I guess I use Pi now

bash/.bashrc

@@ -220,3 +220,6 @@ function open_nas_decrypt() {
 function close_nas_decrypt() {
   fusermount -u "$MACHINE_NAS_DECRYPT_PATH"
 }
+
+# alias pi to the bwrap wrapper
+alias pi="pi-bwrap"

opencode-bwrap/.config/systemd/user/opencode-bwrap-server-tailscale.service

@@ -0,0 +1,10 @@
+[Unit]
+Description=Forwarder from Tailscale to OpenCode Server
+After=opencode-bwrap-server.service
+Requires=opencode-bwrap-server.service
+
+[Service]
+ExecStart=/usr/bin/bash -c "TAILSCALE_IP=$(ip -4 a show dev tailscale0 | grep 'scope global' | awk '{ print $2; }' | cut -d'/' -f1); socat TCP-LISTEN:4096,fork,bind=$TAILSCALE_IP TCP:127.0.0.1:4096"
+
+[Install]
+WantedBy=default.target

opencode-bwrap/.config/systemd/user/opencode-bwrap-server.service

@@ -0,0 +1,9 @@
+[Unit]
+Description=OpenCode w/ bubblewrap server
+
+[Service]
+WorkingDirectory=%h/workspace
+ExecStart=%h/.local/bin/opencode-bwrap serve
+
+[Install]
+WantedBy=default.target

opencode-bwrap/.local/bin/opencode-bwrap

@@ -43,4 +43,25 @@ BWRAP_ARGS=(
   --remount-ro /
 )
 
-bwrap "${BWRAP_ARGS[@]}" opencode "$@"
+OPENCODE_ARGS=()
+
+while [ ! -z "$1" ]; do
+  case "$1" in
+    --add-bind)
+      if [ -z "$2" ]; then
+        echo "Missing parameter to --add-bind"
+        exit 1
+      fi
+      real_path="$(readlink -f "$2")"
+      BWRAP_ARGS+=("--bind" "$real_path" "$real_path")
+      shift
+      shift
+      ;;
+    *)
+      OPENCODE_ARGS+=("$1")
+      shift
+      ;;
+  esac
+done
+
+bwrap "${BWRAP_ARGS[@]}" opencode "${OPENCODE_ARGS[@]}"

opencode-bwrap/.local/bin/opencode-bwrap-attach

@@ -0,0 +1,7 @@
+#!/usr/bin/env bash
+
+URL="$1"
+
+[ -z "$URL" ] && URL="http://127.0.0.1:4096"
+
+opencode-bwrap attach "$URL" --dir "$PWD"

pi-bwrap/.local/bin/pi-bwrap

@@ -0,0 +1,69 @@
+#!/usr/bin/env bash
+
+if [ "$PWD" == "$HOME" ]; then
+  echo "Don't run this in \$HOME!"
+  exit 1
+fi
+
+scriptpath="$(dirname "$(realpath $0)")"
+
+BWRAP_ARGS=(
+  --unshare-user
+  --dev-bind / /
+  --tmpfs /tmp
+  --tmpfs "$HOME"
+
+  # Hide XDG_RUNTIME_DIR for now
+  --tmpfs "$XDG_RUNTIME_DIR"
+
+  # Always give RW permission to PWD
+  --bind "$PWD" "$PWD"
+
+  # Now ro-bind some directories
+  --ro-bind "$HOME/.config" "$HOME/.config"
+  --ro-bind "$HOME/dotfiles" "$HOME/dotfiles"
+  --ro-bind "$HOME/.bashrc" "$HOME/.bashrc"
+  --ro-bind "$HOME/.bash_profile" "$HOME/.bash_profile"
+
+  # Pi directory
+  --bind "$HOME/.pi" "$HOME/.pi"
+
+  # NVM (Pi is installed by a node version in nvm)
+  --bind "$HOME/.nvm" "$HOME/.nvm"
+
+  # Language / dev stuff
+  --bind "$HOME/.cargo" "$HOME/.cargo"
+  --bind "$HOME/.rustup" "$HOME/.rustup"
+  --bind "$HOME/Android" "$HOME/Android"
+  --bind "$HOME/.npm" "$HOME/.npm"
+  --bind "$HOME/.gradle" "$HOME/.gradle"
+  --bind "$HOME/.cache/go" "$HOME/.cache/go"
+  --bind "$HOME/go" "$HOME/go"
+
+  # Now remount rootfs as ro
+  --remount-ro /
+)
+
+PI_ARGS=()
+
+while [ ! -z "$1" ]; do
+  case "$1" in
+    --add-bind)
+      if [ -z "$2" ]; then
+        echo "Missing parameter to --add-bind"
+        exit 1
+      fi
+      real_path="$(readlink -f "$2")"
+      BWRAP_ARGS+=("--bind" "$real_path" "$real_path")
+      shift
+      shift
+      ;;
+    *)
+      PI_ARGS+=("$1")
+      shift
+      ;;
+  esac
+done
+
+echo "Launching pi within bwrap jail..."
+bwrap "${BWRAP_ARGS[@]}" $scriptpath/pi-wrapper-inner "${PI_ARGS[@]}"

pi-bwrap/.local/bin/pi-wrapper-inner

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+source /usr/share/nvm/init-nvm.sh
+nvm exec pi pi "$@"

utils/.local/bin/ass_to_srt

@@ -0,0 +1,4 @@
+#!/usr/bin/env bash
+
+ffmpeg -i "$1" "$2"
+sed -E -i 's/<[^>]+>//g' "$2"