- luci.mailserver: Detect LXC containers for webmail status (not just Docker)
- docs: Add nginx static file fix and webmail detection to HISTORY/WIP
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fix auth for Streamlit container (no ubus access)
- Use HTTP JSON-RPC to /ubus endpoint for authentication
- Add ALERTE.DEPOT app source to repo
- Update HISTORY.md with VoIP and auth fixes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add Gitea as a service option in SecuBox Users UI
- Add Gitea checkbox in Add User modal
- Add Gitea service badge in status display
- Implement password sync to Gitea via API on password change
- Fix Gitea API call to include login_name parameter
- Add gitea to check_service() and get_status()
- Sync passwords to all enabled services (email, jabber, nextcloud, gitea)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto-republish to method_upload_file (was only in upload_finalize)
- Add Gitea push to cmd_publish when gitea.enabled=1
- Use haproxyctl reload instead of init.d (container-aware)
- Uploaded content now triggers full republish flow for emancipated sites
This fixes the issue where uploading new HTML content didn't update
the live site because republish wasn't triggered.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add auto Gitea push on emancipate and app rename
- Route emancipated instances through mitmproxy_inspector (WAF) by default
- Add mitmproxy route entries for domains
- Enhanced rename_app to actually rename folders/files
- Enhanced rename_instance to update HAProxy vhost and mitmproxy routes
- Display WAF badge in dashboard for exposed instances
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add lxc_start_bg() and lxc_reload() functions for container management
- Replace all /etc/init.d/haproxy calls with container-aware functions
- Fix haproxy-sync-certs to use haproxyctl reload
- Host HAProxy init script disabled, container is sole handler
Resolves intermittent 404 errors caused by dual HAProxy instances.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add --version and --profile CLI options to secubox-cloner build command
- Add versions command to list available OpenWrt releases (24.10.5, 24.10.0, 23.05.5, 23.05.4)
- Add package profiles: slim (minimal), core (mesh essentials), full (clone current device)
- Add list_versions and list_build_profiles RPCD methods for LuCI
- Update build_image RPCD to accept version and profile parameters
- Update ACL permissions for new read methods
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Factory tab to Cloning Station with:
- Discovery Mode toggle (enable/disable zero-touch provisioning)
- Pending Devices list with approve/reject and profile assignment
- Bulk Token Generator (1-50 tokens with profile selection)
- Hardware Inventory table (MAC, Model, CPU, RAM, Storage)
Implementation:
- 8 RPC declarations for factory methods
- 5 state properties for factory data
- 5 render functions, 6 event handlers
- Factory data polling in 5-second refresh cycle when on tab
- KISS theme UI components throughout
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixes Roundcube IMAP "Internal error occurred" caused by Dovecot
running mail processes as uid 102 (Alpine default) instead of the
actual vmail user uid 5000.
Changes:
- configure_postfix: virtual_uid_maps/gid_maps 102/105 → 5000/5000
- configure_dovecot: mail_uid/gid, first_valid_uid, userdb args
- cmd_add_user: passwd file entries and ownership
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add inventory.sh for hardware inventory collection (MAC, serial, model, CPU, RAM, storage)
- Add profiles.sh for profile management and device matching
- Add default.json profile template for auto-provisioned peers
- Add discovery mode to master-link.sh with pending queue and approval workflow
- Add bulk token generation (up to 100 tokens per batch)
- Enhance 50-secubox-clone-provision with inventory collection and discovery join
- Add 9 new RPCD methods to luci.cloner for factory provisioning
- Fix p2p-mesh.sh to be silent when sourced as library
- Add UCI options: discovery_mode, auto_approve_known, discovery_window, default_profile
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Added entry #45 documenting the fix for 404 errors after MetaBlogizer
site upload/publish caused by missing original_backend field in HAProxy
vhost configs.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Upload workflow now works without needing to unpublish/expose again.
The reload_haproxy() function now calls mitmproxyctl sync-routes to
ensure mitmproxy picks up new routes immediately after vhost creation.
Root cause: Upload created HAProxy vhost and mitmproxy route file entry,
but mitmproxy never received a reload signal to activate the route.
Running emancipate fixed it because it called mitmproxyctl sync-routes.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- metablogizer: reload_haproxy() now copies config to /etc/haproxy.cfg
- haproxyctl: generate_config() syncs to /etc/haproxy.cfg after generation
- Fixes issue where newly uploaded sites return 404 because HAProxy
reads config from /etc/haproxy.cfg but config was only generated to
/srv/haproxy/config/haproxy.cfg
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Multi-view portal with grid/list/compact modes
- Automatic site categorization (Intelligence, Dev, Finance, etc.)
- Iframe thumbnail previews of real site content
- Tag cloud and category tabs with emoji indicators
- Instant search by domain/name/category
- Auto-refresh via cron every 5 minutes
- Created explicit vhosts for 54 MetaBlogizer sites
- Fixed wildcard routing priority
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Both create_site_from_upload and upload_and_create_site were missing
HAProxy vhost creation step (step 8 from create_site method).
Changes:
- Add vhost creation with backend=mitmproxy_inspector for WAF routing
- Add mitmproxy route to /srv/mitmproxy-in/haproxy-routes.json
- Apply same fix to original create_site method for consistency
This ensures all MetaBlogizer uploaded sites are immediately accessible
via HTTPS and all traffic passes through WAF inspection.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New peertube-import script for importing from YouTube, Vimeo, 1000+ sites
- CGI endpoints for portal integration (peertube-import, peertube-import-status)
- Portal UI: Video Import card with progress tracking
- Multi-language subtitle download and PeerTube caption upload
- Fixed stdout/stderr separation for reliable function returns
- UCI config: uses peertube.admin.username/password
- Package version bumped to 1.2.0
- Added README.md with full documentation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- luci-app-webradio: Web radio management with Lyrion bridge tab
- luci-app-turn: TURN/STUN server UI for WebRTC (Jitsi integration)
- secubox-app-lyrion-bridge: Lyrion → Squeezelite → FFmpeg → Icecast pipeline
- secubox-app-squeezelite: Squeezelite audio player with FIFO output
- secubox-app-turn: TURN server with ACME SSL and Jitsi setup
- secubox-app-webradio: Icecast/ezstream web radio server
Features:
- HTTPS streaming via HAProxy (stream.gk2.secubox.in)
- Lyrion Music Server bridge for streaming playlists to Icecast
- TURN server with time-limited credential generation
- CrowdSec integration for WebRadio security
- Schedule-based radio programming with jingles
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Videos imported via yt-dlp are now automatically uploaded to PeerTube:
- OAuth authentication using UCI-stored admin credentials
- Video upload via PeerTube REST API
- Real-time job status polling with import_job_status method
- Progress indicator in LuCI UI
- Automatic cleanup of temp files
New RPCD method: import_job_status for polling job progress.
Version bumped to 1.1.0.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replace jsonfilter with grep for CrowdSec decision counting
- Add ipset existence check before listing blocked IPs
- Add safety fallbacks for empty/invalid counts
- Bump version to 0.5.2-r2
The jsonfilter -e '@[*]' approach failed with CrowdSec's
multi-line JSON output, causing exit code 251 errors.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add MixMonitor integration for automatic call recording
- Add voipctl rec commands: enable/disable/status/list/play/download/delete/cleanup
- Add recordings.js LuCI view with audio player and date filtering
- Add RPCD methods for recording management
- Add UCI config section for recording settings (format, retention)
- Fix OVH API signature to use openssl instead of sha1sum
- Improve PJSIP trunk config with realm and qualify settings
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add Jingle VoIP, SMS Relay, and Voicemail Notifications sections to
the Jabber overview.js. Expose 9 new RPC methods in api.js for VoIP
control. Also includes remaining VoIP package updates (dialer view,
asterisk-config.sh) from previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added 4 new WAF categories: voip (12), xmpp (10), cve_voip (9), cve_xmpp (8)
- Self-hosted Jitsi Meet deployed at meet.gk2.secubox.in
- Full LXC container with Prosody/Jicofo/JVB/Nginx
- Webchat updated to use self-hosted Jitsi
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
New packages:
- secubox-app-voip: Asterisk PBX in LXC container
- luci-app-voip: Dashboard with extensions, trunks, click-to-call
VoIP features:
- voipctl CLI for container, extensions, trunks, calls, voicemail
- OVH Telephony API auto-provisioning for SIP trunks
- Click-to-call web interface with quick dial
- RPCD backend with 15 methods
Jabber VoIP integration:
- Jingle VoIP support (STUN/TURN via mod_external_services)
- SMS relay via OVH (messages to sms@domain)
- Voicemail notifications via Asterisk AMI → XMPP
- 9 new RPCD methods for VoIP features
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Replaced unstable Alpine container with Debian 12 Bookworm
- Fixed persistent Dovecot permission issues (UID/GID mismatch)
- Postfix + Dovecot properly configured for Debian
- Mail data and SSL certificates preserved
- Webmail now working reliably
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Security KISS Dashboard:
- Add ndpid (nDPI daemon) to RPCD status method
- Add ndpid to services monitoring array (6 services total)
APPS Portal:
- Add Streamlit to Services category (Python data apps)
- Add MetaBlogizer to Services category (AI blog generation)
Also includes secubox-cloner enhancements from earlier session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Nextcloud upgraded from 30.0.17 to 31.0.14
- mailctl firewall_setup now persists UCI rules for mail ports
- All apps updated (mail, tasks, external, spreed/Talk)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add dovecot run directory permission setup
- Add dovenull to dovecot group (fixes login directory access)
- Update HISTORY.md with changes
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Autoconfig:
- Created config-v1.1.xml (Thunderbird), autodiscover.xml (Outlook),
email.mobileconfig (Apple) for automatic mail client configuration
- Added uhttpd instance on port 8025 to serve autoconfig files
- Added HAProxy backends with waf_bypass for autoconfig domains
- Added mailctl autoconfig-setup and autoconfig-status commands
LuCI Mailserver:
- Added user_repair method for mailbox repair (doveadm force-resync)
- Added repair button to user actions in overview
LuCI Nextcloud:
- Added list_users method to list Nextcloud users
- Added reset_password method for password reset via OCC
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backup/restore commands to hexoctl (backup, restore, backup list/delete)
- Add GitHub clone support (hexoctl github clone <url> [instance] [branch])
- Add Gitea push support (hexoctl gitea push [instance] [message])
- Add quick-publish command (clean + build + publish in one step)
- Add 15 new RPCD methods for instance/backup/git management
- Rewrite LuCI dashboard with KISS theme:
- Multi-instance management with status cards
- Instance controls: start/stop, quick publish, backup, editor, preview
- GitHub/Gitea clone modals
- Backup table with restore/delete
- Stats grid: instances, posts, drafts, backups
- Update API with 12 new RPC declarations
- Update ACL with new permissions
Also includes DNS Master app created in previous session.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Complete rewrite of overview.js with full KISS theme styling
- 4-column stats grid (Status, Users, Storage, SSL)
- Port status cards with visual indicators
- Two-column layout: Users + Aliases tables
- Webmail card with status badge and quick actions
- Connection info panel with server details
- Live polling with 10s refresh
- Added fix_ports, alias_del methods to ACL
- Added Mail Server + Nextcloud to KISS nav sidebar
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Nextcloud production deploy with HAProxy SSL
- WAF rules for Nextcloud & Roundcube CVEs
- Mail client autoconfig DNS and XML endpoint
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Added mitmproxy WAF data path fix to WIP.md and HISTORY.md
- RPCD now reads from /srv/mitmproxy-in for correct threat stats
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
haproxyctl:
- Copy generated config to /etc/haproxy/ inside container before reload
- HAProxy reads from /etc/haproxy/haproxy.cfg, not /opt/haproxy/config/
mitmproxy haproxy_router.py:
- Save original Host header before setting backend destination
- Restore Host header after routing to preserve it for backend validation
- Fixes PeerTube OAuth and other apps that validate Host header
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- RPCD handler (luci.peertube) with 11 methods: status, start, stop,
install, uninstall, update, logs, emancipate, live_enable,
live_disable, configure_haproxy
- ACL permissions for read (status, logs) and write operations
- Dashboard features:
- Install wizard with features and requirements
- Service status display with access URL
- Live streaming toggle with enable/disable buttons
- HAProxy configuration status
- Emancipate form for public exposure
- Logs viewer with refresh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Support both "*.domain" and ".domain" wildcard formats in haproxy_router.py
- Sort wildcards by length (longest first) for correct specificity matching
- Add auto-reload: check routes file mtime every 10 requests
- Update metablogizerctl to use mitmproxyctl sync-routes
Also fix luci-app-wazuh api.js to use baseclass.extend
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed sdlc.gk2.secubox.in showing GK2 Hub template instead of original
"Les Seigneurs de La Chambre" cinematic presentation
- Restored content via git checkout from preserved history
- Documented Streamlit WebSocket incompatibility with MITM proxy
- All 20 Streamlit apps require waf_bypass for WebSocket functionality
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Migrated services from Docker to LXC:
- mailserver: Postfix/Dovecot on Alpine (192.168.255.30)
- roundcube: Webmail on Alpine with nginx/PHP (port 8027)
- jellyfin: Media server on Debian (192.168.255.31)
All Docker containers removed, auto-start via /etc/init.d/secubox-lxc
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Streamlit apps require WebSocket connections that mitmproxy WAF
doesn't handle properly. Added waf_bypass UCI option to allow
specific vhosts to route directly to backends while other
services still get WAF protection.
- Add waf_bypass option check in haproxyctl
- Vhosts with waf_bypass=1 skip mitmproxy_inspector
- Fixes blank page issue with Streamlit apps
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- HISTORY.md: Entry #60 documenting GoToSocial v0.17.0 deployment
- WIP.md: Added to Just Completed section
- Includes HAProxy exposure, admin user setup, key fixes
Live at https://social.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add remote device management: scan_network, list_remotes, add_remote,
remove_remote, remote_status, remote_upload, remote_flash RPCD methods
- Add secubox-asu-clone script for on-the-fly firmware generation via
OpenWrt ASU (Attended Sysupgrade) API
- Include full LuCI packages in ASU builds (luci-base, luci-mod-admin-full,
luci-mod-network, luci-mod-status, luci-mod-system, etc.)
- Add partition expansion script (10-expand-rootfs) to use full SD card/eMMC
with proper UUID and boot config handling for both MBR and GPT
- Add robust provisioning script (99-secubox-provision) with network retry,
firewall handling, and SecuBox package installation from local feed
- Use dropbear's dbclient for SSH operations (OpenWrt native)
- Support mochabin, espressobin-v7, espressobin-ultra, x86-64 devices
- Default to OpenWrt version 24.10.5
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Remove old secubox-theme and secubox-portal/header dependencies
- Remove external dashboard.css stylesheet
- Replace ndpid/api with direct RPC declarations
- Use KISS classes (kiss-card, kiss-stat, kiss-table, kiss-badge, kiss-btn)
- Add consistent navigation tabs
- Add poll toggle for auto-refresh control
- Use CSS variables (--kiss-blue, --kiss-green, --kiss-muted, etc.)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Dashboard with status cards: device, TFTP, tokens, clones
- Quick actions: Build Image, Start/Stop TFTP, Token generation
- Clone images table with size and TFTP-ready status
- Token management with auto-approve option
- U-Boot flash commands display when TFTP is running
- RPCD handler with 10 methods for full cloner management
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- New "🚀 Devel" tab with live GitHub commit activity (1-min cache)
- Metrics: Commits Today, This Week, Contributors, Stars
- Commit type distribution (feat/fix/docs/refactor/chore)
- Recent commits list with hash, message, author, relative time
- Repository stats: forks, watchers, open issues
- Cyberpunk-themed commit cards with color-coding
- Pulsing live indicator animation
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fixed port conflict (console 8515, yijing360 8521)
- Deployed yijing-360.zip with generator.py
- Emancipated at yijing360.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
All 4 phases implemented:
- Stats collectors with 17 JSON cache files
- Landing page JSON symlinks for gk2.secubox.in
- Widget Fabricator with live data
- Full integration verified
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Secondary domain for La Livrée d'Hermès gallery
- OVH DNS + Let's Encrypt SSL
- Same backend as lldh.gk2.secubox.in
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Fabricator pages now use actual UCI/JSON data (bfd2ed7c)
- La Livrée d'Hermès gallery deployed with YouTube music
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add extract_zip_flatten() to Streamlit RPCD for nested ZIP handling
- Add bot whitelist to mitmproxy WAF (Facebook, Google, Bing crawlers)
- Skip threat detection for whitelisted legitimate crawlers
- Track Fabricator app and stats evolution in HISTORY.md
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Create cyberpunk-style End of Internet page for unknown domains
- Add http-request UCI option support in haproxyctl generator
- Support path rewriting backends with http-request set-path
- Configure end_of_internet as default backend for both frontends
- Update docs with HAProxy enhancements (entry #59)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
