feat: add minimal Debian image build system with WireGuard-only networking

Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00
parent 230c4f2d3d
commit 17dcee7e52
21 changed files with 1403 additions and 2 deletions
--- a/config/setup-wireguard.sh
+++ b/config/setup-wireguard.sh
@@ -0,0 +1,45 @@
+#!/bin/bash
+# WireGuard configuration script for football system
+# This script sets up WireGuard with provided keys
+
+set -e
+
+# Variables - these will be passed from build script
+WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"
+WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"
+WG_PRIVATE_KEY="${WG_PRIVATE_KEY}"
+WG_PUBLIC_KEY="${WG_PUBLIC_KEY}"
+
+if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then
+    echo "ERROR: WireGuard keys not provided"
+    echo "Set WG_PRIVATE_KEY and WG_PUBLIC_KEY environment variables"
+    exit 1
+fi
+
+echo "Configuring WireGuard..."
+
+# Replace placeholders in template
+sed -e "s|<PRIVATE_KEY_PLACEHOLDER>|$WG_PRIVATE_KEY|g" \
+    -e "s|<PUBLIC_KEY_PLACEHOLDER>|$WG_PUBLIC_KEY|g" \
+    -e "s|<ENDPOINT_IP>|$WG_ENDPOINT_IP|g" \
+    -e "s|<ENDPOINT_PORT>|$WG_ENDPOINT_PORT|g" \
+    /etc/wireguard/wg0.conf.template > /etc/wireguard/wg0.conf
+
+# Secure the configuration
+chmod 600 /etc/wireguard/wg0.conf
+
+# Enable and start WireGuard
+systemctl enable wg-quick@wg0
+systemctl start wg-quick@wg0
+
+# Verify connection
+sleep 2
+if ip link show wg0 >/dev/null 2>&1; then
+    echo "WireGuard interface wg0 is UP"
+    echo "All network traffic now routed through VPN"
+else
+    echo "WARNING: WireGuard interface not detected"
+    exit 1
+fi
+
+echo "WireGuard configuration complete"