Run web-shell as a systemd service instead of a coder_script

chapterjason · claude · chapterjason · commit 4a3121c869f6 · 2026-04-23T18:23:48.000Z
Bakes web-shell.service + web-shell-launch into the base image; Terraform
uploads /etc/default/web-shell with the WEB_SHELL_CWD parameter so the
unit picks up the chosen working directory. Gains auto-restart on crash
and consistent logging to /var/log/web-shell.log.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/main.tf b/main.tf
@@ -194,25 +194,6 @@ resource "coder_app" "web-shell" {
   }
 }
 
-# Start web-shell on agent start. web-shell lives in the user's nvm default
-# node bin, so load nvm and activate the default alias to put it on PATH.
-resource "coder_script" "web_shell" {
-  count        = data.coder_workspace.me.start_count
-  agent_id     = coder_agent.main.id
-  display_name = "web-shell"
-  icon         = "/icon/terminal.svg"
-  run_on_start = true
-  script       = <<-EOT
-    #!/usr/bin/env bash
-    set -e
-    export NVM_DIR="$HOME/.nvm"
-    [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh" && nvm use default >/dev/null 2>&1 || true
-    HOST=127.0.0.1 PORT=4000 WEB_SHELL_CWD="${data.coder_parameter.directory.value}" \
-      nohup web-shell > /tmp/web-shell.log 2>&1 &
-    disown >/dev/null 2>&1 || true
-  EOT
-}
-
 # See https://registry.coder.com/modules/coder/jetbrains
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
@@ -453,6 +434,14 @@ resource "docker_container" "workspace" {
     content    = replace(coder_agent.main.init_script, "/localhost|127\\.0\\.0\\.1/", "host.docker.internal")
   }
 
+  # Config for web-shell.service (baked into the image). The unit reads this
+  # via EnvironmentFile; changing the `directory` parameter re-renders it and
+  # the unit picks it up on next start.
+  upload {
+    file    = "/etc/default/web-shell"
+    content = "WEB_SHELL_CWD=${data.coder_parameter.directory.value}\n"
+  }
+
   host {
     host = "host.docker.internal"
     ip   = "host-gateway"
diff --git a/src/base/Dockerfile b/src/base/Dockerfile
@@ -98,7 +98,11 @@ USER root
 # time by the Terraform template (kreuzwerker/docker `upload` block).
 RUN mkdir -p /etc/coder
 COPY src/base/coder-agent.service /etc/systemd/system/coder-agent.service
-RUN systemctl enable coder-agent.service
+COPY src/base/web-shell.service /etc/systemd/system/web-shell.service
+COPY --chmod=0755 src/base/web-shell-launch.sh /usr/local/bin/web-shell-launch
+RUN install -m 0644 /dev/null /var/log/web-shell.log && \
+    chown coder:coder /var/log/web-shell.log && \
+    systemctl enable coder-agent.service web-shell.service
 
 # Entrypoint claims fresh-volume mountpoints for the workspace user before
 # systemd starts. See entrypoint.sh for rationale.
diff --git a/src/base/web-shell-launch.sh b/src/base/web-shell-launch.sh
@@ -0,0 +1,14 @@
+#!/usr/bin/env bash
+# web-shell launcher. web-shell is installed under the workspace user's nvm
+# default, so nvm must be sourced before the binary is on PATH. Runs as the
+# workspace user under web-shell.service.
+set -e
+
+export NVM_DIR="$HOME/.nvm"
+if [ -s "$NVM_DIR/nvm.sh" ]; then
+  # shellcheck disable=SC1091
+  . "$NVM_DIR/nvm.sh"
+  nvm use default >/dev/null 2>&1 || true
+fi
+
+exec web-shell
diff --git a/src/base/web-shell.service b/src/base/web-shell.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=web-shell
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=coder
+Group=coder
+WorkingDirectory=/home/coder
+EnvironmentFile=-/etc/default/web-shell
+Environment=HOST=127.0.0.1
+Environment=PORT=4000
+ExecStart=/usr/local/bin/web-shell-launch
+Restart=on-failure
+RestartSec=5
+StandardOutput=append:/var/log/web-shell.log
+StandardError=append:/var/log/web-shell.log
+
+[Install]
+WantedBy=multi-user.target
