devcontainer/.devcontainer/paranoid/devcontainer.json at 0b1c425f225c4e297434b410d362b8d30f84edd6 · theredguild/devcontainer · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
{
  // For format details, see https://aka.ms/devcontainer.json.
  // This is the hardened version of TRG's DevContainer - provides maximum security hardening
  // with a read-only filesystem and network hardening for high-security Web3 development.
  "name": "(EXPERIMENTAL) Paranoid TRG's DevContainer",

  // Build configuration - uses the local Dockerfile in this directory
  "build": {
    "dockerfile": "Dockerfile"
  },

  // Use vscode user for security (non-root execution)
  "remoteUser": "vscode",

  // Features to add to the dev container. More info: https://containers.dev/features.
  // Git and GitHub CLI features for version control and GitHub integration
  "features": {
    "ghcr.io/devcontainers/features/git:1": {},
    "ghcr.io/devcontainers/features/github-cli:1": {}
  },

  // Container environment variables
  "containerEnv": {
    "SHELL": "/bin/zsh",  // Use zsh as the default shell
    "DEVCONTAINER_ID_LABEL": "paranoid-web3-devcontainer"  // Label for container identification
  },

  // Configure tool-specific properties for VS Code
  "customizations": {
    "vscode": {
      // Web3 security and development extensions
      // check out https://marketplace.visualstudio.com/items?itemName=tintinweb.ethereum-security-bundle for more information

      // VS Code settings for security and functionality
      "settings": {
          // Security settings - killswitch for automated tasks
          "task.autoDetect": "off",                    // Disable automatic task detection
          "task.problemMatchers.autoDetect": "off",    // Disable automatic problem matchers

          // Trust and security configuration
          "security.workspace.trust.enabled": false,   // Trust no one by default

          // Privacy settings - killswitch for telemetry
          "telemetry.telemetryLevel": "off",           // Disable all telemetry collection

          // Terminal configuration
          "terminal.integrated.defaultProfile.linux": "zsh",  // Use zsh by default
          "terminal.integrated.profiles.linux": { "zsh": { "path": "/usr/bin/zsh" } }
          // Using bash might be more safe and stable, but zsh provides better features
        }
    }
  },

  // Commands to run during container lifecycle
  "initializeCommand": "echo 'Initializing hardened dev container...'",
  "postStartCommand": "echo '🚀 Dev container is ready for Web3 development!'",

  // Workspace configuration - hardened within container
  "workspaceFolder": "/workspace",
  // Mount workspace as tmpfs for complete hardening - no host file access.
  // This ensures that the workspace is ephemeral and does not persist data.
  "workspaceMount": "type=tmpfs,destination=/workspace,tmpfs-mode=1777",

  // Docker run arguments for security and hardening
  "runArgs": [
      // Security hardening - drop all Linux capabilities to reduce attack surface
      "--cap-drop=ALL",

      // Read-only filesystem for maximum security, preventing any persistent changes
      "--read-only",

      // Security options for container hardening
      "--security-opt",
      "no-new-privileges:true",      // Prevent privilege escalation from within the container
      "--security-opt",
      "apparmor=docker-default",     // Apply Docker's default AppArmor profile for enhanced security

      // --- Writable, EXECUTABLE Mounts for VS Code Server ---
      "--tmpfs", "/home/vscode/.vscode-server:rw,exec,nosuid,size=512m,uid=1000,gid=1000",
      "--tmpfs", "/home/vscode/.vscode-server-insiders:rw,exec,nosuid,size=256m,uid=1000,gid=1000",

      // --- Writable, NON-EXECUTABLE Mounts for Caches, Configs, and Logs ---
      "--tmpfs", "/home/vscode/.cache:rw,noexec,nosuid,size=256m,uid=1000,gid=1000",
      "--tmpfs", "/home/vscode/.config:rw,noexec,nosuid,size=128m,uid=1000,gid=1000",
      "--tmpfs", "/home/vscode/.local:rw,noexec,nosuid,size=256m,uid=1000,gid=1000",
      "--tmpfs", "/home/vscode/.gnupg:rw,noexec,nosuid,size=32m,uid=1000,gid=1000",
      "--tmpfs", "/tmp:rw,noexec,nosuid,size=512m",
      "--tmpfs", "/var/tmp:rw,noexec,nosuid,size=512m",
      "--tmpfs", "/var/log:rw,noexec,nosuid,size=128m",
      "--tmpfs", "/run:rw,noexec,nosuid,size=128m",
      "--tmpfs", "/home/vscode/.devcontainer:rw,noexec,nosuid,size=32m,uid=1000,gid=1000"
  ]
}