nixos-server/home/scripts/lxc/lab-create.sh

#!/usr/bin/env bash
set -euo pipefail

USER="$1"
KEYFILE="$2"
CONTAINER="lxc-${USER}"

# pick next available IP
LAST=$(grep -rh 'lxc.net.0.ipv4.address' /var/lib/lxc/*/config 2>/dev/null \
  | grep -oP '10\.100\.0\.\K\d+' | sort -n | tail -1 || true)

NEXT_OCTET=$(( ${LAST:-9} + 1 ))
CONTAINER_IP="10.100.0.${NEXT_OCTET}"

echo "Creating LXC container ${CONTAINER} (${CONTAINER_IP})..."
lxc-create -n "$CONTAINER" -f /etc/lxc/default.conf -t download -- -d ubuntu -r noble -a amd64

# assign static IP via LXC config (host-side, always works)
cat >> "/var/lib/lxc/${CONTAINER}/config" <<EOF
lxc.net.0.ipv4.address = ${CONTAINER_IP}/24
lxc.net.0.ipv4.gateway = 10.100.0.1
lxc.start.auto = 1
EOF

# write resolv.conf into rootfs before boot
echo "nameserver 8.8.8.8" > "/var/lib/lxc/${CONTAINER}/rootfs/etc/resolv.conf"

# disable any in-container networking that might fight us
rm -f "/var/lib/lxc/${CONTAINER}/rootfs/etc/netplan/"*.yaml 2>/dev/null
mkdir -p "/var/lib/lxc/${CONTAINER}/rootfs/etc/netplan"
cat > "/var/lib/lxc/${CONTAINER}/rootfs/etc/netplan/10-lxc.yaml" <<EOF
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      dhcp4: false
EOF

# start it
lxc-start -n "$CONTAINER"
sleep 5

# install SSH, inject key
lxc-attach --clear-env -n "$CONTAINER" -- /bin/bash -c "
  export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  apt-get update && apt-get install -y openssh-server
  mkdir -p /root/.ssh
  chmod 700 /root/.ssh
  sed -i 's/#PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
  systemctl enable ssh
  systemctl restart ssh
"

cat "$KEYFILE" | lxc-attach --clear-env -n "$CONTAINER" -- /bin/bash -c "
  export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
  tee /root/.ssh/authorized_keys > /dev/null
  chmod 600 /root/.ssh/authorized_keys
"

# create host user
useradd -m -s /bin/bash -G labmates "$USER" 2>/dev/null || true
mkdir -p "/home/${USER}/.ssh"
cp "$KEYFILE" "/home/${USER}/.ssh/authorized_keys"
chown -R "${USER}:${USER}" "/home/${USER}/.ssh"
chmod 700 "/home/${USER}/.ssh"

echo "$CONTAINER" > "/home/${USER}/.lxc-container"
echo "Done. ${USER} SSH -> root@${CONTAINER} (${CONTAINER_IP})"