# See also: # # startup=0 gpu_passthrough_intel=0 gpu_passthrough_nvidia=0 # Turning off seccomp filtering improves performance at the expense of security seccomp=1 # Use bridge networking to provide an isolated network namespace # Alternatively use --network-macvlan=eno1 instead of --network-bridge # Ensure to change br0 to the HOST interface name you want to use # and br1 to the SECONDARY interface name you want to prepare # Substitute your own dnsmasq.d and TFTP dataset bindings systemd_nspawn_user_args=--network-bridge=br0 --network-veth-extra=ve-router-1:vee-1 --resolv-conf=bind-host --system-call-filter='add_key keyctl bpf' --bind=/mnt/pool/subnet/dnsmasq.d:/etc/dnsmasq.d --bind-ro=/mnt/pool/subnet/tftpboot:/tftp # Script to run on the HOST before starting the jail # Load kernel module and config kernel settings required for podman pre_start_hook=#!/usr/bin/bash set -euo pipefail echo 'PRE_START_HOOK' echo 1 > /proc/sys/net/ipv4/ip_forward modprobe br_netfilter echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables modprobe iptable_nat modprobe iptable_filter # Script to run on the HOST after starting the jail # For example to attach to multiple bridge interfaces post_start_hook=#!/usr/bin/bash set -euo pipefail echo 'POST_START_HOOK' ip link set dev ve-router-1 master br1 ip link set dev ve-router-1 up #ip link set dev eth2 master br1 # Only used while creating the jail distro=debian release=bookworm # Install and configure within the jail initial_setup=#!/usr/bin/bash set -euo pipefail # Catch up on updates apt-get update && apt-get full-upgrade -y # Configure worker LAN interface with static IP sh -c 'cat < /etc/systemd/network/80-container-vee-1.network [Match] Virtualization=container Name=vee-1 [Network] DHCP=false Address=10.3.14.202/24 EOF' systemctl restart systemd-networkd.service # Configure routing from LAN clients apt-get install nftables -y nft add table nat nft add chain nat prerouting { type nat hook prerouting priority 0 \; } nft add chain nat postrouting { type nat hook postrouting priority 100 \; } nft add rule nat postrouting masquerade mkdir -p /etc/nftables.d nft list table nat >/etc/nftables.d/nat.conf ( echo ; echo 'include "/etc/nftables.d/*.conf"' ) >>/etc/nftables.conf # Install dnsmasq alongside local resolver sed -i -e 's/^#DNSStubListener=yes$/DNSStubListener=no/' /etc/systemd/resolved.conf systemctl restart systemd-resolved.service apt-get install dnsmasq -y sed -i -e 's/^#DNS=$/DNS=127.0.0.1/' /etc/systemd/resolved.conf systemctl restart systemd-resolved.service systemctl restart dnsmasq.service