# nullpoint

Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for Hetzner Dedicated Servers.

## Features

- Fedora Server base
- Full disk encryption with LUKS
- Remote unlock via Tang server
- TPM-based boot verification
- BTRFS RAID1 for data redundancy
- Dedicated database subvolume with `nodatacow` and `noatime`
- Enhanced shell environment with zsh, Oh My Zsh, Powerlevel10k, and an amazing custom theme
- SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it, check out [raven](https://git.dominik-roth.eu/dodox/raven).

## Security Model

### Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

1. **Primary Method**: TPM2 + Tang server
   - TPM2 verifies boot integrity
   - Tang server provides remote unlock capability
   - Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
   - Available via SSH before LUKS unlock
   - Uses dropbear for early SSH access
   - Can be used for recovery or maintenance

### TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings need to be updated; otherwise the system will not boot without the recovery passphrase.

1. Use the provided script: `sudo /root/update-tpm-bindings.py`
2. The script will:
   - Show current PCR values
   - Update TPM bindings to match new measurements
   - Verify all bindings are correct
3. Manual passphrase is available in `/root/luks-passphrase.txt` if needed

## Setup

1. **Configure Installer**

   ```bash
   # Edit the variables at the top of install.sh:
   vim install.sh
   ```

   Set your:
   - Tang server URLs and thumbprints
   - TPM PCR settings
   - Fedora version
   - SSH public key for the default user

2. **Install on Hetzner Server**
   - Log into Hetzner Robot
   - Select your server
   - Go to the "Rescue" tab
   - Choose "Linux" and "64 bit"
   - Activate the Rescue System
   - Upload the installer:
     ```bash
     scp install.sh root@your-server:/root/
     ```
   - SSH into the Rescue System:
     ```bash
     ssh root@your-server
     ```
   - Make it executable and run it:
     ```bash
     chmod +x install.sh
     ./install.sh
     ```
   - Wait for the installation to complete
   - Reboot the server

3. **Verify Installation**

   ```bash
   ssh root@your-server
   systemctl status clevis-luks-askpass
   lsblk
   btrfs filesystem show   # Check RAID1 status
   clevis-luks-list -d /dev/sda2
   ```

## Recovery

If you need to recover the system:

1. **Using Rescue System**
   - Boot into the Rescue System
   - Mount the encrypted volumes:
     ```bash
     cryptsetup luksOpen /dev/sda2 root_a
     cryptsetup luksOpen /dev/sdb2 root_b
     mount /dev/mapper/root_a /mnt
     ```
   - Access your data at `/mnt`
2. **Using Tang Server**
   - Ensure your Tang server is accessible
   - The system should automatically unlock if the TPM measurements match
3. **Using Manual Passphrase**
   - Connect via SSH during early boot (dropbear)
   - Enter the LUKS passphrase when prompted
   - The passphrase is stored in `/root/luks-passphrase.txt` on the installed system
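To confirm after installation, or after re-running the TPM binding script, that every Clevis keyslot still enforces the TPM2 + Tang policy from the Security Model section, here is an added audit script (not part of nullpoint). It parses the output of `clevis luks list -d /dev/sda2`; the sample output, Tang URL and thumbprint below are constructed placeholders, and it flags any slot that a single factor could unlock.

```python
import json
import re
from dataclasses import dataclass

# Each `clevis luks list` line looks like: "<slot>: <pin> '<json config>'"
_LINE_RE = re.compile(r"^(?P<slot>\d+):\s+(?P<pin>\w+)\s+'(?P<cfg>.*)'\s*$")

# Constructed sample output, shaped like the installer's TPM2 + Tang sss policy.
SAMPLE_LIST = """1: sss '{"t":2,"pins":{"tang":[{"url":"http://tang.example:7500","thp":"THP_PLACEHOLDER"}],"tpm2":{"pcr_ids":"7"}}}'"""
# Expected Tang servers (url -> thumbprint), i.e. the values set in install.sh (placeholders here).
EXPECTED_TANG = {"http://tang.example:7500": "THP_PLACEHOLDER"}

@dataclass
class Finding:
    slot: int
    ok: bool
    reason: str

def parse_clevis_list(text):
    """Return (slot, pin, config) for every binding line; ignore anything else."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if m:
            out.append((int(m["slot"]), m["pin"], json.loads(m["cfg"])))
    return out

def check_binding(slot, pin, cfg, expected_tang):
    """Accept only sss with t=2 over exactly tpm2 and tang, with known Tang servers."""
    if pin != "sss":
        return Finding(slot, False, f"pin {pin!r} alone can unlock the volume (no sss)")
    pins = cfg.get("pins", {})
    if set(pins) != {"tpm2", "tang"}:
        return Finding(slot, False, f"sss pins {sorted(pins)} != ['tang', 'tpm2']")
    if cfg.get("t") != 2:
        return Finding(slot, False, f"t={cfg.get('t')}: both factors are not required")
    tangs = pins["tang"] if isinstance(pins["tang"], list) else [pins["tang"]]
    for tang in tangs:  # clevis accepts one config object or a list of them
        url, thp = tang.get("url"), tang.get("thp")
        if expected_tang.get(url) != thp:
            return Finding(slot, False, f"Tang {url} not in expected set or thumbprint differs")
    return Finding(slot, True, "tpm2 + tang, threshold 2")

def audit(text, expected_tang):
    """Audit every binding; an empty list means the device is not Clevis-bound at all."""
    findings = [check_binding(s, p, c, expected_tang) for s, p, c in parse_clevis_list(text)]
    return findings or [Finding(-1, False, "no Clevis bindings found")]

RESULT = audit(SAMPLE_LIST, EXPECTED_TANG)  # [Finding(slot=1, ok=True, reason='tpm2 + tang, threshold 2')]
```

Run it over the real output for both `/dev/sda2` and `/dev/sdb2` in place of `SAMPLE_LIST`, with `EXPECTED_TANG` filled from the values configured in `install.sh`.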