re: nice solution! Some questions: Should nginx be installed on the base lxc container or directly on the host vm? If I update the base container ...

I usually put the proxy on the host so that I don't have to worry about iptables rules.

A base OS update does not update containers. You'll have to create a new container or run the update inside the container.

Kernel updates will be reflected because LXC containers, like all other containers, use the underlying host kernel.

