Claim volume mountpoints via image entrypoint, stop destroying shared state

Fresh Docker named volumes mount as root:root under sysbox-runc even when
the image path is pre-owned, so ~/projects was unwritable on first start.
Chown it (plus /mnt/home-persist, /mnt/shared) from a real entrypoint
script that execs into /sbin/init, replacing the Terraform-side sudo dance.

Also drop stale docker_volume.shared / docker_volume.home_persist addresses
from existing workspaces' tfstate via `removed { destroy = false }`, so
prior-template workspaces stop trying to delete the real shared volumes.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

main.tf

@@ -100,15 +100,6 @@ resource "coder_agent" "main" {
     echo "${data.coder_workspace_owner.me.ssh_private_key}" > ~/.ssh/id_ed25519
     chmod 600 ~/.ssh/id_ed25519
 
-    # Per-owner persistence volume. home-persist-resolve (run via
-    # coder_script.lifecycle_init below) symlinks declared $HOME paths into it.
-    sudo mkdir -p /mnt/home-persist
-    sudo chown "${local.workspace_uid}:${local.workspace_gid}" /mnt/home-persist
-
-    # Deployment-wide shared drop box. Sticky-bit 1777 (like /tmp) so anyone
-    # can write but only the file's owner can delete.
-    sudo mkdir -p /mnt/shared
-    sudo chmod 1777 /mnt/shared
   EOT
 
   shutdown_script = ""
@@ -349,6 +340,27 @@ resource "coder_script" "lifecycle_init" {
   EOT
 }
 
+# Drop leftover state entries from pre-c56cc1d templates without deleting the
+# underlying Docker volumes. Existing workspaces still carry
+# docker_volume.shared / docker_volume.home_persist in their tfstate; on every
+# stop/destroy Terraform tries to remove the real volumes (which hold shared
+# and per-owner persistent data). These `removed` blocks tell Terraform to
+# forget the addresses on the next apply while leaving the volumes intact.
+# Safe to delete once no workspace has those addresses in state anymore.
+removed {
+  from = docker_volume.shared
+  lifecycle {
+    destroy = false
+  }
+}
+
+removed {
+  from = docker_volume.home_persist
+  lifecycle {
+    destroy = false
+  }
+}
+
 # Persistent storage for the workspace's inner dockerd. Without this, every
 # `docker pull`, buildx cache, and image built inside the workspace is lost
 # on every restart. The workspace's dockerd runs under sysbox-runc.

src/base/Dockerfile

@@ -96,28 +96,14 @@ USER root
 # Coder agent: systemd unit runs /etc/coder/agent-init.sh as the workspace
 # user after dockerd is up. The script itself is uploaded at container-create
 # time by the Terraform template (kreuzwerker/docker `upload` block).
-RUN mkdir -p /etc/coder && \
-    cat > /etc/systemd/system/coder-agent.service <<EOF
-[Unit]
-Description=Coder Agent
-After=docker.service network-online.target
-Wants=network-online.target docker.service
-ConditionPathExists=/etc/coder/agent-init.sh
-
-[Service]
-Type=simple
-User=${USERNAME}
-Group=${USERNAME}
-WorkingDirectory=/home/${USERNAME}
-PassEnvironment=CODER_AGENT_TOKEN
-ExecStart=/bin/bash /etc/coder/agent-init.sh
-Restart=on-failure
-RestartSec=5
-
-[Install]
-WantedBy=multi-user.target
-EOF
-
+RUN mkdir -p /etc/coder
+COPY coder-agent.service /etc/systemd/system/coder-agent.service
 RUN systemctl enable coder-agent.service
 
+# Entrypoint claims fresh-volume mountpoints for the workspace user before
+# systemd starts. See entrypoint.sh for rationale.
+COPY --chmod=0755 entrypoint.sh /usr/local/sbin/coder-entrypoint
+ENV USERNAME=${USERNAME}
+
+ENTRYPOINT ["/usr/local/sbin/coder-entrypoint"]
 CMD ["/sbin/init"]

src/base/coder-agent.service

@@ -0,0 +1,18 @@
+[Unit]
+Description=Coder Agent
+After=docker.service network-online.target
+Wants=network-online.target docker.service
+ConditionPathExists=/etc/coder/agent-init.sh
+
+[Service]
+Type=simple
+User=coder
+Group=coder
+WorkingDirectory=/home/coder
+PassEnvironment=CODER_AGENT_TOKEN
+ExecStart=/bin/bash /etc/coder/agent-init.sh
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target

src/base/entrypoint.sh

@@ -0,0 +1,27 @@
+#!/bin/bash
+# Container entrypoint. Runs as root before systemd (PID 1) starts.
+#
+# Fresh Docker named volumes mount as root:root the first time they're
+# attached, even though the underlying image path is owned by the workspace
+# user (docker's "copy-up" doesn't reliably apply under sysbox-runc). Claim
+# the mountpoints here so coder-agent.service — which starts later under
+# systemd — sees correctly-owned mounts. Idempotent: chown/chmod are no-ops
+# when values already match.
+set -e
+
+USERNAME="${USERNAME:-coder}"
+
+for path in "/home/${USERNAME}/projects" /mnt/home-persist; do
+  [ -d "$path" ] || continue
+  chown "${USERNAME}:${USERNAME}" "$path"
+  chmod 0755 "$path"
+done
+
+# Deployment-wide share: every workspace runs as the same uid, so full 0777
+# gives all workspaces unrestricted read/write/delete on everything inside.
+if [ -d /mnt/shared ]; then
+  chown "${USERNAME}:${USERNAME}" /mnt/shared
+  chmod 0777 /mnt/shared
+fi
+
+exec "$@"