feat: add minimal Debian image build system with WireGuard-only networking
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
12
chroot-overlay/etc/network/interfaces
Normal file
@@ -0,0 +1,12 @@
|
||||
# Network interfaces configuration for football system
|
||||
# Minimal setup - only physical interface for WireGuard
|
||||
|
||||
# Physical interface - use NetworkManager or static
|
||||
# This interface is ONLY for WireGuard connection
|
||||
|
||||
# Example for DHCP (NetworkManager managed):
|
||||
# Physical interface will be configured by NetworkManager
|
||||
# No other network services allowed
|
||||
|
||||
# WireGuard interface (tunnel - all traffic goes here)
|
||||
# This interface will be brought up by wg-quick
|
||||
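Review bot: All 12 added lines are comments or blank, so this file configures no interface at all, and the "# Example for DHCP (NetworkManager managed):" heading is followed by no example. Either add the intended stanzas or reword the comments to say plainly that the file is intentionally empty and which component owns each interface (NetworkManager for the physical one, wg-quick for the tunnel). The stock Debian file carries a loopback stanza and a `source /etc/network/interfaces.d/*` line; if this overlay replaces it, say whether dropping both is deliberate. "This interface is ONLY for WireGuard connection" and "No other network services allowed" describe a policy that nothing in this file enforces, so point to the firewall service from the commit message that does, and name the interface (the commit message says eth0). "use NetworkManager or static" leaves the choice open: pick one, and if it is NetworkManager, confirm it is in the package list, since the image is described as minimal.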