Hello,
I have an idea, but first I want to run it through more experienced people than me, just to make sure it is the right way to do it. I have a home server where I host a couple of services (deluge, jackett, plex), some programs (mkvtools, filebot) and want to run a few extra things (pfSense, OpenVPN, reverse proxy, etc.). All these things used to run directly on my home server. I had to upgrade my server completely, and basically it’s time to install (almost) everything from scratch. Most things are pretty simple, but for others I have to manually reconfigure them. Even though migrating to a new server doesn’t happen very often (maybe once every 5 years), I was thinking that maybe trying LXC would save me some time in the future. I’ve also heard about Ansible, and while it’s not the same thing as LXC, it might be a tool that helps me migrate everything from one server to another more easily. This is where I want advice: I’m holding a hammer and everything looks like a nail right now.
The main task assigned to the server is to be a centralized storage for all my data. This is achieved through a combination of ZFS and SMB to share the directories (this will become relevant ahead), along with some clever ACLs, users and groups to achieve a system compliant with the principle of least privilege. Everything else is just an add-on to the server.
I played around with LXC to see how it would fit into this idea, first creating privileged containers (which are unsuitable if I ever decide to open the server to the internet in lieu of OpenVPN) and then using unprivileged containers. The advantage of privileged containers is that mounting directories (remember ZFS?) is a breeze, configuration is minimal and granting the container RW access is almost transparent. Unprivileged containers, while more secure by design, have a very hard time with mounts.
It feels like going through the motions of properly configuring the containers to work as I want them to is just not worth it. Creating users and groups for the containers, creating mounts specific to each container so they have RW access but only to the directories they need, the LXC configuration related to unprivileged containers, and all that just to achieve what I could do on bare metal seems like too much work, with the small advantage of being able to (almost) copy-paste the container onto the new server or a new machine with minimal effort, which doesn’t happen very often.
So, maybe I’m using the wrong tool for the job, maybe I’m using the tool incorrectly, maybe there are some tools I’m missing in my solution, or my solution is just trash, but it feels like reinventing the wheel just for the sake of a home server. I’m also considering that maybe not everything has to be a container: some things should run on bare metal, some others as a privileged container and others as an unprivileged container.
I’m not afraid of learning new tools or getting my hands dirty, actually, learning is part of this big hobby, but it seems like I’ve reached kind of a dead end and I’m not sure which direction would be the most appropriate one, so I come to you looking for the expertise I’m lacking in the subject.
Hope I’ve provided enough information and I didn’t bore you too much with my post.
Looking forward to your suggestions.
Thanks!
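The unprivileged-container mount problem described in the post comes from uid/gid shifting: container root becomes an unprivileged host id, so a bind-mounted ZFS dataset owned by a host group looks read-only or "nobody" from inside. The script below, an added example and not code from the post, generates the LXC 3 `lxc.idmap` lines that pass a single host gid through the shift so one service gets RW on just its dataset; the values (range 100000..165535, host group 1001, dataset /tank/media) are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the post. Unprivileged LXC shifts every id in the
# container by a fixed offset (container root = host uid/gid 100000 here), so
# a bind-mounted dataset owned by a host group is not writable from inside.
# The fix is to punch ONE host id through the shift so the service inside
# sees the dataset's owning group as its own, leaving all other ids shifted.
# Assumed, constructed values: private range 100000..165535, host group 1001
# owns the dataset, the container's service user is also gid 1001.

# gen_idmap TYPE BASE SIZE HOST_ID CT_ID
#   TYPE     u or g
#   BASE     first host id of the container's private range (e.g. 100000)
#   SIZE     number of ids in that range (e.g. 65536)
#   HOST_ID  host id to pass through unshifted
#   CT_ID    id inside the container that should map to HOST_ID
# Prints the lxc.idmap lines: shifted ids below CT_ID, the single pass-through
# id, then the shifted ids above it. Fails if CT_ID is outside the range.
gen_idmap() {
    t=$1 base=$2 size=$3 host=$4 ct=$5
    if [ "$ct" -ge "$size" ]; then
        echo "gen_idmap: CT_ID $ct is outside a range of $size ids" >&2
        return 1
    fi
    [ "$ct" -gt 0 ] && echo "lxc.idmap = $t 0 $base $ct"
    echo "lxc.idmap = $t $ct $host 1"
    rest=$((size - ct - 1))
    [ "$rest" -gt 0 ] && echo "lxc.idmap = $t $((ct + 1)) $((base + ct + 1)) $rest"
    return 0
}

# mount_entry HOST_PATH CT_PATH: bind only the dataset this service needs;
# CT_PATH is relative to the container rootfs, as LXC expects.
mount_entry() {
    echo "lxc.mount.entry = $1 $2 none bind,create=dir 0 0"
}

# Host side: root's /etc/subgid must also grant the passed-through gid,
# e.g. "root:1001:1" next to the usual "root:100000:65536" line.
# Container config fragment for a media service (uids stay fully shifted):
echo "lxc.idmap = u 0 100000 65536"
gen_idmap g 100000 65536 1001 1001
mount_entry /tank/media media
```

Inside the container, run the service as gid 1001 and keep the dataset's ACLs group-writable; every other host id stays invisible to the container, which is the least-privilege split the post is after.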