Stop destroying shared volumes on workspace delete; pin web-shell 0.5.0

docker_volume.shared and docker_volume.home_persist were declared in the
per-workspace terraform state, so `terraform destroy` on any workspace
also tried to remove them. They're deployment-wide / per-owner — Docker
refused removal while other workspaces still had them mounted, failing
the destroy and leaving partial state.

Removed both docker_volume resources and reference the volumes by literal
name in docker_container.workspace. Docker auto-creates named volumes on
first container attach (standard `-v name:/path` semantics), so first
workspace for an owner silently creates coder-<owner>-home-persist and
first workspace anywhere creates coder-shared. Subsequent workspaces
reuse them; delete only tears down the container and workspace-scoped
volumes.

Trade-off: auto-created volumes have no coder.owner / coder.owner_id
labels. Doesn't affect runtime — only orphan-cleanup tooling that filters
by label.

Also pin web-shell to 0.5.0 (was floating on `latest`) so image builds
are reproducible across CI runs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

main.tf

@@ -358,33 +358,6 @@ resource "docker_volume" "docker_data" {
   }
 }
 
-# Per-owner persistence volume. Follows the owner across every workspace they
-# open. Survives workspace deletion. Bind-mounted at /mnt/home-persist; the
-# home-persist resolver symlinks declared $HOME paths into it.
-resource "docker_volume" "home_persist" {
-  name = "coder-${data.coder_workspace_owner.me.name}-home-persist"
-  lifecycle {
-    ignore_changes = all
-  }
-  labels {
-    label = "coder.owner"
-    value = data.coder_workspace_owner.me.name
-  }
-  labels {
-    label = "coder.owner_id"
-    value = data.coder_workspace_owner.me.id
-  }
-}
-
-# Deployment-wide shared drop box. A single docker volume — fixed name, no
-# per-owner/per-workspace suffix — attached to every workspace.
-resource "docker_volume" "shared" {
-  name = "coder-shared"
-  lifecycle {
-    ignore_changes = all
-  }
-}
-
 # Per-workspace $HOME volume. Persists user data (~/.bashrc tweaks, cloned
 # repo, build artefacts) across workspace restarts.
 resource "docker_volume" "home_volume" {
@@ -446,9 +419,14 @@ resource "docker_container" "workspace" {
     read_only      = false
   }
 
+  # home_persist and shared are NOT terraform-managed — they're owned outside
+  # this workspace's lifecycle (per-owner and deployment-wide respectively).
+  # Referencing them by name means workspace destroy won't try to remove them
+  # (which would fail while other workspaces hold them). Docker auto-creates
+  # on first attach; pre-create on the host if you want labels for tracking.
   volumes {
     container_path = "/mnt/home-persist"
-    volume_name    = docker_volume.home_persist.name
+    volume_name    = "coder-${data.coder_workspace_owner.me.name}-home-persist"
     read_only      = false
   }
 
@@ -460,7 +438,7 @@ resource "docker_container" "workspace" {
 
   volumes {
     container_path = "/mnt/shared"
-    volume_name    = docker_volume.shared.name
+    volume_name    = "coder-shared"
     read_only      = false
   }
 

scripts/web-shell/install.sh

@@ -16,7 +16,7 @@
 # reached via Coder's reverse proxy, which gates access with Coder auth.
 set -e
 
-WS_VERSION_OPT="${VERSION:-latest}"
+WS_VERSION_OPT="${VERSION:-0.5.0}"
 WS_PORT="${PORT:-4000}"
 
 # Resolve the container's remote user. $_REMOTE_USER is set by the Dockerfile's