
Add Docker and Nix sandbox deployments

+257 -3
+4 -3
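--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -12,16 +12,17 @@
 runs-on: ubuntu-latest
 strategy:
 matrix:
-sandbox:
-[
+sandbox: [
 amp,
 claude,
 codex,
 copilot,
-crush,
+crush
+docker,
 gemini,
 kilo,
 kiro,
+nix,
 openclaw,
 opencode,
 ]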
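Review bot: The `crush` entry at new line 20 lost its trailing comma, so inside the flow sequence YAML folds it with the next line into a single scalar `crush docker`. The matrix then contains neither a `crush` nor a `docker` job, and instead schedules one job for a sandbox name that does not exist, so the Docker deployment this commit adds is never built while `nix` is. Restore the separator with `crush,` on line 20. A block-style list (`- crush` / `- docker`) would make this kind of slip impossible, since each entry stands on its own line without punctuation.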
+24
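--- a/apps/cf-sandbox/deploy/docker/Dockerfile
+++ b/apps/cf-sandbox/deploy/docker/Dockerfile
@@ -0,0 +1,24 @@
+FROM docker:dind-rootless
+
+USER root
+
+# Use the musl build so it runs on Alpine-based docker:dind-rootless
+COPY --from=docker.io/cloudflare/sandbox:0.7.5-musl /container-server/sandbox /sandbox
+COPY --from=docker.io/cloudflare/sandbox:0.7.5-musl /usr/lib/libstdc++.so.6 /usr/lib/libstdc++.so.6
+COPY --from=docker.io/cloudflare/sandbox:0.7.5-musl /usr/lib/libgcc_s.so.1 /usr/lib/libgcc_s.so.1
+COPY --from=docker.io/cloudflare/sandbox:0.7.5-musl /bin/bash /bin/bash
+COPY --from=docker.io/cloudflare/sandbox:0.7.5-musl /usr/lib/libreadline.so.8 /usr/lib/libreadline.so.8
+COPY --from=docker.io/cloudflare/sandbox:0.7.5-musl /usr/lib/libreadline.so.8.2 /usr/lib/libreadline.so.8.2
+
+# Create startup script that starts dockerd with
+# iptables disabled, waits for readiness, then keeps running
+RUN printf '#!/bin/sh\n\
+set -eu\n\
+dockerd-entrypoint.sh dockerd --iptables=false --ip6tables=false &\n\
+until docker version >/dev/null 2>&1; do sleep 0.2; done\n\
+echo "Docker is ready"\n\
+wait\n' > /home/rootless/boot-docker-for-dind.sh && chmod +x /home/rootless/boot-docker-for-dind.sh
+
+ENTRYPOINT ["/sandbox"]
+
+CMD ["/home/rootless/boot-docker-for-dind.sh"]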
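Review bot: `USER root` at line 3 is never reverted, so the `/sandbox` entrypoint and the `dockerd` started by the boot script run as root, and the rootless mode that the `docker:dind-rootless` base exists for is presumably not in effect. If root is needed only for the `COPY` lines into `/usr/lib` and `/bin`, add `USER rootless` before `ENTRYPOINT`. If the platform does require root, state that in a comment beside `USER root`, and explain there why `--iptables=false --ip6tables=false` is acceptable, since with those flags the daemon installs no firewall or NAT rules for inner containers. `docker:dind-rootless` is also a floating tag, unlike the versioned `cloudflare/sandbox:0.7.5-musl`; pinning it to a version or digest keeps rebuilds of this image reproducible.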
+104
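--- a/apps/cf-sandbox/deploy/docker/wrangler.jsonc
+++ b/apps/cf-sandbox/deploy/docker/wrangler.jsonc
@@ -0,0 +1,104 @@
+/**
+* For more details on how to configure Wrangler, refer to:
+* https://developers.cloudflare.com/workers/wrangler/configuration/
+*/
+/**
+* For more details on how to configure Wrangler, refer to:
+* https://developers.cloudflare.com/workers/wrangler/configuration/
+*/
+{
+"$schema": "node_modules/wrangler/config-schema.json",
+"name": "docker",
+"main": "src/index.ts",
+"compatibility_date": "2025-05-06",
+"compatibility_flags": ["nodejs_compat"],
+"observability": {
+"enabled": true,
+},
+/**
+* Smart Placement
+* Docs: https://developers.cloudflare.com/workers/configuration/smart-placement/#smart-placement
+*/
+// "placement": { "mode": "smart" }
+/**
+* Bindings
+* Bindings allow your Worker to interact with resources on the Cloudflare Developer Platform, including
+* databases, object storage, AI inference, real-time communication and more.
+* https://developers.cloudflare.com/workers/runtime-apis/bindings/
+*/
+/**
+* Environment Variables
+* https://developers.cloudflare.com/workers/wrangler/configuration/#environment-variables
+*/
+// "vars": { "MY_VARIABLE": "production_value" }
+"vars": { "SANDBOX_TRANSPORT": "websocket" },
+/**
+* Note: Use secrets to store sensitive data.
+* https://developers.cloudflare.com/workers/configuration/secrets/
+*/
+/**
+* Static Assets
+* https://developers.cloudflare.com/workers/static-assets/binding/
+*/
+// "assets": { "directory": "./public/", "binding": "ASSETS" }
+/**
+* Service Bindings (communicate between multiple Workers)
+* https://developers.cloudflare.com/workers/wrangler/configuration/#service-bindings
+*/
+// "services": [{ "binding": "MY_SERVICE", "service": "my-service" }]
+"containers": [
+{
+"class_name": "Sandbox",
+"image": "./Dockerfile",
+"instance_type": "standard-1",
+},
+],
+"durable_objects": {
+"bindings": [
+{
+"class_name": "Sandbox",
+"name": "Sandbox",
+},
+],
+},
+"migrations": [
+{
+"new_sqlite_classes": ["Sandbox"],
+"tag": "v1",
+},
+],
+"hyperdrive": [
+{
+"binding": "HYPERDRIVE",
+"id": "45a57339b01e45559b753ffcacbc20e4",
+},
+],
+/**
+* Smart Placement
+* https://developers.cloudflare.com/workers/configuration/smart-placement/#smart-placement
+*/
+// "placement": { "mode": "smart" }
+/**
+* Bindings
+* Bindings allow your Worker to interact with resources on the Cloudflare Developer Platform, including
+* databases, object storage, AI inference, real-time communication and more.
+* https://developers.cloudflare.com/workers/runtime-apis/bindings/
+*/
+/**
+* Environment Variables
+* https://developers.cloudflare.com/workers/wrangler/configuration/#environment-variables
+* Note: Use secrets to store sensitive data.
+* https://developers.cloudflare.com/workers/configuration/secrets/
+*/
+// "vars": { "MY_VARIABLE": "production_value" }
+/**
+* Static Assets
+* https://developers.cloudflare.com/workers/static-assets/binding/
+*/
+// "assets": { "directory": "./public/", "binding": "ASSETS" }
+/**
+* Service Bindings (communicate between multiple Workers)
+* https://developers.cloudflare.com/workers/wrangler/configuration/#service-bindings
+*/
+// "services": [ { "binding": "MY_SERVICE", "service": "my-service" } ]
+}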
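Review bot: The `hyperdrive` binding at lines 70-75 hard-codes the same configuration id that apps/cf-sandbox/deploy/nix/wrangler.jsonc uses, so both sandbox Workers presumably reach one database through the same stored connection. The id is not a credential in itself, but nothing in the file says which database it is or why a sandbox front-end needs it. A comment above the binding, for example `// Shared control-plane database, used by src/index.ts for <purpose>`, would document it, and the binding should be dropped if the Worker never reads `HYPERDRIVE`. Separately, the header comment appears twice (lines 1-8) and the scaffold sections at lines 76-103 repeat lines 18-48; trimming them in both files leaves only the settings that are actually in effect.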
+21
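--- a/apps/cf-sandbox/deploy/nix/Dockerfile
+++ b/apps/cf-sandbox/deploy/nix/Dockerfile
@@ -0,0 +1,21 @@
+FROM ubuntu:latest
+
+RUN apt-get update -y
+
+RUN apt-get install curl -y
+
+RUN curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux \
+--extra-conf "sandbox = false" \
+--init none \
+--no-confirm
+ENV PATH="${PATH}:/nix/var/nix/profiles/default/bin"
+
+RUN curl -fsSL https://get.jetify.com/devbox | bash
+
+RUN echo 'extra-trusted-substituters = https://cache.flox.dev' >> /etc/nix/nix.custom.conf \
+&& echo 'extra-trusted-public-keys = flox-cache-public-1:7F4OyH7ZCnFhcze3fJdfyXYLQw/aV7GEed86nQ7IsOs=' >> /etc/nix/nix.custom.conf
+
+RUN nix profile install \
+--experimental-features "nix-command flakes" \
+--accept-flake-config \
+'github:flox/flox/latest'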
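Review bot: Every input to this image floats: `ubuntu:latest` at line 1, the two installers piped straight into a shell at lines 7 and 13, and the `github:flox/flox/latest` flake ref at line 21. Two builds can therefore produce different sandboxes, and an altered installer would run as root at build time without any check. Pin the base image to a release and digest, download each installer to a file and compare it against a checksum kept in the repo before executing it, and replace `latest` with a tagged flake revision. `--accept-flake-config` at line 20 looks unnecessary, because lines 15-16 already trust the flox cache explicitly; dropping it stops the flake from applying further settings of its own. The `sandbox = false` setting at line 8 and the split `apt-get update` / `apt-get install` layers at lines 3-5 each deserve a short comment or a merge into one `RUN`, so the next reader knows they are deliberate.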
+104
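--- a/apps/cf-sandbox/deploy/nix/wrangler.jsonc
+++ b/apps/cf-sandbox/deploy/nix/wrangler.jsonc
@@ -0,0 +1,104 @@
+/**
+* For more details on how to configure Wrangler, refer to:
+* https://developers.cloudflare.com/workers/wrangler/configuration/
+*/
+/**
+* For more details on how to configure Wrangler, refer to:
+* https://developers.cloudflare.com/workers/wrangler/configuration/
+*/
+{
+"$schema": "node_modules/wrangler/config-schema.json",
+"name": "nix",
+"main": "src/index.ts",
+"compatibility_date": "2025-05-06",
+"compatibility_flags": ["nodejs_compat"],
+"observability": {
+"enabled": true,
+},
+/**
+* Smart Placement
+* Docs: https://developers.cloudflare.com/workers/configuration/smart-placement/#smart-placement
+*/
+// "placement": { "mode": "smart" }
+/**
+* Bindings
+* Bindings allow your Worker to interact with resources on the Cloudflare Developer Platform, including
+* databases, object storage, AI inference, real-time communication and more.
+* https://developers.cloudflare.com/workers/runtime-apis/bindings/
+*/
+/**
+* Environment Variables
+* https://developers.cloudflare.com/workers/wrangler/configuration/#environment-variables
+*/
+// "vars": { "MY_VARIABLE": "production_value" }
+"vars": { "SANDBOX_TRANSPORT": "websocket" },
+/**
+* Note: Use secrets to store sensitive data.
+* https://developers.cloudflare.com/workers/configuration/secrets/
+*/
+/**
+* Static Assets
+* https://developers.cloudflare.com/workers/static-assets/binding/
+*/
+// "assets": { "directory": "./public/", "binding": "ASSETS" }
+/**
+* Service Bindings (communicate between multiple Workers)
+* https://developers.cloudflare.com/workers/wrangler/configuration/#service-bindings
+*/
+// "services": [{ "binding": "MY_SERVICE", "service": "my-service" }]
+"containers": [
+{
+"class_name": "Sandbox",
+"image": "./Dockerfile",
+"instance_type": "standard-1",
+},
+],
+"durable_objects": {
+"bindings": [
+{
+"class_name": "Sandbox",
+"name": "Sandbox",
+},
+],
+},
+"migrations": [
+{
+"new_sqlite_classes": ["Sandbox"],
+"tag": "v1",
+},
+],
+"hyperdrive": [
+{
+"binding": "HYPERDRIVE",
+"id": "45a57339b01e45559b753ffcacbc20e4",
+},
+],
+/**
+* Smart Placement
+* https://developers.cloudflare.com/workers/configuration/smart-placement/#smart-placement
+*/
+// "placement": { "mode": "smart" }
+/**
+* Bindings
+* Bindings allow your Worker to interact with resources on the Cloudflare Developer Platform, including
+* databases, object storage, AI inference, real-time communication and more.
+* https://developers.cloudflare.com/workers/runtime-apis/bindings/
+*/
+/**
+* Environment Variables
+* https://developers.cloudflare.com/workers/wrangler/configuration/#environment-variables
+* Note: Use secrets to store sensitive data.
+* https://developers.cloudflare.com/workers/configuration/secrets/
+*/
+// "vars": { "MY_VARIABLE": "production_value" }
+/**
+* Static Assets
+* https://developers.cloudflare.com/workers/static-assets/binding/
+*/
+// "assets": { "directory": "./public/", "binding": "ASSETS" }
+/**
+* Service Bindings (communicate between multiple Workers)
+* https://developers.cloudflare.com/workers/wrangler/configuration/#service-bindings
+*/
+// "services": [ { "binding": "MY_SERVICE", "service": "my-service" } ]
+}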