KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
football/config/setup-wireguard.sh
Charles N Wyble 17dcee7e52 feat: add minimal Debian image build system with WireGuard-only networking 
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00

46 lines
1.3 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
# WireGuard configuration script for football system
# This script sets up WireGuard with provided keys
set -e
# Variables - these will be passed from build script
WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"
WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"
WG_PRIVATE_KEY="${WG_PRIVATE_KEY}"
WG_PUBLIC_KEY="${WG_PUBLIC_KEY}"
if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then
echo "ERROR: WireGuard keys not provided"
echo "Set WG_PRIVATE_KEY and WG_PUBLIC_KEY environment variables"
exit 1
fi
echo "Configuring WireGuard..."
# Replace placeholders in template
sed -e "s|<PRIVATE_KEY_PLACEHOLDER>|$WG_PRIVATE_KEY|g" \
-e "s|<PUBLIC_KEY_PLACEHOLDER>|$WG_PUBLIC_KEY|g" \
-e "s|<ENDPOINT_IP>|$WG_ENDPOINT_IP|g" \
-e "s|<ENDPOINT_PORT>|$WG_ENDPOINT_PORT|g" \
/etc/wireguard/wg0.conf.template > /etc/wireguard/wg0.conf
# Secure the configuration
chmod 600 /etc/wireguard/wg0.conf
# Enable and start WireGuard
systemctl enable wg-quick@wg0
systemctl start wg-quick@wg0
# Verify connection
sleep 2
if ip link show wg0 >/dev/null 2>&1; then
echo "WireGuard interface wg0 is UP"
echo "All network traffic now routed through VPN"
else
echo "WARNING: WireGuard interface not detected"
exit 1
fi
echo "WireGuard configuration complete"
Reference in New Issue View Git Blame Copy Permalink