KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

refactor: Complete directory cleanup

Browse Source 
Finalizes directory cleanup by removing obsolete files:
- All old debootstrap build scripts (docker-*.sh, final-simple-build.sh)
- All old documentation from root (BUILD-*.md, DOCKER-*.md)
- Obsolete Dockerfiles (Dockerfile, Dockerfile.build)
- Obsolete chroot-overlay/ directory (now using preseed.cfg)
- Old build.sh (replaced by scripts/build-iso.sh)

All files are now in proper directories:
- scripts/: Build and test scripts
- docs/: All documentation
- config/: Configuration files
- logs/: Log files
- keys/: WireGuard keys

Repository is clean and ready for production.

💘 Generated with Crush

Assisted-by: Gemini 2.5 Flash via Crush <crush@charm.land>
This commit is contained in:
Charles N Wyble
2026-01-20 12:01:10 -05:00
parent 2225244ca3
commit 54d988477f
39 changed files with 3 additions and 7487 deletions
Download Patch File Download Diff File Expand all files Collapse all files

155
chroot-overlay/etc/aide.conf
View File

@@ -1,155 +0,0 @@
# CIS Benchmark - AIDE Configuration
# File Integrity Monitoring for CMMC/FedRAMP compliance
# Database location
database=file:/var/lib/aide/aide.db
database_out=file:/var/lib/aide/aide.db.new
# Default configuration
All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160
# Define file types
Normal=p+i+n+u+g+s+m+c+md5+sha1
Binaries=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160
Config=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs
Logs=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs+selinux
Dynamic=p+i+n+u+g+s+m+c+md5+sha1+acl+xattrs+selinux
# ============================================================================
# Directories to Monitor (CIS 4.2.2)
# ============================================================================
# System binaries
/bin All
/sbin All
/usr/bin All
/usr/sbin All
/usr/local/bin All
/usr/local/sbin All
# System configuration
/etc Config
# Libraries
/lib All
/lib64 All
/usr/lib All
/usr/lib64 All
/usr/local/lib All
# Kernel modules
/lib/modules Binaries
# Boot files
/boot Config
# System services
/etc/systemd Config
/lib/systemd Binaries
# Security configuration
/etc/pam.d Config
/etc/security Config
# Network configuration
/etc/network Config
/etc/wireguard Config
# Firewall rules
/etc/iptables Config
# Audit configuration
/etc/audit Config
# AppArmor profiles
/etc/apparmor Config
# Sudo configuration
/etc/sudoers Config
/etc/sudoers.d Config
# ============================================================================
# Directories to Exclude (due to high volatility)
# ============================================================================
!/proc
!/sys
!/dev
!/tmp
!/var/tmp
!/run
!/var/run
# Exclude logs (monitored separately)
!/var/log
# Exclude spool directories
!/var/spool
# Exclude cache
!/var/cache
# Exclude lock files
!/var/lock
# Exclude AIDE database
!/var/lib/aide/aide.db
# Exclude volatile system files
!/etc/mtab
!/etc/fstab.backup
# Exclude user-specific volatile files
!/home/user/.cache
!/home/user/.local/share/Trash
# Exclude IceWM and Remmina cache
!/home/user/.icewm/.cache
!/home/user/.local/share/remmina/*.log
# ============================================================================
# Monitor critical system files for compliance
# ============================================================================
# Password and shadow files
/etc/passwd Normal
/etc/shadow Config
/etc/group Normal
/etc/gshadow Config
# Login configuration
/etc/login.defs Config
/etc/securetty Config
# Hosts configuration
/etc/hosts Config
/etc/hostname Config
# Time configuration
/etc/localtime Config
/etc/timezone Config
# Cron configuration
/etc/crontab Config
# Startup scripts
/etc/init.d Config
# Package management
/var/lib/dpkg Config
# Kernel parameters
/etc/sysctl.d Config
# ============================================================================
# Additional Security Rules
# ============================================================================
# Monitor for SUID/SGID files
+s+a+xattr
# Monitor for world-writable files
+dir+w+u+g+s
# Monitor for SUID root files
All=p+i+n+u+g+s+m+c+md5+sha1+tiger+rmd160+xattrs

113
chroot-overlay/etc/audit/rules.d/cis-audit.rules
View File

@@ -1,113 +0,0 @@
# CIS Benchmark - System Audit Rules
# Implements CIS Debian Benchmark Section 4.1.2-4.1.17
# Delete all existing rules
-D
# Set buffer size
-b 8192
# Set failure mode
-f 1
# ============================================================================
# Monitor System Calls (CIS 4.1.10-4.1.17)
# ============================================================================
# Monitor for use of administration commands (CIS 4.1.10)
-a always,exit -F arch=b64 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
-a always,exit -F arch=b32 -S execve -C euid!=uid -F auid>=1000 -F auid!=4294967295 -k admin_cmd
# Monitor for unauthorized access attempts to files (CIS 4.1.11)
-a always,exit -F arch=b64 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S open,openat,truncate,ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
# Monitor for use of privileged commands (CIS 4.1.12)
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/sbin/useradd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
-a always,exit -F path=/usr/sbin/usermod -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged_cmd
# Monitor for changes to system network configuration (CIS 4.1.13)
-a always,exit -F arch=b64 -S sethostname,setdomainname -k system-locale
-a always,exit -F arch=b64 -S /etc/issue -k system-locale
-a always,exit -F path=/etc/hosts -F perm=wa -k system-locale
-a always,exit -F path=/etc/network/ -F perm=wa -k system-locale
# Monitor for changes to user/group information (CIS 4.1.14)
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# Monitor for changes to sudoers files (CIS 4.1.15)
-w /etc/sudoers -p wa -k identity
-w /etc/sudoers.d/ -p wa -k identity
# Monitor for changes to system scheduling (CIS 4.1.16)
-w /etc/crontab -p wa -k cron
-w /etc/cron.hourly/ -p wa -k cron
-w /etc/cron.daily/ -p wa -k cron
-w /etc/cron.weekly/ -p wa -k cron
-w /etc/cron.monthly/ -p wa -k cron
-w /var/spool/cron/ -p wa -k cron
-w /etc/cron.d/ -p wa -k cron
# Monitor for changes to time settings (CIS 4.1.17)
-w /etc/localtime -p wa -k time-change
-w /etc/timezone -p wa -k time-change
# ============================================================================
# Monitor for File Deletion by User
# ============================================================================
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -k delete
# ============================================================================
# Monitor for kernel module loading
# ============================================================================
-a always,exit -F arch=b64 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
-a always,exit -F arch=b32 -S init_module -F auid>=1000 -F auid!=4294967295 -k modules
# ============================================================================
# Monitor for changes to login configuration
# ============================================================================
-w /etc/login.defs -p wa -k logins
-w /etc/securetty -p wa -k logins
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# ============================================================================
# Monitor for system initialization
# ============================================================================
-w /etc/inittab -p wa -k init
-w /etc/init.d/ -p wa -k init
-w /etc/init/ -p wa -k init
-w /etc/systemd/ -p wa -k init
# ============================================================================
# Monitor for mandatory access control (MAC) events
# ============================================================================
-w /etc/apparmor/ -p wa -k MAC-policy
-w /etc/apparmor.d/ -p wa -k MAC-policy
# ============================================================================
# Audit Log Configuration
# ============================================================================
# Prevent auditd from being killed
-a never,exit -F arch=b64 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
-a never,exit -F arch=b32 -S kill -F auid>=1000 -F auid!=4294967295 -k auditd
# Monitor for changes to audit configuration
-w /etc/audit/ -p wa -k audit_config
-w /etc/libaudit.conf -p wa -k audit_config
-w /etc/audisp/ -p wa -k audit_config

18
chroot-overlay/etc/default/rcS
View File

@@ -1,18 +0,0 @@
# Football Secure Access System
# Minimal Debian image for privileged access workstation operations
# Local user setup
export LC_ALL=C
# Minimal systemd target - graphical only
default graphical.target
# Disable remote access services
ssh: NO
telnet: NO
ftp: NO
smtp: NO
# Enable only necessary services
network-manager: YES
display-manager: NO # We'll use startx manually

65
chroot-overlay/etc/login.defs
View File

@@ -1,65 +0,0 @@
# CIS Benchmark Login Configuration
# Implements CIS Debian Benchmark Section 5.4.2
# ============================================================================
# Password Aging
# ============================================================================
# Maximum password age (days)
PASS_MAX_DAYS 90
# Minimum password age (days)
PASS_MIN_DAYS 1
# Password warning period (days)
PASS_WARN_AGE 7
# ============================================================================
# Login Settings
# ============================================================================
# Number of failed logins before account lock
FAILLOG_ENAB yes
# Maximum number of login retries
LOGIN_RETRIES 5
# Delay in seconds before next login after failure
LOGIN_TIMEOUT 60
# Enable lastlog
LASTLOG_ENAB yes
# ============================================================================
# UID/GID Settings
# ============================================================================
# System user range
SYS_UID_MIN 100
SYS_UID_MAX 999
SYS_GID_MIN 100
SYS_GID_MAX 999
# ============================================================================
# Home Directory
# ============================================================================
# Create home directory if it doesn't exist
CREATE_HOME yes
# Default umask
UMASK 077
# ============================================================================
# Other Security Settings
# ============================================================================
# Enable logging
LOG_UNKFAIL_ENAB yes
LOG_OK_LOGINS yes
# Silence last login message
HUSHLOGIN_FILE .hushlogin
# Use SHA512 for password hashes
ENCRYPT_METHOD SHA512

177
chroot-overlay/etc/logrotate.d/cis-logs
View File

@@ -1,177 +0,0 @@
# CIS Benchmark - Logrotate Configuration
# Implements CIS Debian Benchmark Section 4.2.1.3
# Rotate daily
daily
# Keep logs for 365 days (CMMC/FedRAMP requirement)
rotate 365
# Create new log files
create
# Compress old logs
compress
# Use gzip compression
compresscmd /usr/bin/gzip
# Uncompress with gunzip
uncompresscmd /usr/bin/gunzip
# Compression options
compressoptions -9
# Don't compress if recent
delaycompress
# Don't compress empty logs
notifempty
# Don't rotate if missing
missingok
# Rotate if size exceeds 100M
size 100M
# ============================================================================
# Specific Log Rotation Rules
# ============================================================================
# System logs
/var/log/auth.log
/var/log/kern.log
/var/log/syslog
/var/log/messages
/var/log/debug
/var/log/user.log
{
rotate 90
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Security logs (keep longer for compliance)
/var/log/audit/audit.log
/var/log/security.log
/var/log/access.log
/var/log/change.log
/var/log/admin.log
{
rotate 365
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
sharedscripts
postrotate
systemctl reload auditd > /dev/null 2>&1 || true
systemctl reload rsyslog > /dev/null 2>&1 || true
endscript
}
# Sudo logs
/var/log/sudo.log
{
rotate 365
monthly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Firewall and network logs
/var/log/firewall.log
/var/log/wireguard.log
/var/log/network.log
{
rotate 90
daily
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Cron logs
/var/log/cron.log
{
rotate 60
weekly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Boot logs
/var/log/boot.log
{
rotate 30
weekly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# Package manager logs
/var/log/dpkg.log
/var/log/apt/
{
rotate 90
monthly
compress
delaycompress
missingok
notifempty
create 0640 root adm
}
# System startup/shutdown logs
/var/log/wtmp
{
rotate 30
monthly
compress
missingok
notifempty
create 0644 root utmp
}
# Failed login attempts
/var/log/btmp
{
rotate 90
monthly
compress
missingok
notifempty
create 0640 root utmp
}
# Last login logs
/var/log/lastlog
{
rotate 30
monthly
compress
missingok
notifempty
create 0640 root utmp
}

12
chroot-overlay/etc/network/interfaces
View File

@@ -1,12 +0,0 @@
# Network interfaces configuration for football system
# Minimal setup - only physical interface for WireGuard
# Physical interface - use NetworkManager or static
# This interface is ONLY for WireGuard connection
# Example for DHCP (NetworkManager managed):
# Physical interface will be configured by NetworkManager
# No other network services allowed
# WireGuard interface (tunnel - all traffic goes here)
# This interface will be brought up by wg-quick

25
chroot-overlay/etc/pam.d/common-password-cis
View File

@@ -1,25 +0,0 @@
# CIS Benchmark PAM Password Configuration
# This file enforces password quality requirements
# Enforce strong passwords
password required pam_pwquality.so retry=3 enforce_for_root
# Use SHA512 for password hashing
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
# Lock account after failed attempts
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so nullok_secure
auth required pam_faillock.so authfail audit deny=5 unlock_time=900
# Last successful login display
session required pam_lastlog.so showfailed
# Limit resource usage
session required pam_limits.so
# Set secure umask
session optional pam_umask.so umask=077
# No delay for successful login, delay for failed
auth optional pam_faildelay.so delay=4000000

119
chroot-overlay/etc/rsyslog.d/50-cis-logging.conf
View File

@@ -1,119 +0,0 @@
# CIS Benchmark - Centralized Logging Configuration
# Implements CIS Debian Benchmark Section 4.2
# ============================================================================
# Global Directives
# ============================================================================
# Use RFC 5424 format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# Set file permissions
$FileOwner root
$FileGroup adm
$FileCreateMode 0640
$DirCreateMode 0755
$Umask 0022
# Rate limiting to prevent log flooding
$SystemLogRateLimitInterval 5
$SystemLogRateLimitBurst 500
# ============================================================================
# Modules
# ============================================================================
# Load kernel module
$ModLoad imklog
# Load Mark module for periodic timestamps
$ModLoad immark
# Load UDP module for remote logging (disabled for security)
# $ModLoad imudp
# Load TCP module for remote logging (disabled for security)
# $ModLoad imtcp
# ============================================================================
# Log Destinations (Local Only - Remote Logging Disabled)
# ============================================================================
# Kernel messages
kern.* -/var/log/kern.log
# Authentication logs (CIS 4.2.1)
auth,authpriv.* -/var/log/auth.log
# System mail
mail.* -/var/log/mail.log
# Cron logs
cron.* -/var/log/cron.log
# User messages
*.=info;*.=notice;*.=warn -/var/log/messages
# Emergency messages
*.emerg :omusrmsg:*
# ============================================================================
# Security-Specific Logging
# ============================================================================
# Sudo command logging
if $programname == 'sudo' then -/var/log/sudo.log
& stop
# Audit logging
if $programname == 'auditd' then -/var/log/audit/audit.log
& stop
# Security events
if $programname contains 'security' then -/var/log/security.log
& stop
# Network events
if $programname contains 'network' then -/var/log/network.log
& stop
# WireGuard logs
if $programname == 'wg-quick' or $programname == 'wireguard' then -/var/log/wireguard.log
& stop
# Firewall logs
if $programname == 'iptables' then -/var/log/firewall.log
& stop
# ============================================================================
# Compliance Logging (CMMC/FedRAMP Requirements)
# ============================================================================
# All administrative actions
if $syslogseverity-text == 'info' and $msg contains 'user' then -/var/log/admin.log
& stop
# Failed access attempts
if $msg contains 'failure' or $msg contains 'failed' or $msg contains 'denied' then -/var/log/access.log
& stop
# System changes
if $msg contains 'changed' or $msg contains 'modified' then -/var/log/change.log
& stop
# ============================================================================
# Rate Limiting Per Facility
# ============================================================================
# Rate limit syslog messages
$Ruleset remote
$ActionQueueType LinkedList
$ActionQueueSize 100000
*.* :omusrmsg:*
# ============================================================================
# Discard Messages
# ============================================================================
# Discard debug messages
*.=debug ~

42
chroot-overlay/etc/security/pwquality.conf
View File

@@ -1,42 +0,0 @@
# CIS Benchmark Password Policy
# Implements CIS Debian Benchmark Section 5.4.1
# ============================================================================
# PAM Quality Requirements
# ============================================================================
# Minimum password length
minlen = 14
# Minimum number of lowercase characters
lcredit = -1
# Minimum number of uppercase characters
ucredit = -1
# Minimum number of digits
dcredit = -1
# Minimum number of special characters
ocredit = -1
# Maximum number of consecutive characters
maxclassrepeat = 3
# Maximum number of same consecutive characters
maxrepeat = 3
# Reject passwords containing the username
usercheck = 1
# Reject passwords containing common patterns
enforce_for_root
# Minimum number of character changes
difok = 3
# Check for common passwords
dictcheck = 1
# Reject passwords in dictionary
authtok_type =

54
chroot-overlay/etc/sudoers.d/cis-hardening
View File

@@ -1,54 +0,0 @@
# CIS Benchmark Sudo Configuration
# Implements least privilege principle
# ============================================================================
# Defaults
# ============================================================================
# Use lecture mode
Defaults lecture = always
Defaults lecture_file = /etc/sudoers.d/lecture
# Log all sudo commands
Defaults logfile = /var/log/sudo.log
Defaults log_input, log_output
# Secure path
Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Ignore duplicate passwords in terminal
Defaults !tty_tickets
# Require password for sudo
Defaults !targetpw
# Set timestamp timeout (5 minutes)
Defaults timestamp_timeout = 5
# Require authentication
Defaults !authenticate
# No insults
Defaults !insults
# ============================================================================
# User Permissions
# ============================================================================
# User account can run sudo with password
user ALL=(ALL:ALL) ALL
# ============================================================================
# Security Restrictions
# ============================================================================
# No root login via sudo
root ALL=(ALL) ALL
# Disable ability to run commands as other users without password
Defaults env_reset
Defaults env_delete = "EDITOR VISUAL PAGER DISPLAY XAUTHORITY"
Defaults !env_editor
# Disable running as specific users
Defaults!/usr/bin/su !root

111
chroot-overlay/etc/sysctl.d/99-cis-hardening.conf
View File

@@ -1,111 +0,0 @@
# CIS Benchmark Kernel Hardening for Debian
# Implements CIS Debian Benchmark controls related to kernel parameters
# ============================================================================
# Network Parameters
# ============================================================================
# Disable IP packet forwarding (not a router)
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
# Disable source routing
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv6.conf.all.accept_source_route = 0
net.ipv6.conf.default.accept_source_route = 0
# Disable ICMP redirects
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# Ignore ICMP broadcast requests
net.ipv4.icmp_echo_ignore_broadcasts = 1
# Ignore bogus ICMP error responses
net.ipv4.icmp_ignore_bogus_error_responses = 1
# Enable TCP SYN cookies protection
net.ipv4.tcp_syncookies = 1
# Enable TCP reverse path filtering (source verification)
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Log martian packets
net.ipv4.conf.all.log_martians = 1
# Disable IPv6 if not used (enabled but strictly controlled via firewall)
# net.ipv6.conf.all.disable_ipv6 = 1
# ============================================================================
# System Hardening
# ============================================================================
# Disable magic sysrq key
kernel.sysrq = 0
# Address space layout randomization
kernel.randomize_va_space = 2
# Restrict core dumps
kernel.core_pattern = |/bin/false
# Enable hard link and symlink protection
fs.protected_hardlinks = 1
fs.protected_symlinks = 1
# Enable ptrace restrictions (only allow ptrace from descendants)
kernel.yama.ptrace_scope = 1
# Disable unprivileged BPF
kernel.unprivileged_bpf_disabled = 1
# Disable user namespaces
user.max_user_namespaces = 0
# ============================================================================
# Network Stack Hardening
# ============================================================================
# Enable TCP timestamps for protection against spoofing
net.ipv4.tcp_timestamps = 1
# Reduce TCP timeout for closing connections
net.ipv4.tcp_fin_timeout = 30
# Maximum number of SYN backlog queue
net.ipv4.tcp_max_syn_backlog = 2048
# Minimum, default, and maximum TCP buffer sizes
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# ============================================================================
# ARP Hardening
# ============================================================================
# Ignore ARP requests on all interfaces
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.default.arp_ignore = 1
# Enable ARP filtering
net.ipv4.conf.all.arp_filter = 1
net.ipv4.conf.default.arp_filter = 1
# ============================================================================
# ICMP Rate Limiting
# ============================================================================
# Rate limit ICMP messages
net.ipv4.icmp_ratelimit = 100
# ============================================================================
# Memory Overcommit
# ============================================================================
# Disable overcommit (conservative memory allocation)
vm.overcommit_memory = 2
vm.overcommit_ratio = 80

14
chroot-overlay/etc/systemd/system/block-remote-access.service
View File

@@ -1,14 +0,0 @@
[Unit]
Description=Apply strict firewall - WireGuard only
After=network.target wg-quick@wg0.service
[Service]
Type=oneshot
ExecStart=/bin/systemctl mask ssh.service sshd.service telnet.socket 2>/dev/null || true
ExecStart=/bin/systemctl stop ssh.service sshd.service 2>/dev/null || true
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 2>/dev/null || true
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

12
chroot-overlay/etc/systemd/system/getty@tty1.service.d/override.conf
View File

@@ -1,12 +0,0 @@
[Unit]
Description=Autologin user session for IceWM
After=systemd-user-sessions.service
[Service]
ExecStart=
ExecStart=-/sbin/agetty --autologin user --noclear tty1 %I $TERM
Type=idle
Restart=always
[Install]
WantedBy=getty.target

13
chroot-overlay/etc/systemd/system/iptables-block-remote.service
View File

@@ -1,13 +0,0 @@
[Unit]
Description=Firewall Rules to Block Remote Access
Before=network-pre.target
Wants=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target

19
chroot-overlay/etc/wireguard/wg0.conf.template
View File

@@ -1,19 +0,0 @@
# WireGuard configuration for football system
# ALL TRAFFIC MUST GO THROUGH THIS TUNNEL
# Template - will be configured during build
[Interface]
# Private key - MUST be set during deployment
PrivateKey = <PRIVATE_KEY_PLACEHOLDER>
# WireGuard interface IP (within the VPN)
Address = 10.100.0.2/24
# DNS via VPN
DNS = 10.100.0.1
[Peer]
# VPN server endpoint
PublicKey = <PUBLIC_KEY_PLACEHOLDER>
Endpoint = <ENDPOINT_IP>:<ENDPOINT_PORT>
AllowedIPs = 0.0.0.0/0, ::/0
# Keep connection alive
PersistentKeepalive = 25