41 lines
1.2 KiB
Bash
41 lines
1.2 KiB
Bash
#!/usr/bin/env bash
|
|
|
|
# 1. Resolve the absolute path of opencode from your Nix environment
|
|
OPENCODE_PATH=$(command -v opencode)
|
|
|
|
if [ -z "$OPENCODE_PATH" ]; then
|
|
echo "❌ Error: 'opencode' not found in your PATH."
|
|
exit 1
|
|
fi
|
|
|
|
echo "🛡️ Engaging Bubblewrap Sandbox..."
|
|
echo "📍 Using binary: $OPENCODE_PATH"
|
|
|
|
# 2. Run bwrap using the absolute path
|
|
bwrap \
|
|
--ro-bind /bin /bin \
|
|
--ro-bind /usr /usr \
|
|
--ro-bind /lib /lib \
|
|
--ro-bind /lib64 /lib64 \
|
|
--ro-bind /nix /nix \
|
|
--ro-bind /home/pan/.nix-profile/bin /home/pan/.nix-profile/bin \
|
|
--ro-bind /home/pan/.config/opencode /home/pan/.config/opencode \
|
|
--ro-bind /etc/resolv.conf /etc/resolv.conf \
|
|
--ro-bind /etc/hosts /etc/hosts \
|
|
--ro-bind-try /etc/ssl/certs /etc/ssl/certs \
|
|
--ro-bind-try /etc/static/ssl/certs /etc/static/ssl/certs \
|
|
--bind /home/pan/.local/share/opencode /home/pan/.local/share/opencode \
|
|
--proc /proc \
|
|
--dev-bind /dev /dev \
|
|
--tmpfs /tmp \
|
|
--unshare-all \
|
|
--share-net \
|
|
--die-with-parent \
|
|
--bind "$(pwd)" "$(pwd)" \
|
|
--chdir "$(pwd)" \
|
|
--setenv PATH "$PATH" \
|
|
--setenv HOME "$HOME" \
|
|
--setenv TASKRC "$TASKRC" \
|
|
--setenv TASKDATA "$TASKDATA" \
|
|
"$OPENCODE_PATH" "$@"
|