LXC / Conception
Description
This badly named LXC container (docker containers, inception for nested virtualization) is responsible for running the majority of my services.services that run as docker containers.
Configuration
Resources
| Hostname | CPU | Memory |
|---|---|---|
| conception.hermz | 4 vCPU | 4096MB |
Storage
| Mount Point | Source | Destination |
|---|---|---|
| mp0 | /storage/zpool10/downloads | /storage/downloads |
| mp1 | /storage/zpool10/downloads/incomplete | /storage/downloads/incomplete |
| mp2 | /storage/zpool10/media | /storage/media |
| mp3 | /storage/zpool10/services | /storage/services |
Networking
Interfaces
| ID | Name | Bridge | IP Address | Description |
|---|---|---|---|---|
| net0 | eth0 | vmbr1 | 10.0.4.2/21 | Access to LAN and WAN |
| net1 | eth1 | vmbr2 | 192.168.0.2/24 | Private network for VPN |
Docker Networks
blackbox_containers (10.0.4.2/21)
Traefik binds to the host ports on LXC / Conception for HTTP(S) traffic that has been forwarded from firewall.hermz and proxies it to the appropriate container using this network.
- Containers that are part of this network can directly access other containers in this network using their hostnames.
- Using hostnames to network contains provides an IP agnostic way to communicate while reducing overhead of SSL.
- Containers in this network are not publically accessible, access is controlled with Traefik acting as a gatekeeper.
**NOTE** All publically accessible containers should be part of the blackbox_containers network.
a_wireguarded (192.168.0.2/24)
All containers which should be run through VM / Shield to anonymize their traffic need to be connected to this network. It is prefixed with a_ because networks are added to containers alphabetically and this must be added first to be assigned as the default gateway or else public bound traffic will not be routed over this network.
**NOTE** All containers that want to mask the location of their traffic should be party of the a_wireguarded network.
Installed Software
Services
See Services