Add code-server

container-config/nginx-home/code-server

@@ -0,0 +1,13 @@
+server {
+  server_name code.strypsteen.com;
+  listen 443 ssl;
+  listen [::]:443 ssl;
+  include snippets/headers.conf;
+  location / {
+    proxy_pass http://systemd-code-server.:8080;
+    include snippets/proxy.conf;
+    proxy_http_version 1.1;
+    proxy_set_header Connection upgrade;
+    proxy_set_header Upgrade $http_upgrade;
+  }
+}

container-config/nginx/snippets/headers.conf

@@ -1,5 +1,4 @@
-add_header X-Frame-Options DENY always;
+add_header X-Frame-Options SAMEORIGIN always;
 add_header X-Content-Type-Options nosniff always;
 add_header Referrer-Policy no-referrer always;
-add_header Permissions-Policy accelerometer=(),ambient-light-sensor=(),autoplay=(),battery=(),camera=(),cross-origin-isolated=(),display-capture=(),document-domain=(),encrypted-media=(),execution-while-not-rendered=(),execution-while-out-of-viewport=(),fullscreen=(),geolocation=(),gyroscope=(),keyboard-map=(),magnetometer=(),microphone=(),midi=(),navigation-override=(),payment=(),picture-in-picture=(),publickey-credentials-get=(),screen-wake-lock=(),sync-xhr=(),usb=(),web-share=(),xr-spatial-tracking=() always;
 add_header Strict-Transport-Security $hsts always;

container-config/nginx/snippets/proxy.conf

@@ -5,5 +5,4 @@ proxy_set_header Host $host;
 proxy_hide_header X-Frame-Options;
 proxy_hide_header X-Content-Type-Options;
 proxy_hide_header Referrer-Policy;
-proxy_hide_header Permissions-Policy;
 proxy_hide_header Strict-Transport-Security;

home/etc/containers/systemd/code-server.container

@@ -0,0 +1,14 @@
+[Service]
+ExecStartPost=podman exec -du0 systemd-code-server sh -c "apt-get update && apt-get install -y bash-completion gcc make vim"
+[Container]
+Image=docker.io/codercom/code-server
+UserNS=auto:size=65536
+ReadOnly=false
+Network=nginx.network
+Exec=--disable-telemetry
+Volume=code-server.volume:/home/coder:U,Z
+Volume=/etc/gitconfig:/etc/gitconfig:z,ro
+Secret=CODE_SERVER_PASSWORD,type=env,target=PASSWORD
+AutoUpdate=registry
+[Install]
+WantedBy=multi-user.target

home/etc/containers/systemd/nginx.container

@@ -1,6 +1,6 @@
 [Unit]
-Requires=forgejo.service synapse.service vaultwarden.service
-After=forgejo.service synapse.service vaultwarden.service
+Requires=code-server.service forgejo.service synapse.service vaultwarden.service
+After=code-server.service forgejo.service synapse.service vaultwarden.service
 [Container]
 Image=cgr.dev/chainguard/nginx
 UserNS=auto

setup-laptop.sh

@@ -6,4 +6,4 @@ systemctl enable --now sshd
 systemctl mask --global grub-boot-success.timer
 flatpak remote-add --if-not-exists flathub /usr/lib/fedora-third-party/conf.d/fedora-flathub.flatpakrepo
 flatpak remote-modify --subset=floss flathub
-flatpak install com.github.micahflee.torbrowser-launcher com.github.tchx84.Flatseal com.vscodium.codium com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.gimp.GIMP org.gnome.Boxes org.gnome.Calculator org.gnome.Evince org.gnome.Evolution org.gnome.FileRoller org.gnome.Snapshot org.gnome.TextEditor org.libreoffice.LibreOffice org.mozilla.firefox
+flatpak install com.brave.Browser com.github.micahflee.torbrowser-launcher com.github.tchx84.Flatseal com.vscodium.codium com.yubico.yubioath im.riot.Riot io.mpv.Mpv org.gimp.GIMP org.gnome.Boxes org.gnome.Calculator org.gnome.Evince org.gnome.Evolution org.gnome.FileRoller org.gnome.Snapshot org.gnome.TextEditor org.libreoffice.LibreOffice org.mozilla.firefox