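#!/bin/bash
# Install source scripts and configure system
#
# Writes the helper scripts below into /usr/local/bin (they are embedded here
# as heredocs because /workspace is not available in the installed system) and
# installs the matching desktop shortcuts. Must run as root.
#
# NOTE(review): this copy of the file is damaged. Every unquoted `<<EOF`
# heredoc lost its body up to the next `>`: the nftables ruleset in
# generate_nftables_rules, the head of apply_firewall, the three .desktop
# entries and the command before the final `/dev/null || true`. Those spans
# are marked PLACEHOLDER below and must be restored from the original source
# before this installer is used. The firewall placeholder is deliberately
# invalid so the firewall script fails closed rather than loading an empty
# ruleset.
set -euo pipefail

echo "Installing source scripts..."

# Install firewall-setup script (embedded - /workspace not available in installed system)
cat >/usr/local/bin/firewall-setup.sh <<'FIREWALL_SCRIPT'
#!/bin/bash
# Generate and load an nftables ruleset pinned to the WireGuard endpoint.
set -euo pipefail

#######################################
# Print the WireGuard peer endpoint as "IPv4:port".
# Arguments: $1 - path to the WireGuard config (default /etc/wireguard/wg0.conf)
# Outputs:   the first uncommented "Endpoint = a.b.c.d:port" value on stdout
# Returns:   0 on success; 1 if the file is missing or no endpoint parses
# Only a literal dotted-quad IPv4 address with a numeric port is accepted:
# the value is interpolated into a ruleset loaded as root, so it is validated
# here rather than trusted. Hostname and IPv6 endpoints are not supported.
#######################################
parse_wg_endpoint() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  local line ip port
  local re='^[[:space:]]*Endpoint[[:space:]]*=[[:space:]]*([0-9]{1,3}(\.[0-9]{1,3}){3}):([0-9]{1,5})[[:space:]]*(#.*)?$'
  if [[ ! -f $wg_config ]]; then
    echo "Error: WireGuard config not found at $wg_config" >&2
    return 1
  fi
  # Read line by line (no pipeline) so the first match can return directly.
  while IFS= read -r line || [[ -n $line ]]; do
    [[ $line =~ ^[[:space:]]*# ]] && continue
    if [[ $line =~ $re ]]; then
      ip=${BASH_REMATCH[1]}
      port=${BASH_REMATCH[3]}
      # 10# forces decimal so a leading zero is not read as octal.
      if (( 10#$port < 1 || 10#$port > 65535 )); then
        echo "Error: Endpoint port out of range in $wg_config: $port" >&2
        return 1
      fi
      printf '%s:%s\n' "$ip" "$port"
      return 0
    fi
  done <"$wg_config"
  echo "Error: Could not parse endpoint from WireGuard config" >&2
  return 1
}

#######################################
# Emit the nftables ruleset for the given endpoint on stdout.
# Arguments: $1 - endpoint as "IPv4:port" (already validated by parse_wg_endpoint)
#######################################
generate_nftables_rules() {
  local endpoint="$1"
  local ip="${endpoint%:*}"
  local port="${endpoint#*:}"
  # PLACEHOLDER: the ruleset heredoc body was lost from this copy of the file.
  # Restore it from the original source; it is expected to reference $ip and
  # $port. The stub below is intentionally NOT valid nft syntax so that
  # apply_firewall's validation step refuses to install it.
  cat <<EOF
PLACEHOLDER nftables ruleset for endpoint ${ip}:${port} -- restore from original source
EOF
}

#######################################
# Generate, validate and activate the ruleset.
# Arguments: $1 - optional path to the WireGuard config
# Outputs:   progress on stdout, warnings/errors on stderr
# Returns:   0 on success or when the config is absent/unparseable (warning
#            only); 1 if the generated ruleset fails validation
# NOTE(review): the opening lines of this function were lost from this copy;
# the config-exists / endpoint-parsed nesting is reconstructed from the
# surviving else/fi branches and their messages -- confirm against the
# original. The "default deny policy" mentioned in the warnings is not
# applied by anything visible here.
#######################################
apply_firewall() {
  local wg_config="${1:-/etc/wireguard/wg0.conf}"
  local endpoint tmp
  if [[ -f $wg_config ]]; then
    if endpoint=$(parse_wg_endpoint "$wg_config"); then
      tmp=$(mktemp) || return 1
      generate_nftables_rules "$endpoint" >"$tmp"
      # Dry-run the file before touching the live config so a bad ruleset
      # cannot leave the host with its firewall flushed by the restart.
      if ! nft -c -f "$tmp"; then
        rm -f -- "$tmp"
        echo "Error: generated nftables ruleset failed validation; existing firewall left unchanged" >&2
        return 1
      fi
      install -m 0644 -- "$tmp" /etc/nftables.conf
      rm -f -- "$tmp"
      systemctl enable nftables
      systemctl restart nftables
      echo "Firewall configured for endpoint: $endpoint"
    else
      echo "Warning: Could not parse WireGuard endpoint, using default deny policy" >&2
    fi
  else
    echo "Warning: WireGuard config not found, using default deny policy" >&2
  fi
}

main() {
  echo "Setting up dynamic firewall..."
  apply_firewall "$@"
  echo "Firewall setup completed."
}

if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
  main "$@"
fi
FIREWALL_SCRIPT
chmod 0755 /usr/local/bin/firewall-setup.sh

# Install security-hardening script (embedded)
cat >/usr/local/bin/security-hardening.sh <<'HARDENING_SCRIPT'
#!/bin/bash
# KNEL-Football Security Hardening Utility (installed system)
# Re-applies security hardening or checks current status
set -euo pipefail

#######################################
# List device-mapper nodes that cryptsetup recognises as active crypt devices.
# Requires root for cryptsetup status; other mapper nodes (and /dev/mapper/control)
# are reported as unavailable instead of being labelled "Encrypted".
#######################################
check_encryption_status() {
  echo "Checking encryption status..."
  local dev status
  if command -v cryptsetup >/dev/null 2>&1; then
    for dev in /dev/mapper/*; do
      [[ -e $dev ]] || continue
      if status=$(cryptsetup status "$dev" 2>/dev/null); then
        echo "Encrypted device: $dev"
        printf '%s\n' "$status" | head -5
      else
        echo " $dev: not a dm-crypt device or status unavailable"
      fi
    done
  else
    echo "WARNING: cryptsetup not found"
  fi
}

#######################################
# Print the current value of the kernel hardening sysctls ("N/A" if unreadable).
# The values are only displayed, not compared against a baseline.
#######################################
check_kernel_hardening() {
  echo "Checking kernel hardening..."
  local params=(kernel.randomize_va_space kernel.yama.ptrace_scope kernel.kptr_restrict kernel.dmesg_restrict)
  local param val
  for param in "${params[@]}"; do
    val=$(sysctl -n "$param" 2>/dev/null || echo "N/A")
    echo " $param = $val"
  done
}

#######################################
# Show the first 20 lines of the live nftables ruleset.
# Distinguishes "nft failed" (usually not root) from a genuinely empty ruleset;
# the original `nft ... | head || echo` never reached the "no rules" message
# because an empty ruleset is a successful listing.
#######################################
check_firewall() {
  echo "Checking firewall status..."
  local ruleset
  if command -v nft >/dev/null 2>&1; then
    if ! ruleset=$(nft list ruleset 2>/dev/null); then
      echo " WARNING: could not read nftables ruleset (run as root?)"
    elif [[ -z $ruleset ]]; then
      echo " No nftables rules loaded"
    else
      printf '%s\n' "$ruleset" | head -20
    fi
  else
    echo " WARNING: nft not found"
  fi
}

#######################################
# Confirm the listed services are masked or disabled.
# A unit that is not installed at all is reported as OK rather than as a
# possibly-enabled service. `systemctl is-enabled` exits non-zero for
# disabled/masked units while still printing the state, so its status is
# ignored and only the printed state is inspected.
#######################################
check_services() {
  echo "Checking disabled services..."
  local svc state
  for svc in avahi-daemon cups bluetooth ModemManager; do
    state=$(systemctl is-enabled "$svc" 2>/dev/null || true)
    case "$state" in
      masked*|disabled*)
        echo " $svc: DISABLED (OK)"
        ;;
      ""|not-found)
        echo " $svc: not installed (OK)"
        ;;
      *)
        echo " $svc: WARNING - may be enabled"
        ;;
    esac
  done
}

main() {
  echo "KNEL-Football Security Hardening Utility"
  echo "========================================="
  echo ""
  check_encryption_status
  echo ""
  check_kernel_hardening
  echo ""
  check_firewall
  echo ""
  check_services
  echo ""
  echo "Security check completed."
}

if [[ ${BASH_SOURCE[0]} == "${0}" ]]; then
  main "$@"
fi
HARDENING_SCRIPT
chmod 0755 /usr/local/bin/security-hardening.sh

# Create VPN configuration apply script
cat >/usr/local/bin/apply-vpn-config.sh <<'EOF'
#!/bin/bash
# Apply VPN configuration and update firewall
set -euo pipefail

# Apply firewall configuration first so the tunnel comes up behind the
# endpoint-pinned ruleset; firewall-setup.sh aborts on an invalid ruleset.
/usr/local/bin/firewall-setup.sh

# Start WireGuard if configuration exists
if [[ -f "/etc/wireguard/wg0.conf" ]]; then
  systemctl enable wg-quick@wg0
  systemctl start wg-quick@wg0
  echo "WireGuard started successfully."
else
  echo "Warning: WireGuard configuration not found." >&2
fi

echo "VPN configuration applied successfully."
EOF
chmod 0755 /usr/local/bin/apply-vpn-config.sh

# Create desktop shortcuts
mkdir -p /usr/share/applications

# PLACEHOLDER: the bodies of the three .desktop entries below were lost from
# this copy of the file; each stub installs only a comment line. Restore the
# real entries from the original source.

# WireGuard Configuration Editor shortcut
cat >/usr/share/applications/wg-config.desktop <<'EOF'
# PLACEHOLDER: desktop entry body lost from this copy -- restore from original source
EOF

# Apply VPN configuration shortcut
cat >/usr/share/applications/apply-vpn.desktop <<'EOF'
# PLACEHOLDER: desktop entry body lost from this copy -- restore from original source
EOF

# Scan WireGuard QR code shortcut
cat >/usr/share/applications/scan-wireguard-qr.desktop <<'EOF'
# PLACEHOLDER: desktop entry body lost from this copy -- restore from original source
EOF

# PLACEHOLDER: a best-effort command ending in "/dev/null || true" followed the
# shortcuts in the original and was lost from this copy; restore it from the
# original source.

echo "Source scripts installed successfully."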