

archlinux + podman / libvirtd + nomad (libvirt and docker plugins) + ansible / terraform + vault / consul sometimes
UPD:
archlinux - base os. You never need change major version and that is great. I update core systems every weekend.
podman / libvirtd - 2 types of core abstractions. podman - docker containers management, libvirtd - VM management.
nomad - Hashicorp orcestrator. You can run exec, java application, container or virtual machine on one way with that. Can integrate with podman and libvirtd.
ansible - VM configuration playbooks + core system updates
terraform - engine for deploy nomad jobs (docker containers. VMs. execs or something else)
Vault - K/V storage. I save here secrets for containers and VMs
consul - service networking solution if you need realy hard network layer
As a result, I’m not really sure if it’s a simple level or a complex one, but it’s very flexible and convenient for me.
UPD2: As a result, I described the applications level, but in fact it is 1 very thick server on AMD Epic with archlinux. XD By the way, the lemmy node from which I write is just on it. =) And yes, it’s still selfhosted.
Enable packet forwarding via interfaces:
# cat /etc/sysctl.d/01-forward.conf net.ipv4.ip_forward = 1 net.ipv6.conf.all.forwarding = 1 net.ipv6.conf.default.forwarding = 1
Then install isc-dhcp-server and configure ipv4 and ipv6 dhcp server. (only on local ports or you internet prowider will be angry)
short example:
# cat /etc/dhcpd.conf ddns-update-style interim; ddns-updates on; ddns-domainname "my.local"; ddns-rev-domainname "in-addr.arpa"; allow client-updates; update-conflict-detection true; update-optimization true; authoritative; default-lease-time 86400; preferred-lifetime 80000; max-lease-time 86400; allow leasequery; option domain-name "my.local"; option domain-name-servers 192.168.1.1; lease-file-name "/var/lib/dhcp/dhcpd.leases";
# cat /etc/dhcpd6.conf ddns-update-style interim; ddns-updates on; ddns-domainname "my.local"; ddns-rev-domainname "ip6.arpa"; allow client-updates; update-conflict-detection true; update-optimization true; authoritative; default-lease-time 86400; preferred-lifetime 80000; max-lease-time 86400; allow leasequery; option domain-name "my.local"; option dhcp6.name-servers fd00:1::1; option dhcp6.domain-search "my.local"; option dhcp6.preference 255; dhcpv6-lease-file-name "/var/lib/dhcp/dhcpd6.leases";
don’t forget start dhcpd@lan and dhcpd6@lan
Then install radvd and configure RA ipv6 broadcasting. (only on local ports or you internet prowider will be angry)
# cat /etc/radvd.conf interface br0 { AdvSendAdvert on; MinRtrAdvInterval 3; MaxRtrAdvInterval 10; AdvDefaultPreference low; AdvHomeAgentFlag off; prefix fd00:1::/64 { AdvOnLink on; AdvAutonomous on; AdvRouterAddr off; }; RDNSS fd00:1::1 { AdvRDNSSLifetime 30; }; DNSSL my.local { AdvDNSSLLifetime 30; }; };
Then install iptables-persistent and configure ipv4 and ipv6 rules in /etc/iptables/ . Change lan and internet to you real interfaces.
# cat /etc/iptables/rules.v4 # Generated by iptables-save v1.6.1 on Mon Dec 30 18:53:43 2019 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -o internet -j MASQUERADE COMMIT # Completed on Mon Dec 30 18:53:43 2019 *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] #UNBRICK IF YOU WANT ACCESS FROM INTERNET -A INPUT -s x.x.x.x -j ACCEPT -A INPUT -s y.y.y.y -j ACCEPT #BASE -A INPUT -i lo -j ACCEPT -A INPUT -i lan -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lan -j ACCEPT -A FORWARD -p icmp -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT COMMIT
# cat /etc/iptables/rules.v6 # Generated by ip6tables-save v1.6.0 on Thu Sep 8 13:29:11 2016 *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A POSTROUTING -o internet -j MASQUERADE COMMIT *filter :INPUT DROP [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] #BASE INPUT -A INPUT -i lo -j ACCEPT -A INPUT -i lan -j ACCEPT -A INPUT -p ipv6-icmp -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i lan -j ACCEPT -A FORWARD -p ipv6-icmp -j ACCEPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT COMMIT
Then install dns relay. I user bind, but that some overkill. But anyway:
install named / bind9
# cat /etc/named.conf ... acl "lan" { 192.168.1.0/24; 127.0.0.1; fd00:1::/64; ::1/128; }; tls google-DoT { ca-file "/var/named/google.crt"; //SET google cert path here remote-hostname "dns.google"; }; tls local-cert { //if you want local SSL requests cert-file "/etc/letsencrypt/live/local/cert.pem"; key-file "/etc/letsencrypt/live/local/privkey.pem"; }; options { directory "/var/named"; pid-file "/run/named/named.pid"; forwarders port 853 tls google-DoT { 8.8.8.8; 8.8.4.4; }; // Uncomment these to enable IPv6 connections support // IPv4 will still work: //listen-on-v6 { any; }; // Add this for no IPv4: //listen-on { any; }; listen-on-v6 { fd00:1::1; ::1; }; listen-on { 192.168.1.1; 127.0.0.1; }; listen-on-v6 tls local-cert { fd00:1::1; ::1; }; //if you want local SSL requests listen-on tls local-cert { 192.168.1.1; 127.0.0.1; }; //if you want local SSL requests allow-recursion { lan; }; allow-recursion-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; }; allow-transfer { none; }; allow-update { none; }; allow-query { lan; }; allow-query-cache { lan; }; allow-query-cache-on { 192.168.1.1; fd00:1::1; 127.0.0.1; ::1; }; version "DNS Server 1"; hostname "interesting server"; server-id "realy interesting server"; dnssec-validation auto; empty-zones-enable no; minimal-responses yes; http-port 8888; listen-on http local tls none { any; }; listen-on-v6 http local tls none { any; }; auth-nxdomain no; # conform to RFC1035 }; ...
All done.