mirror of
https://github.com/CyberMind-FR/secubox-deb.git
synced 2026-07-01 13:06:54 +00:00
Compare commits
2 Commits
198fecea11
...
46dfd781d3
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
46dfd781d3 | ||
| cf3aef48c8 |
22
.github/workflows/build-android-apk.yml
vendored
22
.github/workflows/build-android-apk.yml
vendored
|
|
@ -16,7 +16,7 @@ on:
|
||||||
workflow_dispatch:
|
workflow_dispatch:
|
||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: write # needed to attach the APK to a release on tags
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
|
@ -44,9 +44,27 @@ jobs:
|
||||||
- name: Build debug APK
|
- name: Build debug APK
|
||||||
run: gradle :app:assembleDebug --no-daemon --stacktrace
|
run: gradle :app:assembleDebug --no-daemon --stacktrace
|
||||||
|
|
||||||
- name: Upload APK
|
- name: Upload APK artifact
|
||||||
uses: actions/upload-artifact@v4
|
uses: actions/upload-artifact@v4
|
||||||
with:
|
with:
|
||||||
name: secubox-toolbox-android-debug
|
name: secubox-toolbox-android-debug
|
||||||
path: clients/android-toolbox/app/build/outputs/apk/debug/*.apk
|
path: clients/android-toolbox/app/build/outputs/apk/debug/*.apk
|
||||||
if-no-files-found: error
|
if-no-files-found: error
|
||||||
|
|
||||||
|
# On android-v* tags, publish the APK as a release asset under the
|
||||||
|
# stable name the toolbox fetch helper + /wg/toolbox.apk expect
|
||||||
|
# (#536). `latest/download/secubox-toolbox-android.apk` resolves to
|
||||||
|
# whichever release is newest.
|
||||||
|
- name: Stage release asset
|
||||||
|
if: startsWith(github.ref, 'refs/tags/android-v')
|
||||||
|
run: |
|
||||||
|
mkdir -p "$GITHUB_WORKSPACE/release"
|
||||||
|
cp app/build/outputs/apk/debug/app-debug.apk \
|
||||||
|
"$GITHUB_WORKSPACE/release/secubox-toolbox-android.apk"
|
||||||
|
|
||||||
|
- name: Publish release
|
||||||
|
if: startsWith(github.ref, 'refs/tags/android-v')
|
||||||
|
uses: softprops/action-gh-release@v2
|
||||||
|
with:
|
||||||
|
files: release/secubox-toolbox-android.apk
|
||||||
|
fail_on_unmatched_files: true
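Review bot: The `contents: write` grant sits in the workflow-level `permissions:` block, so every run of this workflow, including `workflow_dispatch` and any trigger outside the hunk, gets a token that can modify repository contents, although only the two tag-gated steps need it. Keeping `contents: read` at the top and moving publication into a separate job gated on `startsWith(github.ref, 'refs/tags/android-v')` with its own `permissions: contents: write` would leave the Gradle build on a read-only token. `softprops/action-gh-release@v2` receives that write token through a movable tag; pinning it as `uses: softprops/action-gh-release@<full-commit-sha> # v2` fixes which code runs at release time. The staged asset is `app-debug.apk`, so the file users are asked to sideload is a debug build, and it is worth confirming that this is intended.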
|
||||||
|
|
|
||||||
|
|
@ -1,3 +1,21 @@
|
||||||
|
secubox-toolbox (2.6.13-1~bookworm1) bookworm; urgency=medium
|
||||||
|
|
||||||
|
* Serve the Android ToolBox APK from the toolbox (#536, follow-up #531).
|
||||||
|
- api.py GET /wg/toolbox.apk : serves the local APK
|
||||||
|
(/var/lib/secubox/toolbox/android/village3b-toolbox.apk) with
|
||||||
|
content-type application/vnd.android.package-archive ; if absent,
|
||||||
|
302 → the latest public GitHub release asset (button never
|
||||||
|
dead-ends, offline-capable once fetched).
|
||||||
|
- /wg/onboard Android panel (both the inline + the _install_panels
|
||||||
|
variants) : new "📱 Installer l'app ToolBoX (1-tap)" button.
|
||||||
|
- sbin/secubox-toolbox-fetch-apk : pulls the latest release asset
|
||||||
|
into the serve path (best-effort, APK-magic sanity check).
|
||||||
|
- postinst : create the android serve dir + best-effort first fetch.
|
||||||
|
- build-android-apk.yml : on android-v* tags, publish the APK as a
|
||||||
|
release asset named secubox-toolbox-android.apk (contents:write).
|
||||||
|
|
||||||
|
-- Gerald KERMA <devel@cybermind.fr> Thu, 12 Jun 2026 14:30:00 +0200
|
||||||
|
|
||||||
secubox-toolbox (2.6.12-1~bookworm1) bookworm; urgency=medium
|
secubox-toolbox (2.6.12-1~bookworm1) bookworm; urgency=medium
|
||||||
|
|
||||||
* fix(threat_intel) #530 — ThreatFox ingested 0 IOCs for weeks because
|
* fix(threat_intel) #530 — ThreatFox ingested 0 IOCs for weeks because
|
||||||
|
|
|
||||||
|
|
@ -44,6 +44,14 @@ case "$1" in
|
||||||
|
|
||||||
# 4. Storage dir (SQLite + future PDF reports)
|
# 4. Storage dir (SQLite + future PDF reports)
|
||||||
install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/lib/secubox/toolbox
|
install -d -m 0750 -o secubox-toolbox -g secubox-toolbox /var/lib/secubox/toolbox
|
||||||
|
# #536 : Android APK serve dir + best-effort fetch of the latest
|
||||||
|
# release asset (so GET /wg/toolbox.apk serves it locally/offline).
|
||||||
|
# Non-blocking : if there's no release yet / no network, the endpoint
|
||||||
|
# falls back to redirecting to the public release.
|
||||||
|
install -d -m 0755 -o secubox-toolbox -g secubox-toolbox /var/lib/secubox/toolbox/android
|
||||||
|
if [ -x /usr/sbin/secubox-toolbox-fetch-apk ]; then
|
||||||
|
/usr/sbin/secubox-toolbox-fetch-apk 2>&1 | head -2 || true
|
||||||
|
fi
|
||||||
# /var/log/secubox is a SHARED parent traversed by many service users
|
# /var/log/secubox is a SHARED parent traversed by many service users
|
||||||
# (the aggregator runs as `secubox` and reads waf-threats.log under
|
# (the aggregator runs as `secubox` and reads waf-threats.log under
|
||||||
# here). It MUST be 0755 — a 0750 owned by secubox-toolbox silently
|
# here). It MUST be 0755 — a 0750 owned by secubox-toolbox silently
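Review bot: The fetch helper is started as root from the maintainer script, so the download and the handling of a remote file run with full privileges during package configuration. The directory created just above is owned by `secubox-toolbox`, so the call can drop to that user, for example `runuser -u secubox-toolbox -- /usr/sbin/secubox-toolbox-fetch-apk 2>&1 | head -2 || true`. The comment calls the step non-blocking, but the script still waits for the helper (which passes `--timeout=20 --tries=2` to wget), so `# Non-fatal : ...` would describe it more accurately. The enclosing `case "$1" in` branch starts and ends outside the hunk.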
|
||||||
|
|
|
||||||
|
|
@ -102,6 +102,9 @@ execute_after_dh_auto_install:
|
||||||
debian/secubox-toolbox/lib/systemd/system/
|
debian/secubox-toolbox/lib/systemd/system/
|
||||||
install -m 0644 systemd/secubox-escalate.timer \
|
install -m 0644 systemd/secubox-escalate.timer \
|
||||||
debian/secubox-toolbox/lib/systemd/system/
|
debian/secubox-toolbox/lib/systemd/system/
|
||||||
|
# #536 : Android APK fetch helper.
|
||||||
|
install -m 0755 sbin/secubox-toolbox-fetch-apk \
|
||||||
|
debian/secubox-toolbox/usr/sbin/
|
||||||
install -m 0755 sbin/secubox-toolbox-wg-restore \
|
install -m 0755 sbin/secubox-toolbox-wg-restore \
|
||||||
debian/secubox-toolbox/usr/sbin/
|
debian/secubox-toolbox/usr/sbin/
|
||||||
install -m 0644 systemd/secubox-toolbox-wg-restore.service \
|
install -m 0644 systemd/secubox-toolbox-wg-restore.service \
|
||||||
|
|
|
||||||
44
packages/secubox-toolbox/sbin/secubox-toolbox-fetch-apk
Normal file
44
packages/secubox-toolbox/sbin/secubox-toolbox-fetch-apk
Normal file
|
|
@ -0,0 +1,44 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
# SPDX-License-Identifier: LicenseRef-CMSD-1.0
|
||||||
|
# Copyright (c) 2026 CyberMind — Gérald Kerma <devel@cybermind.fr>
|
||||||
|
#
|
||||||
|
# SecuBox-Deb :: secubox-toolbox-fetch-apk (#536)
|
||||||
|
#
|
||||||
|
# Pull the latest Android ToolBox APK (published as a GitHub release
|
||||||
|
# asset by build-android-apk.yml on android-v* tags) into the toolbox
|
||||||
|
# serve path, so GET /wg/toolbox.apk serves it locally (offline-capable
|
||||||
|
# sideload from the cabine). Best-effort : a failure leaves any existing
|
||||||
|
# APK in place ; the endpoint falls back to the public release redirect.
|
||||||
|
set -euo pipefail
|
||||||
|
readonly MODULE="secubox-toolbox-fetch-apk"
|
||||||
|
|
||||||
|
DEST_DIR="/var/lib/secubox/toolbox/android"
|
||||||
|
DEST="${DEST_DIR}/village3b-toolbox.apk"
|
||||||
|
RELEASE_URL="https://github.com/CyberMind-FR/secubox-deb/releases/latest/download/secubox-toolbox-android.apk"
|
||||||
|
|
||||||
|
log() { logger -t "$MODULE" -- "$*" 2>/dev/null || echo "[$MODULE] $*" >&2; }
|
||||||
|
|
||||||
|
install -d -m 0755 -o secubox-toolbox -g secubox-toolbox "$DEST_DIR" 2>/dev/null \
|
||||||
|
|| mkdir -p "$DEST_DIR"
|
||||||
|
|
||||||
|
TMP=$(mktemp --suffix=.apk)
|
||||||
|
trap 'rm -f "$TMP"' EXIT
|
||||||
|
|
||||||
|
if command -v wget >/dev/null 2>&1; then
|
||||||
|
if wget -q --timeout=20 --tries=2 "$RELEASE_URL" -O "$TMP" && [ -s "$TMP" ]; then
|
||||||
|
# Sanity : APK is a ZIP — must start with PK\x03\x04.
|
||||||
|
if head -c 2 "$TMP" | grep -q "PK"; then
|
||||||
|
install -m 0644 "$TMP" "$DEST"
|
||||||
|
chown secubox-toolbox:secubox-toolbox "$DEST" 2>/dev/null || true
|
||||||
|
log "fetched APK -> ${DEST} ($(stat -c%s "$DEST" 2>/dev/null) bytes)"
|
||||||
|
exit 0
|
||||||
|
else
|
||||||
|
log "downloaded file is not an APK (no release asset yet?) — keeping existing"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
log "fetch failed (no release yet / network) — /wg/toolbox.apk will redirect to the release"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
log "wget missing — cannot fetch APK"
|
||||||
|
fi
|
||||||
|
exit 0
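Review bot: Nothing here establishes that the downloaded file is the project's APK: the only gate before `install -m 0644 "$TMP" "$DEST"` is `head -c 2 "$TMP" | grep -q "PK"`, which any ZIP archive passes, and the file is then offered for sideloading by `/wg/toolbox.apk`. Before the install step the script should check the package against something shipped with the .deb or published next to the asset, such as a pinned signing-certificate digest or a SHA-256 file, and keep the existing APK when the check fails. The comment promises `PK\x03\x04` but only two bytes are compared; `[ "$(head -c 4 "$TMP" | od -An -tx1 | tr -d ' \n')" = "504b0304" ]` matches the comment. `install` writes `$DEST` in place, so staging the file inside `$DEST_DIR` and renaming it with `mv -f` would keep a concurrent download from reading a half-written APK.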
|
||||||
|
|
@ -621,6 +621,11 @@ pre{background:#1a1a25;color:var(--phos-hot);padding:0.6rem 0.8rem;border-radius
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div class="tab-content" data-content=android>
|
<div class="tab-content" data-content=android>
|
||||||
|
<a href="/wg/toolbox.apk" class="btn btn-go">📱 Installer l'app ToolBoX (1-tap)</a>
|
||||||
|
<div class=warn style="margin-top:0.5rem">
|
||||||
|
✨ <b>Le plus simple</b> : l'app fait tout (CA + tunnel + vérif) en 5 étapes.
|
||||||
|
Active « sources inconnues » à l'installation. Sinon, méthode manuelle ci-dessous :
|
||||||
|
</div>
|
||||||
<a href="/wg/ca.crt" class="btn btn-warn">📥 Télécharger CA (.crt format Android)</a>
|
<a href="/wg/ca.crt" class="btn btn-warn">📥 Télécharger CA (.crt format Android)</a>
|
||||||
<div class=warn>
|
<div class=warn>
|
||||||
⚠ Chrome ne peut PAS installer un CA directement (sécurité Android 11+).
|
⚠ Chrome ne peut PAS installer un CA directement (sécurité Android 11+).
|
||||||
|
|
@ -1185,6 +1190,9 @@ _ONBOARD_BODY = {
|
||||||
<p class=note>Si rien ne se passe : Réglages → Batterie → désactive le mode économie (il coupe parfois les VPN).</p>
|
<p class=note>Si rien ne se passe : Réglages → Batterie → désactive le mode économie (il coupe parfois les VPN).</p>
|
||||||
""",
|
""",
|
||||||
"android": """
|
"android": """
|
||||||
|
<p><b>✨ Le plus simple — l'app ToolBoX fait tout :</b></p>
|
||||||
|
<a class=btn href="/wg/toolbox.apk">📱 Installer l'app ToolBoX (.apk, 1-tap)</a>
|
||||||
|
<p class=note>Active « sources inconnues » à l'installation. L'app installe le CA, importe le tunnel et vérifie le R3 en 5 étapes. Sinon, méthode manuelle :</p>
|
||||||
<ol>
|
<ol>
|
||||||
<li>Installe l'app <a class=btn href="https://play.google.com/store/apps/details?id=com.wireguard.android" target=_blank rel=noopener>WireGuard</a> depuis le Play Store.</li>
|
<li>Installe l'app <a class=btn href="https://play.google.com/store/apps/details?id=com.wireguard.android" target=_blank rel=noopener>WireGuard</a> depuis le Play Store.</li>
|
||||||
<li>Dans l'app, tap "+" → "Scan from QR code" → scanne ton QR :<br><img src="/wg/qr.png" alt="QR code" style="width:240px;max-width:100%;margin:0.5rem 0;border-radius:6px"></li>
|
<li>Dans l'app, tap "+" → "Scan from QR code" → scanne ton QR :<br><img src="/wg/qr.png" alt="QR code" style="width:240px;max-width:100%;margin:0.5rem 0;border-radius:6px"></li>
|
||||||
|
|
@ -1326,6 +1334,37 @@ async def wg_ca_der() -> Response:
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# Android ToolBox app (#531/#536). CI publishes the APK as a GitHub
|
||||||
|
# release asset on `android-v*` tags ; secubox-toolbox-fetch-apk pulls it
|
||||||
|
# into the serve path below. If absent, we redirect to the public
|
||||||
|
# release so the button always works.
|
||||||
|
_ANDROID_APK = Path("/var/lib/secubox/toolbox/android/village3b-toolbox.apk")
|
||||||
|
_ANDROID_APK_RELEASE = (
|
||||||
|
"https://github.com/CyberMind-FR/secubox-deb/releases/latest/download/"
|
||||||
|
"secubox-toolbox-android.apk"
|
||||||
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@router.get("/wg/toolbox.apk")
|
||||||
|
async def wg_toolbox_apk() -> Response:
|
||||||
|
"""Serve the Android ToolBox installer APK (#536).
|
||||||
|
|
||||||
|
Local file first (sideload from the cabine, works offline) ; if it
|
||||||
|
hasn't been fetched yet, 302 to the latest public GitHub release
|
||||||
|
asset so the onboard button never dead-ends.
|
||||||
|
"""
|
||||||
|
if _ANDROID_APK.exists() and _ANDROID_APK.stat().st_size > 0:
|
||||||
|
return Response(
|
||||||
|
content=_ANDROID_APK.read_bytes(),
|
||||||
|
media_type="application/vnd.android.package-archive",
|
||||||
|
headers={
|
||||||
|
"Content-Disposition": "attachment; filename=village3b-toolbox.apk",
|
||||||
|
"Cache-Control": "public, max-age=300",
|
||||||
|
},
|
||||||
|
)
|
||||||
|
return RedirectResponse(url=_ANDROID_APK_RELEASE, status_code=302)
|
||||||
|
|
||||||
|
|
||||||
@router.get("/wg/ca.mobileconfig")
|
@router.get("/wg/ca.mobileconfig")
|
||||||
async def wg_ca_mobileconfig() -> Response:
|
async def wg_ca_mobileconfig() -> Response:
|
||||||
"""iOS profile that installs the mitm-wg CA in trust store."""
|
"""iOS profile that installs the mitm-wg CA in trust store."""
|
||||||
|
|
|
||||||
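Review bot: `wg_toolbox_apk` reads the whole APK into memory with `read_bytes()` inside an async handler, and tests `exists()` and `stat()` separately from the read, so a request that overlaps the fetch helper rewriting the file can raise or return a truncated package. A single `stat()` inside `try/except OSError` followed by a streamed `FileResponse` narrows that window and avoids holding the file in memory per request; `FileResponse` would need to be imported next to `Response` and `RedirectResponse`, whose import lines are outside the hunk. The 302 fallback sends the device to `releases/latest/download/`, so what gets installed is not tied to the version of the package serving the page; a short comment stating that this is accepted would help the next reader.

```python
async def wg_toolbox_apk() -> Response:
    # … unchanged: docstring …
    # Stat once; a missing or unreadable file falls through to the redirect.
    try:
        has_local = _ANDROID_APK.stat().st_size > 0
    except OSError:
        has_local = False
    if has_local:
        # FileResponse streams from disk and sets Content-Disposition from filename.
        return FileResponse(
            _ANDROID_APK,
            media_type="application/vnd.android.package-archive",
            filename="village3b-toolbox.apk",
            headers={"Cache-Control": "public, max-age=300"},
        )
    # … unchanged: RedirectResponse to _ANDROID_APK_RELEASE …
```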