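#!/usr/bin/env bash
#
# Sandbox wrapper: runs the tool this script is invoked as inside bubblewrap.
#
# See: https://news.ycombinator.com/item?id=45034496
#
# Usage: link or copy this script under the name of the tool to confine and
# put it ahead of /usr/bin in PATH. The tool is looked up by the script's own
# basename; inside the sandbox PATH is /usr/bin, so the wrapper is not found
# again there.
#
# What the sandboxed tool can still reach (review before relying on it):
#   - read-write: the current working directory and ~/.cache
#   - read-only:  /usr, /etc/ssl, /etc/ca-certificates, /etc/resolv.conf
#   - the network (--share-net), so anything readable above can be sent out
#   - the caller's environment: only PATH is overridden, nothing is cleared,
#     so tokens exported in the calling shell are visible to the tool

bin=${0##*/}

# The banner goes to stderr so the wrapped tool's stdout stays clean for
# pipelines and command substitution.
{
  echo "==========================="
  echo "Wrapping $bin in bubblewrap"
  echo "==========================="
} >&2

# The working directory is bound read-write. Started from / or from $HOME,
# that exposes the whole host tree or every dotfile and key in the home
# directory, which defeats the purpose of the wrapper.
if [[ "$PWD" == "/" || "$PWD" == "${HOME:-}" ]]; then
  printf 'warning: %s: working directory %s is bound read-write into the sandbox; run from a project directory instead\n' \
    "$bin" "$PWD" >&2
fi

# NOTE(review): bwrap applies mount operations in the order given, so a
# working directory under /tmp or /usr appears to be masked by the later
# --tmpfs / --ro-bind entries. Confirm before using the wrapper there.
bwrap_args=(
  # Writable paths: tool caches and the directory being worked on.
  --bind ~/.cache ~/.cache
  --bind "${PWD}" "${PWD}"

  # Fresh /dev for the sandbox.
  --dev /dev
  # Take the sandbox down when the launching process dies.
  --die-with-parent
  # No nested user namespaces inside the sandbox (needs --unshare-user).
  --disable-userns
  # New terminal session, so the tool cannot push input to the caller's tty.
  --new-session
  --proc /proc

  # Read-only: TLS trust store, DNS resolver configuration, system binaries.
  --ro-bind /etc/ca-certificates /etc/ca-certificates
  --ro-bind /etc/resolv.conf /etc/resolv.conf
  --ro-bind /etc/ssl /etc/ssl
  --ro-bind /usr /usr

  # Only /usr/bin is searched inside the sandbox.
  --setenv PATH /usr/bin

  # Merged-/usr layout for the legacy top-level directories.
  --symlink /usr/bin /bin
  --symlink /usr/bin /sbin
  --symlink /usr/lib /lib
  --symlink /usr/lib64 /lib64

  # Private, empty /tmp.
  --tmpfs /tmp

  # Unshare every namespace, then hand the network back.
  --unshare-all
  --unshare-user
  --share-net
)

exec bwrap "${bwrap_args[@]}" /usr/bin/env "$bin" "$@"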