profiles: add presets and wizard integration

2025-12-29 17:22:34 +01:00 · 2025-12-29 17:22:34 +01:00 · 3c0003614d
commit 3c0003614d
parent eab24f9609
15 changed files with 504 additions and 3 deletions
--- a/DOCS/ARCHITECTURE_NOTES.md
+++ b/DOCS/ARCHITECTURE_NOTES.md
@ -22,6 +22,8 @@ These notes summarize the repository structure, conventions, and supporting tool
  - `DOCS/` + `docs/`: mirrored, versioned documentation tree (design system, prompts, module templates, validation, permissions, etc.).
  - `EXAMPLES/` and `templates/`: snippets and scaffolding.
  - CI workflows live in `.github/workflows/` (referenced from README badges).
 - **Profiles & App Manifests**
  - App manifests (`/usr/share/secubox/plugins/`) and profile presets (`/usr/share/secubox/profiles/`) feed both the SecuBox wizard UI and the `secubox-app` CLI for automated installs.
 ---
--- a/DOCS/DOCUMENTATION-INDEX.md
+++ b/DOCS/DOCUMENTATION-INDEX.md
@ -223,6 +223,11 @@ Pointer: see `docs/embedded/vhost-manager.md` for the canonical version.
 Pointer: see `docs/embedded/app-store.md` for the canonical version.
 #### **embedded/wizard-profiles.md** 🧭
 *First-run wizard and OS-like profiles.*
 Pointer: see `docs/embedded/wizard-profiles.md` for the canonical version.
 ---
 ### 5. Tools & Scripts Documentation
--- a/DOCS/embedded/wizard-profiles.md
+++ b/DOCS/embedded/wizard-profiles.md
@ -0,0 +1,74 @@
 # SecuBox Wizard & Profiles
 **Version:** 1.0.0  
 **Last Updated:** 2025-12-28  
 **Status:** Active
 The SecuBox hub now includes a guided setup wizard (LuCI → SecuBox → Wizard) and profile system. Use them to finish the first-run checklist, review app manifests, and apply predefined OS-like configurations (Home, Lab, Hardened, Gateway + DMZ).
 ---
 ## First-Run Checklist
 The wizard queries `luci.secubox`’s `first_run_status` ubus method to determine whether critical items are configured:
 1. **Administrator password** – links to the LuCI password page.  
 2. **Timezone** – dropdown populated with common timezones; applying calls `apply_first_run` with `{ timezone: "Europe/Paris" }`.  
 3. **Storage path** – defaults to `/srv/secubox`; prepares the directory and stores it in `uci set secubox.main.storage_path`.  
 4. **Network mode** – uses the existing Network Modes RPC to switch between `router` and `dmz` presets.
 Each action can be run independently and is idempotent.
 ---
 ## App Wizards (Manifests)
 Apps ship manifests under `/usr/share/secubox/plugins/<id>/manifest.json`. `secubox-app` (installed at `/usr/sbin/secubox-app`) uses the same manifests for CLI installs, and the wizard consumes the `wizard.fields` section to build forms. Example snippet:
 ```json
 {
  "id": "zigbee2mqtt",
  "wizard": {
    "uci": { "config": "zigbee2mqtt", "section": "main" },
    "fields": [
      { "id": "serial_port", "label": "Serial Port", "uci_option": "serial_port" },
      { "id": "mqtt_host", "label": "MQTT Host", "uci_option": "mqtt_host" }
    ]
  }
 }
 ```
 Clicking “Configure” opens a modal that writes the provided values into the specified UCI section.
 ---
 ## Profiles
 Profiles are stored as JSON in `/usr/share/secubox/profiles/` and can bundle:
 - `network_mode`: target SecuBox network mode (`router`, `dmz`, …)  
 - `apps`: manifest IDs to install via `secubox-app install <id>`  
 - `packages`: additional packages to ensure via opkg/apk  
 - `uci`: array of `{config, section, option, value}` entries applied via UCI
 Baseline profiles:
 | ID | Description | Highlights |
 |----|-------------|------------|
 | `home` | Home router + Zigbee2MQTT | Router mode, installs Zigbee2MQTT + Netdata |
 | `lab` | Monitoring lab | Router mode, ensures Netifyd & Bandwidth Manager |
 | `hardened` | Security-focused | Enables CrowdSec + Client Guardian |
 | `gateway_dmz` | Router + DMZ segment | Switches to DMZ mode and enables VHost manager |
 `apply_profile` automatically tars `/etc/config` to `/etc/secubox-profiles/backups/` before modifying settings, so the **Rollback last profile** button (or `rollback_profile` RPC) instantly restores prior UCI files.
 ---
 ## CLI References
 - `secubox-app list|install|status` – manage app manifests (installed by `luci-app-secubox`).  
 - `ubus call luci.secubox list_profiles` – enumerate available profile manifests.  
 - `ubus call luci.secubox apply_profile '{"profile_id":"home"}'` – apply a preset programmatically.  
 - `secubox-app` respects `SECUBOX_PLUGINS_DIR` if you need to point to custom manifest trees.
 Combine the wizard UI with these commands to automate deployments or build higher-level orchestration (e.g., App Store pages, onboarding scripts).
--- a/docs/ARCHITECTURE_NOTES.md
+++ b/docs/ARCHITECTURE_NOTES.md
@ -28,6 +28,9 @@ These notes capture the current repository structure, conventions, and supportin
 - **Docs**  
  Two mirrored trees (`docs/` and uppercase `DOCS/`) feed MkDocs and the GitHub wiki. All Markdown follows the metadata template defined in `docs/documentation-index.md`.
 - **Profiles & App Manifests**  
  App manifests now live under `/usr/share/secubox/plugins/`, profiles under `/usr/share/secubox/profiles/`. `luci-app-secubox` exposes both through the wizard (UI) and `secubox-app` CLI (automation).
 ---
 ## 2. Target Platforms & Build System
--- a/docs/documentation-index.md
+++ b/docs/documentation-index.md
@ -247,6 +247,18 @@ Follow this template when creating or revising documentation:
 **Size:** Short (~120 lines)
 #### **embedded/wizard-profiles.md** 🧭
 *First-run wizard + OS-like profiles.*
 **Contents:**
 - First-run checklist (password, timezone, storage, network mode)
 - Using manifest-driven app wizards
 - Baseline profiles (Home, Lab, Hardened, Gateway+DMZ) and rollback mechanics
 **When to use:** Guiding new deployments or applying pre-made bundles.
 **Size:** Short (~130 lines)
 ---
 ### 5. Tools & Scripts Documentation
--- a/docs/embedded/wizard-profiles.md
+++ b/docs/embedded/wizard-profiles.md
@ -0,0 +1,74 @@
 # SecuBox Wizard & Profiles
 **Version:** 1.0.0  
 **Last Updated:** 2025-12-28  
 **Status:** Active
 The SecuBox hub now includes a guided setup wizard (LuCI → SecuBox → Wizard) and profile system. Use them to finish the first-run checklist, review app manifests, and apply predefined OS-like configurations (Home, Lab, Hardened, Gateway + DMZ).
 ---
 ## First-Run Checklist
 The wizard queries `luci.secubox`’s `first_run_status` ubus method to determine whether critical items are configured:
 1. **Administrator password** – links to the LuCI password page.  
 2. **Timezone** – dropdown populated with common timezones; applying calls `apply_first_run` with `{ timezone: "Europe/Paris" }`.  
 3. **Storage path** – defaults to `/srv/secubox`; prepares the directory and stores it in `uci set secubox.main.storage_path`.  
 4. **Network mode** – uses the existing Network Modes RPC to switch between `router` and `dmz` presets.
 Each action can be run independently and is idempotent.
 ---
 ## App Wizards (Manifests)
 Apps ship manifests under `/usr/share/secubox/plugins/<id>/manifest.json`. `secubox-app` (installed at `/usr/sbin/secubox-app`) uses the same manifests for CLI installs, and the wizard consumes the `wizard.fields` section to build forms. Example snippet:
 ```json
 {
  "id": "zigbee2mqtt",
  "wizard": {
    "uci": { "config": "zigbee2mqtt", "section": "main" },
    "fields": [
      { "id": "serial_port", "label": "Serial Port", "uci_option": "serial_port" },
      { "id": "mqtt_host", "label": "MQTT Host", "uci_option": "mqtt_host" }
    ]
  }
 }
 ```
 Clicking “Configure” opens a modal that writes the provided values into the specified UCI section.
 ---
 ## Profiles
 Profiles are stored as JSON in `/usr/share/secubox/profiles/` and can bundle:
 - `network_mode`: target SecuBox network mode (`router`, `dmz`, …)  
 - `apps`: manifest IDs to install via `secubox-app install <id>`  
 - `packages`: additional packages to ensure via opkg/apk  
 - `uci`: array of `{config, section, option, value}` entries applied via UCI
 Baseline profiles:
 | ID | Description | Highlights |
 |----|-------------|------------|
 | `home` | Home router + Zigbee2MQTT | Router mode, installs Zigbee2MQTT + Netdata |
 | `lab` | Monitoring lab | Router mode, ensures Netifyd & Bandwidth Manager |
 | `hardened` | Security-focused | Enables CrowdSec + Client Guardian |
 | `gateway_dmz` | Router + DMZ segment | Switches to DMZ mode and enables VHost manager |
 `apply_profile` automatically tars `/etc/config` to `/etc/secubox-profiles/backups/` before modifying settings, so the **Rollback last profile** button (or `rollback_profile` RPC) instantly restores prior UCI files.
 ---
 ## CLI References
 - `secubox-app list|install|status` – manage app manifests (installed by `luci-app-secubox`).  
 - `ubus call luci.secubox list_profiles` – enumerate available profile manifests.  
 - `ubus call luci.secubox apply_profile '{"profile_id":"home"}'` – apply a preset programmatically.  
 - `secubox-app` respects `SECUBOX_PLUGINS_DIR` if you need to point to custom manifest trees.
 Combine the wizard UI with these commands to automate deployments or build higher-level orchestration (e.g., App Store pages, onboarding scripts).
--- a/luci-app-secubox/Makefile
+++ b/luci-app-secubox/Makefile
@ -26,6 +26,10 @@ define Package/$(PKG_NAME)/install
 	$(call Package/luci/install,$(1))
 	$(INSTALL_DIR) $(1)/usr/share/secubox/plugins/zigbee2mqtt
 	$(INSTALL_DATA) $(CURDIR)/../plugins/zigbee2mqtt/manifest.json $(1)/usr/share/secubox/plugins/zigbee2mqtt/manifest.json
 	$(INSTALL_DIR) $(1)/usr/share/secubox/profiles
 	for file in $(CURDIR)/../profiles/*.json; do \
 		$(INSTALL_DATA) $$file $(1)/usr/share/secubox/profiles/$$(basename $$file); \
 	done
 	$(INSTALL_DIR) $(1)/usr/sbin
 	$(INSTALL_BIN) $(CURDIR)/../secubox-tools/secubox-app $(1)/usr/sbin/secubox-app
 endef
--- a/luci-app-secubox/htdocs/luci-static/resources/secubox/api.js
+++ b/luci-app-secubox/htdocs/luci-static/resources/secubox/api.js
@ -174,6 +174,23 @@ var callApplyAppWizard = rpc.declare({
 	params: ['app_id', 'values']
 });
 var callListProfiles = rpc.declare({
 	object: 'luci.secubox',
 	method: 'list_profiles',
 	expect: { profiles: [] }
 });
 var callApplyProfile = rpc.declare({
 	object: 'luci.secubox',
 	method: 'apply_profile',
 	params: ['profile_id']
 });
 var callRollbackProfile = rpc.declare({
 	object: 'luci.secubox',
 	method: 'rollback_profile'
 });
 function formatUptime(seconds) {
 	if (!seconds) return '0s';
 	var d = Math.floor(seconds / 86400);
@ -222,6 +239,9 @@ return baseclass.extend({
 	listApps: callListApps,
 	getAppManifest: callGetAppManifest,
 	applyAppWizard: callApplyAppWizard,
 	listProfiles: callListProfiles,
 	applyProfile: callApplyProfile,
 	rollbackProfile: callRollbackProfile,
 	// Utilities
 	formatUptime: formatUptime,
 	formatBytes: formatBytes
--- a/luci-app-secubox/htdocs/luci-static/resources/view/secubox/wizard.js
+++ b/luci-app-secubox/htdocs/luci-static/resources/view/secubox/wizard.js
@ -22,18 +22,21 @@ return view.extend({
 	load: function() {
 		return Promise.all([
 			API.getFirstRunStatus(),
-			API.listApps()
+			API.listApps(),
 			API.listProfiles()
 		]);
 	},
 	render: function(payload) {
 		this.firstRun = payload[0] || {};
 		this.appList = (payload[1] && payload[1].apps) || [];
 		this.profileList = (payload[2] && payload[2].profiles) || [];
 		var container = E('div', { 'class': 'secubox-wizard-page' }, [
 			E('link', { 'rel': 'stylesheet', 'href': L.resource('secubox/common.css') }),
 			SecuNav.renderTabs('wizard'),
 			this.renderHeader(),
 			this.renderFirstRunCard(),
 			this.renderProfilesCard(),
 			this.renderAppsCard()
 		]);
 		return container;
@ -142,6 +145,44 @@ return view.extend({
 		]);
 	},
 	renderProfilesCard: function() {
 		var profiles = this.profileList || [];
 		return E('div', { 'class': 'sb-wizard-card' }, [
 			E('div', { 'class': 'sb-wizard-title' }, ['🧱 ', _('Profiles')]),
 			profiles.length ? E('div', { 'class': 'sb-app-grid' }, profiles.map(this.renderProfileCard, this)) :
 			E('div', { 'class': 'secubox-empty-state' }, [
 				E('div', { 'class': 'secubox-empty-icon' }, '📭'),
 				E('div', { 'class': 'secubox-empty-title' }, _('No profiles available')),
 				E('div', { 'class': 'secubox-empty-text' }, _('Profiles are stored in /usr/share/secubox/profiles/.'))
 			]),
 			profiles.length ? E('div', { 'class': 'right', 'style': 'margin-top:12px;' }, [
 				E('button', {
 					'class': 'cbi-button cbi-button-action',
 					'click': this.rollbackProfile.bind(this)
 				}, _('Rollback last profile'))
 			]) : ''
 		]);
 	},
 	renderProfileCard: function(profile) {
 		var apps = profile.apps || [];
 		return E('div', { 'class': 'sb-app-card' }, [
 			E('div', { 'class': 'sb-app-card-info' }, [
 				E('div', { 'class': 'sb-app-name' }, [profile.name || profile.id]),
 				E('div', { 'class': 'sb-app-desc' }, profile.description || ''),
 				E('div', { 'class': 'sb-app-desc' }, _('Network mode: %s').format(profile.network_mode || '—')),
 				apps.length ? E('div', { 'class': 'sb-app-desc' }, _('Apps: %s').format(apps.join(', '))) : ''
 			]),
 			E('div', { 'class': 'sb-app-actions' }, [
 				E('span', { 'class': 'sb-app-state' + (profile.state === 'installed' ? ' ok' : '') }, profile.state || 'n/a'),
 				E('button', {
 					'class': 'cbi-button cbi-button-action',
 					'click': this.applyProfile.bind(this, profile.id)
 				}, _('Apply'))
 			])
 		]);
 	},
 	renderAppCard: function(app) {
 		return E('div', { 'class': 'sb-app-card' }, [
 			E('div', { 'class': 'sb-app-card-info' }, [
@ -241,5 +282,31 @@ return view.extend({
 				ui.addNotification(null, E('p', {}, _('Failed to apply wizard.')), 'error');
 			}
 		}).catch(this.showError);
 	},
 	applyProfile: function(profileId) {
 		if (!profileId)
 			return;
 		ui.showModal(_('Applying profile…'), [E('div', { 'class': 'spinning' })]);
 		API.applyProfile(profileId).then(function(result) {
 			ui.hideModal();
 			if (result && result.success) {
 				ui.addNotification(null, E('p', {}, _('Profile applied. A reboot may be required.')), 'info');
 			} else {
 				ui.addNotification(null, E('p', {}, (result && result.error) || _('Failed to apply profile')), 'error');
 			}
 		}).catch(this.showError);
 	},
 	rollbackProfile: function() {
 		ui.showModal(_('Rolling back…'), [E('div', { 'class': 'spinning' })]);
 		API.rollbackProfile().then(function(result) {
 			ui.hideModal();
 			if (result && result.success) {
 				ui.addNotification(null, E('p', {}, result.message || _('Rollback completed.')), 'info');
 			} else {
 				ui.addNotification(null, E('p', {}, (result && result.error) || _('Rollback failed.')), 'error');
 			}
 		}).catch(this.showError);
 	}
 });
--- a/luci-app-secubox/root/usr/libexec/rpcd/luci.secubox
+++ b/luci-app-secubox/root/usr/libexec/rpcd/luci.secubox
@ -55,7 +55,11 @@ get_pkg_version() {
 PKG_VERSION="$(get_pkg_version)"
 PLUGIN_DIR="/usr/share/secubox/plugins"
 PROFILE_DIR="/usr/share/secubox/profiles"
 PROFILE_BACKUP_DIR="/etc/secubox-profiles/backups"
 DEFAULT_STORAGE_PATH="/srv/secubox"
 SECOBOX_APP="/usr/sbin/secubox-app"
 OPKG_UPDATED=0
 # Module registry - auto-detected from /usr/libexec/rpcd/
 detect_modules() {
@ -127,6 +131,34 @@ ensure_directory() {
 	[ -d "$dir" ] || mkdir -p "$dir"
 }
 apply_network_mode() {
 	local mode="$1"
 	[ -n "$mode" ] || return
 	if command -v ubus >/dev/null 2>&1; then
 		if ubus call luci.network-modes set_mode "{\"mode\":\"$mode\"}" >/dev/null 2>&1; then
 			ubus call luci.network-modes apply_mode >/dev/null 2>&1
 		fi
 	fi
 }
 ensure_opkg_updated() {
 	[ "$OPKG_UPDATED" -eq 1 ] && return
 	if command -v opkg >/dev/null 2>&1; then
 		opkg update >/dev/null 2>&1 && OPKG_UPDATED=1
 	fi
 }
 install_package_if_missing() {
 	local pkg="$1"
 	package_installed "$pkg" && return
 	if command -v opkg >/dev/null 2>&1; then
 		ensure_opkg_updated
 		opkg install "$pkg" >/dev/null 2>&1
 	elif command -v apk >/dev/null 2>&1; then
 		apk add "$pkg" >/dev/null 2>&1
 	fi
 }
 # Check if a module is installed (supports both opkg and apk)
 check_module_installed() {
 	local module="$1"
@ -1324,6 +1356,136 @@ apply_app_wizard() {
 	json_add_boolean "success" 1
 	json_dump
 }
 list_profiles() {
 	ensure_directory "$PROFILE_DIR"
 	json_init
 	json_add_array "profiles"
 	local profile_file
 	for profile_file in "$PROFILE_DIR"/*.json; do
 		[ -f "$profile_file" ] || continue
 		local profile_json id name description network_mode apps state
 		profile_json=$(cat "$profile_file")
 		id=$(jsonfilter -s "$profile_json" -e '@.id' 2>/dev/null)
 		name=$(jsonfilter -s "$profile_json" -e '@.name' 2>/dev/null)
 		description=$(jsonfilter -s "$profile_json" -e '@.description' 2>/dev/null)
 		network_mode=$(jsonfilter -s "$profile_json" -e '@.network_mode' 2>/dev/null)
 		apps=$(jsonfilter -s "$profile_json" -e '@.apps[*]' 2>/dev/null)
 		state=$(packages_state "$profile_json")
 		[ -n "$id" ] || continue
 		json_add_object
 		json_add_string "id" "$id"
 		json_add_string "name" "$name"
 		json_add_string "description" "$description"
 		json_add_string "network_mode" "$network_mode"
 		json_add_string "state" "$state"
 		json_add_array "apps"
 		for app in $apps; do
 			json_add_string "" "$app"
 		done
 		json_close_array
 		json_close_object
 	done
 	json_close_array
 	json_dump
 }
 apply_profile() {
 	local input profile_id profile_file profile_json network_mode packages apps backup_file notes=""
 	read input
 	json_load "$input"
 	json_get_var profile_id profile_id
 	json_cleanup
 	[ -n "$profile_id" ] || {
 		json_init; json_add_boolean "success" 0; json_add_string "error" "profile_id required"; json_dump; return;
 	}
 	profile_file="$PROFILE_DIR/$profile_id.json"
 	if [ ! -f "$profile_file" ]; then
 		json_init; json_add_boolean "success" 0; json_add_string "error" "Profile not found"; json_dump; return;
 	fi
 	profile_json=$(cat "$profile_file")
 	ensure_directory "$PROFILE_BACKUP_DIR"
 	local timestamp=$(date +%Y%m%d_%H%M%S)
 	backup_file="$PROFILE_BACKUP_DIR/profile_${profile_id}_${timestamp}.tar.gz"
 	tar -czf "$backup_file" /etc/config 2>/dev/null
 	notes="${notes}Backup saved to $backup_file\n"
 	uci set secubox.profile.last_backup="$backup_file"
 	uci set secubox.profile.last_profile="$profile_id"
 	uci commit secubox
 	network_mode=$(jsonfilter -s "$profile_json" -e '@.network_mode' 2>/dev/null)
 	if [ -n "$network_mode" ]; then
 		notes="${notes}Switched network mode to $network_mode\n"
 		apply_network_mode "$network_mode"
 	fi
 	packages=$(jsonfilter -s "$profile_json" -e '@.packages[*]' 2>/dev/null)
 	for pkg in $packages; do
 		install_package_if_missing "$pkg"
 		notes="${notes}Ensured package $pkg\n"
 	done
 	apps=$(jsonfilter -s "$profile_json" -e '@.apps[*]' 2>/dev/null)
 	for app in $apps; do
 		if [ -x "$SECOBOX_APP" ]; then
 			$SECOBOX_APP install "$app" >/dev/null 2>&1 && notes="${notes}Installed app $app\n"
 		fi
 	done
 	json_load "$profile_json"
 	local uci_configs=""
 	if json_select uci >/dev/null 2>&1; then
 		local entries
 		json_get_keys entries
 		for entry in $entries; do
 			json_select "$entry"
 			local cfg section option value
 			json_get_var cfg config
 			json_get_var section section
 			json_get_var option option
 			json_get_var value value
 			section=${section:-main}
 			if [ -n "$cfg" ] && [ -n "$option" ]; then
 				uci set ${cfg}.${section}.${option}="$value"
 				uci_configs="${uci_configs} $cfg"
 				notes="${notes}Set ${cfg}.${section}.${option}=${value}\n"
 			fi
 			json_select ..
 		done
 		json_select ..
 	fi
 	json_cleanup
 	local committed=""
 	for cfg in $uci_configs; do
 		case " $committed " in
 			*" $cfg "*) continue;;
 		esac
 		uci commit "$cfg"
 		committed="$committed $cfg"
 	done
 	json_init
 	json_add_boolean "success" 1
 	json_add_array "messages"
 	printf '%b' "$notes" | while IFS= read -r line; do
 		[ -n "$line" ] && json_add_string "" "$line"
 	done
 	json_close_array
 	json_add_string "backup" "$backup_file"
 	json_dump
 }
 rollback_profile() {
 	local latest_backup
 	latest_backup=$(ls -t "$PROFILE_BACKUP_DIR"/profile_*.tar.gz 2>/dev/null | head -1)
 	if [ -z "$latest_backup" ]; then
 		json_init; json_add_boolean "success" 0; json_add_string "error" "No backups available"; json_dump; return;
 	fi
 	cd /
 	tar -xzf "$latest_backup" 2>/dev/null
 	/etc/init.d/network reload >/dev/null 2>&1
 	/etc/init.d/firewall reload >/dev/null 2>&1
 	/etc/init.d/dnsmasq reload >/dev/null 2>&1
 	json_init
 	json_add_boolean "success" 1
 	json_add_string "message" "Restored $latest_backup"
 	json_dump
 }
 case "$1" in
 	list)
 		json_init
@ -1392,6 +1554,25 @@ case "$1" in
 		json_add_object "apply_app_wizard"
 		json_add_string "app_id" "string"
 		json_close_object
 		json_add_object "list_profiles"
 		json_close_object
 		json_add_object "apply_profile"
 		json_add_string "profile_id" "string"
 		json_close_object
 		json_add_object "rollback_profile"
 		json_close_object
 		json_add_object "first_run_status"
 		json_close_object
 		json_add_object "apply_first_run"
 		json_close_object
 		json_add_object "list_apps"
 		json_close_object
 		json_add_object "get_app_manifest"
 		json_add_string "app_id" "string"
 		json_close_object
 		json_add_object "apply_app_wizard"
 		json_add_string "app_id" "string"
 		json_close_object
 		json_dump
 		;;
 	call)
@ -1507,6 +1688,15 @@ case "$1" in
 		apply_app_wizard)
 			apply_app_wizard
 			;;
 		list_profiles)
 			list_profiles
 			;;
 		apply_profile)
 			apply_profile
 			;;
 		rollback_profile)
 			rollback_profile
 			;;
 			*)
 				echo '{"error":"Unknown method"}'
 				;;
--- a/luci-app-secubox/root/usr/share/rpcd/acl.d/luci-app-secubox.json
+++ b/luci-app-secubox/root/usr/share/rpcd/acl.d/luci-app-secubox.json
@ -17,7 +17,8 @@
 					"get_theme",
 					"first_run_status",
 					"list_apps",
-					"get_app_manifest"
+					"get_app_manifest",
 					"list_profiles"
 				],
                "uci": [
                    "get",
@ -42,7 +43,9 @@
 					"clear_alerts",
 					"fix_permissions",
 					"apply_first_run",
-					"apply_app_wizard"
+					"apply_app_wizard",
 					"apply_profile",
 					"rollback_profile"
 				],
                "uci": [
                    "set",
--- a/profiles/gateway_dmz.json
+++ b/profiles/gateway_dmz.json
@ -0,0 +1,11 @@
 {
  "id": "gateway_dmz",
  "name": "Gateway + DMZ",
  "description": "Router with isolated DMZ segment for exposed services.",
  "network_mode": "dmz",
  "apps": ["zigbee2mqtt"],
  "packages": ["luci-app-vhost-manager"],
  "uci": [
    { "config": "secubox", "section": "vhost_manager", "option": "enabled", "value": "1" }
  ]
 }
--- a/profiles/hardened.json
+++ b/profiles/hardened.json
@ -0,0 +1,12 @@
 {
  "id": "hardened",
  "name": "Hardened",
  "description": "Security-focused preset enabling CrowdSec and Client Guardian.",
  "network_mode": "router",
  "apps": [],
  "packages": ["luci-app-crowdsec-dashboard", "luci-app-client-guardian"],
  "uci": [
    { "config": "secubox", "section": "crowdsec", "option": "enabled", "value": "1" },
    { "config": "secubox", "section": "client_guardian", "option": "enabled", "value": "1" }
  ]
 }
--- a/profiles/home.json
+++ b/profiles/home.json
@ -0,0 +1,12 @@
 {
  "id": "home",
  "name": "Home",
  "description": "Default home router with Zigbee and monitoring enabled.",
  "network_mode": "router",
  "apps": ["zigbee2mqtt"],
  "packages": ["luci-app-netdata-dashboard"],
  "uci": [
    { "config": "secubox", "section": "netdata", "option": "enabled", "value": "1" },
    { "config": "secubox", "section": "zigbee2mqtt", "option": "enabled", "value": "1" }
  ]
 }
--- a/profiles/lab.json
+++ b/profiles/lab.json
@ -0,0 +1,12 @@
 {
  "id": "lab",
  "name": "Lab",
  "description": "Extended monitoring and DPI for test environments.",
  "network_mode": "router",
  "apps": [],
  "packages": ["luci-app-netifyd-dashboard", "luci-app-netdata-dashboard"],
  "uci": [
    { "config": "secubox", "section": "netifyd", "option": "enabled", "value": "1" },
    { "config": "secubox", "section": "bandwidth_manager", "option": "enabled", "value": "1" }
  ]
 }