dropbear ssh

README.md

@@ -15,7 +15,6 @@ Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 with focus
 - BTRFS RAID1 for data redundancy
 - Dedicated database subvolume with `nodatacow` and `noatime`
 - Automated deployment to Hetzner
-- Kickstart-based automated installation
 
 ## Security Model
 
@@ -26,7 +25,8 @@ The system uses multiple methods to unlock the LUKS volumes:
    - Tang server provides remote unlock capability
    - Both must succeed for automatic unlock
 2. **Fallback Method**: Manual passphrase
-   - Available via SSH if primary method fails
+   - Available via SSH before LUKS unlock
+   - Uses dropbear for early SSH access
    - Can be used for recovery or maintenance
 
 ### TPM Updates

build.py

@@ -323,6 +323,7 @@ systemd
 curl
 shim-x64
 grub2-efi-x64
+dropbear
 %end
 
 # Pre-installation script
@@ -382,6 +383,16 @@ UUID=$BTRFS_UUID /home btrfs subvol=@home,compress=zstd,raid1 0 0
 UUID=$BTRFS_UUID /db btrfs subvol=@db,nodatacow,noatime,compress=zstd,raid1 0 0
 EOF
 
+    # Configure dropbear for early SSH access
+    printf "Configuring early SSH access...\r\n" > /dev/tty1
+    mkdir -p /etc/dropbear
+    echo "{config['admin_ssh_key']}" > /etc/dropbear/authorized_keys
+    chmod 600 /etc/dropbear/authorized_keys
+    
+    # Enable dropbear for early SSH
+    systemctl enable dropbear
+    systemctl enable dropbear.socket
+
     # Enable services
     printf "Enabling system services...\r\n" > /dev/tty1
     systemctl enable clevis-luks-askpass.service