Refactor/remove cgroups simplify v1

.envrc

@@ -1 +1 @@
-use flake . --impure
+use flake

.github/workflows/ci.yml

@@ -0,0 +1,37 @@
+name: CI
+
+on:
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v24
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+
+      - name: Check flake
+        run: nix flake check
+
+      - name: Format check
+        run: nix develop -c cargo fmt -- --check
+
+      - name: Clippy
+        run: nix develop -c cargo clippy --all-targets --all-features -- -D warnings
+
+      - name: Test
+        run: nix develop -c cargo test --workspace
+
+      - name: Build
+        run: nix build .#leeward-x86_64
+
+      - name: Security audit
+        run: nix develop -c cargo audit

.github/workflows/release.yml

@@ -0,0 +1,112 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag (e.g., v0.1.0)'
+        required: true
+        type: string
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Nix
+        uses: cachix/install-nix-action@v24
+        with:
+          extra_nix_config: |
+            experimental-features = nix-command flakes
+            accept-flake-config = true
+
+      - name: Setup Cachix
+        uses: cachix/cachix-action@v14
+        with:
+          name: leeward
+          skipPush: true
+
+      - name: Build all packages
+        run: |
+          # Build all outputs
+          nix build .#leeward-x86_64 -L
+          nix build .#leeward-aarch64 -L
+          nix build .#leeward-static -L
+          nix build .#leeward-deb -L
+
+          # Copy artifacts
+          mkdir -p artifacts
+          cp -L result*/* artifacts/ || true
+
+      - name: Create release archives
+        run: |
+          cd artifacts
+
+          # Create tarballs for each architecture
+          for arch in x86_64 aarch64; do
+            if [ -d "leeward-$arch" ]; then
+              tar czf "leeward-${arch}-linux.tar.gz" "leeward-$arch"
+            fi
+          done
+
+          # Create checksums
+          sha256sum *.tar.gz *.deb > checksums.txt || true
+
+          cd ..
+
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: release-artifacts
+          path: artifacts/*
+
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: release-artifacts
+          path: artifacts
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: ${{ github.event.inputs.tag || github.ref_name }}
+          name: Release ${{ github.event.inputs.tag || github.ref_name }}
+          draft: false
+          prerelease: false
+          files: |
+            artifacts/*.tar.gz
+            artifacts/*.deb
+            artifacts/checksums.txt
+          body: |
+            ## Installation
+
+            ### Debian/Ubuntu
+            ```bash
+            wget https://github.com/vektia/leeward/releases/latest/download/leeward_*_amd64.deb
+            sudo dpkg -i leeward_*.deb
+            ```
+
+            ### Binary (x86_64)
+            ```bash
+            curl -L https://github.com/vektia/leeward/releases/latest/download/leeward-x86_64-linux.tar.gz | tar xz
+            sudo mv leeward-x86_64/* /usr/local/bin/
+            ```
+
+            ### Nix
+            ```nix
+            nix run github:vektia/leeward/${{ github.event.inputs.tag || github.ref_name }}
+            ```
+
+            See [CHANGELOG.md](https://github.com/vektia/leeward/blob/main/CHANGELOG.md) for changes.

.gitignore

@@ -1,3 +1,4 @@
+# Python
 __pycache__/
 .pytest_cache/
 .ruff_cache
@@ -9,19 +10,22 @@ __pycache__/
 dist/
 build/
 *.egg-info/
+*.whl
 
+# Rust
 target/
-Cargo.lock
-
-*.whl
 *.so
 
+# Development tools
 .direnv/
 .devenv/
 .pre-commit-config.yaml
-
-/target
-
 .cargo-home/
 
-include/
+# Nix build results
+result
+result-*
+
+# Runtime files
+*.sock
+.leeward.sock

CHANGELOG.md

@@ -0,0 +1,39 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+- Initial release of leeward
+- Pre-fork worker pool architecture for ~0.5ms latency
+- Linux namespace isolation (pid, mount, net, ipc, uts)
+- Seccomp syscall filtering
+- Landlock filesystem restrictions
+- Unix socket IPC between daemon and CLI
+- MessagePack protocol for communication
+- Systemd service files (system and user)
+- Nix flake support with overlay
+- Debian package generation
+- Static musl binary builds
+- Multi-architecture support (x86_64, aarch64)
+
+### Architecture
+- `leeward-core`: Core isolation primitives
+- `leeward-daemon`: Persistent daemon with worker pool
+- `leeward-cli`: Command-line interface
+- `leeward-ffi`: C FFI library for language bindings
+
+### Security Features
+- No root required (uses user namespaces)
+- Defense in depth with 3 isolation layers
+- Zero network access by default
+- Restricted filesystem access via Landlock
+- Minimal syscall whitelist via seccomp
+
+## [0.1.0] - TBD
+
+Initial public release.