Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.
Dominik Roth 1d48721308 Simplify Nebula setup with DNS-based lighthouse discovery
- Use DNS domain for lighthouse discovery (works with HAProxy/Keepalived)
- All nodes are lighthouses by default for full redundancy
- Remove static_host_map complexity - DNS handles everything
- Ask for lighthouse domain during setup
- Allow disabling lighthouse mode for remote/edge nodes
- Simplified cluster secret: domain:port:ca_cert

This allows using existing HA infrastructure (DNS pointing to alive nodes)
instead of complex IP tracking and manual updates.
2025-08-24 18:18:37 +02:00
dotfiles Fix Python 3.13 pip and improve user installations 2025-08-18 22:35:37 +02:00
.gitignore rewrote everything 2025-05-18 18:31:20 +02:00
cluster-setup.sh Simplify Nebula setup with DNS-based lighthouse discovery 2025-08-24 18:18:37 +02:00
get.sh separate install and get scripts... 2025-08-17 23:47:07 +02:00
icon.svg fixed the icon 2025-05-18 16:09:51 +02:00
install.conf fixes (dropbear etc) 2025-08-18 00:10:29 +02:00
install.sh fixes (dropbear etc) 2025-08-18 00:10:29 +02:00
MASTER_README.md check out raven 2025-05-13 21:23:55 +02:00
post-install.sh Fix Python 3.13 pip and improve user installations 2025-08-18 22:35:37 +02:00
README.md Simplify Nebula setup with DNS-based lighthouse discovery 2025-08-24 18:18:37 +02:00

nullpoint
Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 for Hetzner Dedicated Servers.

Features

  • AlmaLinux Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • mdadm RAID1 + XFS (RHEL standard)
  • SSH key-only access with early boot SSH via dropbear
  • Best-in-class terminal: zsh + powerlevel10k + evil tmux

Unlock Strategy

  1. Automatic unlock via Tang/TPM (default):
     • Configure TPM2 and/or Tang servers in post-install.sh
     • System unlocks automatically if conditions are met
     • No manual intervention required
  2. Manual unlock via SSH (fallback):
     • SSH to server on port 22 (dropbear in early boot)
     • Enter LUKS passphrase when prompted (twice, once per disk)
     • Used when automatic unlock fails or is not configured
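The "Tang and/or TPM2" automatic unlock above maps onto a clevis "sss" policy with threshold 1, and because the RAID1 pair means two LUKS devices, the binding has to be applied to both or the SSH fallback still prompts for the second disk. The script below is an added example, not one of nullpoint's own scripts; the device paths, Tang URLs and PCR list are placeholders.

```shell
#!/usr/bin/env bash
# Added example (not part of nullpoint): bind both LUKS devices of the RAID1
# pair to one clevis "sss" policy that unlocks when EITHER the TPM2 PCR state
# matches OR any Tang server answers (threshold t=1). Device paths, Tang URLs
# and PCR ids below are assumed placeholders; adjust them for your hosts.
set -eu

# Build the sss pin configuration clevis expects. Arguments: a comma-separated
# list of PCR ids, followed by zero or more Tang URLs. Prints the JSON policy.
build_sss_policy() {
    local pcr_ids="$1"; shift
    local tang="" url
    for url in "$@"; do
        tang="${tang:+$tang,}{\"url\":\"$url\"}"
    done
    if [ -n "$tang" ]; then
        printf '{"t":1,"pins":{"tang":[%s],"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' \
            "$tang" "$pcr_ids"
    else
        # No Tang servers configured: TPM2-only policy.
        printf '{"t":1,"pins":{"tpm2":{"pcr_bank":"sha256","pcr_ids":"%s"}}}' "$pcr_ids"
    fi
}

# Bind every LUKS device (one per RAID1 member) to the same policy, so the
# automatic unlock covers both passphrase prompts the README mentions. The
# existing LUKS passphrase is read from the file in $1, never from argv.
bind_devices() {
    local keyfile="$1" policy="$2"; shift 2
    local dev
    for dev in "$@"; do
        clevis luks bind -k "$keyfile" -d "$dev" sss "$policy"
        # Show the registered keyslots so a missing binding is caught now,
        # not at the next reboot.
        clevis luks list -d "$dev"
    done
}

# Usage: ./bind-unlock.sh --bind /root/luks-passphrase.txt /dev/nvme0n1p2 /dev/nvme1n1p2
if [ "${1:-}" = "--bind" ]; then
    keyfile="$2"; shift 2
    policy="$(build_sss_policy 7 http://tang1.example.internal http://tang2.example.internal)"
    bind_devices "$keyfile" "$policy" "$@"
fi
```

PCR 7 (Secure Boot state) is the usual choice for the TPM2 pin; tying the policy to more PCRs makes the TPM path fail after routine firmware or bootloader updates, at which point only the Tang path or the dropbear fallback remains.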

Install

Boot your Hetzner server into rescue mode and run:

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/get.sh | bash

The installer will:

  • Detect your SSH key from the current session
  • Ask for hostname and username
  • Generate a secure LUKS passphrase (SAVE IT!)
  • Download and configure everything
  • Run Hetzner's installimage automatically

Nullpoint Cluster

Create or join a distributed storage cluster with Nebula mesh networking and GlusterFS. Start with a single node and scale up by adding more servers.

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/cluster-setup.sh | sudo bash

  • Storage mounted at: /data/storage/ - all data replicated to all nodes
  • Nebula mesh network - encrypted overlay with certificate-based trust
  • DNS-based discovery - use your existing HA setup (HAProxy/Keepalived)
  • All nodes are lighthouses - full redundancy, no single point of failure
  • Simple secret sharing - just domain:port:ca_cert to join