I’m exclusively running unprivileged LXC containers and haven’t had any issues regarding the firewall, neither with iptables nor nftables.
No, it is not like Docker. You can treat an LXC container pretty much like a VM in most instances, including firewall rules. To answer the question, you can use fail2ban just like you had done in your VM, meaning you can run it inside the LXC container, where fail2ban can change the firewall rules of that container as it sees fit.
You could give bubblewrap a try instead. It is quite similar to systemd-nspawn.
What does it offer that nginx doesn't?
Automatic HTTPS, you don’t have to use certbot or something similar to get/renew certificates. Also, its configuration is really simple and straightforward.
The guide mentions:
Your ISP will give you the first 64 bits, and your host machine will have the last 64 bits.
This isn’t correct. While some ISPs do give you the first 64 bits (a /64 prefix), this isn’t recommended and not terribly common either. An ISP should give its users prefixes with fewer than 64 bits. Typically a residential user will get a /56 and commercial users usually get a /48. With such a prefix the user can then generate multiple /64 networks which can be used on the local network as desired.
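As an added illustration of the prefix arithmetic in the comment above (this is not code from the commenter or the guide), the snippet below uses Python's standard `ipaddress` module to show how many /64 networks a delegated /56 or /48 yields, carves out the first few of them, and assembles a host address by appending a 64-bit interface identifier. The prefixes are constructed samples from the 2001:db8::/32 documentation range; the function names are my own.

```python
import ipaddress
import itertools


def subnet_count(prefix: str, new_prefix: int = 64) -> int:
    """Number of `new_prefix`-sized networks a delegated prefix can be split into.

    A /56 yields 2**(64-56) = 256 networks, a /48 yields 65536, and a /64
    delegation yields exactly one (there are no bits left to subnet).
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen > new_prefix:
        raise ValueError(f"{prefix} is already smaller than a /{new_prefix}")
    return 2 ** (new_prefix - net.prefixlen)


def delegated_subnets(prefix: str, new_prefix: int = 64, limit: int = 4) -> list[str]:
    """First `limit` /64 networks carved from the delegated prefix, in order."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    return [str(s) for s in itertools.islice(net.subnets(new_prefix=new_prefix), limit)]


def host_address(subnet: str, interface_id: int) -> str:
    """Combine a /64 network (upper 64 bits) with a 64-bit interface identifier.

    This mirrors what SLAAC does: the router advertises the /64, the host
    supplies the lower 64 bits itself.
    """
    net = ipaddress.IPv6Network(subnet, strict=True)
    if net.prefixlen != 64:
        raise ValueError("interface identifiers are defined for /64 networks")
    if not 0 <= interface_id < 2 ** 64:
        raise ValueError("interface identifier must fit in 64 bits")
    return str(ipaddress.IPv6Address(int(net.network_address) | interface_id))


if __name__ == "__main__":
    # Constructed sample: a residential /56 from the documentation range.
    delegated = "2001:db8:abcd:100::/56"
    print(f"{delegated} -> {subnet_count(delegated)} x /64 networks")
    for sub in delegated_subnets(delegated, limit=3):
        # Interface id 1 is a typical router/gateway address on each LAN.
        print(f"  {sub}  gateway {host_address(sub, 1)}")
```

Running it prints the 256 available /64s for the sample /56 and the first three of them with a gateway address each; pass a /48 to see the 65536 networks a commercial delegation offers.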
While you certainly can run AI models that require such a beefy GPU, there are plenty of models that run fine even on a CPU-only system. So it really depends on what exactly Ollama is going to be used for.
Edit: 75 LXC containers, 22 VMs.
That’s a lot of power draw for so few VMs and containers. Any particular applications running that justify such a setup?
I would advise against using SSDs for storage of media and such. Not only because of their higher price, but also because flash memory cells tend to fade over time, causing read speeds to decrease considerably over time. This is particularly the case for mostly read-only workloads. For each read operation the flash memory cell being read loses a bit of its charge. Eventually the margin for the controller to be able to read the data will be so small that it takes the controller lots of read operations to figure out the correct data. In the worst case this can lead to the SSD controller being unable to read some data altogether.