I'm exclusively running unprivileged LXC containers and haven't had any issues regarding the firewall, neither with iptables nor nftables.

No, it is not like Docker. You can treat an LXC container pretty much like a VM in most instances, including firewall rules. To answer the question, you can use fail2ban just like you had done in your VM, meaning you can run it inside the LXC container, where fail2ban can change the firewall rules of that container as it sees fit.

You could give bubblewrap a try instead. It is quite similar to systemd-nspawn.

I understood that. My point was rather that in this particular case (a CPU bug that could be fixed via microcode, but AMD chose not to do so for certain CPUs), RISC-V wouldn't have been of any advantage, because there would be nothing to fix in the first place. Sure, one could introduce microcode for RISC-V and people have argued in favor of doing so for this exact reason, but the architecture was intentionally designed to not require microcode.

As much as I like RISC-V, it is kind of ironic to suggest RISC-V ist the solution to this. At least as it stands, because of RISC-V's simplicity, most if not all current RISC-V CPUs don't even run microcode, so there is nothing to update/fix in case of a CPU bug. There's even a very current example of this problem with that chinese RISC-V cpu that has this "GhostWrite" bug that allows every unpriviliged process to gain root access.

That's good, I never liked the clunky .home.arpa domain.

What does it offer that nginx doesnt?

Automatic HTTPS, you don't have to use certbot or something similar to get/renew certificates. Also, its configuration is really simple and straight forward.

IT-Tools - hands down one of the coolest self hosted tool sets you can use.

Looks similar to Cyberchef. Any reason to use that one over Cyberchef?

The guide mentions:

Your ISP will give you the first 64 bits, and your host machine will have the last 64 bits.

This isn't correct. While some ISPs do give you the first 64 bit (a /64 prefix), this isn't recommended and not terribly common either. An ISP should give its users prefixes with less than 64 bit. Typically a residential user will get a /56 and commercial users usually get a /48. With such a prefix the user can then generate multiple /64 networks which can be used on the local network as desired.

While you certainly can run AI models that require such a beefy GPU, there are plenty of models that run fine even on a CPU-only system. So it really depends on what exactly Ollama is going to be used for.

I wouldn't run it as a router due to its high power consumption, but it would be a fine computer for retro gaming for games up until ~2005 if you add a graphics card.

Edit: 75 LXC containers, 22VMs.

That's a lot of power draw for so few VMs and containers. Any particular applications running that justify such a setup?