# nullpoint


Secure Fedora CoreOS server setup with LUKS encryption, TPM, and BTRFS RAID1, with a focus on Hetzner infrastructure.

## Features

- Fedora CoreOS base
- Full disk encryption with LUKS
- Remote unlock via Tang server
- TPM-based boot verification
- BTRFS RAID1 storage
- Automated deployment to Hetzner

## Security Model

### Tang Server Operation

The Tang server provides secure remote unlocking of LUKS volumes:

1. First connection: the client verifies Tang's public key advertisement
2. Boot time: the client sends an encrypted challenge to Tang
3. Tang proves its identity by decrypting the challenge
4. The client receives the key to unlock the LUKS volume

### TPM Integration

- The TPM2 chip verifies boot integrity
- PCR measurements ensure the system hasn't been tampered with
- Combined with Tang for defense in depth

## Repository Structure

```
.
├── deploy.sh              # Deployment script for Hetzner
├── generate_ignition.py   # Python-based Ignition config generator
├── MASTER_README.md       # Tang server setup documentation
├── README.md              # Main project documentation
├── requirements.txt       # Python dependencies
└── settings.yaml          # Configuration settings
```

## Prerequisites

```bash
# Install tools
curl -fsSL https://raw.githubusercontent.com/hetznercloud/cli/master/install.sh | bash
go install github.com/hetznercloud/hcloud-upload-image@latest
dnf install jq coreos-installer python3-pyyaml

# Configure Hetzner
export HCLOUD_TOKEN="your-token-here"
hcloud ssh-key create --name "fedora-coreos-hetzner" --public-key "$(cat ~/.ssh/id_ed25519.pub)"
```

## Setup

1. **Configure Build Settings**

   ```bash
   cp build-config.yaml.example build-config.yaml
   vim build-config.yaml  # Edit LUKS, storage, and image settings
   ```

2. **Build Base Image** (one-time setup)

   ```bash
   python3 build.py  # Creates and uploads FCOS image to Hetzner
   ```

3. **Configure Deployment Settings**

   ```bash
   cp deploy-config.yaml.example deploy-config.yaml
   vim deploy-config.yaml  # Edit server type, location, and hostname settings
   ```

4. **Deploy Server**

   ```bash
   python3 deploy.py  # Creates new server from base image
   ```

5. **Verify**

   ```bash
   ssh core@your-server
   systemctl status clevis-luks-askpass
   lsblk
   clevis-luks-list -d /dev/sda2
   ```
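The first step of the Tang model above, verifying the key advertisement, only means something if the client pins a key thumbprint obtained out of band; the advertisement served at `http://<tang-host>/adv` is signed by a key from the same advertisement. The following script is an added example, not code from the nullpoint project: it implements the RFC 7638 JWK thumbprint that Clevis and Tang use, decodes a Tang advertisement, and checks that a pinned thumbprint is present. The sample advertisement, its coordinates and its signature are constructed placeholders, and `tang.example.internal` is an assumed hostname.

```python
"""Check a pinned Tang thumbprint against a Tang key advertisement.

Added example; it is not part of the nullpoint project. It implements the
RFC 7638 JWK thumbprint that Clevis and Tang use to identify keys, decodes
the JWS that Tang serves at http://<tang-host>/adv, and checks that the
thumbprint the administrator pinned out of band (for example by reading it
with tang-show-keys on the Tang host) is among the advertised keys.
The sample advertisement below is constructed: its coordinates and
signature are not real P-521 values.
"""
import base64
import hashlib
import json

# JWK members that enter the thumbprint, per RFC 7638 section 3.2.
# They are serialised with sorted keys and no whitespace, then hashed.
_THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "oct": ("k", "kty"),
}


def b64url_encode(raw: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding that JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_jwk(jwk: dict) -> bytes:
    """RFC 7638 canonical form: only the required members, sorted, compact."""
    members = _THUMBPRINT_MEMBERS[jwk["kty"]]
    subset = {name: jwk[name] for name in members}
    return json.dumps(subset, separators=(",", ":"), sort_keys=True).encode()


def jwk_thumbprint(jwk: dict, hash_name: str = "sha256") -> str:
    """Thumbprint as Clevis prints it. Older Tang/Clevis releases used sha1."""
    digest = hashlib.new(hash_name, canonical_jwk(jwk)).digest()
    return b64url_encode(digest)


def advertised_keys(adv_json: str) -> list:
    """Extract the JWK set from Tang's JSON-serialised JWS advertisement.

    The signature is deliberately not checked here: Tang's advertisement is
    signed with a key from the same set, so the pinned thumbprint, not the
    signature, is the trust anchor (Clevis verifies both).
    """
    adv = json.loads(adv_json)
    payload = json.loads(b64url_decode(adv["payload"]))
    return payload["keys"]


def exchange_keys(keys: list) -> list:
    """Keys usable for the key exchange (the ones the LUKS unlock binds to)."""
    return [k for k in keys if "deriveKey" in k.get("key_ops", [])]


def thumbprint_is_advertised(adv_json: str, pinned: str) -> bool:
    """True if the pinned thumbprint matches any advertised key (S256 or S1)."""
    for key in advertised_keys(adv_json):
        if pinned in (jwk_thumbprint(key, "sha256"), jwk_thumbprint(key, "sha1")):
            return True
    return False


# Constructed sample advertisement; x, y and the signature are placeholders.
SAMPLE_SIGNING_KEY = {"alg": "ES512", "kty": "EC", "crv": "P-521",
                      "x": "c2lnbi14", "y": "c2lnbi15", "key_ops": ["verify"]}
SAMPLE_EXCHANGE_KEY = {"alg": "ECMR", "kty": "EC", "crv": "P-521",
                       "x": "ZXhjaC14", "y": "ZXhjaC15", "key_ops": ["deriveKey"]}
SAMPLE_ADV = json.dumps({
    "payload": b64url_encode(json.dumps(
        {"keys": [SAMPLE_SIGNING_KEY, SAMPLE_EXCHANGE_KEY]}).encode()),
    "protected": b64url_encode(b'{"alg":"ES512","cty":"jwk-set+json"}'),
    "signature": b64url_encode(b"constructed-not-a-real-signature"),
})

if __name__ == "__main__":
    # In practice: pinned = value printed by tang-show-keys on tang.example.internal
    pinned = jwk_thumbprint(SAMPLE_EXCHANGE_KEY)
    print("exchange key thumbprints:",
          [jwk_thumbprint(k) for k in exchange_keys(advertised_keys(SAMPLE_ADV))])
    print("pinned thumbprint advertised:", thumbprint_is_advertised(SAMPLE_ADV, pinned))
```

The thumbprint that goes into the Ignition `clevis.tang[].thumbprint` field (and into `clevis encrypt tang '{"thp": ...}'`) should be read on the Tang host itself and compared with what this check extracts from the advertisement; a mismatch means the client is talking to a different Tang than the one you provisioned.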
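The setup steps above produce an Ignition config that binds the LUKS volumes to Tang and the TPM2. As an added example (not the project's `generate_ignition.py`), the script below builds such a config in Python using the Ignition 3.4.0 `storage.luks[].clevis` fields, requiring both pins by default so that neither a stolen disk with its TPM nor a reachable Tang alone can unlock the volume. The Tang URL, thumbprint and device paths are constructed placeholders; passing extra member devices to `mkfs.btrfs` through the filesystem `options` list is an assumption about how Ignition forwards options, not something the project documents.

```python
"""Build an Ignition config for LUKS volumes bound to Tang and TPM2.

Added example; it is not the project's generate_ignition.py. Field names
follow the Ignition 3.4.0 spec (storage.luks[].clevis with tang, tpm2 and
threshold; storage.filesystems[]). The Tang URL, thumbprint and device
paths are constructed placeholders, and handing extra btrfs member devices
to mkfs.btrfs through filesystem options is an assumption about how
Ignition passes options through.
"""
import json
import re
from typing import Optional

IGNITION_VERSION = "3.4.0"
# A JWK thumbprint is base64url without padding: 43 chars for S256, 27 for S1.
_THUMBPRINT_RE = re.compile(r"^(?:[A-Za-z0-9_-]{43}|[A-Za-z0-9_-]{27})$")


def tang_pin(url: str, thumbprint: str) -> dict:
    """One Tang pin. The thumbprint is mandatory so the client never trusts
    an unpinned advertisement fetched over plain HTTP at boot."""
    if not url.startswith(("http://", "https://")):
        raise ValueError(f"tang url must be http(s): {url!r}")
    if not _THUMBPRINT_RE.match(thumbprint):
        raise ValueError("thumbprint must be a base64url JWK thumbprint")
    return {"url": url, "thumbprint": thumbprint}


def luks_volume(name: str, device: str, tang_pins: list,
                use_tpm2: bool = True, threshold: Optional[int] = None) -> dict:
    """A LUKS volume unlocked by Clevis with Tang and/or TPM2 pins."""
    pin_count = len(tang_pins) + (1 if use_tpm2 else 0)
    if pin_count == 0:
        raise ValueError("at least one Tang pin or tpm2 is required")
    # Default: require every pin (defense in depth). threshold=1 would trade
    # that for availability: either Tang or the TPM alone could unlock.
    if threshold is None:
        threshold = pin_count
    if not 1 <= threshold <= pin_count:
        raise ValueError(f"threshold {threshold} out of range 1..{pin_count}")
    return {
        "name": name,
        "device": device,
        "wipeVolume": True,
        "clevis": {"tang": tang_pins, "tpm2": use_tpm2, "threshold": threshold},
    }


def btrfs_filesystem(device: str, label: str, extra_devices=(),
                     profile: str = "raid1") -> dict:
    """A btrfs filesystem on an unlocked mapper device. extra_devices become
    further members (assumption: Ignition forwards options verbatim and
    mkfs.btrfs treats the extra positional arguments as devices)."""
    options = []
    if extra_devices:
        options = ["-d", profile, "-m", profile, *extra_devices]
    return {"device": device, "format": "btrfs", "label": label,
            "wipeFilesystem": True, "options": options}


def ignition_config(luks_volumes: list, filesystems: list) -> dict:
    """Wrap the storage sections in a complete Ignition document."""
    return {
        "ignition": {"version": IGNITION_VERSION},
        "storage": {"luks": luks_volumes, "filesystems": filesystems},
    }


# Constructed placeholders; replace with the real Tang URL and the thumbprint
# read out of band on the Tang host.
TANG_URL = "http://tang.example.internal"
TANG_THUMBPRINT = "0123456789abcdefghijklmnopqrstuvwxyzABCDEF_"


def build_example_config() -> dict:
    """Encrypted root (Tang and TPM2 both required) plus a two-disk btrfs
    RAID1 data volume unlocked the same way."""
    pins = [tang_pin(TANG_URL, TANG_THUMBPRINT)]
    volumes = [
        luks_volume("root", "/dev/disk/by-partlabel/root", pins),
        luks_volume("data1", "/dev/sdb", pins),
        luks_volume("data2", "/dev/sdc", pins),
    ]
    filesystems = [
        btrfs_filesystem("/dev/mapper/root", "root"),
        btrfs_filesystem("/dev/mapper/data1", "data",
                         extra_devices=("/dev/mapper/data2",)),
    ]
    return ignition_config(volumes, filesystems)


if __name__ == "__main__":
    print(json.dumps(build_example_config(), indent=2))
```

After the server boots, `clevis-luks-list -d <device>` (step 5 above) shows the `sss` pin with the same `t` value as the `threshold` written here and one entry per Tang and TPM2 pin, which is the quickest way to confirm that the config that was applied is the one that was generated.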