Setup VSCode in ANP devbox

Signed-off-by: magic_rb <magic_rb@redalder.org>
2024-11-22 08:04:20 +01:00 · 2024-09-18 00:44:35 +02:00 · 2024-09-18 00:44:35 +02:00 · 49fea0bdf2
parent 8965d75a04
commit 49fea0bdf2
3 changed files with 54 additions and 0 deletions
--- a/flake.nix
+++ b/flake.nix
@ -357,6 +357,7 @@
        hostapd.hostapd-2_10-lar-2 = patches/hostapd-2.10-lar.patch;
        terraform-provider-nomad.allow-null-in-authMountTuneSchema = patches/vault-provider-Allow-null-in-authMountTuneSchema.patch;
        systemd.override-cgroup-hierarchy = patches/0001-Add-env-SYSTEMD_UNIFIED_CGROUP_HIERARCHY.patch;
+        bubblewrap.dont-bail-on-caps = patches/0001-Don-t-bail-if-we-have-capabilities-in-non-setuid-cas.patch;
      };

      systems = [
--- a/nixos/systems/blowhole/ywecur-anp.nix
+++ b/nixos/systems/blowhole/ywecur-anp.nix
@ -32,6 +32,10 @@ in {
        hostPath = "/mnt/kyle/infrastructure/ywecur/";
        isReadOnly = false;
      };
+      "/etc/ssh" = {
+        hostPath = "/mnt/kyle/infrastructure/ywecur/.ssh-system";
+        isReadOnly = false;
+      };
      "/dev/net/tap" = {
        hostPath = "/dev/net/tap";
        isReadOnly = false;
@ -49,6 +53,7 @@ in {
    config = {
      config,
      pkgs,
+      lib,
      ...
    }: {
      boot.isContainer = true;
@ -57,8 +62,25 @@ in {
      environment.systemPackages = with pkgs; [
        git
        tcpdump
+        vscode-fhs
      ];

+      nixpkgs.config.allowUnfreePredicate = pkg:
+        builtins.elem (lib.getName pkg) [
+          "code"
+          "vscode"
+        ];
+
+      nixpkgs.overlays = [
+        (final: prev: {
+          bubblewrap = prev.bubblewrap.overrideAttrs (final': prev': {
+            patches = [inputs'.self.patches.bubblewrap.dont-bail-on-caps] ++ prev'.patches or [];
+          });
+        })
+      ];
+
+      programs.nix-ld.enable = true;
+
      services.openssh = {
        enable = true;
        settings = {
--- a/patches/0001-Don-t-bail-if-we-have-capabilities-in-non-setuid-cas.patch
+++ b/patches/0001-Don-t-bail-if-we-have-capabilities-in-non-setuid-cas.patch
@ -0,0 +1,31 @@
+From c5f36683a04d5e8418a4ba5b27d369c04cf5610f Mon Sep 17 00:00:00 2001
+From: magic_rb <richard@brezak.sk>
+Date: Tue, 17 Sep 2024 23:54:36 +0200
+Subject: [PATCH] Don't bail if we have capabilities in non-setuid case
+
+Signed-off-by: magic_rb <richard@brezak.sk>
+---
+ bubblewrap.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+diff --git a/bubblewrap.c b/bubblewrap.c
+index bc75da4..027dfd4 100644
+--- a/bubblewrap.c
+++ b/bubblewrap.c
+@@ -872,13 +872,6 @@ acquire_privs (void)
+       /* Keep only the required capabilities for setup */
+       set_required_caps ();
+     }
+-  else if (real_uid != 0 && has_caps ())
+-    {
+-      /* We have some capabilities in the non-setuid case, which should not happen.
+-         Probably caused by the binary being setcap instead of setuid which we
+-         don't support anymore */
+-      die ("Unexpected capabilities but not setuid, old file caps config?");
+-    }
+   else if (real_uid == 0)
+     {
+       /* If our uid is 0, default to inheriting all caps; the caller
+-- 
+2.46.0
+