The embedded IoT crowd would like to refute your claim that there are no operating systems that you can install and forget.

The collective would like to stress that any operating system can be installed and forgotten. Please note, that usefulness and security may be impacted.

/s

Also, to be technical there is CollapseOS which is an install once and forget sort of thing.

My first new computer was an Acer Aspire One netbook with Windows 7 starters. I quickly realized what “starter” meant and discovered Ubuntu 10.10 Netbook Remix. The rest is history.

Not sure, currently have 8 nodes and 40 apps running

Use tailscale for host nodes, use tailscale docker container in a compose stack with an app that you sidecar to. That way that app is on your tailnet as if it is its own computer. Use tailscale serve for reverse proxying support of the apps. Then, setup a vps node (I use linodes $5 node) with tailscale and configure that to be your DMZ into your tailnet.

For DMZ, use Caddy, UFW, and fail2ban. Also take advantage of ACLs in the Tailscale admin console to only have the VPS able to route traffic to specific apps you want to expose. My current project is to work in Authelia into this setup so a user logs into one exposed app and is able to traverse to other exposed apps through header / token authentication.

Oh also, segment the tailnet using different authentication keys. Each host node should have its own key, all the apps on a host node should have a shared key, and all public facing clients should have a common shared key. That way in case of compromise you can revoke the affected keys without bringing down your network.

When you end up having a mini homelab look into komo.do for container orchestration over the overkill options like kubernetes or portainer