1 Configuration

CyberMind-FR edited this page 2026-04-06 10:04:52 +02:00

Table of Contents

• SecuBox Configuration
• Configuration Files
• Main Configuration
• secubox.toml
• Module Configuration
• Example: CrowdSec
• Example: WireGuard
• Environment Variables
• Applying Changes
• Double-Buffer System (CSPN)
• Workflow
• See Also

SecuBox Configuration

English | Français | 中文

Configuration Files

SecuBox uses TOML configuration files located in /etc/secubox/.

Main Configuration

/etc/secubox/
├── secubox.toml          # Main configuration
├── modules/              # Per-module configs
│   ├── crowdsec.toml
│   ├── wireguard.toml
│   ├── dpi.toml
│   └── ...
├── tls/                  # TLS certificates
│   ├── cert.pem
│   └── key.pem
└── secrets/              # Sensitive data (chmod 600)
    └── jwt.key

secubox.toml

[general]
hostname = "secubox"
timezone = "Europe/Paris"
locale = "en_US.UTF-8"

[network]
wan_interface = "eth0"
lan_interfaces = ["lan0", "lan1"]
bridge_name = "br-lan"
lan_ip = "192.168.1.1"
lan_netmask = "255.255.255.0"
dhcp_enabled = true
dhcp_range_start = "192.168.1.100"
dhcp_range_end = "192.168.1.200"

[security]
firewall_enabled = true
default_policy = "drop"
crowdsec_enabled = true
waf_enabled = true

[services]
nginx_enabled = true
haproxy_enabled = true
ssh_enabled = true
ssh_port = 22

Module Configuration

Each module has its own configuration file in /etc/secubox/modules/.

Example: CrowdSec

# /etc/secubox/modules/crowdsec.toml
[crowdsec]
enabled = true
api_url = "http://127.0.0.1:8080"
log_level = "info"

[bouncers]
firewall = true
nginx = true

[scenarios]
ssh_bruteforce = true
http_bad_user_agent = true

Example: WireGuard

# /etc/secubox/modules/wireguard.toml
[wireguard]
enabled = true
interface = "wg0"
listen_port = 51820
private_key_file = "/etc/secubox/secrets/wg_private.key"

[peers]
# Peers are managed via API

Environment Variables

Some settings can be overridden via environment variables:

SECUBOX_DEBUG=1              # Enable debug mode
SECUBOX_LOG_LEVEL=debug      # Set log level
SECUBOX_CONFIG=/path/to/cfg  # Custom config path

Applying Changes

After modifying configuration:

# Validate configuration
secubox-config validate

# Apply changes
secubox-config apply

# Or restart specific module
systemctl restart secubox-<module>

Double-Buffer System (CSPN)

For security-critical changes, SecuBox uses a double-buffer system:

/etc/secubox/
├── active/     # Current live config (read-only)
├── shadow/     # Pending changes (editable)
└── rollback/   # 4 previous versions (R1-R4)

Workflow

1. Edit in shadow/
2. Validate: secubox-config validate --shadow
3. Swap: secubox-config swap
4. Rollback if needed: secubox-config rollback R1

See Also

• Installation — Initial setup
• API-Reference — REST API documentation
• Modules — Available modules
• Troubleshooting — Common issues

SecuBox | FR | DE | 中文 | v2.2.4-pre1

---

Projet

• Home
• Architecture
• Hardware-Matrix
• Roadmap

Soutenir

• Financing-Model
• Support
• Sponsor-a-Port
• Acknowledgments
• Fiscal-Notes

---

🔴 BOOT — Démarrer

• Multiboot ⭐
• Live-USB-VirtualBox run-vbox.sh
• Live-USB-QEMU run-qemu.sh
• Live-USB | FR | DE | 中文
• Installation | FR | DE | 中文
• ARM-Installation | FR | DE | 中文
• ESPRESSObin | FR | DE | 中文
• Eye-Remote 📡
• Android-ToolBox 📱 one-tap R3
• Browser-Extension 🧩 cartographie
• QEMU-ARM64 🖥️

🟢 ROOT — Configuration

• Configuration | FR | DE | 中文
• Troubleshooting | FR | DE | 中文

🟣 MIND — Modules

• Anti-Track 🛡️ bloque · empoisonne · anonymise
• ThreatMesh 🛰️ blocklist souveraine (feeds + mesh, sans CAPI) | FR
• MODULES-EN 🇬🇧
• MODULES-FR 🇫🇷
• MODULES-DE 🇩🇪
• MODULES-ZH 🇨🇳

🔵 MESH — Référence

• API-Reference | FR | DE | 中文
• UI-COMPARISON

🟠 WALL — Matériel

• Device-Categories
• Smart-Strip

🤖 Workflow Agents

• Multi-Agent-Worktree — un agent · une issue · une branche

---

Liens

• Releases
• Issues

SecuBox-Deb · Licence : CMSD-1.0 (Source-Disclosed) Contact : CyberMind · Gérald Kerma · Notre-Dame-du-Cruet, Savoie Hardware-Matrix · Acknowledgments · Wiki v2.5.0