.claude/HISTORY.md

@@ -3,39 +3,6 @@
 
 ---
 
-## 2026-06-27 — LAN standardisé 192.168.10.0/24 + c3box/gk2 live Freebox + bump 1.10.0 (#760)
-
-Session terrain "c3box derrière Freebox" : la LAN SecuBox par défaut (`br-lan 192.168.1.1/24`)
-entrait en collision avec la LAN d'un routeur opérateur courant (Freebox/Livebox en
-`192.168.1.0/24`). En aval d'une Freebox, le WAN DHCP et la LAN se retrouvaient sur le **même
-sous-réseau** → route dupliquée, ARP ambigu, IP de management injoignable.
-
-### A. Constat live + remédiation immédiate
-- **c3box** (second MOCHAbin) derrière Freebox : WAN `eth2=192.168.1.94` (bail Freebox) +
-  `br-lan=192.168.1.1/24` → `.94` injoignable depuis le LAN. Corrigé live : `br-lan → 192.168.10.1/24`.
-  SSH root activé, webadmin `https://192.168.1.94/` OK, `/dev/sda1` (931 G) monté sur `/data`
-  (style gk2 : UUID + nofail), partition eMMC retirée (`emmc-data`).
-- **gk2** (live PoC) : uplink déplacé de `lan0` (DSA) vers le port cuivre WAN `eth2` ; netplan
-  réparé via **série** (gk2 hors-réseau le temps du switch) → `eth2 dhcp4: true`, `lan0` dépouillé.
-  Bail Freebox réservé sur le MAC eth2 `f0:ad:4e:27:88:9b` → gk2 reprend `192.168.1.200`. Persisté.
-
-### B. Standardisation source (LAN = 192.168.10.0/24, gw .10.1) — 17 fichiers
-- Netplans board : mochabin, espressobin-v7, espressobin-ultra, x64-vm, x64-live (`br-lan`),
-  + unification VM vm-x64/vm-arm64 (`192.168.100.1 → 192.168.10.1`).
-- Générateurs de netplan : `secubox-netmodes`, `secubox-hub` (preview), `secubox-net-detect`.
-- dnsmasq (`espressobin-v7.conf`) : `dhcp-range` + `option:router` + `option:dns-server`.
-- Scripts live-usb (mochabin/ebin) + SAN des certs auto-signés (`firstboot`, `build-image`,
-  `build-rpi-usb`, `build-live-usb`) → `IP:192.168.10.1`.
-- **Hors scope (intacts)** : `192.168.255.1` (whitelist mgmt/trusted-proxy WAF/mail/wg/mitm),
-  listes `GATEWAYS` de sonde WAN, exemples remote-ui/round + tests.
-
-### C. Release
-- Bump mineur (« medium ») **1.9.0 → 1.10.0** : `build-image.sh`, `build-live-usb.sh`,
-  `build-ebin-live-usb.sh`, `build-rpi-usb.sh` (mochabin-live reste sur sa piste 2.0.0).
-- Artefacts amd64 (x64) reconstruits depuis cette base.
-
----
-
 ## 2026-06-27 — Netboot live PROUVÉ + première install SecuBox Debian sur c3box (second MOCHAbin) (#748 #737)
 
 Grande session hardware : netboot gk2→c3box validé de bout en bout, premier SecuBox Debian installé

.github/workflows/build-packages.yml

@@ -63,11 +63,6 @@ jobs:
           # Build the flat {package, arch} matrix. Honour the workflow_dispatch
           # `arch` and `package` filters if set (empty on `push: tags` events).
           requested_arch="${REQUESTED_ARCH:-}"
-          # `both` means build every arch — same as the empty (push: tags)
-          # case. Without this the matrix filter (which only compares against
-          # amd64/arm64/empty) yields an EMPTY matrix, so no package builds and
-          # `collect` fails.
-          [ "$requested_arch" = "both" ] && requested_arch=""
           requested_pkg="${REQUESTED_PKG:-}"
 
           combos=$(find packages/secubox-* -path "*/debian/control" -not -path "*/debian/*/DEBIAN/control" \
@@ -157,12 +152,7 @@ jobs:
           sudo apt-get update -qq
           sudo apt-get install -y -qq \
             build-essential dpkg-dev debhelper devscripts fakeroot \
-            dh-python python3-all python3-setuptools golang-go
+            dh-python python3-all python3-setuptools
-          # golang-go satisfies Build-Depends of the pure-Go packages
-          # (secubox-dpi, secubox-toolbox-ng: CGO_ENABLED=0, GOARCH=arm64,
-          # -mod=vendor offline cross-compile). ubuntu-24.04 ships >= 1.22.
-          # Without it dpkg-checkbuilddeps aborts the arm64 build — this was
-          # the real cause of the "arm64 red" runs, not a CGO toolchain gap.
           # arm64 cross-toolchain — dh_strip and dh_makeshlibs invoke
           # aarch64-linux-gnu-{strip,objdump} when -a arm64 is passed.
           # Without these, arch-specific packages shipping prebuilt
@@ -223,18 +213,7 @@ jobs:
           # no-op; for arm64 jobs that don't compile native code (Python +
           # prebuilt arm64 binaries — like sentinelle-gsm), -a arm64 is
           # enough to cross-stamp the .deb.
-          #
+          dpkg-buildpackage -us -uc -b -a ${{ matrix.arch }}
-          # Pure-Go packages (CGO_ENABLED=0, GOARCH cross) only need the `go`
-          # toolchain, which is present via golang-1.22-go. But their
-          # `Build-Depends: golang-go (>= 1.22)` trips dpkg-checkbuilddeps
-          # because apt registers golang-1.22-go, not the golang-go
-          # metapackage, on the runner. Skip the dep check (-d) for just these
-          # — the compiler is there and the build is self-contained (-mod=vendor).
-          DEPFLAG=""
-          case "${{ matrix.package }}" in
-            secubox-dpi|secubox-toolbox-ng|secubox-waf-ng) DEPFLAG="-d" ;;
-          esac
-          dpkg-buildpackage -us -uc -b $DEPFLAG -a ${{ matrix.arch }}
 
           echo "✅ Build OK: ${{ matrix.package }} (${{ matrix.arch }})"
 

board/espressobin-ultra/netplan/00-secubox.yaml

@@ -19,7 +19,7 @@ network:
   bridges:
     br-lan:
       interfaces: [lan0, lan1, lan2, lan3]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

board/espressobin-v7/netplan/00-secubox.yaml

@@ -44,7 +44,7 @@ network:
   bridges:
     br-lan:
       interfaces: [lan0, lan1]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

board/mochabin/netplan/00-secubox.yaml

@@ -37,7 +37,7 @@ network:
     # Bridge LAN
     br-lan:
       interfaces: [eth1, eth3, eth4]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

board/vm-arm64/netplan/00-secubox.yaml

@@ -13,7 +13,7 @@ network:
 
     # LAN — Interface 2 QEMU (si configurée)
     enp0s2:
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.100.1/24]
       dhcp4: false
       optional: true
 

board/vm-x64/netplan/00-secubox.yaml

@@ -14,7 +14,7 @@ network:
 
     # LAN — Interface 2 VirtualBox (Internal Network ou Host-Only)
     enp0s8:
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.100.1/24]
       dhcp4: false
       optional: true
 

board/x64-live/netplan/00-secubox.yaml

@@ -64,7 +64,7 @@ network:
     br-lan:
       interfaces: []
       addresses:
-        - 192.168.10.1/24
+        - 192.168.1.1/24
       dhcp4: false
       optional: true
       parameters:

board/x64-vm/netplan/00-secubox.yaml

@@ -63,7 +63,7 @@ network:
   bridges:
     br-lan:
       interfaces: [enp0s8]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

image/build-ebin-live-usb.sh

@@ -10,7 +10,7 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_DIR="$(dirname "$SCRIPT_DIR")"
 
 # ── Version & Build Info ──────────────────────────────────────────
-SECUBOX_VERSION="1.10.0"
+SECUBOX_VERSION="1.9.0"
 BUILD_DATE=$(date '+%Y-%m-%d')
 BUILD_TIMESTAMP=$(date '+%Y-%m-%d %H:%M')
 
@@ -310,7 +310,7 @@ network:
   bridges:
     br-lan:
       interfaces: [lan0, lan1]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

image/build-image.sh

@@ -26,7 +26,7 @@ LOCAL_REPO_PORT="8080"
 SLIPSTREAM_DEBS=1     # Intégrer les .deb locaux dans l'image (default: ON)
 
 # SecuBox versioning
-SECUBOX_VERSION="1.10.0"
+SECUBOX_VERSION="1.9.0"
 BUILD_TIMESTAMP=$(date '+%Y-%m-%d %H:%M')
 
 RED='\033[0;31m'; CYAN='\033[0;36m'; GOLD='\033[0;33m'
@@ -643,13 +643,7 @@ EOF
     SECUBOX_REPO_OK=1
     log "Repo local SecuBox configuré (trusted=yes)"
   fi
-elif curl -sf "${APT_SECUBOX}/secubox-keyring.gpg" 2>/dev/null \
+elif curl -sf "${APT_SECUBOX}/secubox-keyring.gpg" -o "${ROOTFS}/usr/share/keyrings/secubox.gpg" 2>/dev/null; then
-       | gpg --dearmor > "${ROOTFS}/usr/share/keyrings/secubox.gpg" 2>/dev/null \
-     && [ -s "${ROOTFS}/usr/share/keyrings/secubox.gpg" ]; then
-  # apt's signed-by= requires a DEARMORED (binary) keyring; the published
-  # secubox-keyring.gpg is ASCII-armored, so dearmor it on the way in.
-  # Feeding the armored file directly yields "NO_PUBKEY 44E50F0178E8BC7E
-  # / repository not signed" even though the key is correct.
   cat > "${ROOTFS}/etc/apt/sources.list.d/secubox.list" <<EOF
 deb [signed-by=/usr/share/keyrings/secubox.gpg] ${APT_SECUBOX} ${SUITE} main
 EOF
@@ -658,13 +652,7 @@ fi
 
 if [[ $SECUBOX_REPO_OK -eq 1 ]]; then
   chroot "${ROOTFS}" apt-get update -q
-  # Non-interactive conffile handling: secubox-mesh's mesh.toml triggers a dpkg
+  chroot "${ROOTFS}" apt-get install -y -q secubox-full || warn "secubox-full non disponible"
-  # conffile prompt that fails the headless chroot install (#USB-build). Keep
-  # the packaged conffile, never prompt.
-  chroot "${ROOTFS}" bash -c 'DEBIAN_FRONTEND=noninteractive apt-get install -y -q \
-    -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef secubox-full' \
-    || warn "secubox-full non disponible"
-  chroot "${ROOTFS}" dpkg --configure -a --force-confold 2>/dev/null || true
 else
   warn "APT repo SecuBox non disponible — skip (Phase 4)"
 fi
@@ -1001,7 +989,7 @@ openssl req -x509 -newkey rsa:2048 -days 365 \
   -keyout "${ROOTFS}/etc/secubox/tls/key.pem" \
   -out "${ROOTFS}/etc/secubox/tls/cert.pem" \
   -nodes -subj "/CN=secubox/O=CyberMind SecuBox/C=FR" \
-  -addext "subjectAltName=DNS:localhost,DNS:secubox.local,IP:127.0.0.1,IP:192.168.10.1" \
+  -addext "subjectAltName=DNS:localhost,DNS:secubox.local,IP:127.0.0.1,IP:192.168.1.1" \
   2>/dev/null
 
 if [[ -f "${ROOTFS}/etc/secubox/tls/cert.pem" ]]; then

image/build-installer-iso.sh

@@ -376,10 +376,7 @@ EOF
     SECUBOX_REPO_OK=1
     log "Local SecuBox repo configured (trusted=yes)"
   fi
-elif curl -sf "${APT_SECUBOX}/secubox-keyring.gpg" 2>/dev/null \
+elif curl -sf "${APT_SECUBOX}/secubox-keyring.gpg" -o "${ROOTFS}/usr/share/keyrings/secubox.gpg" 2>/dev/null; then
-       | gpg --dearmor > "${ROOTFS}/usr/share/keyrings/secubox.gpg" 2>/dev/null \
-     && [ -s "${ROOTFS}/usr/share/keyrings/secubox.gpg" ]; then
-  # apt signed-by= needs a DEARMORED keyring; published key is ASCII-armored.
   cat > "${ROOTFS}/etc/apt/sources.list.d/secubox.list" <<EOF
 deb [signed-by=/usr/share/keyrings/secubox.gpg] ${APT_SECUBOX} ${SUITE} main
 EOF

image/build-live-usb.sh

@@ -14,7 +14,7 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_DIR="$(dirname "$SCRIPT_DIR")"
 
 # ── Version & Build Info ──────────────────────────────────────────
-SECUBOX_VERSION="1.10.0"
+SECUBOX_VERSION="1.9.0"
 BUILD_TIMESTAMP=$(date '+%Y-%m-%d %H:%M')
 BUILD_DATE=$(date '+%Y%m%d')
 
@@ -786,7 +786,7 @@ cat > "${ROOTFS}/etc/netplan/00-secubox.yaml" <<'NETPLAN'
 # and router-mode br-lan later via secubox-net-* tools.
 #
 # Earlier versions baked an empty `br-lan` bridge with a static
-# 192.168.10.1/24 address into the bootstrap. On bare-metal real
+# 192.168.1.1/24 address into the bootstrap. On bare-metal real
 # hardware the physical NIC went silent and only the phantom br-lan
 # showed an IP — networkd was honouring the static bridge but
 # something (predictable rename? secubox-net-detect leftover?)
@@ -1226,7 +1226,7 @@ openssl req -x509 -newkey rsa:2048 -days 365 \
   -keyout "${ROOTFS}/etc/secubox/tls/key.pem" \
   -out "${ROOTFS}/etc/secubox/tls/cert.pem" \
   -nodes -subj "/CN=secubox-live/O=CyberMind SecuBox/C=FR" \
-  -addext "subjectAltName=DNS:localhost,DNS:secubox.local,IP:127.0.0.1,IP:192.168.10.1" \
+  -addext "subjectAltName=DNS:localhost,DNS:secubox.local,IP:127.0.0.1,IP:192.168.1.1" \
   2>/dev/null
 
 if [[ -f "${ROOTFS}/etc/secubox/tls/cert.pem" ]]; then
@@ -1438,13 +1438,7 @@ else
 deb [trusted=yes] ${APT_SECUBOX} ${SUITE} main
 EOF
     chroot "${ROOTFS}" apt-get update -q
-    # Non-interactive conffile handling: secubox-mesh ships mesh.toml as a
+    chroot "${ROOTFS}" apt-get install -y -q secubox-full 2>/dev/null || true
-    # conffile and triggers a dpkg prompt (*** mesh.toml [Y/I/N/O/D/Z]) during
-    # configure, which fails the whole install in the headless chroot. Keep the
-    # packaged conffile and never prompt.
-    chroot "${ROOTFS}" bash -c 'DEBIAN_FRONTEND=noninteractive apt-get install -y -q \
-      -o Dpkg::Options::=--force-confold -o Dpkg::Options::=--force-confdef secubox-full' 2>/dev/null || true
-    chroot "${ROOTFS}" dpkg --configure -a --force-confold 2>/dev/null || true
 
     # Verify secubox-core installed (dependency of secubox-full)
     if ! chroot "${ROOTFS}" dpkg -l secubox-core 2>/dev/null | grep -q "^ii"; then

image/build-mochabin-live-usb.sh

@@ -331,7 +331,7 @@ network:
   bridges:
     br-lan:
       interfaces: [eth1, eth2, eth3, eth4]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

image/build-rpi-usb.sh

@@ -13,7 +13,7 @@ SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 REPO_DIR="$(dirname "$SCRIPT_DIR")"
 
 # ── Version ───────────────────────────────────────────────────────
-SECUBOX_VERSION="1.10.0"
+SECUBOX_VERSION="1.9.0"
 
 # ── Defaults ──────────────────────────────────────────────────────
 SUITE="bookworm"
@@ -702,7 +702,7 @@ openssl req -x509 -newkey rsa:2048 -days 365 \
   -keyout "${ROOTFS}/etc/secubox/tls/key.pem" \
   -out "${ROOTFS}/etc/secubox/tls/cert.pem" \
   -nodes -subj "/CN=secubox-rpi/O=CyberMind SecuBox/C=FR" \
-  -addext "subjectAltName=DNS:localhost,DNS:secubox.local,IP:127.0.0.1,IP:192.168.10.1" \
+  -addext "subjectAltName=DNS:localhost,DNS:secubox.local,IP:127.0.0.1,IP:192.168.1.1" \
   2>/dev/null
 
 if [[ -f "${ROOTFS}/etc/secubox/tls/cert.pem" ]]; then

image/firstboot.sh

@@ -359,7 +359,7 @@ if [[ ! -f "${TLS_DIR}/cert.pem" ]]; then
     -keyout "${TLS_DIR}/key.pem" \
     -out    "${TLS_DIR}/cert.pem" \
     -nodes -subj "/CN=${HOSTNAME}/O=CyberMind SecuBox/C=FR" \
-    -addext "subjectAltName=DNS:${HOSTNAME},DNS:secubox.local,IP:192.168.10.1" \
+    -addext "subjectAltName=DNS:${HOSTNAME},DNS:secubox.local,IP:192.168.1.1" \
     2>/dev/null
   chown -R secubox:secubox "${TLS_DIR}"
   chmod 640 "${TLS_DIR}/key.pem"
@@ -378,7 +378,7 @@ log "=== Network Detection ==="
 # Short-circuit when the image was built with --static-ip: build-live-usb.sh
 # wrote a fixed netplan AND pre-touched /var/lib/secubox/.net-configured.
 # Running net-detect here would clobber the static config with router-mode
-# defaults (WAN + br-lan 192.168.10.1/24), the exact regression in #128.
+# defaults (WAN + br-lan 192.168.1.1/24), the exact regression in #128.
 if [[ -f /var/lib/secubox/.net-configured ]]; then
   log "Static netplan in effect (.net-configured present) — skipping net-detect"
 elif [[ -x /usr/sbin/secubox-net-detect ]]; then

image/profiles/espressobin-v7.conf

@@ -127,7 +127,7 @@ network:
   bridges:
     br-lan:
       interfaces: [lan0, lan1]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
 EOF
 
@@ -135,8 +135,8 @@ EOF
     cat > "$root/etc/dnsmasq.d/secubox.conf" << 'EOF'
 interface=br-lan
 bind-interfaces
-dhcp-range=192.168.10.100,192.168.10.250,24h
+dhcp-range=192.168.1.100,192.168.1.250,24h
-dhcp-option=option:router,192.168.10.1
+dhcp-option=option:router,192.168.1.1
-dhcp-option=option:dns-server,192.168.10.1
+dhcp-option=option:dns-server,192.168.1.1
 EOF
 }

image/sbin/secubox-net-detect

@@ -337,7 +337,7 @@ generate_netplan() {
                 bridges="  bridges:
     br-lan:
       interfaces: [${lan_array}]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       optional: true
       parameters:
@@ -346,7 +346,7 @@ generate_netplan() {
 "
             else
                 # No LAN interfaces — DON'T create an empty br-lan with
-                # 192.168.10.1/24. A member-less bridge with a static IP
+                # 192.168.1.1/24. A member-less bridge with a static IP
                 # squats the .1 address without routing anything, makes
                 # systemd-networkd think the interface is "configured",
                 # and frequently breaks DHCP on the real WAN NIC (the

packages/secubox-hub/api/main.py

@@ -1754,7 +1754,7 @@ async def preview_network_mode(mode: str, user=Depends(require_jwt)):
   bridges:
     br-lan:
       interfaces: [{lan_str}]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
 """
     elif mode in ("sniffer-inline", "sniffer-passive"):

packages/secubox-netmodes/api/main.py

@@ -526,7 +526,7 @@ network:
   bridges:
     br-lan:
       interfaces: [{lan_list}]
-      addresses: [192.168.10.1/24]
+      addresses: [192.168.1.1/24]
       dhcp4: false
       parameters:
         stp: false

packages/secubox-netmodes/templates/router.yaml.j2

@@ -9,13 +9,13 @@ network:
       dhcp6: false
     {{ lan | default('eth1') }}:
       addresses:
-        - 192.168.10.1/24
+        - 192.168.100.1/24
   bridges:
     br0:
       interfaces:
         - {{ lan | default('eth1') }}
       addresses:
-        - 192.168.10.1/24
+        - 192.168.100.1/24
       dhcp4: false
       parameters:
         stp: false

packages/secubox-p2p/api/main.py

@@ -628,10 +628,6 @@ async def get_status():
     threats = load_json(THREATS_FILE, {})
 
     peers = peers_data.get("peers", []) if isinstance(peers_data, dict) else peers_data
-    # A node is not its own peer — exclude the local entry from the counts
-    # (older versions persisted get_self_peer() into PEERS_FILE, inflating these).
-    local_id = get_node_id()
-    peers = [p for p in peers if not p.get("is_local") and p.get("id") != local_id]
     online_peers = [p for p in peers if p.get("status") == "online"]
 
     # Get master-link status
@@ -703,12 +699,13 @@ async def list_peers():
     peers_data = load_json(PEERS_FILE, {"peers": []})
     peers = peers_data.get("peers", []) if isinstance(peers_data, dict) else peers_data
 
-    # A node is not its own peer: never insert/persist the local node here.
+    # Ensure local node is in the list
-    # (Older versions did, which inflated peer_count and listed "<host> (local)"
-    # as a phantom peer.) Drop any self entry a prior version may have saved.
-    # Use /discover/self for the local node's announcement payload instead.
     local_id = get_node_id()
-    peers = [p for p in peers if not p.get("is_local") and p.get("id") != local_id]
+    has_local = any(p.get("id") == local_id or p.get("is_local") for p in peers)
+
+    if not has_local:
+        peers.insert(0, get_self_peer())
+        save_json(PEERS_FILE, {"peers": peers})
 
     return {"peers": peers, "count": len(peers)}
 

packages/secubox-p2p/debian/changelog

@@ -1,39 +1,3 @@
-secubox-p2p (1.7.5-1~bookworm1) bookworm; urgency=medium
-
-  * sbx-mesh-invite: re-own the master-link token store to secubox when run as
-    root. A root-owned tokens.json made the secubox-user services (incl. the
-    in-process aggregator) crash with EACCES, taking down the API.
-
- -- Gerald KERMA <devel@cybermind.fr>  Sun, 28 Jun 2026 07:30:00 +0000
-
-secubox-p2p (1.7.4-1~bookworm1) bookworm; urgency=medium
-
-  * Stop counting/listing the local node as a peer. /peers no longer inserts
-    and persists get_self_peer() into PEERS_FILE (it inflated peer_count and
-    showed "<host> (local)" as a phantom online peer); /status and /peers now
-    exclude the local entry. Use /discover/self for the local announcement.
-
- -- Gerald KERMA <devel@cybermind.fr>  Sun, 28 Jun 2026 07:00:00 +0000
-
-secubox-p2p (1.7.3-1~bookworm1) bookworm; urgency=medium
-
-  * Install the p2p + master-link web UIs to /usr/share/secubox/www/ (the
-    dashboard's served root, like every other module) instead of
-    /var/www/secubox/. They were unreachable -> the dashboard rendered
-    "Module Not Found" for /p2p/. nginx alias paths updated to match.
-
- -- Gerald KERMA <devel@cybermind.fr>  Sun, 28 Jun 2026 06:45:00 +0000
-
-secubox-p2p (1.7.2-1~bookworm1) bookworm; urgency=medium
-
-  * postinst: create /var/lib/secubox/p2p and master-link/ owned by secubox
-    (and repair pre-existing root-owned installs on upgrade). The master-link
-    init mkdir'd master-link/ and failed EACCES when p2p/ was root-owned,
-    500-ing /api/v1/p2p/status and blocking mesh enrollment. Does NOT chown
-    the shared /var/lib/secubox parent (#494/#511).
-
- -- Gerald KERMA <devel@cybermind.fr>  Sun, 28 Jun 2026 06:30:00 +0000
-
 secubox-p2p (1.7.1-1~bookworm1) bookworm; urgency=medium
 
   * #494/#511: postinst no longer chowns the shared parents /run/secubox and

packages/secubox-p2p/debian/postinst

@@ -18,16 +18,6 @@ case "$1" in
         mkdir -p /var/log/secubox
         install -d -o secubox -g secubox -m 0750 /var/log/secubox/p2p
 
-        # State dir: own p2p/ and the master-link store, but NEVER chown the
-        # shared /var/lib/secubox parent (#494/#511). The app's master-link
-        # init mkdir's master-link/ and fails EACCES when p2p/ is root-owned,
-        # 500-ing /api/v1/p2p/status and breaking mesh enrollment. chown too so
-        # pre-existing root-owned installs are repaired on upgrade.
-        mkdir -p /var/lib/secubox
-        install -d -o secubox -g secubox -m 0755 /var/lib/secubox/p2p
-        install -d -o secubox -g secubox -m 0755 /var/lib/secubox/p2p/master-link
-        chown secubox:secubox /var/lib/secubox/p2p /var/lib/secubox/p2p/master-link 2>/dev/null || true
-
         # Enable and start the service
         systemctl daemon-reload
         systemctl enable secubox-p2p.service

packages/secubox-p2p/debian/rules

@@ -9,12 +9,12 @@ override_dh_auto_install:
 	cp -r $(CURDIR)/api/* $(CURDIR)/debian/secubox-p2p/usr/lib/secubox/p2p/api/
 
 	# Install web interface
-	install -d $(CURDIR)/debian/secubox-p2p/usr/share/secubox/www/p2p
+	install -d $(CURDIR)/debian/secubox-p2p/var/www/secubox/p2p
-	cp -r $(CURDIR)/www/p2p/* $(CURDIR)/debian/secubox-p2p/usr/share/secubox/www/p2p/
+	cp -r $(CURDIR)/www/p2p/* $(CURDIR)/debian/secubox-p2p/var/www/secubox/p2p/
 
 	# Install master-link join page
-	install -d $(CURDIR)/debian/secubox-p2p/usr/share/secubox/www/master-link
+	install -d $(CURDIR)/debian/secubox-p2p/var/www/secubox/master-link
-	cp -r $(CURDIR)/www/master-link/* $(CURDIR)/debian/secubox-p2p/usr/share/secubox/www/master-link/
+	cp -r $(CURDIR)/www/master-link/* $(CURDIR)/debian/secubox-p2p/var/www/secubox/master-link/
 
 	# Install nginx configuration
 	install -d $(CURDIR)/debian/secubox-p2p/etc/nginx/secubox.d

packages/secubox-p2p/nginx/p2p.conf

@@ -16,14 +16,14 @@ location /api/v1/p2p/ {
 
 # P2P static files
 location /p2p/ {
-    alias /usr/share/secubox/www/p2p/;
+    alias /var/www/secubox/p2p/;
     index index.html;
     try_files $uri $uri/ /p2p/index.html;
 }
 
 # Master-Link join page (accessible without auth for new nodes)
 location /master-link/ {
-    alias /usr/share/secubox/www/master-link/;
+    alias /var/www/secubox/master-link/;
     index index.html;
     try_files $uri $uri/ /master-link/index.html;
 }

packages/secubox-p2p/scripts/sbx-mesh-invite

@@ -151,14 +151,6 @@ else
     echo "[$NEW_TOKEN]" > "$TOKENS_FILE"
 fi
 
-# secubox-p2p / the aggregator's in-process p2p run as user 'secubox' and read
-# this token store. sbx-mesh-invite is often run as root, which would leave
-# tokens.json root-owned -> the secubox services crash with EACCES (this took
-# down the in-process aggregator once). Re-own the store when running as root.
-if [ "$(id -u)" = "0" ]; then
-    chown -R secubox:secubox "$(dirname "$TOKENS_FILE")" 2>/dev/null || true
-fi
-
 # Output the invite
 echo ""
 echo "╔══════════════════════════════════════════════════════════════════╗"

scripts/validate-staged-repo.sh

@@ -47,8 +47,7 @@ if [[ -z "${SKIP_CHROOT:-}" ]]; then
       log "  debootstrap failed (network?) — skipping chroot test"
     else
       sudo install -d -m 0755 "$CHROOT/etc/apt/sources.list.d" "$CHROOT/usr/share/keyrings"
-      # dearmor: apt signed-by= needs a binary keyring, not the ASCII-armored export
+      sudo install -m 0644 "$OUT/secubox-keyring.gpg" "$CHROOT/usr/share/keyrings/secubox.gpg"
-      gpg --dearmor < "$OUT/secubox-keyring.gpg" | sudo tee "$CHROOT/usr/share/keyrings/secubox.gpg" >/dev/null
       echo "deb [signed-by=/usr/share/keyrings/secubox.gpg] file://$OUT $SUITE main" \
         | sudo tee "$CHROOT/etc/apt/sources.list.d/secubox.list" >/dev/null
       sudo mkdir -p "$CHROOT$OUT"