football/PreFlightDiscussion-02.md
Charles N Wyble ee64d50b3b docs: create PreFlightDiscussion-02.md with follow-up questions
- Address feedback from PreFlightDiscussion-01.md
- Clarify compliance framework (CMMC level, STIG vs CIS)
- Detail QR code implementation questions
- Resolve testing strategy and package management approach
- Define remaining high-priority items before implementation
2026-01-21 09:50:31 -05:00

Pre-Flight Discussion - Round 2

Follow-up Questions Based on Your Feedback:

1. Compliance Framework Clarification

  • Your Feedback: Entry point to tier0 infrastructure supporting ITAR/SECRET systems, CMMC Level 2/3 downstream, LI-SaaS for RackRental.net
  • Questions:
    • Should we target CMMC Level 3 for this system since it supports Level 2/3 downstream?
    • For STIG vs CIS: DISA STIGs are military requirements; CIS Benchmarks are industry best practices. Given your use case (tier0, ITAR/SECRET), I recommend DISA STIGs. Do you agree?
    • Should we implement the "Debian 13 STIG" or the more comprehensive "General Operating System STIG"?

2. QR Code Import Implementation

  • Your Feedback: Want QR code import capability using webcam
  • Questions:
    • Which QR code library should we use? (qrencode for generation, zbar for scanning)
    • Should we create a desktop shortcut for QR scanning, or integrate it into the WireGuard config management?
    • What QR code format should we support? (Standard WireGuard QR format?)

3. Testing Strategy Clarification

  • Your Feedback: Test suite runs on installed system, not in build environment
  • Questions:
    • Should we include the test suite in the ISO itself for post-install validation?
    • Or keep tests separate for QA/validation before deployment?
    • How should the tests be triggered on the installed system? (Desktop shortcut, command line?)

4. Package Management Strategy

  • Your Feedback: Very minimal packages, re-image quarterly rather than update
  • Questions:
    • Should we remove apt/apt-get entirely to prevent accidental updates?
    • Or keep it but disable network access?
    • What's your preference for package management tools on the final system?

5. Preseed Configuration Details

  • Your Feedback: Only install target, root password, non-root user/password are manual
  • Questions:
    • What timezone should we default to?
    • What keyboard layout should we default to?
    • Should we enforce password complexity in the preseed itself, or handle that post-install?

6. Secure Boot Implementation

  • Your Feedback: Must use secure boot, refuse to boot if altered
  • Questions:
    • Should we include Secure Boot keys in the ISO or use standard Microsoft keys?
    • Do you want UEFI-only boot, or support Legacy BIOS as well?
    • Should we implement measured boot or just standard Secure Boot?

7. Documentation Approach

  • Your Feedback: No user guides in ISO
  • Questions:
    • Should we create minimal inline help for the desktop shortcuts?
    • Or assume users are trained and don't need any documentation?
    • Where should we store technical documentation? (Project repo only?)

Clarifications Received:

Test Environment: Keep tests separate from build environment, use shellcheck/shellfmt only in build

ISO Size: Not a concern, add to .gitignore

Updates: Re-image quarterly, no internet updates

Hardware: Standard Debian 13 kernel works on target hardware

User Experience: No user guides needed

Minimal Packages: Start minimal and iterate

Remaining High Priority Items to Resolve:

  1. Compliance Framework: CMMC level + STIG vs CIS decision
  2. QR Code Implementation: Library choice and integration approach
  3. Testing Strategy: In-ISO tests vs separate validation
  4. Package Management: Remove or disable apt?
  5. Preseed Details: Timezone, keyboard, password enforcement
  6. Secure Boot: Key management and boot mode
  7. Documentation: Minimal help vs none

Status: Awaiting your responses to the above questions

Next Action: Update specification based on your decisions

Ready for Implementation: Getting closer - need to resolve these remaining items