# Football Secure Access System

This system is configured for secure access to remote privileged access workstations through a WireGuard VPN tunnel.

**SYSTEM CHARACTERISTICS:**

- Remote access: DISABLED (no SSH, no network services)
- Local console access only
- Automatic IceWM window manager startup
- Remmina remote desktop client
- Secure Boot enforced
- **ALL network traffic MUST go through WireGuard VPN**
- **Direct network access BLOCKED - only WireGuard allowed**

**NETWORK CONFIGURATION:**

- Physical interface (eth0): ONLY allows WireGuard to configured endpoint
- WireGuard tunnel (wg0): ALL outbound traffic goes through this tunnel
- Inbound traffic: BLOCKED (except WireGuard keepalives)
- DHCP: Allowed on eth0 only for initial IP acquisition

**USAGE:**

1. Login with local user account
2. IceWM and Remmina start automatically
3. WireGuard tunnel is established automatically
4. Use Remmina to connect to PAW (Privileged Access Workstation) through VPN
5. Close Remmina when done
6. System locks automatically on inactivity

**SECURITY:**

- No remote administration permitted
- All direct network connections blocked
- Only WireGuard tunnel traffic allowed to configured endpoint
- System logs all actions
- Secure Boot verifies kernel integrity
- Firewall strictly enforced

**WIREGUARD ENDPOINT:**

- Configured during build (see build script variables)
- Only endpoint allowed: WG_ENDPOINT_IP:WG_ENDPOINT_PORT
- All traffic routes through VPN after connection

**CONTACT:**

For system issues, contact infrastructure security team.
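
The firewall policy listed under NETWORK CONFIGURATION, written out as a generator for an nftables ruleset that refuses to build when the endpoint is malformed. This is an added example, not the project's build script; it assumes nftables, and the function names and the `football` table name are hypothetical.

```shell
# Added example, not the project's build script. Function and table names
# are hypothetical; eth0/wg0 and the endpoint variables come from the page.

valid_ipv4() {   # dotted quad, each octet 0-255
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

valid_port() {   # integer 1-65535
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Print the ruleset, or fail closed if the endpoint is malformed (for
# example a build placeholder that was never substituted).
gen_ruleset() {
    ip=$1; port=$2
    valid_ipv4 "$ip" && valid_port "$port" || {
        echo "refusing to build: bad endpoint '$ip:$port'" >&2
        return 1
    }
    cat <<EOF
table inet football {
  chain input {
    type filter hook input priority 0; policy drop;
    iifname "lo" accept
    iifname "wg0" ct state established,related accept
    iifname "eth0" udp sport 67 udp dport 68 accept
    iifname "eth0" ip saddr $ip udp sport $port accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oifname "lo" accept
    oifname "wg0" accept
    oifname "eth0" udp sport 68 udp dport 67 accept
    oifname "eth0" ip daddr $ip udp dport $port accept
  }
  chain forward { type filter hook forward priority 0; policy drop; }
}
EOF
}

# Constructed sample endpoint (TEST-NET-3 documentation address).
gen_ruleset 203.0.113.10 51820
```

Because every chain defaults to drop, a failure to bring up `wg0` leaves the host with no usable network path instead of falling back to direct access over `eth0`.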