- Sandbox auto-detects podman/docker and handles sudo requirement
- Podman needs sudo for mkarchiso (loop devices, chroot)
- Docker runs privileged via daemon (no sudo needed)
- Test profile updated for UEFI-only boot (modern approach)
- Build VM (debate-builder) successfully produced 432MB ISO
Architecture:
- Dev LXC: FastAPI, PostgreSQL, code
- Build VM: Podman + archiso for ISO generation
- SSH triggers builds remotely
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Podman rootless mode requires complex uid/gid mapping in LXC
containers. Docker works out of the box with nesting enabled.
Podman is still supported as a fallback if Docker is unavailable.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Minimal archiso profile (base + linux only)
- Test script runs build in container sandbox
- Verifies end-to-end ISO generation pipeline
Usage: ./scripts/test-iso-build.sh
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Changed sandbox from systemd-nspawn to Podman/Docker
- Verified: container image builds, mkarchiso available
- 5/6 truths verified (only E2E ISO build outstanding)
- Added decision: Podman/Docker for cross-platform support
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Replace systemd-nspawn (Arch-only) with Podman/Docker containers:
- Works on any Linux host (Debian, Ubuntu, Fedora, etc.)
- Prefers Podman for rootless security, falls back to Docker
- Uses archlinux:latest image with archiso installed
- Network isolation via --network=none
- Resource limits: 8GB RAM, 4 CPUs
- Deterministic builds via SOURCE_DATE_EPOCH
This allows ISO builds from any development/production environment
rather than requiring an Arch-based build server.
LXC/Proxmox users: enable nesting on the container.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

- Add backup-postgres.sh with pg_dump custom format (-Fc)
- Verify backup integrity via pg_restore --list
- Compress backups with gzip for storage efficiency
- Delete backups older than 30 days (configurable via RETENTION_DAYS)
- Weekly restore test on Mondays to validate backup usability
- Add cron configuration for daily 2 AM backups
- Add .gitignore for pycache, env files, and backup files
- Create scripts/setup-sandbox.sh to bootstrap Arch base environment
- Add BuildSandbox class for container management and build execution
- Configure sandbox with network isolation, read-only root, 8GB/4core limits
- Add sandbox_root and iso_output_root settings to config
- Add Caddyfile with self-signed TLS for local development
- Configure reverse_proxy to FastAPI on localhost:8000
- Add security headers (HSTS, X-Content-Type-Options, X-Frame-Options)
- Enable HTTP to HTTPS redirect on port 80
- Add Caddy service to docker-compose.yml with host networking
- Configure admin API on localhost:2019 for future route management
Tasks completed: 2/2
- Set up PostgreSQL with Docker and async session factory
- Configure Alembic and create Build model
SUMMARY: .planning/phases/01-core-infrastructure-security/01-02-SUMMARY.md
- Add FastAPI app with title 'Debate API' v1.0.0
- Configure pydantic-settings for environment-based configuration
- Create /health endpoint at root level
- Create /api/v1/health and /api/v1/health/ready endpoints
- Disable docs/redoc in production environment
Visual Linux distribution customization platform with 3D builder interface, starting with Omarchy/CachyOS.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>