- New build-secubox-vm.yml for ready-to-use SecuBox VM images - Uses OpenWrt 24.10.5 (latest stable release) - Builds VMDK, VDI, QCOW2 formats for all VM platforms - Includes all SecuBox LuCI packages pre-installed - Docker support enabled (dockerd, docker-compose) - Virtio drivers and QEMU guest tools for KVM/Proxmox - Configurable rootfs size (512MB-4GB) - Manual dispatch + automatic on version tags Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
# Builds ready-to-use SecuBox VM images (x86_64) from an OpenWrt source tree.
name: Build SecuBox VM Image (x86_64)

on:
  # Manual trigger. Every input is a `choice`, so the values that reach the
  # job are limited to the options listed under each input.
  workflow_dispatch:
    inputs:
      openwrt_version:
        description: 'OpenWrt version'
        required: true
        default: '24.10.5'
        type: choice
        options:
          - '24.10.5'
          - '23.05.5'
          - 'SNAPSHOT'
      # NOTE(review): no step in this workflow reads image_format; the
      # generated .config enables VMDK, VDI and QCOW2 regardless of the choice.
      image_format:
        description: 'VM image format'
        required: true
        default: 'all'
        type: choice
        options:
          - 'all'
          - 'vmdk'
          - 'vdi'
          - 'qcow2'
      rootfs_size:
        description: 'Root filesystem size (MB)'
        required: true
        default: '1024'
        type: choice
        options:
          - '512'
          - '1024'
          - '2048'
          - '4096'

  # Automatic trigger on version tags
  push:
    tags:
      - 'v*.*.*'
      - 'v*.*.*-vm'

# Tag pushes carry no inputs, so the value after `||` is used for them.
env:
  OPENWRT_VERSION: ${{ github.event.inputs.openwrt_version || '24.10.5' }}
  ROOTFS_SIZE: ${{ github.event.inputs.rootfs_size || '1024' }}

# contents: write is what lets GITHUB_TOKEN publish the release. Declared at
# workflow level, it applies to the whole build job, not only the release step.
# NOTE(review): a separate release job would confine the write scope to the
# step that needs it.
permissions:
  contents: write

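jobs:
  # ============================================
  # Build x86_64 VM firmware with SecuBox
  # ============================================
  # Single job: check out the SecuBox packages, clone OpenWrt, copy the
  # packages into the tree, write .config, build, then publish the images as a
  # workflow artifact and (on tag refs) as a GitHub release.
  #
  # NOTE(review): the actions below are referenced by tag (@v4, @v1). A tag can
  # be moved; pinning each one to a full commit SHA
  # (owner/action@<full-commit-sha>  # vX) fixes the code that runs with this
  # job's token.
  build-vm:
    runs-on: ubuntu-latest
    name: SecuBox VM (x86_64)

    steps:
      - name: Checkout SecuBox packages
        uses: actions/checkout@v4
        with:
          # No later step pushes with git, so the token is not left in
          # .git/config where the feed and package build scripts run.
          persist-credentials: false

      - name: Free disk space
        run: |
          echo "🧹 Cleaning up disk space..."
          sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc
          sudo docker image prune --all --force
          df -h

      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y \
            build-essential clang flex bison g++ gawk \
            gcc-multilib g++-multilib gettext git libncurses5-dev \
            libssl-dev python3-setuptools python3-dev rsync \
            swig unzip zlib1g-dev file wget curl qemu-utils ninja-build

      - name: Clone OpenWrt
        run: |
          # OPENWRT_VERSION is exported from the workflow-level env. Reading it
          # as a shell variable (instead of a ${{ }} expression pasted into the
          # script) keeps the value out of the script text if an input ever
          # stops being a fixed choice.
          if [[ "$OPENWRT_VERSION" == "SNAPSHOT" ]]; then
            # SNAPSHOT follows the moving default branch, not a release tag.
            git clone --depth 1 https://github.com/openwrt/openwrt.git openwrt
          else
            git clone --depth 1 --branch "v${OPENWRT_VERSION}" \
              https://github.com/openwrt/openwrt.git openwrt
          fi

      - name: Update feeds
        run: |
          # The step has no explicit `shell:`, so pipefail is off by default and
          # `cmd | tee` would report tee's exit status. Enable it so the error
          # branches below react to the feeds script itself.
          set -o pipefail
          cd openwrt

          # Remove unwanted feeds
          if [[ -f "feeds.conf.default" ]]; then
            sed -i '/telephony/d' feeds.conf.default
            sed -i '/routing/d' feeds.conf.default
            echo "✅ Removed telephony and routing from feeds.conf.default"
          fi

          echo "🔄 Updating feeds..."
          # Best effort: an update error is logged and the directory check at
          # the end of this step decides whether the job can go on.
          if ! ./scripts/feeds update -a 2>&1 | tee feed-update.log; then
            echo "⚠️ Feed update had errors:"
            tail -30 feed-update.log
            echo "Continuing anyway..."
          fi

          echo "📦 Installing feeds..."
          if ! ./scripts/feeds install -a 2>&1 | tee feed-install.log; then
            echo "⚠️ Feed install had warnings, checking directories..."
          fi

          # Verify feeds
          echo "🔍 Verifying feeds..."
          for feed in packages luci; do
            if [[ -d "feeds/$feed" ]]; then
              FEED_SIZE=$(du -sh "feeds/$feed" 2>/dev/null | cut -f1 || echo "?")
              echo " ✅ feeds/$feed ($FEED_SIZE)"
            else
              echo " ❌ feeds/$feed missing!"
              exit 1
            fi
          done

      - name: Copy SecuBox packages
        run: |
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo "📦 COPYING SECUBOX PACKAGES"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

          mkdir -p openwrt/package/secubox
          PKG_COUNT=0

          # Copy top-level luci-app-* packages
          for pkg in luci-app-*/; do
            if [[ -d "$pkg" ]]; then
              PKG_NAME=$(basename "$pkg")
              echo " ✅ $PKG_NAME"
              cp -r "$pkg" openwrt/package/secubox/

              # Fix Makefile include path
              if [[ -f "openwrt/package/secubox/$PKG_NAME/Makefile" ]]; then
                sed -i 's|include.*luci\.mk|include $(TOPDIR)/feeds/luci/luci.mk|' "openwrt/package/secubox/$PKG_NAME/Makefile"
              fi
              PKG_COUNT=$((PKG_COUNT + 1))
            fi
          done

          # Copy package/secubox/* packages
          for pkg in package/secubox/*/; do
            if [[ -d "$pkg" ]]; then
              PKG_NAME=$(basename "$pkg")
              echo " ✅ $PKG_NAME (package/secubox)"
              cp -r "$pkg" openwrt/package/secubox/

              # Fix Makefile include path for luci packages
              if [[ -f "openwrt/package/secubox/$PKG_NAME/Makefile" ]]; then
                sed -i 's|include.*luci\.mk|include $(TOPDIR)/feeds/luci/luci.mk|' "openwrt/package/secubox/$PKG_NAME/Makefile"
              fi
              PKG_COUNT=$((PKG_COUNT + 1))
            fi
          done

          # Copy luci-theme-secubox
          if [[ -d "luci-theme-secubox" ]]; then
            echo " ✅ luci-theme-secubox"
            cp -r luci-theme-secubox openwrt/package/secubox/
            sed -i 's|include.*luci\.mk|include $(TOPDIR)/feeds/luci/luci.mk|' "openwrt/package/secubox/luci-theme-secubox/Makefile"
            PKG_COUNT=$((PKG_COUNT + 1))
          fi

          echo ""
          echo "📊 Total: $PKG_COUNT SecuBox packages copied"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"

      - name: Generate VM configuration
        run: |
          cd openwrt

          # The heredoc delimiter is unquoted, so the shell expands
          # ${ROOTFS_SIZE} (workflow-level env) while writing .config.
          cat > .config << EOF
          # ============================================
          # SecuBox VM x86_64 Configuration
          # ============================================

          # Target: x86_64 (generic)
          CONFIG_TARGET_x86=y
          CONFIG_TARGET_x86_64=y
          CONFIG_TARGET_x86_64_DEVICE_generic=y

          # Image settings
          CONFIG_TARGET_ROOTFS_SQUASHFS=y
          CONFIG_TARGET_ROOTFS_EXT4FS=y
          CONFIG_TARGET_KERNEL_PARTSIZE=32
          CONFIG_TARGET_ROOTFS_PARTSIZE=${ROOTFS_SIZE}

          # VM image formats
          CONFIG_VMDK_IMAGES=y
          CONFIG_VDI_IMAGES=y
          CONFIG_QCOW2_IMAGES=y
          CONFIG_GRUB_EFI_IMAGES=y
          CONFIG_GRUB_IMAGES=y

          # Disable GDB
          # CONFIG_GDB is not set
          CONFIG_BUILD_LOG=y

          # ============================================
          # Base System
          # ============================================

          # LuCI
          CONFIG_PACKAGE_luci=y
          CONFIG_PACKAGE_luci-ssl=y
          CONFIG_PACKAGE_luci-app-opkg=y
          CONFIG_PACKAGE_luci-theme-openwrt-2020=y
          CONFIG_PACKAGE_luci-theme-secubox=y

          # DNS (dnsmasq-full only)
          # CONFIG_PACKAGE_dnsmasq is not set
          CONFIG_PACKAGE_dnsmasq-full=y

          # Networking
          CONFIG_PACKAGE_curl=y
          CONFIG_PACKAGE_wget-ssl=y
          CONFIG_PACKAGE_iptables=y
          CONFIG_PACKAGE_ip6tables=y
          CONFIG_PACKAGE_kmod-nft-core=y

          # VM Guest Tools
          CONFIG_PACKAGE_qemu-ga=y

          # Storage
          CONFIG_PACKAGE_kmod-fs-ext4=y
          CONFIG_PACKAGE_kmod-fs-vfat=y
          CONFIG_PACKAGE_block-mount=y
          CONFIG_PACKAGE_e2fsprogs=y
          CONFIG_PACKAGE_fdisk=y

          # Virtualization drivers
          CONFIG_PACKAGE_kmod-virtio-net=y
          CONFIG_PACKAGE_kmod-virtio-balloon=y
          CONFIG_PACKAGE_kmod-virtio-blk=y
          CONFIG_PACKAGE_kmod-virtio-pci=y
          CONFIG_PACKAGE_kmod-e1000=y
          CONFIG_PACKAGE_kmod-e1000e=y
          CONFIG_PACKAGE_kmod-vmxnet3=y

          # Monitoring
          CONFIG_PACKAGE_htop=y
          CONFIG_PACKAGE_iftop=y
          CONFIG_PACKAGE_tcpdump=y
          CONFIG_PACKAGE_netstat-nat=y

          # SSH
          CONFIG_PACKAGE_openssh-sftp-server=y

          # ============================================
          # SecuBox Core Packages
          # ============================================
          CONFIG_PACKAGE_secubox-app=y
          CONFIG_PACKAGE_luci-app-secubox=y
          CONFIG_PACKAGE_luci-app-system-hub=y
          CONFIG_PACKAGE_luci-app-metrics-dashboard=y

          # ============================================
          # Security & Monitoring
          # ============================================
          CONFIG_PACKAGE_luci-app-crowdsec-dashboard=y
          CONFIG_PACKAGE_luci-app-netdata-dashboard=y

          # ============================================
          # Network Intelligence
          # ============================================
          CONFIG_PACKAGE_luci-app-netifyd-dashboard=y
          CONFIG_PACKAGE_luci-app-network-modes=y

          # ============================================
          # VPN & Access Control
          # ============================================
          CONFIG_PACKAGE_wireguard-tools=y
          CONFIG_PACKAGE_kmod-wireguard=y
          CONFIG_PACKAGE_luci-app-wireguard-dashboard=y
          CONFIG_PACKAGE_qrencode=y
          CONFIG_PACKAGE_luci-app-client-guardian=y

          # ============================================
          # Bandwidth & Traffic
          # ============================================
          CONFIG_PACKAGE_luci-app-bandwidth-manager=y
          CONFIG_PACKAGE_luci-app-media-flow=y

          # ============================================
          # Services
          # ============================================
          CONFIG_PACKAGE_luci-app-cdn-cache=y
          CONFIG_PACKAGE_luci-app-vhost-manager=y

          # ============================================
          # Docker Support (optional for VM)
          # ============================================
          CONFIG_PACKAGE_docker=y
          CONFIG_PACKAGE_dockerd=y
          CONFIG_PACKAGE_docker-compose=y
          CONFIG_PACKAGE_luci-app-dockerman=y
          EOF

      - name: Apply configuration
        run: |
          cd openwrt
          make defconfig

          echo ""
          echo "📋 Final configuration:"
          # Shows which of the requested symbols are present after defconfig.
          grep -E "^CONFIG_TARGET|^CONFIG_PACKAGE_(luci-app|secubox|docker)" .config | head -50

      - name: Download sources
        run: |
          cd openwrt
          echo "📥 Downloading source packages..."
          make download -j$(nproc) V=s || make download -j1 V=s

      - name: Build firmware
        run: |
          # Without pipefail the `make | tee` pipelines below return tee's exit
          # status: the single-thread retry would never start and a failed
          # build would leave this step green.
          set -o pipefail
          cd openwrt
          echo ""
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo "🔨 Building SecuBox VM Firmware"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo "Target: x86_64"
          echo "OpenWrt: $OPENWRT_VERSION"
          echo "Root FS: ${ROOTFS_SIZE}MB"
          echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
          echo ""

          # Build with all CPUs
          make -j$(nproc) V=s 2>&1 | tee build.log || {
            echo "⚠️ Parallel build failed, retrying with single thread..."
            make -j1 V=s 2>&1 | tee build-retry.log
          }

      - name: Prepare release artifacts
        run: |
          mkdir -p release

          echo "📦 Collecting VM images..."

          # Copy all x86_64 images
          IMG_COUNT=0
          for img in openwrt/bin/targets/x86/64/*.img.gz \
                     openwrt/bin/targets/x86/64/*.vmdk \
                     openwrt/bin/targets/x86/64/*.vdi \
                     openwrt/bin/targets/x86/64/*.qcow2; do
            if [[ -f "$img" ]]; then
              echo " ✅ $(basename "$img")"
              cp "$img" release/
              IMG_COUNT=$((IMG_COUNT + 1))
            fi
          done

          # Stop here rather than publish an artifact or release that holds
          # only the manifest.
          if [[ "$IMG_COUNT" -eq 0 ]]; then
            echo " ❌ No VM images found in openwrt/bin/targets/x86/64"
            exit 1
          fi

          # Copy SHA256SUMS
          # These sums are produced by this same build, so they detect a
          # corrupted download; they are not a signature over the images.
          if [[ -f "openwrt/bin/targets/x86/64/sha256sums" ]]; then
            cp openwrt/bin/targets/x86/64/sha256sums release/
          fi

          # Generate manifest
          # NOTE(review): the manifest states that root has no password until
          # first login and links LuCI over plain http although luci-ssl is
          # part of the image; confirm this is the intended first-boot posture.
          cat > release/MANIFEST.md << EOF
          # SecuBox VM Image - OpenWrt ${OPENWRT_VERSION}

          ## Build Information
          - **Date**: $(date -u +%Y-%m-%dT%H:%M:%SZ)
          - **OpenWrt Version**: ${OPENWRT_VERSION}
          - **Target**: x86_64
          - **Root FS Size**: ${ROOTFS_SIZE}MB

          ## Included SecuBox Packages
          - luci-app-secubox (Core dashboard)
          - luci-app-system-hub (System management)
          - luci-app-metrics-dashboard (Real-time metrics)
          - luci-app-crowdsec-dashboard (Security monitoring)
          - luci-app-wireguard-dashboard (VPN management)
          - luci-app-network-modes (Network configuration)
          - luci-app-bandwidth-manager (Traffic control)
          - luci-app-vhost-manager (Virtual hosts)
          - luci-theme-secubox (Dark theme)
          - Docker support (dockerd, docker-compose)

          ## Quick Start

          ### VMware
          1. Import the \`.vmdk\` file as a new VM
          2. Configure 2+ CPU cores, 2GB+ RAM
          3. Add network adapters (NAT + Host-only recommended)
          4. Boot and access LuCI at http://192.168.1.1

          ### VirtualBox
          1. Create new VM (Linux, Other 64-bit)
          2. Use existing disk: select the \`.vdi\` file
          3. Configure 2+ CPU cores, 2GB+ RAM
          4. Add network adapters
          5. Boot and access LuCI at http://192.168.1.1

          ### QEMU/KVM
          \`\`\`bash
          qemu-system-x86_64 \\
            -m 2048 \\
            -smp 2 \\
            -drive file=secubox-*.qcow2,format=qcow2 \\
            -netdev user,id=net0,hostfwd=tcp::8080-:80,hostfwd=tcp::8443-:443 \\
            -device virtio-net-pci,netdev=net0 \\
            -nographic
          \`\`\`

          ### Proxmox
          \`\`\`bash
          qm create 100 --name secubox --memory 2048 --cores 2 --net0 virtio,bridge=vmbr0
          qm importdisk 100 secubox-*.qcow2 local-lvm
          qm set 100 --scsi0 local-lvm:vm-100-disk-0
          qm set 100 --boot order=scsi0
          qm start 100
          \`\`\`

          ## Default Credentials
          - **Username**: root
          - **Password**: (none - set on first login)

          ## Documentation
          - [SecuBox Documentation](https://github.com/secubox/secubox-openwrt)
          EOF

          echo ""
          echo "📋 Release artifacts:"
          ls -lh release/

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: secubox-vm-x86_64-${{ env.OPENWRT_VERSION }}
          path: release/
          retention-days: 30

      - name: Create Release
        if: startsWith(github.ref, 'refs/tags/')
        # Third-party action that receives the write-scoped token through env.
        uses: softprops/action-gh-release@v1
        with:
          files: release/*
          body_path: release/MANIFEST.md
          draft: false
          prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-beta') }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Build summary
        run: |
          echo "## 🎉 SecuBox VM Build Complete" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "| Property | Value |" >> "$GITHUB_STEP_SUMMARY"
          echo "|----------|-------|" >> "$GITHUB_STEP_SUMMARY"
          echo "| OpenWrt Version | $OPENWRT_VERSION |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Target | x86_64 |" >> "$GITHUB_STEP_SUMMARY"
          echo "| Root FS Size | ${ROOTFS_SIZE}MB |" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          echo "### 📦 Generated Images" >> "$GITHUB_STEP_SUMMARY"
          echo "" >> "$GITHUB_STEP_SUMMARY"
          # -r keeps backslashes in the listing intact; IFS= keeps spacing.
          ls -lh release/ | while IFS= read -r line; do
            echo "- $line" >> "$GITHUB_STEP_SUMMARY"
          done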