feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00
parent 230c4f2d3d
commit 17dcee7e52
21 changed files with 1403 additions and 2 deletions
--- a/config/harden.sh
+++ b/config/harden.sh
@@ -0,0 +1,127 @@
+#!/bin/bash
+# Post-installation hardening script for football system
+# This script configures strict firewall with WireGuard-only access
+# All traffic must go through WireGuard tunnel
+
+set -e
+
+echo "Hardening football system with WireGuard-only access..."
+
+# Disable and remove all remote access services
+systemctl disable ssh 2>/dev/null || true
+systemctl disable sshd 2>/dev/null || true
+systemctl disable telnet 2>/dev/null || true
+systemctl disable rsh 2>/dev/null || true
+
+# Mask services to prevent them from being started
+systemctl mask ssh 2>/dev/null || true
+systemctl mask sshd 2>/dev/null || true
+systemctl mask telnet 2>/dev/null || true
+systemctl mask rsh 2>/dev/null || true
+
+# Remove remote access packages if any were installed
+apt-get purge -y openssh-server telnetd rsh-server 2>/dev/null || true
+
+# STRICT FIREWALL RULES - WireGuard ONLY
+# Read WireGuard endpoint configuration
+WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"
+WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"
+
+echo "Configuring strict firewall: only WireGuard to $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT allowed on eth0"
+
+# Flush all existing rules
+iptables -F
+iptables -X
+iptables -t nat -F
+iptables -t nat -X
+iptables -t mangle -F
+iptables -t mangle -X
+
+# Default policies - DROP everything
+iptables -P INPUT DROP
+iptables -P FORWARD DROP
+iptables -P OUTPUT DROP
+
+# Allow loopback
+iptables -A INPUT -i lo -j ACCEPT
+iptables -A OUTPUT -o lo -j ACCEPT
+
+# Allow ONLY WireGuard on physical interface (eth0)
+# Only UDP to WireGuard endpoint allowed
+iptables -A OUTPUT -o eth0 -d $WG_ENDPOINT_IP -p udp --dport $WG_ENDPOINT_PORT -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -s $WG_ENDPOINT_IP -p udp --sport $WG_ENDPOINT_PORT -m state --state ESTABLISHED -j ACCEPT
+
+# Allow all traffic through WireGuard interface (wg0)
+iptables -A INPUT -i wg0 -j ACCEPT
+iptables -A OUTPUT -o wg0 -j ACCEPT
+
+# Allow DHCP on eth0 to get initial IP
+iptables -A OUTPUT -o eth0 -p udp --dport 67 -m state --state NEW,ESTABLISHED -j ACCEPT
+iptables -A INPUT -i eth0 -p udp --sport 67 -m state --state ESTABLISHED -j ACCEPT
+
+# Save rules
+mkdir -p /etc/iptables
+iptables-save > /etc/iptables/rules.v4
+
+# Same strict rules for IPv6
+ip6tables -F 2>/dev/null || true
+ip6tables -X 2>/dev/null || true
+ip6tables -P INPUT DROP 2>/dev/null || true
+ip6tables -P FORWARD DROP 2>/dev/null || true
+ip6tables -P OUTPUT DROP 2>/dev/null || true
+ip6tables -A INPUT -i lo -j ACCEPT 2>/dev/null || true
+ip6tables -A OUTPUT -o lo -j ACCEPT 2>/dev/null || true
+ip6tables-save > /etc/iptables/rules.v6 2>/dev/null || true
+
+# Configure network to reject incoming connections
+echo "hardening football - disable remote access" > /etc/issue
+echo "" >> /etc/issue
+echo "No remote access is permitted on this system." >> /etc/issue
+echo "Local console access only." >> /etc/issue
+
+# Disable all network filesystem mounts
+echo "disable network filesystem mounts" > /etc/modprobe.d/no-network-fs.conf
+echo "install nfs /bin/true" >> /etc/modprobe.d/no-network-fs.conf
+echo "install nfs4 /bin/true" >> /etc/modprobe.d/no-network-fs.conf
+echo "install cifs /bin/true" >> /etc/modprobe.d/no-network-fs.conf
+echo "install smbfs /bin/true" >> /etc/modprobe.d/no-network-fs.conf
+
+# Secure SSH configuration (even though service is disabled)
+mkdir -p /etc/ssh
+cat > /etc/ssh/sshd_config.d/99-hardening.conf << 'EOF'
+PasswordAuthentication no
+PermitRootLogin no
+X11Forwarding no
+AllowTcpForwarding no
+GatewayPorts no
+EOF
+
+# Configure AppArmor to enforce
+echo "Enforce AppArmor profiles" > /etc/apparmor.d/tunables/global.d/force_enforce
+
+# Disable unnecessary kernel modules
+echo "disable bluetooth" > /etc/modprobe.d/disable-bluetooth.conf
+echo "install bluetooth /bin/true" >> /etc/modprobe.d/disable-bluetooth.conf
+echo "install btusb /bin/true" >> /etc/modprobe.d/disable-bluetooth.conf
+
+# Disable wireless if on wired-only system
+echo "disable wireless" > /etc/modprobe.d/disable-wireless.conf
+echo "install cfg80211 /bin/true" >> /etc/modprobe.d/disable-wireless.conf
+echo "install mac80211 /bin/true" >> /etc/modprobe.d/disable-wireless.conf
+
+# Disable unnecessary services
+systemctl disable bluetooth 2>/dev/null || true
+systemctl mask bluetooth 2>/dev/null || true
+
+# Set secure umask
+echo "umask 077" >> /etc/profile
+echo "umask 077" >> /etc/bash.bashrc
+
+# Disable core dumps
+echo "* hard core 0" >> /etc/security/limits.conf
+echo "* soft core 0" >> /etc/security/limits.conf
+
+# Enable auditd
+systemctl enable auditd 2>/dev/null || true
+
+echo "Hardening complete - remote access disabled"