gandalf/secubox-openwrt
gandalf/secubox-openwrt
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
689 Commits 3 Branches 203 Tags 12 MiB
master
Commit Graph

12 Commits

Author SHA1 Message Date
CyberMind-FR
a23038f779 fix(crowdsec): Patch Go 1.24+ features for OpenWrt Go 1.23 compatibility 
- Downgrade golang.org/x/net from v0.44.0 to v0.33.0 (Go 1.23 compatible)
- Patch out http.Protocols usage (Go 1.24+ feature) from:
  - pkg/acquisition/modules/http/run.go
  - pkg/acquisition/modules/appsec/config.go
  - pkg/acquisition/modules/kubernetesaudit/config.go
  - pkg/apiserver/apiserver.go
- Patch strings.SplitSeq to strings.Split (Go 1.24+ iterator feature) in:
  - cmd/crowdsec-cli/clisetup/acquisition.go
  - cmd/crowdsec/flags.go

This fixes the build failure caused by CrowdSec 1.7.4 using Go 1.24+
features while OpenWrt SDK ships Go 1.23.x.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-22 14:02:00 +01:00
CyberMind-FR
27da0bb48c fix: Auto-configure syslog file logging for CrowdSec 
OpenWrt uses logd by default which doesn't write to files.
CrowdSec file-based acquisition needs /var/log/messages to exist.

Changes:
- Init script: setup_syslog() configures log_file before each start
- Defaults script: setup_syslog_file() configures at install time
- openwrt-syslog.yaml: Remove non-existent /var/log/syslog reference

The init script sets:
  uci set system.@system[0].log_file='/var/log/messages'
  uci set system.@system[0].log_size='512'

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-11 07:23:25 +01:00
CyberMind-FR
675b2d164e feat: Portal service detection, nDPId compat layer, CrowdSec/Netifyd packages 
Portal (luci-app-secubox-portal):
- Fix service status showing 0/9 by checking if init scripts exist
- Only count installed services in status display
- Use pgrep fallback when init script status fails

nDPId Dashboard (luci-app-ndpid):
- Add default /etc/config/ndpid configuration
- Add /etc/init.d/ndpid-compat init script
- Enable compat service in postinst for app detection
- Fix Makefile to install init script and config

CrowdSec Dashboard:
- Add CLAUDE.md with OpenWrt-specific guidelines (pgrep without -x)
- CSS fixes for hiding LuCI left menu in all views
- LAPI repair improvements with retry logic

New Packages:
- secubox-app-crowdsec: OpenWrt-native CrowdSec package
- secubox-app-netifyd: Netifyd DPI integration
- luci-app-secubox: Core SecuBox hub
- luci-theme-secubox: Custom theme

Removed:
- luci-app-secubox-crowdsec (replaced by crowdsec-dashboard)
- secubox-crowdsec-setup (functionality moved to dashboard)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-10 13:51:40 +01:00
CyberMind-FR
a6a306b021 fix: Remove duplicate packages and disable sheeva64 device 
- Remove secubox-app-crowdsec (conflicts with feeds/packages/crowdsec)
- Remove secubox-app-netifyd (conflicts with feeds/packages/netifyd)
- Fix Makefile dependencies: crowdsec-firewall-bouncer, syslog-ng
- Fix luci-app-secubox-portal Makefile (correct luci.mk path)
- Fix luci-app-secubox-security-threats (add BuildPackage)
- Disable sheeva64 device in GitHub Actions and local-build.sh
- Update documentation with correct package names

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 20:02:45 +01:00
CyberMind-FR
252341e045 feat: Add complete CrowdSec integration for OpenWrt 24.10+ 
New packages:
- secubox-crowdsec-setup: Automated installation script with:
  - Prerequisites verification (RAM, flash, OpenWrt version)
  - syslog-ng4 configuration for log forwarding
  - CAPI registration and hub setup
  - nftables firewall bouncer configuration
  - Backup/rollback, repair, and uninstall modes

- luci-app-secubox-crowdsec: LuCI dashboard with:
  - Service status and statistics dashboard
  - Active decisions (bans) management
  - Security alerts viewer
  - Collections and bouncers management
  - UCI-based settings configuration

Enhanced existing packages:
- luci-app-crowdsec-dashboard: Added acquisition configuration wizard
- secubox-app-crowdsec: Improved defaults and configuration

Documentation:
- CROWDSEC-OPENWRT-24.md with architecture, installation, and troubleshooting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
 2026-01-09 17:58:17 +01:00
CyberMind-FR
8d5e4275f6 fix: CrowdSec CAPI registration and enable threat intelligence 
CrowdSec Central API (CAPI) Fixed:
- Removed code that disabled online_client on install
- Added proper CAPI registration in crowdsec.defaults
- Registration now works (previous 403 errors were transient)
- Graceful fallback if CAPI registration fails

CAPI Features Now Working:
- Threat intelligence sharing enabled
- Pulling community blocklist (14,997+ IPs)
- Hub updates working without 403 errors
- SSH bruteforce: 12,388 bans from CAPI
- Generic scans: 1,176 bans from CAPI
- SSH exploits: 1,433 bans from CAPI

Registration Flow:
1. Create /etc/machine-id if missing
2. Register local API machine
3. Register with Central API (CAPI)
4. On CAPI failure, create minimal credentials file
5. Update hub index
6. Install default collections

Benefits of CAPI Integration:
- Real-time threat intelligence from global network
- Community-contributed IP blocklists
- Automatic updates for detection scenarios
- Signal sharing to help protect others
- Enhanced protection without manual IP list management

NetIfyd Dashboard Improvements:
- Added data caching for smoother updates
- Application aggregation function
- Fallback stats when data temporarily unavailable
- Better handling of undefined values

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-06 18:33:23 +01:00
CyberMind-FR
2168d76f96 fix: CrowdSec defaults - disable CAPI & improve setup robustness 
Package Installation Improvements:
- Automatically create /etc/machine-id from UUID if missing
- Disable Central API (CAPI) by default in config.yaml
- Create minimal online_api_credentials.yaml to prevent errors
- Add fallback curl download for hub index (works around 403 errors)
- Make all setup commands non-fatal with || true

CAPI Status:
- Disabled by default due to HTTP 403 errors from api.crowdsec.net
- Custom User-Agent (crowdsec/v1.7.4-openwrt-*) appears blocked
- Can be manually enabled with: cscli console enroll <key>
- Local-only mode provides full SSH brute-force protection

Hub Updates:
- Manual curl download works (HTTP 200)
- cscli hub update fails (HTTP 403)
- Weekly auto-update via curl in defaults script

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-06 16:49:45 +01:00
CyberMind-FR
0402282d8b chore(secubox): rename netifyd package 2026-01-06 09:54:41 +01:00
CyberMind-FR
e7c9411d79 feat: Release v0.8.2 - Admin Control Center, Documentation Mirror & Docker Automation 
This release adds major new features for SecuBox management and deployment:

## New Features

### 1. LuCI Admin Control Center (luci-app-secubox-admin)
- Unified admin dashboard for managing all SecuBox appstore plugins
- **Control Panel**: Real-time stats, system health, alerts, quick actions
- **Apps Manager**: Browse catalog, install/remove apps with search & filtering
- **App Settings**: Per-app configuration, start/stop controls
- **System Health**: Live monitoring (CPU, RAM, disk) with auto-refresh
- **System Logs**: Centralized log viewer with download capability
- Fully integrated with existing RPCD backend (luci.secubox)
- Mobile-responsive design with polished UI components

### 2. Documentation Mirror in SecuBox Bonus
- Integrated complete development documentation into luci-app-secubox-bonus
- 64+ documentation files now available offline at /luci-static/secubox/docs/
- Beautiful landing page (index-main.html) with 4 sections:
  - Development guides & references
  - Live module demos
  - Tutorials & blog posts
  - Marketing campaign pages
- Accessible locally on router without internet connection

### 3. Automated Docker Plugin Installation
- Enhanced secubox-appstore CLI with full Docker automation
- One-click installation from web UI now fully automated:
  - Auto-detects Docker runtime from catalog
  - Discovers and executes control scripts (*ctl install)
  - Pulls Docker images automatically
  - Creates directories and configures UCI
  - Enables init services
- No manual CLI steps required for Docker apps
- Works for all Docker apps: AdGuard Home, Mail-in-a-Box, Nextcloud, etc.

### 4. Mail-in-a-Box Plugin
- New Docker-based email server plugin (secubox-app-mailinabox)
- Complete package with:
  - UCI configuration (8 port mappings, feature flags)
  - Control script (mailinaboxctl) with install/check/update/status/logs
  - Procd init script with auto-restart
  - Catalog manifest (category: hosting, maturity: beta)
- Network mode: host (required for mail server)
- Persistent storage: mail, SSL, data, DNS volumes

## Improvements

### Build System
- Updated local-build.sh to include luci-app-* packages from package/secubox/
- Now automatically discovers and builds luci-app-secubox-admin and similar packages
- Fixed Makefile include paths for feed structure

### Package Releases
- Incremented PKG_RELEASE for all 31 SecuBox packages
- Ensures clean upgrade path from previous versions

### Catalog Updates
- Mail-in-a-Box entry moved from "productivity" to "hosting" category
- Status changed to "beta" reflecting community Docker image maturity
- Storage requirement increased: 1024MB → 2048MB
- Added port 25 accessibility note

## Files Changed

### New Packages (2)
- package/secubox/luci-app-secubox-admin/ (12 files)
- package/secubox/secubox-app-mailinabox/ (4 files)

### Enhanced Packages (1)
- package/secubox/luci-app-secubox-bonus/ (65 new docs files)

### Modified Core (3)
- package/secubox/secubox-core/root/usr/sbin/secubox-appstore
- package/secubox/secubox-core/root/usr/share/secubox/catalog.json
- secubox-tools/local-build.sh

### All Makefiles (31 packages)
- Incremented PKG_RELEASE for clean upgrade path

## Technical Details

**Admin Control Center Architecture:**
- Frontend: 5 views (dashboard, apps, settings, health, logs)
- API: Wrapper around luci.secubox RPCD methods
- Components: Reusable UI library (cards, badges, alerts, loaders)
- Styling: Common + admin-specific CSS with responsive design
- Auto-refresh: Polling for live updates (5-30s intervals)

**Docker Automation Flow:**
```
Web UI → RPCD → secubox-appstore CLI → opkg install → *ctl install →
docker pull → directories → UCI config → init enable → ✓ Ready
```

**Access Points:**
- Admin Control: http://router/cgi-bin/luci/admin/secubox/admin/
- Documentation: http://router/luci-static/secubox/index-main.html
- Demos: http://router/luci-static/secubox/demo-*.html

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-04 08:29:31 +01:00
CyberMind-FR
4325197e35 fix(packages): add PKG_ARCH:=all and resolve build conflicts 
- Add PKG_ARCH:=all to all 29 SecuBox packages for architecture independence
- Fix secubox-core: remove /var directory creation (conflicts with OpenWRT symlink)
- Fix luci-app-secubox: remove PKG_FILE_MODES causing build errors
- Refactor luci-app-network-tweaks: migrate files/ to root/ structure
- Set correct permissions on fix-permissions.sh (755)

Fixes:
- secubox-core now builds successfully (no /var conflict)
- luci-app-secubox installs without file conflicts
- All packages properly marked as architecture-independent

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
 2026-01-02 07:45:37 +01:00
CyberMind-FR
280dd91798 release: bump secubox hub to 0.6.1-0 2025-12-30 14:42:45 +01:00
CyberMind-FR
029b1796d4 feat(crowdsec): add secubox-app daemon 2025-12-30 13:00:59 +01:00