@lmlsna
Last active February 5, 2025 04:08
Alternative LXD/incus default profile for a Wireguard only interface.
# The best way to access the host is through the exec command using sockets, but you can also add limited
# network connectivity between the host and container on specified ports with LXD proxy devices.
#
# This is an example profile giving the host access to port 8080 of the container's network.
#
name: container-to-host-proxy
description: "Give the host access (on the host's localhost:8080) to container's port 8080"
config: {}
devices:
  webproxy:
    bind: host
    connect: tcp:0.0.0.0:8080
    listen: tcp:127.0.0.1:8080
    type: proxy
used_by: []

# This profile acts as an alternative to the default lxd/incus profile that provides a wireguard
# interface as the only network connectivity for the container's namespace.
#
# This is useful in cases where you want the container to fail closed if the wireguard interface is
# not available and/or when you don't want any of the host's normal traffic going out over wg0.
#
# You need to bring up the wireguard interface before attaching it to the container. Because we use the
# physical nictype option, wg0 will disappear from the host's network namespace completely once added. It
# will be returned to the host after the container shuts down, though typically no longer in a functionally
# configured state (not exactly sure why or how, I generally just tear it down after the container stops).
#
# This profile also includes a user.network-config which automatically sets up the correct IPs and routes
# inside the container. This is optional and can be removed if you want to set the IPs some other way.
# You will need to change the static IPs (addresses:) and gateways (via:) to match the wireguard
# interface; you should also set the DNS (nameservers:) to something functional.
#
name: default-wg0
description: Alternative default profile with a wireguard network interface
config:
  user.network-config: |
    network:
      version: 2
      ethernets:
        eth0:
          dhcp4: false
          addresses: [ 10.69.0.2/32, fdad:69::2/128 ]
          routes:
            - to: 0.0.0.0/0
              via: 10.69.0.1
              on-link: true
            - to: ::/0
              via: fdad:69::1
              on-link: true
          nameservers:
            addresses: [ 127.0.0.1 ]
devices:
  eth0:
    name: eth0
    nictype: physical
    parent: wg0
    type: nic
  root:
    path: /
    pool: default
    type: disk
used_by: []

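An added example, not part of the gist, that turns the comments above into a runnable procedure: bring wg0 up first, install the profile with the tunnel's addresses (the sample 10.69.0.x / fdad:69:: values from the gist are passed as arguments so they can be swapped), launch a container with only this profile, and then confirm the container really has no path out other than the moved tunnel interface. It assumes the `incus` CLI (set `LXC=lxc` for LXD), a `/etc/wireguard/wg0.conf` on the host, and the `images:debian/12/cloud` alias as an example image; `check_fail_closed` is a helper written here, not an incus feature.

```shell
#!/bin/sh
# Added example (not from the gist): default-wg0 workflow with a fail-closed check.
# Assumes: `incus` CLI (LXC=lxc for LXD), /etc/wireguard/wg0.conf present,
# image alias images:debian/12/cloud (any cloud-init image works).
set -eu
LXC="${LXC:-incus}"

# Render the gist's default-wg0 profile for a given tunnel.
# Args: v4 address, v4 gateway, v6 address, v6 gateway, DNS server.
render_wg_profile() {
  v4="$1" v4gw="$2" v6="$3" v6gw="$4" dns="$5"
  cat <<EOF
name: default-wg0
description: Alternative default profile with a wireguard network interface
config:
  user.network-config: |
    network:
      version: 2
      ethernets:
        eth0:
          dhcp4: false
          addresses: [ ${v4}, ${v6} ]
          routes:
            - to: 0.0.0.0/0
              via: ${v4gw}
              on-link: true
            - to: ::/0
              via: ${v6gw}
              on-link: true
          nameservers:
            addresses: [ ${dns} ]
devices:
  eth0:
    name: eth0
    nictype: physical
    parent: wg0
    type: nic
  root:
    path: /
    pool: default
    type: disk
EOF
}

# Fail-closed check on the output of `ip -o link` ($1) and `ip route` ($2)
# taken inside the container: the only interfaces may be lo and eth0 (the
# moved wg0), and every default route must leave via eth0. Returns 0 if so.
check_fail_closed() {
  links="$1" routes="$2"
  names=$(printf '%s\n' "$links" | awk -F': ' '{print $2}' | sed 's/@.*//' | sort | tr '\n' ' ')
  [ "$names" = "eth0 lo " ] || return 1
  printf '%s\n' "$routes" | grep '^default' | grep -qv 'dev eth0' && return 1
  return 0
}

main() {
  name="${2:-wgbox}"
  # 1. The tunnel must exist on the host before the profile can move it.
  ip link show wg0 >/dev/null 2>&1 || wg-quick up wg0
  # 2. Create or update the profile (constructed sample addresses; change to your tunnel).
  "$LXC" profile show default-wg0 >/dev/null 2>&1 || "$LXC" profile create default-wg0
  render_wg_profile 10.69.0.2/32 10.69.0.1 fdad:69::2/128 fdad:69::1 10.69.0.1 \
    | "$LXC" profile edit default-wg0
  # 3. Launch with ONLY this profile so no bridge NIC from `default` is attached.
  "$LXC" launch images:debian/12/cloud "$name" -p default-wg0
  # 4. Verify the container sees nothing but lo and the tunnel.
  links=$("$LXC" exec "$name" -- ip -o link)
  routes=$("$LXC" exec "$name" -- ip route)
  check_fail_closed "$links" "$routes" && echo "$name: only the wg0 path is present"
  # 5. Afterwards: stop the container, then tear wg0 down since it comes back unconfigured.
  #    "$LXC" stop "$name" && wg-quick down wg0
}

if [ "${1:-}" = run ]; then main "$@"; fi
```

Run it as `sh wg-container.sh run mybox`. Step 3 matters: passing `-p default-wg0` replaces the profile list rather than appending to it, which is what keeps the `default` profile's bridged NIC out of the container. Step 4 is the check that gives "fail closed" its meaning: if wg0 was not up when the container started, eth0 is missing and the check fails, and there is no other interface for traffic to leak through.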
# This is an example profile giving the container access to port 8081 of the host's network. It binds
# to localhost inside the container on port 8080 and proxies out to the host's network port 8081.
# bind: container is what puts the listen side inside the container; without it the device defaults
# to bind: host and points the other way, like container-to-host-proxy above.
#
name: host-to-container-proxy
description: "Give the container access (on the container's localhost:8080) to host's port 8081"
config: {}
devices:
  webproxy:
    bind: container
    connect: tcp:127.0.0.1:8081
    listen: tcp:127.0.0.1:8080
    type: proxy
used_by: []

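An added example, not part of the gist, covering both proxy profiles on this page (container-to-host-proxy and host-to-container-proxy) as CLI commands against a running instance, together with the two checks worth making on any proxy device before it lands in a profile: which namespace each end of the device lives in (decided by `bind`, which defaults to host) and whether the listen address stays on loopback. It assumes the `incus` CLI (set `LXC=lxc` for LXD); `proxy_ends`, `listen_is_loopback` and `check_proxy` are helpers written here, not incus commands, and the device names `proxy-in` / `proxy-out` are arbitrary.

```shell
#!/bin/sh
# Added example (not from the gist): proxy devices via the CLI plus two checks.
# Assumes the `incus` CLI (LXC=lxc for LXD); run as: sh proxy.sh run <instance>
set -eu
LXC="${LXC:-incus}"

# Which namespace each end of a proxy device lives in. `bind` defaults to host,
# so a device copied from a host-side profile keeps pointing host->container
# until bind=container is set explicitly.
proxy_ends() {
  case "${1:-host}" in
    host)      echo "listen=host connect=container" ;;
    container) echo "listen=container connect=host" ;;
    *)         echo "unknown bind value: $1" >&2; return 1 ;;
  esac
}

# A listen address that is not loopback opens the port on every interface of
# whichever side binds it, not only to local processes. Returns 0 for loopback.
listen_is_loopback() {
  case "$1" in
    tcp:127.*|udp:127.*|tcp:\[::1\]:*|udp:\[::1\]:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Lint one device: print where each end lives, fail if the listen address
# would expose the port beyond loopback. Args: bind, listen.
check_proxy() {
  ends=$(proxy_ends "$1") || return 1
  echo "$ends"
  listen_is_loopback "$2" || { echo "listen $2 is not loopback" >&2; return 1; }
}

# Host 127.0.0.1:$2 -> container port $3 (the gist's container-to-host-proxy).
add_host_listener() {
  check_proxy host "tcp:127.0.0.1:$2"
  "$LXC" config device add "$1" proxy-in proxy bind=host \
    listen="tcp:127.0.0.1:$2" connect="tcp:127.0.0.1:$3"
}

# Container 127.0.0.1:$2 -> host port $3 (the gist's host-to-container-proxy).
add_container_listener() {
  check_proxy container "tcp:127.0.0.1:$2"
  "$LXC" config device add "$1" proxy-out proxy bind=container \
    listen="tcp:127.0.0.1:$2" connect="tcp:127.0.0.1:$3"
}

main() {
  inst="${2:?instance name required}"
  add_host_listener "$inst" 8080 8080
  add_container_listener "$inst" 8080 8081
  # Confirm each socket exists only on loopback on the side that binds it.
  ss -ltnH 'sport = :8080'                          # host: expect 127.0.0.1:8080 only
  "$LXC" exec "$inst" -- ss -ltnH 'sport = :8080'   # container: expect 127.0.0.1:8080 only
}

if [ "${1:-}" = run ]; then main "$@"; fi
```

The `ss` lines at the end are the practical check: if either listing shows `0.0.0.0:8080` or `*:8080` instead of `127.0.0.1:8080`, the proxy is reachable from beyond the machine it was meant to serve, which is exactly what `check_proxy` refuses before the device is added.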