LXC / Conception
Description
This badly named LXC container (docker containers, inception for nested virtualization) is responsible for running the majority of my services.
Configuration
Resources
| Hostname | CPU | Memory |
|---|---|---|
| conception.hermz | 4 vCPU | 4096MB |
Storage
| Mount Point | Source | Destination |
|---|---|---|
| mp0 | /storage/zpool10/downloads | /storage/downloads |
| mp1 | /storage/zpool10/downloads/incomplete | /storage/downloads/incomplete |
| mp2 | /storage/zpool10/media | /storage/media |
| mp3 | /storage/zpool10/services | /storage/services |
Networking
Interfaces
| ID | Name | Bridge | IP Address | Description |
|---|---|---|---|---|
| net0 | eth0 | vmbr1 | 10.0. |
Access to LAN and WAN |
| net1 | eth1 | vmbr2 | 192.168.0.2/24 | Private network for VPN |
Docker Networks
blackbox_containers (10.0.4.2/21)
All publically accessible containers should be part of this network. The idea is that Traefik receiveslistens publicfor HTTP(S) traffic forwarded from firewall.hermz and proxies it to the appropriate container through this network.
- Containers that are part of this network can directly
addressaccess other containers in this network using theirhostnamehostnames. - Using
goinghostnamesback through SSL or leaving theto networkhowevercontainstheyprovides an IP agnostic way to communicate while reducing overhead of SSL. - Containers in this network are
inaccessiblenotforpublicallyeveryoneaccessible,elseaccesswithoutisgoingcontrolledthrough thewith Traefikproxy.acting as a gatekeeper.
a_wireguarded (192.168.0.2/24)
All containers which should be run through VM / Shield to anonymize their traffic need to be connected to this network.
**NOTE** It is prefixed with a_ because networks are added to containers alphabetically and this must be added first to be assigned as the default gateway or else public bound traffic will not be routed over this network.
Installed Software
Services
See Services