nullpoint/README.md
2025-05-19 17:07:20 +02:00

<div align="center">
<img src='./icon.svg' width="150px">
<h2>nullpoint</h2>
<br>
</div>
Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for (Hetzner) Dedicated Servers.
> [!NOTE]
> This project is still WIP; there are some open issues with networking in the installer and in the installed instance.
## Features
- Fedora Server base
- Full disk encryption with LUKS
- Remote unlock via Tang server
- TPM-based boot verification
- BTRFS RAID1 for data redundancy
- Dedicated database subvolume with `nodatacow` and `noatime`
- SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it, check out [raven](https://git.dominik-roth.eu/dodox/raven).
## Security Model
### Unlock Methods
The system uses multiple methods to unlock the LUKS volumes:

1. **Primary Method**: TPM2 + Tang server
   - TPM2 verifies boot integrity
   - Tang server provides remote unlock capability
   - Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
   - Available via SSH before LUKS unlock
   - Uses dropbear for early SSH access
   - Can be used for recovery or maintenance
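
The "both must succeed" rule is expressed in clevis as a Shamir Secret Sharing (sss) policy whose threshold equals the number of pins. The following is an added example, not the project's own `install.sh`; the Tang URL and thumbprint are placeholders, and the PCR selection (0 and 7) is an assumption, since the README leaves the PCR settings to the installer variables.

```shell
#!/bin/sh
# Added example (not part of nullpoint): build the clevis sss policy that
# requires BOTH the TPM2 pin and the Tang pin, then bind it to the LUKS device.
LUKS_DEV="${LUKS_DEV:-/dev/sda3}"                        # LUKS partition, as in the README
TANG_URL="${TANG_URL:-http://tang.example.invalid}"      # placeholder: your Tang server URL
TANG_THP="${TANG_THP:-REPLACE_WITH_TANG_THUMBPRINT}"     # placeholder: its key thumbprint
PCR_IDS="${PCR_IDS:-0,7}"                                # assumption: firmware (0) + Secure Boot state (7)

# Emit the sss config. With t=2 and exactly two pins, a changed PCR set
# (tpm2 pin fails) or an unreachable Tang server (tang pin fails) each
# blocks automatic unlock, leaving only the manual passphrase.
sss_config() {
  printf '{"t":2,"pins":{"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"},"tang":[{"url":"%s","thp":"%s"}]}}' \
    "$PCR_IDS" "$TANG_URL" "$TANG_THP"
}

# Sanity check before binding: the threshold must equal the pin count,
# otherwise one pin alone would be enough to unlock (t=1 would mean "either").
check_threshold() {
  cfg="$(sss_config)"
  t=0; n=0
  case "$cfg" in *'"t":2'*) t=2 ;; esac
  case "$cfg" in *'"tpm2"'*) n=$((n + 1)) ;; esac
  case "$cfg" in *'"tang"'*) n=$((n + 1)) ;; esac
  [ "$t" -eq "$n" ]
}

# Bind the policy to the LUKS device (prompts for the existing passphrase)
# and list the resulting slots. Only run this on the real server.
bind_sss() {
  check_threshold || { echo "refusing to bind: threshold != pin count" >&2; return 1; }
  clevis luks bind -d "$LUKS_DEV" sss "$(sss_config)" &&
    clevis luks list -d "$LUKS_DEV"
}
```

After binding, `clevis luks list -d /dev/sda3` shows the sss slot with both pins, which is what the verification step at the end of the Setup section checks.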
### TPM Updates
After firmware updates (UEFI/BIOS), the PCR measurements change and the TPM bindings need to be updated; otherwise the system will not boot without the recovery passphrase.

1. Use the provided script: `sudo /root/update-tpm-bindings.py`
2. The script will:
   - Show current PCR values
   - Update TPM bindings to match new measurements
   - Verify all bindings are correct
3. The manual passphrase is available in `/root/luks-passphrase.txt` if needed
## Setup

1. **Configure Installer**
   ```bash
   # Edit the variables at the top of install.sh:
   vim install.sh
   ```
   Set your:
   - Tang server URLs and thumbprints
   - TPM PCR settings
   - Fedora version
   - SSH public key for the default user
2. **Install on Hetzner Server**
   - Log into Hetzner Robot
   - Select your server
   - Go to the "Rescue" tab
   - Choose "Linux" and "64 bit"
   - Activate the Rescue System
   - Upload the installer:
     ```bash
     scp install.sh root@your-server:/root/
     ```
   - SSH into the Rescue System:
     ```bash
     ssh root@your-server
     ```
   - Make it executable and run it:
     ```bash
     chmod +x install.sh
     ./install.sh
     ```
   - If the script tells you that no TPM is available, you'll need to open a support ticket to get KVM access and enable the TPM in the BIOS.
   - The script will:
     - Generate and display a LUKS passphrase (save this!)
     - Download and prepare the Fedora installer
     - Configure networking for Hetzner's unusual setup
     - Start the Fedora installer
   - You can monitor the installation via SSH on port 2222:
     ```bash
     ssh -p 2222 root@your-server
     ```
   - During the Fedora installation:
     - Disk encryption and RAID will be configured
     - TPM and Tang bindings will be set up
     - Network configuration will be applied
3. **Verify Installation**
   ```bash
   ssh null@your-server
   systemctl status clevis-luks-askpass
   lsblk
   btrfs filesystem show           # Check RAID1 status
   clevis-luks-list -d /dev/sda3   # Note: sda3 is the LUKS partition
   ```