LXC / Contained (out-of-date)

Description

A LXC container using nested virtualization responsible for running the majority of my services that run as docker containers.

Configuration

Resources

Hostname	CPU	Memory
contained	6 vCPU	24GB

Storage

Mount Point	Source	~~Destination~~Mount Path	Size	Options
rootfs	local-zfs:subvol-100-disk-0	/	8GB	noatime
mp0	/storage/zpool10/downloads	/storage/downloads	-	noatime;nodev;noexec;nosuid
mp1	/storage/zpool10/downloads/incomplete	/storage/downloads/incomplete	-	noatime;nodev;noexec;nosuid
mp2	/storage/zpool10/media	/storage/media	-	noatime;nodev;noexec;nosuid
mp3	/storage/zpool10/services	/storage/services	-
mp4	~~/storage/zpool10/services/plex~~vpool-zfs:subvol-100-disk-1	/~~storage/services/plex~~
~~mp5~~var/lib/docker	~~/storage/zpool10/services/piwigo~~384GB	~~/storage/services/piwigo~~noatime

~~NOTE:~~ mp4 ~~and~~ mp5 ~~are exlpicitly listed because LXC doesn't support recursively mounting any nested mountpoints need to be specified.~~

Networking

Interfaces

~~networkfor VPN~~

ID	Type	Name	~~Bridge~~Link	IPIPv4 Address	IPv6 Address	Description
net0	bridge	eth0	vmbr3	10.0.8.2/21	DHCPv6	DMZ
net1	~~eth1~~bridge	~~vmbr2~~eth2	~~192.168.0.2/24~~vmbr4	~~Private~~-	-	WARP

Docker Networks

A brief overview of how I have my networking setup for Docker.

blackbox_containers

Type	Gateway	IP/Subnet	IP Range
~~10.0.2.1~~bridge	~~10.0.4.2/21~~-	~~10.0.4.0/24~~-	-

Traefik binds to the host ports on LXC / Contained for HTTP(S) traffic that has been forwarded from firewall and proxies it to the appropriate container using this bridge network.

Containers that are part of this network can directly access other containers in this network using their hostnames and/or container names.
Using hostnames to network containers provides an IP agnostic way to communicate while reducing overhead of SSL.
Containers in this network are not publically accessible, access is controlled with Traefik acting as a gatekeeper.

**NOTE** All publically accessible containers should be part of the blackbox_containers network.

a_wireguardeda_transport

Type	Gateway	IP/Subnet	IP Range
~~192.168.~~macvlan	10.0.9.1	~~192.168.~~10.0.9.2/24	~~192.168.~~10.0.~~2/24~~9.128/25

All containers which ~~should be run through~~ ~~VM / Shield~~ ~~to anonymize their traffic~~ need toanonimity should be connected to this ~~network.~~network so their traffic is automatically routed through a VPN. It is prefixed with a_ because networks are added to containers alphabetically and this must be added first to be assigned as the default ~~gateway or else public bound traffic will not be routed over this network.~~gateway.

**NOTE** All containers that want to mask the location of their traffic should be ~~party~~part of the a_wireguardeda_transport network.

a_host_macvlan (10.0.2.64/27)

~~Gateway~~	~~IP/Subnet~~	~~IP Range~~
~~10.0.2.1~~	~~10.0.4.64/27~~	~~10.0.4.64/27~~

~~This is a macvlan network that very few containers should need since its purpose is to expose containers to the LAN.~~

Installed Software

Services

See Services