I want to run Claude Code in yolo mode, but I’m too ~~cowardly~~ responsible to do this on the computer that has my passwords and text messages on it.
So I made a virtual machine and run Claude in that.
The opportunity to Optimize was too good to pass up, however, so I added something cool for web projects: secure mapping of subdomains to local ports, so that the restricted agent user can run webservers and I can visit them over https. This lets me see what it’s doing as it makes changes, and it works great with multiple checkouts too — I can have more than one copy of the repo with a separate Claude and subdomain for each working (and viewable) at the same time.
My threat model is the lethal trifecta for AI agents. I want to give it access to the Internet, including reading untrusted content, but I don’t want it to be able to leak my private data.
The Ansible role is called chineseroom.[1] Check out the GitHub repo mrled/ansible-collection-chineseroom or the collection on Ansible Galaxy.
Right now it’s pretty barebones and tied to my technology choices (Fedora 42 in a VM on ARM), but it would be cool to make it more generic.
I’d also like to add at least one more feature: optional IP and domain whitelisting. The former was a cinch with nftables, but the latter requires configuring Squid Proxy, which is apparently Too Hard for a flagship model (or a mediocre SRE) to one-shot, so I haven’t gotten it working yet. This would let you make a different threat model tradeoff — deny it Internet access, but give it untrusted content and private data.
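An added illustration of the IP-whitelisting half (this is not from the chineseroom role, it is example config written for this post): an nftables ruleset that only restricts packets originated by an assumed Linux account named `agent`, lets them reach an assumed allow-list of addresses plus one fixed resolver, and logs and drops everything else. The user name, the resolver address and the allow-listed hosts are assumptions; the addresses are constructed documentation-range placeholders.

```nft
# Added example (not part of the chineseroom role). Assumes the restricted
# agent runs as the Linux user "agent"; all addresses are placeholders.
table inet agent_egress {
    set allowed_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }   # placeholder hosts
    }

    chain output {
        type filter hook output priority filter; policy accept;

        # Only packets sent by the agent account are subject to the rules below.
        meta skuid != "agent" accept

        # Loopback stays open so the agent can serve and test its local webservers.
        oif "lo" accept

        # Packets belonging to connections that were already permitted.
        ct state established,related accept

        # DNS to one fixed resolver only. This does not whitelist domains;
        # that is the part that still needs a proxy such as Squid.
        ip daddr 192.0.2.53 udp dport 53 accept
        ip daddr 192.0.2.53 tcp dport 53 accept

        # The IP allow-list itself.
        ip daddr @allowed_v4 accept

        # Everything else the agent originates is counted, logged, then dropped.
        counter log prefix "agent-egress-drop: " drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet agent_egress`. Because there is no IPv6 allow entry, any IPv6 traffic the agent originates falls through to the final drop, which is the safe default for this threat model; the `log` line gives you a kernel-log record of each blocked attempt so you can see what the agent tried to reach.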
If any of that sounds useful to have or fun to work on, I accept PRs :)
[1] This reminds me, I need to re-read Blindsight, which introduced me to the concept of a Chinese Room.