chore(devtools): devcontainer allows go and rust repos (onyx-dot-app#10041)

jmelahman · web-flow · commit 4a96ef13d73a · 2026-04-09T15:46:50.000-07:00
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -10,6 +10,7 @@
     "source=${localEnv:HOME}/.gitconfig,target=/home/dev/.gitconfig.host,type=bind,readonly",
     "source=${localEnv:HOME}/.ssh,target=/home/dev/.ssh.host,type=bind,readonly",
     "source=${localEnv:HOME}/.config/nvim,target=/home/dev/.config/nvim.host,type=bind,readonly",
+    "source=onyx-devcontainer-cache,target=/home/dev/.cache,type=volume",
     "source=onyx-devcontainer-local,target=/home/dev/.local,type=volume"
   ],
   "remoteUser": "dev",
diff --git a/.devcontainer/init-dev-user.sh b/.devcontainer/init-dev-user.sh
@@ -5,7 +5,7 @@ set -euo pipefail
 # bind-mounted files are accessible without running as root.
 #
 # Standard Docker:   Workspace is owned by the host user's UID (e.g. 1000).
-#                    We remap dev to that UID — fast and seamless.
+#                    We remap dev to that UID -- fast and seamless.
 #
 # Rootless Docker:   Workspace appears as root-owned (UID 0) inside the
 #                    container due to user-namespace mapping.  We can't remap
@@ -23,9 +23,10 @@ DEV_GID=$(id -g "$TARGET_USER")
 DEV_HOME=/home/"$TARGET_USER"
 
 # Ensure directories that tools expect exist under ~dev.
-# ~/.local is a named Docker volume — ensure subdirs exist and are owned by dev.
+# ~/.local and ~/.cache are named Docker volumes -- ensure they are owned by dev.
 mkdir -p "$DEV_HOME"/.local/state "$DEV_HOME"/.local/share
 chown -R "$TARGET_USER":"$TARGET_USER" "$DEV_HOME"/.local
+chown -R "$TARGET_USER":"$TARGET_USER" "$DEV_HOME"/.cache
 
 # Copy host configs mounted as *.host into their real locations.
 # This gives the dev user owned copies without touching host originals.
@@ -41,7 +42,7 @@ if [ -d "$DEV_HOME/.config/nvim.host" ]; then
     chown -R "$TARGET_USER":"$TARGET_USER" "$DEV_HOME/.config/nvim"
 fi
 
-# Already matching — nothing to do.
+# Already matching -- nothing to do.
 if [ "$WS_UID" = "$DEV_UID" ] && [ "$WS_GID" = "$DEV_GID" ]; then
     exit 0
 fi
diff --git a/.devcontainer/init-firewall.sh b/.devcontainer/init-firewall.sh
@@ -24,7 +24,7 @@ fi
 ipset create allowed-domains hash:net || true
 ipset flush allowed-domains
 
-# Fetch GitHub IP ranges (IPv4 only — ipset hash:net and iptables are IPv4)
+# Fetch GitHub IP ranges (IPv4 only -- ipset hash:net and iptables are IPv4)
 GITHUB_IPS=$(curl -s https://api.github.com/meta | jq -r '.api[]' 2>/dev/null | grep -v ':' || echo "")
 for ip in $GITHUB_IPS; do
     if ! ipset add allowed-domains "$ip" -exist 2>&1; then
@@ -42,6 +42,9 @@ ALLOWED_DOMAINS=(
     "update.code.visualstudio.com"
     "pypi.org"
     "files.pythonhosted.org"
+    "go.dev"
+    "storage.googleapis.com"
+    "static.rust-lang.org"
 )
 
 for domain in "${ALLOWED_DOMAINS[@]}"; do
