feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

chroot-overlay/etc/default/rcS

@@ -0,0 +1,18 @@
+# Football Secure Access System
+# Minimal Debian image for privileged access workstation operations
+
+# Local user setup
+export LC_ALL=C
+
+# Minimal systemd target - graphical only
+default graphical.target
+
+# Disable remote access services
+ssh: NO
+telnet: NO
+ftp: NO
+smtp: NO
+
+# Enable only necessary services
+network-manager: YES
+display-manager: NO  # We'll use startx manually

chroot-overlay/etc/network/interfaces

@@ -0,0 +1,12 @@
+# Network interfaces configuration for football system
+# Minimal setup - only physical interface for WireGuard
+
+# Physical interface - use NetworkManager or static
+# This interface is ONLY for WireGuard connection
+
+# Example for DHCP (NetworkManager managed):
+# Physical interface will be configured by NetworkManager
+# No other network services allowed
+
+# WireGuard interface (tunnel - all traffic goes here)
+# This interface will be brought up by wg-quick

chroot-overlay/etc/systemd/system/block-remote-access.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Apply strict firewall - WireGuard only
+After=network.target wg-quick@wg0.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl mask ssh.service sshd.service telnet.socket 2>/dev/null || true
+ExecStart=/bin/systemctl stop ssh.service sshd.service 2>/dev/null || true
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 2>/dev/null || true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

chroot-overlay/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -0,0 +1,12 @@
+[Unit]
+Description=Autologin user session for IceWM
+After=systemd-user-sessions.service
+
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin user --noclear tty1 %I $TERM
+Type=idle
+Restart=always
+
+[Install]
+WantedBy=getty.target

chroot-overlay/etc/systemd/system/iptables-block-remote.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Firewall Rules to Block Remote Access
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

chroot-overlay/etc/wireguard/wg0.conf.template

@@ -0,0 +1,19 @@
+# WireGuard configuration for football system
+# ALL TRAFFIC MUST GO THROUGH THIS TUNNEL
+# Template - will be configured during build
+
+[Interface]
+# Private key - MUST be set during deployment
+PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
+# WireGuard interface IP (within the VPN)
+Address = 10.100.0.2/24
+# DNS via VPN
+DNS = 10.100.0.1
+
+[Peer]
+# VPN server endpoint
+PublicKey = <PUBLIC_KEY_PLACEHOLDER>
+Endpoint = <ENDPOINT_IP>:<ENDPOINT_PORT>
+AllowedIPs = 0.0.0.0/0, ::/0
+# Keep connection alive
+PersistentKeepalive = 25

chroot-overlay/home/user/.bashrc

@@ -0,0 +1,26 @@
+# ~/.bashrc - Football secure access system
+# This script automatically starts IceWM and Remmina
+
+# Start X with IceWM on login
+if [ -z "$DISPLAY" ] && [ "$XDG_VTNR" = "1" ]; then
+    exec startx
+fi
+
+# Security aliases
+alias rm='rm -i'
+alias cp='cp -i'
+alias mv='mv -i'
+
+# PATH additions
+export PATH=$PATH:/usr/local/bin
+
+# Display security notice on login
+echo ""
+echo "================================================================"
+echo "  FOOTBALL - SECURE ACCESS SYSTEM"
+echo "================================================================"
+echo "  Remote access to this system is DISABLED."
+echo "  Local console access only."
+echo "  System is automatically starting IceWM + Remmina."
+echo "================================================================"
+echo ""

chroot-overlay/home/user/.icewm/preferences

@@ -0,0 +1,27 @@
+# IceWM configuration for football system
+
+# Window placement
+TaskBarShowClock=1
+TaskBarShowStartMenu=1
+TaskBarShowWindowListMenu=1
+TaskBarShowWorkspaces=0
+TaskBarShowWindows=0
+
+# Auto-start Remmina
+StartupCommand="remmina"
+
+# No desktop icons (clean interface)
+DesktopBackgroundCenter=1
+DesktopBackgroundColor="rgb:00/33/66"
+
+# Security - minimize features
+ShowLoginStatus=0
+ShowLogoutMenu=1
+ShowSettingsMenu=0
+ShowHelpMenu=0
+ShowRunProgram=0
+
+# Remmina should be main focus
+ClickToFocus=1
+FocusOnAppRaise=1
+RaiseOnFocus=1

chroot-overlay/home/user/.xinitrc

@@ -0,0 +1,19 @@
+#!/bin/bash
+# ~/.xinitrc - Automatically start IceWM and Remmina
+
+# Set keyboard layout if needed
+setxkbmap us
+
+# Set reasonable defaults for IceWM
+export ICEWM_PRIVCFG=$HOME/.icewm
+
+# Start IceWM
+icewm &
+ICEWM_PID=$!
+
+# Start Remmina (maximized)
+remmina &
+REMMINA_PID=$!
+
+# Wait for IceWM
+wait $ICEWM_PID

chroot-overlay/home/user/Desktop/README.txt

@@ -0,0 +1,42 @@
+# Football Secure Access System
+
+This system is configured for secure access to remote privileged access workstations through a WireGuard VPN tunnel.
+
+**SYSTEM CHARACTERISTICS:**
+- Remote access: DISABLED (no SSH, no network services)
+- Local console access only
+- Automatic IceWM window manager startup
+- Remmina remote desktop client
+- Secure Boot enforced
+- **ALL network traffic MUST go through WireGuard VPN**
+- **Direct network access BLOCKED - only WireGuard allowed**
+
+**NETWORK CONFIGURATION:**
+- Physical interface (eth0): ONLY allows WireGuard to configured endpoint
+- WireGuard tunnel (wg0): ALL outbound traffic goes through this tunnel
+- Inbound traffic: BLOCKED (except WireGuard keepalives)
+- DHCP: Allowed on eth0 only for initial IP acquisition
+
+**USAGE:**
+1. Login with local user account
+2. IceWM and Remmina start automatically
+3. WireGuard tunnel is established automatically
+4. Use Remmina to connect to PAW (Privileged Access Workstation) through VPN
+5. Close Remmina when done
+6. System locks automatically on inactivity
+
+**SECURITY:**
+- No remote administration permitted
+- All direct network connections blocked
+- Only WireGuard tunnel traffic allowed to configured endpoint
+- System logs all actions
+- Secure Boot verifies kernel integrity
+- Firewall strictly enforced
+
+**WIREGUARD ENDPOINT:**
+- Configured during build (see build script variables)
+- Only endpoint allowed: WG_ENDPOINT_IP:WG_ENDPOINT_PORT
+- All traffic routes through VPN after connection
+
+**CONTACT:**
+For system issues, contact infrastructure security team.