diff --git a/nix/nixos-module/server/lxc-containers.nix b/nix/nixos-module/server/lxc-containers.nix
index d20252b..311f0bb 100644
--- a/nix/nixos-module/server/lxc-containers.nix
+++ b/nix/nixos-module/server/lxc-containers.nix
@@ -138,6 +138,16 @@ let
       set -e
     done
   '';
+
+  enable-script = pkgs.writeScriptBin "enable-containers" ''
+    touch /etc/start-containers
+    systemctl start lxc-containers.target
+  '';
+
+  disable-script = pkgs.writeScriptBin "disable-containers" ''
+    rm /etc/start-containers
+    systemctl stop lxc-containers.target lxc@\*.service
+  '';
 in
 {
   boot.kernel.sysctl = lib.mkIf enabled {
@@ -160,7 +170,12 @@ in
     '';
   };
 
-  environment.systemPackages = [ lxc build-script ];
+  environment.systemPackages = [
+    # `lxc-attach` et al
+    lxc build-script
+    # User scripts
+    enable-script disable-script
+  ];
 
   # Create lxc.container.conf files
   environment.etc =
@@ -211,7 +226,10 @@ in
   systemd.services."lxc@" = {
     description = "LXC container '%i'";
     after = [ "network.target" ];
-    unitConfig.ConditionPathExists = "/var/lib/lxc/%i/rootfs/init";
+    unitConfig.ConditionPathExists = [
+      "/var/lib/lxc/%i/rootfs/init"
+      "/etc/start-containers"
+    ];
     serviceConfig = {
       Type = "simple";
       ExecStart = "${lxc}/bin/lxc-start -F -C -n %i";