nullpoint


Secure Fedora Server setup with LUKS encryption, TPM, and BTRFS RAID1 for Hetzner Dedicated Servers.

Features

  • Fedora Server base
  • Full disk encryption with LUKS
  • Remote unlock via Tang server
  • TPM-based boot verification
  • BTRFS RAID1 for data redundancy
  • Dedicated database subvolume with nodatacow and noatime
  • Enhanced shell environment with zsh, Oh My Zsh, Powerlevel10k, and an amazing custom theme
  • SSH key-only access with early boot SSH via dropbear

If you need a dead man's switch to go along with it, check out raven.

Security Model

Unlock Methods

The system uses multiple methods to unlock the LUKS volumes:

  1. Primary Method: TPM2 + Tang server
    • TPM2 verifies boot integrity
    • Tang server provides remote unlock capability
    • Both must succeed for automatic unlock
  2. Fallback Method: Manual passphrase
    • Available via SSH before LUKS unlock
    • Uses dropbear for early SSH access
    • Can be used for recovery or maintenance

TPM Updates

After firmware updates (UEFI/BIOS), the TPM bindings must be updated; otherwise the system will not boot without the recovery passphrase:

  1. Use the provided script: sudo /root/update-tpm-bindings.py
  2. The script will:
    • Show current PCR values
    • Update TPM bindings to match new measurements
    • Verify all bindings are correct
  3. Manual passphrase is available in /root/luks-passphrase.txt if needed
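As an added example (not the repo's update-tpm-bindings.py, which the page does not reproduce), the Python below mirrors the unlock model and the update steps above: it builds the Clevis sss config in which both the TPM2 and Tang pins must succeed, checks a `clevis luks list` listing for a slot bound that way, and re-seals matching slots with `clevis luks regen` after a firmware update. Only the device path /dev/sda2 comes from the page; the Tang URL, thumbprint, PCR list and the sample listing are placeholders or constructed, and whether a listed pin appears as an object or a list is an assumption the parser handles both ways.

```python
"""Verify and re-seal a Clevis sss (TPM2 + Tang) LUKS binding after a firmware update.
Added example (not the repo's update-tpm-bindings.py); assumes clevis(1) and the placeholders below."""
import json, re, subprocess

DEV = "/dev/sda2"                          # LUKS device named on the page
TANG_URL = "http://tang.example.internal"  # placeholder
TANG_THP = "TANG_THUMBPRINT_PLACEHOLDER"   # placeholder, from `tang-show-keys`
PCR_IDS = "7"                              # Secure Boot state; set to your PCR policy
_LINE = re.compile(r"^(\d+):\s+(\S+)\s+'(.*)'$")  # `clevis luks list` line: SLOT: PIN '<json>'
SAMPLE_LISTING = """\
1: sss '{"t":2,"pins":{"tang":[{"url":"http://tang.example.internal"}],"tpm2":[{"pcr_bank":"sha256","pcr_ids":"7"}]}}'
2: tang '{"url":"http://old.example"}'
"""  # constructed sample listing, not captured from a real host

def sss_config(tang_url=TANG_URL, tang_thp=TANG_THP, pcr_ids=PCR_IDS):
    """Threshold 2 of 2 pins: both the TPM2 unseal and the Tang exchange must succeed."""
    return {"t": 2, "pins": {"tpm2": {"pcr_bank": "sha256", "pcr_ids": pcr_ids},
                             "tang": {"url": tang_url, "thp": tang_thp}}}

def parse_clevis_list(output):
    """Parse `clevis luks list -d DEV` output into {slot: (pin, config)}."""
    slots = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if m:
            slots[int(m.group(1))] = (m.group(2), json.loads(m.group(3)))
    return slots

def _pin_cfgs(pins, name):
    cfg = pins.get(name, [])  # a listed pin may appear as an object or a list of objects (assumption)
    return cfg if isinstance(cfg, list) else [cfg]

def bound_slots(slots, tang_url=TANG_URL, pcr_ids=PCR_IDS):
    """Slots bound with sss t=2 over tpm2 on the expected PCRs and the expected Tang URL."""
    good = []
    for slot, (pin, cfg) in slots.items():
        pins = cfg.get("pins", {}) if pin == "sss" and cfg.get("t") == 2 else {}
        tpm_ok = any(c.get("pcr_ids") == pcr_ids for c in _pin_cfgs(pins, "tpm2"))
        tang_ok = any(c.get("url") == tang_url for c in _pin_cfgs(pins, "tang"))
        if tpm_ok and tang_ok:
            good.append(slot)
    return sorted(good)

def regen_tpm_bindings(dev=DEV):
    """Re-seal every matching sss slot against the current PCRs; returns the slots still bound."""
    def listing():
        return subprocess.run(["clevis", "luks", "list", "-d", dev], check=True,
                              capture_output=True, text=True).stdout
    for slot in bound_slots(parse_clevis_list(listing())):
        subprocess.run(["clevis", "luks", "regen", "-q", "-d", dev, "-s", str(slot)], check=True)
    return bound_slots(parse_clevis_list(listing()))
```

Run `regen_tpm_bindings()` as root on the server itself after a firmware update; an empty return value means no slot is bound the way the security model expects and the manual passphrase is the only unlock path.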

Setup

  1. Configure Installer

    # Edit the variables at the top of install.sh:
    vim install.sh

    Set your:

    • Tang server URLs and thumbprints
    • TPM PCR settings
    • Fedora version
    • SSH public key for the default user

  2. Install on Hetzner Server

    • Log into Hetzner Robot
    • Select your server
    • Go to "Rescue" tab
    • Choose "Linux" and "64 bit"
    • Activate Rescue System
    • Upload the installer:
      scp install.sh root@your-server:/root/
    • SSH into Rescue System:
      ssh root@your-server
    • Make it executable and run:
      chmod +x install.sh
      ./install.sh
    • Wait for installation to complete
    • Reboot the server

  3. Verify Installation

    ssh null@your-server
    systemctl status clevis-luks-askpass
    lsblk
    btrfs filesystem show  # Check RAID1 status
    clevis-luks-list -d /dev/sda2