# LXC / contained

<img src="https://upload.wikimedia.org/wikipedia/commons/0/04/Debian_logo.png" class="machine hardware" />

## Description

A LXC container using nested virtualization responsible for running the majority of my services that run as docker containers.

## Configuration

### Resources
| Hostname  | CPU     | Memory |
|-----------|---------|--------|
| contained | 6 vCPU  | 24GB   |

### Storage

| Mount Point | Source | Mount Path | Size | Options |
|-------------|--------|------------|------|---------|
| rootfs | local-zfs:subvol-100-disk-0 | / | 8GB | noatime |
| mp0 | /storage/zpool10/downloads | /storage/downloads | - | noatime;nodev;noexec;nosuid
| mp1 | /storage/zpool10/downloads/incomplete | /storage/downloads/incomplete | - | noatime;nodev;noexec;nosuid |
| mp2 | /storage/zpool10/media | /storage/media | - | noatime;nodev;noexec;nosuid |
| mp3 | /storage/zpool10/services | /storage/services | - | |
| mp4 | vpool-zfs:subvol-100-disk-1 | /var/lib/docker | 384GB | noatime |

### Networking

### Interfaces

| ID | Type | Name | Link | IPv4 Address | IPv6 Address | Description |
|----|------|------|------|--------------|--------------|-------------|
| net0 | bridge | eth0 | vmbr3 | 10.0.8.2/21 | DHCPv6 | DMZ |
| net1 | bridge | eth2 | vmbr4 | - | - | WARP

### Docker Networks

A brief overview of how I have my networking setup for Docker.

#### blackbox_containers

| Type   | Gateway  | IP/Subnet   | IP Range    |
|--------|----------|-------------|-------------|
| bridge | - | - | - |

[Traefik](https://bookstack.swigg.net/books/blackboxhermz/page/traefik) binds to the host ports on [LXC / Contained](https://bookstack.swigg.net/books/blackboxhermz/page/lxc-contained) for HTTP(S) traffic that has been forwarded from [firewall](https://bookstack.swigg.net/books/firewall) and proxies it to the appropriate container using this bridge network.

- Containers that are part of this network can directly access other containers in this network using their hostnames and/or container names.
- Using hostnames to network containers provides an IP agnostic way to communicate while reducing overhead of SSL.
- Containers in this network are not publically accessible, access is controlled with Traefik acting as a gatekeeper.

**\*\*NOTE\*\*** All publically accessible containers should be part of the `blackbox_containers` network. 

##### Creation Command
```bash
docker network create --driver bridge blackbox_containers
```

#### a_warp

| Type    | Gateway     | IP/Subnet      | IP Range       |
|---------|-------------|----------------|----------------|
| macvlan | 10.0.9.1    | 10.0.9.2/24    | 10.0.9.128/25 |

All containers which need anonimity should be connected to this network so their traffic is automatically routed through a VPN. It is prefixed with `a_` because networks are added to containers alphabetically and this must be added first to be assigned as the default gateway.

<p class="callout info"><strong>**NOTE**</strong> All containers that want to mask the location of their traffic should be part of the <code>a_warp</code> network.</p>

##### Creation Command
```bash
docker network create --driver macvlan --subnet 10.0.9.2/24 --gateway 10.0.9.1 --ip-range 10.0.9.128/25 --opt parent=eth2 a_warp
```

### Installed Software

- [Docker](https://docker.com)
- [Netdata](https://www.netdata.cloud)