KNEL/football
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d9eb08c9fde9b64f14b94fe268e78a2d9b5a718c
football/build.sh
Charles N Wyble 336089a1c5 feat: upgrade to Debian 13 (trixie) 
- Update build script to use Debian 13 trixie
- Update APT sources for Debian 13
- Update documentation references to Debian 13
- Update compliance standards to include CMMC Level 3

This upgrade provides:
- Latest security patches
- Improved kernel hardening capabilities
- Enhanced package management
- Better compatibility with modern security standards

References:
- CIS Debian 13 Benchmark
- CMMC Level 3
- FedRAMP Moderate

💘 Generated with Crush

Assisted-by: GLM-4.7 via Crush <crush@charm.land>
2026-01-13 12:32:57 -05:00

312 lines
10 KiB
Bash
Executable File
Raw Blame History

#!/bin/bash
# Build script for football minimal Debian image
# Creates hardened Debian system with WireGuard-only network access
set -e
# ============================================================================
# CONFIGURATION VARIABLES - ADJUST THESE FOR YOUR ENVIRONMENT
# ============================================================================
# Debian version
DEBIAN_VERSION="trixie"
# WireGuard endpoint configuration
WG_ENDPOINT_IP="192.0.2.1" # REPLACE with your WireGuard server IP
WG_ENDPOINT_PORT="51820" # REPLACE with your WireGuard server port
WG_PRIVATE_KEY="" # REQUIRED: Private key for this client
WG_PUBLIC_KEY="" # REQUIRED: Public key of VPN server
# Build configuration
BUILD_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CHROOT_DIR="$BUILD_DIR/chroot"
OUTPUT_DIR="$BUILD_DIR/output"
IMAGE_NAME="football"
# Image sizes (in MB)
DISK_SIZE_MB=8192 # 8GB for minimal install
# ============================================================================
# VALIDATION
# ============================================================================
echo "============================================="
echo "Football Minimal Debian Image Build Script"
echo "============================================="
if [ -z "$WG_PRIVATE_KEY" ] || [ -z "$WG_PUBLIC_KEY" ]; then
echo ""
echo "ERROR: WireGuard keys not configured!"
echo ""
echo "You must set the following variables in this script:"
echo " - WG_ENDPOINT_IP: Your WireGuard server IP"
echo " - WG_ENDPOINT_PORT: Your WireGuard server port"
echo " - WG_PRIVATE_KEY: This client's WireGuard private key"
echo " - WG_PUBLIC_KEY: VPN server's WireGuard public key"
echo ""
echo "To generate keys for this client:"
echo " wg genkey | tee private.key | wg pubkey > public.key"
echo ""
exit 1
fi
echo "WireGuard endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
# ============================================================================
# PREPARE BUILD ENVIRONMENT
# ============================================================================
echo ""
echo "[1/9] Preparing build environment..."
# Clean up previous builds
if [ -d "$CHROOT_DIR" ]; then
echo "Removing previous chroot directory..."
sudo rm -rf "$CHROOT_DIR"
fi
mkdir -p "$CHROOT_DIR"
mkdir -p "$OUTPUT_DIR"
# Install required tools
sudo apt-get update
sudo apt-get install -y debootstrap qemu-utils kpartx squashfs-tools
# ============================================================================
# BOOTSTRAP MINIMAL DEBIAN SYSTEM
# ============================================================================
echo ""
echo "[2/9] Bootstrapping minimal Debian $DEBIAN_VERSION (Debian 13 Trixie)..."
sudo debootstrap \
--arch=amd64 \
--variant=minbase \
$DEBIAN_VERSION \
"$CHROOT_DIR" \
http://deb.debian.org/debian
# ============================================================================
# CONFIGURE APT SOURCES
# ============================================================================
echo ""
echo "[3/9] Configuring APT sources..."
cat << 'EOF' | sudo tee "$CHROOT_DIR/etc/apt/sources.list"
deb http://deb.debian.org/debian trixie main contrib non-free non-free-firmware
deb http://security.debian.org/debian-security trixie-security main contrib non-free non-free-firmware
EOF
# ============================================================================
# INSTALL PACKAGES
# ============================================================================
echo ""
echo "[4/9] Installing packages..."
# Mount necessary filesystems for chroot
sudo mount -t proc /proc "$CHROOT_DIR/proc"
sudo mount -t sysfs /sys "$CHROOT_DIR/sys"
sudo mount -o bind /dev "$CHROOT_DIR/dev"
# Copy package list to chroot
sudo cp "$BUILD_DIR/config/packages.list" "$CHROOT_DIR/tmp/packages.list"
# Install packages in chroot
sudo chroot "$CHROOT_DIR" bash -c "
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y $(cat /tmp/packages.list | grep -v '^#' | grep -v '^$' | tr '\n' ' ')
rm /tmp/packages.list
"
# ============================================================================
# APPLY CHROOT OVERLAY
# ============================================================================
echo ""
echo "[5/9] Applying chroot overlay..."
# Copy overlay files
sudo cp -r "$BUILD_DIR/chroot-overlay/"* "$CHROOT_DIR/"
# Set up user account
sudo chroot "$CHROOT_DIR" bash -c "
useradd -m -s /bin/bash user
echo 'user:changeme' | chpasswd
mkdir -p /home/user/.icewm
"
# ============================================================================
# CONFIGURE WIREGUARD
# ============================================================================
echo ""
echo "[6/9] Configuring WireGuard..."
# Setup WireGuard configuration with keys
sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \
WG_PRIVATE_KEY="$WG_PRIVATE_KEY" \
WG_PUBLIC_KEY="$WG_PUBLIC_KEY" \
chroot "$CHROOT_DIR" bash -c '
# Replace placeholders in WireGuard config
sed -e "s|<PRIVATE_KEY_PLACEHOLDER>|$WG_PRIVATE_KEY|g" \
-e "s|<PUBLIC_KEY_PLACEHOLDER>|$WG_PUBLIC_KEY|g" \
-e "s|<ENDPOINT_IP>|$WG_ENDPOINT_IP|g" \
-e "s|<ENDPOINT_PORT>|$WG_ENDPOINT_PORT|g" \
/etc/wireguard/wg0.conf.template > /etc/wireguard/wg0.conf
# Secure the configuration
chmod 600 /etc/wireguard/wg0.conf
echo "WireGuard configured for endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
'
# ============================================================================
# RUN HARDENING SCRIPT
# ============================================================================
echo ""
echo "[7/9] Running hardening script..."
sudo WG_ENDPOINT_IP="$WG_ENDPOINT_IP" \
WG_ENDPOINT_PORT="$WG_ENDPOINT_PORT" \
chroot "$CHROOT_DIR" bash /tmp/harden.sh
# Copy hardening script to chroot first
sudo cp "$BUILD_DIR/config/harden.sh" "$CHROOT_DIR/tmp/harden.sh"
sudo chroot "$CHROOT_DIR" bash -c "
export WG_ENDPOINT_IP=$WG_ENDPOINT_IP
export WG_ENDPOINT_PORT=$WG_ENDPOINT_PORT
bash /tmp/harden.sh
rm /tmp/harden.sh
"
# ============================================================================
# ENABLE SYSTEMD SERVICES
# ============================================================================
echo ""
echo "[8/9] Configuring systemd services..."
sudo chroot "$CHROOT_DIR" bash -c "
systemctl enable block-remote-access.service
systemctl enable wg-quick@wg0
systemctl set-default graphical.target
"
# ============================================================================
# CLEANUP
# ============================================================================
echo ""
echo "Cleaning up..."
# Unmount filesystems
sudo umount "$CHROOT_DIR/dev" || true
sudo umount "$CHROOT_DIR/proc" || true
sudo umount "$CHROOT_DIR/sys" || true
# Clean apt cache
sudo rm -rf "$CHROOT_DIR/var/cache/apt/archives/"*
sudo rm -rf "$CHROOT_DIR/tmp/"*
# ============================================================================
# CREATE IMAGES
# ============================================================================
echo ""
echo "[9/9] Creating disk images..."
# Create raw disk image for physical system
RAW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-physical.img"
echo "Creating raw image: $RAW_IMAGE"
qemu-img create -f raw "$RAW_IMAGE" ${DISK_SIZE_MB}M
# Setup partition table
sudo sfdisk "$RAW_IMAGE" << EOF
label: gpt
unit: sectors
size=512MiB,type=C12A7328-F81F-11D2-BA4B-00A0C93EC93B
type=0FC63DAF-8483-4772-8E79-3D69D8477DE4
EOF
# Setup loop device
LOOP_DEV=$(sudo losetup -f --show -P "$RAW_IMAGE")
echo "Using loop device: $LOOP_DEV"
# Create filesystems
sudo mkfs.vfat -F32 "${LOOP_DEV}p1"
sudo mkfs.ext4 "${LOOP_DEV}p2"
# Mount and copy files
sudo mkdir -p "$BUILD_DIR/mount/efi" "$BUILD_DIR/mount/root"
sudo mount "${LOOP_DEV}p1" "$BUILD_DIR/mount/efi"
sudo mount "${LOOP_DEV}p2" "$BUILD_DIR/mount/root"
# Copy chroot contents
sudo cp -a "$CHROOT_DIR"/. "$BUILD_DIR/mount/root/"
# Install GRUB - use device mapping for proper installation
sudo kpartx -av "$RAW_IMAGE"
GRUB_DEVICE="/dev/mapper/$(basename $LOOP_DEV)p2"
EFI_DEVICE="/dev/mapper/$(basename $LOOP_DEV)p1"
# Bind mounts needed for GRUB install
sudo mount --bind /dev "$BUILD_DIR/mount/root/dev"
sudo mount --bind /proc "$BUILD_DIR/mount/root/proc"
sudo mount --bind /sys "$BUILD_DIR/mount/root/sys"
# Create /boot/efi mount point
sudo mkdir -p "$BUILD_DIR/mount/root/boot/efi"
sudo mount -t vfat "$EFI_DEVICE" "$BUILD_DIR/mount/root/boot/efi"
# Install GRUB
sudo chroot "$BUILD_DIR/mount/root" grub-install --target=x86_64-efi \
--efi-directory=/boot/efi --bootloader-id=debian --no-floppy /dev/sda
sudo chroot "$BUILD_DIR/mount/root" update-grub
# Cleanup mounts
sudo umount "$BUILD_DIR/mount/root/boot/efi" || true
sudo umount "$BUILD_DIR/mount/root/sys" || true
sudo umount "$BUILD_DIR/mount/root/proc" || true
sudo umount "$BUILD_DIR/mount/root/dev" || true
sudo kpartx -dv "$RAW_IMAGE"
# Unmount
sudo umount "$BUILD_DIR/mount/efi" "$BUILD_DIR/mount/root"
sudo losetup -d "$LOOP_DEV"
sudo rm -rf "$BUILD_DIR/mount"
# Create qcow2 image for VM
QCOW_IMAGE="$OUTPUT_DIR/${IMAGE_NAME}-vm.qcow2"
echo "Creating qcow2 image: $QCOW_IMAGE"
qemu-img convert -f raw -O qcow2 "$RAW_IMAGE" "$QCOW_IMAGE"
# ============================================================================
# SUMMARY
# ============================================================================
echo ""
echo "============================================="
echo "BUILD COMPLETE"
echo "============================================="
echo ""
echo "Images created:"
echo " Physical system: $RAW_IMAGE"
echo " Virtual Machine: $QCOW_IMAGE"
echo ""
echo "WireGuard configuration:"
echo " Endpoint: $WG_ENDPOINT_IP:$WG_ENDPOINT_PORT"
echo ""
echo "IMPORTANT SECURITY NOTES:"
echo " 1. All network traffic MUST go through WireGuard"
echo " 2. Direct network access is BLOCKED"
echo " 3. Change default user password: 'changeme'"
echo " 4. Configure Secure Boot keys for physical deployment"
echo " 5. Test WireGuard connection before deployment"
echo ""
echo "For VM: qemu-system-x86_64 -m 2048 -drive file=$QCOW_IMAGE,format=qcow2"
echo ""
Reference in New Issue View Git Blame Copy Permalink