# nullpoint


Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for Hetzner Dedicated Servers.

## Features

- Fedora Server base
- Full disk encryption with LUKS
- Remote unlock via Tang server
- TPM-based boot verification
- BTRFS RAID1 for data redundancy
- Dedicated database subvolume with `nodatacow` and `noatime`
- SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it, check out [raven](https://git.dominik-roth.eu/dodox/raven).

## Security Model

### Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

1. **Primary Method**: TPM2 + Tang server
   - TPM2 verifies boot integrity
   - Tang server provides remote unlock capability
   - Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
   - Available via SSH before LUKS unlock
   - Uses dropbear for early SSH access
   - Can be used for recovery or maintenance

### TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated; otherwise the system will not be able to boot without the recovery passphrase.

1. Use the provided script: `sudo /root/update-tpm-bindings.py`
2. The script will:
   - Show current PCR values
   - Update TPM bindings to match new measurements
   - Verify all bindings are correct
3. The manual passphrase is available in `/root/luks-passphrase.txt` if needed

## Setup

1. **Configure Installer**

   ```bash
   # Edit the variables at the top of install.sh:
   vim install.sh
   ```

   Set your:
   - Tang server URLs and thumbprints
   - TPM PCR settings
   - Fedora version
   - SSH public key for the default user

2. **Install on Hetzner Server**
   - Log into Hetzner Robot
   - Select your server
   - Go to the "Rescue" tab
   - Choose "Linux" and "64 bit"
   - Activate the Rescue System
   - Upload the installer:
     ```bash
     scp install.sh root@your-server:/root/
     ```
   - SSH into the Rescue System:
     ```bash
     ssh root@your-server
     ```
   - Make it executable and run it:
     ```bash
     chmod +x install.sh
     ./install.sh
     ```
   - If the script tells you that no TPM is available, you'll need to open a support ticket to get KVM access and enable the TPM in the BIOS.
   - The script will:
     - Generate and display a LUKS passphrase (save this!)
     - Download and prepare the Fedora installer
     - Configure networking for Hetzner's unusual setup
     - Start the Fedora installer
   - You can monitor the installation via SSH on port 2222:
     ```bash
     ssh -p 2222 root@your-server
     ```
   - During the Fedora installation:
     - Disk encryption and RAID will be configured
     - TPM and Tang bindings will be set up
     - Network configuration will be applied

3. **Verify Installation**

   ```bash
   ssh null@your-server
   systemctl status clevis-luks-askpass
   lsblk
   btrfs filesystem show            # Check RAID1 status
   clevis-luks-list -d /dev/sda3    # Note: sda3 is the LUKS partition
   ```
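The "both must succeed" rule from the Unlock Methods section is expressed in clevis as a Shamir secret sharing (sss) policy whose threshold equals the number of pin families. The following is an added example, not code from the nullpoint installer; it assumes clevis's documented pin configuration (an `sss` pin with `t` and `pins`, a `tang` pin with `url` and a trusted `thp` thumbprint, a `tpm2` pin with `pcr_bank` and `pcr_ids`), and the Tang URLs, thumbprints and the `0,7` PCR selection are constructed placeholders, not values from this project. It also handles the one caveat that matters here: in sss every pin entry is one share, so two Tang servers listed beside the TPM2 pin would reach `t=2` on their own without the TPM; multiple Tang servers therefore go into a nested sss with `t=1`.

```python
"""Build and sanity-check a clevis sss unlock policy requiring TPM2 AND Tang.

Added example, not the nullpoint installer's own code. Pin config keys follow
the clevis documentation; all server values are constructed placeholders.
"""
import json
import shlex


def build_sss_policy(tang_servers, pcr_ids="0,7", pcr_bank="sha256"):
    """Return a policy that needs the TPM2 pin AND at least one Tang server.

    tang_servers: list of (url, thumbprint). Pinning the thumbprint rejects a
    Tang server that cannot prove possession of the expected key instead of
    trusting whatever key it advertises on first contact.
    """
    if not tang_servers:
        raise ValueError("at least one Tang server is required")
    tang_pins = [{"url": url, "thp": thp} for url, thp in tang_servers]
    if len(tang_pins) == 1:
        tang_share = {"tang": tang_pins[0]}
    else:
        # Any one reachable Tang server satisfies the Tang half of the policy,
        # but the whole group still counts as a single share at the top level.
        tang_share = {"sss": {"t": 1, "pins": {"tang": tang_pins}}}
    return {
        "t": 2,  # one share from TPM2 plus one share from the Tang half
        "pins": {"tpm2": {"pcr_bank": pcr_bank, "pcr_ids": pcr_ids}, **tang_share},
    }


def share_count(pins):
    """Number of sss shares a pins map yields (each list entry is one share)."""
    return sum(len(cfg) if isinstance(cfg, list) else 1 for cfg in pins.values())


def requires_every_family(policy):
    """True only if the threshold cannot be met without a share from every pin family."""
    return policy["t"] == share_count(policy["pins"])


def bind_command(device, policy):
    """Shell command line that would bind the policy to a LUKS device (not executed here)."""
    return "clevis luks bind -d {} sss {}".format(
        shlex.quote(device), shlex.quote(json.dumps(policy))
    )


if __name__ == "__main__":
    # Constructed servers; /dev/sda3 is the LUKS partition named in the README.
    servers = [("http://tang1.example:80", "THUMBPRINT-1"),
               ("http://tang2.example:80", "THUMBPRINT-2")]
    policy = build_sss_policy(servers)
    print("requires TPM2 and Tang:", requires_every_family(policy))
    print(bind_command("/dev/sda3", policy))
```

Run `requires_every_family` on any policy you are about to bind; a flat layout such as `{"t": 2, "pins": {"tpm2": {...}, "tang": [a, b]}}` yields three shares and is reported as not requiring every family, which is exactly the silent weakening the nesting avoids.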
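The TPM Updates section explains that a firmware update changes the measured PCR values and thereby breaks the TPM2 binding. The check below is an added example, not the project's `update-tpm-bindings.py`: it compares a baseline recorded at bind time with a fresh read and names the bound PCRs that drifted, so the operator knows a rebind is required before relying on automatic unlock. It assumes the text layout of `tpm2_pcrread` (a bank header such as `sha256:` followed by `<index> : 0x<hex>` lines), the bound set `0,7` is an assumption, and both samples are constructed rather than read from a TPM.

```python
"""Detect PCR drift against a recorded baseline before rebinding the TPM2 pin.

Added example, not the nullpoint update-tpm-bindings.py script. Input layout
is assumed to follow tpm2_pcrread; the sample texts are constructed.
"""
import re

BANK_RE = re.compile(r"^\s*([A-Za-z0-9_]+):\s*$")
PCR_RE = re.compile(r"^\s*(\d+)\s*:\s*0x([0-9A-Fa-f]+)\s*$")


def _pcr_line(index, fill):
    # Constructed 32-byte value rendered as 64 hex characters.
    return "  {} : 0x{}".format(index, fill * 32)


# Baseline recorded when the TPM2 pin was bound (constructed).
BASELINE_TEXT = "sha256:\n" + _pcr_line(0, "aa") + "\n" + _pcr_line(7, "77") + "\n"
# Fresh read after a UEFI update: PCR 0 (firmware code) moved, PCR 7 did not (constructed).
CURRENT_TEXT = "sha256:\n" + _pcr_line(0, "bb") + "\n" + _pcr_line(7, "77") + "\n"


def parse_pcrread(text):
    """Map bank -> {pcr index: lowercase hex value} from tpm2_pcrread-style text."""
    banks, bank = {}, None
    for line in text.splitlines():
        m = BANK_RE.match(line)
        if m:
            bank = m.group(1)
            banks.setdefault(bank, {})
            continue
        m = PCR_RE.match(line)
        if m and bank is not None:
            banks[bank][int(m.group(1))] = m.group(2).lower()
    return banks


def changed_pcrs(baseline, current, bank="sha256", pcr_ids=(0, 7)):
    """Bound PCR indices whose value differs, or is missing on either side."""
    before, after = baseline.get(bank, {}), current.get(bank, {})
    return [i for i in pcr_ids if before.get(i) != after.get(i)]


def drift_report(baseline_text, current_text, bank="sha256", pcr_ids=(0, 7)):
    """One-line verdict an operator can act on after a firmware update."""
    changed = changed_pcrs(parse_pcrread(baseline_text), parse_pcrread(current_text),
                           bank, pcr_ids)
    if not changed:
        return "no drift on PCRs {}; TPM2 binding still valid".format(list(pcr_ids))
    return "PCR(s) {} changed; rebind the TPM2 pin before relying on automatic unlock".format(changed)


if __name__ == "__main__":
    print(drift_report(BASELINE_TEXT, CURRENT_TEXT))
```

On a live system the baseline would be saved from the real `tpm2_pcrread` output at bind time and the current text read the same way; the drift report then says which measurement moved, which is the evidence to keep alongside the rebind.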