feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>

config/preseed.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Debootstrap preseed configuration for minimal Debian installation
+
+# Non-interactive frontend
+export DEBIAN_FRONTEND=noninteractive
+
+# Minimal base system without recommended packages
+cat << 'EOF' > /usr/local/sbin/debootstrap-minimal
+#!/bin/bash
+# Arguments: SUITE TARGET MIRROR
+set -e
+
+SUITE=${1:-bookworm}
+TARGET=${2}
+MIRROR=${3:-http://deb.debian.org/debian}
+
+echo "Bootstrapping minimal Debian $SUITE..."
+
+debootstrap --variant=minbase --arch=amd64 $SUITE $TARGET $MIRROR
+
+echo "Minimal bootstrap complete."
+EOF
+
+chmod +x /usr/local/sbin/debootstrap-minimal