nixos-configuration/lxc.nix
2021-10-01 16:58:24 +02:00


{ config, lib, pkgs, ... }:
let
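dnsmasq = pkgs.dnsmasq;
# Lease database directory; created root-owned by the unit's preStart below.
stateDir = "/var/lib/dnsmasq";
# Stand-alone dnsmasq instance that hands out DHCP leases and answers DNS for
# the containers on lxcbr0 only. It is deliberately separate from any
# host-wide resolver so a container can never see or alter host DNS settings.
dnsmasqConf = pkgs.writeText "dnsmasq-lxc.conf" ''
  dhcp-leasefile=${stateDir}/dnsmasq-lxc.leases
  # Use upstream servers strictly in the order they are listed.
  strict-order
  # Bind the bridge address only (never 0.0.0.0): this instance must not answer
  # on the host's other interfaces and must coexist with any other resolver.
  bind-interfaces
  listen-address=10.0.3.1
  dhcp-range=10.0.3.2,10.0.3.254
  dhcp-lease-max=253
  dhcp-no-override
  dhcp-authoritative
  domain=develop.sys.tradebyte.com
  # Names under the container domain are answered from leases only and are
  # never forwarded upstream, so internal host names do not leak.
  local=/develop.sys.tradebyte.com/
  # Do not forward bare (dot-less) names or reverse lookups for RFC 1918
  # space to the upstream resolver either; both are answered from leases or
  # get NXDOMAIN here instead of leaking to the forwarder.
  domain-needed
  bogus-priv
  dns-loop-detect
  neg-ttl=5
  # Everything else goes to the host's local resolver.
  # NOTE(review): systemd-resolved's stub listener is 127.0.0.53, not 127.0.0.1;
  # confirm a resolver actually answers on 127.0.0.1:53 or point this at
  # 127.0.0.53, otherwise containers only resolve the local domain.
  server=127.0.0.1
'';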
in
{
# Host-side LXC. The text below becomes the default config of every container:
# a veth leg on the lxcbr0 bridge with a random 00:16:3e MAC (the xx:xx:xx
# template is expanded by LXC), plus settings that relax confinement so
# containers can themselves run containers (nesting profile, nesting allowed,
# and a force-mounted read-write cgroup tree).
# NOTE(review): those three lines widen what a container can reach on the
# host's cgroup and mount namespaces; keep them only where nested containers
# are really needed, and the AppArmor profile is only enforced if AppArmor is
# enabled on this host - confirm.
virtualisation.lxc.enable = true;
virtualisation.lxc.defaultConfig = ''
lxc.net.0.type = veth
lxc.net.0.link = lxcbr0
lxc.net.0.flags = up
lxc.net.0.hwaddr = 00:16:3e:xx:xx:xx
lxc.apparmor.profile = lxc-default-with-nesting
lxc.apparmor.allow_nesting = 1
# For LXC version is 4.0.0 or later
lxc.mount.auto = cgroup:rw:force
'';
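networking = {
  # Host-only bridge for the containers: no physical port is enslaved, so
  # container traffic can only leave the segment through the NAT rules below.
  bridges.lxcbr0 = {
    interfaces = [ ];
  };
  interfaces.lxcbr0.ipv4.addresses = [{ address = "10.0.3.1"; prefixLength = 24; }];
  # Only DNS and DHCP from the bridge reach the host's dnsmasq instance. The
  # openings are scoped to lxcbr0 and leave the host's other interfaces closed.
  firewall.interfaces.lxcbr0 = {
    allowedTCPPorts = [
      53 # DNS
    ];
    allowedUDPPorts = [
      53 # DNS
      67 # DHCP
    ];
  };
  # Fill in UDP checksums on packets leaving the bridge so DHCP clients that
  # verify checksums accept offers whose checksum offload was never completed.
  # extraCommands run again on every firewall reload and the NixOS firewall
  # script only flushes its own nixos-fw* chains, so a plain `-A` would add a
  # duplicate mangle rule each time; remove every earlier copy first.
  firewall.extraCommands = ''
    while iptables -w -t mangle -D POSTROUTING -o lxcbr0 -p udp -j CHECKSUM --checksum-fill 2>/dev/null; do :; done
    iptables -w -t mangle -A POSTROUTING -o lxcbr0 -p udp -j CHECKSUM --checksum-fill
  '';
  networkmanager.unmanaged = ["lxcbr0"];
  nat = {
    enable = true;
    # Masquerade everything that arrives on the bridge.
    internalInterfaces = ["lxcbr0"];
    # Source-based match for the whole container range rather than just the
    # host's own bridge address (10.0.3.1); it overlaps internalInterfaces and
    # is kept for clarity.
    internalIPs = ["10.0.3.0/24"];
    # NOTE(review): no externalInterface is set, so masquerading applies on
    # every outbound interface; pin it to the uplink if this host has several.
  };
};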
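systemd.services."dnsmasq-lxc" = {
  description = "Dnsmasq Daemon for LXC";
  # bind-interfaces has no retry, so 10.0.3.1 must be configured before
  # dnsmasq starts; systemd-resolved is ordered first because it is the
  # intended loopback upstream of this instance.
  after = [ "network.target" "systemd-resolved.service" ];
  wantedBy = [ "multi-user.target" ];
  path = [ dnsmasq ];
  # The state directory and lease file are created root-owned while dnsmasq
  # itself later runs as the dnsmasq user.
  # NOTE(review): this relies on dnsmasq opening the lease file before it
  # drops privileges (an earlier chown attempt was left commented out here);
  # confirm leases are written, otherwise chown the file to dnsmasq.
  # NOTE(review): nothing in this file creates the `dnsmasq` user; it must
  # come from users.users or the services.dnsmasq module.
  preStart = ''
    mkdir -m 755 -p ${stateDir}
    touch ${stateDir}/dnsmasq-lxc.leases
    # Fail early on a broken config instead of crash-looping under Restart=.
    dnsmasq --test -C ${dnsmasqConf}
  '';
  serviceConfig = {
    # `-k` keeps dnsmasq in the foreground, which is exactly what Type=simple
    # expects. The previous Type=dbus waited for the bus name
    # "uk.org.thekelleys.dnsmasq-lxc", but a bare `--enable-dbus` makes dnsmasq
    # claim its default name (uk.org.thekelleys.dnsmasq per the dnsmasq
    # manual), so the unit could never become active. Nothing here uses the
    # D-Bus control interface, so it is left off; re-enabling it needs
    # `--enable-dbus=<name>` matching BusName plus a system-bus policy that
    # lets root own that name.
    Type = "simple";
    ExecStart = "${dnsmasq}/bin/dnsmasq -k --user=dnsmasq -C ${dnsmasqConf}";
    # SIGHUP makes dnsmasq re-read /etc/hosts and resolv.conf and clear its
    # cache; it does not re-read the main config file.
    ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    PrivateTmp = true;
    ProtectSystem = true;
    ProtectHome = true;
    Restart = "on-failure";
  };
  # Restarting when /etc/hosts changes is a candidate trigger; left disabled
  # as in the original.
  #restartTriggers = [ config.environment.etc.hosts.source ];
};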
# Extra modules loaded at boot. kvm-intel and coretemp are unrelated to the
# LXC setup above; fuse is presumably for user-space filesystems inside the
# containers - TODO confirm.
boot.kernelModules = [ "fuse" "kvm-intel" "coretemp" ];
}