Charles N Wyble 17dcee7e52 feat: add minimal Debian image build system with WireGuard-only networking
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00


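#!/bin/bash
# Build script for football minimal Debian image
# Creates hardened Debian system with WireGuard-only network access
#
# Usage: ./build.sh
#
# Every CONFIGURATION VARIABLE below may be edited here or exported in the
# environment before running; an exported value takes precedence. The client
# private key can alternatively be supplied via WG_PRIVATE_KEY_FILE so the
# secret never has to be written into this (version-controlled) file.
#
# Inputs (relative to this script):
#   config/packages.list   - packages to install, one per line, '#' comments
#   config/harden.sh       - hardening script executed inside the chroot
#   chroot-overlay/        - files copied verbatim over the chroot
# Outputs: output/<IMAGE_NAME>-physical.img (raw) and output/<IMAGE_NAME>-vm.qcow2
set -euo pipefail

# ============================================================================
# CONFIGURATION VARIABLES - ADJUST THESE FOR YOUR ENVIRONMENT
# ============================================================================
# Debian version
DEBIAN_VERSION="${DEBIAN_VERSION:-bookworm}"

# WireGuard endpoint configuration
WG_ENDPOINT_IP="${WG_ENDPOINT_IP:-192.0.2.1}"     # REPLACE with your WireGuard server IP
WG_ENDPOINT_PORT="${WG_ENDPOINT_PORT:-51820}"     # REPLACE with your WireGuard server port
WG_PRIVATE_KEY="${WG_PRIVATE_KEY:-}"              # REQUIRED: Private key for this client
WG_PRIVATE_KEY_FILE="${WG_PRIVATE_KEY_FILE:-}"    # Optional: read the private key from this file instead
WG_PUBLIC_KEY="${WG_PUBLIC_KEY:-}"                # REQUIRED: Public key of VPN server

# Initial password of the unprivileged desktop account 'user'.
# It is only the first-login password; it is never echoed by this script.
USER_PASSWORD="${USER_PASSWORD:-changeme}"

# Build configuration
BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CHROOT_DIR="$BUILD_DIR/chroot"
OUTPUT_DIR="$BUILD_DIR/output"
MOUNT_DIR="$BUILD_DIR/mount"
IMAGE_NAME="football"

# Image sizes (in MB)
DISK_SIZE_MB=8192 # 8GB for minimal install

# ============================================================================
# HELPERS
# ============================================================================

# Print an error to stderr and abort the build (the EXIT trap cleans up).
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Mount points this script has created, oldest first, and the loop device
# backing the raw image. The EXIT trap releases them on every exit path so a
# failed run does not leave the host with stale mounts or loop devices.
MOUNTED=()
LOOP_DEV=""

# Mount with the given arguments and remember the target (the last argument)
# so that umount_all / cleanup can release it later.
mount_tracked() {
  sudo mount "$@"
  MOUNTED+=("${!#}")
}

# Unmount every tracked mount point, newest first (nested mounts must go
# before their parents), and forget them. Failures are fatal here because a
# still-mounted image must not be converted or its loop device detached.
umount_all() {
  local i
  for ((i = ${#MOUNTED[@]} - 1; i >= 0; i--)); do
    sudo umount "${MOUNTED[i]}"
  done
  MOUNTED=()
}

# Best-effort release of everything on exit; never fails, never prompts twice.
cleanup() {
  local i
  for ((i = ${#MOUNTED[@]} - 1; i >= 0; i--)); do
    sudo umount "${MOUNTED[i]}" 2>/dev/null || true
  done
  if [ -n "${LOOP_DEV:-}" ]; then
    sudo losetup -d "$LOOP_DEV" 2>/dev/null || true
  fi
}
trap cleanup EXIT

# Run a command inside the build chroot as root. Arguments are passed as-is
# (no intermediate `bash -c "..."` string), so values containing quotes or
# spaces cannot be re-parsed as shell code.
in_chroot() {
  sudo chroot "$CHROOT_DIR" "$@"
}

# ============================================================================
# VALIDATION
# ============================================================================
echo "============================================="
echo "Football Minimal Debian Image Build Script"
echo "============================================="

# Prefer a key file: it keeps the secret out of this script, shell history
# and `ps` output (the key is only ever handled as a shell variable below).
if [ -n "$WG_PRIVATE_KEY_FILE" ]; then
  [ -r "$WG_PRIVATE_KEY_FILE" ] || die "cannot read WG_PRIVATE_KEY_FILE: $WG_PRIVATE_KEY_FILE"
  WG_PRIVATE_KEY="$(tr -d '[:space:]' < "$WG_PRIVATE_KEY_FILE")"
fi

if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then
  echo ""
  echo "ERROR: WireGuard keys not configured!"
  echo ""
  echo "You must set the following variables in this script or the environment:"
  echo " - WG_ENDPOINT_IP: Your WireGuard server IP"
  echo " - WG_ENDPOINT_PORT: Your WireGuard server port"
  echo " - WG_PRIVATE_KEY: This client's WireGuard private key"
  echo "   (or WG_PRIVATE_KEY_FILE: path to a file containing it)"
  echo " - WG_PUBLIC_KEY: VPN server's WireGuard public key"
  echo ""
  echo "To generate keys for this client:"
  echo " wg genkey | tee private.key | wg pubkey > public.key"
  echo ""
  exit 1
fi

# WireGuard keys are 32 bytes, base64-encoded: exactly 44 characters ending in
# one '=' pad. Checking the shape up front catches pasted newlines, quotes or
# a swapped public/private file before they are written into wg0.conf, and
# guarantees the values are safe to splice into the config template.
wg_key_re='^[A-Za-z0-9+/]{43}=$'
[[ "$WG_PRIVATE_KEY" =~ $wg_key_re ]] || die "WG_PRIVATE_KEY is not a valid WireGuard key"
[[ "$WG_PUBLIC_KEY" =~ $wg_key_re ]] || die "WG_PUBLIC_KEY is not a valid WireGuard key"
[[ "$WG_PRIVATE_KEY" != "$WG_PUBLIC_KEY" ]] || die "WG_PRIVATE_KEY and WG_PUBLIC_KEY are identical"
[[ "$WG_ENDPOINT_PORT" =~ ^[0-9]+$ ]] && (( WG_ENDPOINT_PORT >= 1 && WG_ENDPOINT_PORT <= 65535 )) \
  || die "WG_ENDPOINT_PORT must be a port number 1-65535: $WG_ENDPOINT_PORT"
# IPv4, IPv6 or hostname characters only; anything else cannot be an endpoint.
[[ "$WG_ENDPOINT_IP" =~ ^[A-Za-z0-9.:-]+$ ]] || die "WG_ENDPOINT_IP contains invalid characters: $WG_ENDPOINT_IP"

# Fail before touching the system if a build input is missing.
for f in "$BUILD_DIR/config/packages.list" "$BUILD_DIR/config/harden.sh"; do
  [ -f "$f" ] || die "missing build input: $f"
done
[ -d "$BUILD_DIR/chroot-overlay" ] || die "missing build input: $BUILD_DIR/chroot-overlay"

echo "WireGuard endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"

# ============================================================================
# PREPARE BUILD ENVIRONMENT
# ============================================================================
echo ""
echo "[1/9] Preparing build environment..."

# Clean up previous builds. ${CHROOT_DIR:?} makes rm refuse to run on an
# empty value rather than expanding to "/".
if [ -d "$CHROOT_DIR" ]; then
  echo "Removing previous chroot directory..."
  sudo rm -rf -- "${CHROOT_DIR:?}"
fi
mkdir -p "$CHROOT_DIR" "$OUTPUT_DIR"

# Install required tools (dosfstools provides mkfs.vfat for the EFI partition).
sudo apt-get update
sudo apt-get install -y debootstrap qemu-utils squashfs-tools dosfstools e2fsprogs

# ============================================================================
# BOOTSTRAP MINIMAL DEBIAN SYSTEM
# ============================================================================
echo ""
echo "[2/9] Bootstrapping minimal Debian $DEBIAN_VERSION..."

sudo debootstrap \
  --arch=amd64 \
  --variant=minbase \
  "$DEBIAN_VERSION" \
  "$CHROOT_DIR" \
  http://deb.debian.org/debian

# ============================================================================
# CONFIGURE APT SOURCES
# ============================================================================
echo ""
echo "[3/9] Configuring APT sources..."

# Unquoted heredoc so the suite follows DEBIAN_VERSION instead of being
# hard-coded to one release.
sudo tee "$CHROOT_DIR/etc/apt/sources.list" > /dev/null << EOF
deb http://deb.debian.org/debian $DEBIAN_VERSION main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security $DEBIAN_VERSION-security main contrib non-free non-free-firmware
EOF

# ============================================================================
# INSTALL PACKAGES
# ============================================================================
echo ""
echo "[4/9] Installing packages..."

# Mount necessary filesystems for chroot
mount_tracked -t proc /proc "$CHROOT_DIR/proc"
mount_tracked -t sysfs /sys "$CHROOT_DIR/sys"
mount_tracked -o bind /dev "$CHROOT_DIR/dev"

# Read the package list on the host (comments and blank lines dropped) and
# pass it as argv. Expanding it inside a `bash -c "..."` string would run the
# $(cat ...) on the host, where /tmp/packages.list does not exist.
mapfile -t packages < <(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$BUILD_DIR/config/packages.list")
(( ${#packages[@]} > 0 )) || die "no packages listed in $BUILD_DIR/config/packages.list"

in_chroot env DEBIAN_FRONTEND=noninteractive apt-get update
in_chroot env DEBIAN_FRONTEND=noninteractive apt-get install -y "${packages[@]}"

# ============================================================================
# APPLY CHROOT OVERLAY
# ============================================================================
echo ""
echo "[5/9] Applying chroot overlay..."

# Copy overlay files. "dir/." also picks up dotfiles, which "dir/*" skips.
# Files become root-owned; modes are not preserved (same as before).
sudo cp -r "$BUILD_DIR/chroot-overlay/." "$CHROOT_DIR/"

# Set up user account. The password travels over stdin, never in argv or in
# a shell string, so it cannot leak via `ps` or be re-parsed as code.
in_chroot useradd -m -s /bin/bash user
printf '%s:%s\n' user "$USER_PASSWORD" | in_chroot chpasswd
in_chroot mkdir -p /home/user/.icewm
# mkdir ran as root; hand the directory to the user so IceWM can write to it.
in_chroot chown user:user /home/user/.icewm

# ============================================================================
# CONFIGURE WIREGUARD
# ============================================================================
echo ""
echo "[6/9] Configuring WireGuard..."

WG_TEMPLATE="$CHROOT_DIR/etc/wireguard/wg0.conf.template"
WG_CONF="$CHROOT_DIR/etc/wireguard/wg0.conf"
sudo test -f "$WG_TEMPLATE" || die "missing $WG_TEMPLATE (expected from chroot-overlay)"

# Substitute placeholders with bash parameter expansion rather than sed: the
# key never appears on a command line, and no delimiter/escape rules apply.
template="$(sudo cat "$WG_TEMPLATE")"
conf="${template//<PRIVATE_KEY_PLACEHOLDER>/$WG_PRIVATE_KEY}"
conf="${conf//<PUBLIC_KEY_PLACEHOLDER>/$WG_PUBLIC_KEY}"
conf="${conf//<ENDPOINT_IP>/$WG_ENDPOINT_IP}"
conf="${conf//<ENDPOINT_PORT>/$WG_ENDPOINT_PORT}"

# Create the file with its final 0600 mode *before* writing the key into it,
# so there is no window in which the private key is world-readable.
sudo install -m 600 -o root -g root /dev/null "$WG_CONF"
printf '%s\n' "$conf" | sudo tee "$WG_CONF" > /dev/null
unset conf template

echo "WireGuard configured for endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"

# ============================================================================
# RUN HARDENING SCRIPT
# ============================================================================
echo ""
echo "[7/9] Running hardening script..."

# Copy the script in first, run it once, then remove it. The endpoint is
# passed through the environment, not interpolated into a shell string.
sudo install -m 700 -o root -g root "$BUILD_DIR/config/harden.sh" "$CHROOT_DIR/tmp/harden.sh"
sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
  WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \
  chroot "$CHROOT_DIR" bash /tmp/harden.sh
sudo rm -f "$CHROOT_DIR/tmp/harden.sh"

# ============================================================================
# ENABLE SYSTEMD SERVICES
# ============================================================================
echo ""
echo "[8/9] Configuring systemd services..."

in_chroot systemctl enable block-remote-access.service
in_chroot systemctl enable wg-quick@wg0
in_chroot systemctl set-default graphical.target

# ============================================================================
# CLEANUP
# ============================================================================
echo ""
echo "Cleaning up..."

# Unmount /dev, /sys, /proc (newest first) before the tree is copied.
umount_all

# Clean apt cache and build leftovers
in_chroot apt-get clean
sudo rm -rf "${CHROOT_DIR:?}/tmp/"*

# ============================================================================
# CREATE IMAGES
# ============================================================================
echo ""
echo "[9/9] Creating disk images..."

# Create raw disk image for physical system
RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img"
echo "Creating raw image: $RAW_IMAGE"
qemu-img create -f raw "$RAW_IMAGE" "${DISK_SIZE_MB}M"

# Setup partition table: 512 MiB EFI System Partition, rest Linux filesystem.
sudo sfdisk "$RAW_IMAGE" << EOF
label: gpt
unit: sectors
size=512MiB,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
EOF

# Setup loop device. -P makes the kernel expose the partitions as
# ${LOOP_DEV}p1/p2, so no second mapping (kpartx) is needed.
LOOP_DEV="$(sudo losetup -f --show -P "$RAW_IMAGE")"
echo "Using loop device: $LOOP_DEV"
# The partition nodes are created asynchronously; wait briefly for them.
for _ in 1 2 3 4 5; do
  [ -b "${LOOP_DEV}p2" ] && break
  sleep 1
done
[ -b "${LOOP_DEV}p1" ] && [ -b "${LOOP_DEV}p2" ] || die "partition nodes for $LOOP_DEV did not appear"

# Create filesystems
sudo mkfs.vfat -F32 "${LOOP_DEV}p1"
sudo mkfs.ext4 -q "${LOOP_DEV}p2"

# Mount the root filesystem and copy the chroot tree into it.
ROOT_MNT="$MOUNT_DIR/root"
sudo mkdir -p "$ROOT_MNT"
mount_tracked "${LOOP_DEV}p2" "$ROOT_MNT"
sudo cp -a "$CHROOT_DIR"/. "$ROOT_MNT/"

# Bind mounts needed for GRUB install, plus the ESP at /boot/efi *inside*
# the target (the ESP is mounted exactly once).
sudo mkdir -p "$ROOT_MNT/boot/efi"
mount_tracked --bind /dev "$ROOT_MNT/dev"
mount_tracked --bind /proc "$ROOT_MNT/proc"
mount_tracked --bind /sys "$ROOT_MNT/sys"
mount_tracked -t vfat "${LOOP_DEV}p1" "$ROOT_MNT/boot/efi"

# Write /etc/fstab by UUID unless the overlay already supplied one, so the
# installed system mounts / and /boot/efi regardless of device naming.
ROOT_UUID="$(sudo blkid -s UUID -o value "${LOOP_DEV}p2")"
EFI_UUID="$(sudo blkid -s UUID -o value "${LOOP_DEV}p1")"
if ! sudo grep -q '^[^#[:space:]]' "$ROOT_MNT/etc/fstab" 2>/dev/null; then
  sudo tee "$ROOT_MNT/etc/fstab" > /dev/null << EOF
UUID=$ROOT_UUID  /         ext4  errors=remount-ro  0  1
UUID=$EFI_UUID   /boot/efi vfat  umask=0077         0  2
EOF
fi

# Install GRUB. --no-nvram stops grub-install from writing a boot entry into
# the *build host's* EFI variables; no install device is given because the
# EFI target writes only to the ESP. If the firmware of the target machine
# has no NVRAM entry for "debian", a fallback loader may additionally be
# needed (grub-install --removable / Debian's --force-extra-removable) —
# confirm against the Secure Boot setup used for physical deployments.
sudo chroot "$ROOT_MNT" grub-install --target=x86_64-efi \
  --efi-directory=/boot/efi --bootloader-id=debian --no-nvram --no-floppy
sudo chroot "$ROOT_MNT" update-grub

# Release the image: nested mounts first, then the loop device.
umount_all
sudo losetup -d "$LOOP_DEV"
LOOP_DEV=""
sudo rm -rf -- "${MOUNT_DIR:?}"

# Create qcow2 image for VM
QCOW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-vm.qcow2"
echo "Creating qcow2 image: $QCOW_IMAGE"
qemu-img convert -f raw -O qcow2 "$RAW_IMAGE" "$QCOW_IMAGE"

# ============================================================================
# SUMMARY
# ============================================================================
echo ""
echo "============================================="
echo "BUILD COMPLETE"
echo "============================================="
echo ""
echo "Images created:"
echo " Physical system: $RAW_IMAGE"
echo " Virtual Machine: $QCOW_IMAGE"
echo ""
echo "WireGuard configuration:"
echo " Endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
echo ""
echo "IMPORTANT SECURITY NOTES:"
echo " 1. All network traffic MUST go through WireGuard"
echo " 2. Direct network access is BLOCKED"
echo " 3. Change the initial password of 'user' (set via USER_PASSWORD at build time)"
echo " 4. Configure Secure Boot keys for physical deployment"
echo " 5. Test WireGuard connection before deployment"
echo ""
echo "For VM: qemu-system-x86_64 -m 2048 -drive file=$QCOW_IMAGE,format=qcow2"
echo ""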