add wireguard-on-spawn

docs/posts/wireguard-on-nspawn.md

@@ -0,0 +1,38 @@
+---
+title: "Wireguard on Nspawn"
+date: 2025-01-30
+draft: false
+tags: ["Wireguard", "linux", "nspawn", "container", "systemd", "Debian", "bookworm", "Arch"]
+authors: ["trent"]
+post: 35
+---
+date: 2025-01-30
+
+## Introduction
+Have you ever been thinking about `systemd-nspawn` containers and thought wouldn't
+it be awesome if you could just wireguard outa there as easily as you can with a
+virtual machine?
+
+You can do it!
+
+I have tested this with a Debian 12 `nspawn` container on a Debian 12 host, as well
+as both Arch Linux and Debian 12 containers on an Arch Linux host.
+
+## install wireguard-tools in container
+*mask unwanted dependencies with a trailing `-`*
+
+`apt install wireguard-tools linux-base-`
+
+You can now configure with `wg-quick` and start using `wireguard`.
+
+## unpacking the install
+The trick is to avoid installing the dependencies of `wireguard` that you
+don't need inside a container.  You don't need a kernel, busybox,
+initramfs, wireguard-modules, or dkms.
+
+We mask `linux-base-` by adding a `-` after it, and the result is that only
+`wireguard-tools` are installed, without `wireguard` or a bunch of other dependencies.
+
+## what about LXD containers?
+I'm curious if this will work in LXD containers, but don't really have
+a testing environment set up for that right now.