diff --git a/.env.example b/.env.example index 3f585671..2594b3a9 100644 --- a/.env.example +++ b/.env.example @@ -237,8 +237,7 @@ MKDOCS_DOCS_PATH=/mkdocs/docs # --- Code Server --- CODE_SERVER_PORT=8888 -CODE_SERVER_URL=http://code-server:8080 -USER_NAME=coder +CODE_SERVER_URL=http://code-server-changemaker:8443 # --- Homepage --- HOMEPAGE_PORT=3010 diff --git a/api/src/config/env.ts b/api/src/config/env.ts index 2de77ff3..3a248814 100644 --- a/api/src/config/env.ts +++ b/api/src/config/env.ts @@ -195,7 +195,7 @@ const envSchema = z.object({ SMS_DEVICE_MONITOR_INTERVAL_MS: z.coerce.number().default(30000), // Docs / Code Server - CODE_SERVER_URL: z.string().default('http://code-server-changemaker:8080'), + CODE_SERVER_URL: z.string().default('http://code-server-changemaker:8443'), CODE_SERVER_PORT: z.coerce.number().default(8888), MKDOCS_PREVIEW_URL: z.string().default('http://mkdocs-changemaker:8000'), MKDOCS_PORT: z.coerce.number().default(4003), diff --git a/bunker-ops/roles/changemaker/templates/env.j2 b/bunker-ops/roles/changemaker/templates/env.j2 index 82b8df4a..8585224c 100644 --- a/bunker-ops/roles/changemaker/templates/env.j2 +++ b/bunker-ops/roles/changemaker/templates/env.j2 @@ -171,7 +171,7 @@ MEDIA_API_PORT={{ cml_media_api_port }} MEDIA_API_PUBLIC_URL=http://media-api:{{ cml_media_api_port }} # --- Docs / Code Server --- -CODE_SERVER_URL=http://code-server-changemaker:8080 +CODE_SERVER_URL=http://code-server-changemaker:8443 CODE_SERVER_PORT=8888 MKDOCS_PREVIEW_URL=http://mkdocs-changemaker:8000 MKDOCS_PORT=4003 diff --git a/changemaker-control-panel/templates/env.hbs b/changemaker-control-panel/templates/env.hbs index f62971dd..e463de61 100644 --- a/changemaker-control-panel/templates/env.hbs +++ b/changemaker-control-panel/templates/env.hbs 
@@ -252,8 +252,7 @@ MKDOCS_SITE_SERVER_PORT={{math ports.embed "+" 14}} MKDOCS_PREVIEW_URL=http://{{containerPrefix}}-mkdocs:8000 MKDOCS_DOCS_PATH=/mkdocs/docs CODE_SERVER_PORT={{math ports.embed "+" 7}} -CODE_SERVER_URL=http://{{containerPrefix}}-code-server:8080 -USER_NAME=coder +CODE_SERVER_URL=http://{{containerPrefix}}-code-server:8443 BASE_DOMAIN=https://{{domain}} # Gitea diff --git a/changemaker-control-panel/templates/nginx/conf.d/default.conf.hbs b/changemaker-control-panel/templates/nginx/conf.d/default.conf.hbs index c5e24d89..21ea25c7 100644 --- a/changemaker-control-panel/templates/nginx/conf.d/default.conf.hbs +++ b/changemaker-control-panel/templates/nginx/conf.d/default.conf.hbs @@ -345,7 +345,7 @@ server { server_name code.{{domain}}; location / { - set $upstream_code http://{{containerPrefix}}-code-server:8080; + set $upstream_code http://{{containerPrefix}}-code-server:8443; proxy_pass $upstream_code; proxy_http_version 1.1; proxy_set_header Host $host; diff --git a/changemaker-control-panel/templates/nginx/conf.d/services.conf.hbs b/changemaker-control-panel/templates/nginx/conf.d/services.conf.hbs index 1ff4627e..1c7eb583 100644 --- a/changemaker-control-panel/templates/nginx/conf.d/services.conf.hbs +++ b/changemaker-control-panel/templates/nginx/conf.d/services.conf.hbs @@ -120,7 +120,7 @@ server { server { listen 8888; location / { - set $upstream_code http://{{containerPrefix}}-code-server:8080; + set $upstream_code http://{{containerPrefix}}-code-server:8443; proxy_pass $upstream_code; proxy_hide_header X-Frame-Options; proxy_hide_header Content-Security-Policy; diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 6a08a266..e5e0ff1c 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml 
@@ -511,25 +511,25 @@ services: # PLATFORM SERVICES (kept from v1) # ========================================================================= - # Code Server — Browser IDE + # Code Server — Browser IDE (LinuxServer upstream, no custom build) code-server: - image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/changemaker-code-server:${IMAGE_TAG:-latest} + image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/code-server:latest container_name: code-server-changemaker - command: /home/coder/project environment: - - DOCKER_USER=${USER_NAME:-coder} - user: "${USER_ID:-1000}:${GROUP_ID:-1000}" + - PUID=${USER_ID:-1000} + - PGID=${GROUP_ID:-1000} + - TZ=${TZ:-UTC} + - DEFAULT_WORKSPACE=/config/workspace volumes: - - ./configs/code-server/.config:/home/coder/.config - - ./configs/code-server/.local:/home/coder/.local - - ./nginx:/home/coder/project/nginx - - ./configs:/home/coder/project/configs - - ./scripts:/home/coder/project/scripts - - ./mkdocs:/home/coder/project/mkdocs - - ./docker-compose.yml:/home/coder/project/docker-compose.yml + - ./configs/code-server:/config + - ./nginx:/config/workspace/nginx + - ./configs:/config/workspace/configs + - ./scripts:/config/workspace/scripts + - ./mkdocs:/config/workspace/mkdocs + - ./docker-compose.yml:/config/workspace/docker-compose.yml # NOTE: .env intentionally excluded — secrets must not be accessible via Code Server ports: - - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8080" + - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8443" restart: unless-stopped logging: *default-logging networks: diff --git a/docker-compose.yml b/docker-compose.yml index f3f79c52..7ad32191 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
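Review bot: The new `environment:` list for `code-server` sets only `PUID`, `PGID`, `TZ` and `DEFAULT_WORKSPACE`, with no `PASSWORD` or `HASHED_PASSWORD`; as far as I know the LinuxServer image then starts code-server with authentication disabled, whereas the previous image presumably took its password from the mounted `.config` directory. The port is published on 127.0.0.1 only, but the nginx templates in this commit proxy `code.{{domain}}` and port 8888 to the container with no auth step visible in those hunks, so whoever reaches the proxy may get an editor with read-write mounts of `./nginx`, `./scripts` and `docker-compose.yml`. I would add `- HASHED_PASSWORD=${CODE_SERVER_HASHED_PASSWORD:?set a code-server password hash}` to the list (the variable name is a suggestion), or add a comment stating which layer enforces login. The same block appears in the docker-compose.yml hunk.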
@@ -526,30 +526,27 @@ services: # PLATFORM SERVICES (kept from v1) # ========================================================================= - # Code Server — Browser IDE + # Code Server — Browser IDE (LinuxServer upstream, no custom build) code-server: - image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/changemaker-code-server:${IMAGE_TAG:-local} - build: - context: . - dockerfile: Dockerfile.code-server + image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/code-server:latest container_name: code-server-changemaker - command: /home/coder/project environment: - - DOCKER_USER=${USER_NAME:-coder} - user: "${USER_ID:-1000}:${GROUP_ID:-1000}" + - PUID=${USER_ID:-1000} + - PGID=${GROUP_ID:-1000} + - TZ=${TZ:-UTC} + - DEFAULT_WORKSPACE=/config/workspace volumes: - - ./configs/code-server/.config:/home/coder/.config - - ./configs/code-server/.local:/home/coder/.local - - ./api:/home/coder/project/api - - ./admin:/home/coder/project/admin - - ./nginx:/home/coder/project/nginx - - ./configs:/home/coder/project/configs - - ./scripts:/home/coder/project/scripts - - ./mkdocs:/home/coder/project/mkdocs - - ./docker-compose.yml:/home/coder/project/docker-compose.yml + - ./configs/code-server:/config + - ./api:/config/workspace/api + - ./admin:/config/workspace/admin + - ./nginx:/config/workspace/nginx + - ./configs:/config/workspace/configs + - ./scripts:/config/workspace/scripts + - ./mkdocs:/config/workspace/mkdocs + - ./docker-compose.yml:/config/workspace/docker-compose.yml # NOTE: .env intentionally excluded — secrets must not be accessible via Code Server ports: - - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8080" + - "127.0.0.1:${CODE_SERVER_PORT:-8888}:8443" restart: unless-stopped logging: *default-logging networks: diff --git a/mkdocs/docs/docs/getting-started/environment-variables.md b/mkdocs/docs/docs/getting-started/environment-variables.md index 336f0892..d9679d9c 100644 --- a/mkdocs/docs/docs/getting-started/environment-variables.md 
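Review bot: The `image:` line now ends in a hard-coded `:latest`, so `IMAGE_TAG` no longer selects what runs and each `docker compose pull` takes whatever the registry mirror holds at that moment; the docker-compose.prod.yml hunk has the same line. For a container that mounts `./api`, `./admin`, `./scripts` and `docker-compose.yml` read-write, a pinned version or digest makes image updates deliberate and reviewable. I would write `image: ${GITEA_REGISTRY:-gitea.bnkops.com/admin}/code-server:${CODE_SERVER_TAG:-<pinned-version>}` (variable name and tag are placeholders) and add a comment naming the upstream release the mirror tracks.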
+++ b/mkdocs/docs/docs/getting-started/environment-variables.md @@ -315,8 +315,7 @@ Self-hosted Git repository. Optional service. | Variable | Default | Description | |----------|---------|-------------| | `CODE_SERVER_PORT` | `8888` | Code Server web UI port. | -| `CODE_SERVER_URL` | `http://code-server:8080` | Internal container URL. | -| `USER_NAME` | `coder` | User account inside the Code Server container. | +| `CODE_SERVER_URL` | `http://code-server-changemaker:8443` | Internal container URL. | --- diff --git a/nginx/conf.d/services.conf.template b/nginx/conf.d/services.conf.template index f88b78df..e1c1e70a 100644 --- a/nginx/conf.d/services.conf.template +++ b/nginx/conf.d/services.conf.template @@ -114,7 +114,7 @@ server { add_header Content-Security-Policy "frame-ancestors 'self' app.${DOMAIN}" always; location / { - set $upstream_code http://code-server-changemaker:8080; + set $upstream_code http://code-server-changemaker:8443; proxy_pass $upstream_code; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; diff --git a/scripts/build-and-push.sh b/scripts/build-and-push.sh index 7d391061..655a6753 100755 --- a/scripts/build-and-push.sh +++ b/scripts/build-and-push.sh @@ -10,7 +10,6 @@ # Options: # --services a,b,c Comma-separated list of services to build # (default: api admin media-api nginx) -# --include-code-server Also build and push code-server (~9GB, slow) # --no-push Build only, skip push (verify builds work) # --tag TAG Override commit SHA tag (default: git rev-parse --short HEAD) # --registry URL Override registry (default: gitea.bnkops.com/admin) @@ -30,7 +29,6 @@ REGISTRY="${GITEA_REGISTRY:-gitea.bnkops.com/admin}" COMMIT_SHA="$(git -C "$PROJECT_DIR" rev-parse --short HEAD 2>/dev/null || echo "local")" TAG="${COMMIT_SHA}" SERVICES="api admin media-api nginx" -INCLUDE_CODE_SERVER=false NO_PUSH=false DRY_RUN=false 
@@ -52,7 +50,6 @@ run() { if [[ "$DRY_RUN" == "true" ]]; then echo -e "${CYAN}[DRY-RUN]${NC} $ while [[ $# -gt 0 ]]; do case "$1" in --services) SERVICES="${2//,/ }"; shift 2 ;; - --include-code-server) INCLUDE_CODE_SERVER=true; shift ;; --no-push) NO_PUSH=true; shift ;; --tag) TAG="$2"; shift 2 ;; --registry) REGISTRY="$2"; shift 2 ;; @@ -64,11 +61,6 @@ while [[ $# -gt 0 ]]; do esac done -# Add code-server if requested -if [[ "$INCLUDE_CODE_SERVER" == "true" ]]; then - SERVICES="$SERVICES code-server" -fi - echo -e "${BOLD}Changemaker Lite — Build & Push${NC}" echo " Registry: $REGISTRY" echo " Tag: $TAG" @@ -119,15 +111,6 @@ build_service() { --load \ "${PROJECT_DIR}/nginx" ;; - code-server) - warn "Building code-server (~9GB) — this will take a while..." - run docker buildx build \ - --file "${PROJECT_DIR}/Dockerfile.code-server" \ - --tag "${image}" \ - --tag "${image_latest}" \ - --load \ - "${PROJECT_DIR}" - ;; *) error "Unknown service: $svc" return 1 diff --git a/scripts/install.sh b/scripts/install.sh index 765a453e..120236c6 100755 --- a/scripts/install.sh +++ b/scripts/install.sh @@ -256,7 +256,9 @@ if [[ "$START_SERVICES" =~ ^[Yy]$ ]]; then echo "" cd "$INSTALL_DIR" - if ! docker compose pull 2>&1; then + # --ignore-pull-failures: optional services may not have images in the + # registry yet — don't abort the whole install for those. + if ! docker compose pull --ignore-pull-failures 2>&1; then echo "" error "Failed to pull images from the registry." echo "" diff --git a/scripts/upgrade.sh b/scripts/upgrade.sh index b20c2cb3..826d72ae 100755 --- a/scripts/upgrade.sh +++ b/scripts/upgrade.sh @@ -21,7 +21,7 @@ MIN_DISK_MB=2048 # Source-built containers (always rebuilt) SOURCE_CONTAINERS="api admin media-api" # Conditionally rebuilt if Dockerfile changed -CONDITIONAL_CONTAINERS="nginx code-server" +CONDITIONAL_CONTAINERS="nginx" # App containers stopped during upgrade APP_CONTAINERS="api admin media-api nginx" # Infrastructure containers (must stay up) 
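Review bot: In the scripts/install.sh hunk, `--ignore-pull-failures` applies to every service, not only the optional ones the new comment mentions, and as far as I know `docker compose pull` then exits 0 even when a required image is missing, so the `error "Failed to pull images from the registry."` branch no longer catches a failed pull of the core images. The install may then continue on stale local images without any warning. I would pull the required services strictly and be lenient only for the rest, e.g. `if ! docker compose pull api admin media-api nginx 2>&1; then` for the existing check and `docker compose pull --ignore-pull-failures 2>&1 || true` after its `fi`; the service list is taken from build-and-push.sh's default and should be checked against what install.sh actually starts. The enclosing `if [[ "$START_SERVICES" ... ]]` block begins and ends outside the hunk.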
@@ -884,24 +884,6 @@ if [[ "$USE_REGISTRY" == "true" ]]; then fi fi - # code-server: pull from registry if available; never build during upgrade - # (code-server is 9GB+ and takes 30+ min to build — run build-and-push.sh separately) - CS_IMAGE="${REGISTRY}/changemaker-code-server" - if docker image inspect "${CS_IMAGE}:${REGISTRY_TAG}" &>/dev/null 2>&1; then - info "code-server:${REGISTRY_TAG} already present, skipping" - elif docker compose pull code-server 2>/dev/null; then - success "code-server pulled from registry" - else - # Try :latest, then retag any existing local image so compose up doesn't build - for fallback_tag in latest local; do - if docker image inspect "${CS_IMAGE}:${fallback_tag}" &>/dev/null 2>&1; then - docker tag "${CS_IMAGE}:${fallback_tag}" "${CS_IMAGE}:${REGISTRY_TAG}" 2>/dev/null || true - info "Tagged code-server:${fallback_tag} → :${REGISTRY_TAG}" - break - fi - done - fi - else # --- Source build path (original behaviour) --- info "Rebuilding source containers: $SOURCE_CONTAINERS" @@ -920,15 +902,6 @@ else info "nginx unchanged, skipping rebuild" fi ;; - code-server) - if echo "$CHANGED_FILES" | grep -q "^Dockerfile.code-server"; then - info "Rebuilding code-server (Dockerfile changed)..." - docker compose build code-server - success "code-server rebuilt" - else - info "code-server unchanged, skipping rebuild" - fi - ;; esac done fi