From 6cd53bc7ba1a1e2cd2e1f01af11556eb6ff90083 Mon Sep 17 00:00:00 2001
From: Charles N Wyble
Date: Wed, 21 Jan 2026 10:25:16 -0500
Subject: [PATCH] feat: Add live-build hooks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add security-hardening.sh for system hardening
- Add firewall-setup.sh for nftables configuration
- Add qr-code-import.sh for WireGuard QR scanning
- Add disable-package-management.sh to secure package tools
- Add install-scripts.sh to install source utilities
These hooks implement core security and functionality requirements.
💘 Generated with Crush
Assisted-by: GLM-4.6 via Crush
---
 .../installed/disable-package-management.sh | 24 ++++
 config/hooks/installed/install-scripts.sh | 61 ++++++++++
 config/hooks/live/firewall-setup.sh | 11 ++
 config/hooks/live/qr-code-import.sh | 104 ++++++++++++++++++
 config/hooks/live/security-hardening.sh | 13 +++
 5 files changed, 213 insertions(+)
 create mode 100755 config/hooks/installed/disable-package-management.sh
 create mode 100755 config/hooks/installed/install-scripts.sh
 create mode 100755 config/hooks/live/firewall-setup.sh
 create mode 100755 config/hooks/live/qr-code-import.sh
 create mode 100755 config/hooks/live/security-hardening.sh
diff --git a/config/hooks/installed/disable-package-management.sh b/config/hooks/installed/disable-package-management.sh
new file mode 100755
index 0000000..1486518
--- /dev/null
+++ b/config/hooks/installed/disable-package-management.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Disable package management after installation
+set -euo pipefail
+
+echo "Disabling package management..."
+
+# Remove execute permissions from package management tools
+chmod -x /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
+chmod -x /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
+chmod -x /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
+
+# Make immutable
+chattr +i /usr/bin/apt /usr/bin/apt-get /usr/bin/dpkg
+chattr +i /usr/bin/apt-cache /usr/bin/apt-key /usr/bin/dpkg-deb
+chattr +i /usr/bin/dpkg-query /usr/bin/dpkg-split /usr/bin/dpkg-trigger
+
+# Remove package metadata directories
+rm -rf /var/lib/apt/* /var/lib/dpkg/*
+
+# Create immutable empty directories to prevent recreation
+mkdir -p /var/lib/apt /var/lib/dpkg
+chattr +i /var/lib/apt /var/lib/dpkg
+
+echo "Package management disabled successfully."
\ No newline at end of file
diff --git a/config/hooks/installed/install-scripts.sh b/config/hooks/installed/install-scripts.sh
new file mode 100755
index 0000000..4301d6d
--- /dev/null
+++ b/config/hooks/installed/install-scripts.sh
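Review bot: The `chmod -x` and `chattr +i` lines abort the whole hook under `set -e` as soon as one listed path is absent (apt-key, for instance, is deprecated and may not exist on a newer base), and the metadata steps after them are then skipped, leaving a half-applied state; iterating over the tool names and skipping missing ones keeps the hook idempotent across base images. `rm -rf /var/lib/dpkg/*` also deletes the dpkg status file and the per-package `info/*.md5sums`, so `dpkg -V`/`debsums` integrity checks and any later security-update path become impossible on the installed system — if the goal is only to stop package changes, the immutable bits on the tools already do that and the database could be kept (and made immutable) instead. A comment should also state that the immutable flag is tamper-resistance rather than a privilege boundary, since the same root that sets it can clear it, so the effective control is who obtains root on the appliance.
```shell
# Drop execute bits and set the immutable flag only on tools that exist;
# a missing path (e.g. a binary dropped from the base image) must not
# abort the hook half-way under set -e.
for tool in apt apt-get apt-cache apt-key dpkg dpkg-deb dpkg-query dpkg-split dpkg-trigger; do
  [[ -e "/usr/bin/$tool" ]] || continue
  chmod -x -- "/usr/bin/$tool"
  chattr +i -- "/usr/bin/$tool"
done
# … unchanged: metadata directory handling …
```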
@@ -0,0 +1,61 @@
+#!/bin/bash
+# Install source scripts and configure system
+set -euo pipefail
+
+echo "Installing source scripts..."
+
+# Install source scripts
+install -m 755 /workspace/src/firewall-setup.sh /usr/local/bin/
+install -m 755 /workspace/src/security-hardening.sh /usr/local/bin/
+
+# Create VPN configuration apply script
+cat > /usr/local/bin/apply-vpn-config.sh << 'EOF'
+#!/bin/bash
+# Apply VPN configuration and update firewall
+set -euo pipefail
+
+# Apply firewall configuration
+/usr/local/bin/firewall-setup.sh
+
+# Start WireGuard if configuration exists
+if [[ -f "/etc/wireguard/wg0.conf" ]]; then
+ systemctl enable wg-quick@wg0
+ systemctl start wg-quick@wg0
+ echo "WireGuard started successfully."
+else
+ echo "Warning: WireGuard configuration not found."
+fi
+
+echo "VPN configuration applied successfully."
+EOF
+
+chmod +x /usr/local/bin/apply-vpn-config.sh
+
+# Create desktop shortcuts
+mkdir -p /usr/share/applications
+
+# WireGuard Configuration Editor shortcut
+cat > /usr/share/applications/wg-config.desktop << EOF
+[Desktop Entry]
+Name=WireGuard Configuration
+Comment=Edit WireGuard configuration
+Exec=pkexec mousepad /etc/wireguard/wg0.conf
+Icon=network-vpn
+Terminal=true
+Type=Application
+Categories=Network;System;
+EOF
+
+# VPN Configuration Apply shortcut
+cat > /usr/share/applications/apply-vpn.desktop << EOF
+[Desktop Entry]
+Name=Apply VPN Configuration
+Comment=Apply WireGuard configuration and start VPN
+Exec=pkexec /usr/local/bin/apply-vpn-config.sh
+Icon=network-vpn
+Terminal=true
+Type=Application
+Categories=Network;System;
+EOF
+
+echo "Source scripts installed successfully."
\ No newline at end of file
diff --git a/config/hooks/live/firewall-setup.sh b/config/hooks/live/firewall-setup.sh
new file mode 100755
index 0000000..f1f92f3
--- /dev/null
+++ b/config/hooks/live/firewall-setup.sh
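Review bot: In the generated apply-vpn-config.sh, `systemctl start wg-quick@wg0` is a no-op when the unit is already active, so re-running the "Apply VPN Configuration" shortcut after editing wg0.conf never loads the new settings; `systemctl restart wg-quick@wg0` is what the shortcut's name promises. wg0.conf holds the PrivateKey, and a file created through the `pkexec mousepad` shortcut gets whatever mode the editor's umask yields, so add `chmod 600 /etc/wireguard/wg0.conf` in the `-f` branch before the unit is (re)started — wg-quick warns about a world-readable config but still proceeds. Because wg-quick executes the PreUp/PostUp/PreDown/PostDown commands of that file as root, whoever polkit lets use the editor shortcut is effectively an administrator; the polkit policy gating these two actions is not in this commit and the script should carry a comment such as `# Editing wg0.conf is root-equivalent (wg-quick runs its *Up/*Down hooks): restrict the polkit rule to admin users`. The `/workspace/src/` source paths only resolve if that tree is present inside the chroot when this hook runs, which I cannot confirm from here.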
@@ -0,0 +1,11 @@
+#!/bin/bash
+# Dynamic firewall setup hook
+set -euo pipefail
+
+# Install firewall setup script
+install -m 755 /usr/local/bin/firewall-setup.sh
+
+# Enable nftables service
+systemctl enable nftables
+
+echo "Firewall setup hook completed."
\ No newline at end of file
diff --git a/config/hooks/live/qr-code-import.sh b/config/hooks/live/qr-code-import.sh
new file mode 100755
index 0000000..778e76b
--- /dev/null
+++ b/config/hooks/live/qr-code-import.sh
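Review bot: `install -m 755 /usr/local/bin/firewall-setup.sh` has no destination operand, so install exits non-zero ("missing destination file operand") and, under `set -e`, the hook dies before `systemctl enable nftables` runs. Either copy from the source tree as install-scripts.sh does, `install -m 755 /workspace/src/firewall-setup.sh /usr/local/bin/`, or, if the script is expected to be present already, turn the line into an explicit check, `[[ -x /usr/local/bin/firewall-setup.sh ]] || { echo "firewall-setup.sh is not installed" >&2; exit 1; }`. Enabling nftables only helps if a ruleset exists at boot, and this hook never runs firewall-setup.sh, so a comment naming where the ruleset is produced would prevent a silent boot with no firewall. As far as I recall, live-build's chroot hook stage only executes files named `*.hook.chroot`; if these `.sh` hooks are meant to run during `lb build`, confirm they are actually picked up.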
@@ -0,0 +1,104 @@
+#!/bin/bash
+# Install QR code scanning tools for WireGuard
+set -euo pipefail
+
+echo "Installing QR code scanning tools..."
+
+# Install zbar for QR code scanning
+apt-get update
+apt-get install -y zbar-tools python3-pil
+apt-get clean
+
+# Create QR code scanning script
+cat > /usr/local/bin/scan-wireguard-qr.sh << 'EOF'
+#!/bin/bash
+# Scan WireGuard QR code and update configuration
+set -euo pipefail
+
+# Check if webcam is available
+if ! ls /dev/video* >/dev/null 2>&1; then
+ echo "Error: No webcam device found"
+ exit 1
+fi
+
+# Create temporary file for QR data
+qr_data=$(mktemp)
+trap "rm -f $qr_data" EXIT
+
+# Scan QR code
+echo "Scanning QR code..."
+zbarcam --raw --prescale=320x240 /dev/video0 > "$qr_data" &
+zbar_pid=$!
+
+# Wait for user to stop scanning
+echo "Press Enter to stop scanning..."
+read -r
+kill $zbar_pid 2>/dev/null || true
+
+# Parse QR data and update WireGuard config
+if [[ -s "$qr_data" ]]; then
+ # Validate QR data format (basic WireGuard format)
+ if grep -q "private_key\|endpoint\|allowed_ips" "$qr_data"; then
+ # Backup existing config
+ if [[ -f "/etc/wireguard/wg0.conf" ]]; then
+ cp /etc/wireguard/wg0.conf "/etc/wireguard/wg0.conf.bak.$(date +%Y%m%d_%H%M%S)"
+ fi
+
+ # Convert QR data to WireGuard config format
+ python3 << 'PYTHON_EOF' "$qr_data"
+import sys
+import re
+
+qr_data = sys.argv[1]
+
+# Simple QR to WireGuard config conversion
+config_lines = ["[Interface]"]
+private_key = ""
+address = ""
+
+for line in open(qr_data):
+ if "private_key=" in line.lower():
+ private_key = line.strip()
+ elif "address=" in line.lower():
+ address = line.strip()
+
+if private_key:
+ config_lines.append(f"PrivateKey = {private_key.split('=')[1].strip()}")
+if address:
+ config_lines.append(f"Address = {address.split('=')[1].strip()}")
+
+# Add basic peer template
+config_lines.append("")
+config_lines.append("[Peer]")
+config_lines.append("# Add PublicKey, Endpoint, and AllowedIPs manually")
+
+print("\n".join(config_lines))
+PYTHON_EOF
+
+ echo "QR code scanned successfully. Please edit /etc/wireguard/wg0.conf to complete configuration."
+ else
+ echo "Error: Invalid WireGuard QR code format"
+ exit 1
+ fi
+else
+ echo "Error: No QR code data captured"
+ exit 1
+fi
+EOF
+
+chmod +x /usr/local/bin/scan-wireguard-qr.sh
+
+# Create desktop shortcut
+mkdir -p /usr/share/applications
+cat > /usr/share/applications/scan-wireguard-qr.desktop << EOF
+[Desktop Entry]
+Name=Import WireGuard QR Code
+Comment=Scan QR code to import WireGuard configuration
+Exec=pkexec /usr/local/bin/scan-wireguard-qr.sh
+Icon=camera-web
+Terminal=true
+Type=Application
+Categories=Network;System;
+EOF
+
+echo "QR code scanning tools installed successfully."
\ No newline at end of file
diff --git a/config/hooks/live/security-hardening.sh b/config/hooks/live/security-hardening.sh
new file mode 100755
index 0000000..ca824e3
--- /dev/null
+++ b/config/hooks/live/security-hardening.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+# Security hardening hook for live system
+set -euo pipefail
+
+echo "Applying security hardening..."
+
+# Apply security hardening from source script
+/usr/local/bin/security-hardening.sh
+
+# Configure auditd
+systemctl enable auditd
+
+echo "Security hardening completed."
\ No newline at end of file
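Review bot: `python3 << 'PYTHON_EOF' "$qr_data"` in the generated scan-wireguard-qr.sh never runs the conversion: given a file operand, python3 executes the QR capture file as the program and ignores the heredoc on stdin, and even if it did run, the result is only `print`ed to the terminal — nothing writes /etc/wireguard/wg0.conf, although the message that follows tells the user to edit that file. The invocation needs `-` so the program comes from the heredoc, and the output should be redirected into the config with owner-only permissions, since it carries the private key; printing it to the terminal would also leave the key in scrollback. Separately, `private_key.split('=')[1]` truncates base64 keys, which end in `=` padding — use `split('=', 1)[1]` (same for address). The detection strings `private_key=`/`address=` do not match the `PrivateKey = …` layout wg-quick itself uses, so the expected QR payload format should be documented in the script header, and `import re` is unused.
```shell
        # "-" makes python3 take the program from the heredoc; the capture
        # file becomes sys.argv[1]. The output holds the private key, so it
        # goes straight into the config with owner-only permissions.
        umask 077
        python3 - "$qr_data" << 'PYTHON_EOF' > /etc/wireguard/wg0.conf
# … unchanged: Python body, with split('=') replaced by split('=', 1) …
PYTHON_EOF
        chmod 600 /etc/wireguard/wg0.conf
```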
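Review bot: `/usr/local/bin/security-hardening.sh` is invoked unconditionally, but nothing in this hook puts it there — install-scripts.sh under hooks/installed/ does — so if this live hook runs first or on its own, `set -e` stops it with a bare "No such file" and the auditd step is skipped as well. Guard the call with `[[ -x /usr/local/bin/security-hardening.sh ]] || { echo "security-hardening.sh is not installed; run install-scripts.sh first" >&2; exit 1; }`. This commit ships no audit rules alongside `systemctl enable auditd`, so the daemon will record little beyond its own start and stop; a comment stating where the rules come from (or a file under /etc/audit/rules.d/) would make the control meaningful. Having both this hook and the script it calls named security-hardening.sh makes the two easy to confuse in the build tree.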