feat: Add core build scripts

- Add build-iso.sh with validation and build functions - Add firewall-setup.sh with dynamic nftables configuration - Add security-hardening.sh with comprehensive hardening functions - All scripts follow strict mode and are executable These provide the core functionality for the secure ISO build process. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 10:24:11 -05:00
parent 01d1921dcf
commit ca08f9a259
3 changed files with 298 additions and 0 deletions
--- a/src/firewall-setup.sh
+++ b/src/firewall-setup.sh
@@ -0,0 +1,81 @@
+#!/bin/bash
+# Dynamic firewall setup script
+set -euo pipefail
+
+# Function to parse WireGuard endpoint
+parse_wg_endpoint() {
+    local wg_config="${1:-/etc/wireguard/wg0.conf}"
+    
+    if [[ ! -f "$wg_config" ]]; then
+        echo "Error: WireGuard config not found at $wg_config"
+        return 1
+    fi
+    
+    grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
+        echo "Error: Could not parse endpoint from WireGuard config"
+        return 1
+    }
+}
+
+# Function to generate nftables rules
+generate_nftables_rules() {
+    local endpoint="$1"
+    local ip="${endpoint%:*}"
+    local port="${endpoint#*:}"
+    
+    cat << EOF
+#!/usr/sbin/nft -f
+# Secure firewall rules for WireGuard-only access
+flush ruleset
+
+table inet filter {
+    chain input {
+        type filter hook input priority 0; policy drop
+        iif lo accept comment "Accept loopback"
+        icmp type echo-request accept comment "Accept ping"
+    }
+    
+    chain forward {
+        type filter hook forward priority 0; policy drop
+    }
+    
+    chain output {
+        type filter hook output priority 0; policy drop
+        oif lo accept comment "Accept loopback"
+        udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
+        icmp type echo-request accept comment "Allow ping"
+    }
+}
+EOF
+}
+
+# Function to apply firewall configuration
+apply_firewall() {
+    local wg_config="${1:-/etc/wireguard/wg0.conf}"
+    
+    if [[ -f "$wg_config" ]]; then
+        endpoint=$(parse_wg_endpoint "$wg_config")
+        if [[ -n "$endpoint" ]]; then
+            generate_nftables_rules "$endpoint" > /etc/nftables.conf
+            systemctl enable nftables
+            systemctl restart nftables
+            echo "Firewall configured for endpoint: $endpoint"
+        else
+            echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
+        fi
+    else
+        echo "Warning: WireGuard config not found, using default deny policy"
+    fi
+}
+
+# Main setup
+main() {
+    echo "Setting up dynamic firewall..."
+    apply_firewall
+    echo "Firewall setup completed."
+}
+
+# Run main if script is executed directly
+if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
+    main "$@"
+fi