mooooore stuffs

system/lxc.nix

@@ -0,0 +1,68 @@
+# system/lxc.nix
+{ config, pkgs, ... }: {
+  virtualisation.lxc = {
+    enable = true;
+    lxcfs.enable = true;
+  };
+
+  networking.bridges.br0.interfaces = [];
+  networking.interfaces.br0.ipv4.addresses = [{
+    address = "10.100.0.1";
+    prefixLength = 24;
+  }];
+
+  # wildcard masquerade — no need to specify external interface per host
+  networking.nat.enable = false;
+  networking.nftables.enable = true;
+  networking.nftables.tables.lab-nat = {
+    family = "ip";
+    content = ''
+      chain postrouting {
+        type nat hook postrouting priority 100;
+        ip saddr 10.100.0.0/24 oifname != "br0" masquerade
+      }
+    '';
+  };
+
+  # IP forwarding
+  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
+
+  # DHCP for containers on the bridge
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      interface = "br0";
+      bind-interfaces = true;
+      dhcp-range = "10.100.0.10,10.100.0.200,24h";
+      dhcp-option = [ "3,10.100.0.1" "6,8.8.8.8,1.1.1.1" ];
+    };
+  };
+
+  # labmates get dropped into their container
+  services.openssh.extraConfig = ''
+    Match Group labmates
+      ForceCommand /usr/local/bin/lxc-login
+      AllowTcpForwarding no
+      X11Forwarding no
+  '';
+
+  users.groups.labmates = {};
+
+  environment.systemPackages = with pkgs; [
+    lxc
+    lxc-templates
+    debootstrap
+    bridge-utils
+  ];
+
+  environment.etc."lxc/default.conf".text = ''
+    lxc.net.0.type = veth
+    lxc.net.0.link = br0
+    lxc.net.0.flags = up
+    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
+    lxc.apparmor.profile = unconfined
+  '';
+
+  environment.etc."local/bin/lxc-login".source = ../home/scripts/lxc/lxc-login.sh;
+  environment.etc."local/bin/lxc-login".mode = "0755";
+}