Podman rootless mode requires complex uid/gid mapping in LXC
containers. Docker works out of the box with nesting enabled.
Podman still supported as fallback if docker unavailable.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Minimal archiso profile (base + linux only)
- Test script runs build in container sandbox
- Verifies end-to-end ISO generation pipeline
Usage: ./scripts/test-iso-build.sh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Replace systemd-nspawn (Arch-only) with Podman/Docker containers:
- Works on any Linux host (Debian, Ubuntu, Fedora, etc.)
- Prefers Podman for rootless security, falls back to Docker
- Uses archlinux:latest image with archiso installed
- Network isolation via --network=none
- Resource limits: 8GB RAM, 4 CPUs
- Deterministic builds via SOURCE_DATE_EPOCH
This allows ISO builds from any development/production environment
rather than requiring an Arch-based build server.
LXC/Proxmox users: enable nesting on the container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add backup-postgres.sh with pg_dump custom format (-Fc)
- Verify backup integrity via pg_restore --list
- Compress backups with gzip for storage efficiency
- Delete backups older than 30 days (configurable via RETENTION_DAYS)
- Weekly restore test on Mondays to validate backup usability
- Add cron configuration for daily 2 AM backups
- Add .gitignore for pycache, env files, and backup files
- Create scripts/setup-sandbox.sh to bootstrap Arch base environment
- Add BuildSandbox class for container management and build execution
- Configure sandbox with network isolation, read-only root, 8GB/4core limits
- Add sandbox_root and iso_output_root settings to config
