Remotely configuring NixOS-based Proxmox containers

This gets me closer to my goal of declarative/reproducible self-hosted services. If my home server dies, I want to just be able to rebuild and re-deploy replacement containers/virtual machines.

Steps to set up and remotely configure NixOS-based Proxmox containers

Setup

First, ensure that you have Nix installed and available to your user. On Debian, this could be as simple as:

  1. sudo apt install nix
  2. sudo adduser <your user> nixbld
  3. nix-channel --add https://channels.nixos.org/nixos-25.11 (or other desired release)
  4. nix-channel --update

Next, make sure you have the NixOS Proxmox LXC template downloaded (on Proxmox). Based on the NixOS Wiki instructions:

  1. Go to https://hydra.nixos.org/project/nixos
  2. Navigate to the release (e.g. 25.11)
  3. Open "Jobs"
  4. Search for "nixos.proxmoxLXC"
  5. Select the latest successful build
  6. Under build products, copy the URL of the .tar.xz file
  7. Download using the "CT Templates" UI in Proxmox

Example I used (which will become out of date): https://hydra.nixos.org/build/326737339/download/1/nixos-image-lxc-proxmox-25.11pre-git-x86_64-linux.tar.xz

Creating the container

Use the Proxmox "Create CT" UI to create the container:

At this point, you should be able to SSH into the container as root using its hostname (e.g. root@nix-container1), or its IP address if host names can't be resolved on your network.

Configuring the container

In order to configure the container, you'll need the nixos-rebuild tool. Fortunately, you can get it from Nix: nix-shell -p nixos-rebuild.

Let's assume you have a configuration in configuration.nix. My best attempt at a minimal config looks like this:

{ config, modulesPath, pkgs, ... }:
{
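    # Proxmox LXC support
    imports = [ (modulesPath + "/virtualisation/proxmox-lxc.nix") ];
    # Disables the Nix build sandbox, so builds run inside the container are not isolated
    nix.settings = { sandbox = false; };
    # No periodic fstrim from inside the container
    services.fstrim.enable = false;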

    # Ensure SSH server is running
    services.openssh = {
        enable = true;
        settings = { PasswordAuthentication = false; };
    };

    # Packages
    environment.systemPackages = with pkgs; [
        # TODO: Put what you actually want here!
    ];

    # Note: this should match the release you're using!
    system.stateVersion = "25.11";
}

To apply this configuration:

nixos-rebuild switch -I nixos-config=configuration.nix --target-host root@nix-container1

This will build everything locally and then deploy it to the container.
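
A check that could follow the deploy above, as an added example that is not part of the original post: PasswordAuthentication is only one of the sshd settings that allow password-style logins, so this script audits the effective settings printed by sshd -T. The function names and both sample outputs are constructed for illustration, and it assumes sshd is on root's PATH in the container.

```shell
#!/bin/sh
# Added example (not from the original post): audit the *effective* sshd
# settings of a deployed container. Feed it the output of `sshd -T`.
# Prints one line per finding; exit status is 1 if there is any finding.
audit_sshd() {
    awk '
        { seen[tolower($1)] = tolower($2) }   # sshd -T prints "key value"
        END {
            bad = 0
            # Every password-style login path must be off, not just one.
            n = split("passwordauthentication kbdinteractiveauthentication permitemptypasswords", must_no, " ")
            for (i = 1; i <= n; i++) {
                k = must_no[i]
                if (!(k in seen)) { print "MISSING " k; bad = 1 }
                else if (seen[k] != "no") { print "FAIL " k "=" seen[k] " (want no)"; bad = 1 }
            }
            # The deploy logs in as root, so root login stays on, but key-only.
            if (seen["permitrootlogin"] == "yes") {
                print "FAIL permitrootlogin=yes (want prohibit-password)"; bad = 1
            }
            exit bad
        }'
}

# Constructed sample: a host where only PasswordAuthentication was disabled.
sample_password_only() {
    cat <<'EOF'
permitrootlogin without-password
passwordauthentication no
kbdinteractiveauthentication yes
permitemptypasswords no
EOF
}

# Constructed sample: every password-style login path disabled.
sample_key_only() {
    cat <<'EOF'
permitrootlogin without-password
passwordauthentication no
kbdinteractiveauthentication no
permitemptypasswords no
EOF
}

# Usage against the container from the post (assumes sshd is on root's PATH there):
#   ssh root@nix-container1 sshd -T | audit_sshd
```

If it reports kbdinteractiveauthentication, the matching NixOS option is services.openssh.settings.KbdInteractiveAuthentication.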

Future work

Eventually, I hope to add services (calendar, photos, media, notes) that run (only) on a VPN, likely using Tailscale.