Bump opencode to v1.14.19

setup-host.sh now detects OpenStack via metadata endpoint and skips ufw.
New setup-openstack-secgroup.sh creates the required security group with
SSH, mosh, and ICMP rules via the OpenStack CLI.

.env.shared.example

@@ -0,0 +1,27 @@
+# ── Shared machine setup ─────────────────────────────────────────────
+# Your corporate signum / username (REQUIRED)
+# This isolates your container, config, and data from other users.
+SIGNUM=your-signum-here
+
+# ── Provider ─────────────────────────────────────────────────────────
+OPENCODE_PROVIDER=amazon-bedrock
+OPENCODE_MODEL=amazon-bedrock/eu.anthropic.claude-opus-4-6-v1
+AWS_REGION=eu-west-1
+AWS_PROFILE=default
+
+# ── Git ──────────────────────────────────────────────────────────────
+GIT_USER_NAME=Your Name
+GIT_USER_EMAIL=your.name@example.com
+
+# ── Paths (adjust to your layout) ───────────────────────────────────
+# Default: ~/src mounted as /workspace
+# WORKSPACE_PATH=~/src
+
+# SSH keys — defaults to shared ~/.ssh
+# If you have per-user keys: SSH_KEY_PATH=~/<signum>/.ssh
+# SSH_KEY_PATH=~/.ssh
+
+# ── Locale (defaults to en_US.UTF-8) ────────────────────────────────
+# LANG=sv_SE.UTF-8
+# LANGUAGE=sv_SE:sv
+# LC_ALL=sv_SE.UTF-8

DOCKER_HUB.md

@@ -125,7 +125,9 @@ The container defaults to English (`en_US.UTF-8`) and neovim as the editor. Over
 | `LC_ALL` | Override all locale settings | `en_US.UTF-8` |
 | `EDITOR` | Default text editor | `nvim` |
 
-All common UTF-8 locales are pre-generated in the image. Example for Swedish:
+Pre-generated locales: `en_US`, `en_GB`, `sv_SE`, `da_DK`, `nb_NO`, `fi_FI`, `de_DE`, `fr_FR`, `es_ES`, `it_IT`, `pt_BR`, `nl_NL`, `pl_PL`, `ja_JP`, `ko_KR`, `zh_CN` (all UTF-8).
+
+Example for Swedish:
 
 ```bash
 LANG=sv_SE.UTF-8
@@ -133,6 +135,15 @@ LANGUAGE=sv_SE:sv
 LC_ALL=sv_SE.UTF-8
 ```
 
+To add a locale not in the list, run inside the container:
+
+```bash
+sudo sed -i '/xx_XX.UTF-8/s/^# //g' /etc/locale.gen
+sudo locale-gen
+```
+
+Replace `xx_XX` with the desired locale (e.g. `ru_RU`, `tr_TR`). This change does not persist across container restarts — for permanent additions, build from source and modify the Dockerfile.
+
 ## Initial Setup
 
 ### 1. Create host directories
@@ -389,6 +400,7 @@ services:
     image: joakimp/opencode-devbox:latest
     # For multi-agent orchestration, use the omos variant instead:
     # image: joakimp/opencode-devbox:latest-omos
+    container_name: opencode-devbox
     stdin_open: true
     tty: true
     env_file:
@@ -399,8 +411,7 @@ services:
       - ~/projects:/workspace
       - ~/.ssh:/home/developer/.ssh:ro
       - devbox-data:/home/developer/.local/share/opencode
-      # Optional: persist Python/uv installs across restarts
-      # - devbox-uv:/home/developer/.local/share/uv
+      - devbox-uv:/home/developer/.local/share/uv
       # Optional: persist Rust toolchains and cargo data
       # - devbox-rustup:/home/developer/.rustup
       # - devbox-cargo:/home/developer/.cargo
@@ -417,7 +428,7 @@ services:
 
 volumes:
   devbox-data:
-  # devbox-uv:
+  devbox-uv:
   # devbox-rustup:
   # devbox-cargo:
   # devbox-vscode:
@@ -454,7 +465,7 @@ docker compose run --rm devbox bash   # interactive shell
 - **opencode** — AI coding assistant
 - **Node.js 22** — for npx-based MCP servers
 - **AWS CLI v2** — SSO and Bedrock authentication
-- **Dev tools** — git, git-lfs, ssh, ripgrep, fd, fzf, bat, eza, zoxide, uv, rustup, jq, make, curl, wget, neovim 0.12, tmux, htop, tree
+- **Dev tools** — git, git-lfs, git-crypt, age, ssh, ripgrep, fd, fzf, bat, eza, zoxide, uv, rustup, jq, make, gcc, g++, curl, wget, neovim 0.12, tmux, htop, tree
 - **Non-root user** — runs as `developer` with UID auto-matched to workspace owner (sudo available)
 
 ### OMOS image (`latest-omos`)

Dockerfile

@@ -5,7 +5,7 @@ ARG DEBIAN_VERSION=trixie-slim
 FROM debian:${DEBIAN_VERSION} AS base
 
 ARG TARGETARCH
-ARG OPENCODE_VERSION=1.4.6
+ARG OPENCODE_VERSION=1.14.19
 
 LABEL maintainer="joakimp"
 LABEL description="Portable opencode developer container"
@@ -32,10 +32,15 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     make \
     patch \
     diffutils \
+    git-crypt \
+    age \
+    file \
     sudo \
     locales \
     procps \
     unzip \
+    gcc \
+    g++ \
     && ln -s /usr/bin/fdfind /usr/local/bin/fd \
     && rm -rf /var/lib/apt/lists/*
 
@@ -71,7 +76,7 @@ RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "arm64" ;
     nvim --version | head -1
 
 # bat — syntax-highlighted cat replacement
-ARG BAT_VERSION=0.25.0
+ARG BAT_VERSION=0.26.1
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
     curl -fsSL "https://github.com/sharkdp/bat/releases/download/v${BAT_VERSION}/bat-v${BAT_VERSION}-${ARCH}-unknown-linux-musl.tar.gz" | tar -xz -C /tmp && \
     install /tmp/bat-v${BAT_VERSION}-${ARCH}-unknown-linux-musl/bat /usr/local/bin/bat && \
@@ -91,7 +96,7 @@ RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64"
     zoxide --version
 
 # uv — fast Python package manager (replaces pip, venv, pyenv)
-ARG UV_VERSION=0.11.6
+ARG UV_VERSION=0.11.7
 RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64" ;; *) echo "x86_64" ;; esac) && \
     curl -fsSL "https://github.com/astral-sh/uv/releases/download/${UV_VERSION}/uv-${ARCH}-unknown-linux-musl.tar.gz" | tar -xz -C /tmp && \
     install /tmp/uv-${ARCH}-unknown-linux-musl/uv /usr/local/bin/uv && \
@@ -108,7 +113,8 @@ RUN ARCH=$(case "${TARGETARCH}" in amd64) echo "x86_64" ;; arm64) echo "aarch64"
     chmod +x /usr/local/bin/rustup-init
 
 # Set locale — generate common UTF-8 locales (override via LANG/LC_ALL env vars)
-RUN sed -i '/\.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
+# To add more locales, run: sudo sed -i '/<locale>.UTF-8/s/^# //g' /etc/locale.gen && sudo locale-gen
+RUN sed -i -E '/(en_US|en_GB|sv_SE|da_DK|nb_NO|fi_FI|de_DE|fr_FR|es_ES|it_IT|pt_BR|nl_NL|pl_PL|ja_JP|ko_KR|zh_CN)\.UTF-8/s/^# //g' /etc/locale.gen && locale-gen
 ENV LANG=en_US.UTF-8
 ENV LANGUAGE=en_US:en
 ENV LC_ALL=en_US.UTF-8
@@ -148,7 +154,7 @@ RUN if [ "${INSTALL_PYTHON}" = "true" ]; then \
 
 # ── Optional: Go ─────────────────────────────────────────────────────
 ARG INSTALL_GO=false
-ARG GO_VERSION=1.23.4
+ARG GO_VERSION=1.26.2
 RUN if [ "${INSTALL_GO}" = "true" ]; then \
       GOARCH=$(case "${TARGETARCH}" in amd64) echo "amd64" ;; arm64) echo "arm64" ;; *) echo "amd64" ;; esac) && \
       curl -fsSL "https://go.dev/dl/go${GO_VERSION}.linux-${GOARCH}.tar.gz" | tar -C /usr/local -xz && \
@@ -159,10 +165,22 @@ RUN if [ "${INSTALL_GO}" = "true" ]; then \
 # ── Optional: oh-my-opencode-slim (multi-agent orchestration) ────────
 # Installs Bun runtime and the oh-my-opencode-slim npm package.
 # Runtime activation is controlled by ENABLE_OMOS env var in entrypoint.
+# Uses the baseline Bun build (SSE4.2 only) for compatibility with older
+# CPUs that lack AVX2 (e.g. Sandy Bridge on OpenStack).
 ARG INSTALL_OMOS=false
 ARG OMOS_VERSION=latest
 RUN if [ "${INSTALL_OMOS}" = "true" ]; then \
-      curl -fsSL https://bun.sh/install | BUN_INSTALL=/usr/local bash && \
+      ARCH=$(uname -m) && \
+      if [ "$ARCH" = "x86_64" ]; then \
+        BUN_ARCH="x64-baseline"; \
+      elif [ "$ARCH" = "aarch64" ]; then \
+        BUN_ARCH="aarch64"; \
+      fi && \
+      curl -fsSL "https://github.com/oven-sh/bun/releases/latest/download/bun-linux-${BUN_ARCH}.zip" -o /tmp/bun.zip && \
+      unzip -o /tmp/bun.zip -d /tmp/bun && \
+      mv /tmp/bun/bun-linux-${BUN_ARCH}/bun /usr/local/bin/bun && \
+      chmod +x /usr/local/bin/bun && \
+      rm -rf /tmp/bun /tmp/bun.zip && \
       bun --version && \
       npm install -g oh-my-opencode-slim@${OMOS_VERSION}; \
     fi

README.md

@@ -271,6 +271,39 @@ volumes:
   - devbox-vscode:/home/developer/.vscode-server
 ```
 
+### Shared machine setup (multiple users, single OS account)
+
+For machines where multiple users share one OS account (e.g. a common `garage` user), a separate compose file isolates each user's config and data using a `SIGNUM` variable.
+
+Each user creates their own directory and setup:
+
+```bash
+# Replace <signum> with your username/identifier
+mkdir -p ~/<signum>/opencode-devbox
+cd ~/<signum>/opencode-devbox
+
+# Copy the shared-machine compose and env files
+cp /path/to/opencode-devbox/docker-compose.shared.yml docker-compose.yml
+cp /path/to/opencode-devbox/.env.shared.example .env
+
+# Create per-user config directory
+mkdir -p ~/<signum>/.config/opencode
+
+# Edit .env with your signum, provider, keys, etc.
+vim .env
+
+# Start
+docker compose up -d
+docker compose exec -u developer devbox-<signum> opencode
+```
+
+Each user's container, config, and named volumes are fully isolated:
+- Container name: `devbox-<signum>` (no collisions)
+- Named volumes: prefixed with the project directory name (automatic per-user isolation)
+- Opencode config: `~/<signum>/.config/opencode/` (per-user settings, OMOS config, etc.)
+
+See `docker-compose.shared.yml` and `.env.shared.example` for the full configuration.
+
 ### Rebuilding the Image
 
 `docker compose run` and `docker compose up` use the existing image — they **do not rebuild** when you change the Dockerfile or build args (e.g. updating `OPENCODE_VERSION`). Rebuild explicitly:
@@ -444,8 +477,8 @@ Container (Debian trixie)
 ├── opencode binary
 ├── oh-my-opencode-slim (optional — multi-agent orchestration plugin, includes Bun)
 ├── AWS CLI v2 (SSO + Bedrock auth)
-├── neovim 0.12, tmux, htop, bat, eza, zoxide, uv, rustup, make
-├── git, ssh, ripgrep, fd, fzf, jq, curl, tree
+├── neovim 0.12, tmux, htop, bat, eza, zoxide, uv, rustup, make, gcc, g++
+├── git, git-crypt, age, ssh, ripgrep, fd, fzf, jq, curl, tree
 ├── Node.js (for MCP servers)
 ├── Bun (optional — included with oh-my-opencode-slim)
 ├── entrypoint.sh (UID adjustment, git config, provider setup)

check-versions.sh

@@ -0,0 +1,66 @@
+#!/bin/bash
+# check-versions.sh — Compare pinned versions in Dockerfile against latest releases
+# Run before tagging a release to see what can be bumped.
+set -euo pipefail
+
+BOLD="\033[1m"; DIM="\033[2m"; GREEN="\033[32m"; YELLOW="\033[33m"; RESET="\033[0m"
+
+DOCKERFILE="${1:-Dockerfile}"
+
+if [[ ! -f "$DOCKERFILE" ]]; then
+  echo "Usage: $0 [Dockerfile]"
+  exit 1
+fi
+
+get_pinned() {
+  grep "^ARG $1=" "$DOCKERFILE" | head -1 | cut -d= -f2
+}
+
+get_latest_github() {
+  local repo="$1"
+  local tag
+  tag=$(curl -s "https://api.github.com/repos/${repo}/releases/latest" | jq -r '.tag_name // empty')
+  # Strip leading 'v' if present
+  echo "${tag#v}"
+}
+
+get_latest_go() {
+  curl -s "https://go.dev/dl/?mode=json" | jq -r '.[0].version' | sed 's/^go//'
+}
+
+get_latest_npm() {
+  npm view "$1" version 2>/dev/null
+}
+
+check() {
+  local name="$1" current="$2" latest="$3"
+  if [[ -z "$latest" ]]; then
+    printf "  ${DIM}%-20s %-12s  (could not check)${RESET}\n" "$name" "$current"
+  elif [[ "$current" == "$latest" ]]; then
+    printf "  ${GREEN}%-20s %-12s  ✓ up to date${RESET}\n" "$name" "$current"
+  else
+    printf "  ${YELLOW}${BOLD}%-20s %-12s  → %s available${RESET}\n" "$name" "$current" "$latest"
+  fi
+}
+
+echo ""
+echo -e "${BOLD}Version check for $DOCKERFILE${RESET}"
+echo ""
+
+# GitHub-sourced binaries
+check "opencode"  "$(get_pinned OPENCODE_VERSION)" "$(get_latest_npm opencode-ai)"
+check "gosu"      "$(get_pinned GOSU_VERSION)"      "$(get_latest_github tianon/gosu)"
+check "fzf"       "$(get_pinned FZF_VERSION)"        "$(get_latest_github junegunn/fzf)"
+check "git-lfs"   "$(get_pinned GIT_LFS_VERSION)"    "$(get_latest_github git-lfs/git-lfs)"
+check "neovim"    "$(get_pinned NVIM_VERSION)"        "$(get_latest_github neovim/neovim)"
+check "bat"       "$(get_pinned BAT_VERSION)"         "$(get_latest_github sharkdp/bat)"
+check "eza"       "$(get_pinned EZA_VERSION)"         "$(get_latest_github eza-community/eza)"
+check "zoxide"    "$(get_pinned ZOXIDE_VERSION)"      "$(get_latest_github ajeetdsouza/zoxide)"
+check "uv"        "$(get_pinned UV_VERSION)"          "$(get_latest_github astral-sh/uv)"
+check "Go (opt)"  "$(get_pinned GO_VERSION)"          "$(get_latest_go)"
+
+echo ""
+echo -e "${DIM}Node.js uses major version ($(get_pinned NODE_VERSION)) — auto-updates via nodesource.${RESET}"
+echo -e "${DIM}rustup-init uses latest from static.rust-lang.org — no pinned version.${RESET}"
+echo -e "${DIM}Debian apt packages update on each build via apt-get update.${RESET}"
+echo ""

deploy/README.md

@@ -0,0 +1,199 @@
+# Deploy — Host VM setup
+
+Scripts for setting up a fresh Linux VM to host opencode-devbox.
+
+## Files
+
+- **`cloud-init.yml`** — cloud-init user-data template for automated VM provisioning on OpenStack, Proxmox, or any cloud with cloud-init support
+- **`setup-host.sh`** — interactive post-install script for VMs that weren't provisioned with cloud-init
+- **`setup-openstack-secgroup.sh`** — creates an OpenStack security group with the right rules (SSH, mosh, ICMP)
+- **`sync-to-vm.sh`** — syncs local config directories (`~/.aws`, `~/.config/opencode`, etc.) to a remote VM based on which bind mounts are active in its `docker-compose.yml`
+
+## Supported distributions
+
+- **Debian 13 (Trixie)** — recommended (matches opencode-devbox base image)
+- **Ubuntu 24.04 LTS** — also works
+
+Other distributions will need manual adaptation.
+
+## Quick start
+
+### Option 1: Cloud-init (automated)
+
+Customize `cloud-init.yml` — replace the SSH public key and optionally the hostname/timezone. Then use it during VM creation:
+
+- **Proxmox**: attach as cloud-init user-data
+- **OpenStack**: pass via `--user-data` flag (see full example below)
+- **AWS/DigitalOcean/etc**: paste into the "user data" field
+
+#### Full OpenStack example
+
+Cloud-init only handles guest configuration — flavor, image, network, and security group must be specified explicitly at creation time.
+
+> **Note:** Do not use `--key-name` — the SSH key is configured in `cloud-init.yml` under `ssh_authorized_keys` for the `devbox` user. The `--key-name` flag injects into the image's default user (e.g. `debian`), not the `devbox` user created by cloud-init.
+
+```bash
+# List available flavors to choose appropriate sizing
+openstack flavor list
+
+# Create the security group first (one-time, see below)
+./setup-openstack-secgroup.sh
+
+# Basic — boot from default storage
+openstack server create \
+  --flavor c4m8 \
+  --image Debian-13-Trixie \
+  --network my-network \
+  --security-group opencode-devbox \
+  --user-data cloud-init.yml \
+  devbox-vm
+```
+
+If your cloud offers NVMe-backed (performance) volumes, boot from one for faster Docker and build I/O:
+
+```bash
+# Performance — boot from NVMe volume (40GB, preserved on instance deletion)
+openstack server create \
+  --flavor c4m8 \
+  --network my-network \
+  --security-group opencode-devbox \
+  --user-data cloud-init.yml \
+  --block-device source_type=image,uuid=$(openstack image show Debian-13-Trixie -f value -c id),destination_type=volume,volume_size=40,delete_on_termination=false,boot_index=0,volume_type=performance \
+  devbox-vm
+```
+
+> **Note:** The inline `volume_type` parameter requires API microversion 2.67+. If the server goes to ERROR state, check your volume quota (`openstack quota show`) and try creating the volume separately:
+> ```bash
+> openstack volume create --image Debian-13-Trixie --size 40 --type performance --bootable devbox-boot-volume
+> openstack server create --flavor c4m8 --volume devbox-boot-volume --network my-network --security-group opencode-devbox --user-data cloud-init.yml devbox-vm
+> ```
+
+#### Floating IP
+
+OpenStack doesn't support assigning a floating IP at instance creation time — it's a separate step after the VM is active:
+
+```bash
+# Allocate a new floating IP from the external network
+openstack floating ip create <external-network>
+
+# Assign it to the VM
+openstack server add floating ip devbox-vm <floating-ip>
+```
+
+To find your external network name: `openstack network list --external`. If you already have an unassigned floating IP, skip the create step.
+
+The VM boots with Docker installed, firewall configured (or skipped on OpenStack), and your SSH key authorized. Log in as the `devbox` user.
+
+### Console password (optional)
+
+The cloud-init template uses SSH key authentication only — no password is set by default. This is sufficient for normal use since the `devbox` user has passwordless `sudo`.
+
+A password is only needed for:
+
+- **Emergency console access** — logging in via OpenStack Horizon console (noVNC) or Proxmox VNC when SSH is unreachable
+- **`su - devbox`** — switching to the devbox user from another account
+
+To enable console access, uncomment the `chpasswd` block in `cloud-init.yml` before deploying:
+
+```yaml
+chpasswd:
+  expire: false
+  users:
+    - name: devbox
+      password: your-password-here
+      type: text
+```
+
+For an already-running VM, set a password via SSH:
+
+```bash
+sudo passwd devbox
+```
+
+### Option 2: Post-install script (manual)
+
+On a fresh Debian/Ubuntu VM:
+
+```bash
+curl -fsSL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/deploy/setup-host.sh | bash
+```
+
+Or clone and run:
+
+```bash
+git clone https://gitea.jordbo.se/joakimp/opencode-devbox
+cd opencode-devbox/deploy
+./setup-host.sh
+```
+
+## What gets installed
+
+- Docker Engine (from Docker's official apt repo, not distro's `docker.io`)
+- Docker Compose plugin (v2)
+- `tmux`, `mosh`, `git`
+- `ufw` firewall with SSH (22) and mosh (UDP 60000-61000) allowed — **skipped on OpenStack** (detected automatically; use security groups instead)
+- IPv4 DNS preference (works around Docker Hub IPv6 connectivity issues)
+
+## OpenStack security groups
+
+On OpenStack, firewalling is handled by security groups rather than ufw. The `setup-host.sh` script detects OpenStack automatically and skips ufw configuration.
+
+To create the required security group:
+
+```bash
+./setup-openstack-secgroup.sh
+```
+
+This creates a security group named `opencode-devbox` with rules for SSH (TCP 22), mosh (UDP 60000-61000), and ICMP. Apply it to your instance:
+
+```bash
+# New instance
+openstack server create --security-group opencode-devbox ...
+
+# Existing instance
+openstack server add security group <instance-name> opencode-devbox
+```
+
+## VM sizing recommendations
+
+| Use case | vCPU | RAM | Disk |
+|---|---|---|---|
+| Minimum | 2 | 4 GB | 20 GB |
+| Recommended | 4 | 8 GB | 40 GB |
+| Heavy use (Rust/Python builds, multi-project) | 8 | 16 GB | 80 GB |
+
+## After VM setup
+
+If you uncomment any bind mounts in `docker-compose.yml` (e.g. `~/.aws`, `~/.config/opencode`), create the directories first — Docker creates missing bind mount paths as root-owned, which causes permission issues:
+
+```bash
+# Only create directories for mounts you uncomment
+mkdir -p ~/.aws                  # AWS Bedrock SSO
+mkdir -p ~/.config/opencode      # persistent opencode config
+mkdir -p ~/.config/nvim          # custom neovim config
+mkdir -p ~/.agents/skills        # opencode agent skills
+```
+
+Named volumes (`devbox-data`, `devbox-uv`, etc.) are managed by Docker and need no pre-creation.
+
+```bash
+mkdir -p ~/opencode-devbox && cd ~/opencode-devbox
+curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/docker-compose.yml -o docker-compose.yml
+curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/.env.example -o .env
+vim .env                                           # configure provider and keys
+vim docker-compose.yml                             # uncomment optional volume mounts
+docker compose up -d
+docker compose exec -u developer devbox opencode
+```
+
+> **AWS Bedrock users:** Uncomment the `~/.aws` volume mount in `docker-compose.yml` before starting. You'll also need to copy your `~/.aws/config` from a machine where SSO is already configured, then authenticate inside the container with `aws sso login`.
+
+### Syncing local config to the VM
+
+After editing `docker-compose.yml` on the VM to uncomment the bind mounts you need, run `sync-to-vm.sh` from your local machine to copy the corresponding directories:
+
+```bash
+./deploy/sync-to-vm.sh devbox-affection
+```
+
+The script reads `docker-compose.yml` on the remote VM, detects which bind mounts are active, and syncs only those directories from your local machine. It also creates the remote directories if they don't exist.

deploy/cloud-init.yml

@@ -0,0 +1,110 @@
+#cloud-config
+# cloud-init template for opencode-devbox host VM
+# Tested on Debian 13 (Trixie) and Ubuntu 24.04
+#
+# Usage:
+#   - Proxmox: attach this file as cloud-init user-data in VM config
+#   - OpenStack: pass as --user-data when creating the instance
+#   - Cloud providers: paste into "user data" field
+#
+# Customize the marked sections before use.
+
+# ── Hostname ─────────────────────────────────────────────────────────
+hostname: devbox
+manage_etc_hosts: true
+
+# ── User ─────────────────────────────────────────────────────────────
+users:
+  - name: devbox
+    groups: sudo, docker
+    shell: /bin/bash
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    ssh_authorized_keys:
+      # CUSTOMIZE: replace with your public SSH key.
+      # This is the only SSH key config needed — do NOT use --key-name with
+      # openstack server create, as that injects into the image's default
+      # user (e.g. debian), not the devbox user defined here.
+      - ssh-ed25519 AAAA... your-key-here
+
+# ── Optional: console password ───────────────────────────────────────
+# Uncomment to set a password for the devbox user. Only needed for
+# emergency access via the OpenStack/Proxmox console (VNC/noVNC).
+# SSH key authentication is used for normal access.
+#
+# chpasswd:
+#   expire: false
+#   users:
+#     - name: devbox
+#       password: your-password-here
+#       type: text
+
+# ── Locale and timezone ──────────────────────────────────────────────
+# en_US.UTF-8 is pre-generated on Debian/Ubuntu and works out of the box.
+# To use a different locale (e.g. sv_SE.UTF-8), add it to the runcmd
+# section before the locale is applied:
+#   - locale-gen sv_SE.UTF-8
+# Then change the locale line below to match.
+locale: en_US.UTF-8
+timezone: Europe/Stockholm
+
+# ── Package installation ─────────────────────────────────────────────
+package_update: true
+package_upgrade: true
+packages:
+  - ca-certificates
+  - curl
+  - gnupg
+  - git
+  - tmux
+  - mosh
+  - rsync
+  - fzf
+  - ripgrep
+  - ufw
+
+# ── Commands to run at first boot ────────────────────────────────────
+runcmd:
+  # Install Docker from official repository
+  - install -m 0755 -d /etc/apt/keyrings
+  - curl -fsSL https://download.docker.com/linux/$(. /etc/os-release && echo "$ID")/gpg -o /etc/apt/keyrings/docker.asc
+  - chmod a+r /etc/apt/keyrings/docker.asc
+  - echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/$(. /etc/os-release && echo \"$ID\") $(. /etc/os-release && echo \"$VERSION_CODENAME\") stable" > /etc/apt/sources.list.d/docker.list
+  - apt-get update
+  - apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+  - usermod -aG docker devbox
+
+  # Firewall — skip on OpenStack (use security groups instead)
+  - |
+    if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ >/dev/null 2>&1; then
+      echo "OpenStack detected — skipping ufw (use security groups instead)"
+    else
+      ufw default deny incoming
+      ufw default allow outgoing
+      ufw allow ssh
+      ufw allow 60000:61000/udp
+      ufw --force enable
+    fi
+
+  # Disable IPv6 preference for Docker (avoids intermittent Docker Hub connectivity issues)
+  - echo 'precedence ::ffff:0:0/96  100' >> /etc/gai.conf
+
+  # Create projects directory for the user
+  - mkdir -p /home/devbox/projects
+  - chown devbox:devbox /home/devbox/projects
+
+# ── Final message ───────────────────────────────────────────────────
+final_message: |
+  opencode-devbox host VM ready.
+
+  Next steps:
+    1. SSH in:      ssh devbox@<this-host>
+    2. Clone your opencode-devbox compose config, or:
+       mkdir -p ~/opencode-devbox && cd ~/opencode-devbox
+       curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/docker-compose.yml -o docker-compose.yml
+       curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/.env.example -o .env
+    3. Edit .env with your provider and keys
+    4. Edit docker-compose.yml to uncomment optional mounts (e.g. ~/.aws for Bedrock)
+    5. docker compose up -d
+    6. docker compose exec -u developer devbox opencode
+
+  Cloud-init run completed in $UPTIME seconds.

deploy/setup-host.sh

@@ -0,0 +1,145 @@
+#!/bin/bash
+# setup-host.sh — Post-install script for opencode-devbox host VM
+#
+# Run this on a fresh Debian 13 or Ubuntu 24.04 VM to set up everything
+# needed to run opencode-devbox containers.
+#
+# Usage:
+#   curl -fsSL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/deploy/setup-host.sh | bash
+#
+# Or clone and run:
+#   git clone https://gitea.jordbo.se/joakimp/opencode-devbox
+#   cd opencode-devbox/deploy
+#   ./setup-host.sh
+
+set -euo pipefail
+
+# ── Colors ──────────────────────────────────────────────────────────
+BOLD="\033[1m"; GREEN="\033[32m"; YELLOW="\033[33m"; RED="\033[31m"; RESET="\033[0m"
+info()  { echo -e "${BOLD}==>${RESET} $*"; }
+ok()    { echo -e "${GREEN}${BOLD}✓${RESET} $*"; }
+warn()  { echo -e "${YELLOW}${BOLD}!${RESET} $*"; }
+err()   { echo -e "${RED}${BOLD}✗${RESET} $*" >&2; }
+
+# ── Detect distro ──────────────────────────────────────────────────
+if [[ ! -f /etc/os-release ]]; then
+  err "Cannot detect Linux distribution — /etc/os-release missing"
+  exit 1
+fi
+
+. /etc/os-release
+
+case "$ID" in
+  debian|ubuntu)
+    info "Detected $PRETTY_NAME"
+    ;;
+  *)
+    err "Unsupported distribution: $ID — this script only supports Debian and Ubuntu"
+    exit 1
+    ;;
+esac
+
+# ── Require sudo ────────────────────────────────────────────────────
+if [[ $EUID -eq 0 ]]; then
+  err "Do not run as root — use a regular user with sudo"
+  exit 1
+fi
+
+if ! sudo -n true 2>/dev/null; then
+  warn "This script needs sudo access. You may be prompted for your password."
+fi
+
+# ── Update packages ─────────────────────────────────────────────────
+info "Updating package index..."
+sudo apt-get update -qq
+
+info "Installing base packages..."
+sudo apt-get install -y --no-install-recommends \
+  ca-certificates curl gnupg git tmux mosh rsync fzf ripgrep ufw
+
+# ── Docker ──────────────────────────────────────────────────────────
+if command -v docker &>/dev/null; then
+  ok "Docker already installed ($(docker --version))"
+else
+  info "Installing Docker from official repository..."
+  sudo install -m 0755 -d /etc/apt/keyrings
+  sudo curl -fsSL "https://download.docker.com/linux/${ID}/gpg" -o /etc/apt/keyrings/docker.asc
+  sudo chmod a+r /etc/apt/keyrings/docker.asc
+
+  echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/${ID} ${VERSION_CODENAME} stable" | \
+    sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
+
+  sudo apt-get update -qq
+  sudo apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
+
+  ok "Docker installed: $(docker --version)"
+fi
+
+# ── Add user to docker group ────────────────────────────────────────
+if groups | grep -q docker; then
+  ok "User already in docker group"
+else
+  info "Adding $USER to docker group..."
+  sudo usermod -aG docker "$USER"
+  warn "You must log out and back in for docker group to take effect"
+  warn "Or run: newgrp docker"
+fi
+
+# ── Firewall ────────────────────────────────────────────────────────
+# Detect OpenStack — if running on OpenStack, skip ufw (security groups handle firewalling)
+SKIP_UFW=false
+if curl -s --connect-timeout 2 http://169.254.169.254/openstack/ &>/dev/null; then
+  SKIP_UFW=true
+  warn "OpenStack detected — skipping ufw (use security groups instead)"
+  warn "Ensure your security group allows: SSH (22/tcp), mosh (60000-61000/udp)"
+fi
+
+if [[ "$SKIP_UFW" == "false" ]]; then
+  info "Configuring firewall (ufw)..."
+  sudo ufw default deny incoming >/dev/null
+  sudo ufw default allow outgoing >/dev/null
+  sudo ufw allow ssh >/dev/null
+  sudo ufw allow 60000:61000/udp comment 'mosh' >/dev/null
+  if ! sudo ufw status | grep -q "Status: active"; then
+    sudo ufw --force enable
+  fi
+  ok "Firewall active — SSH and mosh allowed"
+fi
+
+# ── IPv4 preference for Docker Hub ──────────────────────────────────
+if ! grep -q 'precedence ::ffff:0:0/96' /etc/gai.conf 2>/dev/null; then
+  info "Setting IPv4 preference in /etc/gai.conf..."
+  echo 'precedence ::ffff:0:0/96  100' | sudo tee -a /etc/gai.conf > /dev/null
+  ok "IPv4 preferred for DNS resolution"
+fi
+
+# ── Create projects directory ───────────────────────────────────────
+if [[ ! -d "$HOME/projects" ]]; then
+  mkdir -p "$HOME/projects"
+  ok "Created ~/projects"
+fi
+
+# ── Done ────────────────────────────────────────────────────────────
+echo ""
+ok "Host setup complete"
+echo ""
+cat <<EOF
+${BOLD}Next steps:${RESET}
+
+  1. If you weren't already in the docker group, log out and back in:
+       exit
+       ssh <your-user>@<this-host>
+
+  2. Set up opencode-devbox:
+       mkdir -p ~/opencode-devbox && cd ~/opencode-devbox
+       curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/docker-compose.yml -o docker-compose.yml
+       curl -sL https://gitea.jordbo.se/joakimp/opencode-devbox/raw/branch/main/.env.example -o .env
+
+  3. Edit .env with your provider and API keys:
+       vim .env
+
+  4. Start and connect:
+       docker compose up -d
+       docker compose exec -u developer devbox opencode
+
+EOF

deploy/setup-openstack-secgroup.sh

@@ -0,0 +1,63 @@
+#!/bin/bash
+# setup-openstack-secgroup.sh — Create an OpenStack security group for opencode-devbox
+#
+# Prerequisites:
+#   - OpenStack CLI installed (pip install python-openstackclient)
+#   - Authenticated (source your openrc.sh or clouds.yaml configured)
+#
+# Usage:
+#   ./setup-openstack-secgroup.sh [group-name]
+#
+# Default group name: opencode-devbox
+
+set -euo pipefail
+
+GROUP_NAME="${1:-opencode-devbox}"
+
+BOLD="\033[1m"; GREEN="\033[32m"; YELLOW="\033[33m"; RESET="\033[0m"
+info()  { echo -e "${BOLD}==>${RESET} $*"; }
+ok()    { echo -e "${GREEN}${BOLD}✓${RESET} $*"; }
+warn()  { echo -e "${YELLOW}${BOLD}!${RESET} $*"; }
+
+if ! command -v openstack &>/dev/null; then
+  echo "Error: openstack CLI not found. Install with: pip install python-openstackclient"
+  exit 1
+fi
+
+# Check if group already exists
+if openstack security group show "$GROUP_NAME" &>/dev/null; then
+  warn "Security group '$GROUP_NAME' already exists — updating rules"
+else
+  info "Creating security group '$GROUP_NAME'..."
+  openstack security group create "$GROUP_NAME" \
+    --description "opencode-devbox: SSH, mosh, HTTPS"
+  ok "Security group created"
+fi
+
+# Add rules (idempotent — OpenStack ignores duplicates)
+info "Adding rules..."
+
+# SSH (TCP 22)
+openstack security group rule create "$GROUP_NAME" \
+  --protocol tcp --dst-port 22 --remote-ip 0.0.0.0/0 \
+  --description "SSH" 2>/dev/null && ok "SSH (TCP 22)" || warn "SSH rule already exists"
+
+# Mosh (UDP 60000-61000)
+openstack security group rule create "$GROUP_NAME" \
+  --protocol udp --dst-port 60000:61000 --remote-ip 0.0.0.0/0 \
+  --description "mosh" 2>/dev/null && ok "mosh (UDP 60000-61000)" || warn "mosh rule already exists"
+
+# ICMP (ping — useful for diagnostics)
+openstack security group rule create "$GROUP_NAME" \
+  --protocol icmp --remote-ip 0.0.0.0/0 \
+  --description "ICMP ping" 2>/dev/null && ok "ICMP ping" || warn "ICMP rule already exists"
+
+echo ""
+ok "Security group '$GROUP_NAME' ready"
+echo ""
+echo -e "${BOLD}Apply to a new instance:${RESET}"
+echo "  openstack server create --security-group $GROUP_NAME ..."
+echo ""
+echo -e "${BOLD}Apply to an existing instance:${RESET}"
+echo "  openstack server add security group <instance-name> $GROUP_NAME"
+echo ""

deploy/sync-to-vm.sh

@@ -0,0 +1,142 @@
+#!/bin/bash
+# sync-to-vm.sh — Copy local config to an opencode-devbox VM
+#
+# Reads docker-compose.yml on the remote VM to detect which bind mounts
+# are active, then syncs the corresponding directories from this machine.
+#
+# Usage:
+#   ./sync-to-vm.sh <ssh-host>
+#
+# Examples:
+#   ./sync-to-vm.sh devbox-affection
+#   ./sync-to-vm.sh devbox@129.192.68.184
+
+set -euo pipefail
+
+# ── Colors ──────────────────────────────────────────────────────────
+BOLD="\033[1m"; GREEN="\033[32m"; YELLOW="\033[33m"; RED="\033[31m"; RESET="\033[0m"
+info()  { echo -e "${BOLD}==>${RESET} $*"; }
+ok()    { echo -e "${GREEN}${BOLD}✓${RESET} $*"; }
+warn()  { echo -e "${YELLOW}${BOLD}!${RESET} $*"; }
+err()   { echo -e "${RED}${BOLD}✗${RESET} $*" >&2; }
+
+# ── Args ────────────────────────────────────────────────────────────
+if [[ $# -lt 1 ]]; then
+  err "Usage: $0 <ssh-host>"
+  echo "  Example: $0 devbox-affection"
+  exit 1
+fi
+
+SSH_HOST="$1"
+REMOTE_COMPOSE="~/opencode-devbox/docker-compose.yml"
+
+# ── SSH multiplexing (reuse one connection for all operations) ──────
+CTRL_SOCKET=$(mktemp -u /tmp/sync-to-vm-XXXXXX)
+SSH_OPTS="-o ControlMaster=auto -o ControlPath=${CTRL_SOCKET} -o ControlPersist=120 -o ConnectTimeout=10 -o ServerAliveInterval=15 -o ServerAliveCountMax=3"
+
+cleanup() {
+  ssh ${SSH_OPTS} -O exit "$SSH_HOST" 2>/dev/null || true
+  rm -f "$CTRL_SOCKET"
+}
+trap cleanup EXIT
+
+ssh_cmd() {
+  ssh ${SSH_OPTS} "$SSH_HOST" "$@"
+}
+
+# ── Bind mount patterns to detect ──────────────────────────────────
+# Maps: grep pattern → local source → remote destination
+declare -a MOUNT_PATTERNS=(
+  "~/.aws:/home/developer/.aws|$HOME/.aws|~/.aws"
+  "~/.config/opencode:/home/developer/.config/opencode|$HOME/.config/opencode|~/.config/opencode"
+  "~/.config/nvim:/home/developer/.config/nvim|$HOME/.config/nvim|~/.config/nvim"
+  "~/.agents/skills:/home/developer/.agents/skills|$HOME/.agents/skills|~/.agents/skills"
+)
+
+# ── Establish persistent SSH connection ─────────────────────────────
+info "Connecting to ${SSH_HOST}..."
+if ! ssh_cmd true 2>/dev/null; then
+  err "Cannot connect to ${SSH_HOST}"
+  exit 1
+fi
+ok "Connected to ${SSH_HOST}"
+
+# ── Fetch remote docker-compose.yml ─────────────────────────────────
+info "Reading docker-compose.yml from ${SSH_HOST}..."
+REMOTE_COMPOSE_CONTENT=$(ssh_cmd "cat $REMOTE_COMPOSE 2>/dev/null") || {
+  err "Could not read ${REMOTE_COMPOSE} on ${SSH_HOST}"
+  err "Has the VM been set up? Run the post-setup steps first."
+  exit 1
+}
+
+# ── Ensure workspace directory exists on remote ─────────────────────
+REMOTE_ENV="~/opencode-devbox/.env"
+WORKSPACE_PATH=$(ssh_cmd "grep -E '^\s*WORKSPACE_PATH=' $REMOTE_ENV 2>/dev/null | cut -d= -f2- | tr -d '\"'" 2>/dev/null || true)
+if [[ -n "$WORKSPACE_PATH" ]]; then
+  info "Ensuring WORKSPACE_PATH (${WORKSPACE_PATH}) exists on ${SSH_HOST}..."
+  ssh_cmd "mkdir -p ${WORKSPACE_PATH}"
+  ok "Workspace directory ready"
+else
+  # Default from docker-compose.yml is ~/projects or current dir
+  WORKSPACE_PATH=$(echo "$REMOTE_COMPOSE_CONTENT" | grep -oP 'WORKSPACE_PATH:-[^}]+' | sed 's/WORKSPACE_PATH:-//' || true)
+  if [[ -n "$WORKSPACE_PATH" && "$WORKSPACE_PATH" != "." ]]; then
+    info "Ensuring default WORKSPACE_PATH (${WORKSPACE_PATH}) exists on ${SSH_HOST}..."
+    ssh_cmd "mkdir -p ${WORKSPACE_PATH}"
+    ok "Workspace directory ready"
+  fi
+fi
+
+# ── Detect active bind mounts ──────────────────────────────────────
+SYNCED=0
+
+for entry in "${MOUNT_PATTERNS[@]}"; do
+  IFS='|' read -r pattern local_path remote_path <<< "$entry"
+
+  # Check if the mount is uncommented (active) in docker-compose.yml
+  # Match lines that start with optional whitespace and a dash, NOT preceded by #
+  if echo "$REMOTE_COMPOSE_CONTENT" | grep -qE "^\s*-\s+['\"]?${pattern}" 2>/dev/null; then
+    # Mount is active — check if local source exists
+    if [[ ! -d "$local_path" ]]; then
+      warn "Mount active for ${pattern} but ${local_path} does not exist locally — skipping"
+      continue
+    fi
+
+    # Check if directory has content
+    if [[ -z "$(ls -A "$local_path" 2>/dev/null)" ]]; then
+      warn "${local_path} is empty — skipping"
+      continue
+    fi
+
+    info "Syncing ${local_path} → ${SSH_HOST}:${remote_path}"
+
+    # Ensure remote directory exists
+    ssh_cmd "mkdir -p ${remote_path}"
+
+    # Sync with rsync (fall back to scp if rsync unavailable)
+    # Exclude generated/cached content that gets recreated on the remote
+    if command -v rsync &>/dev/null; then
+      rsync -az --progress \
+        --exclude='node_modules' \
+        --exclude='__pycache__' \
+        --exclude='.venv' \
+        --exclude='*.pyc' \
+        --exclude='cli/cache' \
+        --exclude='sso/cache' \
+        -e "ssh ${SSH_OPTS}" "${local_path}/" "${SSH_HOST}:${remote_path}/"
+    else
+      scp -o "ControlPath=${CTRL_SOCKET}" -r "${local_path}/." "${SSH_HOST}:${remote_path}/"
+    fi
+
+    ok "Synced ${local_path}"
+    SYNCED=$((SYNCED + 1))
+  fi
+done
+
+# ── Summary ─────────────────────────────────────────────────────────
+echo ""
+if [[ $SYNCED -eq 0 ]]; then
+  warn "No active bind mounts detected in remote docker-compose.yml"
+  warn "Uncomment the mounts you need in ${REMOTE_COMPOSE} on the VM, then re-run this script"
+else
+  ok "Synced ${SYNCED} director$([ $SYNCED -eq 1 ] && echo 'y' || echo 'ies') to ${SSH_HOST}"
+fi

docker-compose.shared.yml

@@ -0,0 +1,50 @@
+# opencode-devbox docker-compose for shared machines
+#
+# For machines where multiple users share one OS account (e.g. 'garage').
+# Each user gets isolated config, data, and named volumes by setting
+# SIGNUM in their .env file.
+#
+# Setup per user:
+#   1. mkdir -p ~/<signum>/opencode-devbox && cd ~/<signum>/opencode-devbox
+#   2. cp docker-compose.shared.yml docker-compose.yml
+#   3. cp .env.shared.example .env
+#   4. Edit .env with your signum, provider, keys, etc.
+#   5. mkdir -p ~/<signum>/.config/opencode
+#   6. docker compose up -d
+#
+# Named volumes are automatically isolated per user because Docker Compose
+# prefixes them with the project directory name (e.g. opencode-devbox_devbox-data).
+# Since each user runs from ~/<signum>/opencode-devbox/, volumes don't collide.
+
+services:
+  devbox:
+    image: joakimp/opencode-devbox:latest
+    container_name: devbox-${SIGNUM:?Set SIGNUM in .env}
+    stdin_open: true
+    tty: true
+    env_file:
+      - .env
+    environment:
+      - TERM=xterm-256color
+    volumes:
+      # Host workspace — user's project directory
+      - ${WORKSPACE_PATH:-~/src}:/workspace
+
+      # SSH keys — user-specific if available, else shared
+      - ${SSH_KEY_PATH:-~/.ssh}:/home/developer/.ssh:ro
+
+      # Opencode config — per-user (persists settings across restarts)
+      - ${HOME}/${SIGNUM}/.config/opencode:/home/developer/.config/opencode
+
+      # Persist opencode data (auth, memory, session history)
+      - devbox-data:/home/developer/.local/share/opencode
+
+      # Persist uv data (Python installs)
+      - devbox-uv:/home/developer/.local/share/uv
+
+      # Optional: AWS credentials (per-user if available)
+      # - ${HOME}/${SIGNUM}/.aws:/home/developer/.aws
+
+volumes:
+  devbox-data:
+  devbox-uv:

docker-compose.yml

@@ -10,13 +10,17 @@
 
 services:
   devbox:
-    build:
-      context: .
-      args:
-        INSTALL_PYTHON: "false"
-        INSTALL_GO: "false"
-        INSTALL_OMOS: "false"
-    image: opencode-devbox:latest
+    image: joakimp/opencode-devbox:latest
+    # For multi-agent orchestration, use the omos variant instead:
+    # image: joakimp/opencode-devbox:latest-omos
+    #
+    # To build from source instead of pulling from Docker Hub, uncomment:
+    # build:
+    #   context: .
+    #   args:
+    #     INSTALL_PYTHON: "false"
+    #     INSTALL_GO: "false"
+    #     INSTALL_OMOS: "false"
     container_name: opencode-devbox
     stdin_open: true
     tty: true