neovim-ide/docker-compose.yml

services:
  arch-dev:
    build:
      context: .
      args:
        # Match host UID/GID for clean /workspace permissions
        # Set via: UID=$(id -u) GID=$(id -g) docker compose build
        # Or .env file in repo root
        USER_UID: ${UID:-1000}
        USER_GID: ${GID:-1000}
    image: arch-dev:latest
    container_name: arch-dev
    hostname: arch-dev
    stdin_open: true
    tty: true

    volumes:
      # Project files — bind mount, host-visible, host-UID-owned
      - ./workspace:/workspace

      # Stateful home — named volume, survives --rm
      # Reset with: docker volume rm <project>_arch-dev-home
      - arch-dev-home:/home/dev

    environment:
      - TERM=xterm-256color
      - MOBILE=${MOBILE:-0}
      - GIT_AUTHOR_NAME=${GIT_NAME:-dev}
      - GIT_AUTHOR_EMAIL=${GIT_EMAIL:-dev@localhost}
      - GIT_COMMITTER_NAME=${GIT_NAME:-dev}
      - GIT_COMMITTER_EMAIL=${GIT_EMAIL:-dev@localhost}

    # Capability set built up through testing —
    # cap_drop ALL then re-add only what's needed.
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE   # mosh, bind <1024
      - SETUID             # sudo
      - SETGID             # sudo
      - AUDIT_WRITE        # sudoers_audit plugin
      - NET_ADMIN          # tailscale
      - NET_RAW            # tailscale
      - CHOWN              # pacman temp dir ownership
      - DAC_OVERRIDE       # pacman lock files
      - FOWNER             # pacman package ownership

    # Tailscale needs tun device for kernel-mode networking
    devices:
      - /dev/net/tun:/dev/net/tun

volumes:
  arch-dev-home:
v1.7: stateful home with git-backed snapshot/rollback 2026-04-27 11:41:59 -04:00			`services:`
			`arch-dev:`
v2.0: UID/GID matching, nvm, go, gh, full cap set 2026-05-10 23:07:03 -04:00			`build:`
			`context: .`
			`args:`
			`# Match host UID/GID for clean /workspace permissions`
			`# Set via: UID=$(id -u) GID=$(id -g) docker compose build`
			`# Or .env file in repo root`
			`USER_UID: ${UID:-1000}`
			`USER_GID: ${GID:-1000}`
v1.7: stateful home with git-backed snapshot/rollback 2026-04-27 11:41:59 -04:00			`image: arch-dev:latest`
			`container_name: arch-dev`
			`hostname: arch-dev`
			`stdin_open: true`
			`tty: true`

			`volumes:`
v2.0: UID/GID matching, nvm, go, gh, full cap set 2026-05-10 23:07:03 -04:00			`# Project files — bind mount, host-visible, host-UID-owned`
v1.7: stateful home with git-backed snapshot/rollback 2026-04-27 11:41:59 -04:00			`- ./workspace:/workspace`

			`# Stateful home — named volume, survives --rm`
v2.0: UID/GID matching, nvm, go, gh, full cap set 2026-05-10 23:07:03 -04:00			`# Reset with: docker volume rm <project>_arch-dev-home`
v1.7: stateful home with git-backed snapshot/rollback 2026-04-27 11:41:59 -04:00			`- arch-dev-home:/home/dev`

			`environment:`
			`- TERM=xterm-256color`
			`- MOBILE=${MOBILE:-0}`
			`- GIT_AUTHOR_NAME=${GIT_NAME:-dev}`
			`- GIT_AUTHOR_EMAIL=${GIT_EMAIL:-dev@localhost}`
			`- GIT_COMMITTER_NAME=${GIT_NAME:-dev}`
			`- GIT_COMMITTER_EMAIL=${GIT_EMAIL:-dev@localhost}`

v2.0: UID/GID matching, nvm, go, gh, full cap set 2026-05-10 23:07:03 -04:00			`# Capability set built up through testing —`
			`# cap_drop ALL then re-add only what's needed.`
v1.7: stateful home with git-backed snapshot/rollback 2026-04-27 11:41:59 -04:00			`cap_drop:`
			`- ALL`
			`cap_add:`
v2.0: UID/GID matching, nvm, go, gh, full cap set 2026-05-10 23:07:03 -04:00			`- NET_BIND_SERVICE # mosh, bind <1024`
			`- SETUID # sudo`
			`- SETGID # sudo`
			`- AUDIT_WRITE # sudoers_audit plugin`
			`- NET_ADMIN # tailscale`
			`- NET_RAW # tailscale`
			`- CHOWN # pacman temp dir ownership`
			`- DAC_OVERRIDE # pacman lock files`
			`- FOWNER # pacman package ownership`
v2.2: bake in tailscale (AUR) + tun device + NET_ADMIN cap 2026-04-27 22:34:44 -04:00
v2.0: UID/GID matching, nvm, go, gh, full cap set 2026-05-10 23:07:03 -04:00			`# Tailscale needs tun device for kernel-mode networking`
v2.2: bake in tailscale (AUR) + tun device + NET_ADMIN cap 2026-04-27 22:34:44 -04:00			`devices:`
			`- /dev/net/tun:/dev/net/tun`
v1.7: stateful home with git-backed snapshot/rollback 2026-04-27 11:41:59 -04:00
			`volumes:`
			`arch-dev-home:`