Just a note for myself about how to put together an LXC template.
Assuming you've created a CT, based on Debian:

```bash
apt update
apt dist-upgrade -y
apt install -y curl git jq stow unattended-upgrades vim sudo
update-alternatives --set editor /usr/bin/vim.basic
# todo : setup mail forwarding
useradd -d /home/ptomli -U -G sudo -m -s /bin/bash ptomli
passwd ptomli --stdin
su - ptomli
mkdir -m 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0600 ~/.ssh/authorized_keys
# copy id_blah.pub into ~/.ssh/authorized_keys
##############################################################################
# optionally: install the lab configuration
# add local ssh key for git access
ssh-keygen -N '' -t ed25519 -f ~/.ssh/id_ed25519
cat ~/.ssh/id_ed25519.pub
# manually install that key into git hosting
git clone git@git.ptomli.dev:ptomli/lab.ptomli.dev /srv
##############################################################################
exit
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
apt clean
apt autoclean
apt autoremove
rm /etc/resolv.conf
rm /etc/hostname
rm /etc/machine-id
rm /etc/ssh/ssh_host_*key*
# lock the root account, because we probably
# used password auth for setup on the console
passwd -l
rm /root/.bash_history
```
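
A pre-backup check for the cleanup steps above, as an added example rather than part of the original note: it audits a root filesystem for leftover per-instance files, the resulting sshd settings and the root lock. The function names are made up for this example, and it assumes Debian's default `Include` of `/etc/ssh/sshd_config.d/*.conf` at the top of `sshd_config`.

```shell
#!/bin/sh
# Added example: audit a CT root filesystem before it is backed up as a template.
# Usage inside the CT, as root:  audit_template_root / && echo "ready to template"

# First uncommented value of an sshd option (sshd keeps the first value it reads).
# Drop-ins come first because Debian's sshd_config Includes them at the top (assumed).
# Simplification: Match blocks and the "Key=value" spelling are not handled.
sshd_value() {  # $1 = root dir without trailing slash, $2 = option name
    cat "$1"/etc/ssh/sshd_config.d/*.conf "$1/etc/ssh/sshd_config" 2>/dev/null |
        awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }'
}

audit_template_root() {  # $1 = root dir; returns 0 when clean, 1 otherwise
    root=${1%/}
    fail=0
    # Per-instance files the note deletes so each clone gets its own.
    for f in etc/hostname etc/machine-id etc/resolv.conf root/.bash_history; do
        if [ -e "$root/$f" ] || [ -L "$root/$f" ]; then
            echo "FAIL: /$f still present"; fail=1
        fi
    done
    for f in "$root"/etc/ssh/ssh_host_*key*; do
        if [ -e "$f" ]; then
            echo "FAIL: host key ${f#"$root"} still present"; fail=1
        fi
    done
    # The sed edits are silent no-ops when the commented default is absent,
    # so check the resulting values rather than trusting the exit status.
    for opt in PermitRootLogin PasswordAuthentication; do
        v=$(sshd_value "$root" "$opt")
        if [ "$v" != no ]; then
            echo "FAIL: $opt is '${v:-unset}', expected 'no'"; fail=1
        fi
    done
    # passwd -l prefixes the shadow hash with '!'; '*' also means no password login.
    hash=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null) || hash=
    case $hash in
        '!'*|'*'*) ;;
        *) echo "FAIL: root account is not locked"; fail=1 ;;
    esac
    return "$fail"
}
```

Run it as root just before deleting the Ethernet interface and taking the backup; any `FAIL` line means a clone would inherit that state.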
Now that the CT is in the sort of state you'd like to be able to replicate, we can turn it into a template.
- Delete the Ethernet interface.
- Create a backup.
  It will be saved in `/var/lib/vz/dump/`, eg: `/var/lib/vz/dump/vzdump-lxc-999-2026_04_11-08_26_51.tar.zst`
- Copy the backup to the template directory.
  For it to be available as a CT template, it needs to be in `/var/lib/vz/template/cache/`.

  ```bash
  cp /var/lib/vz/dump/vzdump-lxc-999-2026_04_11-08_26_51.tar.zst /var/lib/vz/template/cache/debian-13-2026-04-11.tar.zst
  ```
You should probably delete the CT you used to create the template, and next time you want to update it, just create a new one from the template and repeat the process.
There is also a decent walkthrough, using the CLI no less, over here, from which I pilfered some details.
Yes, this could be some playbook or something, but it's like 50 lines, and I'd have to know more than 50 lines of the documentation for any of the infra-deployment tools. :meh:
You can probably spot that I use a git-based config system for the lab containers. It's just a tree of services with configuration and an install script that uses stow. Services are typically running on podman via quadlets, and one service, or suite, per CT.
I run an Unraid server for production stuff at the house, like Immich and Jellyfin, which I do through the quite awesome Docker support. But for lab stuff where I break things while playing around, I prefer the isolation of a distinct CT. And yes, I know running podman/docker in a CT is not "officially supported", but it works for me and I prefer it to VMs. There's no comment section here anyway, so :man-sticking-tongue-out: