# nullpoint

Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.

## Features

- AlmaLinux Server base
- Full disk encryption with LUKS (native Hetzner support)
- Remote unlock via Tang server
- TPM-based boot verification
- mdadm RAID1 + XFS (RHEL standard)
- SSH key-only access with early boot SSH via dropbear
- Automated provisioning using Hetzner installimage
- Modern development environment with dotfiles

If you need a dead man's switch to go along with it, check out [raven](https://git.dominik-roth.eu/dodox/raven).

## Security Model

### Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

1. **Primary Method**: TPM2 + Tang server
   - TPM2 verifies boot integrity
   - Tang server provides remote unlock capability
   - Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
   - Available via SSH before LUKS unlock
   - Uses dropbear for early SSH access
   - Can be used for recovery or maintenance

### Unlock Strategy

The system supports multiple unlock methods:

1. **Manual unlock via SSH** (default):
   - SSH to the server on port 22 (dropbear in early boot)
   - Enter the LUKS passphrase when prompted (twice, once per disk)
   - System continues normal boot
2. **Automatic unlock** (optional):
   - Configure TPM2 and/or Tang servers in post-install.sh
   - System unlocks automatically if conditions are met
   - Falls back to manual unlock if automatic unlock fails

## Quick Install

Boot your Hetzner server into rescue mode and run:

```bash
wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/install.sh | bash
```

The installer will:

- Detect your SSH key from the current session
- Ask for hostname and username
- Generate a secure LUKS passphrase (SAVE IT!)
- Download and configure everything
- Run Hetzner's installimage automatically

## Manual Setup

If you prefer to configure manually:

1. **Boot into Hetzner Rescue Mode**
   - Log into Hetzner Robot
   - Select your server → Rescue tab
   - Choose "Linux 64 bit" and activate
   - SSH into the rescue system
2. **Download Configuration**
   ```bash
   git clone https://git.dominik-roth.eu/dodox/nullpoint.git
   cd nullpoint
   ```
3. **Configure**
   - Edit `install.conf` and change `CRYPTPASSWORD`
   - Edit `post-install.sh` and set your SSH key (REQUIRED!)
   - Optionally configure Tang servers and TPM settings
4. **Install**
   ```bash
   installimage -a -c install.conf -s post-install.sh
   ```

## What Gets Installed

Hetzner installimage will:

- Set up mdadm RAID1 across both drives
- Create LUKS encryption with your passphrase
- Install AlmaLinux with XFS filesystem
- Use a single root partition (no LVM complexity)

post-install.sh will configure:

- User account with SSH key and zsh shell
- oh-my-zsh with powerlevel10k theme
- Dotfiles (zsh, tmux, p10k configs)
- Clevis for TPM/Tang unlock (if configured)
- Dropbear for remote unlock
- Modern CLI tools (lsd, bat, neovim)
- Security hardening (SELinux, SSH)

## Post-Installation

1. **First Boot**
   - Enter the LUKS passphrase twice (once per disk)
   - System will boot into AlmaLinux
2. **Verify Installation**
   ```bash
   ssh null@your-server
   systemctl status clevis-luks-askpass
   lsblk
   cat /proc/mdstat  # Check RAID1 status
   df -h             # Check filesystem
   ```
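The `cat /proc/mdstat` step above only tells you the mirror is healthy if you read the `[UU]` slots correctly; a `_` in that field means one member is missing and the array is not redundant. As an added example that is not part of the nullpoint project, the following POSIX shell function parses mdstat text and fails when any array is degraded; the two mdstat samples are constructed, and on the installed server you would pass it `"$(cat /proc/mdstat)"`.

```bash
#!/bin/sh
# Added example, not part of nullpoint: parse /proc/mdstat text and fail
# if any md array has a missing or failed member.
# Real check on the server:  check_mdstat "$(cat /proc/mdstat)"

# Constructed sample: both RAID1 arrays healthy ([2/2] [UU]).
MDSTAT_HEALTHY='Personalities : [raid1]
md0 : active raid1 sdb1[1] sda1[0]
      1046528 blocks super 1.2 [2/2] [UU]

md1 : active raid1 sdb2[1] sda2[0]
      974700544 blocks super 1.2 [2/2] [UU]
      bitmap: 0/8 pages [0KB], 65536KB chunk

unused devices: <none>'

# Constructed sample: one member of md0 is gone ([2/1] [U_]).
MDSTAT_DEGRADED='Personalities : [raid1]
md0 : active raid1 sda1[0]
      1046528 blocks super 1.2 [2/1] [U_]

unused devices: <none>'

# check_mdstat TEXT
# Prints "<md> ok [UU]" or "<md> DEGRADED [U_]" per array and returns
# non-zero if any array is degraded (a '_' slot marks a missing member).
check_mdstat() {
    printf '%s\n' "$1" | awk '
        /^md[0-9]+ :/ { name = $1 }            # remember the array name
        /\[[U_]+\]/ {                          # the status-slot line
            match($0, /\[[U_]+\]/)
            state = substr($0, RSTART, RLENGTH)
            if (state ~ /_/) { printf "%s DEGRADED %s\n", name, state; bad = 1 }
            else             { printf "%s ok %s\n", name, state }
        }
        END { exit bad }'                      # non-zero if anything degraded
}

check_mdstat "$MDSTAT_HEALTHY"
check_mdstat "$MDSTAT_DEGRADED" || echo "rebuild needed before relying on the mirror"
```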