User-context installers, drop PATH symlinks and systemd / chown plumbing

chapterjason · claude · chapterjason · commit 941cd8a1a4a2 · 2026-04-23T17:50:46.000Z
Everything that targets a single user (nvm, claude-code, rtk, web-shell
on base; cmake, sccache on cpp) now runs as `coder` from a user-context
loop in the Dockerfile. Upstream installers write into $HOME directly —
no root+chown dance, no /usr/local symlinks into user-space.

Script-by-script changes:

scripts/nvm/install.sh
  - Install to $HOME/.nvm via upstream (no more /usr/local/share/nvm).
  - Let the upstream installer append its loader snippet to ~/.profile
    (PROFILE=$HOME/.profile).
  - Dropped /etc/profile.d/nvm.sh, /etc/bash.bashrc and /etc/zsh/zshrc
    hooks, and all chown/chmod plumbing.

scripts/claude-code/install.sh (earlier commit, context here)
  - Runs as user, appends a runtime-idempotent PATH hook to ~/.profile
    for $HOME/.local/bin.

scripts/rtk/install.sh
  - Use plain upstream install, which lands the binary in $HOME/.local/bin.
  - post-create.sh moves from /usr/local/share/rtk to $HOME/.local/share/rtk.

scripts/sccache/install.sh
  - Pipe curl | tar with --strip-components=1 + path filter to extract
    just the binary straight into $HOME/.local/bin. No mktemp, no trap.

scripts/cmake/install.sh (earlier commit, context here)
  - Merge tarball into $HOME/.local with --strip-components=1.

scripts/web-shell/install.sh
  - Drop the systemd unit + /etc/profile.d fallback + INIT_COMM branch.
  - Drop the $HOME/.cache chown repair.
  - Drop the curl+tmpfile dance — npm install -g accepts the GitHub
    release tarball URL directly.

scripts/llvm/install.sh, context-mode, home-persist
  - Drop the per-script `if ! command -v X; then apt-get install X`
    fallbacks. curl / tar / git / jq / ca-certificates are now
    explicitly in the base image's main apt install.

src/base/Dockerfile
  - Add ca-certificates and curl to the main apt install.
  - Root loop: context-mode, home-persist only.
  - User-context loop: nvm, claude-code, rtk, web-shell.

src/cpp/Dockerfile
  - Root loop: just llvm.
  - User-context loop: cmake + sccache.

main.tf
  - coder_script.web_shell now sources $HOME/.nvm/nvm.sh + nvm use
    default so the backgrounded web-shell binary resolves on PATH.
  - Replace the systemd-based web-shell supervision with a plain
    coder_script: `nohup web-shell … &amp;`, no while-loop, no pgrep
    guard — matches coder/code-server and coder/jetbrains module
    patterns.
  - Lifecycle_init references $HOME/.local/share/rtk/post-create.sh.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/main.tf b/main.tf
@@ -63,8 +63,8 @@ data "coder_parameter" "directory" {
   type         = "string"
   name         = "directory"
   display_name = "Working directory"
-  description  = "Folder IDE modules open by default."
-  default      = "/home/coder"
+  description  = "Folder IDE modules and web-shell open by default."
+  default      = "/home/coder/projects"
   mutable      = true
 }
 
@@ -94,12 +94,6 @@ resource "coder_agent" "main" {
   startup_script = <<-EOT
     set -e
 
-    # Prepare user home with default files on first start.
-    if [ ! -f ~/.init_done ]; then
-      cp -rT /etc/skel ~
-      touch ~/.init_done
-    fi
-
     # SSH key for git-over-SSH clones. Public key + allowed_signers come via
     # coder_script.git_ssh_signing below.
     mkdir -p ~/.ssh && chmod 700 ~/.ssh
@@ -209,6 +203,25 @@ resource "coder_app" "web-shell" {
   }
 }
 
+# Start web-shell on agent start. web-shell lives in the user's nvm default
+# node bin, so load nvm and activate the default alias to put it on PATH.
+resource "coder_script" "web_shell" {
+  count        = data.coder_workspace.me.start_count
+  agent_id     = coder_agent.main.id
+  display_name = "web-shell"
+  icon         = "/icon/terminal.svg"
+  run_on_start = true
+  script       = <<-EOT
+    #!/usr/bin/env bash
+    set -e
+    export NVM_DIR="$HOME/.nvm"
+    [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh" && nvm use default >/dev/null 2>&1 || true
+    HOST=127.0.0.1 PORT=4000 WEB_SHELL_CWD="${data.coder_parameter.directory.value}" \
+      nohup web-shell > /tmp/web-shell.log 2>&1 &
+    disown >/dev/null 2>&1 || true
+  EOT
+}
+
 # See https://registry.coder.com/modules/coder/jetbrains
 module "jetbrains" {
   count    = data.coder_workspace.me.start_count
@@ -224,7 +237,7 @@ module "git-clone" {
   source   = "registry.coder.com/coder/git-clone/coder"
   agent_id = coder_agent.main.id
   url      = data.coder_parameter.repo_url.value
-  base_dir = "~"
+  base_dir = "~/projects"
   version  = "~> 1.0"
 }
 
@@ -331,7 +344,7 @@ resource "coder_script" "lifecycle_init" {
 
     [ -x /usr/local/bin/home-persist-resolve ]          && /usr/local/bin/home-persist-resolve
     [ -x /usr/local/share/context-mode/post-create.sh ] && /usr/local/share/context-mode/post-create.sh
-    [ -x /usr/local/share/rtk/post-create.sh ]          && /usr/local/share/rtk/post-create.sh
+    [ -x "$HOME/.local/share/rtk/post-create.sh" ]      && "$HOME/.local/share/rtk/post-create.sh"
     exit 0
   EOT
 }
@@ -362,10 +375,12 @@ resource "docker_volume" "docker_data" {
   }
 }
 
-# Per-workspace $HOME volume. Persists user data (~/.bashrc tweaks, cloned
-# repo, build artefacts) across workspace restarts.
-resource "docker_volume" "home_volume" {
-  name = "coder-${data.coder_workspace.me.id}-home"
+# Per-workspace projects volume. Cloned repos + work-in-progress live here
+# so they survive workspace restarts. $HOME itself is image-owned and resets
+# each start; per-owner state that must persist outside projects goes through
+# home-persist (see docs/persistence.md).
+resource "docker_volume" "projects_volume" {
+  name = "coder-${data.coder_workspace.me.id}-projects"
   lifecycle {
     ignore_changes = all
   }
@@ -418,8 +433,8 @@ resource "docker_container" "workspace" {
   }
 
   volumes {
-    container_path = local.workspace_home
-    volume_name    = docker_volume.home_volume.name
+    container_path = "${local.workspace_home}/projects"
+    volume_name    = docker_volume.projects_volume.name
     read_only      = false
   }
 
diff --git a/scripts/cmake/install.sh b/scripts/cmake/install.sh
@@ -1,16 +1,10 @@
 #!/usr/bin/env bash
-# cmake installer.
+# cmake installer. Runs as the workspace user — binaries land in $HOME/.local/.
 # https://cmake.org/
 set -e
 
 CMAKE_VERSION="${VERSION:-latest}"
 
-if ! command -v curl >/dev/null 2>&1 || ! command -v tar >/dev/null 2>&1; then
-  apt-get update
-  apt-get install -y --no-install-recommends curl ca-certificates tar
-  rm -rf /var/lib/apt/lists/*
-fi
-
 if [ "$CMAKE_VERSION" = "latest" ]; then
   CMAKE_VERSION="$(curl -fsSL https://api.github.com/repos/Kitware/CMake/releases/latest \
     | sed -n 's/^.*"tag_name": *"v\([^"]*\)".*$/\1/p')"
@@ -28,13 +22,8 @@ trap 'rm -rf "$TMPDIR"' EXIT
 
 curl -fsSL -o "$TMPDIR/cmake.tar.gz" \
   "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-${CM_ARCH}.tar.gz"
-tar -xzf "$TMPDIR/cmake.tar.gz" -C "$TMPDIR"
-
-INSTALL_DIR="/usr/local/cmake-${CMAKE_VERSION}"
-rm -rf "$INSTALL_DIR"
-mv "$TMPDIR/cmake-${CMAKE_VERSION}-linux-${CM_ARCH}" "$INSTALL_DIR"
 
-for bin in cmake ctest cpack ccmake; do
-  [ -x "$INSTALL_DIR/bin/$bin" ] || continue
-  ln -sf "$INSTALL_DIR/bin/$bin" "/usr/local/bin/$bin"
-done
+# Merge tarball contents into $HOME/.local — binaries land at $HOME/.local/bin/,
+# which is on PATH via claude-code's .profile hook. No symlinks.
+mkdir -p "$HOME/.local"
+tar -xzf "$TMPDIR/cmake.tar.gz" -C "$HOME/.local" --strip-components=1
diff --git a/scripts/context-mode/install.sh b/scripts/context-mode/install.sh
@@ -9,12 +9,6 @@
 # so it writes through the symlink into the persistent volume on every start.
 set -e
 
-if ! command -v git >/dev/null 2>&1; then
-  apt-get update
-  apt-get install -y --no-install-recommends git ca-certificates
-  rm -rf /var/lib/apt/lists/*
-fi
-
 mkdir -p /usr/local/share/context-mode
 cat >/usr/local/share/context-mode/post-create.sh <<'EOF'
 #!/usr/bin/env bash
diff --git a/scripts/home-persist/install.sh b/scripts/home-persist/install.sh
@@ -8,11 +8,5 @@
 # Coder parameter.
 set -e
 
-if ! command -v jq >/dev/null 2>&1; then
-  apt-get update
-  apt-get install -y --no-install-recommends jq ca-certificates
-  rm -rf /var/lib/apt/lists/*
-fi
-
 mkdir -p /etc/home-persist.d
 install -m 0755 "$(dirname "$0")/resolve.sh" /usr/local/bin/home-persist-resolve
diff --git a/scripts/llvm/install.sh b/scripts/llvm/install.sh
@@ -6,26 +6,6 @@ set -e
 LLVM_VERSION="${VERSION:-22}"
 LLVM_ALL="${ALL:-true}"
 
-# llvm.sh writes the LLVM apt source in deb822 format on trixie/forky/sid, so
-# software-properties-common (gone from trixie) is no longer required there.
-# Older Debian/Ubuntu suites still need add-apt-repository, which lives in
-# software-properties-common. Detect the suite and preinstall accordingly.
-PKGS=(ca-certificates curl gnupg lsb-release wget)
-. /etc/os-release
-case "${VERSION_CODENAME:-}" in
-  trixie|forky|sid) ;;
-  *) PKGS+=(software-properties-common) ;;
-esac
-NEED=()
-for pkg in "${PKGS[@]}"; do
-  dpkg -s "$pkg" >/dev/null 2>&1 || NEED+=("$pkg")
-done
-if [ "${#NEED[@]}" -gt 0 ]; then
-  apt-get update
-  apt-get install -y --no-install-recommends "${NEED[@]}"
-  rm -rf /var/lib/apt/lists/*
-fi
-
 TMPDIR="$(mktemp -d)"
 trap 'rm -rf "$TMPDIR"' EXIT
 
diff --git a/scripts/nvm/install.sh b/scripts/nvm/install.sh
@@ -1,84 +1,25 @@
 #!/usr/bin/env bash
-# nvm installer.
+# nvm installer. Runs as the workspace user — installs to $HOME/.nvm via
+# the upstream installer, which appends its loader snippet to ~/.profile.
 # https://github.com/nvm-sh/nvm
 set -e
 
 NVM_VERSION="${VERSION:-0.40.4}"
 NODE_VERSION="${NODE:-lts}"
 
-NVM_DIR=/usr/local/share/nvm
-export NVM_DIR
-
-USER_NAME="${_REMOTE_USER:-${USERNAME:-root}}"
-if [ "$USER_NAME" = "root" ]; then
-  USER_GROUP="root"
-else
-  USER_GROUP="$(id -gn "$USER_NAME")"
-fi
-
-if ! command -v curl >/dev/null 2>&1; then
-  apt-get update
-  apt-get install -y --no-install-recommends curl ca-certificates
-  rm -rf /var/lib/apt/lists/*
-fi
-
-mkdir -p "$NVM_DIR"
-chown "$USER_NAME:$USER_GROUP" "$NVM_DIR"
-chmod g+ws "$NVM_DIR"
-
-curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh" | PROFILE=/dev/null bash
-
-cat >/etc/profile.d/nvm.sh <<EOF
-export NVM_DIR="$NVM_DIR"
-if [ -s "\$NVM_DIR/nvm.sh" ]; then
-  \\. "\$NVM_DIR/nvm.sh"
-  [ -s "\$NVM_DIR/bash_completion" ] && \\. "\$NVM_DIR/bash_completion"
-  # Activate the default alias if present — puts node/npm/npx on PATH.
-  [ -s "\$NVM_DIR/alias/default" ] && nvm use default >/dev/null 2>&1
-fi
-EOF
-chmod 644 /etc/profile.d/nvm.sh
-
-# Non-login interactive bash shells (VS Code / code-server terminals) source
-# /etc/bash.bashrc, not /etc/profile.d. Without this hook, the `nvm` shell
-# function isn't defined in those shells even though `node` / `npm` work via
-# the /usr/local/bin symlinks below. Idempotent guard so re-running the
-# install doesn't duplicate the block.
-if [ ! -f /etc/bash.bashrc ] || ! grep -q 'nvm-hook' /etc/bash.bashrc; then
-  cat >>/etc/bash.bashrc <<'EOF'
-
-# nvm-hook: sourced by non-login interactive bash shells.
-if [ -z "${NVM_DIR:-}" ] && [ -s /etc/profile.d/nvm.sh ]; then
-  . /etc/profile.d/nvm.sh
-fi
-EOF
-fi
-
-# Same for zsh if the distro ships /etc/zsh/zshrc.
-if [ -f /etc/zsh/zshrc ] && ! grep -q 'nvm-hook' /etc/zsh/zshrc; then
-  cat >>/etc/zsh/zshrc <<'EOF'
-
-# nvm-hook: sourced by interactive zsh shells.
-if [ -z "${NVM_DIR:-}" ] && [ -s /etc/profile.d/nvm.sh ]; then
-  . /etc/profile.d/nvm.sh
-fi
-EOF
-fi
+curl -fsSL "https://raw.githubusercontent.com/nvm-sh/nvm/v${NVM_VERSION}/install.sh" \
+  | PROFILE="$HOME/.profile" bash
 
 if [ "$NODE_VERSION" != "none" ]; then
+  export NVM_DIR="$HOME/.nvm"
+  # shellcheck disable=SC1091
+  . "$NVM_DIR/nvm.sh"
   if [ "$NODE_VERSION" = "lts" ]; then
-    NVM_INSTALL_ARG="--lts"
-    NVM_ALIAS_TARGET="lts/*"
+    nvm install --lts
+    nvm alias default "lts/*"
   else
-    NVM_INSTALL_ARG="$NODE_VERSION"
-    NVM_ALIAS_TARGET="$NODE_VERSION"
+    # shellcheck disable=SC2086
+    nvm install "$NODE_VERSION"
+    nvm alias default "$NODE_VERSION"
   fi
-
-  # shellcheck disable=SC1091
-  . "$NVM_DIR/nvm.sh"
-  # shellcheck disable=SC2086
-  nvm install $NVM_INSTALL_ARG
-  nvm alias default "$NVM_ALIAS_TARGET"
 fi
-
-chown -R "$USER_NAME:$USER_GROUP" "$NVM_DIR"
diff --git a/scripts/rtk/install.sh b/scripts/rtk/install.sh
@@ -1,30 +1,17 @@
 #!/usr/bin/env bash
-# rtk installer.
+# rtk installer. Runs as the workspace user — binary lands in $HOME/.local/bin.
 # https://github.com/rtk-ai/rtk
-#
-# Our workspaces mount $HOME as a named volume (see docs/persistence.md),
-# so anything written to the user's home at build time is hidden on runs
-# where the volume already has contents. Install the binary system-wide to
-# /usr/local/bin, and defer the `rtk init` auto-patch to a post-create hook
-# (run via coder_script at workspace start) so it runs against the real home.
 set -e
 
-if ! command -v curl >/dev/null 2>&1; then
-  apt-get update
-  apt-get install -y --no-install-recommends curl ca-certificates
-  rm -rf /var/lib/apt/lists/*
-fi
-
-curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh |
-  RTK_INSTALL_DIR=/usr/local/bin sh
+curl -fsSL https://raw.githubusercontent.com/rtk-ai/rtk/refs/heads/master/install.sh | sh
 
-if [ ! -x /usr/local/bin/rtk ]; then
-  echo "rtk: expected /usr/local/bin/rtk after install, but it was not found." >&2
+if [ ! -x "$HOME/.local/bin/rtk" ]; then
+  echo "rtk: expected $HOME/.local/bin/rtk after install, but it was not found." >&2
   exit 1
 fi
 
-mkdir -p /usr/local/share/rtk
-cat >/usr/local/share/rtk/post-create.sh <<'EOF'
+mkdir -p "$HOME/.local/share/rtk"
+cat >"$HOME/.local/share/rtk/post-create.sh" <<'EOF'
 #!/usr/bin/env bash
 # Runs as the remote user via a coder_script at workspace start.
 set -e
@@ -37,4 +24,4 @@ fi
 mkdir -p "$HOME/.claude"
 rtk init -g --auto-patch
 EOF
-chmod 0755 /usr/local/share/rtk/post-create.sh
+chmod 0755 "$HOME/.local/share/rtk/post-create.sh"
diff --git a/scripts/sccache/install.sh b/scripts/sccache/install.sh
@@ -1,16 +1,10 @@
 #!/usr/bin/env bash
-# sccache installer.
+# sccache installer. Runs as the workspace user — binary lands in $HOME/.local/bin.
 # https://github.com/mozilla/sccache
 set -e
 
 SCCACHE_VERSION="${VERSION:-latest}"
 
-if ! command -v curl >/dev/null 2>&1 || ! command -v tar >/dev/null 2>&1; then
-  apt-get update
-  apt-get install -y --no-install-recommends curl ca-certificates tar
-  rm -rf /var/lib/apt/lists/*
-fi
-
 if [ "$SCCACHE_VERSION" = "latest" ]; then
   SCCACHE_VERSION="$(curl -fsSL https://api.github.com/repos/mozilla/sccache/releases/latest \
     | sed -n 's/^.*"tag_name": *"v\([^"]*\)".*$/\1/p')"
@@ -23,11 +17,7 @@ case "$ARCH" in
   *) echo "sccache: unsupported arch: $ARCH" >&2; exit 1 ;;
 esac
 
-TMPDIR="$(mktemp -d)"
-trap 'rm -rf "$TMPDIR"' EXIT
-
-curl -fsSL -o "$TMPDIR/sccache.tar.gz" \
-  "https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/sccache-v${SCCACHE_VERSION}-${SC_ARCH}.tar.gz"
-tar -xzf "$TMPDIR/sccache.tar.gz" -C "$TMPDIR"
-
-install -m 0755 "$TMPDIR/sccache-v${SCCACHE_VERSION}-${SC_ARCH}/sccache" /usr/local/bin/sccache
+mkdir -p "$HOME/.local/bin"
+curl -fsSL "https://github.com/mozilla/sccache/releases/download/v${SCCACHE_VERSION}/sccache-v${SCCACHE_VERSION}-${SC_ARCH}.tar.gz" \
+  | tar -xzf - -C "$HOME/.local/bin" --strip-components=1 \
+      "sccache-v${SCCACHE_VERSION}-${SC_ARCH}/sccache"
diff --git a/scripts/web-shell/install.sh b/scripts/web-shell/install.sh
diff --git a/src/base/Dockerfile b/src/base/Dockerfile
diff --git a/src/cpp/Dockerfile b/src/cpp/Dockerfile
