systemd-nspawn Advent Calendar 2017 25日目の記事です。
ユニットファイルの書き方はこちらが参考になるかと思います
個人的には以下のように書いています。
[Unit]
Description=Container %i
Documentation=man:systemd-nspawn(1)
PartOf=machines.target
Before=machines.target
After=multi-user.target
[Service]
ExecStart=/usr/bin/systemd-nspawn --quiet --keep-unit --boot --link-journal=try-guest --network-bridge=br0 --machine=%i
KillMode=mixed
Type=notify
RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
Delegate=yes
TasksMax=8192
# Enforce a strict device policy, similar to the one nspawn configures
# when it allocates its own scope unit. Make sure to keep these
# policies in sync if you change them!
DevicePolicy=strict
DeviceAllow=/dev/null rwm
DeviceAllow=/dev/zero rwm
DeviceAllow=/dev/full rwm
DeviceAllow=/dev/random rwm
DeviceAllow=/dev/urandom rwm
DeviceAllow=/dev/tty rwm
DeviceAllow=/dev/tty0 rwm
DeviceAllow=/dev/tty1 rwm
DeviceAllow=/dev/tty2 rwm
DeviceAllow=/dev/tty3 rwm
DeviceAllow=/dev/tty4 rwm
DeviceAllow=/dev/tty5 rwm
DeviceAllow=/dev/tty6 rwm
DeviceAllow=/dev/tty7 rwm
DeviceAllow=/dev/tty8 rwm
DeviceAllow=/dev/tty9 rwm
DeviceAllow=/dev/net/tun rwm
DeviceAllow=/dev/pts/ptmx rw
DeviceAllow=char-pts rw
# nspawn itself needs access to /dev/loop-control and /dev/loop, to
# implement the --image= option. Add these here, too.
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rw
DeviceAllow=block-blkext rw
[Install]
WantedBy=machines.target