nix-config/config/lxc-container.nix


{ hostRegistry, config, pkgs, lib, modulesPath, ... }:

let
  dnscache = hostRegistry.hosts.dnscache;

  # Resolvers in lookup order: the registry's DNS cache (v4, then v6),
  # then a public resolver as a last-resort fallback.
  resolverList = [ dnscache.ip4 dnscache.ip6 "9.9.9.9" ];

  # Render one newline-terminated "nameserver" line per resolver.
  renderResolvConf = servers:
    lib.concatStringsSep "" (map (ns: "nameserver ${ns}\n") servers);
in
{
  # Base this container on the minimal and docker-container profiles
  # from the NixOS module tree.
  imports = [
    (modulesPath + "/profiles/minimal.nix")
    (modulesPath + "/profiles/docker-container.nix")
  ];

  boot.isContainer = true;
  # No bootloader inside a container; the init script stands in for /sbin/init.
  boot.loader.grub.enable = false;
  boot.loader.initScript.enable = true;

  fileSystems."/".fsType = "rootfs";
  fileSystems."/".device = "rootfs";

  # Build settings. NOTE(review): sandboxing is off, presumably because the
  # namespaces it needs are unavailable in an unprivileged LXC guest — builds
  # on this host are then not isolated from each other or from the container
  # filesystem, so treat it as a trusted-build host only; confirm with the
  # host configuration.
  nix.useSandbox = false;
  nix.maxJobs = lib.mkDefault 1;
  nix.buildCores = lib.mkDefault 4;

  # Addressing is handled by networkd, not DHCP; temporary (privacy) IPv6
  # addresses are disabled so the container keeps a predictable address.
  networking.useDHCP = false;
  networking.useNetworkd = true;
  networking.interfaces.eth0.useDHCP = false;
  networking.interfaces.eth0.tempAddress = "disabled";
  networking.nameservers = resolverList;
  # Only meaningful if NetworkManager is enabled by another module.
  networking.networkmanager.dns = "unbound";

  # /etc/resolv.conf is written statically from networking.nameservers
  # (which other modules may extend), so neither the host's resolv.conf
  # nor systemd-resolved is used.
  networking.useHostResolvConf = false;
  services.resolved.enable = false;
  environment.etc."resolv.conf".text = renderResolvConf config.networking.nameservers;

  # SSH is the channel used for remote deployment. No authentication policy
  # is set in this file; presumably a shared module supplies it — verify.
  services.openssh.enable = true;

  # Log shipping is currently switched off; the configuration is kept so it
  # can be re-enabled. `config.c3d2.hosts.logging` looks like a site-specific
  # option defined in another module — confirm.
  services.journalbeat = {
    enable = false;
    tags = [ "container" ];
    extraConfig = ''
      journalbeat.inputs:
        # Paths that should be crawled and fetched. Possible values files and directories.
        # When setting a directory, all journals under it are merged.
        # When empty starts to read from local journal.
        - paths: []
      journalbeat:
        seek_position: cursor
        cursor_seek_fallback: tail
        write_cursor_state: true
        cursor_flush_period: 5s
        clean_field_names: true
        convert_to_numbers: false
        move_metadata_to_field: journal
        default_type: journal
        kernel: true
      output.logstash:
        # Boolean flag to enable or disable the output module.
        enabled: true
        hosts: ["${config.c3d2.hosts.logging.ip4}:5044"]
    '';
  };

  # Create a few files early, before the tarball is packed, so Proxmox can
  # detect the architecture/OS: /bin/sh and /sbin/init must exist in the
  # system closure. /sbin/init is a relative link to the init script above.
  system.extraSystemBuilderCmds = ''
    mkdir -m 0755 -p $out/bin
    ln -s ${pkgs.bash}/bin/bash $out/bin/sh
    mkdir -m 0755 -p $out/sbin
    ln -s ../init $out/sbin/init
  '';

  # networkd unit for eth0: accept router advertisements for IPv6 and keep
  # link-local addressing to IPv6 only.
  systemd.network.networks."40-eth0".networkConfig = {
    IPv6AcceptRA = true;
    LinkLocalAddressing = "ipv6";
  };
}