# nullpoint

Secure AlmaLinux server setup with LUKS full-disk encryption, TPM2-bound unlock and mdadm RAID1 for Hetzner dedicated servers.

## Features

- AlmaLinux server base
- Full disk encryption with LUKS
- Remote unlock via Tang server
- TPM2-based boot verification: the LUKS key is released only when the measured boot state matches
- mdadm RAID1 + XFS (RHEL standard)
- SSH key-only access, with early-boot SSH via dropbear
- Automated provisioning using Hetzner installimage
- Modern development environment with dotfiles

If you need a dead man's switch to go along with it, check out [raven](https://git.dominik-roth.eu/dodox/raven).

## Unlock Strategy

1. **Automatic unlock via Tang/TPM** (default):
   - Configure TPM2 and/or Tang servers in `post-install.sh`
   - The system unlocks automatically if the conditions are met (the TPM's measured boot state matches and/or a configured Tang server is reachable)
   - No manual intervention required
2. **Manual unlock via SSH** (fallback):
   - SSH to the server on port 22 (dropbear in early boot)
   - Enter the LUKS passphrase when prompted (twice, once per disk)
   - Used when automatic unlock fails or is not configured

Because dropbear and the installed system's sshd both answer on port 22 but, unless the initramfs reuses the system's host key, present different host keys, keep a separate `known_hosts` file for the early-boot environment (`ssh -o UserKnownHostsFile=...`) rather than teaching your client to ignore host-key changes.

## Quick Install

Boot your Hetzner server into rescue mode and run:

```bash
wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/install.sh | bash
```

This pipes a remote script straight into `bash`; if you would rather review it first, download it with `wget`, read it, and then run it with `bash`.

The installer will:

- Detect your SSH key from the current session
- Ask for hostname and username
- Generate a secure LUKS passphrase (save it somewhere safe: it is the only way in when automatic unlock fails)
- Download and configure everything
- Run Hetzner's installimage automatically

## Manual Setup

If you prefer to configure manually:

1. **Boot into Hetzner Rescue Mode**
   - Log into Hetzner Robot
   - Select your server → Rescue tab
   - Choose "Linux 64 bit" and activate
   - SSH into the rescue system
2. **Download Configuration**

   ```bash
   git clone https://git.dominik-roth.eu/dodox/nullpoint.git
   cd nullpoint
   ```

3. **Configure**
   - Edit `install.conf` and change `CRYPTPASSWORD`
   - Edit `post-install.sh` and set your SSH key (REQUIRED!)
   - Optionally configure Tang servers and TPM settings
4. **Install**

   ```bash
   installimage -a -c install.conf -x post-install.sh
   ```

   (`-a` runs installimage unattended, `-c` names the config file and `-x` the post-install script.)
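Before running step 4 of the manual setup, it is worth checking that `install.conf` and `post-install.sh` actually carry what the README asks for, since an install started with the shipped passphrase or without an SSH key leaves a box that is either weakly encrypted or unreachable. The script below is an added example and not part of nullpoint. It assumes `install.conf` uses installimage's `KEY value` line syntax (`SWRAID`, `SWRAIDLEVEL`, `CRYPTPASSWORD`), that the placeholder value of `CRYPTPASSWORD` is passed in as an argument, and that `post-install.sh` embeds the public key as a literal `ssh-ed25519 AAAA...` or `ssh-rsa AAAA...` string; the sample files in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not part of nullpoint: pre-flight checks to run in the rescue
# system before invoking installimage. Assumptions: install.conf uses
# installimage's "KEY value" syntax, the shipped placeholder value of
# CRYPTPASSWORD is supplied as the third argument, and post-install.sh embeds
# the OpenSSH public key as a literal "ssh-ed25519 AAAA..." / "ssh-rsa AAAA..."
# string.
set -eu

# Value of a "KEY value" line in install.conf (empty if absent). The whole
# remainder of the line is returned, so passphrases may contain spaces.
conf_value() {
  awk -v key="$1" '$1 == key { sub(/^[^ \t]+[ \t]+/, ""); print; exit }' "$2"
}

# 0 if CRYPTPASSWORD is present, differs from the placeholder ($2) and has at
# least $3 characters (default 20).
check_cryptpassword() {
  pw="$(conf_value CRYPTPASSWORD "$1")"
  [ -n "$pw" ] || { echo "CRYPTPASSWORD is missing" >&2; return 1; }
  [ "$pw" != "$2" ] || { echo "CRYPTPASSWORD is still the placeholder" >&2; return 1; }
  [ "${#pw}" -ge "${3:-20}" ] || { echo "CRYPTPASSWORD is shorter than ${3:-20} characters" >&2; return 1; }
}

# 0 if install.conf requests software RAID level 1, as the feature list promises.
check_raid1() {
  [ "$(conf_value SWRAID "$1")" = 1 ] && [ "$(conf_value SWRAIDLEVEL "$1")" = 1 ] ||
    { echo "install.conf does not configure mdadm RAID1" >&2; return 1; }
}

# 0 if post-install.sh carries at least one OpenSSH public key; without it the
# key-only host is unreachable after the install.
check_ssh_key() {
  n="$(grep -Ec 'ssh-(ed25519|rsa) AAAA[0-9A-Za-z+/]+' "$1" 2>/dev/null || true)"
  [ "${n:-0}" -ge 1 ] || { echo "no SSH public key found in $1" >&2; return 1; }
}

# Run every check and report all failures; 0 only if all of them pass.
preflight() {
  rc=0
  check_cryptpassword "$1" "$3" || rc=1
  check_raid1 "$1" || rc=1
  check_ssh_key "$2" || rc=1
  return "$rc"
}

# Usage (placeholder value "changeme" is an assumption about the shipped file):
#   sh preflight.sh install.conf post-install.sh changeme
if [ "$#" -eq 3 ]; then preflight "$1" "$2" "$3"; echo "pre-flight OK"; fi
```

The checks are deliberately independent so one run reports everything that is wrong; `conf_value` returns the whole remainder of the line because the generated passphrase may contain spaces.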
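The "TPM2 and/or Tang" policy from the Unlock Strategy section, bound to every LUKS device of the install, as an added example (this is not nullpoint's own `post-install.sh` code). It assumes `clevis`, `clevis-luks` and `clevis-dracut` are installed on the target, that the existing LUKS passphrase sits in a root-only file named by `LUKS_PASS_FILE`, and that the Tang URLs and `NULLPOINT_BIND` / `TANG_URLS` / `PCR_IDS` variable names are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not part of nullpoint: bind every LUKS device to a clevis
# "sss" policy that unlocks when EITHER the TPM2 releases the key (PCR 7 =
# Secure Boot state unchanged) OR one of the Tang servers answers.
# Assumptions: clevis, clevis-luks and clevis-dracut are installed, the
# current passphrase is in the root-only file $LUKS_PASS_FILE, and the
# environment variable names below are placeholders.
set -eu

# Build the clevis SSS policy JSON. t=1 means any single pin is enough
# ("TPM2 and/or Tang"); raise it to 2 to require both. With no Tang URLs the
# result is a TPM2-only policy.
build_policy() {
  pcr_ids="$1"; shift
  pins="{\"tpm2\": {\"pcr_bank\": \"sha256\", \"pcr_ids\": \"$pcr_ids\"}"
  if [ "$#" -gt 0 ]; then
    tang=""
    for url in "$@"; do
      tang="${tang:+$tang, }{\"url\": \"$url\"}"
    done
    pins="$pins, \"tang\": [$tang]"
  fi
  printf '{"t": 1, "pins": %s}' "$pins}"
}

# Bind one LUKS device non-interactively (the passphrase comes from a file,
# never from the command line), then list the token so it can be verified.
bind_device() {
  dev="$1"; policy="$2"
  clevis luks bind -y -d "$dev" -k "${LUKS_PASS_FILE:?set LUKS_PASS_FILE}" sss "$policy"
  clevis luks list -d "$dev"
}

main() {
  policy="$(build_policy "${PCR_IDS:-7}" ${TANG_URLS:-})"   # TANG_URLS: space-separated
  # The manual fallback prompts once per disk, i.e. there is more than one
  # LUKS device: bind each one found instead of hard-coding device paths.
  for dev in $(blkid -t TYPE=crypto_LUKS -o device); do
    bind_device "$dev" "$policy"
  done
  # Rebuild the initramfs so clevis-dracut can unlock unattended at boot.
  dracut -f
}

# Runs only when explicitly requested, e.g. from post-install.sh:
#   TANG_URLS="http://tang1.example http://tang2.example" NULLPOINT_BIND=1 sh bind-clevis.sh
if [ "${NULLPOINT_BIND:-0}" = 1 ]; then main; fi
```

Two operational notes: the Tang pin can only answer if the network is up in the initramfs, which on RHEL-family systems means `rd.neednet=1` on the kernel command line; and binding to PCR 7 means a firmware or Secure Boot database update changes the measurement, after which the TPM2 pin stops releasing the key and you are back to the SSH passphrase fallback until you re-bind.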