KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add minimal Debian image build system with WireGuard-only networking

Browse Source 
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-01-13 12:11:18 -05:00
parent 230c4f2d3d
commit 17dcee7e52
21 changed files with 1403 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

45
config/wg-server-config-example.conf Normal file
View File

@@ -0,0 +1,45 @@
# Sample WireGuard Server Configuration
# This is the configuration for the WireGuard VPN server
# that football systems will connect to.
#
# Usage: Copy this to /etc/wireguard/wg0.conf on the VPN server
# and adjust as needed for your environment.
[Interface]
# Private key of the VPN server
# Generate with: wg genkey
PrivateKey = <SERVER_PRIVATE_KEY>
# VPN network address (this server)
Address = 10.100.0.1/24
# Port to listen on (UDP)
ListenPort = 51820
# DNS for VPN clients
DNS = 10.100.0.1
# Enable IP forwarding on the server
# Add this to /etc/sysctl.conf: net.ipv4.ip_forward=1
# Then run: sysctl -p
# NAT configuration (POSTROUTING)
# iptables -t nat -A POSTROUTING -s 10.100.0.0/24 -o eth0 -j MASQUERADE
[Peer]
# Client: football-1
# Public key generated on client with: wg pubkey < client-private.key
PublicKey = <CLIENT_1_PUBLIC_KEY>
AllowedIPs = 10.100.0.2/32
[Peer]
# Client: football-2
PublicKey = <CLIENT_2_PUBLIC_KEY>
AllowedIPs = 10.100.0.3/32
[Peer]
# Client: football-3
PublicKey = <CLIENT_3_PUBLIC_KEY>
AllowedIPs = 10.100.0.4/32
# Add more [Peer] sections as needed for additional football clients