dodox/nullpoint
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
e2309551c3
nullpoint/README.md
Dominik Roth e2309551c3 Upd README
2025-07-26 21:50:17 +02:00

2.4 KiB
Raw Blame History

nullpoint


Secure AlmaLinux Server setup with LUKS encryption, TPM, and mdadm RAID1 for Hetzner Dedicated Servers.

Features

  • AlmaLinux Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • mdadm RAID1 + XFS (RHEL standard)
  • SSH key-only access with early boot SSH via dropbear
  • Automated provisioning using Hetzner installimage
  • Modern development environment with dotfiles

If you need a dead man's switch to go along with it check out raven.

Unlock Strategy

  1. Automatic unlock via Tang/TPM (default):

    • Configure TPM2 and/or Tang servers in post-install.sh
    • System unlocks automatically if conditions are met
    • No manual intervention required

  2. Manual unlock via SSH (fallback):

    • SSH to server on port 22 (dropbear in early boot)
    • Enter LUKS passphrase when prompted (twice, once per disk)
    • Used when automatic unlock fails or is not configured

Quick Install

Boot your Hetzner server into rescue mode and run:

wget -qO- https://git.dominik-roth.eu/dodox/nullpoint/raw/branch/master/install.sh | bash

The installer will:

  • Detect your SSH key from the current session
  • Ask for hostname and username
  • Generate a secure LUKS passphrase (SAVE IT!)
  • Download and configure everything
  • Run Hetzner's installimage automatically

Manual Setup

If you prefer to configure manually:

  1. Boot into Hetzner Rescue Mode

    • Log into Hetzner Robot
    • Select your server → Rescue tab
    • Choose "Linux 64 bit" and activate
    • SSH into rescue system

  2. Download Configuration

    git clone https://git.dominik-roth.eu/dodox/nullpoint.git
cd nullpoint

  3. Configure

    • Edit install.conf and change CRYPTPASSWORD
    • Edit post-install.sh and set your SSH key (REQUIRED!)
    • Optionally configure Tang servers and TPM settings

  4. Install

    installimage -a -c install.conf -s post-install.sh

Post-Installation

  1. First Boot

    • Enter LUKS passphrase twice (once per disk)
    • System will boot into AlmaLinux

  2. Verify Installation

    ssh null@your-server
systemctl status clevis-luks-askpass
lsblk
cat /proc/mdstat  # Check RAID1 status
df -h  # Check filesystem