Sync common files from infra repository

Synchronized from bootc-dev/infra@7b39639.

Signed-off-by: bootc-dev Bot <bot@bootc.dev>

Author: bootc-dev Bot

.bootc-dev-infra-commit.txt

@@ -1 +1 @@
-61b769aee4ec165dcbfd993aeaa10a7fae2cb629
+7b396396c7dcbcfe104a756ae0db45155394dadb

.devcontainer/devcontainer.json

@@ -1,30 +1,25 @@
 {
   "name": "bootc-devenv-debian",
-  // TODO override this back to prod image
   "image": "ghcr.io/bootc-dev/devenv-debian",
   "customizations": {
     "vscode": {
-      // Abitrary, but most of our code is in one of these two
+      // Arbitrary, but most of our code is in one of these two
       "extensions": [
         "rust-lang.rust-analyzer",
         "golang.Go"
       ]
+    },
+    "devaipod": {
+      // When running under devaipod, use minimal capabilities
+      // (SYS_ADMIN, NET_ADMIN, etc.) instead of full --privileged.
+      "nestedContainers": true
     }
   },
   "features": {},
-  "runArgs": [
-    // In general we hope that the outer environment has set up
-    // a user namespace to keep this secure.
-    "--cap-add=all",
-    // Required for mounting /proc in nested user namespace
-    "--security-opt", "label=disable",
-    // Allows access to /proc paths needed for nested containers
-    "--security-opt", "unmask=/proc/*",
-    // Device access for nested containers and VMs
-    "--device", "/dev/net/tun",
-    // I always want KVM
-    "--device", "/dev/kvm"
-  ],
+  // Use privileged mode for broad compatibility (Codespaces, Docker,
+  // stock devcontainer CLI). devaipod overrides this with tighter
+  // security via the nestedContainers customization above.
+  "privileged": true,
   "postCreateCommand": {
     // Our init script
     "devenv-init": "sudo /usr/local/bin/devenv-init.sh"
@@ -33,4 +28,3 @@
     "PATH": "${containerEnv:PATH}:/usr/local/cargo/bin"
   }
 }
-