For anyone curious, this is my final version:
```
pct create $(pvesh get /cluster/nextid) \
  --description nixos-template \
  --hostname nixos-template \
  holodeck4:vztmpl/nixos-21.11-default_166445692_amd64.tar.xz \
  --arch amd64 \
  --ostype unmanaged \
  --net0 name=eth0,ip=dhcp,bridge=vmbr0,firewall=1 \
  --storage local-zfs \
  --cmode console \
  --features nesting=1 \
  --unprivileged true \
  --template true
```
`lxc.init.cmd: /sbin/init` doesn’t seem necessary. It works unprivileged + nesting.

`cmode console` seems to fix the console. I’m not quite sure why.