secubox-openwrt/docs/wiki/Architecture.md
CyberMind-FR 01246a693d docs: Add comprehensive wiki and module documentation
Wiki structure:
- Home.md: Main navigation with module categories
- Installation.md: Getting started guide
- Quick-Start.md: First-time setup walkthrough
- Architecture.md: 4-layer architecture overview
- Modules.md: Complete catalog of 80+ modules

Module documentation (docs/wiki/modules/):
- Security.md: 15 security modules (CrowdSec, WAF, Guardians)
- Network.md: 12 network modules (HAProxy, Bandwidth, Traffic)
- Mesh.md: 7 VPN/mesh modules (WireGuard, P2P, MirrorNet)
- DNS.md: 6 DNS modules (DNS Master, Vortex, Meshname)
- Apps.md: 20 application modules (Jellyfin, Nextcloud, Matrix)
- System.md: 14 system modules (Config Vault, Reporter, RTTY)
- AI.md: 8 AI modules (Gateway, LocalAI, Threat Analyst)

Updated:
- SCREENSHOTS.md: Expanded to 111 modules with all categories
- README.md: Added wiki links and module index

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-03-26 12:35:31 +01:00


# SecuBox Architecture
SecuBox is built on a 4-layer architecture designed for privacy, security, and decentralization.
---
## The 4 Layers (Les 4 Couches)
```
+--------------------------------------------------+
| Layer 4: Roadmap & Governance                    |
| Version milestones, certifications               |
+--------------------------------------------------+
| Layer 3: MirrorNetworking                        |
| P2P gossip, mesh orchestration, CDN              |
+--------------------------------------------------+
| Layer 2: AI Gateway                              |
| Data sovereignty, local inference, routing       |
+--------------------------------------------------+
| Layer 1: Core Mesh                               |
| OpenWrt, WireGuard, CrowdSec, HAProxy            |
+--------------------------------------------------+
```
---
## Layer 1: Core Mesh
The foundation layer running on OpenWrt 24.10.
### Components
| Component | Purpose |
|-----------|---------|
| **OpenWrt** | Base operating system |
| **WireGuard** | VPN tunnels for mesh |
| **CrowdSec** | IDS/IPS with threat intel |
| **HAProxy** | Reverse proxy, SSL termination |
| **mitmproxy** | WAF, TLS inspection |
| **dnsmasq** | DNS and DHCP |
| **LXC** | Container runtime |
### Mesh Daemon (`secuboxd`)
The mesh daemon handles:
- Peer discovery via mDNS (`_secubox._udp.local`)
- Topology management
- Gate election (weighted scoring)
- Cross-node telemetry
```
secubox-mesh/
├── secuboxd            # Main daemon
├── secuboxctl          # CLI interface
└── lib/
    ├── topology.sh     # Topology management
    ├── discovery.sh    # Peer discovery
    ├── election.sh     # Gate election
    └── telemetry.sh    # Metrics collection
```
---
## Layer 2: AI Gateway
Data sovereignty engine for AI operations.
### Data Classification
| Tier | Description | Destination |
|------|-------------|-------------|
| **LOCAL_ONLY** | Raw network data, IPs, MACs | Never leaves device |
| **SANITIZED** | Anonymized patterns | Mistral EU (opt-in) |
| **CLOUD_DIRECT** | Generic queries | Claude/GPT (opt-in) |
### Provider Routing
Priority order for AI requests:
1. LocalAI (local inference)
2. Mistral (EU sovereign)
3. Claude
4. OpenAI GPT
5. Gemini
6. xAI
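The tier table and the provider priority list above describe a policy; the following is an added illustration of how a gateway can enforce it, not SecuBox's own code. It assumes the caller declares a tier, that providers are enabled per node by opt-in flags, and that LocalAI is on-device, Mistral is the EU-sovereign option and the remaining providers are direct cloud (the page does not state these classes). The payload is re-checked before it is handed to any non-local provider, so a misclassified request fails closed rather than leaking LOCAL_ONLY data.

```python
import re
from typing import Set, Tuple

# Priority order from the Provider Routing list. The exposure class of each
# provider is an assumption for this example (LocalAI on-device, Mistral EU,
# the rest direct cloud), not something the page states.
PROVIDERS = [
    ("LocalAI", "LOCAL_ONLY"),
    ("Mistral", "SANITIZED"),
    ("Claude", "CLOUD_DIRECT"),
    ("OpenAI GPT", "CLOUD_DIRECT"),
    ("Gemini", "CLOUD_DIRECT"),
    ("xAI", "CLOUD_DIRECT"),
]
# A request may only reach providers whose exposure class is at or below
# the exposure level of its own tier.
TIER_LEVEL = {"LOCAL_ONLY": 0, "SANITIZED": 1, "CLOUD_DIRECT": 2}

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC = re.compile(r"\b(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}\b")


def sanitize(text: str) -> str:
    """Replace raw IPs/MACs with placeholders so only the pattern remains."""
    return MAC.sub("<mac>", IPV4.sub("<ip>", text))


def contains_raw_identifiers(text: str) -> bool:
    return bool(IPV4.search(text) or MAC.search(text))


def route(tier: str, payload: str, enabled: Set[str]) -> Tuple[str, str]:
    """Return (provider, payload) for the first enabled provider allowed by tier.

    SANITIZED payloads are anonymized first. Before anything is handed to a
    non-local provider the payload is re-checked for raw identifiers, so a
    misclassified request fails closed instead of leaking LOCAL_ONLY data.
    """
    level = TIER_LEVEL[tier]
    if tier == "SANITIZED":
        payload = sanitize(payload)
    for name, cls in PROVIDERS:
        if name not in enabled or TIER_LEVEL[cls] > level:
            continue
        if cls != "LOCAL_ONLY" and contains_raw_identifiers(payload):
            raise ValueError("raw identifiers would leave the device")
        return name, payload
    raise ValueError("no enabled provider for tier " + tier)
```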
### AI Agents
| Agent | Function |
|-------|----------|
| Threat Analyst | CrowdSec alert analysis |
| DNS Guard | DNS anomaly detection |
| CVE Triage | Vulnerability prioritization |
| Network Anomaly | Traffic pattern analysis |
| Config Advisor | ANSSI compliance |
---
## Layer 3: MirrorNetworking
Decentralized mesh orchestration.
### Dual Transport
| Tier | Protocol | Purpose |
|------|----------|---------|
| Tier 1 | WireGuard | Known peers, trusted mesh |
| Tier 2 | Yggdrasil | Discovery, extended mesh |
### Gossip Protocol
Services synchronized across the mesh:
- **Threat Intel**: Signed IoC gossip
- **Service Registry**: Published services
- **Configuration**: Distributed config sync
- **AI Inference**: Distributed model queries
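What a signed threat-intel gossip message needs on the receiving side, as an added example that is not secuboxd's wire format: a canonical encoding so every node verifies the same bytes, a signature check, a freshness window and a per-origin sequence number so a captured message cannot be replayed. HMAC-SHA256 with a shared mesh key stands in for whatever signature scheme the project actually uses (an assumption), and the IoC values are constructed TEST-NET addresses.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional


def canonical(body: dict) -> bytes:
    """Sorted keys, no whitespace: every node signs and checks the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_ioc(key: bytes, origin: str, seq: int, iocs: List[str],
             ts: Optional[float] = None) -> dict:
    """Build a threat-intel gossip message and attach its HMAC-SHA256 tag."""
    msg = {"origin": origin, "seq": seq, "ts": time.time() if ts is None else ts,
           "iocs": iocs}
    msg["sig"] = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
    return msg


class GossipReceiver:
    """Accepts a message only if it verifies, is fresh, and is not a replay."""

    def __init__(self, key: bytes, max_age: float = 300.0):
        self.key = key
        self.max_age = max_age
        self.last_seq: Dict[str, int] = {}   # highest seq accepted per origin
        self.accepted: List[str] = []        # IoCs admitted to the local set

    def accept(self, msg: dict, now: Optional[float] = None) -> bool:
        body = {k: v for k, v in msg.items() if k != "sig"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(msg.get("sig", ""))):
            return False                      # forged or tampered in transit
        now = time.time() if now is None else now
        if abs(now - body["ts"]) > self.max_age:
            return False                      # stale message or bad clock
        if body["seq"] <= self.last_seq.get(body["origin"], -1):
            return False                      # replay or out of order
        self.last_seq[body["origin"]] = body["seq"]
        self.accepted.extend(body["iocs"])
        return True
```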
### Punk Exposure Model
Three-verb service exposure:
1. **Peek**: Discover and scan services
2. **Poke**: Configure exposure channels
3. **Emancipate**: Activate exposure
Channels:
- **Tor**: `.onion` hidden services
- **DNS/SSL**: HTTPS via HAProxy + ACME
- **Mesh**: P2P service registry
---
## Layer 4: Roadmap
Version governance and certifications.
### Milestones
| Version | Status | Features |
|---------|--------|----------|
| v0.18 | Done | MirrorBox Core |
| v0.19 | Done | AI Expansion |
| v1.0 | Done | Full Stack |
| v1.1 | Done | Extended Mesh |
### Target Certifications
- **ANSSI CSPN**: French security certification
- **CE**: European conformity
- **GDPR**: Data protection compliance
- **NIS2**: Network security directive
---
## Network Architecture
```
Internet
       │
       ▼
┌──────────────┐
│   HAProxy    │ ◄── SSL termination, routing
│    (LXC)     │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│  mitmproxy   │ ◄── WAF, TLS inspection
│    (LXC)     │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│   CrowdSec   │ ◄── IDS/IPS
│    (host)    │
└──────┬───────┘
       │
       ▼
┌──────────────┐
│   Services   │ ◄── Jellyfin, Nextcloud, etc.
│    (LXC)     │
└──────────────┘
```
---
## Directory Structure
```
package/secubox/
├── secubox-core/         # Base utilities
├── secubox-mesh/         # Mesh daemon
├── secubox-p2p/          # P2P protocol
├── secubox-identity/     # DID/trust
├── secubox-ai-gateway/   # AI routing
├── luci-app-*/           # LuCI modules (80+)
├── luci-theme-secubox/   # CRT P31 theme
└── secubox-app-*/        # Service packages
```
---
## Key Configuration Files
| File | Purpose |
|------|---------|
| `/etc/config/secubox` | Main SecuBox config |
| `/etc/config/secubox-mesh` | Mesh settings |
| `/etc/config/wireguard_*` | VPN tunnels |
| `/etc/config/crowdsec` | IDS/IPS config |
| `/etc/config/haproxy` | Reverse proxy |
---
See also:
- [Module Implementation Guide](Module-Implementation.md)
- [API Reference](API.md)
- [Development Guidelines](Development.md)
---
*SecuBox v1.0.0*