17dcee7e52
Add complete build infrastructure for football secure access system: - Minimal Debian base with only IceWM and Remmina - WireGuard-only networking with strict firewall (eth0 allows only WireGuard) - All network traffic routed through mandatory VPN tunnel - Secure Boot enforced for physical deployments - Zero remote access - SSH, telnet disabled and blocked - AppArmor, auditd, and fail2ban for security hardening Build system generates both VM (qcow2) and physical (raw) images. WireGuard endpoint IP and port configurable via build script variables. Includes: - Package list with minimal dependencies - System hardening scripts - WireGuard client and server configuration tools - Comprehensive documentation (README.md, QUICKSTART.md) - systemd services for firewall enforcement - User environment with automatic IceWM startup 💘 Generated with Crush Assisted-by: GLM-4.7 via Crush <crush@charm.land>
15 lines
487 B
Desktop File
15 lines
487 B
Desktop File
[Unit]
|
|
Description=Apply strict firewall - WireGuard only
|
|
After=network.target wg-quick@wg0.service
|
|
|
|
[Service]
|
|
Type=oneshot
|
|
ExecStart=/bin/systemctl mask ssh.service sshd.service telnet.socket 2>/dev/null || true
|
|
ExecStart=/bin/systemctl stop ssh.service sshd.service 2>/dev/null || true
|
|
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4
|
|
ExecStart=/usr/sbin/ip6tables-restore /etc/iptables/rules.v6 2>/dev/null || true
|
|
RemainAfterExit=yes
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|