fix(hub): resolve netstats import crash-loop

hub/api/main.py imported netstats as a top-level module, but netstats.py
ships inside the api/ package and the service runs uvicorn api.main:app
with WorkingDirectory=/usr/lib/secubox/hub — so the import failed with
ModuleNotFoundError and secubox-hub crash-looped (~9000 restarts on the
live USB image). Use a relative import with a top-level fallback (the
collector adds api/ to sys.path explicitly, so it keeps working).

Bumps secubox-hub 1.5.0 -> 1.5.1.

packages/secubox-authelia/debian/changelog

@@ -1,3 +1,21 @@
+secubox-authelia (1.0.10-1~bookworm1) bookworm; urgency=medium
+
+  * Remove Authelia SSO entirely.
+    - nginx/authelia.conf: reduced to a permissive no-op gate. The
+      /__sbx_auth_verify auth_request endpoint now returns 200 for every
+      request; @sbx_auth_login is a harmless fallback to the app root.
+      Retained only because grafana/lyrion/yacy/rustdesk/fmrelay/zigbee/
+      nextcloud vhosts still reference these two named locations — without
+      them nginx fails to load. No SSO portal, no session check, no
+      Authelia socket dependency. Fixes the dead-portal 302 that produced
+      a password prompt on LAN clients.
+    - debian/postinst: stop enabling the FastAPI daemon; disable + mask
+      secubox-authelia.service so it cannot be resurrected.
+    - Apps keep their own native auth; LAN/exposure boundaries are
+      enforced by HAProxy + the WAF, not by this layer.
+
+ -- Gerald KERMA <devel@cybermind.fr>  Mon, 29 Jun 2026 10:00:00 +0200
+
 secubox-authelia (1.0.9-1~bookworm1) bookworm; urgency=medium
 
   * Split SSO portal from operator dashboard (#310):

packages/secubox-authelia/debian/postinst

@@ -25,10 +25,12 @@ case "$1" in
             nginx -t >/dev/null 2>&1 && systemctl reload nginx 2>/dev/null || true
         fi
 
+        # Authelia SSO removed: never start/enable the daemon. Mask it so a
+        # stale unit or sibling dependency cannot resurrect it. The nginx
+        # gate is now a permissive no-op (see nginx/authelia.conf).
         systemctl daemon-reload 2>/dev/null || true
-        systemctl enable secubox-authelia.service 2>/dev/null || true
-        # Do not start the FastAPI before the LXC is provisioned;
-        # `autheliactl install` will start the service after the LXC is up.
+        systemctl disable --now secubox-authelia.service 2>/dev/null || true
+        systemctl mask secubox-authelia.service 2>/dev/null || true
         ;;
 esac
 

packages/secubox-authelia/nginx/authelia.conf

@@ -1,66 +1,26 @@
-# /etc/nginx/secubox.d/authelia.conf + /etc/nginx/secubox-routes.d/authelia.conf
-# Installed by secubox-authelia (#239, split per #310)
+# /etc/nginx/secubox.d/authelia.conf
 #
-# Authelia exposes:
-#   /api/v1/authelia/   → host FastAPI on Unix socket (CTL surface + /verify)
-#   /auth/              → SecuBox AUTH config module (static dashboard)
-#                         — control / status / metrics. NOT the portal.
+# Authelia SSO has been REMOVED from SecuBox. This file is retained as a
+# permissive no-op only because several app vhosts (grafana, lyrion, yacy,
+# rustdesk, fmrelay, zigbee, nextcloud) still carry the directives
+#   auth_request /__sbx_auth_verify;
+#   error_page 401 = @sbx_auth_login;
+# in their location blocks. Without the two named locations below, nginx
+# would fail to load. The gate now allows every request unconditionally —
+# there is no SSO portal, no session check, no Authelia socket dependency.
 #
-# The actual Authelia portal lives on its own public vhost at
-# sso.gk2.secubox.in (see /etc/nginx/sites-available/authelia.conf).
-# Sibling SSO-gated apps redirect to sso.gk2.secubox.in/?rd=… for login.
+# Apps keep their own native authentication (Grafana login, Nextcloud
+# login, etc.). LAN/exposure boundaries are enforced by HAProxy + the WAF,
+# not by this layer.
 
-# Host control-plane API. Drives the SecuBox AUTH config UI below.
-location /api/v1/authelia/ {
-    rewrite ^/api/v1/authelia/(.*)$ /$1 break;
-    proxy_pass http://unix:/run/secubox/authelia.sock;
-    include /etc/nginx/snippets/secubox-proxy.conf;
-}
-
-# SecuBox AUTH config module — static dashboard (control + status metrics).
-# Calls /api/v1/authelia/* for sessions, components, access policy etc.,
-# and offers an "Open SSO Portal →" button to https://sso.gk2.secubox.in/.
-location /auth/ {
-    alias /usr/share/secubox/www/authelia/;
-    try_files $uri $uri/ /auth/index.html;
-}
-
-# nginx `auth_request` endpoint for SSO-less backends (yacy, rustdesk-web,
-# mitmproxy-web). Backends include `auth_request /__sbx_auth_verify;` in
-# their location blocks.
-#
-# LAN bypass: clients on trusted internal networks (LAN, LXC bridges,
-# localhost) are allowed without an Authelia session — short-circuit
-# with `return 200`. The `$lan_client` variable is defined by
-# /etc/nginx/conf.d/secubox-lan-geo.conf (shipped by this package).
-#
-# Authelia's /api/verify needs the original URL/host to (a) pick the right
-# session.cookies[] entry for session lookup (Authelia is multi-cookie:
-# maegia.tv + the SecuBox hub domain) and (b) apply access_control rules.
-# Without X-Original-URL the verify call defaults to the first cookies[]
-# entry — the session created under the second domain is not found and
-# Authelia returns 401 → infinite redirect loop with /auth/?rd=…
+# Always-allow gate. auth_request succeeds for every request.
 location = /__sbx_auth_verify {
     internal;
-    if ($lan_client) { return 200; }
-    proxy_pass http://unix:/run/secubox/authelia.sock:/verify;
-    proxy_pass_request_body off;
-    proxy_set_header Content-Length "";
-    proxy_set_header Cookie $http_cookie;
-    proxy_set_header Authorization $http_authorization;
-    proxy_set_header X-Original-URL https://$host$request_uri;
-    proxy_set_header X-Forwarded-Method $request_method;
-    proxy_set_header X-Forwarded-Proto https;
-    proxy_set_header X-Forwarded-Host $host;
-    proxy_set_header X-Forwarded-Uri $request_uri;
-    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    return 200;
 }
 
-# Named location consumed by every SSO-gated backend on the canonical hub
-# vhost (zigbee, lyrion, future apps) via `error_page 401 = @sbx_auth_login;`.
-# 401 from auth_request → 302 to the public Authelia portal vhost
-# (sso.gk2.secubox.in), carrying the original URL in `rd` so the user
-# lands back where they started post-login.
+# Fallback target for any lingering `error_page 401`. Never reached while
+# the gate above returns 200; sends the user back to the app root.
 location @sbx_auth_login {
-    return 302 https://sso.gk2.secubox.in/?rd=https://$host$request_uri;
+    return 302 https://$host/;
 }

packages/secubox-hub/api/main.py

@@ -14,6 +14,9 @@ import asyncio
 import os
 import time
 from pathlib import Path
+try:
+    from . import netstats          # uvicorn `api.main:app` / aggregator import
+except ImportError:                 # standalone with api/ on sys.path (collector)
     import netstats  # #758 — shared collector/reader module
 
 app = FastAPI(title="secubox-hub", version="1.7.0", root_path="/api/v1/hub")

packages/secubox-hub/debian/changelog

@@ -1,3 +1,15 @@
+secubox-hub (1.5.1-1~bookworm1) bookworm; urgency=medium
+
+  * fix(#758): hub crash-loop — `import netstats` could not resolve.
+    netstats.py ships in the api/ package, but the service runs
+    `uvicorn api.main:app` with WorkingDirectory=/usr/lib/secubox/hub,
+    so the bare top-level import failed with ModuleNotFoundError and the
+    unit restarted ~9000 times. main.py now does `from . import netstats`
+    with a fallback to the top-level import (kept for the collector, which
+    adds api/ to sys.path explicitly). No API change.
+
+ -- Gerald KERMA <devel@cybermind.fr>  Mon, 29 Jun 2026 10:30:00 +0200
+
 secubox-hub (1.5.0-1~bookworm1) bookworm; urgency=medium
 
   * feat(#758): nft-based network-stats collector — root oneshot+timer samples