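---
# Docker Compose: a single Arch Linux dev container with a host-owned
# /workspace bind mount and a persistent named home volume.
services:
  arch-dev:
    build:
      context: .
      args:
        # Match host UID/GID so files created in /workspace stay host-owned.
        # Set via a .env file in the repo root (UID=..., GID=...) or on the
        # command line:
        #   export UID; GID=$(id -g) docker compose build
        # (bash's UID is read-only, so `UID=$(id -u) ...` fails there;
        # `export UID` works, and the .env route avoids the issue entirely.)
        USER_UID: "${UID:-1000}"
        USER_GID: "${GID:-1000}"
    image: arch-dev:latest
    container_name: arch-dev
    hostname: arch-dev
    stdin_open: true
    tty: true
    volumes:
      # Project files — bind mount, host-visible, host-UID-owned
      - ./workspace:/workspace
      # Stateful home — named volume, survives --rm
      # Reset with: docker volume rm <project>_arch-dev-home
      # (Compose prefixes the volume name with the project name, which
      # defaults to the directory name.)
      - arch-dev-home:/home/dev
    environment:
      - TERM=xterm-256color
      - MOBILE=${MOBILE:-0}
      - GIT_AUTHOR_NAME=${GIT_NAME:-dev}
      - GIT_AUTHOR_EMAIL=${GIT_EMAIL:-dev@localhost}
      - GIT_COMMITTER_NAME=${GIT_NAME:-dev}
      - GIT_COMMITTER_EMAIL=${GIT_EMAIL:-dev@localhost}
    # Capability set built up through testing —
    # cap_drop ALL then re-add only what's needed.
    # NOTE(review): NET_ADMIN, NET_RAW and DAC_OVERRIDE are broad grants.
    # DAC_OVERRIDE lets the container's root bypass file permission checks,
    # so re-check whether CHOWN + FOWNER alone suffice when the pacman
    # workflow changes. no-new-privileges is presumably left unset on purpose:
    # it would stop the setuid sudo binary that SETUID/SETGID exist for.
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE  # mosh, bind <1024
      - SETUID  # sudo
      - SETGID  # sudo
      - AUDIT_WRITE  # sudoers_audit plugin
      - NET_ADMIN  # tailscale
      - NET_RAW  # tailscale
      - CHOWN  # pacman temp dir ownership
      - DAC_OVERRIDE  # pacman lock files
      - FOWNER  # pacman package ownership
    # Tailscale needs the tun device for kernel-mode networking
    # (exposes the host's /dev/net/tun node to the container).
    devices:
      - /dev/net/tun:/dev/net/tun

volumes:
  # Explicit empty mapping: a bare `arch-dev-home:` parses as null, which
  # Compose tolerates but some linters flag.
  arch-dev-home: {}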