What the hell is this?
In short, we are trying to restructure Project Segfault to make it more secure.
This includes separating things into multiple VMs, and deleting old & unused configs, containers etc.
There are 5 VMs, CoreVM, DatabaseVM, DockerVM, ContainVM, BackwardsVM.
CoreVM is the VM that hosts our webserver, caddy. It is meant to be an "entrypoint" to the other VMs.
Only ssh for core will be forwarded for security, so you need to ssh into it first before SSHing into the others.
All traffic going to all other VMs will go through this.
CoreVM will be the only restructure VM other than BackwardsVM which has access to the LAN network (so that we can do port forward).
It will be connected to both the NATs of restructure VMs (vmbr1) and the Pubnix (vmbr2).
It runs on Debian but might be changed to something else if our security needs grows bigger.
DatabaseVM (DBVM) is the VM that hosts all the databases for the docker containers.
It will host PostgreSQL (preferred) & MariaDB (for services that need it).
The separation of the DBVM is so that we can do more optimizations to the DB and use the hardware to its fullest.
This VM will not have internet access at all other than during updates when the IPTables rule will be temporarily disabled.
It also runs on Debian and uses the official PostgreSQL & MySQL repositories instead of the Debian one.
DockerVM is the VM that hosts all the docker containers for our services.
It is primarily managed using the Docker CLI with compose but also has Portainer available for quick tasks.
It also runs Debian and will use the official docker repository instead of the Debian one.
ContainVM is the VM that hosts all the LXC containers used for our services.
It will not have a WebUI and will be fully managed from the CLI alone.
This will host the Wiki and other services to come in the near future.
BackwardsVM is the VM that hosts all the non-HTTP services.
It is the only other VM which has access to the LAN.
It was formalized later on when we realized that forwarding the ports via something like HAProxy would mean we wouldn't be able to retrieve IPs of connecting entities, which may cause issues for the programs, like in the case of TURN, or make moderation an extreme hassle.
HAProxy does have an option for Transparent Proxying (TPROXY) which remediates this issue, but this is not enabled in Debian's kernel, and we did not want to compile and maintain our own custom kernel for the same.
BackwardsVM is basically a second DockerVM, though it also hosts some things non-docker like our Ejabberd XMPP server and the turnserver used by it and matrix.