nullpoint/README.md

nullpoint

Secure AlmaLinux (RHEL) Server setup with LUKS encryption, Tang, TPM and RAID1 for Hetzner Dedicated Servers.

Features

• AlmaLinux Server base
• Full disk encryption with LUKS
• Remote unlock via Tang server
• TPM-based boot verification
• mdadm RAID1 + XFS (RHEL standard)
• SSH key-only access with early boot SSH via dropbear
• Best-in-class terminal: zsh + powerlevel10k + evil tmux

Unlock Strategy

1. Automatic unlock via Tang/TPM (default):

   • Configure TPM2 and/or Tang servers in post-install.sh
   • System unlocks automatically if conditions are met
   • No manual intervention required

2. Manual unlock via SSH (fallback):

   • SSH to server on port 22 (dropbear in early boot)
   • Enter LUKS passphrase when prompted (twice, once per disk)
   • Used when automatic unlock fails or is not configured

Install

Boot your Hetzner server into rescue mode and run:

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/get.sh | bash

The installer will:

• Detect your SSH key from the current session
• Ask for hostname and username
• Generate a secure LUKS passphrase (SAVE IT!)
• Download and configure everything
• Run Hetzner's installimage automatically

---

nullpoint cluster

Encrypted network and storage pool using Nebula mesh VPN and GlusterFS distributed filesystem.

Features

• Encrypted mesh network - All traffic encrypted via Nebula overlay (192.168.100.0/24)
• Distributed storage - Data replicated across all storage nodes
• Simple joining - Single preshared secret + lighthouse endpoint
• Flexible nodes - Full nodes (replicate data) or remote nodes (no storage)

Setup

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/cluster-setup.sh | sudo bash

Choose your node type:

• Full node - Contributes storage, becomes lighthouse, read/write access
• Remote node - Full read/write access, no local storage contribution

Storage mounted at /data/storage/ on all nodes.