feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

chroot-overlay/etc/default/rcS

@@ -0,0 +1,18 @@
+# Football Secure Access System
+# Minimal Debian image for privileged access workstation operations
+
+# Local user setup
+export LC_ALL=C
+
+# Minimal systemd target - graphical only
+default graphical.target
+
+# Disable remote access services
+ssh: NO
+telnet: NO
+ftp: NO
+smtp: NO
+
+# Enable only necessary services
+network-manager: YES
+display-manager: NO  # We'll use startx manually

chroot-overlay/etc/network/interfaces

@@ -0,0 +1,12 @@
+# Network interfaces configuration for football system
+# Minimal setup - only physical interface for WireGuard
+
+# Physical interface - use NetworkManager or static
+# This interface is ONLY for WireGuard connection
+
+# Example for DHCP (NetworkManager managed):
+# Physical interface will be configured by NetworkManager
+# No other network services allowed
+
+# WireGuard interface (tunnel - all traffic goes here)
+# This interface will be brought up by wg-quick

chroot-overlay/etc/systemd/system/block-remote-access.service

@@ -0,0 +1,14 @@
+[Unit]
+Description=Apply strict firewall - WireGuard only
+After=network.target wg-quick@wg0.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/systemctl mask ssh.service sshd.service telnet.socket 2>/dev/null || true
+ExecStart=/bin/systemctl stop ssh.service sshd.service 2>/dev/null || true
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 2>/dev/null || true
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

chroot-overlay/etc/systemd/system/getty@tty1.service.d/override.conf

@@ -0,0 +1,12 @@
+[Unit]
+Description=Autologin user session for IceWM
+After=systemd-user-sessions.service
+
+[Service]
+ExecStart=
+ExecStart=-/sbin/agetty --autologin user --noclear tty1 %I $TERM
+Type=idle
+Restart=always
+
+[Install]
+WantedBy=getty.target

chroot-overlay/etc/systemd/system/iptables-block-remote.service

@@ -0,0 +1,13 @@
+[Unit]
+Description=Firewall Rules to Block Remote Access
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
+ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target

chroot-overlay/etc/wireguard/wg0.conf.template

@@ -0,0 +1,19 @@
+# WireGuard configuration for football system
+# ALL TRAFFIC MUST GO THROUGH THIS TUNNEL
+# Template - will be configured during build
+
+[Interface]
+# Private key - MUST be set during deployment
+PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
+# WireGuard interface IP (within the VPN)
+Address = 10.100.0.2/24
+# DNS via VPN
+DNS = 10.100.0.1
+
+[Peer]
+# VPN server endpoint
+PublicKey = <PUBLIC_KEY_PLACEHOLDER>
+Endpoint = <ENDPOINT_IP>:<ENDPOINT_PORT>
+AllowedIPs = 0.0.0.0/0, ::/0
+# Keep connection alive
+PersistentKeepalive = 25