feat: Add core build scripts

- Add build-iso.sh with validation and build functions
- Add firewall-setup.sh with dynamic nftables configuration
- Add security-hardening.sh with comprehensive hardening functions
- All scripts follow strict mode and are executable

These provide the core functionality for the secure ISO build process.

💘 Generated with Crush

Assisted-by: GLM-4.6 via Crush <crush@charm.land>

src/build-iso.sh

@@ -0,0 +1,82 @@
+#!/bin/bash
+# Main ISO build script
+set -euo pipefail
+
+# Configuration variables
+readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
+readonly OUTPUT_DIR="${PROJECT_ROOT}/output"
+readonly CONFIG_DIR="${PROJECT_ROOT}/config"
+
+# Function to validate environment
+validate_environment() {
+    echo "Validating build environment..."
+    
+    # Check for required tools
+    local required_tools=("lb" "debootstrap" "mksquashfs")
+    for tool in "${required_tools[@]}"; do
+        if ! command -v "$tool" > /dev/null 2>&1; then
+            echo "Error: Required tool '$tool' not found"
+            exit 1
+        fi
+    done
+    
+    # Verify configuration directory
+    if [[ ! -d "$CONFIG_DIR" ]]; then
+        echo "Error: Configuration directory not found at $CONFIG_DIR"
+        exit 1
+    fi
+    
+    echo "Environment validation successful."
+}
+
+# Function to prepare build environment
+prepare_build() {
+    echo "Preparing build environment..."
+    
+    # Create output directory
+    mkdir -p "$OUTPUT_DIR"
+    
+    # Initialize live-build configuration
+    lb clean --purge
+    lb config
+    
+    echo "Build environment prepared."
+}
+
+# Function to build ISO
+build_iso() {
+    echo "Building secure Debian ISO..."
+    
+    # Execute live-build
+    lb build
+    
+    # Move output files to output directory
+    if [[ -f "binary.hybrid.iso" ]]; then
+        mv "binary.hybrid.iso" "${OUTPUT_DIR}/knel-football.iso"
+    else
+        echo "Error: ISO file not generated"
+        exit 1
+    fi
+    
+    # Generate checksum
+    cd "$OUTPUT_DIR"
+    sha256sum "knel-football.iso" > "knel-football.iso.sha256"
+    cd - > /dev/null
+    
+    echo "ISO build completed successfully."
+    echo "Output: ${OUTPUT_DIR}/knel-football.iso"
+}
+
+# Main execution
+main() {
+    echo "Starting KNEL-Football secure ISO build..."
+    
+    validate_environment
+    prepare_build
+    build_iso
+    
+    echo "Build process completed successfully!"
+}
+
+main "$@"

src/firewall-setup.sh

@@ -0,0 +1,81 @@
+#!/bin/bash
+# Dynamic firewall setup script
+set -euo pipefail
+
+# Function to parse WireGuard endpoint
+parse_wg_endpoint() {
+    local wg_config="${1:-/etc/wireguard/wg0.conf}"
+    
+    if [[ ! -f "$wg_config" ]]; then
+        echo "Error: WireGuard config not found at $wg_config"
+        return 1
+    fi
+    
+    grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
+        echo "Error: Could not parse endpoint from WireGuard config"
+        return 1
+    }
+}
+
+# Function to generate nftables rules
+generate_nftables_rules() {
+    local endpoint="$1"
+    local ip="${endpoint%:*}"
+    local port="${endpoint#*:}"
+    
+    cat << EOF
+#!/usr/sbin/nft -f
+# Secure firewall rules for WireGuard-only access
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop
+        iif lo accept comment "Accept loopback"
+        icmp type echo-request accept comment "Accept ping"
+    }
+    
+    chain forward {
+        type filter hook forward priority 0; policy drop
+    }
+    
+    chain output {
+        type filter hook output priority 0; policy drop
+        oif lo accept comment "Accept loopback"
+        udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
+        icmp type echo-request accept comment "Allow ping"
+    }
+}
+EOF
+}
+
+# Function to apply firewall configuration
+apply_firewall() {
+    local wg_config="${1:-/etc/wireguard/wg0.conf}"
+    
+    if [[ -f "$wg_config" ]]; then
+        endpoint=$(parse_wg_endpoint "$wg_config")
+        if [[ -n "$endpoint" ]]; then
+            generate_nftables_rules "$endpoint" > /etc/nftables.conf
+            systemctl enable nftables
+            systemctl restart nftables
+            echo "Firewall configured for endpoint: $endpoint"
+        else
+            echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
+        fi
+    else
+        echo "Warning: WireGuard config not found, using default deny policy"
+    fi
+}
+
+# Main setup
+main() {
+    echo "Setting up dynamic firewall..."
+    apply_firewall
+    echo "Firewall setup completed."
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi

src/security-hardening.sh

@@ -0,0 +1,135 @@
+#!/bin/bash
+# Security hardening script
+set -euo pipefail
+
+# Function to create WiFi module blacklist
+create_wifi_blacklist() {
+    local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# WiFi module blacklisting
+blacklist cfg80211
+blacklist mac80211
+blacklist brcmfmac
+blacklist iwlwifi
+blacklist ath9k
+blacklist rt73usb
+EOF
+    
+    echo "WiFi blacklist created at $output_file"
+}
+
+# Function to create Bluetooth module blacklist
+create_bluetooth_blacklist() {
+    local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# Bluetooth module blacklisting
+blacklist btusb
+blacklist bluetooth
+blacklist btrtl
+blacklist btintel
+blacklist btbcm
+EOF
+    
+    echo "Bluetooth blacklist created at $output_file"
+}
+
+# Function to configure SSH
+configure_ssh() {
+    local output_file="${1:-/etc/ssh/sshd_config}"
+    
+    cat > "$output_file" << 'EOF'
+# SSH Security Configuration
+Protocol 2
+PermitRootLogin no
+PasswordAuthentication yes
+PubkeyAuthentication yes
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+X11Forwarding no
+MaxAuthTries 3
+ClientAliveInterval 300
+ClientAliveCountMax 2
+EOF
+    
+    echo "SSH configuration created at $output_file"
+}
+
+# Function to configure password policy
+configure_password_policy() {
+    local output_file="${1:-/etc/security/pwquality.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# Password quality requirements
+minlen = 14
+dcredit = -1
+ucredit = -1
+lcredit = -1
+ocredit = -1
+difok = 4
+maxrepeat = 3
+usercheck = 1
+dictcheck = 1
+EOF
+    
+    echo "Password policy configured at $output_file"
+}
+
+# Function to configure system limits
+configure_system_limits() {
+    local output_file="${1:-/etc/security/limits.d/security.conf}"
+    
+    cat > "$output_file" << 'EOF'
+# System security limits
+* hard core 0
+* soft nproc 1024
+* hard nproc 2048
+EOF
+    
+    echo "System limits configured at $output_file"
+}
+
+# Function to configure audit rules
+configure_audit_rules() {
+    local output_file="${1:-/etc/audit/rules.d/audit.rules}"
+    
+    cat > "$output_file" << 'EOF'
+# Audit rules for security compliance
+-w /etc/passwd -p wa -k identity
+-w /etc/shadow -p wa -k identity
+-w /etc/sudoers -p wa -k identity
+-w /etc/ssh/sshd_config -p wa -k sshd_config
+-w /var/log/audit/ -p wa -k log_audit
+-w /var/log/secure -p wa -k log_secure
+-w /etc/wireguard/ -p wa -k wireguard_config
+EOF
+    
+    echo "Audit rules configured at $output_file"
+}
+
+# Function to apply all security configurations
+apply_security_hardening() {
+    echo "Applying security hardening..."
+    
+    create_wifi_blacklist
+    create_bluetooth_blacklist
+    configure_ssh
+    configure_password_policy
+    configure_system_limits
+    configure_audit_rules
+    
+    echo "Security hardening completed."
+}
+
+# Main execution
+main() {
+    echo "Starting KNEL-Football security hardening..."
+    apply_security_hardening
+    echo "Security hardening completed successfully!"
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi