feat: add minimal Debian image build system with WireGuard-only networking
Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
73
QUICKSTART.md
Normal file
73
QUICKSTART.md
Normal file
@@ -0,0 +1,73 @@
|
||||
# Football Build Quick Reference
|
||||
|
||||
## Build Steps
|
||||
|
||||
```bash
|
||||
# 1. Install dependencies
|
||||
sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools
|
||||
|
||||
# 2. Generate WireGuard keys
|
||||
wg genkey | tee client-private.key | wg pubkey > client-public.key
|
||||
|
||||
# 3. Edit build.sh with your configuration
|
||||
nano build.sh
|
||||
# Set: WG_ENDPOINT_IP, WG_ENDPOINT_PORT, WG_PRIVATE_KEY, WG_PUBLIC_KEY
|
||||
|
||||
# 4. Build the image
|
||||
./build.sh
|
||||
|
||||
# 5. Deploy
|
||||
# For VM:
|
||||
qemu-system-x86_64 -m 2048 -drive file=output/football-vm.qcow2,format=qcow2
|
||||
|
||||
# For physical:
|
||||
sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress
|
||||
```
|
||||
|
||||
## Key Configuration Variables (in build.sh)
|
||||
|
||||
```bash
|
||||
WG_ENDPOINT_IP="192.0.2.1" # WireGuard server IP
|
||||
WG_ENDPOINT_PORT="51820" # WireGuard server port
|
||||
WG_PRIVATE_KEY="..." # Client private key (from wg genkey)
|
||||
WG_PUBLIC_KEY="..." # Server public key
|
||||
```
|
||||
|
||||
## File Locations
|
||||
|
||||
- Build script: `./build.sh`
|
||||
- Package list: `config/packages.list`
|
||||
- Hardening script: `config/harden.sh`
|
||||
- User config: `chroot-overlay/home/user/`
|
||||
- System services: `chroot-overlay/etc/systemd/system/`
|
||||
- WireGuard config: `chroot-overlay/etc/wireguard/`
|
||||
|
||||
## Quick Troubleshooting
|
||||
|
||||
| Issue | Command |
|
||||
|-------|---------|
|
||||
| WireGuard status | `sudo wg show` |
|
||||
| Firewall rules | `sudo iptables -L -n -v` |
|
||||
| System logs | `sudo journalctl -xe` |
|
||||
| Network status | `ip addr show` |
|
||||
|
||||
## Security Checklist
|
||||
|
||||
- [ ] Generated unique WireGuard keys
|
||||
- [ ] Changed default password (`changeme`)
|
||||
- [ ] Verified WireGuard endpoint connectivity
|
||||
- [ ] Configured Remmina profile for PAW
|
||||
- [ ] Enabled Secure Boot on physical hardware
|
||||
- [ ] Tested firewall rules
|
||||
- [ ] Verified no remote access services running
|
||||
|
||||
## File Structure
|
||||
|
||||
```
|
||||
football/
|
||||
├── build.sh # Run this to build
|
||||
├── config/ # Build configuration
|
||||
├── chroot-overlay/ # System files to overlay
|
||||
├── output/ # Generated images (created after build)
|
||||
└── README.md # Full documentation
|
||||
```
|
||||
Reference in New Issue
Block a user