ybox 0.9.8__py3-none-any.whl

ybox/conf/distros/deb-generic/pkgdeps.py

@@ -0,0 +1,208 @@
+"""
+Show the optional dependencies for a package that may be in deb package repositories.
+The output is in the format:
+
+{header}
+{prefix}<name>{separator}<level>{separator}<order>{separator}<installed>{separator}<description>
+
+where:
+ * <name>: name of the optional dependency
+ * <level>: level of the dependency i.e. 1 for direct dependency, 2 for dependency of dependency
+            and so on; resolution of level > 2 is not required since caller currently ignores those
+ * <order>: this is a simple counter assigned to the dependencies where the value itself is of no
+            significance but if multiple dependencies have the same value then it means that they
+            are ORed dependencies and only one of them should normlly be selected for installation
+ * <installed>: true if the dependency already installed and false otherwise
+ * <description>: detailed description of the dependency; it can contain literal \n to indicate
+                  newlines in the description
+"""
+
+import os
+import re
+import sys
+from enum import Enum
+from typing import Callable, Iterable, Optional, Union
+
+from ybox.cmd import parse_opt_deps_args, run_command
+from ybox.print import print_error, print_notice
+
+# regex pattern for package name in Recommends or Suggests fields
+PKG_DEP_RE = re.compile(r"([,|]?)\s*([^\s,|(]+)\s*(\([^)]*\))?\s*")
+
+PackageAlternate = tuple[str, str, Optional[list[str]]]
+
+
+def main() -> None:
+    """main entrypoint for `pkgdeps.py` script"""
+    main_argv(sys.argv[1:])
+
+
+def main_argv(argv: list[str]) -> None:
+    """
+    Main entrypoint of `pkgdeps.py` that takes a list of arguments which are usually the
+    command-line arguments of the `main()` function.
+
+    :param argv: arguments to the function (main function passes `sys.argv[1:]`)
+    """
+    args = parse_opt_deps_args(argv)
+    if args.level > 2:
+        print_error(f"pkgdeps.py does not support level > 2 (given = {args.level})")
+        sys.exit(1)
+
+    print_notice(f"Searching dependencies of '{args.package}' in deb repositories")
+    sep: str = args.separator
+    if opt_deps := find_opt_deps(args.package, args.level):
+        if args.header:
+            print(args.header)
+        prefix = args.prefix
+        for pkg, (desc, level, order, installed) in opt_deps.items():
+            # columns below are expected by ybox-pkg
+            print(f"{prefix}{pkg}{sep}{level}{sep}{order}{sep}{installed}{sep}{desc}")
+
+
+class PkgDetail(Enum):
+    """Enumerates the package fields used by `pkgdeps`"""
+    PACKAGE = 1
+    DESCRIPTION = 2
+    PROVIDE = 3
+    REQUIRED_DEP = 4
+    OPTIONAL_DEP = 5
+
+
+def process_next_item(line: str, parse_line: Callable[[str], tuple[PkgDetail, str]],
+                      parse_dep: Callable[[str], Iterable[tuple[str, str, Optional[str]]]],
+                      installed: Callable[[str], bool], max_level: int,
+                      pkg_details: dict[str, list[PackageAlternate]], level: int = 1) -> None:
+    """
+    Process the next item in the package details.
+    """
+    # pylint: disable=unused-argument
+    print("TODO: SW: refactor so that it can be used by pkgdeps of deb-generic as well as arch")
+    sys.exit(1)
+
+
+def find_opt_deps(package: str, max_level: int) -> dict[str, tuple[str, int, int, bool]]:
+    """
+    Find the optional dependencies of a package till the given `level`. Here `Recommends` packages
+    are treated as level 1 while `Suggests` are treated as level 2. Higher levels than 2 will fail.
+
+    The result is returned as a dictionary having package name as the key with a tuple having its
+    description, the level it was found, its `order` and a boolean indicating whether the package
+    is already installed or not.
+
+    :param package: name of the package whose optional dependencies have to be searched
+    :param max_level: the maximum level to which the search will extend
+    :return: a dictionary which will be populated with the result having dependency name
+             as the key with a tuple of description, level, order and whether package is installed
+    """
+    # Fetching optional dependencies consists of two steps:
+    #  1. find the recomends and suggests fields of the package
+    #  2. determine whether those packages are installed or not and obtain their descriptions
+    # It also needs to take care of "|" dependencies where either of the two can be present,
+    # so the `order` needs to be set appropriately.
+
+    # The map below stores all the available package names to their description.
+    # This deliberately uses only the first line of the description for a multi-line description
+    # since it is used for display of the optional dependencies menu where single line is enough.
+    all_packages: dict[str, str] = {}
+    # the map below stores all the virtual packages to the list of the packages that provide them,
+    # including the actual package itself which always provides itself
+    provides_map: dict[str, Union[str, list[str]]] = {}
+
+    def insert_or_update_provides(provide: str, pkg: str) -> None:
+        """insert a single value in provides map if not present, else change to list and append"""
+        if provides := provides_map.get(provide):
+            if isinstance(provides, list):
+                provides.append(pkg)
+            else:
+                provides_map[provide] = [provides, pkg]
+        else:
+            provides_map[provide] = pkg
+
+    # map of `Recommends` and `Suggests` dependencies to their level and order
+    opt_dep_map: dict[str, tuple[int, int]] = {}
+    # dump all available packages, build a map of package name and its description, then pick the
+    # package and its dependencies; the total map size with just those fields will be a few MB
+    # while using `grep-aptavail` multiple times will be inefficient
+    check_optional = False
+    current_pkg = ""
+    # this counter is for assigning a counter to the dependencies which has a significance only
+    # for ORed dependencies which will have the same order (and thus indicate to the higher level
+    #   that only one of them should be installed)
+    order = 0
+    for line in str(run_command(["/usr/bin/apt-cache", "dumpavail"],
+                                capture_output=True)).splitlines():
+        if line.startswith("Package:"):
+            if (current_pkg := line[len("Package:"):].strip()) == package:
+                check_optional = True
+            else:
+                check_optional = False
+                insert_or_update_provides(current_pkg, current_pkg)
+        elif check_optional:
+            # Note: version comparisons are not required here since all we need is the description
+            # of the package. This assumes that the best package available for installation in the
+            # repositories satisfies the version mentioned in the Recommends/Suggests dependencies,
+            # but that may not be true in some rare cases in which case the installation of the
+            # optional dependency will fail after user selects it.
+            if line.startswith("Recommends:"):
+                for match in PKG_DEP_RE.finditer(line, len("Recommends:")):
+                    if match.group(1) != "|":  # ORed dependencies have the same `order`
+                        order += 1
+                    opt_dep_map[match.group(2)] = (1, order)
+            elif max_level > 1 and line.startswith("Suggests:"):
+                for match in PKG_DEP_RE.finditer(line, len("Suggests:")):
+                    if match.group(1) != "|":  # ORed dependencies have the same `order`
+                        order += 1
+                    opt_dep_map[match.group(2)] = (2, order)
+        else:
+            if line.startswith("Provides:"):
+                for match in PKG_DEP_RE.finditer(line, len("Provides:")):
+                    insert_or_update_provides(match.group(2), current_pkg)
+            elif line.startswith("Description:"):
+                all_packages[current_pkg] = line[len("Description:"):].strip()
+
+    if not opt_dep_map:
+        return {}
+    # get the system architecture to quickly check for existence of an installed package
+    sys_arch = str(run_command(["/usr/bin/dpkg", "--print-architecture"],
+                               capture_output=True)).strip()
+    # list of required optional dependencies as a tuple (name, (description, level, order,
+    #   installed)); note that `Recommends` are level 1 while `Suggests` are level 2 and recursion
+    # for levels is skipped
+    opt_deps: list[tuple[str, tuple[str, int, int, bool]]] = []
+    # loop through the `opt_deps_map` and look them up in the `provides` map to get the actual
+    # packages which will be inserted in `opt_deps` with their level and order while description
+    # will be looked up from `all_packages` map
+    last_installed_order = 0
+    for dep, (level, order) in opt_dep_map.items():
+        if provides := provides_map.get(dep):
+            if isinstance(provides, str):
+                provides = (provides,)
+            for provide in provides:
+                if provide == package:  # for the possible case of self-recommend/suggest
+                    continue
+                # for each `provide` check if its installed
+                installed = os.path.exists(f"/var/lib/dpkg/info/{provide}.list") or os.path.exists(
+                    f"/var/lib/dpkg/info/{provide}:{sys_arch}.list")
+                # if there is an installed package, then remove the uninstalled packages in the
+                # same order since one of them is already installed (installed ones are required
+                #   for registeration as existing dependency by ybox-pkg, so they are still kept)
+                if installed:
+                    last_installed_order = order
+                    # pop uninstalled ones in the same `order` which will be at the end since
+                    # opt_dep_map iterator will be insertion order which is sorted by `order`;
+                    # previous installed one in same `order` would have removed all uninstalled
+                    # ones in that order that were before it, so don't need to check before it
+                    while opt_deps and opt_deps[-1][1][2] == order and not opt_deps[-1][1][3]:
+                        opt_deps.pop()
+                elif order == last_installed_order:
+                    continue
+                opt_deps.append((provide, (all_packages[provide], level, order, installed)))
+
+    # sort opt_deps by level and order and return
+    opt_deps.sort(key=lambda x: (x[1][1], x[1][2]))
+    return dict(opt_deps)
+
+
+if __name__ == "__main__":
+    main()

ybox/conf/distros/deb-oldstable/distro.ini

@@ -0,0 +1,21 @@
+# Configuration specific to each distribution (INI style file)
+
+# Base configuration for the distribution
+[base]
+# name is required
+name = Debian oldstable - Bullseye
+# Comma separated files to include before applying these settings.
+# Paths can be absolute or relative to the location of this file.
+includes = ../deb-generic/distro.ini
+# docker image of the distribution
+image = docker.io/library/debian:bullseye
+# whether to search for and configure fastest available mirrors for packages
+# (debian uses the builtin mirror by default since those determined dynamically can be
+#   flaky and instead uses apt-fast to configure parallel downloads)
+configure_fastest_mirrors = false
+# distribution scripts that need to be copied to the container in $YBOX_TARGET_SCRIPTS_DIR
+# (should include init.sh, init-base.sh and init-user.sh scripts that are are normally required
+# for all distributions)
+scripts = ../deb-generic/init-base.sh,../deb-generic/init.sh,../deb-generic/init-user.sh,
+          ../deb-generic/check-package.sh,
+          ../deb-generic/list_fmt_long.py,../deb-generic/fetch-gpg-key-id.sh

ybox/conf/distros/deb-stable/distro.ini

@@ -0,0 +1,21 @@
+# Configuration specific to each distribution (INI style file)
+
+# Base configuration for the distribution
+[base]
+# name is required
+name = Debian stable - Bookworm
+# Comma separated files to include before applying these settings.
+# Paths can be absolute or relative to the location of this file.
+includes = ../deb-generic/distro.ini
+# docker image of the distribution
+image = docker.io/library/debian:bookworm
+# whether to search for and configure fastest available mirrors for packages
+# (debian uses the builtin mirror by default since those determined dynamically can be
+#   flaky and instead uses apt-fast to configure parallel downloads)
+configure_fastest_mirrors = false
+# distribution scripts that need to be copied to the container in $YBOX_TARGET_SCRIPTS_DIR
+# (should include init.sh, init-base.sh and init-user.sh scripts that are are normally required
+# for all distributions)
+scripts = ../deb-generic/init-base.sh,../deb-generic/init.sh,../deb-generic/init-user.sh,
+          ../deb-generic/check-package.sh,
+          ../deb-generic/list_fmt_long.py,../deb-generic/fetch-gpg-key-id.sh

ybox/conf/distros/supported.list

@@ -0,0 +1,5 @@
+arch
+ubuntu2404
+ubuntu2204
+deb-stable
+deb-oldstable

ybox/conf/distros/ubuntu2204/distro.ini

@@ -0,0 +1,21 @@
+# Configuration specific to each distribution (INI style file)
+
+# Base configuration for the distribution
+[base]
+# name is required
+name = Ubuntu 22.04 LTS Jammy Jellyfish
+# Comma separated files to include before applying these settings.
+# Paths can be absolute or relative to the location of this file.
+includes = ../deb-generic/distro.ini
+# docker image of the distribution
+image = docker.io/library/ubuntu:jammy
+# whether to search for and configure fastest available mirrors for packages
+# (ubuntu uses the builtin mirror by default since those determined dynamically can be
+#   flaky and instead uses apt-fast to configure parallel downloads)
+configure_fastest_mirrors = false
+# distribution scripts that need to be copied to the container in $YBOX_TARGET_SCRIPTS_DIR
+# (should include init.sh, init-base.sh and init-user.sh scripts that are are normally required
+# for all distributions)
+scripts = ../deb-generic/init-base.sh,../deb-generic/init.sh,../deb-generic/init-user.sh,
+          ../deb-generic/check-package.sh,
+          ../deb-generic/list_fmt_long.py,../deb-generic/fetch-gpg-key-id.sh

ybox/conf/distros/ubuntu2404/distro.ini

@@ -0,0 +1,21 @@
+# Configuration specific to each distribution (INI style file)
+
+# Base configuration for the distribution
+[base]
+# name is required
+name = Ubuntu 24.04 LTS Noble Numbat
+# Comma separated files to include before applying these settings.
+# Paths can be absolute or relative to the location of this file.
+includes = ../deb-generic/distro.ini
+# docker image of the distribution
+image = docker.io/library/ubuntu:noble
+# whether to search for and configure fastest available mirrors for packages
+# (ubuntu uses the builtin mirror by default since those determined dynamically can be
+#   flaky and instead uses apt-fast to configure parallel downloads)
+configure_fastest_mirrors = false
+# distribution scripts that need to be copied to the container in $YBOX_TARGET_SCRIPTS_DIR
+# (should include init.sh, init-base.sh and init-user.sh scripts that are are normally required
+# for all distributions)
+scripts = ../deb-generic/init-base.sh,../deb-generic/init.sh,../deb-generic/init-user.sh,
+          ../deb-generic/check-package.sh,
+          ../deb-generic/list_fmt_long.py,../deb-generic/fetch-gpg-key-id.sh

ybox/conf/profiles/apps.ini

@@ -0,0 +1,26 @@
+[base]
+name = Profile for CLI and GUI apps
+includes = basic.ini
+
+[security]
+# SYS_PTRACE may be required by mesa which is invoked indirectly by both firefox and chromium.
+# Without this, the following warning is seen:
+#     WARNING: Kernel has no file descriptor comparison support: Operation not permitted
+caps_add = SYS_PTRACE
+
+[mounts]
+music = $HOME/Music:$TARGET_HOME/Music:ro
+pictures = $HOME/Pictures:$TARGET_HOME/Pictures:ro
+videos = $HOME/Videos:$TARGET_HOME/Videos:ro
+
+[apps]
+# some packages for Arch Linux - uncomment and update for your distribution as required
+#browsers = firefox,chromium
+
+[app_flags]
+# These flags will be added to Exec line of google-chrome.desktop when it is copied to host.
+# /dev/shm usage is disabled for chrome because that requires ipc=host or mounting host
+# /dev/shm in read-write mode which can be insecure.
+google-chrome = !p --disable-dev-shm-usage !a
+google-chrome-beta = !p --disable-dev-shm-usage !a
+google-chrome-unstable = !p --disable-dev-shm-usage !a

ybox/conf/profiles/basic.ini

@@ -0,0 +1,310 @@
+# Configuration file for podman/docker containers used by ybox scripts.
+# This is the common file included by all other configurations.
+#
+# Value format is as supported by python ConfigParser
+# (e.g. https://docs.python.org/3/library/configparser.html for Python3 docs).
+# Specifically boolean values are extracted using getboolean() method which supports
+# many different values like on/off, true/false etc.
+# Key-value separator can only be '=' while ':' is not supported. Default basic value
+# interpolation implemented by the python module has been extended to also support environment
+# variables as described next.
+#
+# The values can contain environment variables using the notation supported by
+# python expandvars (https://docs.python.org/3/library/os.path.html#os.path.expandvars).
+# A few special environment variables are also available:
+#   - YBOX_DISTRIBUTION_NAME: name of the Linux distribution (as provided to 'ybox-create')
+#   - YBOX_CONTAINER_NAME: name of the current container (as provided/set by 'ybox-create')
+#   - YBOX_CONTAINER_DIR: set to $HOME/.local/share/ybox/$YBOX_CONTAINER_NAME for convenience
+#   - YBOX_TARGET_SCRIPTS_DIR: local directory in the container where various ybox scripts
+#                              are mounted (e.g. entrypoint scripts)
+#   - YBOX_SYS_CONF_DIR: path to system configuration directory where configuration directory
+#                        shipped with ybox is installed (or the string form of
+#                          the directory if it is not on filesystem like an egg or similar)
+#   - TARGET_HOME: set to the home directory of the container user
+# Additionally a special notation can be used for current date+time with this notation:
+#   ${NOW:<fmt>}. The <fmt> uses the format supported by python strftime
+# (https://docs.python.org/3/library/datetime.html#datetime.datetime.strftime)
+# while the NOW is the result of datetime.now() call.
+#
+# Expansion of other keys in the same section or the special 'DEFAULT' section is also provided
+# using the notation supported by python's configparser BasicInterpolation, see:
+# https://docs.python.org/3/library/configparser.html#configparser.BasicInterpolation
+# In a nutshell you need '%(<var>)s' notation to expand <var> key and bare '%' should be '%%'.
+# However, the '%' inside the ${NOW:<fmt>} format should not be escaped because all environment
+# variables as well as ${NOW:...} are expanded before the variable references.
+#
+# NOTE: Take care to have different path settings point to distinct directory/path
+# locations e.g. base.shared_root, base.home and base.log_opts.path (podman) should point to
+# different directories else you can lose one or the other since the code currently does not
+# check for such overlaps and will happily mount the directory as the container home while
+# logs are also being written there which can result in an unpredictable behavior.
+# Likewise the configuration files in [configs] section are temporarily copied/linked in
+# $YBOX_CONTAINER_DIR/configs which is not configurable and should not be used and there
+# is a temporary mount directory having utility scripts in $YBOX_CONTAINER_DIR/ybox-scripts
+
+
+# Basic container settings that are documented individually below.
+[base]
+# A short description of this profile.
+name = Basic profile for CLI and most GUI apps
+# Comma separated files to include before applying these settings.
+# Paths can be absolute or relative to the location of this file.
+includes =
+# Whether the system directories are shared between all containers of the same distribution
+# is determined by this variable. The common system directories are bind mounted to a common
+# host directory specified by this `shared_root` variable.
+#
+# It includes all directories (defined in distro.ini) that hold system package data which
+# also means that the packages installed on one container are visible on all the containers
+# of the same distribution. So those packages can be launched from any of the containers
+# but they will be subject to that container configuration. The wrapper launcher scripts
+# created by `ybox-pkg install` will ensure that packages are launched only from the containers
+# where they were installed so that should be the preferred way to launch apps (except for
+#   packages common to multiple containers which can be launched from any of those).
+#
+# Default is enabled so as to save space, page cache space etc, and allow users
+# to freely create as many containers as desired to achieve best isolation without worrying
+# about dramatic increase in disk and/or memory usage.
+shared_root = $HOME/.local/share/ybox/SHARED_ROOTS/$YBOX_DISTRIBUTION_NAME
+# Bind mount the container $HOME to this local path (aka $TARGET_HOME). This makes it
+# easier for backup software and otherwise to read useful container data.
+# If not provided then you should explicitly mount required directories in the [mounts]
+# section otherwise home will remain completely ephemeral which is not recommended.
+home = $YBOX_CONTAINER_DIR/home
+# Whether the configuration files (specified in [configs] section) should be hard linked
+#    to a temporary directory that is made available to the container, or copied over.
+# Hardlinks will not work if you have mounted the temporary directory inside
+# ~/.local/share/ybox on a separate volume other than home itself.
+# Directories are hard linked recursively and symlinks in the source are followed to their
+# destination which must again exist on the same filesystem.
+#
+# In case of hardlinks, any changes made on host will be immediately visible otherwise
+# with this as false, you need to re-create the container to let it see any changes.
+# You can also use this for only first time reference and then make a separate copy
+# inside the container which will break any direct sharing between the host and container.
+#
+# An empty value will cause [configs] section to be completely skipped.
+config_hardlinks = true
+# If enabled, then locale in the container will be configured as per the LANG and LANGUAGE
+# environment variables from the host environment.
+config_locale = true
+# If enabled then X server from the user session is available to the container.
+x11 = on
+# If enabled then Wayland server from the user session is available to the container.
+wayland = on
+# If enabled then pulseaudio/pipewire from the user session is available to the container.
+# This will enable either of pulse/pipewire (or both) whichever is available on the host.
+pulseaudio = on
+# If enabled then dbus from the user session is available to the container.
+dbus = on
+# If enabled then the system dbus from the host is available to the container.
+dbus_sys = off
+# If enabled then Direct Rendering Infrastructure for accelerated graphics is available to
+# the container.
+dri = on
+# If enabled then NVIDIA GPUs will be accessible in the container by making available NVIDIA
+# devices, libraries and binaries from the host system to the container. The search for
+# NVIDIA on the host should work on most modern Linux distributions, but if does not then
+# install NVIDIA container toolkit and use the "nvidia_ctk" option below.
+#
+# This option should be preferred over "nvidia_ctk" option because it can handle NVIDIA
+# driver updates transparently without reconfiguration and does not need additional installation.
+nvidia = off
+# If enabled then NVIDIA GPUs will be available to the container. You need to install
+# NVIDIA container toolkit for this to work. Refer to Arch wiki for details which usually
+# works well on most Linux distros (https://wiki.archlinux.org/title/docker or
+#    https://wiki.archlinux.org/title/podman), and the official NVIDIA docs:
+#  https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html
+# For example on ubuntu with podman, configure the apt repository from the previous link
+# and install the package as noted there, then run
+# `sudo nvidia-ctk cdi generate --output=/etc/cdi/nvidia.yaml`.
+# This will need to be repeated if nvidia driver version is upgraded.
+#
+# This will take precedence if both "nvidia" and "nvidia_ctk" are enabled.
+nvidia_ctk = off
+# default podman/docker shm-size is 64m which can be insufficient for many apps
+shm_size = 1g
+# Limit the maximum number of processes in the container (to avoid stuff like fork bombs).
+pids_limit = 2048
+# Logging driver to use. Default for podman/docker is to use journald in modern Linux
+# distributions which pollutes the journald logs.
+# Note that on podman, json-file is an alias for k8s-file which produces plaintext format.
+log_driver = json-file
+# Comma separated options for the logger.
+# Example of path with timestamped file for podman
+#log_opts = path=$YBOX_CONTAINER_DIR/logs/${NOW:%Y-%m-%d_%H.%M.%S}.log,max-size=10m,max-file=3
+# Example for docker that does not support `path`
+log_opts = max-size=10m,max-file=3
+
+
+# The security-opt and other security options passed to podman/docker.
+# You should restrict these as required.
+# If these have to be relaxed for some apps, then it is highly recommended to put
+# those in their own separate containers having minimal or no access to original home
+# directories to isolate them as much as possible. Do read up on security implications
+# before relaxing these.
+# See docs like https://docs.docker.com/engine/security/seccomp,
+# https://docs.docker.com/engine/security/apparmor,
+# https://docs.podman.io/en/latest/markdown/podman-run.1.html etc
+# The following keys are available -- not all of these may be supported by the available
+#     podman/docker installation but are passed as is, so they can throw an error:
+#   label: corresponding to --security-opt=label=...
+#   apparmor: --security-opt=apparmor=...
+#   seccomp: --security-opt=seccomp=...
+#   mask: --security-opt=mask=...
+#   unmask: --security-opt=unmask=...
+#   no_new_privileges: boolean to enable --security-opt=no-new-privileges
+#   proc_opts: --security-opt=proc-opts=...
+#   seccomp_policy: --seccomp-policy=...
+#   caps_add: comma separated multiple --cap-add=... options
+#   caps_drop: comma separated multiple --cap-drop=... options
+#   ulimits: comma separated multiple --ulimit=... options
+#   ipc: --ipc=...
+#   cgroup_parent: --cgroup-parent=...
+#   cgroup_confs: comma separated multiple --cgroup-conf=... options
+#   cgroupns: --cgroupns=...
+#   cgroups: --cgroups=...
+#   device_cgroup_rules: comma separated multiple --device-cgroup-rule=... options
+#   secrets: comma separated multiple --secret=... options
+[security]
+# The options are sent as is to podman/docker e.g. "label=type:container_runtime_t"
+# (the default "container_runtime_t" label bypasses some selinux restrictions)
+label = type:container_runtime_t
+# arch pacman may need this but seems to be working fine without it even with the warnings
+#caps_add = SYS_CHROOT
+# --ulimit=host is only available for podman which copies host ulimits by default
+# ulimits = host
+# default is private IPC
+# WARNING: setting this to 'host' can open a major security attack vector
+ipc = private
+
+
+# These are podman/docker volumes that can use either the format of --mount or -v options
+# (the scripts make a quick guess by searching for = or ,).
+# These will typically include some directories from your home like Downloads.
+[mounts]
+# Share terminfo definitions which may be missing for some terminals in the container.
+terminfo = /usr/share/terminfo:/var/lib/terminfo:ro
+# Downloads is configured to share data with original session easily so it should not
+# contain "unsharable" stuff.
+downloads = $HOME/Downloads:$TARGET_HOME/Downloads
+# Documents is shared in read-only mode
+documents = $HOME/Documents:$TARGET_HOME/Documents:ro
+# might be required for some apps if NVIDIA is enabled
+# video_dev = /dev/video0:/dev/video0
+
+
+# These can be used to specify the configuration files from the host session
+# that you want to share with the container. The files from the host session
+# will either be copied or hard linked (depending on the "config_hardlinks" option in [base]
+#   section) to a directory that is mounted read-only.
+#
+# The value has two parts separated by "->" with the LHS of this being the source that
+# is to be copied while the RHS is the required relative path in the target directory.
+# On the target container the same is used to symlink from the target on RHS to source on LHS.
+# Source is skipped if it does not exist or not readable with a message on standard output.
+#
+# Typically this will contain shell, vim and other common configuration files.
+# These can be either files or directories and are skipped if they do not exist.
+# The keys here have no special significance other than the fact that they should be
+# unique and can be used to override in later files that include this one.
+#
+# Note: The files are symlinks in the container user area and are mounted on a read-only
+# mount by default, so if you need to change a file within a container then you will
+# need to first remove the symlink and make a copy of the file. This will remove the
+# direct sharing between the two which has to be done manually thereon if required.
+# The sharing behavior also depends on "config_hardlinks" as described in its comment above
+# in the [base] section.
+#
+# Note: The HOME environment variable here will be evaluated both in the host
+# session (for the source to be transferred) and inside the container session
+# (for the target). Do not use TARGET_HOME here which can be incorrect for the host session.
+[configs]
+bashrc = $HOME/.bashrc -> .bashrc
+starship = $HOME/.config/starship.toml -> .config/starship.toml
+fishrc = $HOME/.config/fish -> .config/fish
+omf = $HOME/.config/omf -> .config/omf
+omf_data = $HOME/.local/share/omf -> .local/share/omf
+zshrc = $HOME/.zshrc -> .zshrc
+zsh_p10 = $HOME/.p10k.zsh -> .p10k.zsh
+dir_colors = $HOME/.dir_colors -> .dir_colors
+vimrc = $HOME/.vimrc -> .vimrc
+nvimrc = $HOME/.config/nvim -> .config/nvim
+themes = $HOME/.themes -> .themes
+cursors = $HOME/.icons -> .icons
+icons = $HOME/.local/share/icons -> .local/share/icons
+pipconf = $HOME/.config/pip/pip.conf -> .config/pip/pip.conf
+gitconf = $HOME/.gitconfig -> .gitconfig
+gtk2rc = $HOME/.gtkrc-2.0 -> .gtkrc-2.0
+gtk3rc = $HOME/.config/gtk-3.0 -> .config/gtk-3.0
+gtk4rc = $HOME/.config/gtk-4.0 -> .config/gtk-4.0
+qt5conf = $HOME/.config/Trolltech.conf -> .config/Trolltech.conf
+qt5ctconf = $HOME/.config/qt5ct/qt5ct.conf -> .config/qt5ct/qt5ct.conf
+ariaconf = $HOME/.config/aria2/aria2.conf -> .config/aria2/aria2.conf
+speechconf = $HOME/.config/speech-dispatcher -> .config/speech-dispatcher
+
+
+# Environment variables set for the container using invoking podman/docker environment.
+# Environment variables in values can be specified like usual which are expanded by
+# python expandvars as usual.
+#
+# X, pulse and other such environment variables are set automatically by the settings
+# in the [base] section but one can override/add to them explicitly here if required.
+#
+# Keys without values can be specified which are sent as such to the "-e" option
+# which means they will be set and passed if set in the invoking podman/docker environment.
+#
+# Special note on LD_LIBRARY_PATH: the "nvidia=on" directive in the [base] section sets up
+# LD_LIBRARY_PATH to point to internally created NVIDIA library directories shared from
+# the host environment. So explicitly setting LD_LIBRARY_PATH below will break NVIDIA
+# unless one also figures out and adds the internally added paths to LD_LIBRARY_PATH.
+[env]
+TERM
+TERMINFO_DIRS = /usr/share/terminfo:/var/lib/terminfo
+XDG_CURRENT_DESKTOP
+XDG_SESSION_DESKTOP
+XDG_SESSION_TYPE
+DESKTOP_SESSION
+GTK_IM_MODULE
+QT_IM_MODULE
+SDL_IM_MODULE
+XMODIFIERS
+
+
+# Additional apps to be installed in the container. Note that these are installed
+# on first container startup and will go away if the container is removed, so you
+# should keep persistent data related to apps on separate persistent storage
+# specified in the [mounts] section above.
+[apps]
+# The format is a unique name followed by comma separated package names of the distro
+# specific packages. The package name may have a ':dep(<pkg>)' suffix that indicates it is being
+# installed as an optional dependency of another package which is mentioned in the parentheses.
+# For example (package names are from pacman) -- also notice multiline value for 'firefox_deps':
+#firefox = firefox
+#firefox_deps = hunspell-en_us:dep(firefox),libnotify:dep(firefox),
+#               speech-dispatcher:dep(firefox)
+
+
+# Default flags can be added to specified programs when launching them via their wrapper
+# desktop files or wrapper executables
+[app_flags]
+# These flags/arguments will be added to Exec line of chromium.desktop when it is copied to
+# host as well as in the wrapper chromium executable created on the host.
+# You can use "!p" here for the first argument in the 'Exec='/'TryExec=' line in the desktop
+# file and '!a' for rest of the arguments. When linking to an executable program, '!p' will
+# refer to the full path of the executable while '!a' will be replaced by "$@" in the shell
+# script. Use '!!p' for a literal '!p' and '!!a' for a literal '!a'.
+
+# /dev/shm usage is disabled for chromium because that requires ipc=host or mounting host
+# /dev/shm in read-write mode which is quite insecure.
+chromium = !p --disable-dev-shm-usage --enable-chrome-browser-cloud-management !a
+
+
+# Startup programs you want to run when starting the container. These are run using
+# /bin/bash shell of the container, so you can use shell variables if required.
+# These programs are run as normal container user, so if you need to run using root
+# account then add 'sudo' before the command.
+[startup]
+# for example you can avoid sharing dbus of the original session rather start a separate one
+#dbus = /usr/bin/dbus-daemon --session
+#dbus_sys = sudo /usr/bin/dbus-daemon --system