Replace custom code-server (9GB) with upstream LinuxServer image (~1GB)

Drop the custom Dockerfile.code-server that bundled Claude Code CLI,
Python/MkDocs tooling, and build-essential on top of codercom base.
Switch to the already-mirrored linuxserver/code-server image instead.

- Both compose files: use code-server:latest, LinuxServer env vars
  (PUID/PGID/DEFAULT_WORKSPACE), port 8443, /config mount layout
- Nginx configs + templates: proxy to :8443 instead of :8080
- API env default: CODE_SERVER_URL updated to :8443
- build-and-push.sh: remove --include-code-server flag
- upgrade.sh: remove code-server conditional rebuild + registry fallback
- install.sh: add --ignore-pull-failures for optional missing images
- .env.example, CCP templates, bunker-ops template: updated

Bunker Admin

.env.example

@@ -237,8 +237,7 @@ MKDOCS_DOCS_PATH=/mkdocs/docs
 
 # --- Code Server ---
 CODE_SERVER_PORT=8888
-CODE_SERVER_URL=http://code-server:8080
-USER_NAME=coder
+CODE_SERVER_URL=http://code-server-changemaker:8443
 
 # --- Homepage ---
 HOMEPAGE_PORT=3010

api/src/config/env.ts

@@ -195,7 +195,7 @@ const envSchema = z.object({
   SMS_DEVICE_MONITOR_INTERVAL_MS: z.coerce.number().default(30000),
 
   // Docs / Code Server
-  CODE_SERVER_URL: z.string().default('http://code-server-changemaker:8080'),
+  CODE_SERVER_URL: z.string().default('http://code-server-changemaker:8443'),
   CODE_SERVER_PORT: z.coerce.number().default(8888),
   MKDOCS_PREVIEW_URL: z.string().default('http://mkdocs-changemaker:8000'),
   MKDOCS_PORT: z.coerce.number().default(4003),

bunker-ops/roles/changemaker/templates/env.j2

@@ -171,7 +171,7 @@ MEDIA_API_PORT={{ cml_media_api_port }}
 MEDIA_API_PUBLIC_URL=http://media-api:{{ cml_media_api_port }}
 
 # --- Docs / Code Server ---
-CODE_SERVER_URL=http://code-server-changemaker:8080
+CODE_SERVER_URL=http://code-server-changemaker:8443
 CODE_SERVER_PORT=8888
 MKDOCS_PREVIEW_URL=http://mkdocs-changemaker:8000
 MKDOCS_PORT=4003

changemaker-control-panel/templates/env.hbs

@@ -252,8 +252,7 @@ MKDOCS_SITE_SERVER_PORT={{math ports.embed "+" 14}}
 MKDOCS_PREVIEW_URL=http://{{containerPrefix}}-mkdocs:8000
 MKDOCS_DOCS_PATH=/mkdocs/docs
 CODE_SERVER_PORT={{math ports.embed "+" 7}}
-CODE_SERVER_URL=http://{{containerPrefix}}-code-server:8080
-USER_NAME=coder
+CODE_SERVER_URL=http://{{containerPrefix}}-code-server:8443
 BASE_DOMAIN=https://{{domain}}
 
 # Gitea

changemaker-control-panel/templates/nginx/conf.d/default.conf.hbs

@@ -345,7 +345,7 @@ server {
     server_name code.{{domain}};
 
     location / {
-        set $upstream_code http://{{containerPrefix}}-code-server:8080;
+        set $upstream_code http://{{containerPrefix}}-code-server:8443;
         proxy_pass $upstream_code;
         proxy_http_version 1.1;
         proxy_set_header Host $host;

changemaker-control-panel/templates/nginx/conf.d/services.conf.hbs

@@ -120,7 +120,7 @@ server {
 server {
     listen 8888;
     location / {
-        set $upstream_code http://{{containerPrefix}}-code-server:8080;
+        set $upstream_code http://{{containerPrefix}}-code-server:8443;
         proxy_pass $upstream_code;
         proxy_hide_header X-Frame-Options;
         proxy_hide_header Content-Security-Policy;

docker-compose.prod.yml

@@ -511,25 +511,25 @@ services:
   # PLATFORM SERVICES (kept from v1)
   # =========================================================================
 
-  # Code Server — Browser IDE
+  # Code Server — Browser IDE (LinuxServer upstream, no custom build)
   code-server:
-    image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/changemaker-code-server:${IMAGE_TAG:-latest}
+    image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/code-server:latest
     container_name: code-server-changemaker
-    command: /home/coder/project
     environment:
-      - DOCKER_USER=${USER_NAME:-coder}
-    user: "${USER_ID:-1000}:${GROUP_ID:-1000}"
+      - PUID=${USER_ID:-1000}
+      - PGID=${GROUP_ID:-1000}
+      - TZ=${TZ:-UTC}
+      - DEFAULT_WORKSPACE=/config/workspace
     volumes:
-      - ./configs/code-server/.config:/home/coder/.config
-      - ./configs/code-server/.local:/home/coder/.local
-      - ./nginx:/home/coder/project/nginx
-      - ./configs:/home/coder/project/configs
-      - ./scripts:/home/coder/project/scripts
-      - ./mkdocs:/home/coder/project/mkdocs
-      - ./docker-compose.yml:/home/coder/project/docker-compose.yml
+      - ./configs/code-server:/config
+      - ./nginx:/config/workspace/nginx
+      - ./configs:/config/workspace/configs
+      - ./scripts:/config/workspace/scripts
+      - ./mkdocs:/config/workspace/mkdocs
+      - ./docker-compose.yml:/config/workspace/docker-compose.yml
       # NOTE: .env intentionally excluded — secrets must not be accessible via Code Server
     ports:
-      - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8080"
+      - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8443"
     restart: unless-stopped
     logging: *default-logging
     networks:

docker-compose.yml

@@ -526,30 +526,27 @@ services:
   # PLATFORM SERVICES (kept from v1)
   # =========================================================================
 
-  # Code Server — Browser IDE
+  # Code Server — Browser IDE (LinuxServer upstream, no custom build)
   code-server:
-    image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/changemaker-code-server:${IMAGE_TAG:-local}
-    build:
-      context: .
-      dockerfile: Dockerfile.code-server
+    image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/code-server:latest
     container_name: code-server-changemaker
-    command: /home/coder/project
     environment:
-      - DOCKER_USER=${USER_NAME:-coder}
-    user: "${USER_ID:-1000}:${GROUP_ID:-1000}"
+      - PUID=${USER_ID:-1000}
+      - PGID=${GROUP_ID:-1000}
+      - TZ=${TZ:-UTC}
+      - DEFAULT_WORKSPACE=/config/workspace
     volumes:
-      - ./configs/code-server/.config:/home/coder/.config
-      - ./configs/code-server/.local:/home/coder/.local
-      - ./api:/home/coder/project/api
-      - ./admin:/home/coder/project/admin
-      - ./nginx:/home/coder/project/nginx
-      - ./configs:/home/coder/project/configs
-      - ./scripts:/home/coder/project/scripts
-      - ./mkdocs:/home/coder/project/mkdocs
-      - ./docker-compose.yml:/home/coder/project/docker-compose.yml
+      - ./configs/code-server:/config
+      - ./api:/config/workspace/api
+      - ./admin:/config/workspace/admin
+      - ./nginx:/config/workspace/nginx
+      - ./configs:/config/workspace/configs
+      - ./scripts:/config/workspace/scripts
+      - ./mkdocs:/config/workspace/mkdocs
+      - ./docker-compose.yml:/config/workspace/docker-compose.yml
       # NOTE: .env intentionally excluded — secrets must not be accessible via Code Server
     ports:
-      - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8080"
+      - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8443"
     restart: unless-stopped
     logging: *default-logging
     networks:

mkdocs/docs/docs/getting-started/environment-variables.md

@@ -315,8 +315,7 @@ Self-hosted Git repository. Optional service.
 | Variable | Default | Description |
 |----------|---------|-------------|
 | `CODE_SERVER_PORT` | `8888` | Code Server web UI port. |
-| `CODE_SERVER_URL` | `http://code-server:8080` | Internal container URL. |
-| `USER_NAME` | `coder` | User account inside the Code Server container. |
+| `CODE_SERVER_URL` | `http://code-server-changemaker:8443` | Internal container URL. |
 
 ---
 

nginx/conf.d/services.conf.template

@@ -114,7 +114,7 @@ server {
     add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always;
 
     location / {
-        set $upstream_code http://code-server-changemaker:8080;
+        set $upstream_code http://code-server-changemaker:8443;
         proxy_pass $upstream_code;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;

scripts/build-and-push.sh

@@ -10,7 +10,6 @@
 # Options:
 #   --services a,b,c      Comma-separated list of services to build
 #                         (default: api admin media-api nginx)
-#   --include-code-server Also build and push code-server (~9GB, slow)
 #   --no-push             Build only, skip push (verify builds work)
 #   --tag TAG             Override commit SHA tag (default: git rev-parse --short HEAD)
 #   --registry URL        Override registry (default: gitea.bnkops.com/admin)
@@ -30,7 +29,6 @@ REGISTRY="${GITEA_REGISTRY:-gitea.bnkops.com/admin}"
 COMMIT_SHA="$(git -C "$PROJECT_DIR" rev-parse --short HEAD 2>/dev/null || echo "local")"
 TAG="${COMMIT_SHA}"
 SERVICES="api admin media-api nginx"
-INCLUDE_CODE_SERVER=false
 NO_PUSH=false
 DRY_RUN=false
 
@@ -52,7 +50,6 @@ run()     { if [[ "$DRY_RUN" == "true" ]]; then echo -e "${CYAN}[DRY-RUN]${NC} $
 while [[ $# -gt 0 ]]; do
   case "$1" in
     --services)          SERVICES="${2//,/ }"; shift 2 ;;
-    --include-code-server) INCLUDE_CODE_SERVER=true; shift ;;
     --no-push)           NO_PUSH=true; shift ;;
     --tag)               TAG="$2"; shift 2 ;;
     --registry)          REGISTRY="$2"; shift 2 ;;
@@ -64,11 +61,6 @@ while [[ $# -gt 0 ]]; do
   esac
 done
 
-# Add code-server if requested
-if [[ "$INCLUDE_CODE_SERVER" == "true" ]]; then
-  SERVICES="$SERVICES code-server"
-fi
-
 echo -e "${BOLD}Changemaker Lite — Build & Push${NC}"
 echo "  Registry:  $REGISTRY"
 echo "  Tag:       $TAG"
@@ -119,15 +111,6 @@ build_service() {
         --load \
         "${PROJECT_DIR}/nginx"
       ;;
-    code-server)
-      warn "Building code-server (~9GB) — this will take a while..."
-      run docker buildx build \
-        --file "${PROJECT_DIR}/Dockerfile.code-server" \
-        --tag "${image}" \
-        --tag "${image_latest}" \
-        --load \
-        "${PROJECT_DIR}"
-      ;;
     *)
       error "Unknown service: $svc"
       return 1

scripts/install.sh

@@ -256,7 +256,9 @@ if [[ "$START_SERVICES" =~ ^[Yy]$ ]]; then
   echo ""
   cd "$INSTALL_DIR"
 
-  if ! docker compose pull 2>&1; then
+  # --ignore-pull-failures: optional services may not have images in the
+  # registry yet — don't abort the whole install for those.
+  if ! docker compose pull --ignore-pull-failures 2>&1; then
     echo ""
     error "Failed to pull images from the registry."
     echo ""

scripts/upgrade.sh

@@ -21,7 +21,7 @@ MIN_DISK_MB=2048
 # Source-built containers (always rebuilt)
 SOURCE_CONTAINERS="api admin media-api"
 # Conditionally rebuilt if Dockerfile changed
-CONDITIONAL_CONTAINERS="nginx code-server"
+CONDITIONAL_CONTAINERS="nginx"
 # App containers stopped during upgrade
 APP_CONTAINERS="api admin media-api nginx"
 # Infrastructure containers (must stay up)
@@ -884,24 +884,6 @@ if [[ "$USE_REGISTRY" == "true" ]]; then
     fi
   fi
 
-  # code-server: pull from registry if available; never build during upgrade
-  # (code-server is 9GB+ and takes 30+ min to build — run build-and-push.sh separately)
-  CS_IMAGE="${REGISTRY}/changemaker-code-server"
-  if docker image inspect "${CS_IMAGE}:${REGISTRY_TAG}" &>/dev/null 2>&1; then
-    info "code-server:${REGISTRY_TAG} already present, skipping"
-  elif docker compose pull code-server 2>/dev/null; then
-    success "code-server pulled from registry"
-  else
-    # Try :latest, then retag any existing local image so compose up doesn't build
-    for fallback_tag in latest local; do
-      if docker image inspect "${CS_IMAGE}:${fallback_tag}" &>/dev/null 2>&1; then
-        docker tag "${CS_IMAGE}:${fallback_tag}" "${CS_IMAGE}:${REGISTRY_TAG}" 2>/dev/null || true
-        info "Tagged code-server:${fallback_tag} → :${REGISTRY_TAG}"
-        break
-      fi
-    done
-  fi
-
 else
   # --- Source build path (original behaviour) ---
   info "Rebuilding source containers: $SOURCE_CONTAINERS"
@@ -920,15 +902,6 @@ else
           info "nginx unchanged, skipping rebuild"
         fi
         ;;
-      code-server)
-        if echo "$CHANGED_FILES" | grep -q "^Dockerfile.code-server"; then
-          info "Rebuilding code-server (Dockerfile changed)..."
-          docker compose build code-server
-          success "code-server rebuilt"
-        else
-          info "code-server unchanged, skipping rebuild"
-        fi
-        ;;
     esac
   done
 fi