54 lines
1.6 KiB
YAML
54 lines
1.6 KiB
YAML
services:
|
|
arch-dev:
|
|
build:
|
|
context: .
|
|
args:
|
|
# Match host UID/GID for clean /workspace permissions
|
|
# Set via: UID=$(id -u) GID=$(id -g) docker compose build
|
|
# Or .env file in repo root
|
|
USER_UID: ${UID:-1000}
|
|
USER_GID: ${GID:-1000}
|
|
image: arch-dev:latest
|
|
container_name: arch-dev
|
|
hostname: arch-dev
|
|
stdin_open: true
|
|
tty: true
|
|
|
|
volumes:
|
|
# Project files — bind mount, host-visible, host-UID-owned
|
|
- ./workspace:/workspace
|
|
|
|
# Stateful home — named volume, survives --rm
|
|
# Reset with: docker volume rm <project>_arch-dev-home
|
|
- arch-dev-home:/home/dev
|
|
|
|
environment:
|
|
- TERM=xterm-256color
|
|
- MOBILE=${MOBILE:-0}
|
|
- GIT_AUTHOR_NAME=${GIT_NAME:-dev}
|
|
- GIT_AUTHOR_EMAIL=${GIT_EMAIL:-dev@localhost}
|
|
- GIT_COMMITTER_NAME=${GIT_NAME:-dev}
|
|
- GIT_COMMITTER_EMAIL=${GIT_EMAIL:-dev@localhost}
|
|
|
|
# Capability set built up through testing —
|
|
# cap_drop ALL then re-add only what's needed.
|
|
cap_drop:
|
|
- ALL
|
|
cap_add:
|
|
- NET_BIND_SERVICE # mosh, bind <1024
|
|
- SETUID # sudo
|
|
- SETGID # sudo
|
|
- AUDIT_WRITE # sudoers_audit plugin
|
|
- NET_ADMIN # tailscale
|
|
- NET_RAW # tailscale
|
|
- CHOWN # pacman temp dir ownership
|
|
- DAC_OVERRIDE # pacman lock files
|
|
- FOWNER # pacman package ownership
|
|
|
|
# Tailscale needs tun device for kernel-mode networking
|
|
devices:
|
|
- /dev/net/tun:/dev/net/tun
|
|
|
|
volumes:
|
|
arch-dev-home:
|