(in case you were wondering: yes, this page was served from inside that AS.)

Christian Hofstede-Kuhn

A FreeBSD-shaped person doing Linux things for a living.

I run my own Autonomous System (AS201379) on the public internet, peer at LocIX and FogIXP, and host basically everything I use on FreeBSD jails. By day, Senior Consultant at Red Hat, working on RHEL, Ansible, FreeIPA and Keycloak.

About Me

Certifications & Credentials

RHCSA Red Hat Certified System Administrator
LPIC-1 Linux Professional Institute Certification
IPv6 Certified Network Specialist

What I'm Running

The infrastructure behind this page, in case you were wondering.

AS201379

Public-internet IPv6-only network

  • 4x FreeBSD edge routers running FRR
  • /48 2a06:9801:1c::/48
  • IXPs: LocIX Düsseldorf, FogIXP Zürich
  • Direct: BGP session with Hetzner (AS24940)
  • Home: MikroTik speaking iBGP, /64 from the /48
FreeBSD FRR RPKI IPv6-only

AS4242422539 / DN42

The hobbyist parallel internet

  • Border: MikroTik CHR (bhyve), 3x WireGuard peers
  • BGP: import/export filters, per-peer local-pref
  • DNS: FreeBSD bastille jail, PowerDNS authoritative for chofstede.dn42
  • Why: BGP is what people in this line of work do instead of model railways
DN42 WireGuard RouterOS

Self-Hosted, All The Way Down

FreeBSD jails on ZFS, inside AS201379

  • This site + the blog (Pelican, static)
  • Mastodon: burningboard.net
  • Mail: Postfix + Dovecot
  • DNS: PowerDNS, Unbound
  • Git: Forgejo + Quadlets, Forgejo CI
  • Home Assistant, Cryptpad, Keycloak, FreeIPA
Jails ZFS Bastille cdist

Day Job: The Red Hat Stack

What customers actually pay me for

  • RHEL 7-10, hardening, lifecycle, ZFS-on-root for the brave
  • Ansible + AAP, Execution Environments, collections
  • FreeIPA / IdM, Kerberos, LDAP, SSSD, SSO
  • Satellite, content lifecycle at scale
  • Keycloak, OIDC, SAML, federation
RHCSA RHEL AAP

Networking, Done Properly

IPv6 first, IPv4 grudgingly

  • BGP: FRR on FreeBSD, BIRD where it fits
  • Filtering: pf, ipfw, GeoIP rules, RPKI valid-or-undefined
  • VPN: WireGuard, IPsec
  • HTTP/3: QUIC on nginx + FreeBSD, because why not
IPv6 Certified BGP FRR

Code & Automation

If I do it twice, it gets a playbook

  • Ansible (since the early days), roles, collections, EE images
  • cdist for FreeBSD jails, because it just works
  • Python, Bash, a bit of Rust when it matters
  • Podman + Quadlets, Java past life still occasionally useful
Ansible Python Podman

How I Got Here

Apr 2026 - Present

Senior Consultant, Red Hat GmbH

Same Red Hat stack as before, more autonomy on the engagements: RHEL, Ansible Automation Platform, FreeIPA / IdM, Satellite, Keycloak. I deliver hands-on across the full lifecycle, from the first whiteboard session to the playbook that survives 3 AM.

RHEL Ansible FreeIPA Satellite Keycloak
Jan 2023 - Mar 2026

Cloud Consultant, Red Hat GmbH

Implementing Red Hat solutions at customer sites: Ansible Automation Platform rollouts, RHEL fleets, FreeIPA / IdM, Satellite for content lifecycle, Keycloak for SSO. The work that taught me most of what I know about scaling automation past the proof-of-concept stage.

RHEL Ansible FreeIPA Satellite Keycloak
Aug 2019 - Dec 2022

IT Engineer, Noventi Health SE

200+ RHEL servers in a healthcare context, with everything that implies: tight change windows, GDPR for actual patient data, and very little tolerance for cleverness. Built out the Ansible automation that ran the fleet, ran Kubernetes for the containerised apps, and learned the difference between an outage and an incident.

RHEL Ansible Kubernetes
Jan 2012 - Aug 2019

Systems Administrator, awitna GmbH

Linux sysadmin work for a mixed bag of customer environments. The job where I picked up Ansible early enough that the docs still fit on one page, and where I started replacing every shell-script-and-cron contraption I saw with playbooks.

Linux Ansible Infrastructure
Apr 2010 - Jan 2012

Java Developer, Medpex GmbH

Backend Java for a busy online pharmacy. Wrote a lot of code, broke a lot of code, and started developing strong opinions about how the box underneath the JVM should behave. That second part eventually won.

Jul 2007 - Apr 2010

Team Lead, Pro-Medisoft AG

Promoted out of the apprenticeship into running a small Java team building eCommerce for healthcare clients. First time I had to care about other people's code reviews, deadlines, and three-day debugging sessions. Useful, not always fun.

Sep 2004 - Jul 2007

Apprenticeship, Pro-Medisoft AG

Three years of German Fachinformatiker apprenticeship: Java, databases, and the full Berufsschule routine. The years where I figured out that computers were going to be the job, not the hobby that pays the bills.

Things I've Built or Run

A few of them are even on the public internet.

ansible_jailexec

An Ansible connection plugin I wrote so you don't have to run sshd inside every FreeBSD jail. SSHs to the host, then jexecs into the jail. The way you'd do it manually, just automated.

# inventory
web-jail  ansible_connection=jailexec \
          ansible_jail_host=jailbox.example.com

AS201379

My own Autonomous System on the public internet. Four FreeBSD edge routers, FRR, IPv6-only, peering at LocIX and FogIXP, direct BGP with Hetzner. Documented on the blog in four parts (so far).

burningboard.net

A small German-speaking Mastodon instance I run for friends and the local tech crowd. Multi-jail FreeBSD setup, documented on the blog. Tooting since 2022, still here.

DN42 / AS4242422539

Same prefixes, different planet. A stub AS in the DN42 hobbyist mesh: MikroTik border, three WireGuard peerings, FreeBSD bastille jail running PowerDNS authoritative for chofstede.dn42.

Forgejo on Podman Quadlets

A Forgejo deployment running entirely on rootless Podman + Quadlets, fronted by Traefik. The setup I run for my own git, written up so others don't have to repeat the pain.

blog.hofstede.it

50+ long-form posts on FreeBSD, BGP, jails, Ansible, ZFS, identity management. Pelican-generated, served by nginx in a jail, inside AS201379. The thing this whole setup actually exists for.

From the Blog

Long-form notes from the lab. Mostly FreeBSD, BGP, and infrastructure I'd want to read about myself.

2026-04-24

Joining DN42: WireGuard, BGP, and a FreeBSD Jail

Registering AS4242422539, three WireGuard peerings on a MikroTik border, and a FreeBSD bastille jail running PowerDNS authoritative for chofstede.dn42.

2026-04-16

AS201379 Part 4: Direct Hetzner Peering

A fourth FreeBSD edge router at iFog, a direct BGP session with Hetzner on FogIXP, and bringing the home LAN into the /48 via an iBGP-speaking MikroTik.

2026-03-23

Dual-FIB Policy Routing on FreeBSD

Two completely independent uplinks on one server, using FreeBSD's dual-FIB routing tables and pf's rtable / reply-to directives. Zero confusion, eventually.

2026-02-14

RHEL on ZFS Root: An Unholy Experiment

Running RHEL on ZFS root is not supported. I did it anyway. Here's how this cursed configuration came to be, why you shouldn't replicate it, and what the proper alternative looks like.

Get in Touch

Mail: info@hofstede.it. PGP key on Keyoxide. I usually answer within a day or two.

Peering: peering@hofstede.it (see the AS201379 page for policy).

Legal Notice

Information according to § 5 TMG

Name: Christian Hofstede-Kuhn

Address: Seebacher Str. 6
67112 Mutterstadt
Deutschland

Contact: info@hofstede.it