startup=0 gpu_passthrough_intel=0 gpu_passthrough_nvidia=0 # Turning off seccomp filtering improves performance at the expense of security seccomp=1 # Use bridge networking to provide an isolated network namespace, # so nixos can manage firewall rules # Ensure to change br1 to the interface name you want to use # You may want to add additional options here, e.g. bind mounts systemd_nspawn_user_args=--network-bridge=br1 --bind-ro=./lxd.nix:/etc/nixos/lxd.nix # Script to run on the HOST before starting the jail pre_start_hook=#!/usr/bin/env bash set -euo pipefail echo 'PRE_START_HOOK' # If there's no machine-id then this we're about to start the jail for the first time if [ ! -e ./rootfs/etc/machine-id ]; then echo 'BEFORE_FIRST_BOOT' # Create empty nix module to satisfy import in default lxc configuration.nix echo '{ ... }:{}' > ./lxd.nix cp /etc/resolv.conf ./rootfs/etc/resolv.conf fi # Only used while creating the jail distro=nixos release=24.05 # # Example initial_setup which rebuild the system, # # for when you mount your own /etc/nixos/configuration.nix inside the jail # initial_setup=#!/run/current-system/sw/bin/bash # . /etc/bashrc # set -x # ifconfig # nixos-rebuild switch # echo "All Done" # You generally will not need to change the options below systemd_run_default_args=--property=KillMode=mixed --property=Type=notify --property=RestartForceExitStatus=133 --property=SuccessExitStatus=133 --property=Delegate=yes --property=TasksMax=infinity --collect --setenv=SYSTEMD_NSPAWN_LOCK=0 systemd_nspawn_default_args=--keep-unit --quiet --boot --bind-ro=/sys/module --inaccessible=/sys/module/apparmor