joakimp
298203a7cd
Includes device-code flow docs for browser-less SSO login from remote/Docker environments.
opencode-devbox
Portable AI developer environment in a Docker container. Run opencode on any Docker-capable machine with configurable LLM providers, dev tools, and host filesystem access.
Why?
The official ghcr.io/anomalyco/opencode image (now archived) was Alpine-based and minimal — no git, no dev tools, broken PTY support due to musl/glibc incompatibility. This project provides a Debian-based, production-ready alternative using the current v1.x release.
Quick Start
# Clone
git clone ssh://gitea.jordbo.se:2222/joakimp/opencode-devbox.git
cd opencode-devbox
# Configure
cp .env.example .env
# Edit .env with your provider, API key, workspace path, git config
# Build and run
docker compose run --rm devbox
Features
- Debian bookworm base — glibc, full PTY/terminal support
- Configurable providers — Anthropic, OpenAI, AWS Bedrock via env vars
- Host filesystem access — bind mount any directory as
/workspace - SSH key forwarding — git push/pull to private repos
- MCP server support — Node.js included for
npx-based MCP servers - Non-root user — runs as
developer(UID 1000) with sudo - Optional runtimes — Python, Go via build args (Node.js always included — required for opencode v1.x)
- AWS CLI v2 — built-in SSO/Bedrock authentication with headless device-code flow
- Multi-arch — amd64 and arm64
Configuration
Environment Variables
| Variable | Description | Default |
|---|---|---|
OPENCODE_PROVIDER |
LLM provider (anthropic, openai, amazon-bedrock) |
anthropic |
OPENCODE_MODEL |
Model override | Provider default |
ANTHROPIC_API_KEY |
Anthropic API key | — |
OPENAI_API_KEY |
OpenAI API key | — |
AWS_REGION |
AWS region for Bedrock | us-east-1 |
GIT_USER_NAME |
Git commit author name | — |
GIT_USER_EMAIL |
Git commit author email | — |
WORKSPACE_PATH |
Host path to mount | . |
SSH_KEY_PATH |
Host SSH key directory | ~/.ssh |
Custom opencode config
Mount your own opencode.json for full control (MCP servers, custom models, etc.):
volumes:
- ./my-opencode.json:/home/developer/.config/opencode/opencode.json:ro
Build Args
Enable optional language runtimes:
docker compose build --build-arg INSTALL_PYTHON=true --build-arg INSTALL_GO=true
| Arg | Default | Description |
|---|---|---|
INSTALL_PYTHON |
false |
Python 3 + pip + venv |
INSTALL_GO |
false |
Go toolchain |
AWS Bedrock Authentication
When using AWS Bedrock as your LLM provider, you need to authenticate via AWS SSO from inside the container. Since the container runs headless (no browser), use the device-code flow:
# Start the container interactively
docker compose run --rm devbox bash
# Authenticate — prints a URL and code you open in your local browser
aws sso login --sso-session <your-sso-session> --use-device-code
# Once approved in the browser, start opencode
opencode
The --use-device-code flag outputs a URL and short code instead of trying to open a browser. Copy the URL into any browser (on your laptop, phone, etc.), enter the code, and complete the 2FA flow. The CLI in the container picks up the session automatically.
SSO sessions typically last 8–12 hours before requiring re-authentication.
Architecture
Host Machine
├── ~/projects/my-app ──bind mount──▶ /workspace (container)
├── ~/.ssh ──bind mount──▶ /home/developer/.ssh (ro)
└── .env ──env vars───▶ provider config + API keys
Container (Debian bookworm)
├── opencode binary
├── AWS CLI v2 (SSO + Bedrock auth)
├── git, ssh, ripgrep, fd, jq, curl, fzf
├── Node.js (for MCP servers)
├── entrypoint.sh (SSH perms, git config, provider setup)
└── /workspace ← your code lives here
License
MIT