revv

joined 1 year ago
[–] [email protected] 1 points 1 year ago (1 children)

Nope. It just maps a single user and group from the container to a regular user on the host. With the above config, root in the container has the "real" UID of 100000. It can't make changes to anything any other unprivileged user can. A privileged container otoh runs root as root. It can do a lot of damage. By running privileged containers you're kind of throwing out a good portion of LXC's benefits.

[–] [email protected] 3 points 1 year ago (3 children)

The user and group mapping for lxc is easy(ish) once you understand it.

The above breaks out as follows: lxc.idmap: [user/group] [beginning host UID/GID] [number of sequential IDs to map]

lxc.idmap: u 0 100000 1000 [maps LXC UIDs 0-999 to host UIDs 100000-100999]

lxc.idmap: g 0 100000 1000 [maps LXC GIDs 0-999 to host GIDs 100000-100999]

lxc.idmap: u 1000 1000 1 [maps LXC UID 1000 to host UID 1000]

lxc.idmap: g 1000 1000 1 [maps LXC GID 1000 to host GID 1000]

lxc.idmap: u 1001 101001 64535 [maps LXC UIDs 1001-65535 to host UIDs 101001-165535]

lxc.idmap: g 1001 101001 64535 [maps LXC GIDs 1001-65535 to host GIDs 101001-165535]

The last two lines are needed because a running Linux system needs access to a minimum of 65336 UIDs/GIDs (zero-indexed).

You can basically think of LXC as running everything on the host system itself, but running it all as UID/GID 100000-65535 by default. In an unprivileged container, you have to remap these to give access to resources not owned by that range.
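As an added example (not code from the thread), the mapping arithmetic from the comment above in a small script: it parses `lxc.idmap` lines in the syntax shown, translates a container UID/GID to its host ID, and reports gaps below 65536 or ranges that land on real host accounts. The sample config is the six lines from the comment.

```python
# Added example, not from the thread: parse lxc.idmap lines, translate IDs
# and spot gaps. Assumes the "lxc.idmap: <u|g> <container> <host> <count>"
# syntax shown in the comment above.
from dataclasses import dataclass

# Constructed sample config: the six mapping lines from the comment.
SAMPLE_CONFIG = """
lxc.idmap: u 0 100000 1000
lxc.idmap: g 0 100000 1000
lxc.idmap: u 1000 1000 1
lxc.idmap: g 1000 1000 1
lxc.idmap: u 1001 101001 64535
lxc.idmap: g 1001 101001 64535
"""

@dataclass
class IdMap:
    kind: str       # "u" (UID) or "g" (GID)
    container: int  # first container-side ID
    host: int       # first host-side ID
    count: int      # number of sequential IDs mapped

def parse_idmaps(text):
    maps = []
    for line in text.splitlines():
        key, _, value = line.strip().partition(":")
        if key != "lxc.idmap":
            continue
        kind, c, h, n = value.split()
        maps.append(IdMap(kind, int(c), int(h), int(n)))
    return maps

def to_host(maps, kind, cid):
    """Container UID/GID -> host ID, or None if no range covers it."""
    for m in maps:
        if m.kind == kind and m.container <= cid < m.container + m.count:
            return m.host + (cid - m.container)
    return None

def unmapped(maps, kind, needed=65536):
    """Container IDs below `needed` that no lxc.idmap line covers.
    A gap here leaves the container unable to own files as those IDs."""
    covered = set()
    for m in maps:
        if m.kind == kind:
            covered.update(range(m.container, m.container + m.count))
    return sorted(set(range(needed)) - covered)

def host_ids_below(maps, kind, floor=100000):
    """Mappings that reach host IDs below `floor`, i.e. real host accounts.
    Only the deliberate 1000 -> 1000 pin should appear; a 0 -> 0 entry
    would make container root equal to host root, as in a privileged container."""
    return [m for m in maps if m.kind == kind and m.host < floor]
```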

[–] [email protected] 1 points 1 year ago (2 children)

This is pretty much how I'm hosting a similar set of services to you. I have a couple of dirt cheap VPSs ($10/yr via racknerd) which serve as public access points. One provides a wireguard tunnel and port forwarding to a mailinabox instance serving mail for my various domains, the other runs a wireguard tunnel and nginx reverse proxy for all my public-facing services. A little fiddly to set up the port forwarding, but it's been rock solid since I set it up.

Re: email, it's not too hard, but it is unforgiving. Mailinabox makes it much, much easier to set up an email server that doesn't automatically go to spam. Basically though, if you have your SPF, DKIM, DMARC and RDNS set up correctly, you're golden. Mailinabox takes care of all of it except RDNS.

[–] [email protected] 2 points 1 year ago (1 children)

InnerTune. No ads, no account. Minimize/do what you want.

[–] [email protected] 8 points 1 year ago

Didn't our little Free Speech Absolutist™️ ban the "slurs" cis and cisgender while also banning folks who misgender cis folks while supporting those who do the same to trans folks? (To say nothing of the removal of lots and lots of other legal speech that he did not like.) If that's what unbiased looks like to you, I think that you may want to examine your own biases.

[–] [email protected] 6 points 1 year ago

That sounds awesome! Any chance you'd be willing to share your code?
