feat: Add core build scripts

- Add build-iso.sh with validation and build functions - Add firewall-setup.sh with dynamic nftables configuration - Add security-hardening.sh with comprehensive hardening functions - All scripts follow strict mode and are executable These provide the core functionality for the secure ISO build process. 💘 Generated with Crush Assisted-by: GLM-4.6 via Crush <crush@charm.land>
2026-01-21 10:24:11 -05:00
parent 01d1921dcf
commit ca08f9a259
3 changed files with 298 additions and 0 deletions
--- a/src/build-iso.sh
+++ b/src/build-iso.sh
@@ -0,0 +1,82 @@
 #!/bin/bash
 # Main ISO build script
 set -euo pipefail
 # Configuration variables
 readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 readonly PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
 readonly OUTPUT_DIR="${PROJECT_ROOT}/output"
 readonly CONFIG_DIR="${PROJECT_ROOT}/config"
 # Function to validate environment
 validate_environment() {
    echo "Validating build environment..."
    # Check for required tools
    local required_tools=("lb" "debootstrap" "mksquashfs")
    for tool in "${required_tools[@]}"; do
        if ! command -v "$tool" > /dev/null 2>&1; then
            echo "Error: Required tool '$tool' not found"
            exit 1
        fi
    done
    # Verify configuration directory
    if [[ ! -d "$CONFIG_DIR" ]]; then
        echo "Error: Configuration directory not found at $CONFIG_DIR"
        exit 1
    fi
    echo "Environment validation successful."
 }
 # Function to prepare build environment
 prepare_build() {
    echo "Preparing build environment..."
    # Create output directory
    mkdir -p "$OUTPUT_DIR"
    # Initialize live-build configuration
    lb clean --purge
    lb config
    echo "Build environment prepared."
 }
 # Function to build ISO
 build_iso() {
    echo "Building secure Debian ISO..."
    # Execute live-build
    lb build
    # Move output files to output directory
    if [[ -f "binary.hybrid.iso" ]]; then
        mv "binary.hybrid.iso" "${OUTPUT_DIR}/knel-football.iso"
    else
        echo "Error: ISO file not generated"
        exit 1
    fi
    # Generate checksum
    cd "$OUTPUT_DIR"
    sha256sum "knel-football.iso" > "knel-football.iso.sha256"
    cd - > /dev/null
    echo "ISO build completed successfully."
    echo "Output: ${OUTPUT_DIR}/knel-football.iso"
 }
 # Main execution
 main() {
    echo "Starting KNEL-Football secure ISO build..."
    validate_environment
    prepare_build
    build_iso
    echo "Build process completed successfully!"
 }
 main "$@"
--- a/src/firewall-setup.sh
+++ b/src/firewall-setup.sh
@@ -0,0 +1,81 @@
 #!/bin/bash
 # Dynamic firewall setup script
 set -euo pipefail
 # Function to parse WireGuard endpoint
 parse_wg_endpoint() {
    local wg_config="${1:-/etc/wireguard/wg0.conf}"
    if [[ ! -f "$wg_config" ]]; then
        echo "Error: WireGuard config not found at $wg_config"
        return 1
    fi
    grep -oP 'Endpoint = \K[0-9.]+:[0-9]+' "$wg_config" || {
        echo "Error: Could not parse endpoint from WireGuard config"
        return 1
    }
 }
 # Function to generate nftables rules
 generate_nftables_rules() {
    local endpoint="$1"
    local ip="${endpoint%:*}"
    local port="${endpoint#*:}"
    cat << EOF
 #!/usr/sbin/nft -f
 # Secure firewall rules for WireGuard-only access
 flush ruleset
 table inet filter {
    chain input {
        type filter hook input priority 0; policy drop
        iif lo accept comment "Accept loopback"
        icmp type echo-request accept comment "Accept ping"
    }
    chain forward {
        type filter hook forward priority 0; policy drop
    }
    chain output {
        type filter hook output priority 0; policy drop
        oif lo accept comment "Accept loopback"
        udp dport "$port" ip daddr "$ip" accept comment "Allow WireGuard traffic"
        icmp type echo-request accept comment "Allow ping"
    }
 }
 EOF
 }
 # Function to apply firewall configuration
 apply_firewall() {
    local wg_config="${1:-/etc/wireguard/wg0.conf}"
    if [[ -f "$wg_config" ]]; then
        endpoint=$(parse_wg_endpoint "$wg_config")
        if [[ -n "$endpoint" ]]; then
            generate_nftables_rules "$endpoint" > /etc/nftables.conf
            systemctl enable nftables
            systemctl restart nftables
            echo "Firewall configured for endpoint: $endpoint"
        else
            echo "Warning: Could not parse WireGuard endpoint, using default deny policy"
        fi
    else
        echo "Warning: WireGuard config not found, using default deny policy"
    fi
 }
 # Main setup
 main() {
    echo "Setting up dynamic firewall..."
    apply_firewall
    echo "Firewall setup completed."
 }
 # Run main if script is executed directly
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    main "$@"
 fi
--- a/src/security-hardening.sh
+++ b/src/security-hardening.sh
@@ -0,0 +1,135 @@
 #!/bin/bash
 # Security hardening script
 set -euo pipefail
 # Function to create WiFi module blacklist
 create_wifi_blacklist() {
    local output_file="${1:-/etc/modprobe.d/blacklist-wifi.conf}"
    cat > "$output_file" << 'EOF'
 # WiFi module blacklisting
 blacklist cfg80211
 blacklist mac80211
 blacklist brcmfmac
 blacklist iwlwifi
 blacklist ath9k
 blacklist rt73usb
 EOF
    echo "WiFi blacklist created at $output_file"
 }
 # Function to create Bluetooth module blacklist
 create_bluetooth_blacklist() {
    local output_file="${1:-/etc/modprobe.d/blacklist-bluetooth.conf}"
    cat > "$output_file" << 'EOF'
 # Bluetooth module blacklisting
 blacklist btusb
 blacklist bluetooth
 blacklist btrtl
 blacklist btintel
 blacklist btbcm
 EOF
    echo "Bluetooth blacklist created at $output_file"
 }
 # Function to configure SSH
 configure_ssh() {
    local output_file="${1:-/etc/ssh/sshd_config}"
    cat > "$output_file" << 'EOF'
 # SSH Security Configuration
 Protocol 2
 PermitRootLogin no
 PasswordAuthentication yes
 PubkeyAuthentication yes
 PermitEmptyPasswords no
 ChallengeResponseAuthentication no
 X11Forwarding no
 MaxAuthTries 3
 ClientAliveInterval 300
 ClientAliveCountMax 2
 EOF
    echo "SSH configuration created at $output_file"
 }
 # Function to configure password policy
 configure_password_policy() {
    local output_file="${1:-/etc/security/pwquality.conf}"
    cat > "$output_file" << 'EOF'
 # Password quality requirements
 minlen = 14
 dcredit = -1
 ucredit = -1
 lcredit = -1
 ocredit = -1
 difok = 4
 maxrepeat = 3
 usercheck = 1
 dictcheck = 1
 EOF
    echo "Password policy configured at $output_file"
 }
 # Function to configure system limits
 configure_system_limits() {
    local output_file="${1:-/etc/security/limits.d/security.conf}"
    cat > "$output_file" << 'EOF'
 # System security limits
 * hard core 0
 * soft nproc 1024
 * hard nproc 2048
 EOF
    echo "System limits configured at $output_file"
 }
 # Function to configure audit rules
 configure_audit_rules() {
    local output_file="${1:-/etc/audit/rules.d/audit.rules}"
    cat > "$output_file" << 'EOF'
 # Audit rules for security compliance
 -w /etc/passwd -p wa -k identity
 -w /etc/shadow -p wa -k identity
 -w /etc/sudoers -p wa -k identity
 -w /etc/ssh/sshd_config -p wa -k sshd_config
 -w /var/log/audit/ -p wa -k log_audit
 -w /var/log/secure -p wa -k log_secure
 -w /etc/wireguard/ -p wa -k wireguard_config
 EOF
    echo "Audit rules configured at $output_file"
 }
 # Function to apply all security configurations
 apply_security_hardening() {
    echo "Applying security hardening..."
    create_wifi_blacklist
    create_bluetooth_blacklist
    configure_ssh
    configure_password_policy
    configure_system_limits
    configure_audit_rules
    echo "Security hardening completed."
 }
 # Main execution
 main() {
    echo "Starting KNEL-Football security hardening..."
    apply_security_hardening
    echo "Security hardening completed successfully!"
 }
 # Run main if script is executed directly
 if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    main "$@"
 fi