# WARNING: EXPERIMENTAL CONFIG TEMPLATE!
startup=0
gpu_passthrough_intel=0
gpu_passthrough_nvidia=0
# Turning off seccomp filtering improves performance at the expense of security
# TODO: don't disable seccomp but specify which syscalls should be allowed
seccomp=0

# Use bridge networking to provide an isolated network namespace,
# so lxd can manage firewall rules
# Alternatively use --network-macvlan=eno1 instead of --network-bridge
# Ensure to change eno1/br1 to the interface name you want to use
# You may want to add additional options here, e.g. bind mounts
# TODO: don't use --capability=all but specify only the required capabilities
systemd_nspawn_user_args=--network-bridge=br1
    --resolv-conf=bind-host
    --capability=all
    --bind=/dev/fuse
    --bind=/dev/kvm
    --bind=/dev/vsock
    --bind=/dev/vhost-vsock

# Script to run on the HOST before starting the jail
# Load kernel module and config kernel settings required for lxd
pre_start_hook=#!/usr/bin/bash
    set -euo pipefail
    echo 'PRE_START_HOOK'
    echo 1 > /proc/sys/net/ipv4/ip_forward
    modprobe br_netfilter
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-iptables
    echo 1 > /proc/sys/net/bridge/bridge-nf-call-ip6tables
    modprobe vhost_vsock

# Only used while creating the jail
distro=ubuntu
release=noble

initial_setup=#!/usr/bin/bash
    set -euo pipefail
    # https://discuss.linuxcontainers.org/t/snap-inside-privileged-lxd-container/13691/8
    ln -sf /bin/true /usr/local/bin/udevadm
    apt-get update
    apt-get install -y --no-install-recommends snapd
    snap install lxd

# You generally will not need to change the options below
systemd_run_default_args=--property=KillMode=mixed
    --property=Type=notify
    --property=RestartForceExitStatus=133
    --property=SuccessExitStatus=133
    --property=Delegate=yes
    --property=TasksMax=infinity
    --collect
    --setenv=SYSTEMD_NSPAWN_LOCK=0

systemd_nspawn_default_args=--keep-unit
    --quiet
    --boot
    --bind-ro=/sys/module
    --inaccessible=/sys/module/apparmor