Setup VSCode in ANP devbox
Signed-off-by: magic_rb <magic_rb@redalder.org>
This commit is contained in:
parent
8965d75a04
commit
49fea0bdf2
|
@ -357,6 +357,7 @@
|
|||
hostapd.hostapd-2_10-lar-2 = patches/hostapd-2.10-lar.patch;
|
||||
terraform-provider-nomad.allow-null-in-authMountTuneSchema = patches/vault-provider-Allow-null-in-authMountTuneSchema.patch;
|
||||
systemd.override-cgroup-hierarchy = patches/0001-Add-env-SYSTEMD_UNIFIED_CGROUP_HIERARCHY.patch;
|
||||
bubblewrap.dont-bail-on-caps = patches/0001-Don-t-bail-if-we-have-capabilities-in-non-setuid-cas.patch;
|
||||
};
|
||||
|
||||
systems = [
|
||||
|
|
|
@ -32,6 +32,10 @@ in {
|
|||
hostPath = "/mnt/kyle/infrastructure/ywecur/";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/etc/ssh" = {
|
||||
hostPath = "/mnt/kyle/infrastructure/ywecur/.ssh-system";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/dev/net/tap" = {
|
||||
hostPath = "/dev/net/tap";
|
||||
isReadOnly = false;
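Review bot: The new `/etc/ssh` bind mount is writable (`isReadOnly = false`) from a host path, so whatever the container writes there — presumably the host keys of the openssh service this commit also enables, though the intent is not recorded — lands on the host under `/mnt/kyle/infrastructure/ywecur/.ssh-system`. A one-line comment would make that contract explicit and remind whoever manages the host directory that its permissions, not the container's, decide who can read the private keys: `# persists sshd host keys across container rebuilds; keep the host dir root-owned, mode 0700`. If the host directory does not exist yet, it is also worth saying so, since a missing hostPath is a start-time failure rather than a configuration error. The enclosing bindMounts attribute set starts before this hunk.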
|
||||
|
@ -49,6 +53,7 @@ in {
|
|||
config = {
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
...
|
||||
}: {
|
||||
boot.isContainer = true;
|
||||
|
@ -57,8 +62,25 @@ in {
|
|||
environment.systemPackages = with pkgs; [
|
||||
git
|
||||
tcpdump
|
||||
vscode-fhs
|
||||
];
|
||||
|
||||
nixpkgs.config.allowUnfreePredicate = pkg:
|
||||
builtins.elem (lib.getName pkg) [
|
||||
"code"
|
||||
"vscode"
|
||||
];
|
||||
|
||||
nixpkgs.overlays = [
|
||||
(final: prev: {
|
||||
bubblewrap = prev.bubblewrap.overrideAttrs (final': prev': {
|
||||
patches = [inputs'.self.patches.bubblewrap.dont-bail-on-caps] ++ prev'.patches or [];
|
||||
});
|
||||
})
|
||||
];
|
||||
|
||||
programs.nix-ld.enable = true;
|
||||
|
||||
services.openssh = {
|
||||
enable = true;
|
||||
settings = {
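Review bot: The overlay applies `dont-bail-on-caps` to bubblewrap with no comment saying why, yet it removes a guard that upstream keeps precisely for a case it does not support (a non-setuid process that already holds capabilities), and because it sits in `nixpkgs.overlays` it relaxes every bubblewrap consumer in this container, not only `vscode-fhs`. Presumably the trigger is that processes inside this container (`boot.isContainer = true`) inherit capabilities and the stock bubblewrap refuses to start — that should be confirmed and written down. Something like `# bubblewrap dies when a non-root process already holds caps (the case inside this container); drop that check so vscode-fhs can start. Container-scoped only — do not lift into the host overlay.` above the overrideAttrs would do. The `services.openssh` block continues outside this hunk.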
|
||||
|
|
|
@ -0,0 +1,31 @@
|
|||
From c5f36683a04d5e8418a4ba5b27d369c04cf5610f Mon Sep 17 00:00:00 2001
|
||||
From: magic_rb <richard@brezak.sk>
|
||||
Date: Tue, 17 Sep 2024 23:54:36 +0200
|
||||
Subject: [PATCH] Don't bail if we have capabilities in non-setuid case
|
||||
|
||||
Signed-off-by: magic_rb <richard@brezak.sk>
|
||||
---
|
||||
bubblewrap.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/bubblewrap.c b/bubblewrap.c
|
||||
index bc75da4..027dfd4 100644
|
||||
--- a/bubblewrap.c
|
||||
+++ b/bubblewrap.c
|
||||
@@ -872,13 +872,6 @@ acquire_privs (void)
|
||||
/* Keep only the required capabilities for setup */
|
||||
set_required_caps ();
|
||||
}
|
||||
- else if (real_uid != 0 && has_caps ())
|
||||
- {
|
||||
- /* We have some capabilities in the non-setuid case, which should not happen.
|
||||
- Probably caused by the binary being setcap instead of setuid which we
|
||||
- don't support anymore */
|
||||
- die ("Unexpected capabilities but not setuid, old file caps config?");
|
||||
- }
|
||||
else if (real_uid == 0)
|
||||
{
|
||||
/* If our uid is 0, default to inheriting all caps; the caller
|
||||
--
|
||||
2.46.0
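Review bot: After this deletion a caller with `real_uid != 0` that already holds capabilities no longer dies but falls through to the remaining `else if` branches of acquire_privs, which lie outside this hunk, so which capabilities such a process keeps (and whether it is later treated as unprivileged) is not visible from the patch itself; the deleted comment states upstream does not support that configuration. The patch body carries no description beyond the subject line, so the environment that makes the check misfire and the behaviour expected on the new path should be explained there, for example a sentence noting that the binary is not setcap, that the caps come from the container's inherited set, and which branch is expected to handle the process. Without that, a future bubblewrap bump that reorders these branches could silently change what the patched binary does with inherited caps. The acquire_privs function starts and ends outside this hunk.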
|
||||
|