Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for (Hetzner) Dedicated Servers.

nullpoint

Secure Fedora CoreOS server setup with LUKS encryption, TPM, and BTRFS RAID1, with a focus on Hetzner infrastructure.

Features

  • Fedora CoreOS base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 storage
  • Automated deployment to Hetzner

Security Model

Tang Server Operation

The Tang server provides secure remote unlocking of LUKS volumes:

  1. First connection: the client verifies Tang's public key advertisement
  2. Boot time: the client sends an encrypted challenge to Tang
  3. Tang proves its identity by decrypting the challenge
  4. The client receives the key to unlock the LUKS volume

TPM Integration

  • TPM2 chip verifies boot integrity
  • PCR measurements ensure system hasn't been tampered with
  • Combined with Tang for defense in depth
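The two points above, the pinned Tang key from step 1 and the Tang-plus-TPM combination, are what the root LUKS stanza of an Ignition/Butane config has to encode. The following is an added example, not nullpoint's build.py: it computes a Tang key thumbprint the RFC 7638 way (the same SHA-256 form recent tang-show-keys prints) so the value can be taken from the Tang host's own key file instead of trusted on first fetch, and it emits a Butane boot_device.luks stanza that refuses unpinned Tang servers and requires both pins when threshold is 2. The sample JWK and URL are constructed placeholders.

```python
import base64
import hashlib
import json
import re

# Tang thumbprint = base64url(SHA-256(RFC 7638 canonical JWK)), unpadded: 43 chars.
_THUMBPRINT_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint of an EC JWK (SHA-256), as Tang/Clevis print it."""
    if jwk.get("kty") != "EC":
        raise ValueError("only EC keys are handled here")
    # Required members only, lexicographic order, no whitespace.
    canonical = json.dumps({k: jwk[k] for k in ("crv", "kty", "x", "y")},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def luks_boot_device(tang_pins: list, tpm2: bool, threshold: int) -> dict:
    """Butane config with a boot_device.luks stanza; rejects unpinned Tang servers."""
    for pin in tang_pins:
        url = pin.get("url", "")
        if not url.startswith(("http://", "https://")):
            raise ValueError(f"bad Tang URL: {url!r}")
        if not _THUMBPRINT_RE.match(pin.get("thumbprint", "")):
            # No thumbprint would mean trusting whatever key is advertised at first boot.
            raise ValueError(f"Tang pin {url} has no valid thumbprint")
    pins = len(tang_pins) + (1 if tpm2 else 0)
    if not 1 <= threshold <= pins:
        raise ValueError(f"threshold {threshold} not in 1..{pins}")
    luks = {"tang": [{"url": p["url"], "thumbprint": p["thumbprint"]} for p in tang_pins],
            "threshold": threshold}   # threshold == pins: Tang AND TPM both required
    if tpm2:
        luks["tpm2"] = True
    return {"variant": "fcos", "version": "1.5.0", "boot_device": {"luks": luks}}


if __name__ == "__main__":
    # Constructed JWK (not a real key); in practice read the Tang host's /var/db/tang/*.jwk.
    sample_jwk = {"kty": "EC", "crv": "P-521", "x": "constructed-x", "y": "constructed-y",
                  "key_ops": ["verify"]}
    thp = jwk_thumbprint(sample_jwk)
    cfg = luks_boot_device([{"url": "http://tang.example.internal", "thumbprint": thp}],
                           tpm2=True, threshold=2)
    print(json.dumps(cfg, indent=2))  # JSON is valid YAML, so butane accepts it as-is
```

Pipe the printed config into butane to get the Ignition JSON the deployment step consumes.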

Repository Structure

.
├── deploy.sh            # Deployment script for Hetzner
├── generate_ignition.py # Python-based Ignition config generator
├── MASTER_README.md     # Tang server setup documentation
├── README.md            # Main project documentation
├── requirements.txt     # Python dependencies
└── settings.yaml        # Configuration settings

Prerequisites

# Install tools
curl -fsSL https://raw.githubusercontent.com/hetznercloud/cli/master/install.sh | bash
go install github.com/hetznercloud/hcloud-upload-image@latest
sudo dnf install jq coreos-installer python3-pyyaml

# Configure Hetzner
export HCLOUD_TOKEN="your-token-here"   # read/write API token for the target project
hcloud ssh-key create --name "fedora-coreos-hetzner" --public-key "$(cat ~/.ssh/id_ed25519.pub)"

Setup

  1. Configure Build Settings

    cp build-config.yaml.example build-config.yaml
    vim build-config.yaml  # Edit LUKS, storage, and image settings
    
  2. Build Base Image (one-time setup)

    python3 build.py  # Creates and uploads FCOS image to Hetzner
    
  3. Configure Deployment Settings

    cp deploy-config.yaml.example deploy-config.yaml
    vim deploy-config.yaml  # Edit server type, location, and hostname settings
    
  4. Deploy Server

    python3 deploy.py  # Creates new server from base image
    
  5. Verify

    ssh core@your-server
    systemctl status clevis-luks-askpass
    lsblk
    clevis-luks-list -d /dev/sda2