football/QUICKSTART.md
Charles N Wyble 17dcee7e52 feat: add minimal Debian image build system with WireGuard-only networking
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00


Football Build Quick Reference

Build Steps

# 1. Install dependencies
sudo apt-get install debootstrap qemu-utils kpartx squashfs-tools

# 2. Generate WireGuard keys (umask 077 keeps the key files readable by the owner only)
(umask 077 && wg genkey | tee client-private.key | wg pubkey > client-public.key)

# 3. Edit build.sh with your configuration
nano build.sh
# Set: WG_ENDPOINT_IP, WG_ENDPOINT_PORT, WG_PRIVATE_KEY, WG_PUBLIC_KEY

# 4. Build the image
./build.sh

# 5. Deploy
# For VM:
qemu-system-x86_64 -m 2048 -drive file=output/football-vm.qcow2,format=qcow2

# For physical:
sudo dd if=output/football-physical.img of=/dev/sdX bs=4M status=progress

Key Configuration Variables (in build.sh)

WG_ENDPOINT_IP="192.0.2.1"        # WireGuard server IP
WG_ENDPOINT_PORT="51820"          # WireGuard server port
WG_PRIVATE_KEY="..."              # Client private key (from wg genkey)
WG_PUBLIC_KEY="..."               # Server public key

File Locations

  • Build script: ./build.sh
  • Package list: config/packages.list
  • Hardening script: config/harden.sh
  • User config: chroot-overlay/home/user/
  • System services: chroot-overlay/etc/systemd/system/
  • WireGuard config: chroot-overlay/etc/wireguard/

Quick Troubleshooting

Issue             Command
WireGuard status  sudo wg show
Firewall rules    sudo iptables -L -n -v
System logs       sudo journalctl -xe
Network status    ip addr show

Security Checklist

  • Generated unique WireGuard keys
  • Changed default password (changeme)
  • Verified WireGuard endpoint connectivity
  • Configured Remmina profile for PAW
  • Enabled Secure Boot on physical hardware
  • Tested firewall rules
  • Verified no remote access services running
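
One way to carry out the "Tested firewall rules" item, as an added example that is not part of the project's own scripts: a POSIX shell function that reads `iptables -S` output and fails if anything other than UDP to the configured WireGuard endpoint may leave the machine outside the tunnel. The function names, the `wg*` tunnel interface name and the sample ruleset are assumptions made for illustration.

```sh
# Added example: audit `iptables -S` output (stdin) against a WireGuard-only
# policy. Assumed, not taken from the project: filter-table rules, a tunnel
# interface named wg*, and the endpoint written as <ip>/32 in the rules.
# On a built image: sudo iptables -S | audit_wg_only "$IP" "$PORT"
has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

audit_wg_only() {
    ip="$1"; port="$2"; fails=0; policies=""; wg_out=0
    while IFS= read -r line; do
        case "$line" in
            "-P INPUT DROP"|"-P OUTPUT DROP"|"-P FORWARD DROP")
                policies="$policies ${line#-P }" ;;
            *" -o lo "*|*" -i lo "*|*" -o wg"*|*" -i wg"*) ;;  # loopback/tunnel: skip
            "-A OUTPUT "*"-j ACCEPT"*)
                # Any other egress must be UDP to the endpoint IP and port.
                if has "$line" "-d $ip/32 " && has "$line" "-p udp " &&
                   has "$line" "--dport $port "; then
                    wg_out=1
                else
                    echo "FAIL egress: $line"; fails=$((fails + 1))
                fi ;;
            "-A INPUT "*"-j ACCEPT"*)
                # Ingress: replies to established flows, or UDP from endpoint.
                if { has "$line" "--ctstate " && has "$line" ESTABLISHED &&
                     ! has "$line" NEW; } ||
                   { has "$line" "-s $ip/32 " && has "$line" "-p udp "; }; then
                    :
                else
                    echo "FAIL ingress: $line"; fails=$((fails + 1))
                fi ;;
        esac
    done
    for chain in INPUT OUTPUT FORWARD; do
        has "$policies" "$chain DROP" ||
            { echo "FAIL policy: $chain is not DROP"; fails=$((fails + 1)); }
    done
    [ "$wg_out" -eq 1 ] || { echo "FAIL: no endpoint rule"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ]
}

# Constructed sample ruleset using the endpoint values shown in build.sh.
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.0.2.1/32 -o eth0 -p udp -m udp --dport 51820 -j ACCEPT
-A OUTPUT -o wg0 -j ACCEPT'
printf '%s\n' "$SAMPLE_RULES" | audit_wg_only 192.0.2.1 51820 && echo PASS
```

The function exits non-zero and prints each offending rule, so it can gate a post-build smoke test.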

File Structure

football/
├── build.sh           # Run this to build
├── config/            # Build configuration
├── chroot-overlay/    # System files to overlay
├── output/            # Generated images (created after build)
└── README.md          # Full documentation