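# system/lxc.nix
#
# LXC host for a shared lab machine: containers hang off an otherwise
# member-less bridge (br0, 10.100.0.0/24), get their addresses from dnsmasq,
# reach the outside through an nftables masquerade, and members of the
# `labmates` group are forced straight into a container by sshd instead of
# getting a host shell.
{ config, pkgs, ... }:

let
  # Single source of truth for the per-container defaults. Previously
  # `virtualisation.lxc.defaultConfig` and `environment.etc."lxc/default.conf"`
  # each carried their own, slightly different copy; the NixOS lxc module
  # already writes `defaultConfig` to /etc/lxc/default.conf, so the second
  # definition of the same path merged in as a duplicate set of keys.
  # This is the union of both copies.
  lxcDefaultConfig = ''
    lxc.net.0.type = veth
    lxc.net.0.link = br0
    lxc.net.0.flags = up
    # "xx" bytes are filled in at container creation, so every container gets
    # its own MAC in the 00:16:3e (LXC-assigned) range.
    lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
    lxc.cgroup.relative = 1
    # NOTE(review): `unconfined` removes the AppArmor boundary around each
    # container, and no lxc.idmap is set in this file, so unless a mapping
    # comes from elsewhere these containers run as host root. If the host
    # enables security.apparmor, `lxc.apparmor.profile = generated` gives
    # each container a per-container profile — confirm before switching.
    lxc.apparmor.profile = unconfined
  '';

  # The wrapper sshd drops labmates into. Built once here; it is installed
  # into the system profile (which is what the ForceCommand path resolves to)
  # and also exported under /etc/local/bin for interactive use on the host.
  lxcLogin = pkgs.writeShellScriptBin "lxc-login"
    (builtins.readFile ../home/scripts/lxc/lxc-login.sh);
in
{
  virtualisation.lxc = {
    enable = true;
    lxcfs.enable = true;
    defaultConfig = lxcDefaultConfig;
  };

  # br0 is a pure container bridge: no physical ports, host address .1,
  # and NetworkManager must keep its hands off it.
  networking.networkmanager.unmanaged = [ "br0" ];
  networking.bridges.br0.interfaces = [ ];
  networking.interfaces.br0.ipv4.addresses = [{
    address = "10.100.0.1";
    prefixLength = 24;
  }];

  # wildcard masquerade — no need to specify external interface per host
  networking.nat.enable = false;
  networking.nftables.enable = true;
  networking.nftables.tables.lab-nat = {
    family = "ip";
    content = ''
      chain postrouting {
        type nat hook postrouting priority 100;
        # Anything from the container subnet that leaves via a non-bridge
        # interface is source-NATed to the host's address on that interface.
        ip saddr 10.100.0.0/24 oifname != "br0" masquerade
      }
    '';
  };

  # IP forwarding. NOTE(review): nothing in this file filters the forward
  # path, so containers can reach every network the host can reach, not just
  # the internet. If the host sits on a trusted LAN, add a forward chain (or
  # `networking.firewall.filterForward`) that restricts container traffic —
  # the allowed destinations are a site decision and are not encoded here.
  boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

  # DHCP for containers on the bridge. dnsmasq only binds br0, so it never
  # answers DHCP/DNS on the host's real interfaces.
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "br0";
      bind-interfaces = true;
      dhcp-range = "10.100.0.10,10.100.0.200,24h";
      dhcp-option = [
        "3,10.100.0.1"      # option 3: default router = the bridge address
        "6,8.8.8.8,1.1.1.1" # option 6: DNS servers, reached via the masquerade
      ];
    };
  };

  # labmates get dropped into their container. The Match block forces the
  # login wrapper and closes the side channels that would otherwise let a
  # forced-command user run things on the host: TCP and unix-socket
  # forwarding, agent forwarding, tun/tap tunnels, ~/.ssh/rc and X11.
  # (NixOS appends extraConfig at the end of sshd_config, where Match must
  # live.)
  services.openssh.extraConfig = ''
    Match Group labmates
      ForceCommand /run/current-system/sw/bin/lxc-login
      AllowTcpForwarding no
      AllowStreamLocalForwarding no
      AllowAgentForwarding no
      PermitTunnel no
      PermitUserRC no
      X11Forwarding no
  '';
  users.groups.labmates = { };

  environment.systemPackages = with pkgs; [
    lxc
    # lxc-templates
    wget
    gnupg
    debootstrap
    bridge-utils
    lxcLogin
  ];

  # Plain copy of the same script for use from the host; sshd does not use
  # this path (it resolves lxc-login through the system profile).
  environment.etc."local/bin/lxc-login" = {
    source = ../home/scripts/lxc/lxc-login.sh;
    mode = "0755";
  };
}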