Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.

nullpoint


Secure AlmaLinux (RHEL-compatible) server setup with LUKS full-disk encryption, Tang, TPM2 and mdadm RAID1 for Hetzner dedicated servers.

Features

  • AlmaLinux Server base
  • Full disk encryption with LUKS (one LUKS container per disk, RAID1 on top)
  • Network-bound unlock via a Tang server (the disks only unlock while the Tang server is reachable)
  • TPM2-sealed automatic unlock, tied to the measured boot state of this machine
  • mdadm RAID1 + XFS (RHEL standard)
  • SSH key-only access with early boot SSH via dropbear
  • Best-in-class terminal: zsh + powerlevel10k + evil tmux

Unlock Strategy

  1. Automatic unlock via Tang/TPM2 (default):

    • Configure TPM2 and/or Tang servers in post-install.sh
    • The system unlocks automatically when the policy is satisfied (Tang server reachable and/or TPM2 measurements unchanged)
    • No manual intervention required
  2. Manual unlock via SSH (fallback):

    • SSH to the server on port 22 (dropbear in the early-boot initramfs; expect a host key different from the installed system's sshd unless the installer copies it over, so verify it rather than blindly accepting it)
    • Enter the LUKS passphrase when prompted (twice, once per disk)
    • Used when automatic unlock fails or is not configured
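The automatic-unlock policy described above, as an added example that is not nullpoint's own post-install.sh code: it assumes Clevis (clevis, clevis-luks, clevis-dracut) is installed on the booted system, uses placeholder device paths and a placeholder Tang URL, and binds the TPM2 pin to PCR 7 (Secure Boot policy). The policy is Shamir secret sharing with threshold 1, so either pin alone unlocks a disk; the install-time passphrase stays in its own keyslot for the dropbear fallback.

```bash
#!/usr/bin/env bash
# Added example, not nullpoint's post-install.sh: bind each LUKS member to a
# Clevis Shamir (sss) policy so the disks unlock at boot when EITHER a Tang
# server is reachable OR the TPM2 measurements still match (threshold t=1).
# The install-time passphrase stays in its own keyslot as the dropbear fallback.
# Assumptions: device paths, the Tang URL and the PCR selection are placeholders.
set -eu

# Build the sss policy JSON.  Args: threshold, PCR ids ("" = no TPM2 pin),
# then zero or more Tang URLs.  Each Tang URL and the TPM2 pin supply one
# share each, so the threshold must not exceed that count.
clevis_sss_policy() {
    local threshold="$1" pcr_ids="$2"; shift 2
    local pins="" tang="" url
    for url in "$@"; do
        tang="${tang:+${tang},}{\"url\":\"${url}\"}"
    done
    if [ -n "$tang" ]; then
        pins="\"tang\":[${tang}]"
    fi
    if [ -n "$pcr_ids" ]; then
        # PCR 7 = Secure Boot policy; adding kernel PCRs (8/9) would force a
        # re-bind after every kernel or initramfs update.
        pins="${pins:+${pins},}\"tpm2\":{\"pcr_bank\":\"sha256\",\"pcr_ids\":\"${pcr_ids}\"}"
    fi
    local shares=$(( $# + ( ${#pcr_ids} > 0 ? 1 : 0 ) ))
    if [ "$threshold" -lt 1 ] || [ "$threshold" -gt "$shares" ]; then
        echo "threshold $threshold impossible with $shares share(s)" >&2
        return 1
    fi
    printf '{"t":%s,"pins":{%s}}' "$threshold" "$pins"
}

# Bind the policy to each LUKS device (adds one keyslot per device, prompts
# for the existing passphrase) and verify the new slot is listed.
# Requires clevis, clevis-luks and clevis-dracut; run as root.
bind_clevis() {
    local policy="$1"; shift
    local dev
    for dev in "$@"; do
        clevis luks bind -d "$dev" sss "$policy"
        clevis luks list -d "$dev"       # expect a line like: 1: sss '{...}'
    done
    dracut -f                            # rebuild the initramfs so the clevis
                                         # hook runs alongside dropbear at boot
}

# Usage (after install, as root):  ./clevis-bind.sh bind /dev/sda2 /dev/sdb2
if [ "${1:-}" = "bind" ]; then
    shift
    bind_clevis "$(clevis_sss_policy 1 7 https://tang.example.org)" "$@"
fi
```

After a firmware or Secure Boot setting change, or a Tang key rotation, the sealed slot no longer unlocks; fall back to the dropbear passphrase prompt, then regenerate the slot with `clevis luks regen -d <dev> -s <slot>` rather than adding a second binding.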

Install

Boot your Hetzner server into rescue mode and run the command below. It executes as root in the rescue system and will wipe the disks, so download get.sh with `wget -O get.sh <url>` and read it first if you want to review what it does:

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/get.sh | bash

The installer will:

  • Detect your SSH key from the current session
  • Ask for hostname and username
  • Generate a secure LUKS passphrase (SAVE IT: it is the only way in when Tang/TPM2 unlock fails or is not configured)
  • Download and configure everything
  • Run Hetzner's installimage automatically

nullpoint cluster


Encrypted network and storage pool using Nebula mesh VPN and GlusterFS distributed filesystem.

Features

  • Encrypted mesh network - All traffic encrypted via Nebula overlay (192.168.100.0/24)
  • Distributed storage - Data replicated across all storage nodes
  • Simple joining - Single preshared secret + lighthouse endpoint
  • Flexible nodes - Full nodes (replicate data) or remote nodes (no storage)

Setup

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/cluster-setup.sh | sudo bash

Choose your node type:

  • Full node - Runs GlusterFS server, contributes storage, acts as lighthouse
    • Use for servers in same datacenter/region with low latency
  • Remote node - GlusterFS client only, no storage contribution
    • Use for edge locations, different regions, or high-latency connections
    • Avoids replication delays since writes don't wait for this node

Storage mounted at /data/storage/ on all nodes.
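As an added example (not the config that cluster-setup.sh writes), a Nebula node config showing where the overlay's own firewall limits which peers may reach GlusterFS: only hosts whose certificate carries the group `cluster` can talk to glusterd and the brick ports, and the only thing that needs to be open on the public interface is Nebula's UDP port. Assumed: the certificate paths, the lighthouse's public IP 203.0.113.10, and that node certificates were signed with `-groups cluster`. Pair it with a host firewall that accepts the Gluster ports on the `nebula1` interface only.

```yaml
# Added example, not the config cluster-setup.sh generates.
# Assumed: cert paths, lighthouse public IP 203.0.113.10, and node certs
# signed with the group "cluster" (nebula-cert sign ... -groups cluster).
pki:
  ca: /etc/nebula/ca.crt
  cert: /etc/nebula/node.crt
  key: /etc/nebula/node.key

static_host_map:
  "192.168.100.1": ["203.0.113.10:4242"]   # lighthouse: overlay IP -> public endpoint

lighthouse:
  am_lighthouse: false      # true only on the full node that acts as lighthouse
  interval: 60
  hosts:
    - "192.168.100.1"

listen:
  host: 0.0.0.0
  port: 4242                # UDP; the only port that must be reachable publicly

punchy:
  punch: true               # keep NAT mappings alive for remote nodes behind NAT

tun:
  dev: nebula1              # bind GlusterFS and host-firewall rules to this interface

firewall:
  conntrack:
    tcp_timeout: 12m
    udp_timeout: 3m
    default_timeout: 10m
  outbound:
    - port: any
      proto: any
      host: any
  inbound:
    - port: any             # ICMP for diagnostics
      proto: icmp
      host: any
    - port: 22              # SSH over the overlay, cluster members only
      proto: tcp
      group: cluster
    - port: 24007-24008     # glusterd management ports
      proto: tcp
      group: cluster
    - port: 49152-49251     # brick ports (allocated upward from 49152, one per brick)
      proto: tcp
      group: cluster
```

A remote node (GlusterFS client only) uses the same inbound rules; it still needs to reach the brick ports on the full nodes outbound, which the `outbound: any` rule allows, but nothing outside the `cluster` group can open a connection to it or to the bricks.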