KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
37b9ea7f9252926363285ee18bda788e13f1be60
football/chroot-overlay/home/user/Desktop/README.txt
Charles N Wyble 17dcee7e52 feat: add minimal Debian image build system with WireGuard-only networking 
Add complete build infrastructure for football secure access system:
- Minimal Debian base with only IceWM and Remmina
- WireGuard-only networking with strict firewall (eth0 allows only WireGuard)
- All network traffic routed through mandatory VPN tunnel
- Secure Boot enforced for physical deployments
- Zero remote access - SSH, telnet disabled and blocked
- AppArmor, auditd, and fail2ban for security hardening

Build system generates both VM (qcow2) and physical (raw) images.
WireGuard endpoint IP and port configurable via build script variables.

Includes:
- Package list with minimal dependencies
- System hardening scripts
- WireGuard client and server configuration tools
- Comprehensive documentation (README.md, QUICKSTART.md)
- systemd services for firewall enforcement
- User environment with automatic IceWM startup

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:11:18 -05:00

43 lines
1.5 KiB
Plaintext
Raw Blame History

# Football Secure Access System
This system is configured for secure access to remote privileged access workstations through a WireGuard VPN tunnel.
**SYSTEM CHARACTERISTICS:**
- Remote access: DISABLED (no SSH, no network services)
- Local console access only
- Automatic IceWM window manager startup
- Remmina remote desktop client
- Secure Boot enforced
- **ALL network traffic MUST go through WireGuard VPN**
- **Direct network access BLOCKED - only WireGuard allowed**
**NETWORK CONFIGURATION:**
- Physical interface (eth0): ONLY allows WireGuard to configured endpoint
- WireGuard tunnel (wg0): ALL outbound traffic goes through this tunnel
- Inbound traffic: BLOCKED (except WireGuard keepalives)
- DHCP: Allowed on eth0 only for initial IP acquisition
**USAGE:**
1. Login with local user account
2. IceWM and Remmina start automatically
3. WireGuard tunnel is established automatically
4. Use Remmina to connect to PAW (Privileged Access Workstation) through VPN
5. Close Remmina when done
6. System locks automatically on inactivity
**SECURITY:**
- No remote administration permitted
- All direct network connections blocked
- Only WireGuard tunnel traffic allowed to configured endpoint
- System logs all actions
- Secure Boot verifies kernel integrity
- Firewall strictly enforced
**WIREGUARD ENDPOINT:**
- Configured during build (see build script variables)
- Only endpoint allowed: WG_ENDPOINT_IP:WG_ENDPOINT_PORT
- All traffic routes through VPN after connection
**CONTACT:**
For system issues, contact infrastructure security team.
Reference in New Issue View Git Blame Copy Permalink