Add Incus container support to sandboxed workspaces

- Add incus.nix module for fully declarative Incus/LXC containers - Build NixOS LXC images using nixpkgs.lib.nixosSystem - Ephemeral containers: recreated on each start, cleaned up on stop - Use flock to serialize concurrent container operations - Deterministic MAC addresses via lib.mkMac to prevent ARP cache issues - Add veth* to NetworkManager unmanaged interfaces - Update CLAUDE.md with coding conventions and shared lib docs
2026-02-08 14:55:48 -08:00
parent 5178ea6835
commit cf71b74d6f
8 changed files with 252 additions and 13 deletions
--- a/lib/default.nix
+++ b/lib/default.nix
@@ -53,4 +53,13 @@ with lib;
      getElem = x: y: elemAt (elemAt ll y) x;
    in
    genList (y: genList (x: f x y (getElem x y)) innerSize) outerSize;
+
+  # Generate a deterministic MAC address from a name
+  # Uses locally administered unicast range (02:xx:xx:xx:xx:xx)
+  mkMac = name:
+    let
+      hash = builtins.hashString "sha256" name;
+      octets = map (i: builtins.substring i 2 hash) [ 0 2 4 6 8 ];
+    in
+    "02:${builtins.concatStringsSep ":" octets}";
 }