From 43cecab0f7f62f827f56b81bd4c7d49d62c955cb Mon Sep 17 00:00:00 2001 From: Joakim Persson Date: Fri, 17 Apr 2026 13:53:51 +0200 Subject: [PATCH] Add shared-machine multi-user setup with per-user isolation via SIGNUM For machines where multiple users share one OS account. Each user gets isolated containers, config, and named volumes by running docker compose from their own directory with a unique SIGNUM in .env. --- .env.shared.example | 27 +++++++++++++++++++++ README.md | 33 ++++++++++++++++++++++++++ docker-compose.shared.yml | 50 +++++++++++++++++++++++++++++++++++++++ 3 files changed, 110 insertions(+) create mode 100644 .env.shared.example create mode 100644 docker-compose.shared.yml diff --git a/.env.shared.example b/.env.shared.example new file mode 100644 index 0000000..ac090db --- /dev/null +++ b/.env.shared.example @@ -0,0 +1,27 @@ +# ── Shared machine setup ───────────────────────────────────────────── +# Your corporate signum / username (REQUIRED) +# This isolates your container, config, and data from other users. +SIGNUM=your-signum-here + +# ── Provider ───────────────────────────────────────────────────────── +OPENCODE_PROVIDER=amazon-bedrock +OPENCODE_MODEL=amazon-bedrock/eu.anthropic.claude-opus-4-6-v1 +AWS_REGION=eu-west-1 +AWS_PROFILE=default + +# ── Git ────────────────────────────────────────────────────────────── +GIT_USER_NAME=Your Name +GIT_USER_EMAIL=your.name@example.com + +# ── Paths (adjust to your layout) ─────────────────────────────────── +# Default: ~/src mounted as /workspace +# WORKSPACE_PATH=~/src + +# SSH keys — defaults to shared ~/.ssh +# If you have per-user keys: SSH_KEY_PATH=~//.ssh +# SSH_KEY_PATH=~/.ssh + +# ── Locale (defaults to en_US.UTF-8) ──────────────────────────────── +# LANG=sv_SE.UTF-8 +# LANGUAGE=sv_SE:sv +# LC_ALL=sv_SE.UTF-8 diff --git a/README.md b/README.md index 6266583..b6b5a06 100644 --- a/README.md +++ b/README.md 
@@ -271,6 +271,39 @@ volumes: - devbox-vscode:/home/developer/.vscode-server ``` +### Shared machine setup (multiple users, single OS account) + +For machines where multiple users share one OS account (e.g. a common `garage` user), a separate compose file isolates each user's config and data using a `SIGNUM` variable. + +Each user creates their own directory and setup: + +```bash +# Replace with your username/identifier +mkdir -p ~//opencode-devbox +cd ~//opencode-devbox + +# Copy the shared-machine compose and env files +cp /path/to/opencode-devbox/docker-compose.shared.yml docker-compose.yml +cp /path/to/opencode-devbox/.env.shared.example .env + +# Create per-user config directory +mkdir -p ~//.config/opencode + +# Edit .env with your signum, provider, keys, etc. +vim .env + +# Start +docker compose up -d +docker compose exec -u developer devbox- opencode +``` + +Each user's container, config, and named volumes are fully isolated: +- Container name: `devbox-` (no collisions) +- Named volumes: prefixed with the project directory name (automatic per-user isolation) +- Opencode config: `~//.config/opencode/` (per-user settings, OMOS config, etc.) + +See `docker-compose.shared.yml` and `.env.shared.example` for the full configuration. + ### Rebuilding the Image `docker compose run` and `docker compose up` use the existing image — they **do not rebuild** when you change the Dockerfile or build args (e.g. updating `OPENCODE_VERSION`). Rebuild explicitly: diff --git a/docker-compose.shared.yml b/docker-compose.shared.yml new file mode 100644 index 0000000..28d81d5 --- /dev/null +++ b/docker-compose.shared.yml 
@@ -0,0 +1,50 @@
+# opencode-devbox docker-compose for shared machines
+#
+# For machines where multiple users share one OS account (e.g. 'garage').
+# Each user gets isolated config, data, and named volumes by setting
+# SIGNUM in their .env file.
+#
+# Setup per user:
+# 1. mkdir -p ~//opencode-devbox && cd ~//opencode-devbox
+# 2. cp docker-compose.shared.yml docker-compose.yml
+# 3. cp .env.shared.example .env
+# 4. Edit .env with your signum, provider, keys, etc.
+# 5. mkdir -p ~//.config/opencode
+# 6. docker compose up -d
+#
+# Named volumes are automatically isolated per user because Docker Compose
+# prefixes them with the project directory name (e.g. opencode-devbox_devbox-data).
+# Since each user runs from ~//opencode-devbox/, volumes don't collide.
+
+services:
+ devbox:
+ image: joakimp/opencode-devbox:latest
+ container_name: devbox-${SIGNUM:?Set SIGNUM in .env}
+ stdin_open: true
+ tty: true
+ env_file:
+ - .env
+ environment:
+ - TERM=xterm-256color
+ volumes:
+ # Host workspace — user's project directory
+ - ${WORKSPACE_PATH:-~/src}:/workspace
+
+ # SSH keys — user-specific if available, else shared
+ - ${SSH_KEY_PATH:-~/.ssh}:/home/developer/.ssh:ro
+
+ # Opencode config — per-user (persists settings across restarts)
+ - ${HOME}/${SIGNUM}/.config/opencode:/home/developer/.config/opencode
+
+ # Persist opencode data (auth, memory, session history)
+ - devbox-data:/home/developer/.local/share/opencode
+
+ # Persist uv data (Python installs)
+ - devbox-uv:/home/developer/.local/share/uv
+
+ # Optional: AWS credentials (per-user if available)
+ # - ${HOME}/${SIGNUM}/.aws:/home/developer/.aws
+
+volumes:
+ devbox-data:
+ devbox-uv:
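Review bot: The named volumes `devbox-data` and `devbox-uv` are not isolated per user as the header comment (and the README hunk) claim: Compose derives the default project name from the project directory's basename, and the documented layout puts every user in a directory named `opencode-devbox`, so every user resolves to the same project and shares `opencode-devbox_devbox-data`, which per the comment holds opencode auth, memory and session history. With one shared project name Compose also treats another user's `devbox-<signum>` container as this project's `devbox` service and may stop or recreate it on `docker compose up`. Pin the project per user with a top-level `name: opencode-devbox-${SIGNUM:?Set SIGNUM in .env}` (or a `COMPOSE_PROJECT_NAME` entry in `.env.shared.example`), after which the volumes become `opencode-devbox-<signum>_devbox-data` and the header comment can describe that mechanism instead of the directory-prefix one. The header should also say that this is namespacing, not a security boundary: all users share one OS account and one Docker socket, so each user's container, the bind-mounted `~/.ssh` and the per-user config directory remain accessible to everyone on that account. Step 5 in the header is presumably required because a missing bind-mount source is created by the engine, usually root-owned, and the `developer` user in the container would then be unable to write its config — worth stating in the comment.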