nixos-server/home/scripts/lxc/lab-create.sh
2026-04-11 10:02:40 -04:00


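#!/usr/bin/env bash
#
# lab-create.sh: provision an Ubuntu (noble) LXC container for one lab member.
#
# Usage: lab-create.sh <username> <public-key-file>
#
# Steps: create container lxc-<username>, write a DHCP netplan config into its
# rootfs, start it, install openssh-server, install the given public key for
# root inside the container, mark the container auto-start, then create (or
# reuse) a host account <username> in group "labmates" with the same key and
# record the container name in ~<username>/.lxc-container.
#
# Everything here writes under /var/lib/lxc and /home and calls useradd, so it
# is expected to run as root.
set -euo pipefail

die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

if (( $# < 2 )); then
  printf 'Usage: %s <username> <public-key-file>\n' "${0##*/}" >&2
  exit 2
fi

# Deliberately not named USER: assigning to USER would overwrite the caller's
# login name in the environment of every child process started below.
readonly lab_user=$1
readonly keyfile=$2

# The name is spliced into paths under /var/lib/lxc and /home that are written
# with root privileges, so refuse anything that is not a plain account name
# (no '/', no '..', no leading '-', no whitespace).
if [[ ! "$lab_user" =~ ^[a-z_][a-z0-9_-]{0,31}$ ]]; then
  die "invalid username '${lab_user}': expected [a-z_][a-z0-9_-]*, at most 32 characters"
fi

# Check the key before creating anything, so a bad path cannot leave a
# half-configured container with no way to log in.
[[ -f "$keyfile" && -r "$keyfile" && -s "$keyfile" ]] \
  || die "key file '${keyfile}' is missing, unreadable or empty"

readonly container="lxc-${lab_user}"
readonly rootfs="/var/lib/lxc/${container}/rootfs"

echo "Creating LXC container ${container}..."
lxc-create -n "$container" -f /etc/lxc/default.conf -t download -- -d ubuntu -r noble -a amd64

# Configure DHCP before first boot. The delimiter is quoted: the YAML contains
# nothing that should be expanded by the host shell.
mkdir -p "${rootfs}/etc/netplan"
cat > "${rootfs}/etc/netplan/10-dhcp.yaml" <<'EOF'
network:
  version: 2
  ethernets:
    eth0:
      dhcp4: true
      nameservers:
        addresses: [8.8.8.8, 1.1.1.1]
EOF
# netplan warns about configuration files that other users can read.
chmod 600 "${rootfs}/etc/netplan/10-dhcp.yaml"

lxc-start -n "$container"

# Wait for an IPv4 lease instead of sleeping a fixed time: the package install
# below needs working networking. Bounded at roughly 60 seconds.
container_ip=""
for (( attempt = 0; attempt < 30; attempt++ )); do
  # '|| true': an empty result (grep exit 1) just means "not up yet".
  container_ip=$(lxc-info -n "$container" -iH \
    | grep -m1 -E '^[0-9]+(\.[0-9]+){3}$' || true)
  if [[ -n "$container_ip" ]]; then
    break
  fi
  sleep 2
done
[[ -n "$container_ip" ]] \
  || die "${container} got no IPv4 address; the container was created and is left in place"

# Install SSH and restrict root to key-based login. No root password is set.
# 'set -e' inside the container shell makes a failed apt-get abort this script
# instead of silently continuing with sshd missing.
lxc-attach -n "$container" -- /bin/bash -c "
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export DEBIAN_FRONTEND=noninteractive
apt-get update
apt-get install -y openssh-server
mkdir -p /root/.ssh
chmod 700 /root/.ssh
# Match the directive whether or not it is commented out, so an explicit
# 'PermitRootLogin yes' is also replaced.
sed -i -E 's/^#?PermitRootLogin.*/PermitRootLogin prohibit-password/' /etc/ssh/sshd_config
systemctl enable ssh
systemctl restart ssh
"

# Push the key in over stdin. umask 077 makes authorized_keys owner-only from
# the moment it is created.
lxc-attach -n "$container" -- /bin/bash -c "
set -euo pipefail
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
umask 077
cat > /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
" < "$keyfile"

# Auto-start on boot.
echo "lxc.start.auto = 1" >> "/var/lib/lxc/${container}/config"

# Create the host user that maps to this container. Only an already existing
# account is tolerated; any other useradd failure (for example a missing
# "labmates" group) stops the script rather than being discarded.
if ! id -u "$lab_user" > /dev/null 2>&1; then
  useradd -m -s /bin/bash -G labmates "$lab_user"
fi

# NOTE(review): when the account already existed, /home/<user> is writable by
# that user, and the root-run writes below follow whatever the user has placed
# at these paths (including symlinks). Confirm this script is only ever run
# for fresh accounts, or keep these files somewhere the user cannot write.
mkdir -p "/home/${lab_user}/.ssh"
cp -- "$keyfile" "/home/${lab_user}/.ssh/authorized_keys"
chmod 700 "/home/${lab_user}/.ssh"
chmod 600 "/home/${lab_user}/.ssh/authorized_keys"
chown -R "${lab_user}:${lab_user}" "/home/${lab_user}/.ssh"

# Store the user -> container mapping.
# NOTE(review): this file sits in the user's own home directory, so the user
# can replace it. Whatever reads it should not treat it as the authority for
# which container the user may enter. Verify against the consumer.
echo "$container" > "/home/${lab_user}/.lxc-container"

echo "Done. ${lab_user} SSH -> root@${container} (${container_ip})"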