refactor: Restructure project for Docker compliance and documentation

- Move documentation to docs/ directory for better organization - Add bin/ directory for utility scripts - Add lib/ for shared library functions - Update all build scripts to ensure strict Docker compliance - Enhance AGENTS.md with Docker container requirements - Create comprehensive compliance and security documentation - Reorganize test suite with improved structure - Remove obsolete Dockerfile and archive documentation - Add final security compliance report BREAKING CHANGE: Restructured project layout with moved documentation directories 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 15:37:03 -05:00
parent 6cd53bc7ba
commit 67c106a3b6
39 changed files with 2070 additions and 2338 deletions
--- a/config/hooks/installed/disable-package-management.sh
+++ b/config/hooks/installed/disable-package-management.sh
@@ -21,4 +21,4 @@ rm -rf /var/lib/apt/* /var/lib/dpkg/*
 mkdir -p /var/lib/apt /var/lib/dpkg
 chattr +i /var/lib/apt /var/lib/dpkg

-echo "Package management disabled successfully."
+echo "Package management disabled successfully."
--- a/config/hooks/installed/install-scripts.sh
+++ b/config/hooks/installed/install-scripts.sh
@@ -9,7 +9,7 @@ install -m 755 /workspace/src/firewall-setup.sh /usr/local/bin/
 install -m 755 /workspace/src/security-hardening.sh /usr/local/bin/

 # Create VPN configuration apply script
-cat > /usr/local/bin/apply-vpn-config.sh << 'EOF'
+cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'
 #!/bin/bash
 # Apply VPN configuration and update firewall
 set -euo pipefail
@@ -35,7 +35,7 @@ chmod +x /usr/local/bin/apply-vpn-config.sh
 mkdir -p /usr/share/applications

 # WireGuard Configuration Editor shortcut
-cat > /usr/share/applications/wg-config.desktop << EOF
+cat >/usr/share/applications/wg-config.desktop <<EOF
 [Desktop Entry]
 Name=WireGuard Configuration
 Comment=Edit WireGuard configuration
@@ -47,7 +47,7 @@ Categories=Network;System;
 EOF

 # VPN Configuration Apply shortcut
-cat > /usr/share/applications/apply-vpn.desktop << EOF
+cat >/usr/share/applications/apply-vpn.desktop <<EOF
 [Desktop Entry]
 Name=Apply VPN Configuration
 Comment=Apply WireGuard configuration and start VPN
@@ -58,4 +58,22 @@ Type=Application
 Categories=Network;System;
 EOF

-echo "Source scripts installed successfully."
+# WireGuard QR Code Import shortcut
+cat >/usr/share/applications/scan-wireguard-qr.desktop <<EOF
+[Desktop Entry]
+Name=Import WireGuard QR Code
+Comment=Scan QR code to import WireGuard configuration
+Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
+Icon=camera-web
+Terminal=true
+Type=Application
+Categories=Network;System;
+EOF
+
+# Create WireGuard configuration directory
+mkdir -p /etc/wireguard
+
+# Add kneluser to appropriate groups
+usermod -a -G sudo,audio,video,plugdev,input,cdrom,floppy kneluser 2>/dev/null || true
+
+echo "Source scripts installed successfully."
--- a/config/hooks/live/firewall-setup.sh
+++ b/config/hooks/live/firewall-setup.sh
@@ -2,10 +2,38 @@
 # Dynamic firewall setup hook
 set -euo pipefail

-# Install firewall setup script
-install -m 755 /usr/local/bin/firewall-setup.sh
+echo "Setting up firewall configuration..."
+
+# Load firewall setup functions from proper volume path
+# shellcheck source=/build/src/firewall-setup.sh
+source /build/src/firewall-setup.sh
+
+# Install nftables rules (default deny policy)
+cat >/etc/nftables.conf <<'EOF'
+#!/usr/sbin/nft -f
+# Default secure firewall rules for KNEL-Football
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop
+        iif lo accept comment "Accept loopback"
+        icmp type echo-request accept comment "Accept ping"
+    }
+    
+    chain forward {
+        type filter hook forward priority 0; policy drop
+    }
+    
+    chain output {
+        type filter hook output priority 0; policy drop
+        oif lo accept comment "Accept loopback"
+        icmp type echo-request accept comment "Allow ping"
+    }
+}
+EOF

 # Enable nftables service
 systemctl enable nftables

-echo "Firewall setup hook completed."
+echo "Firewall setup hook completed."
--- a/config/hooks/live/qr-code-import.sh
+++ b/config/hooks/live/qr-code-import.sh
@@ -10,7 +10,7 @@ apt-get install -y zbar-tools python3-pil
 apt-get clean

 # Create QR code scanning script
-cat > /usr/local/bin/scan-wireguard-qr.sh << 'EOF'
+cat >/usr/local/bin/scan-wireguard-qr.sh <<'EOF'
 #!/bin/bash
 # Scan WireGuard QR code and update configuration
 set -euo pipefail
@@ -90,7 +90,7 @@ chmod +x /usr/local/bin/scan-wireguard-qr.sh

 # Create desktop shortcut
 mkdir -p /usr/share/applications
-cat > /usr/share/applications/scan-wireguard-qr.desktop << EOF
+cat >/usr/share/applications/scan-wireguard-qr.desktop <<EOF
 [Desktop Entry]
 Name=Import WireGuard QR Code
 Comment=Scan QR code to import WireGuard configuration
@@ -101,4 +101,4 @@ Type=Application
 Categories=Network;System;
 EOF

-echo "QR code scanning tools installed successfully."
+echo "QR code scanning tools installed successfully."
--- a/config/hooks/live/security-hardening.sh
+++ b/config/hooks/live/security-hardening.sh
@@ -4,10 +4,29 @@ set -euo pipefail

 echo "Applying security hardening..."

-# Apply security hardening from source script
-/usr/local/bin/security-hardening.sh
+# Apply security hardening functions from proper volume path
+# shellcheck source=/build/src/security-hardening.sh
+source /build/src/security-hardening.sh

-# Configure auditd
+# Create WiFi module blacklist
+create_wifi_blacklist
+
+# Create Bluetooth module blacklist
+create_bluetooth_blacklist
+
+# Configure SSH
+configure_ssh
+
+# Configure password policy
+configure_password_policy
+
+# Configure system limits
+configure_system_limits
+
+# Configure audit rules
+configure_audit_rules
+
+# Enable auditd service
 systemctl enable auditd

-echo "Security hardening completed."
+echo "Security hardening completed."