Podman/docker in nixos container (ideally in an unprivileged one)?

I have managed to do this, albeit in a somewhat degraded way. The key was to enable cgroups v2 in both host and container, allow some system calls and change some other settings:

# cgroups v2
systemd.enableUnifiedCgroupHierarchy = true;

containers.example = {
  ...
  enableTun = true;
  additionalCapabilities = ["all"];
  allowedDevices = [
    { node = "/dev/fuse"; modifier = "rwm"; }
    { node = "/dev/mapper/control"; modifier = "rwm"; }
  ];
  bindMounts.dev-fuse = { hostPath = "/dev/fuse"; mountPoint = "/dev/fuse"; };
  # separate attribute name: defining bindMounts.dev-fuse twice is a Nix error
  bindMounts.dev-mapper = { hostPath = "/dev/mapper"; mountPoint = "/dev/mapper"; };
};

# enable cgroups v2 in the container
systemd.services."container@example".environment.SYSTEMD_NSPAWN_UNIFIED_HIERARCHY = "1";

# allow syscalls via an nspawn config file, because arguments with spaces work badly with containers.example.extraArgs
environment.etc."systemd/nspawn/example.nspawn".text = ''
  [Exec]
  SystemCallFilter=add_key keyctl bpf
'';

This is extracted from my current config, so I’m unsure whether all of it is needed, but it works for me with both podman and docker. The one thing that does not work is privileged containers, but otherwise it seems to handle the containers I run.

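A check script to run inside the nixos-container, as an added example that is not part of the post above: it reports whether the container actually got the unified cgroup hierarchy, whether the bind-mounted device nodes are visible, how many capabilities the bounding set holds (the post's `additionalCapabilities = ["all"]` should show every capability the kernel knows about, which is exactly what makes the container far from unprivileged), and whether a seccomp filter such as the nspawn `SystemCallFilter=` is active. The parsers take their input as text so they can be exercised on constructed `/proc` data; the fallback of 40 for `cap_last_cap` when `/proc/sys/kernel/cap_last_cap` is unreadable is an assumption, as are the two device paths taken from the post.

```shell
#!/usr/bin/env bash
# Added check script for the nixos-container setup described above (not from the
# original post). Run it inside the container; every parser takes text input so
# it can also be tested on constructed /proc data.

set -u

# Classify the cgroup layout from /proc/self/mountinfo text ($1):
#   unified  /sys/fs/cgroup is cgroup2 (what the post enables on host and container)
#   hybrid   /sys/fs/cgroup is tmpfs with a cgroup2 mount at /sys/fs/cgroup/unified
#   legacy   /sys/fs/cgroup is tmpfs carrying only v1 controllers
cgroup_layout() {
  printf '%s\n' "$1" | awk '
    { fstype = ""; for (i = 7; i <= NF; i++) if ($i == "-") { fstype = $(i+1); break } }
    $5 == "/sys/fs/cgroup"         { root = fstype }
    $5 == "/sys/fs/cgroup/unified" { unified = fstype }
    END {
      if (root == "cgroup2") print "unified"
      else if (root == "tmpfs" && unified == "cgroup2") print "hybrid"
      else if (root == "tmpfs") print "legacy"
      else print "unknown"
    }'
}

# Number of capabilities set in a /proc/<pid>/status capability mask ($1, hex).
cap_count() {
  local mask=$((16#$1)) n=0
  while [ "$mask" -ne 0 ]; do
    n=$((n + (mask & 1)))
    mask=$((mask >> 1))
  done
  echo "$n"
}

# Value of a field such as CapBnd or Seccomp in /proc/<pid>/status text ($1 = text, $2 = field).
status_field() {
  printf '%s\n' "$1" | awk -v f="$2:" '$1 == f { print $2 }'
}

# True when the bounding set ($1, hex) holds every capability the kernel knows
# about ($2 = value of /proc/sys/kernel/cap_last_cap). This is the state that
# additionalCapabilities = ["all"] produces: nothing has been dropped.
bounding_set_is_full() {
  [ "$(cap_count "$1")" -eq $(( $2 + 1 )) ]
}

# Live report for the container this script runs in; tolerates missing files.
report() {
  local mountinfo status last_cap bnd dev
  mountinfo=$(cat /proc/self/mountinfo 2>/dev/null || true)
  status=$(cat /proc/self/status 2>/dev/null || true)
  last_cap=$(cat /proc/sys/kernel/cap_last_cap 2>/dev/null || echo 40)  # 40 = assumed default
  echo "cgroup layout : $(cgroup_layout "$mountinfo")"
  # the two device nodes the post bind-mounts into the container
  for dev in /dev/fuse /dev/mapper/control; do
    if [ -c "$dev" ]; then echo "device        : $dev present"; else echo "device        : $dev MISSING"; fi
  done
  bnd=$(status_field "$status" CapBnd)
  if [ -n "$bnd" ]; then
    if bounding_set_is_full "$bnd" "$last_cap"; then
      echo "capabilities  : CapBnd=$bnd (all $((last_cap + 1)) capabilities; nothing is dropped)"
    else
      echo "capabilities  : CapBnd=$bnd ($(cap_count "$bnd") of $((last_cap + 1)) capabilities)"
    fi
  fi
  # Seccomp: 0 = none, 1 = strict, 2 = filter (what nspawn's SystemCallFilter= installs)
  echo "seccomp mode  : $(status_field "$status" Seccomp)"
}

report
```

Run it as root inside the container (`nixos-container root-login example`); a "hybrid" or "legacy" cgroup layout means one of the two cgroups v2 switches in the post did not take effect, a "MISSING" device means the `allowedDevices`/`bindMounts` pair for that node is incomplete, and a full bounding set is the expected but security-relevant consequence of `["all"]`.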