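#!/bin/bash
# Build script for football minimal Debian image
# Creates hardened Debian system with WireGuard-only network access
#
# Secrets: WG_PRIVATE_KEY and WG_PUBLIC_KEY may be supplied through the
# environment instead of being edited into this file, so the client's private
# key never has to live next to the script (or end up in version control).
set -euo pipefail

# ============================================================================
# CONFIGURATION VARIABLES - ADJUST THESE FOR YOUR ENVIRONMENT
# ============================================================================

# Debian version
DEBIAN_VERSION="trixie"

# WireGuard endpoint configuration (an environment variable of the same name
# overrides the value given here)
WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"    # REPLACE with your WireGuard server IP
WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"    # REPLACE with your WireGuard server port
WG_PRIVATE_KEY="${WG_PRIVATE_KEY:-}"             # REQUIRED: Private key for this client
WG_PUBLIC_KEY="${WG_PUBLIC_KEY:-}"               # REQUIRED: Public key of VPN server

# Build configuration
BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CHROOT_DIR="$BUILD_DIR/chroot"
OUTPUT_DIR="$BUILD_DIR/output"
IMAGE_NAME="football"

# Image sizes (in MB)
DISK_SIZE_MB=8192   # 8GB for minimal install

# ============================================================================
# HELPERS
# ============================================================================

# Print an error to stderr and stop the build.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Unmount a path only if something is actually mounted there.
# Arguments: $1 - mount point to release
umount_if_mounted() {
  local target=$1
  if mountpoint -q -- "$target"; then
    sudo umount -- "$target" || echo "Warning: could not unmount $target" >&2
  fi
}

# Release every mount and loop device this script may have set up. It runs on
# every exit path (success, 'die', or a failed command under set -e) so that an
# aborted build never leaves the host's /dev, /proc or /sys bind-mounted inside
# the chroot, where a later 'rm -rf' of the chroot would recurse into them.
# Globals: BUILD_DIR, CHROOT_DIR (read), LOOP_DEV (read, may be unset)
cleanup_on_exit() {
  local d
  for d in sys proc dev boot/efi; do
    umount_if_mounted "$BUILD_DIR/mount/root/$d"
  done
  umount_if_mounted "$BUILD_DIR/mount/root"
  umount_if_mounted "$BUILD_DIR/mount/efi"
  for d in dev proc sys; do
    umount_if_mounted "$CHROOT_DIR/$d"
  done
  if [ -n "${LOOP_DEV:-}" ]; then
    # Already detached on the success path; the error is then expected.
    sudo losetup -d "$LOOP_DEV" 2>/dev/null || true
  fi
}
trap cleanup_on_exit EXIT

# ============================================================================
# VALIDATION
# ============================================================================

echo "============================================="
echo "Football Minimal Debian Image Build Script"
echo "============================================="

if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then
  echo ""
  echo "ERROR: WireGuard keys not configured!"
  echo ""
  echo "You must set the following variables in this script or in the environment:"
  echo "  - WG_ENDPOINT_IP: Your WireGuard server IP"
  echo "  - WG_ENDPOINT_PORT: Your WireGuard server port"
  echo "  - WG_PRIVATE_KEY: This client's WireGuard private key"
  echo "  - WG_PUBLIC_KEY: VPN server's WireGuard public key"
  echo ""
  echo "To generate keys for this client:"
  echo "  wg genkey | tee private.key | wg pubkey > public.key"
  echo ""
  exit 1
fi

# A WireGuard key is 32 bytes of base64: 43 symbols followed by one '=' pad.
# Rejecting a truncated or mis-pasted key here is far cheaper than discovering
# it after an 8GB image has been built. The key itself is never printed.
WG_KEY_RE='^[A-Za-z0-9+/]{43}=$'
[[ "$WG_PRIVATE_KEY" =~ $WG_KEY_RE ]] || die "WG_PRIVATE_KEY is not a valid WireGuard key"
[[ "$WG_PUBLIC_KEY" =~ $WG_KEY_RE ]] || die "WG_PUBLIC_KEY is not a valid WireGuard key"
if ! [[ "$WG_ENDPOINT_PORT" =~ ^[0-9]+$ ]] || (( WG_ENDPOINT_PORT < 1 || WG_ENDPOINT_PORT > 65535 )); then
  die "WG_ENDPOINT_PORT must be a port number between 1 and 65535"
fi

echo "WireGuard endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"

# ============================================================================
# PREPARE BUILD ENVIRONMENT
# ============================================================================

echo ""
echo "[1/11] Preparing build environment..."

# Clean up previous builds. A previous run that died with /dev, /proc or /sys
# still bind-mounted would otherwise let 'rm -rf' descend into the HOST's
# filesystems, so unmount first and refuse to cross filesystem boundaries.
if [ -d "$CHROOT_DIR" ]; then
  echo "Removing previous chroot directory..."
  for d in dev proc sys; do
    umount_if_mounted "$CHROOT_DIR/$d"
  done
  sudo rm -rf --one-file-system -- "${CHROOT_DIR:?}"
fi
mkdir -p "$CHROOT_DIR" "$OUTPUT_DIR"

# Install required tools
sudo apt-get update
sudo apt-get install -y debootstrap qemu-utils kpartx squashfs-tools

# ============================================================================
# BOOTSTRAP MINIMAL DEBIAN SYSTEM
# ============================================================================

echo ""
echo "[2/11] Bootstrapping minimal Debian $DEBIAN_VERSION (Debian 13 Trixie)..."

# debootstrap checks the archive's Release signature by default (we do not
# pass --no-check-gpg), which is what gives the plain-http mirror integrity.
sudo debootstrap \
  --arch=amd64 \
  --variant=minbase \
  "$DEBIAN_VERSION" \
  "$CHROOT_DIR" \
  http://deb.debian.org/debian

# ============================================================================
# CONFIGURE APT SOURCES
# ============================================================================

echo ""
echo "[3/11] Configuring APT sources..."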
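# Track the bootstrapped release instead of repeating its name, so the two
# cannot drift apart when DEBIAN_VERSION is changed.
sudo tee "$CHROOT_DIR/etc/apt/sources.list" >/dev/null <<EOF
deb http://deb.debian.org/debian $DEBIAN_VERSION main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security $DEBIAN_VERSION-security main contrib non-free non-free-firmware
EOF

# ============================================================================
# INSTALL PACKAGES
# ============================================================================

echo ""
echo "[4/11] Installing packages..."

# Mount necessary filesystems for chroot
sudo mount -t proc /proc "$CHROOT_DIR/proc"
sudo mount -t sysfs /sys "$CHROOT_DIR/sys"
sudo mount -o bind /dev "$CHROOT_DIR/dev"

# Read the package list on the host. The previous form expanded
# "$(cat /tmp/packages.list | ...)" inside a double-quoted 'bash -c' string,
# i.e. on the HOST - where that file does not exist - so apt-get received no
# package names at all and the "minimal" image shipped with nothing installed.
PACKAGES_LIST="$BUILD_DIR/config/packages.list"
[ -f "$PACKAGES_LIST" ] || { echo "ERROR: $PACKAGES_LIST not found" >&2; exit 1; }
packages=()
while IFS= read -r line || [ -n "$line" ]; do
  # Skip blank lines and lines starting with '#'; several names per line are allowed.
  [[ -z "$line" || "$line" == \#* ]] && continue
  read -r -a words <<<"$line"
  packages+=("${words[@]}")
done < "$PACKAGES_LIST"
[ "${#packages[@]}" -gt 0 ] || { echo "ERROR: $PACKAGES_LIST lists no packages" >&2; exit 1; }

# Install packages in chroot. Names are passed as separate arguments rather
# than spliced into a shell command string.
sudo chroot "$CHROOT_DIR" env DEBIAN_FRONTEND=noninteractive apt-get update
sudo chroot "$CHROOT_DIR" env DEBIAN_FRONTEND=noninteractive apt-get install -y "${packages[@]}"

# ============================================================================
# APPLY CHROOT OVERLAY
# ============================================================================

echo ""
echo "[5/11] Applying chroot overlay..."

# Copy overlay files. 'cp -rT' merges the overlay's contents (dotfiles included)
# onto the chroot root; the earlier "overlay/"* glob skipped dotfiles and failed
# outright on an empty directory.
OVERLAY_DIR="$BUILD_DIR/chroot-overlay"
[ -d "$OVERLAY_DIR" ] || { echo "ERROR: $OVERLAY_DIR not found" >&2; exit 1; }
sudo cp -rT -- "$OVERLAY_DIR" "$CHROOT_DIR"

# Set up user account. 'changeme' is a documented default, so expire it: the
# first interactive login must replace it. The config directory is created by
# root inside the chroot, hence the explicit chown back to the user.
# NOTE(review): confirm the graphical login path used by the overlay handles an
# expired password prompt.
sudo chroot "$CHROOT_DIR" bash -e -c '
  id user >/dev/null 2>&1 || useradd -m -s /bin/bash user
  echo "user:changeme" | chpasswd
  passwd --expire user
  mkdir -p /home/user/.icewm
  chown -R user:user /home/user/.icewm
'

# ============================================================================
# CONFIGURE WIREGUARD
# ============================================================================

echo ""
echo "[6/11] Configuring WireGuard..."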
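# Render the WireGuard configuration from the template the overlay placed in
# the chroot. This is done on the host so the private key never appears on a
# command line: the former 'sudo WG_PRIVATE_KEY=... chroot' and
# 'sed -e "s|..|$WG_PRIVATE_KEY|g"' forms both put the key into argv, which
# every user on the build host can read through ps while the command runs.
WG_TEMPLATE="$CHROOT_DIR/etc/wireguard/wg0.conf.template"
WG_CONF="$CHROOT_DIR/etc/wireguard/wg0.conf"

# Literal placeholder tokens used inside wg0.conf.template.
# NOTE(review): in the copy of this script reviewed the tokens had been lost -
# the sed expressions read `s||$WG_PRIVATE_KEY|g`, an empty pattern that sed
# rejects, which left an empty wg0.conf in the image while the build carried
# on. They must be restored from the template before the build will proceed.
# TODO: set each token to the exact text used in wg0.conf.template.
WG_TPL_PRIVATE_KEY_TOKEN=""
WG_TPL_PUBLIC_KEY_TOKEN=""
WG_TPL_ENDPOINT_IP_TOKEN=""
WG_TPL_ENDPOINT_PORT_TOKEN=""
for token_var in WG_TPL_PRIVATE_KEY_TOKEN WG_TPL_PUBLIC_KEY_TOKEN \
                 WG_TPL_ENDPOINT_IP_TOKEN WG_TPL_ENDPOINT_PORT_TOKEN; do
  [ -n "${!token_var}" ] || { echo "ERROR: $token_var is not set (see comment above)" >&2; exit 1; }
done
sudo test -f "$WG_TEMPLATE" || { echo "ERROR: $WG_TEMPLATE not found in chroot overlay" >&2; exit 1; }

# /etc/wireguard is root-only inside the chroot, hence sudo to read it.
wg_template_text=$(sudo cat -- "$WG_TEMPLATE")
# Bash substitution with quoted pattern and replacement: no regex metacharacters,
# no '&' back-reference, and nothing spawned that would carry the key in argv.
wg_conf_text=$wg_template_text
wg_conf_text=${wg_conf_text//"$WG_TPL_PRIVATE_KEY_TOKEN"/"$WG_PRIVATE_KEY"}
wg_conf_text=${wg_conf_text//"$WG_TPL_PUBLIC_KEY_TOKEN"/"$WG_PUBLIC_KEY"}
wg_conf_text=${wg_conf_text//"$WG_TPL_ENDPOINT_IP_TOKEN"/"$WG_ENDPOINT_IP"}
wg_conf_text=${wg_conf_text//"$WG_TPL_ENDPOINT_PORT_TOKEN"/"$WG_ENDPOINT_PORT"}

# Refuse to ship an image whose tunnel configuration was not actually populated.
if ! [[ "$wg_conf_text" == *"$WG_PRIVATE_KEY"* && "$wg_conf_text" == *"$WG_PUBLIC_KEY"* ]]; then
  echo "ERROR: placeholders not found in $WG_TEMPLATE; check the WG_TPL_*_TOKEN values" >&2
  exit 1
fi

# Create the file with its final owner and mode (root, 0600) in one step, so
# there is no window in which a world-readable copy exists on the build host.
printf '%s\n' "$wg_conf_text" | sudo install -m 600 -o root -g root /dev/stdin "$WG_CONF"
unset wg_conf_text wg_template_text
echo "WireGuard configured for endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"

# ============================================================================
# RUN HARDENING SCRIPT
# ============================================================================

echo ""
echo "[7/11] Running hardening script..."

# Copy hardening scripts to chroot first. setup-wireguard.sh is staged here but
# not invoked by this script directly (presumably consumed by harden.sh - verify).
for helper in harden.sh secureboot.sh setup-wireguard.sh; do
  [ -f "$BUILD_DIR/config/$helper" ] || { echo "ERROR: $BUILD_DIR/config/$helper not found" >&2; exit 1; }
  sudo cp -- "$BUILD_DIR/config/$helper" "$CHROOT_DIR/tmp/$helper"
done

# Hand the endpoint to harden.sh through the chroot process environment instead
# of splicing it into a shell string. harden.sh's own exit status now ends the
# build: the old 'bash -c "... bash /tmp/harden.sh; rm ..."' reported only rm's.
sudo chroot "$CHROOT_DIR" \
  env WG_ENDPOINT_IP="$WG_ENDPOINT_IP" WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \
  bash /tmp/harden.sh
sudo rm -f -- "$CHROOT_DIR/tmp/harden.sh"

# ============================================================================
# CONFIGURE PAM
# ============================================================================

echo ""
echo "[8/11] Configuring PAM authentication..."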
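# Configure PAM with CIS password policy
if [ -f "$CHROOT_DIR/etc/pam.d/common-password-cis" ]; then
  sudo cp -- "$CHROOT_DIR/etc/pam.d/common-password-cis" "$CHROOT_DIR/etc/pam.d/common-password"
  echo "PAM password policy configured"
else
  echo "Warning: CIS PAM configuration not found" >&2
fi

# Configure faillock for account lockout. Written from the host so the content
# is a plain heredoc rather than a heredoc nested inside a shell command string.
sudo mkdir -p "$CHROOT_DIR/etc/security"
sudo tee "$CHROOT_DIR/etc/security/faillock.conf" >/dev/null <<'EOF'
deny = 5
unlock_time = 900
even_deny_root
root_unlock_time = 900
EOF

# ============================================================================
# INITIALIZE AIDE DATABASE
# ============================================================================

echo ""
echo "[9/11] Initializing AIDE database..."

# Initialize AIDE database. aide's stderr stays visible and its real exit code
# is reported; the previous form discarded stderr and printed a "$?" that the
# HOST shell had already expanded before the chroot ran.
aide_rc=0
sudo chroot "$CHROOT_DIR" aide --init || aide_rc=$?
if [ "$aide_rc" -ne 0 ]; then
  echo "Warning: aide --init returned exit code $aide_rc" >&2
fi

AIDE_DB_NEW="$CHROOT_DIR/var/lib/aide/aide.db.new"
AIDE_DB="$CHROOT_DIR/var/lib/aide/aide.db"
if sudo test -f "$AIDE_DB_NEW"; then
  sudo mv -- "$AIDE_DB_NEW" "$AIDE_DB"
  sudo chmod 600 "$AIDE_DB"
  sudo chown root:root "$AIDE_DB"
  echo "AIDE database initialized"
else
  echo "Warning: AIDE database not created" >&2
fi

# ============================================================================
# CONFIGURE SECURE BOOT
# ============================================================================

echo ""
echo "[10/11] Configuring Secure Boot..."

if sudo test -f "$CHROOT_DIR/tmp/secureboot.sh"; then
  sudo chroot "$CHROOT_DIR" bash /tmp/secureboot.sh
  sudo rm -f -- "$CHROOT_DIR/tmp/secureboot.sh"
else
  echo "Warning: /tmp/secureboot.sh not present in chroot; Secure Boot step skipped" >&2
fi

# ============================================================================
# ENABLE SYSTEMD SERVICES
# ============================================================================

echo ""
echo "[11/11] Configuring systemd services..."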
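# Enable each unit separately so a failure names the unit. Under 'set -e' a
# unit that cannot be enabled (e.g. block-remote-access.service missing from
# the overlay) now stops the build instead of quietly shipping an image
# without its network lock-down.
for unit in block-remote-access.service wg-quick@wg0 auditd rsyslog apparmor aide-check.timer; do
  sudo chroot "$CHROOT_DIR" systemctl enable "$unit"
done
sudo chroot "$CHROOT_DIR" systemctl set-default graphical.target
echo "Systemd services configured"

# ============================================================================
# CLEANUP
# ============================================================================

echo ""
echo "Cleaning up..."

# Unmount filesystems. These must succeed: with /dev still bound, the copy
# below would pull the host's /dev into the image, and the next build's
# 'rm -rf' of the chroot would recurse into it.
sudo umount "$CHROOT_DIR/dev"
sudo umount "$CHROOT_DIR/proc"
sudo umount "$CHROOT_DIR/sys"

# Clean apt cache and build-time helpers
sudo rm -rf -- "${CHROOT_DIR:?}/var/cache/apt/archives/"*
sudo rm -rf -- "${CHROOT_DIR:?}/tmp/"*

# ============================================================================
# CREATE IMAGES
# ============================================================================

echo ""
# NOTE(review): this is the twelfth step; the step labels count to 11.
echo "[11/11] Creating disk images..."

# Create raw disk image for physical system
RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img"
echo "Creating raw image: $RAW_IMAGE"
qemu-img create -f raw "$RAW_IMAGE" "${DISK_SIZE_MB}M"

# Setup partition table: 512MiB EFI system partition, remainder Linux root
sudo sfdisk "$RAW_IMAGE" <<EOF
label: gpt
unit: sectors
size=512MiB,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
EOF

# Setup loop device (-P exposes the partitions as ${LOOP_DEV}p1 and p2)
LOOP_DEV=$(sudo losetup -f --show -P "$RAW_IMAGE")
echo "Using loop device: $LOOP_DEV"

# Create filesystems
sudo mkfs.vfat -F32 "${LOOP_DEV}p1"
sudo mkfs.ext4 "${LOOP_DEV}p2"

# Mount the root filesystem, then the ESP at its final place inside it. The
# earlier version mounted the ESP twice - at mount/efi through the loop
# partition and again at mount/root/boot/efi through a kpartx device-mapper
# node - and two independent mounts of one FAT volume corrupt it. The separate
# mount/efi was never used for anything.
MOUNT_ROOT="$BUILD_DIR/mount/root"
sudo mkdir -p "$MOUNT_ROOT"
sudo mount "${LOOP_DEV}p2" "$MOUNT_ROOT"

# Copy chroot contents
sudo cp -a "$CHROOT_DIR"/. "$MOUNT_ROOT/"

# Create /boot/efi mount point and mount the ESP there
sudo mkdir -p "$MOUNT_ROOT/boot/efi"
sudo mount "${LOOP_DEV}p1" "$MOUNT_ROOT/boot/efi"

# Bind mounts needed for GRUB install
sudo mount --bind /dev "$MOUNT_ROOT/dev"
sudo mount --bind /proc "$MOUNT_ROOT/proc"
sudo mount --bind /sys "$MOUNT_ROOT/sys"

# Install GRUB. --no-nvram keeps grub-install from registering the image in the
# BUILD HOST's UEFI boot entries - the only NVRAM reachable from this chroot
# (without it the step either fails on a non-UEFI host or edits the host's boot
# order). The trailing device argument is meaningless for the EFI target and is
# dropped.
# NOTE(review): add --removable if target firmware will have no "debian" boot
# entry, so it can fall back to EFI/BOOT/BOOTX64.EFI.
sudo chroot "$MOUNT_ROOT" grub-install --target=x86_64-efi \
  --efi-directory=/boot/efi --bootloader-id=debian --no-nvram
sudo chroot "$MOUNT_ROOT" update-grub

# Cleanup mounts, innermost first. Each must succeed before the loop device is
# released and the mount directory removed.
sudo umount "$MOUNT_ROOT/sys"
sudo umount "$MOUNT_ROOT/proc"
sudo umount "$MOUNT_ROOT/dev"
sudo umount "$MOUNT_ROOT/boot/efi"
sudo umount "$MOUNT_ROOT"
sudo losetup -d "$LOOP_DEV"
# rmdir, not rm -rf: a tree that is still mounted or non-empty is reported, never deleted.
sudo rmdir "$MOUNT_ROOT" "$BUILD_DIR/mount"

# Create qcow2 image for VM
QCOW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-vm.qcow2"
echo "Creating qcow2 image: $QCOW_IMAGE"
qemu-img convert -f raw -O qcow2 "$RAW_IMAGE" "$QCOW_IMAGE"

# ============================================================================
# SUMMARY
# ============================================================================

echo ""
echo "============================================="
echo "BUILD COMPLETE"
echo "============================================="
echo ""
echo "Images created:"
echo "  Physical system: $RAW_IMAGE"
echo "  Virtual Machine: $QCOW_IMAGE"
echo ""
echo "WireGuard configuration:"
echo "  Endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
echo ""
echo "IMPORTANT SECURITY NOTES:"
echo "  1. All network traffic MUST go through WireGuard"
echo "  2. Direct network access is BLOCKED"
echo "  3. Change default user password: 'changeme'"
echo "  4. Configure Secure Boot keys for physical deployment"
echo "  5. Test WireGuard connection before deployment"
echo ""
echo "For VM: qemu-system-x86_64 -m 2048 -drive file=$QCOW_IMAGE,format=qcow2"
echo ""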