Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.
| dotfiles | ||
| .gitignore | ||
| icon.svg | ||
| install.conf | ||
| install.sh | ||
| MASTER_README.md | ||
| post-install.sh | ||
| README.md | ||
nullpoint
Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.
Features
- AlmaLinux Server base
- Full disk encryption with LUKS (native Hetzner support)
- Remote unlock via Tang server
- TPM-based boot verification
- mdadm RAID1 + XFS (RHEL standard)
- SSH key-only access with early boot SSH via dropbear
- Automated provisioning using Hetzner installimage
- Modern development environment with dotfiles
If you need a dead man's switch to go along with it check out raven.
Security Model
Unlock Methods
The system uses multiple methods to unlock the LUKS volumes:
- Primary Method: TPM2 + Tang server
- TPM2 verifies boot integrity
- Tang server provides remote unlock capability
- Both must succeed for automatic unlock
- Fallback Method: Manual passphrase
- Available via SSH before LUKS unlock
- Uses dropbear for early SSH access
- Can be used for recovery or maintenance
Unlock Strategy
The system supports multiple unlock methods:
- Manual unlock via SSH (default):
- SSH to server on port 22 (dropbear in early boot)
- Enter LUKS passphrase when prompted (twice, once per disk)
- System continues normal boot
- Automatic unlock (optional):
- Configure TPM2 and/or Tang servers in post-install.sh
- System unlocks automatically if conditions are met
- Falls back to manual unlock if automatic fails
Quick Install
Boot your Hetzner server into rescue mode and run:
wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/install.sh | bash
The installer will:
- Detect your SSH key from the current session
- Ask for hostname and username
- Generate a secure LUKS passphrase (SAVE IT!)
- Download and configure everything
- Run Hetzner's installimage automatically
Manual Setup
If you prefer to configure manually:
-
Boot into Hetzner Rescue Mode
- Log into Hetzner Robot
- Select your server → Rescue tab
- Choose "Linux 64 bit" and activate
- SSH into rescue system
-
Download Configuration
git clone https://git.dominik-roth.eu/dodox/nullpoint.git cd nullpoint -
Configure
- Edit
install.confand changeCRYPTPASSWORD - Edit
post-install.shand set your SSH key (REQUIRED!) - Optionally configure Tang servers and TPM settings
- Edit
-
Install
installimage -a -c install.conf -s post-install.sh
What Gets Installed
Hetzner installimage will:
- Set up mdadm RAID1 across both drives
- Create LUKS encryption with your passphrase
- Install AlmaLinux with XFS filesystem
- Single root partition (no LVM complexity)
post-install.sh will configure:
- User account with SSH key and zsh shell
- oh-my-zsh with powerlevel10k theme
- Dotfiles (zsh, tmux, p10k configs)
- Clevis for TPM/Tang unlock (if configured)
- Dropbear for remote unlock
- Modern CLI tools (lsd, bat, neovim)
- Security hardening (SELinux, SSH)
Post-Installation
-
First Boot
- Enter LUKS passphrase twice (once per disk)
- System will boot into AlmaLinux
-
Verify Installation
ssh null@your-server systemctl status clevis-luks-askpass lsblk cat /proc/mdstat # Check RAID1 status df -h # Check filesystem