL reverse proxy configuration (ssl add/list/remove)
Commands:
secubox-exposure scan # List listening services
secubox-exposure conflicts # Detect port collisions
secubox-exposure tor add gitea # Create .onion for service
secubox-exposure ssl add svc domain # Add HAProxy SSL backend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Service detection now prioritizes process name matching over port-based
detection for more accurate identification of netifyd, streamlit,
cyberfeed, metabolizer, magicmirror, and picobrew services.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Services in LXC/Docker containers don't have SSL certificates,
so always use http:// instead of inheriting the browser's protocol.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add threat-monitor app to security section in portal.js
- Add security stats RPC call (get_security_stats)
- Display packets blocked and alerts on dashboard
- Add Threat Monitor to featured quick access apps
- Show WAN dropped + firewall rejects in events section
- Link to Threat Monitor dashboard from events
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security Stats:
- Add get_security_stats RPCD method for quick overview
- Track WAN drops, firewall rejects, CrowdSec bans
- Add secubox-stats CLI tool for quick stats check
Gitea Mirror Commands:
- Add mirror-sync to trigger mirror repository sync
- Add mirror-list to show all mirrored repos
- Add mirror-create to create new mirrors from GitHub URLs
- Add repo-list to list all repositories
- Requires API token: uci set gitea.main.api_token=<token>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- haproxy: Add explicit restart_service function
- tor-shield: Add explicit restart_service function
- wireguard-dashboard/qrcode.js: Use baseclass.extend() pattern
to fix "factory yields invalid constructor" error
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HAProxy requires certificate files to contain both the fullchain
(cert + intermediate CA) and the private key concatenated together.
Changes:
- haproxyctl: Fix cert_add to create combined .pem files
- haproxy-sync-certs: New script to sync ACME certs to HAProxy format
- haproxy.sh: ACME deploy hook for HAProxy
- init.d: Sync certs before starting HAProxy
- Makefile: Install new scripts, add cron job for cert sync
This fixes the "No Private Key found" error when HAProxy tries to
load certificates that only contain the fullchain without the key.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC expect clause unwraps responses - when `expect: { peers: [] }`
is used, the response `{peers: [...]}` gets unwrapped to just `[...]`.
Fixed:
- api.js: getAllData and getMonitoringData now handle both array
and object formats for peers, interfaces, and rates
- overview.js: render and polling functions now safely unwrap
data that may be array or nested object
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
RPCD backend:
- Fix critical json_init bug: variables must be extracted BEFORE
json_init() which wipes the loaded JSON. Affected functions:
save_settings, do_enable, set_bridges, add/remove_hidden_service
- Fix process detection: use pgrep instead of pid file
- Fix uptime calculation: get PID from pgrep, not pid file
- Fix RPC expect unwrapping in getDashboardData for presets
Init script:
- Remove PidFile directive (procd manages the process)
- Clean up stale files before starting to avoid permission issues
- Set proper ownership on torrc after generation
- Fix iptables chain creation to handle "already exists" gracefully
- Remove from OUTPUT chain before attempting chain deletion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC expect clause unwraps the response, so circuits data may be
an array directly rather than an object with circuits property.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix subshell bug in get_circuits (pipe loses JSON state)
- Add has_control flag to status for frontend awareness
- Fix UseBridges without bridge lines causing Tor to fail
- Fix hidden service directory ownership (tor:tor)
- Change log output from file to syslog
- Fix run directory ownership and permissions (700)
- Add CookieAuthentication for control socket auth
- Use socat instead of nc (BusyBox lacks Unix socket support)
- Add socat as package dependency
- Optimize duplicate curl calls in status check
- Use fallback IP services for real_ip detection
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_services RPCD method to detect listening TCP services
- Map known ports to service names, icons, and categories
- Display clickable service cards in portal Services tab
- Services link directly to their URLs (e.g., :3000 for Gitea)
- Filter to show only externally accessible services with URLs
- Add ACL permissions for portal and admin apps
Detected services include: Gitea, HexoJS, CyberFeed, Streamlit,
HAProxy Stats, Netifyd, LuCI, Lyrion, and more.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
HexoJS now serves dynamically on :4000 via HAProxy vhost routing.
- Disabled auto_publish in metabolizer
- Disabled portal in hexojs
- /www stays free for SecuBox portal and other apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add 'generate' as alias for 'build' command
- Rename cmd_publish for drafts to cmd_publish_draft
- Fix duplicate cmd_publish functions
- Add portal config section with /www/blog path
- publish draft <slug> for drafts, publish for portal
- Metabolizer integration now working
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD _add_backend now parses inline 'server' option format
- Servers embedded in backend response with inline flag
- update_server converts inline servers to separate UCI sections
- delete_server handles both inline and separate server sections
- API and UI pass inline flag for proper handling
Fixes server port editing in LuCI backends interface.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add showEditVhostModal() for editing virtual host properties
- Add showEditBackendModal() for editing backend configuration
- Add showEditServerModal() for editing server properties
- Modern card-based UI with inline edit/delete actions
- Toggle enable/disable for backends
- Fix haproxyctl to read server option from backend UCI sections
- Add debug logging to container startup script
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change all hardcoded /blog/ paths to use / as root:
Theme configuration:
- _config.yml: Menu paths now /cybersecurity/ instead of /blog/cybersecurity/
- Blog submenu path changed to /categories/
Layout templates:
- post.ejs: Category link uses url_for with root path
- index.ejs: "Voir le blog" links to /categories/
- category.ejs: Breadcrumb and back links use /categories/
Scripts:
- dynamic-blog.js: Category paths now /{slug}/ instead of /blog/{slug}/
- Menu blog path changed to /categories/
Presets:
- tech.yml: Menu paths updated
- portfolio.yml: Blog link updated
hexoctl:
- Default portal_path changed from /www/blog to /www
- Help text updated
This allows the blog to be served from the root URL with categories
at /{category}/ paths.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change pidfile from haproxy-lxc.pid to haproxy.pid for consistency
with the actual container name.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Change container references from 'haproxy-lxc' to 'haproxy' to match
the actual container name used by secubox-app-haproxy. This fixes
the LuCI status view showing container_running: false.
Fixes affected methods:
- method_status: container existence and state checks
- method_get_stats: container running check
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Templates now properly use Hexo's url_for() helper:
- apps.ejs: navigation links
- category.ejs: breadcrumb, apps, services, blog links
- showcase.ejs: contact, portfolio, apps, services links
This ensures all links work correctly when root is set to a
subdirectory (e.g., /blog/ instead of /)
Bumped release to r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Calculate web root from portal path (e.g., /www/blog → /blog/)
- Update _config.yml root setting before regenerating
- Run hexo clean && generate to apply new root
- Bumped release to r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Piped while loop runs in subshell, JSON additions don't persist
- Use temp file + redirect to avoid subshell issue
- Also fix list_backups with same pattern
- Bumped release to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Server now binds to 0.0.0.0 instead of localhost for external access
- Added publish command to copy static files to /www/blog/
- Startup script always regenerates to ensure correct binding
- Bumped release to r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add gitea_status, gitea_sync, gitea_clone, gitea_save_config RPCD methods
- Add Gitea section to sync.js with config form and sync buttons
- Update ACL for new Gitea methods
- Fix luci-app-metabolizer install section for RPCD executable
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove yaml import, use simple string parsing for front matter
- Remove dependency on host metabolizerctl
- Use environment variables for paths (METABOLIZER_CONTENT)
- Remove switch_page calls that fail in container
- CMS now works standalone inside Streamlit container
- Bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Export PATH at top of startup script for git binary
- Export HOME=/data for proper environment
- Set SCRIPT_TYPE=sh in app.ini (no bash in Alpine)
- Bump to r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Alpine's adduser wasn't creating the group properly, causing
chown git:git to fail with "unknown group".
- Add explicit addgroup -g 1000 git before adduser
- Use -G git flag to assign user to the group
- Bump to r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use /bin/sh instead of /bin/bash for git user shell
- Check for su-exec binary instead of marker file for deps
- Always recreate git user on startup (doesn't persist in container)
- Set explicit UID 1000 for git user
- Bump release to r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create /data, /opt, /run directories in rootfs during install
- Simplify mount entries (single /data mount)
- Ensure host data directories exist before creating LXC config
- Install dependencies (git, su-exec, etc.) on first container run
- Create required subdirectories in startup script
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add is_installed() and is_running() checks to init.d
- Show reason when service not running (disabled/not installed)
- Enable gitea by default in UCI config
- Require installation before starting
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Metabolizer Blog Pipeline - integrated CMS for SecuBox:
- Gitea: Mirror GitHub repos, store blog content
- Streamlit: CMS app with markdown editor and live preview
- HexoJS: Static site generator (clean → generate → publish)
- Webhooks: Auto-rebuild on git push
- Portal: Static blog served at /blog/
Pipeline: Edit in Streamlit CMS → Push to Gitea → Build with Hexo → Publish
Packages:
- secubox-app-streamlit: Streamlit server with LXC container
- luci-app-streamlit: LuCI dashboard for Streamlit apps
- secubox-app-metabolizer: CMS pipeline orchestrator
CMS Features:
- Two-column markdown editor with live preview
- YAML front matter editor
- Post management (drafts, publish, unpublish)
- Media library with image upload
- Git sync and Hexo build controls
- Cyberpunk theme styling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Amber (#ffb000) for titles, borders, hover effects
- Green (#33ff33) for dates, sources, navigation
- Gradient timeline line (amber → green → amber)
- Glow effects on text and borders
- Audio items highlighted in green
- Status bar with item count and sync time
- Emojified content from AWK parser preserved
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Left panel (1/3): CRT monitor style with:
- Phosphor green text with glow effect
- Scanlines overlay
- Screen curvature effect
- Power LED with pulse animation
- VT323 monospace font
- Scrollable latest 15 items
- Right panel (2/3): Standard cyberpunk timeline with:
- Vertical timeline with neon gradient line
- Date grouping
- Audio player support
- Source badges
- Responsive: stacks vertically on mobile (CRT on top)
- Auto-refresh every 3 minutes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Star Wars opening crawl style timeline with:
- Starfield background with twinkling stars
- "A long time ago in a network far, far away...." intro
- CYBERFEED logo zoom animation
- 3D perspective text crawl (rotateX transform)
- Yellow text (#ffd700) with cyan accents (#0ff)
- Auto-refresh every 3 minutes
- Controls: PAUSE, RESET, HOME, REFRESH
- Fix LuCI API array handling in getFeeds/getItems:
- RPC `expect` declarations auto-extract nested properties
- Response IS the array, not res.feeds/res.items
- Add Array.isArray check to handle both cases
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move emoji injection inside AWK parser to avoid corrupting JSON keys
- Use grep -o | wc -l for accurate item count on single-line JSON
- Emojis now only applied to title and desc fields, not URLs or keys
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rewrite RSS parser to use BusyBox-compatible AWK (no capture groups)
- Use extract_tag() helper with substr() instead of match() capture
- Use extract_attr() helper for XML attribute extraction
- Fix settings.js select elements to properly set initial value
- Use sel.value = ... instead of selected attribute
- Add new UCI config options for enhanced features:
- download_media, media_dir, history_file, generate_timeline
- Bump versions: secubox-app-cyberfeed 0.2.1, luci-app-cyberfeed 0.1.1
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Radio France presets (France Inter, France Culture, France Info, FIP, Mouv)
- Add international radio (BBC World, NPR)
- Add tech podcasts (Darknet Diaries, Changelog, Syntax.fm)
- Add 'radio' category to feed selector
- One-click quick-add buttons for all radio presets
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- get_feeds now returns {"feeds": [...]} instead of raw array
- get_items now returns {"items": [...]} instead of raw array
- Updated api.js to extract arrays from wrapped responses
- Fixes feed list not displaying in LuCI dashboard
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-cyberfeed: Core RSS aggregator service
- Pure shell script, OpenWrt compatible
- Cyberpunk emoji injection based on content keywords
- Caching with configurable TTL
- JSON and HTML output with neon/glitch effects
- RSS-Bridge support for social media (Facebook, Twitter, YouTube)
- luci-app-cyberfeed: LuCI dashboard with cyberpunk theme
- Dashboard with stats, quick actions, recent items
- Feed management with add/delete
- RSS-Bridge templates for easy social media setup
- Preview with category filtering
- Settings page for service configuration
Features:
- Auto-emojification (security, tech, mystical themes)
- Dark neon UI with scanlines and glitch effects
- RSS-Bridge integration for Facebook/Twitter/YouTube
- Category-based filtering
- Auto-refresh via cron (5 min default)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add pollRegistered flag to prevent duplicate poll registration
- Fix refreshDashboard to use replaceChild instead of dom.content
- Build content arrays explicitly to avoid null values in arrays
- Fix disabled attribute handling for action buttons
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fix TypeError "haproxy.api factory yields invalid constructor" by
refactoring api.js to use correct LuCI module pattern:
- Define RPC calls at module level with rpc.declare()
- Reference them in baseclass.extend() object
- Add getDashboardData helper function at module level
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-haproxy: LXC-containerized HAProxy service
- Alpine Linux container with HAProxy
- Multi-certificate SSL/TLS termination with SNI routing
- ACME/Let's Encrypt auto-renewal
- Virtual hosts management
- Backend health checks and load balancing
- Add luci-app-haproxy: Full LuCI web interface
- Overview dashboard with service status
- Virtual hosts management with SSL options
- Backends and servers configuration
- SSL certificate management (ACME + import)
- ACLs and URL-based routing rules
- Statistics dashboard and logs
- Settings for ports, timeouts, ACME
- Update luci-app-secubox-portal:
- Add Services category with HAProxy, HexoJS, PicoBrew,
Tor Shield, Jellyfin, Home Assistant, AdGuard Home, Nextcloud
- Make portal dynamic - only shows installed apps
- Add empty state UI for sections with no apps
- Remove 404 errors for uninstalled apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add start-hexo.sh script as container init command
- Set PATH properly for hexo CLI in lxc_exec()
- Container now starts Hexo server automatically on boot
- Falls back to tail -f /dev/null if no site exists
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-app-hexojs: LXC-containerized Hexo service with Node.js
- hexoctl control script for container/site management
- Bundled CyberMind theme with dark/light mode
- Theme presets (minimal, tech, portfolio)
- Post/page scaffolds
- luci-app-hexojs: Full CMS dashboard
- Overview with stats and quick actions
- Post editor with Markdown toolbar and preview
- Media library browser
- Categories and tags management
- Apps portfolio for CyberMind theme
- Build and deploy to GitHub Pages
- GitHub Sync wizard (clone, pull, push)
- Theme configuration and presets
- Site settings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-tor (backend) and luci-app-tor-shield (frontend) packages
for Tor anonymization on OpenWrt.
Backend features:
- UCI configuration with presets (anonymous, selective, censored)
- procd init script with iptables transparent proxy
- torctl CLI tool for status, enable/disable, circuits, leak-test
- DNS over Tor and kill switch support
- Hidden services and bridge management
Frontend features:
- Modern purple/onion themed dashboard
- One-click master toggle with visual status
- Real-time circuit visualization (Guard -> Middle -> Exit)
- Hidden services (.onion) management with copy/QR
- Bridge configuration (obfs4, snowflake, meek-azure)
- Leak detection tests
- Advanced settings for ports and exit node restrictions
Note: LuCI package renamed to luci-app-tor-shield to avoid conflict
with existing luci-app-tor package in OpenWrt LuCI feeds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Flask 1.1.2 requires specific old versions of dependencies:
- Jinja2==2.11.3 (escape moved in 3.1)
- markupsafe==1.1.1
- itsdangerous==1.1.0 (json removed in 2.x)
- Werkzeug==1.0.1
- click==7.1.2
- pybeerxml<2.0.0 (Parser import changed in 2.x)
- marshmallow<4.0.0
Also:
- Use pip-installed package instead of git repo mount
- Simplify LXC mounts to just data directories
Tested and working on OpenWrt 24.10.5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add two new packages for self-hosted brewing controller support:
secubox-app-picobrew:
- LXC container-based PicoBrew Server installation
- Alpine Linux rootfs with Python/Flask environment
- UCI configuration for port, memory, brewing defaults
- procd service management with respawn
- Commands: install, uninstall, update, status, logs, shell
luci-app-picobrew:
- Modern dashboard UI with SecuBox styling
- Service controls (start/stop/restart/install/update)
- Real-time status monitoring and logs
- Settings page for server and brewing configuration
- RPCD backend with full API coverage
Supports PicoBrew Zymatic, Z, Pico C, and Pico Pro devices.
Repository: https://github.com/CyberMind-FR/picobrew-server
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The wizard.js was looking for a global QRCode object that doesn't exist.
Updated to import and use our qrcode module like other views do.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Changed from baseclass.extend() to simple object return pattern
to match other libraries (chart.js). The baseclass dependency
was causing the module to fail loading.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The JavaScript QR code fallback was limited to Version 5 (106 bytes max),
but WireGuard configs are typically 200-250 bytes. This caused QR code
generation to fail when the backend qrencode binary is not installed.
Changes:
- Auto-select optimal QR version (1-20) based on data length
- Support up to 858 bytes (Version 20)
- Proper Reed-Solomon error correction with dynamic generator polynomials
- Data interleaving for multiple EC blocks
- Alignment patterns for all versions
- Version info encoding for version 7+
- Quiet zone in SVG output
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Refactor CROWDSEC object to use luci.crowdsec-dashboard RPC instead of file.exec
- Add getNftablesStats() for accurate blocked IPs count from firewall bouncer
- Update updateDiskUsage() to use luci.system-hub.get_system_status RPC
- Update loadSystemLogs() to use luci.system-hub.get_logs RPC
- Add proper ACL permissions for luci.crowdsec-dashboard and luci.system-hub
- Bump version to 1.5.0-r3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Downgrade golang.org/x/net from v0.44.0 to v0.33.0 (Go 1.23 compatible)
- Patch out http.Protocols usage (Go 1.24+ feature) from:
- pkg/acquisition/modules/http/run.go
- pkg/acquisition/modules/appsec/config.go
- pkg/acquisition/modules/kubernetesaudit/config.go
- pkg/apiserver/apiserver.go
- Patch strings.SplitSeq to strings.Split (Go 1.24+ iterator feature) in:
- cmd/crowdsec-cli/clisetup/acquisition.go
- cmd/crowdsec/flags.go
This fixes the build failure caused by CrowdSec 1.7.4 using Go 1.24+
features while OpenWrt SDK ships Go 1.23.x.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The -x flag requires exact process name match which doesn't work
reliably on OpenWrt/BusyBox. Removed -x from all pgrep calls in:
- luci-app-bandwidth-manager
- luci-app-secubox-security-threats
- luci-app-auth-guardian
- luci-app-media-flow
- luci-app-vhost-manager
- luci-app-network-modes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add RPC call to fetch CrowdSec nftables statistics
- Replace Security Modules widget with IPs Blocked widget
- Show active/inactive status based on firewall bouncer health
- Add detailed breakdown in System Overview (IPv4/IPv6, CAPI/local)
- Gracefully handle missing CrowdSec dashboard package
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove -q (quiet) flag from wget to show download errors
- Use architecture-specific tarball (60MB) instead of multi-arch (126MB)
- Add fallback to multi-arch tarball if ARM download fails
- Add explicit error messages for download and extraction failures
- Verify download file exists and is non-empty before extraction
The previous -q flag was hiding the actual wget error, making it
difficult to diagnose download failures in the chroot environment.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- lxc_create_rootfs now checks for Lyrion installation (slimserver.pl)
instead of just Alpine (alpine-release) to detect complete installs
- Auto-cleanup incomplete installations where Alpine downloaded but
Lyrion failed to install (e.g., network issues during chroot)
- Add verification after installation to confirm Lyrion was installed
- Add 'destroy' command to manually clean up failed installations
- Bump version to 2.0.1
This fixes the issue where 'lyrionctl install' would report success
when Alpine was downloaded but the chroot setup script failed silently.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use L.url() for proper ubus endpoint URL
- Pass messages as array instead of JSON string
- Add credentials and better error handling
- Fix AbortController error handling
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Change default API port from 8080 to 8081
- Increase chat API timeout to 120 seconds (LLMs can be slow on ARM)
- Use custom fetch-based chat call with AbortController for timeout control
- Fix wget/curl timeout for RPCD backend
Resolves "XHR request timed out" errors when using chat with TinyLlama.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace Docker/LXC-based approach with direct binary download
- Download LocalAI v2.25.0 binary from GitHub releases
- Add localaictl CLI for install, model management, and service control
- Change default port to 8081 (avoid CrowdSec conflict on 8080)
- Remove secubox-app-localai-wb (merged into secubox-app-localai)
- Add model presets: tinyllama, phi2, mistral
Usage:
localaictl install
localaictl model-install tinyllama
/etc/init.d/localai enable && /etc/init.d/localai start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New package for building LocalAI from source with llama-cpp backend:
- localai-wb-ctl: On-device build management
- check: Verify build prerequisites
- install-deps: Install build dependencies
- build: Compile LocalAI with llama-cpp
- Model management, service control
- build-sdk.sh: Cross-compile script for SDK
- Uses OpenWrt toolchain for ARM64
- Produces optimized binary with llama-cpp
Alternative to Docker-based secubox-app-localai for native builds.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New LuCI application for Ollama management:
- Dashboard with service status and controls
- Model management (pull, remove, list)
- Chat interface with model selection
- Settings page for configuration
Files:
- RPCD backend (luci.ollama)
- Dashboard, Models, Chat, Settings views
- ACL and menu definitions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Download Docker image layers directly via Registry API
- No dockerd or podman daemon required anymore
- Same approach as mitmproxy and magicmirror2 packages
- All backends included (llama-cpp, whisper, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Updated default version from v2.25.0 to v3.10.0
- Fixed binary URL format: local-ai-v3.10.0-linux-arm64
- Updated Docker image tag to v3.10.0-ffmpeg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add runtime_is_working() to verify daemon connectivity
- Falls back to standalone binary with helpful message if daemon not running
- Provides hint: /etc/init.d/dockerd start
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When using `localaictl install --lxc`:
1. If podman/docker available: extracts rootfs from Docker image
- Includes ALL backends (llama-cpp, whisper, etc.)
- Creates LXC container with full LocalAI capabilities
2. If no docker/podman: falls back to standalone binary
- Limited backend support
This gives the best of both worlds:
- LXC lightweight container management
- Full Docker image backends
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- is_running() now checks LXC with lxc-info before Docker/Podman
- get_status() calculates uptime from LXC container PID
- Order: LXC -> Podman -> Docker -> native process
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update is_running() to detect Docker/Podman containers
- Fix get_status() uptime calculation for containers
- Improve do_chat() with better error messages and logging
- Use curl if available for API calls (more reliable than wget POST)
- Add debug logging to syslog (logger -t localai-chat)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
LocalAI changes:
- Rewrite localaictl to use Docker/Podman instead of standalone binary
- Use localai/localai:v2.25.0-ffmpeg image with all backends included
- Fix llama-cpp backend not found issue
- Auto-detect podman or docker runtime
- Update UCI config with Docker settings
New Ollama package:
- Add secubox-app-ollama as lighter alternative to LocalAI
- Native ARM64 support with backends included
- Simple CLI: ollamactl pull/run/list
- Docker image ~1GB vs 2-4GB for LocalAI
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The LuCI rpc.declare with expect: { models: [] } returns the array
directly, not wrapped in {models: [...]}. Fixed all views to handle
this correctly.
- models.js: Check Array.isArray(data) first
- dashboard.js: Extract array from results[1] directly
- chat.js: Same array handling fix
Version: 0.1.0-r12
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add secubox-app-localai package with LXC container support for LocalAI service
- Add luci-app-localai with dashboard, chat, models and settings views
- Implement RPCD backend for LocalAI API integration via /v1/models and /v1/chat/completions
- Use direct RPC declarations in LuCI views for reliable frontend communication
- Add LocalAI and Glances to secubox-portal services page
- Move Glances from services to monitoring section
Packages:
- secubox-app-localai: 0.1.0-r1
- luci-app-localai: 0.1.0-r8
- luci-app-secubox-portal: 0.6.0-r5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Improve Services tab with pgrep-based status detection
- Add service enable/disable toggle buttons
- Add port forwards table to Firewall tab
- Add process list to System tab
- Add CrowdSec alerts table
- Reorganize quick actions into grouped layout
- Add Flush DNS, Sync NTP, and LuCI Admin shortcuts
- Change URL path from /secubox-dashboard/ to /secubox/
- Bump version to 1.4.1 (v2.4)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use separate -B and -p args for bind address and port
- Add hostname resolution by populating /etc/hosts dynamically
- Add --disable-autodiscover and --disable-check-update flags
- Fixes DNS resolution errors causing immediate container exit
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add secubox-app-glances and luci-app-glances packages:
secubox-app-glances:
- LXC container with nicolargo/glances:latest-full Docker image
- Web UI on port 61208, API on port 61209
- UCI configuration for monitoring options and alert thresholds
- glancesctl management script
luci-app-glances:
- Dashboard view with service status and quick actions
- Embedded Web UI view with iframe
- Settings view for configuration
- RPCD backend with proper ACL permissions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token to RPCD ACL permissions (was missing, causing 403)
- Add fallback token retrieval from container via lxc-attach
- Improve token capture regex to support alphanumeric tokens
- Fix startup script with background process + tee for reliable capture
- Add IP forwarding enablement for transparent proxy mode
- Fix bypass rule for traffic destined to router itself
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Consider sync OK when CAPI blocklists are active (capi_elements > 0)
even if local decisions = 0
- Add capi_elements_count to health response
- Fixes false "Out of sync" warning when using community blocklists
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- install_module now uses mmpmctl if available (has module registry)
- Fallback to manual git clone only with explicit URLs
- Add proper Node.js PATH for npm commands
- update_module also uses mmpmctl when available
- Fix npm PATH in both install and update functions
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Use `mmpm ui --start/--stop/--status` instead of `mmpm ui --port --host`
- MMPM v4 manages GUI via pm2, not direct execution
- Update status command to check pm2 status and get URL from mmpm
- Auto-install UI if not present when starting service
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add NODE_PATH variable for container npm/pm2 access
- Add run_mmpm helper function with proper PATH export
- Fix module install/remove/upgrade/search/list commands
- Fix MMPM GUI service start with proper PATH
- Fix list command to use --installed flag
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update module list to match portal.js apps
- Add MagicMirror2 and MMPM to modules
- Add changelog entries for v0.15.0-alpha1 to alpha3
- Update roadmap with Certification CE/FCC and Phase 2 funding (2027)
- Update version badge to v0.15.0-alpha3
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix pip install with --break-system-packages for Debian Trixie PEP 668
- Fix MMPM binary path detection (/usr/local/bin/mmpm)
- Fix RPCD backend to detect MMPM UI status with correct PATH
- Add Services section to portal navigation
- Update MMPM commands to use full path in container
- Configure MMPM environment for /opt/magic_mirror
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add symlink from modules/default to __modules/default (Docker entrypoint logic)
- Copy CSS files from __css to css directory on startup
- Fix shebang escaping issue by using printf instead of heredoc for #!/bin/sh
- Bump release to 0.4.0-r7
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-magicmirror2 (0.4.0): MagicMirror² smart display platform
- LXC container with Docker image extraction
- mm2ctl CLI for management
- Support for gzip/zstd compressed layers
- Default port 8082
- luci-app-magicmirror2 (0.4.0): LuCI web interface
- Dashboard, modules, webui, settings views
- RPCD backend for service control
- Module management integration
- secubox-app-mmpm (0.2.0): MMPM package manager
- Installs MMPM in MagicMirror2 container
- mmpmctl CLI for module management
- Web GUI on port 7891
- luci-app-mmpm (0.2.0): LuCI interface for MMPM
- Dashboard with install/update controls
- Module search and management
- Embedded web GUI view
Portal integration:
- Added MagicMirror² and MMPM to Services section
- Portal version bumped to 0.6.0
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add PYTHONUNBUFFERED=1 to ensure mitmweb output is not buffered
- Use inline while loop to capture authentication token from startup output
- Fix RPCD backend to read token from correct path ($DATA_DIR/.mitmproxy_token)
- Add proper shell detection and symlink creation in Docker rootfs extraction
- Remove unnecessary exec in pipeline that prevented output capture
The mitmweb authentication token is now properly captured and available
to the LuCI Web UI view for iframe embedding.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The previous pipe approach didn't work because the while loop
runs in a subshell. Now using a background job to poll the log
file for the token while tee outputs to both console and log.
Bump release to r13.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_web_token RPCD method to retrieve auth token
- Create webui.js view that embeds mitmweb in an iframe
- Capture auth token at startup and save to file
- Add Web UI navigation to all mitmproxy views
- Fix PATH for /usr/local/bin in Docker image
- Change default port from 8080 to 8888 (avoid CrowdSec conflict)
secubox-app-mitmproxy: bump to r12
luci-app-mitmproxy: bump to r2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Recent mitmproxy versions require web authentication by default.
Disable it with --set web_password= for easier LAN access.
Bump release to r11.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Port 8080 conflicts with CrowdSec API. Using 8888 as default.
Also removes --flow-detail option not available in latest mitmproxy.
Bump release to r10.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Extract rootfs directly from mitmproxy/mitmproxy Docker image.
This provides the latest mitmproxy with all Rust components pre-compiled.
No more version compatibility issues - uses whatever version is in
the official Docker image.
Bump release to r8.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 7.0.4 doesn't support the --flow-detail option which was
causing the startup script to fail.
Bump release to r7.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 8.x has dataclass compatibility issues with Python 3.11
in the grpc contentviews module.
Bump release to r6.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
werkzeug 3.0+ removed url_quote from werkzeug.urls which breaks
Flask imports in mitmproxy 8.1.1.
Bump release to r5.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
zstandard requires gcc to compile. Added build-base and dev packages
for compilation, then remove them after pip install to save space.
Bump release to r4.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- mitmproxy 9.x requires mitmproxy-wireguard (Rust)
- mitmproxy 10.x requires mitmproxy_rs (Rust)
- mitmproxy 8.1.1 is the last version without any Rust dependencies
Bump release to r3.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.x requires mitmproxy_rs which needs Rust compilation.
mitmproxy 9.0.1 is the last pure-Python version that works in Alpine
chroot without /proc mounted.
Bump release to r2.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust 1.80+, but
Alpine 3.19 only has Rust 1.76. Using mitmproxy 10.1.6 which is the
last pure-Python version without Rust requirements.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy 10.2+ requires mitmproxy_rs which needs Rust.
Install rust and cargo from Alpine packages, compile mitmproxy,
then remove build deps to save space.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
mitmproxy_rs now requires Rust compilation which fails in chroot
environment without /proc mounted. Switch to Alpine's pre-built
mitmproxy package from the community repository.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add nftables transparent mode support with automatic REDIRECT rules
- Create SecuBox Python filter addon for CDN/Media/Ad tracking
- Add whitelist/bypass configuration for IPs and domains
- Expand UCI config with transparent, whitelist, filtering sections
- Update RPCD backend with new config methods and firewall control
- Update LuCI settings view with all new configuration options
- Add new API methods: firewall_setup, firewall_clear, list management
Features:
- Transparent proxy with nftables integration
- CDN tracking (Cloudflare, Akamai, Fastly, etc.)
- Media streaming tracking (YouTube, Netflix, Spotify)
- Ad/tracker blocking
- IP and domain whitelist bypass
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move UCI defaults script for auto-registration to cs-firewall-bouncer
- Remove redundant secubox-app-crowdsec-bouncer wrapper package
- Update luci-app-crowdsec-dashboard reference to new package name
- Increment PKG_RELEASE to 3
The defaults script handles:
- Automatic bouncer registration with CrowdSec LAPI
- Interface detection for LAN/WAN
- API key generation and UCI config update
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
luci-app-crowdsec-dashboard is more complete with:
- Overview, Setup Wizard, WAF/AppSec, Metrics views
- Proper location in SecuBox > Security menu
- Bouncers management
luci-app-secubox-crowdsec was a simpler duplicate in Services menu.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create mitmproxyctl script with LXC container management
- Alpine Linux rootfs with Python and mitmproxy via pip
- Support for regular, transparent, upstream, and reverse proxy modes
- UCI configuration for proxy_port, web_port, memory_limit, etc.
- procd init script for service management
- Update luci-app-mitmproxy RPCD backend for LXC container status
Ports:
- 8080: Proxy port
- 8081: Web interface (mitmweb)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add perl-template-toolkit and perl-file-slurp dependencies
- Remove bundled Template.pm (conflicts with system version 3.101)
- Add Devel::Peek stub module for runtime inspection
- Fix lxc_logs() to read logs from container via lxc-attach
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update Lyrion download URLs to downloads.lms-community.org
- Switch from noCPAN to full tarball (noCPAN missing modules)
- Replace perl-image-scale with perl-gd + imagemagick (Alpine)
- Remove conflicting bundled CPAN modules (DBD::SQLite, XML::Parser, YAML, DBI)
- Add Image::Scale stub module for artwork resizing
- Fix permissions for nobody user on /config and /var/log/lyrion
- Add missing perl-digest-sha1 and perl-sub-name dependencies
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Removed unrealistic items (AI Threat Detection, Mobile App, Cloud) and
replaced with practical goals based on current module progress:
- Network Modes 1.0 (currently at 35%)
- SecuBox Hub 1.0 (currently at 31%)
- Multi-WAN Failover
- Documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed incorrect year (2025 -> 2026) in changelog dates
- Added v0.15.0-rc2 changelog entry for CrowdSec firewall bouncer fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The init script created nftables sets and chains but never added the
actual DROP rules to block traffic from blacklisted IPs. This caused
the bouncer to populate sets correctly but traffic was never blocked.
Added DROP rules for:
- IPv4 input chain (crowdsec-blacklists)
- IPv4 forward chain (crowdsec-blacklists)
- IPv6 input chain (crowdsec6-blacklists)
- IPv6 forward chain (crowdsec6-blacklists)
Each rule respects the deny_log and deny_action configuration options.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Rename crowdsec-firewall-bouncer to secubox-app-cs-firewall-bouncer
- Rename secubox-auth-logger to secubox-app-auth-logger
- Delete secubox-crowdsec-setup (merged into other packages)
- Fix circular dependencies in luci-app-secubox-crowdsec
- Fix dependency chain in secubox-app-crowdsec-bouncer
- Add consolidated get_overview API to crowdsec-dashboard
- Improve crowdsec-dashboard overview performance
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The new get_overview RPC method was missing from the ACL file,
causing "Access denied" errors in the frontend.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Consolidate multiple dashboard API calls into a single get_overview RPC
method to reduce network overhead and improve page load performance.
The frontend now transforms the consolidated response to maintain
compatibility with existing view logic. Also increases poll interval
from 30s to 60s.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix typo seccubox_logs -> secubox_logs
- Get country data from alerts (source.cn) instead of decisions
- Display CrowdSec logs instead of non-existent secubox.log
- Rename "SecuBox Log Tail" to "CrowdSec Logs"
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec decisions don't contain country data. GeoIP enricher adds
country info to alerts (source.cn or source.country field).
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Adds "Connexion" link at the end of the public menu to redirect
to the admin authentication page.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace github.com/gkerma/secubox-openwrt with
github.com/CyberMind-FR/secubox-openwrt across all files.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add devstatus.js with modules list, roadmap, and changelog
- Reorder public pages: Crowdfunding (10), Bug Bounty (20), Dev Status (30)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The 403 error was caused by missing ACL file. Added
luci-app-secubox-portal.json with read permissions for
luci.secubox and luci.system-hub ubus methods.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Move Debug Console from Client Guardian to System Hub
- Add Auto-Zoning Rules dedicated view in Client Guardian
- Add public pages for Bug Bounty and Crowdfunding (no ACL)
- Fix auth-logger to only detect real login attempts
- Add private IP whitelist for CrowdSec (RFC1918 ranges)
- Update navigation menus across all apps
- Bump secubox-auth-logger to v1.2.2
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v2.0.0: Multi-runtime support with auto-detection
- LXC preferred when available (150MB RAM vs 300MB for Docker)
- New lyrionctl commands: runtime, shell
- Alpine Linux rootfs creation for LXC
- UCI config: runtime option (auto/docker/lxc)
- Memory limit configuration via cgroups
- Updated plugin manifest with runtime info
Runtime selection:
option runtime 'auto' - Auto-detect (LXC preferred)
option runtime 'docker' - Force Docker
option runtime 'lxc' - Force LXC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add explicit 644 permissions for overview.js and dashboard.css
- Fixes HTTP 403 error when accessing the view
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add sync command to synchronize packages from package/secubox to local-feed
- Add local-feed deletion to clean-all command
- Add missing packages to package/secubox:
- luci-app-secubox-crowdsec
- secubox-crowdsec-setup
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- v1.2.1: Remove timestamp generation (ucode time functions unavailable)
- Use simple format: secubox-auth[1]: authentication failure for...
- Update parser to use raw line parsing with custom label type
- Change acquisition from type:syslog to type:secubox-auth
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- secubox-auth-logger v1.2.0: Patch LuCI ucode dispatcher.uc to log
authentication failures server-side instead of relying on JS hooks
- crowdsec-firewall-bouncer: Add helper function for UCI list reading
and default to eth1, br-lan, br-wan interfaces to ensure WAN traffic
is checked against the blocklist
- Update postrm to properly restore dispatcher backup on uninstall
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add CGI hook to capture client IP during failed auth attempts
- Add JavaScript hook to intercept ubus session.login failures
- Add rpcd plugin for ubus-based auth logging
- Update CrowdSec parser for case-insensitive matching
- Inject JS hook into LuCI theme headers on install
This enables CrowdSec to detect and block brute-force attacks
on the LuCI web interface, which previously only logged
successful authentications.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Local Protection Mode banner when CAPI unavailable (LAPI still works)
- Save enrollment key to UCI config for future repairs
- Improve text contrast in wizard (better readability)
- Simplify LAPI repair function based on official OpenWrt approach
- Never delete CAPI credentials to avoid rate-limiting
- Add get_settings/save_settings RPC methods
- Bump version to 0.7.0-r27
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add automatic restart after successful console enrollment
- Update wizard UI to inform user about validation on app.crowdsec.net
- Service must restart after enrollment is validated on CrowdSec Console
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Service restarts during bouncer registration and service start can
cause XHR connections to abort. Treat these as success since the
operation likely completed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New wizard approach:
- Automatic health check on load (LAPI, CAPI, Bouncer, nftables, collections)
- Single configuration page with all options visible
- Only repairs what's broken
- No hub update without CAPI connection
- Single "Apply Configuration" button at the end
- Progress bar during apply
- Summary of what was done at completion
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The RPC method was returning "Access denied" because it was missing
from the rpcd ACL configuration.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Large package feed files exceed GitHub's 100MB limit.
These are build artifacts that should be generated locally.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add get_public_ips method to secubox-core rpcd backend
- Fetch public IPs from multiple services with fallback
- Display in new "Public IP Addresses" panel on dashboard
- Auto-update IPs on poll refresh
- Bump luci-app-secubox to 0.7.1-r2
- Bump secubox-core to 0.10.0-r4
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Treat XHR abort as success when CrowdSec restarts after acquisition config
- Auto-advance to Step 5 after brief delay
- Bump to 0.7.0-r21
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- repair_lapi() now removes stale online_api_credentials.yaml and retries
- New repair_capi() function for dedicated CAPI repair
- console_enroll() handles CAPI credential cleanup before retry
- Added repairCapi API method in frontend
- Bump luci-app-crowdsec-dashboard to 0.7.0-r20
- Add openwrt-luci-bf.yaml scenario for LuCI brute force detection
- Add secubox-auth-acquis.yaml acquisition config
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The serviceWarning variable was null when CrowdSec is running, and
LuCI's E() function rendered it as literal "null" text. Fixed by
using empty fragment when no warning needed.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The refreshView() call was aborting the pending configureAcquisition
XHR request by triggering new API calls. Now only updates the button
state without a full view refresh.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
CrowdSec on OpenWrt doesn't support "source: command" acquisition.
Changed to file-based acquisition reading /var/log/messages.
Also configures busybox syslog to write to file automatically.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
When SSH logging is enabled in the wizard, automatically:
- Set dropbear.@dropbear[0].verbose=1 to log auth failures
- Restart dropbear to apply changes
This ensures CrowdSec can detect SSH brute force attempts.
Without verbose mode, Dropbear doesn't log failed auth to syslog.
Also enable uhttpd syslog when HTTP logging is enabled.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
