I will describe and demonstrate Boundery, a Debian derivative to allow non-technical users (including those who have no idea what Linux or Debian are) to securely host server applications in their home using cheap hardware. Example server applications are a complete email server, a Wordpress blog (complete with ActivityPub support), and more.
Using a read-only rootfs and containers, we provide an install, administration and update model that is similar to that of smart phone OSes.
Breaking applications into subcontainers allows better isolation and security. For example, in an email server application, SMTP, spasassassin, clamav, IMAP and webmail can all be separate containers. Further, stateless containers like SMTP, spamassassin and clamav can be torn down and rebuilt for every incoming email, making compromising those services far less impactful to your privacy and security. Private services, like webmail and IMAP are only accessible via VPN, managed transparently for the user.