<div align="center">
<img src='./icon.svg' width="150px">
<h2>nullpoint</h2>
<br>
</div>
Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.

## Features

- AlmaLinux Server base
- Full disk encryption with LUKS (native Hetzner support)
- Remote unlock via Tang server
- TPM-based boot verification
- mdadm RAID1 + XFS (RHEL standard)
- SSH key-only access with early boot SSH via dropbear
- Automated provisioning using Hetzner installimage
- Modern development environment with dotfiles

If you need a dead man's switch to go along with it, check out [raven](https://git.dominik-roth.eu/dodox/raven).
## Security Model

### Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

1. **Primary Method**: TPM2 + Tang server
   - TPM2 verifies boot integrity
   - Tang server provides remote unlock capability
   - Both must succeed for automatic unlock
2. **Fallback Method**: Manual passphrase
   - Available via SSH before LUKS unlock
   - Uses dropbear for early SSH access
   - Can be used for recovery or maintenance

### Unlock Strategy

The system supports multiple unlock methods:

1. **Manual unlock via SSH** (default):
   - SSH to the server on port 22 (dropbear in early boot)
   - Enter the LUKS passphrase when prompted (twice, once per disk)
   - System continues normal boot
2. **Automatic unlock** (optional):
   - Configure TPM2 and/or Tang servers in post-install.sh
   - System unlocks automatically if the conditions are met
   - Falls back to manual unlock if automatic unlock fails
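What makes "both must succeed" true is the threshold in the Clevis SSS configuration, not the mere presence of two pins. The shell helper below is an added example, not nullpoint's own post-install.sh: it emits the JSON string passed to `clevis luks bind ... sss`, with `t=2` requiring TPM2 and Tang together and `t=1` accepting either one alone. The Tang URLs (`*.example.invalid`), the PCR selection `0,7` and the device path are placeholders, and it assumes the Clevis `sss` pin can be nested so that several Tang servers count as a single share.

```bash
#!/bin/sh
# Added example (not part of nullpoint): build the Clevis SSS policy that binds
# a LUKS key slot to TPM2 plus Tang. URLs, PCR ids and device are placeholders.

# tang_pins URL... -> JSON array of Tang pin objects
tang_pins() {
    out=""
    for url in "$@"; do
        out="${out:+$out,}{\"url\":\"$url\"}"
    done
    printf '[%s]' "$out"
}

# tpm2_pin PCR_IDS -> JSON object sealing the share to the given PCRs
tpm2_pin() {
    printf '{"pcr_bank":"sha256","pcr_ids":"%s"}' "$1"
}

# policy_both PCR_IDS URL... -> t=2 policy: TPM2 AND at least one Tang server.
# The Tang servers sit in a nested sss pin with t=1 (assumed Clevis feature),
# so adding a second Tang server for redundancy never removes the TPM2 check.
policy_both() {
    pcr_ids=$1; shift
    printf '{"t":2,"pins":{"tpm2":%s,"sss":{"t":1,"pins":{"tang":%s}}}}' \
        "$(tpm2_pin "$pcr_ids")" "$(tang_pins "$@")"
}

# policy_either PCR_IDS URL... -> t=1 policy: TPM2 OR any Tang server suffices.
# This is the weaker shape; a Tang server alone can unlock the disk.
policy_either() {
    pcr_ids=$1; shift
    printf '{"t":1,"pins":{"tpm2":%s,"tang":%s}}' \
        "$(tpm2_pin "$pcr_ids")" "$(tang_pins "$@")"
}

# bind_device DEV POLICY -> add a Clevis-bound key slot and show the result.
# The existing passphrase slot is untouched and remains the dropbear fallback.
# Not executed here; placeholder device path.
bind_device() {
    clevis luks bind -d "$1" sss "$2" && clevis luks list -d "$1"
}

if [ "${1:-}" = "--show" ]; then
    policy_both "0,7" "http://tang1.example.invalid" "http://tang2.example.invalid"; echo
    policy_either "0,7" "http://tang1.example.invalid"; echo
fi
```

Run it with `--show` to print both policies. After binding, `clevis luks list -d /dev/sdX2` echoes the stored configuration, which is the place to confirm that the threshold really is 2 on a slot that is meant to need TPM2 and Tang together.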
## Quick Install

Boot your Hetzner server into rescue mode and run:

```bash
wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/install.sh | bash
```

The installer will:

- Detect your SSH key from the current session
- Ask for hostname and username
- Generate a secure LUKS passphrase (SAVE IT!)
- Download and configure everything
- Run Hetzner's installimage automatically
## Manual Setup

If you prefer to configure manually:

1. **Boot into Hetzner Rescue Mode**
   - Log into Hetzner Robot
   - Select your server → Rescue tab
   - Choose "Linux 64 bit" and activate
   - SSH into the rescue system
2. **Download Configuration**
   ```bash
   git clone https://git.dominik-roth.eu/dodox/nullpoint.git
   cd nullpoint
   ```
3. **Configure**
   - Edit `install.conf` and change `CRYPTPASSWORD`
   - Edit `post-install.sh` and set your SSH key (REQUIRED!)
   - Optionally configure Tang servers and TPM settings
4. **Install**
   ```bash
   installimage -a -c install.conf -s post-install.sh
   ```
## What Gets Installed

Hetzner installimage will:

- Set up mdadm RAID1 across both drives
- Create LUKS encryption with your passphrase
- Install AlmaLinux with XFS filesystem
- Single root partition (no LVM complexity)

post-install.sh will configure:

- User account with SSH key and zsh shell
- oh-my-zsh with powerlevel10k theme
- Dotfiles (zsh, tmux, p10k configs)
- Clevis for TPM/Tang unlock (if configured)
- Dropbear for remote unlock
- Modern CLI tools (lsd, bat, neovim)
- Security hardening (SELinux, SSH)
## Post-Installation

1. **First Boot**
   - Enter the LUKS passphrase twice (once per disk)
   - System will boot into AlmaLinux
2. **Verify Installation**
   ```bash
   ssh null@your-server
   systemctl status clevis-luks-askpass
   lsblk
   cat /proc/mdstat # Check RAID1 status
   df -h # Check filesystem
   ```
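`cat /proc/mdstat` and `clevis luks list` are easy to glance at and easy to misread, so here is an added example (not part of nullpoint) that turns the verification step into two checks: one reports any RAID1 array with a missing member, the other reports which LUKS slots are bound with the `sss` pin and what threshold they use, so a slot that would unlock on Tang alone (`t=1`) stands out. The mdstat and clevis output in the `--demo` branch is constructed sample data; the functions read real output from stdin.

```bash
#!/bin/sh
# Added example (not part of nullpoint): post-install health checks.
# Sample data below is constructed; feed real output via stdin in practice.

# degraded_arrays < /proc/mdstat
# Prints each md device whose member bracket shows a missing disk
# ("_" instead of "U", e.g. [U_]). Exit status 1 if any array is degraded.
degraded_arrays() {
    awk '
        /^md[0-9]+ *:/ { dev = $1 }
        dev != "" && match($0, /\[[U_]+\]/) {
            if (index(substr($0, RSTART, RLENGTH), "_")) { print dev; bad = 1 }
        }
        END { exit bad ? 1 : 0 }
    '
}

# sss_bindings < "clevis luks list -d DEV" output
# Prints "SLOT THRESHOLD" for every slot bound with the sss pin.
sss_bindings() {
    sed -n "s/^\([0-9][0-9]*\): sss '{\"t\":\([0-9][0-9]*\),.*/\1 \2/p"
}

# require_threshold N < "clevis luks list" output
# Exit status 1 unless every sss-bound slot needs at least N pins.
require_threshold() {
    sss_bindings | awk -v n="$1" '{ if ($2 < n) bad = 1 } END { exit bad ? 1 : 0 }'
}

# verify_host DEV -> the README's checks plus the two above. Not executed here;
# device path is a placeholder.
verify_host() {
    systemctl status clevis-luks-askpass
    lsblk
    degraded_arrays < /proc/mdstat || echo "RAID1 degraded on the arrays listed above"
    clevis luks list -d "$1" | require_threshold 2 \
        || echo "a Clevis slot on $1 unlocks with fewer than two pins"
    df -h
}

if [ "${1:-}" = "--demo" ]; then
    # Constructed sample: sdb2 has dropped out of md0
    printf '%s\n' 'Personalities : [raid1]' \
        'md0 : active raid1 sda2[0]' \
        '      488254464 blocks super 1.2 [2/1] [U_]' \
        'unused devices: <none>' | degraded_arrays || echo "RAID1 degraded"
    # Constructed sample: slot 1 needs both pins, slot 2 unlocks on Tang alone
    printf '%s\n' \
        "1: sss '{\"t\":2,\"pins\":{\"tpm2\":{\"pcr_ids\":\"0,7\"},\"tang\":[{\"url\":\"http://tang.example.invalid\"}]}}'" \
        "2: sss '{\"t\":1,\"pins\":{\"tang\":[{\"url\":\"http://tang.example.invalid\"}]}}'" \
        | require_threshold 2 || echo "a slot unlocks with fewer than two pins"
fi
```

The threshold check is the one worth keeping in a monitoring script: a rebind that accidentally used `t=1` leaves the disk unlockable by whoever can reach the Tang server, with no TPM2 measurement involved, and nothing in the boot sequence would look different.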