Hardware Recommendations

The following devices are recommended when deploying each Sovereign Stack data center location.



Your perimeter firewall plays a critical role in the operation of Sovereign Stack. It provides all the base networking functions for the network underlay. It also provides the basis for isolating your various devices and enforcing network policy.

A good example device is the Protectli Vault – 6 Port. Consider buying directly from the manufacturer to minimize supply chain risks. Also, depending on your budget, buy the Pro version, which comes with support and additional security features such as coreboot.

Get something that has AT LEAST SIX network interfaces. More is better for future use cases. Each port essentially represents one or more physical security domains to which network policy (i.e., firewall rules) can be applied and enforced. Note that each port MAY carry multiple VLANs, each of which can represent a DMZ.

Get something that has a reasonable amount of RAM. 16GB+ is probably sufficient unless you plan on using your firewall for more computationally intensive operations. For the purposes of Sovereign Stack, we just use basic services (e.g., DHCP, DNS, DDNS, DNS over TLS).

Network Switch

Any VLAN-capable Ethernet switch that can be remotely managed can be used with Sovereign Stack. It is better if it supports VLAN tagging (802.1Q trunk mode) for future wireless and other use cases. There are lots of old switches on eBay, or even at places like Goodwill! Make sure your access ports are AT LEAST 1 Gbps. Whatever switch you get, ensure you load the latest firmware on it!

Cluster Host(s)

Any x64 device such as an Intel NUC or Librem Mini (RECOMMENDED) with a MINIMUM of 1 TB SSD/NVMe storage and at least 32 GB of memory is recommended for most use cases. However, you can choose any device you want. At the end of the day, Sovereign Stack software runs within hardware-based virtual machines, so your device MUST support creating Type-1 VMs.

Each cluster host MUST have AT LEAST ONE physical network connection. If you have more physical connections, you can isolate the management plane (i.e., SSH and LXD API over TLS) to a dedicated interface. TODO Link to instructions.
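
A quick way to check a candidate cluster host against the minimums above before committing to it. This is an added example, not part of Sovereign Stack; the function names, the 30 GiB tolerance for reported memory, and the use of the vmx/svm CPU flags as the virtualization test are assumptions.

```sh
#!/bin/sh
# Added example (not Sovereign Stack code): preflight check of a candidate
# cluster host against the minimums listed above. Each function takes its
# input as an argument so it also runs on constructed sample files.

MIN_MEM_GIB=30                 # assumption: 32 GB installed reports as ~31 GiB
MIN_DISK_BYTES=1000000000000   # 1 TB as marketed (decimal)

# Succeeds if the CPU flags include Intel VT-x (vmx) or AMD-V (svm).
has_hw_virt() {
    grep -E '^flags' "${1:-/proc/cpuinfo}" | grep -Eqw 'vmx|svm'
}

# Prints MemTotal in whole GiB (the kernel reports it in kB).
mem_gib() {
    awk '/^MemTotal:/ { printf "%d\n", $2 / 1048576 }' "${1:-/proc/meminfo}"
}

# Prints the number of interfaces backed by real hardware. Virtual
# interfaces (lo, bridges, veth) have no "device" entry in sysfs.
count_phys_nics() {
    n=0
    for i in "${1:-/sys/class/net}"/*; do
        if [ -e "$i/device" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Usage: check_host CPUINFO MEMINFO NET_SYSFS_DIR LARGEST_DISK_BYTES
# Prints one line per missed minimum; returns non-zero if any was missed.
check_host() {
    rc=0
    has_hw_virt "$1" || { echo "FAIL: no vmx/svm CPU flag"; rc=1; }
    [ "$(mem_gib "$2")" -ge "$MIN_MEM_GIB" ] || { echo "FAIL: under 32 GB memory"; rc=1; }
    [ "$4" -ge "$MIN_DISK_BYTES" ] || { echo "FAIL: largest disk under 1 TB"; rc=1; }
    nics=$(count_phys_nics "$3")
    [ "$nics" -ge 1 ] || { echo "FAIL: no physical network interface"; rc=1; }
    [ "$nics" -ge 2 ] || echo "NOTE: single NIC, management plane cannot get its own interface"
    return "$rc"
}

# On the live host (lsblk -bdno SIZE lists whole-disk sizes in bytes):
#   check_host /proc/cpuinfo /proc/meminfo /sys/class/net \
#       "$(lsblk -bdno SIZE | sort -n | tail -n 1)"
```

A host that passes with the single-NIC note still meets the minimum; the note only flags that SSH and the LXD API will share an interface with other traffic.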

You will learn how to prepare a new cluster host for Sovereign Stack in a later post.


