LXC and Friends

With Proxmox in place, I started work on LXC containers. They really are wonderful. Fast to start up, way lower memory footprint, and much easier configuration in general. Without the long wait for VMs to fully install, I have a lot more motivation to set up some stuff I've been planning.

First up is WireGuard. WireGuard required some fiddling because Proxmox's Linux kernel has not integrated the kernel module. While I could've achieved this on a virtual machine without altering my hypervisor, I felt WireGuard was worth it. WireGuard is so easy to set up and comes with an extremely low latency cost. Now that my Android device is always routed through WireGuard, I have a lot more options to secure and experiment with its networking.

Next up is a popular favourite, Pi-hole. I've always been hesitant about installing Pi-hole on a physical device like an RPi or a VM because it felt like overkill for such a simple application. A containerized environment is just perfect. I've also wired devices connected to my WireGuard instance to use Pi-hole as the DNS server. It was enlightening knowing what my devices are doing. Side note: Firefox's telemetry service is pretty aggressive if you leave it on.

The last application is Apache Guacamole. This is a rather "heavy" application because it runs on Java Tomcat, but Guac is seriously amazing. If you've always been worried about securing entry to your devices, fear no more. With Guac, you can use your browser as the remote gateway to your internal network. I've never wanted to expose my SSH jumper to the ravages of the Internet, so Guac allows me to have 2-factor authentication and easy access to my internal network while I'm not at home. Why not connect to my WireGuard instance, you say? Mainly because I have not automated adding devices to my WireGuard instance, so the manual work is still slightly cumbersome. Also, Guac does not require any specialized remote tools such as OpenSSH or PuTTY; it only requires a browser that supports SSL.

The Drawbacks

Perhaps the largest drawback of LXC containers, when compared to Docker, is the "full Linux stack" available in each container. While some container templates (Alpine) are slimmer than others, most of my containers run on Debian. There is work needed to keep them up to date, so this perfectly sets up the environment for me to pick up more advanced config management. Ansible Level 2, here I come.

