dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Upd README

Browse Source
This commit is contained in:
Dominik Moritz Roth 2025-07-26 21:50:17 +02:00
parent 35571c4c44
commit e2309551c3
1 changed files with 9 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
README.md
View File

@ -9,7 +9,7 @@ Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Het
## Features ## Features
- AlmaLinux Server base - AlmaLinux Server base
- Full disk encryption with LUKS (native Hetzner support) - Full disk encryption with LUKS
- Remote unlock via Tang server - Remote unlock via Tang server
- TPM-based boot verification - TPM-based boot verification
- mdadm RAID1 + XFS (RHEL standard) - mdadm RAID1 + XFS (RHEL standard)
@ -19,29 +19,17 @@ Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Het
If you need a dead man's switch to go along with it check out [raven](https://git.dominik-roth.eu/dodox/raven). If you need a dead man's switch to go along with it check out [raven](https://git.dominik-roth.eu/dodox/raven).
## Security Model ## Unlock Strategy
### Unlock Methods 1. **Automatic unlock via Tang/TPM** (default):
The system uses multiple methods to unlock the LUKS volumes:
1. **Primary Method**: TPM2 + Tang server
- TPM2 verifies boot integrity
- Tang server provides remote unlock capability
- Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
- Available via SSH before LUKS unlock
- Uses dropbear for early SSH access
- Can be used for recovery or maintenance
### Unlock Strategy
The system supports multiple unlock methods:
1. **Manual unlock via SSH** (default):
- SSH to server on port 22 (dropbear in early boot)
- Enter LUKS passphrase when prompted (twice, once per disk)
- System continues normal boot
2. **Automatic unlock** (optional):
- Configure TPM2 and/or Tang servers in post-install.sh - Configure TPM2 and/or Tang servers in post-install.sh
- System unlocks automatically if conditions are met - System unlocks automatically if conditions are met
- Falls back to manual unlock if automatic fails - No manual intervention required
2. **Manual unlock via SSH** (fallback):
- SSH to server on port 22 (dropbear in early boot)
- Enter LUKS passphrase when prompted (twice, once per disk)
- Used when automatic unlock fails or is not configured
## Quick Install ## Quick Install
@ -84,22 +72,6 @@ If you prefer to configure manually:
installimage -a -c install.conf -s post-install.sh installimage -a -c install.conf -s post-install.sh
``` ```
## What Gets Installed
Hetzner installimage will:
- Set up mdadm RAID1 across both drives
- Create LUKS encryption with your passphrase
- Install AlmaLinux with XFS filesystem
- Single root partition (no LVM complexity)
post-install.sh will configure:
- User account with SSH key and zsh shell
- oh-my-zsh with powerlevel10k theme
- Dotfiles (zsh, tmux, p10k configs)
- Clevis for TPM/Tang unlock (if configured)
- Dropbear for remote unlock
- Modern CLI tools (lsd, bat, neovim)
- Security hardening (SELinux, SSH)
## Post-Installation ## Post-Installation