feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00
parent 230c4f2d3d
commit 17dcee7e52
21 changed files with 1403 additions and 2 deletions
--- a/config/setup-wg-server.sh
+++ b/config/setup-wg-server.sh
@@ -0,0 +1,79 @@
+#!/bin/bash
+# WireGuard server setup script
+# This script helps set up the VPN server that football systems connect to
+
+set -e
+
+echo "============================================="
+echo "WireGuard VPN Server Setup for Football"
+echo "============================================="
+echo ""
+
+# Check if running as root
+if [ "$EUID" -ne 0 ]; then
+    echo "Please run as root"
+    exit 1
+fi
+
+# Install WireGuard
+echo "Installing WireGuard..."
+apt-get update
+apt-get install -y wireguard wireguard-tools iptables-persistent
+
+# Generate server keys
+echo ""
+echo "Generating server keys..."
+SERVER_PRIVATE=$(wg genkey)
+SERVER_PUBLIC=$(echo "$SERVER_PRIVATE" | wg pubkey)
+
+echo "Server Public Key: $SERVER_PUBLIC"
+echo "Server Private Key: $SERVER_PRIVATE"
+
+# Create config directory
+mkdir -p /etc/wireguard
+
+# Create server configuration
+cat > /etc/wireguard/wg0.conf << EOF
+[Interface]
+PrivateKey = $SERVER_PRIVATE
+Address = 10.100.0.1/24
+ListenPort = 51820
+SaveConfig = true
+
+# Enable IP forwarding
+EOF
+
+# Enable IP forwarding
+echo "Enabling IP forwarding..."
+sysctl -w net.ipv4.ip_forward=1
+echo "net.ipv4.ip_forward=1" >> /etc/sysctl.conf
+
+# Configure NAT
+echo "Configuring NAT rules..."
+iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o $(ip route | grep default | awk '{print $5}') -j MASQUERADE
+iptables-save > /etc/iptables/rules.v4
+
+# Allow WireGuard port
+iptables -A INPUT -p udp --dport 51820 -j ACCEPT
+iptables-save > /etc/iptables/rules.v4
+
+echo ""
+echo "============================================="
+echo "Server setup complete!"
+echo "============================================="
+echo ""
+echo "Server Public Key: $SERVER_PUBLIC"
+echo ""
+echo "Next steps:"
+echo "1. Add clients to /etc/wireguard/wg0.conf with their public keys"
+echo "2. Enable the interface: systemctl enable wg-quick@wg0"
+echo "3. Start the interface: systemctl start wg-quick@wg0"
+echo "4. Configure firewall to allow UDP 51820"
+echo ""
+echo "Example client configuration:"
+echo ""
+echo "[Peer]"
+echo "# Football Client 1"
+echo "PublicKey = <CLIENT_PUBLIC_KEY>"
+echo "AllowedIPs = 10.100.0.2/32"
+echo ""