mooooore stuffs

system/disko-config.nix

@@ -1,37 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      main = {
-        type = "disk";
-        device = "/dev/sda"; 
-        content = {
-          type = "gpt";
-          partitions = {
-            boot = {
-              size = "1M";
-              type = "EF02"; 
-              priority = 1; 
-            };
-            ESP = {
-              size = "512M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-              };
-            };
-            root = {
-              size = "100%";
-              content = {
-                type = "filesystem";
-                format = "ext4";
-                mountpoint = "/";
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

system/lxc-default.conf

@@ -0,0 +1,5 @@
+lxc.net.0.type = veth
+lxc.net.0.link = br0
+lxc.net.0.flags = up
+lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
+lxc.apparmor.profile = unconfined

system/lxc.nix

@@ -0,0 +1,68 @@
+# system/lxc.nix
+{ config, pkgs, ... }: {
+  virtualisation.lxc = {
+    enable = true;
+    lxcfs.enable = true;
+  };
+
+  networking.bridges.br0.interfaces = [];
+  networking.interfaces.br0.ipv4.addresses = [{
+    address = "10.100.0.1";
+    prefixLength = 24;
+  }];
+
+  # wildcard masquerade — no need to specify external interface per host
+  networking.nat.enable = false;
+  networking.nftables.enable = true;
+  networking.nftables.tables.lab-nat = {
+    family = "ip";
+    content = ''
+      chain postrouting {
+        type nat hook postrouting priority 100;
+        ip saddr 10.100.0.0/24 oifname != "br0" masquerade
+      }
+    '';
+  };
+
+  # IP forwarding
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+  # DHCP for containers on the bridge
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      interface = "br0";
+      bind-interfaces = true;
+      dhcp-range = "10.100.0.10,10.100.0.200,24h";
+      dhcp-option = [ "3,10.100.0.1" "6,8.8.8.8,1.1.1.1" ];
+    };
+  };
+
+  # labmates get dropped into their container
+  services.openssh.extraConfig = ''
+    Match Group labmates
+      ForceCommand /usr/local/bin/lxc-login
+      AllowTcpForwarding no
+      X11Forwarding no
+  '';
+
+  users.groups.labmates = {};
+
+  environment.systemPackages = with pkgs; [
+    lxc
+    lxc-templates
+    debootstrap
+    bridge-utils
+  ];
+
+  environment.etc."lxc/default.conf".text = ''
+    lxc.net.0.type = veth
+    lxc.net.0.link = br0
+    lxc.net.0.flags = up
+    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
+    lxc.apparmor.profile = unconfined
+  '';
+
+  environment.etc."local/bin/lxc-login".source = ../home/scripts/lxc/lxc-login.sh;
+  environment.etc."local/bin/lxc-login".mode = "0755";
+}

system/system.nix

@@ -5,7 +5,8 @@
 }: {
   imports = [
     ./ssh.nix
-    ./disko-config.nix
+    ./lxc.nix
+    # ./disko-config.nix
   ];
 
   # Set your time zone.