Initial commit.

joecorall · joecorall · commit 67f0751b6f59 · 2025-12-06T06:39:08.000-05:00
diff --git a/.bash_aliases b/.bash_aliases
@@ -0,0 +1 @@
+alias ll='ls -l'
diff --git a/.github/workflows/push.yaml b/.github/workflows/push.yaml
@@ -0,0 +1,18 @@
+name: build
+on:
+  push:
+jobs:
+  lint:
+    permissions:
+      contents: read
+    runs-on: ubuntu-24.04
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5
+      - run: shellcheck *.sh
+  push:
+    needs: [lint]
+    uses: libops/.github/.github/workflows/build-push-ghcr.yaml@main
+    permissions:
+      contents: read
+      packages: write
+    secrets: inherit
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,114 @@
+FROM node:20
+
+ARG TZ
+ENV TZ="$TZ"
+
+# install go
+WORKDIR /go
+COPY download.sh /usr/local/bin
+ARG \
+  TARGETARCH=amd64 \
+  # renovate: datasource=github-tags depName=golang packageName=golang/go versioning=go-mod-directive
+  GO_VERSION=go1.25.3 \
+  GO_BASE_URL="https://go.dev/dl/${GO_VERSION}" \
+  GO_AMD64=linux-amd64.tar.gz	\
+  GO_AMD64_SHA256="0335f314b6e7bfe08c3d0cfaa7c19db961b7b99fb20be62b0a826c992ad14e0f" \
+  GO_ARM64=linux-arm64.tar.gz \
+  GO_ARM64_SHA256="1d42ebc84999b5e2069f5e31b67d6fc5d67308adad3e178d5a2ee2c9ff2001f5"
+
+RUN --mount=type=cache,id=base-downloads-${TARGETARCH},sharing=locked,target=/opt/downloads \
+  if [ "${TARGETARCH}" = "amd64" ]; \
+  then \
+  download.sh \
+  --url "${GO_BASE_URL}.${GO_AMD64}" \
+  --sha256 "${GO_AMD64_SHA256}" \
+  --dest /usr/local ; \
+  else \
+  download.sh \
+  --url "${GO_BASE_URL}.${GO_ARM64}" \
+  --sha256 "${GO_ARM64_SHA256}" \
+  --dest /usr/local ; \
+  fi
+
+
+# Install basic development tools and iptables/ipset
+RUN apt-get update && apt-get install -y --no-install-recommends \
+  less \
+  git \
+  procps \
+  sudo \
+  fzf \
+  zsh \
+  man-db \
+  unzip \
+  gnupg2 \
+  gh \
+  iptables \
+  ipset \
+  iproute2 \
+  dnsutils \
+  aggregate \
+  jq \
+  nano \
+  vim \
+  make \
+  && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+# Ensure default node user has access to /usr/local/share
+RUN mkdir -p /usr/local/share/npm-global && \
+  chown -R node:node /usr/local/share && \
+  mkdir -p /workspace /home/node/.claude && \
+  chown -R node:node /workspace /home/node/.claude
+
+WORKDIR /workspace
+
+ARG GIT_DELTA_VERSION=0.18.2
+RUN ARCH=$(dpkg --print-architecture) && \
+  wget --progress=dot:giga "https://github.com/dandavison/delta/releases/download/${GIT_DELTA_VERSION}/git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
+  dpkg -i "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb" && \
+  rm "git-delta_${GIT_DELTA_VERSION}_${ARCH}.deb"
+
+# Set up non-root user
+USER node
+
+# Install global packages
+ENV NPM_CONFIG_PREFIX=/usr/local/share/npm-global
+ENV PATH=$PATH:/usr/local/share/npm-global/bin
+
+# Set the default shell to zsh rather than sh
+ENV SHELL=/bin/zsh
+
+# Set the default editor and visual
+ENV EDITOR=nano
+ENV VISUAL=nano
+
+# Default powerline10k theme
+ARG ZSH_IN_DOCKER_VERSION=1.2.0
+RUN sh -c "$(wget --progress=dot:giga -O- https://github.com/deluan/zsh-in-docker/releases/download/v${ZSH_IN_DOCKER_VERSION}/zsh-in-docker.sh)" -- \
+  -p git \
+  -p fzf \
+  -a "source /usr/share/doc/fzf/examples/key-bindings.zsh" \
+  -a "source /usr/share/doc/fzf/examples/completion.zsh" \
+  -a "export PROMPT_COMMAND='history -a' && export HISTFILE=/commandhistory/.bash_history" \
+  -x
+
+# Install Claude and Gemini
+RUN npm install -g @anthropic-ai/claude-code@v2.0.59
+RUN npm install -g @google/gemini-cli@v0.19.4
+
+# Copy and set up firewall script
+COPY init-firewall.sh /usr/local/bin/
+USER root
+RUN chmod +x /usr/local/bin/init-firewall.sh && \
+  echo "node ALL=(root) NOPASSWD: /usr/local/bin/init-firewall.sh" > /etc/sudoers.d/node-firewall && \
+  chmod 0440 /etc/sudoers.d/node-firewall
+USER node
+ENV \
+  NODE_OPTIONS="--max-old-space-size=4096" \
+  CLAUDE_CONFIG_DIR="/home/node/.claude" \
+  POWERLEVEL9K_DISABLE_GITSTATUS="true"
+
+COPY docker-entrypoint.sh /docker-entrypoint.sh
+COPY .bash_aliases /home/node/
+
+ENTRYPOINT [ "/docker-entrypoint.sh" ]
diff --git a/README.md b/README.md
@@ -0,0 +1,21 @@
+# cli-sandbox
+
+Run `gemini` and `claude` in a docker container
+
+## Usage
+
+```
+cd /path/to/codebase
+docker run \
+  -v $HOME/.gemini:/home/node/.gemini \
+  -v $HOME/.claude:/home/node/.claude \
+  --cap-add=NET_ADMIN --cap-add=NET_RAW \
+  -v ./:/workspace \
+  -w /workspace \
+  --rm -it ghcr.io/joecorall/cli-sandbox:main
+# chit chat
+```
+
+## Attribution
+
+`Dockerfile` and `init-firewall.sh` forked from [anthropics/claude-code](https://github.com/anthropics/claude-code/tree/main/.devcontainer). Added gemini support
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -eou pipefail
+
+sudo /usr/local/bin/init-firewall.sh \
+  || (
+        echo "Unable to set firewall" \
+        echo "Make sure you pass these flags to docker run: --cap-add=NET_ADMIN --cap-add=NET_RAW" \
+        && exit 1
+      )
+
+if [ "$#" -eq 0 ]; then
+  exec /bin/bash
+else
+  exec "$@"
+fi
diff --git a/download.sh b/download.sh
@@ -0,0 +1,167 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+ARGS=("$@")
+PROGNAME=$(basename "$0")
+readonly ARGS PROGNAME
+
+function usage {
+    cat <<-EOF
+    usage: $PROGNAME options
+
+    Downloads the file at the given url to the download cache folder.
+
+    Does not re-download the file it already exists and matches the given checksum.
+
+    Unpacks the file if the destination option is given.
+
+    Download is placed in the directory ${DOWNLOAD_CACHE_DIRECTORY}.
+
+    OPTIONS:
+       -u --url           The url of the file to download.
+       -c --sha256        The sha256 checksum to use to validate the download.
+       -d --dest          The location to unpack file into (optional).
+       -s --strip         Exclude the root folder when unpacking (optional, not supported with gzip or jar).
+       -h --help          Show this help.
+       -x --debug         Debug this script.
+
+    Examples:
+       $PROGNAME  \\
+        --url https://github.com/just-containers/s6-overlay/releases/download/v1.22.1.0/s6-overlay-amd64.tar.gz
+        --sha256 7f3aba1d803543dd1df3944d014f055112cf8dadf0a583c76dd5f46578ebe3c2 \\
+        --dest /opt/s6-overlay
+EOF
+}
+
+function cmdline {
+    local arg=
+    local args=
+    for arg; do
+        local delim=""
+        case "$arg" in
+        # Translate --gnu-long-options to -g (short options)
+        --url) args="${args}-u " ;;
+        --sha256) args="${args}-c " ;;
+        --dest) args="${args}-d " ;;
+        --strip) args="${args}-s " ;;
+        --help) args="${args}-h " ;;
+        --debug) args="${args}-x " ;;
+        # Pass through anything else
+        *)
+            [[ "${arg:0:1}" == "-" ]] || delim="\""
+            args="${args}${delim}${arg}${delim} "
+            ;;
+        esac
+    done
+
+    # Reset the positional parameters to the short options
+    eval set -- "${args}"
+
+    while getopts "u:c:d:shx" OPTION; do
+        case $OPTION in
+        u)
+            readonly URL=${OPTARG}
+            ;;
+        c)
+            readonly CHECKSUM=${OPTARG}
+            ;;
+        d)
+            readonly DEST=${OPTARG}
+            ;;
+        s)
+            readonly STRIP=true
+            ;;
+        h)
+            usage
+            exit 0
+            ;;
+        x)
+            set -x
+            ;;
+        *)
+            echo "Invalid Option: $OPTION" >&2
+            usage
+            exit 1
+            ;;
+        esac
+    done
+
+    if [[ -z $URL || -z $CHECKSUM ]]; then
+        echo "Missing one or more required options: --url --sha256"
+        exit 1
+    fi
+
+    # All remaning parameters are files to be removed from the installation.
+    shift $((OPTIND-1))
+    readonly REMOVE=("$@")
+
+    return 0
+}
+
+function validate {
+    local file=${1}
+    sha256sum "${file}" | cut -f1 -d' ' | xargs test "${CHECKSUM}" ==
+}
+
+function unpack {
+    local file="${1}"
+    local dest="${2}"
+    local args=()
+    local filename=
+    mkdir -p "${dest}"
+    if [[ -v STRIP ]]; then
+        args+=("--strip-components" "1")
+    fi
+    filename=$(basename "${file}")
+    case "${file}" in
+    *.tar.xz | *.txz)
+        tar -xf "${file}" -C "${dest}" "${args[@]}"
+        ;;
+    *.tar.gz | *.tgz)
+        tar -xzf "${file}" -C "${dest}" "${args[@]}"
+        ;;
+    *.gz | *.gzip)
+        gunzip "${file}" -f -c > "${dest}/${filename%.*}"
+        ;;
+    *.zip | *.war)
+        if [[ -v STRIP ]]; then
+            mkdir -p /tmp/unpack
+            unzip "${file}" -d /tmp/unpack
+            mv "$(find /tmp/unpack/ -type d -mindepth 1 -maxdepth 1)"/* "${dest}"
+            rm -fr /tmp/unpack
+        else
+            unzip "${file}" -d "${dest}"
+        fi
+        ;;
+    *.jar)
+        cp "${file}" "${dest}"
+        ;;
+    *)
+        echo "Unable to unpack ${file} please update script to support additional formats." >&2
+        exit 1
+        ;;
+    esac
+    # Remove extraneous files.
+    for i in "${REMOVE[@]}"; do
+        rm -fr "${dest:?}/${i}"
+    done
+}
+
+function main {
+    local file
+    cmdline "${ARGS[@]}"
+
+    DOWNLOAD_CACHE_DIRECTORY=${DOWNLOAD_CACHE_DIRECTORY:-/tmp}
+    file="${DOWNLOAD_CACHE_DIRECTORY:?}/$(basename "${URL}")"
+    # Remove the downloaded file if it exist and does not match the checksum so that it can be downloaded again.
+    if [ -f "${file}" ] && ! validate "${file}"; then
+        rm "${file}"
+    fi
+    wget -N -P "${DOWNLOAD_CACHE_DIRECTORY}" "${URL}"
+    # Return non-zero if the checksum does not match the downloaded file.
+    validate "${file}"
+    if [[ -v DEST ]]; then
+        unpack "${file}" "${DEST}"
+    fi
+}
+main
diff --git a/init-firewall.sh b/init-firewall.sh
