Merge branch 'master' into ipv6

2026-01-09 07:01:06 +08:00 · 2025-08-10 11:39:04 +01:00 · 2025-08-10 11:39:04 +01:00 · 236e751721
commit 236e751721
parent e9f4337417 7a2065c171
15 changed files with 748 additions and 638 deletions
--- a/.github/workflows/package_trigger.yml
+++ b/.github/workflows/package_trigger.yml
@ -1,42 +0,0 @@
-name: Package Trigger Main
-
-on:
-  workflow_dispatch:
-
-jobs:
-  package-trigger-master:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4.1.1
-
-      - name: Package Trigger
-        if: github.ref == 'refs/heads/master'
-        run: |
-          if [ -n "${{ secrets.PAUSE_PACKAGE_TRIGGER_CODE_SERVER_MASTER }}" ]; then
-            echo "**** Github secret PAUSE_PACKAGE_TRIGGER_CODE_SERVER_MASTER is set; skipping trigger. ****"
-            echo "Github secret \`PAUSE_PACKAGE_TRIGGER_CODE_SERVER_MASTER\` is set; skipping trigger." >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-          if [ $(curl -s https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-code-server/job/master/lastBuild/api/json | jq -r '.building') == "true" ]; then
-            echo "**** There already seems to be an active build on Jenkins; skipping package trigger ****"
-            echo "There already seems to be an active build on Jenkins; skipping package trigger" >> $GITHUB_STEP_SUMMARY
-            exit 0
-          fi
-          echo "**** Package trigger running off of master branch. To disable, set a Github secret named \"PAUSE_PACKAGE_TRIGGER_CODE_SERVER_MASTER\". ****"
-          echo "Package trigger running off of master branch. To disable, set a Github secret named \`PAUSE_PACKAGE_TRIGGER_CODE_SERVER_MASTER\`" >> $GITHUB_STEP_SUMMARY
-          response=$(curl -iX POST \
-            https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-code-server/job/master/buildWithParameters?PACKAGE_CHECK=true \
-            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} | grep -i location | sed "s|^[L|l]ocation: \(.*\)|\1|")
-          echo "**** Jenkins job queue url: ${response%$'\r'} ****"
-          echo "**** Sleeping 10 seconds until job starts ****"
-          sleep 10
-          buildurl=$(curl -s "${response%$'\r'}api/json" | jq -r '.executable.url')
-          buildurl="${buildurl%$'\r'}"
-          echo "**** Jenkins job build url: ${buildurl} ****"
-          echo "Jenkins job build url: ${buildurl}" >> $GITHUB_STEP_SUMMARY
-          echo "**** Attempting to change the Jenkins job description ****"
-          curl -iX POST \
-            "${buildurl}submitDescription" \
-            --user ${{ secrets.JENKINS_USER }}:${{ secrets.JENKINS_TOKEN }} \
-            --data-urlencode "description=GHA package trigger https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
-            --data-urlencode "Submit=Submit"
--- a/7
+++ b/7
@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:jammy
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-ubuntu:noble

 # set version label
 ARG BUILD_DATE
@ -16,11 +18,9 @@ RUN \
  apt-get update && \
  apt-get install -y \
    git \
-    jq \
    libatomic1 \
    nano \
    net-tools \
-    netcat \
    sudo && \
  echo "**** install code-server ****" && \
  if [ -z ${CODE_RELEASE+x} ]; then \
@ -33,6 +33,7 @@ RUN \
    "https://github.com/coder/code-server/releases/download/v${CODE_RELEASE}/code-server-${CODE_RELEASE}-linux-amd64.tar.gz" && \
  tar xf /tmp/code-server.tar.gz -C \
    /app/code-server --strip-components=1 && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
  echo "**** clean up ****" && \
  apt-get clean && \
  rm -rf \
--- a/Dockerfile.aarch64
+++ b/Dockerfile.aarch64
@ -1,4 +1,6 @@
-FROM ghcr.io/linuxserver/baseimage-ubuntu:arm64v8-jammy
+# syntax=docker/dockerfile:1
+
+FROM ghcr.io/linuxserver/baseimage-ubuntu:arm64v8-noble

 # set version label
 ARG BUILD_DATE
@ -16,11 +18,9 @@ RUN \
  apt-get update && \
  apt-get install -y \
    git \
-    jq \
    libatomic1 \
    nano \
    net-tools \
-    netcat \
    sudo && \
  echo "**** install code-server ****" && \
  if [ -z ${CODE_RELEASE+x} ]; then \
@ -33,6 +33,7 @@ RUN \
    "https://github.com/coder/code-server/releases/download/v${CODE_RELEASE}/code-server-${CODE_RELEASE}-linux-arm64.tar.gz" && \
  tar xf /tmp/code-server.tar.gz -C \
    /app/code-server --strip-components=1 && \
+  printf "Linuxserver.io version: ${VERSION}\nBuild-date: ${BUILD_DATE}" > /build_version && \
  echo "**** clean up ****" && \
  apt-get clean && \
  rm -rf \
--- a/10
+++ b/10
@ -33,8 +33,8 @@ pipeline {
    CI_PORT='8443'
    CI_SSL='false'
    CI_DELAY='120'
-    CI_DOCKERENV='TZ=US/Pacific'
-    CI_AUTH='user:password'
+    CI_DOCKERENV=''
+    CI_AUTH=''
    CI_WEBPATH=''
  }
  stages {
@ -589,7 +589,7 @@ pipeline {
          --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
          --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
          --label \"org.opencontainers.image.title=Code-server\" \
-          --label \"org.opencontainers.image.description=[Code-server](https://coder.com) is VS Code running on a remote server, accessible through the browser.  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.  - If you have a Windows or Mac workstation, more easily develop for Linux.  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.  - Preserve battery life when you're on the go.  - All intensive computation runs on your server.  - You're no longer running excess instances of Chrome.\" \
+          --label \"org.opencontainers.image.description=[Code-server](https://coder.com) is VS Code running on a remote server, accessible through the browser.  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.  - If you have a Windows or Mac workstation, more easily develop for Linux.  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.  - Preserve battery life when you're on the go.  - All intensive computation runs on your server.  - You're no longer running excess instances of Chrome.  \" \
          --no-cache --pull -t ${IMAGE}:${META_TAG} --platform=linux/amd64 \
          --provenance=true --sbom=true --builder=container --load \
          --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
@ -655,7 +655,7 @@ pipeline {
              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
              --label \"org.opencontainers.image.title=Code-server\" \
-              --label \"org.opencontainers.image.description=[Code-server](https://coder.com) is VS Code running on a remote server, accessible through the browser.  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.  - If you have a Windows or Mac workstation, more easily develop for Linux.  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.  - Preserve battery life when you're on the go.  - All intensive computation runs on your server.  - You're no longer running excess instances of Chrome.\" \
+              --label \"org.opencontainers.image.description=[Code-server](https://coder.com) is VS Code running on a remote server, accessible through the browser.  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.  - If you have a Windows or Mac workstation, more easily develop for Linux.  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.  - Preserve battery life when you're on the go.  - All intensive computation runs on your server.  - You're no longer running excess instances of Chrome.  \" \
              --no-cache --pull -t ${IMAGE}:amd64-${META_TAG} --platform=linux/amd64 \
              --provenance=true --sbom=true --builder=container --load \
              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
@ -714,7 +714,7 @@ pipeline {
              --label \"org.opencontainers.image.licenses=GPL-3.0-only\" \
              --label \"org.opencontainers.image.ref.name=${COMMIT_SHA}\" \
              --label \"org.opencontainers.image.title=Code-server\" \
-              --label \"org.opencontainers.image.description=[Code-server](https://coder.com) is VS Code running on a remote server, accessible through the browser.  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.  - If you have a Windows or Mac workstation, more easily develop for Linux.  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.  - Preserve battery life when you're on the go.  - All intensive computation runs on your server.  - You're no longer running excess instances of Chrome.\" \
+              --label \"org.opencontainers.image.description=[Code-server](https://coder.com) is VS Code running on a remote server, accessible through the browser.  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.  - If you have a Windows or Mac workstation, more easily develop for Linux.  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.  - Preserve battery life when you're on the go.  - All intensive computation runs on your server.  - You're no longer running excess instances of Chrome.  \" \
              --no-cache --pull -f Dockerfile.aarch64 -t ${IMAGE}:arm64v8-${META_TAG} --platform=linux/arm64 \
              --provenance=true --sbom=true --builder=container --load \
              --build-arg ${BUILD_VERSION_ARG}=${EXT_RELEASE} --build-arg VERSION=\"${VERSION_TAG}\" --build-arg BUILD_DATE=${GITHUB_DATE} ."
--- a/README.md
+++ b/README.md
@ -75,6 +75,23 @@ git config --global user.email "email address"

 How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed).

+## Read-Only Operation
+
+This image can be run with a read-only container filesystem. For details please [read the docs](https://docs.linuxserver.io/misc/read-only/).
+
+### Caveats
+
+* `/tmp` must be mounted to tmpfs
+* `sudo` will not be available
+
+## Non-Root Operation
+
+This image can be run with a non-root user. For details please [read the docs](https://docs.linuxserver.io/misc/non-root/).
+
+### Caveats
+
+* `sudo` will not be available
+
 ## Usage

 To help you get started creating a container from this image you can either use docker-compose or the docker cli.
@ -100,8 +117,9 @@ services:
      - SUDO_PASSWORD_HASH= #optional
      - PROXY_DOMAIN=code-server.my.domain #optional
      - DEFAULT_WORKSPACE=/config/workspace #optional
+      - PWA_APPNAME=code-server #optional
    volumes:
-      - /path/to/appdata/config:/config
+      - /path/to/code-server/config:/config
    ports:
      - 8443:8443
    restart: unless-stopped
@ -121,8 +139,9 @@ docker run -d \
  -e SUDO_PASSWORD_HASH= `#optional` \
  -e PROXY_DOMAIN=code-server.my.domain `#optional` \
  -e DEFAULT_WORKSPACE=/config/workspace `#optional` \
+  -e PWA_APPNAME=code-server `#optional` \
  -p 8443:8443 \
-  -v /path/to/appdata/config:/config \
+  -v /path/to/code-server/config:/config \
  --restart unless-stopped \
  lscr.io/linuxserver/code-server:latest
 ```
@ -141,9 +160,12 @@ Containers are configured using parameters passed at runtime (such as those abov
 | `-e HASHED_PASSWORD=` | Optional web gui password, overrides `PASSWORD`, instructions on how to create it is below. |
 | `-e SUDO_PASSWORD=password` | If this optional variable is set, user will have sudo access in the code-server terminal with the specified password. |
 | `-e SUDO_PASSWORD_HASH=` | Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`. |
-| `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#sub-domains) |
+| `-e PROXY_DOMAIN=code-server.my.domain` | If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain) |
 | `-e DEFAULT_WORKSPACE=/config/workspace` | If this optional variable is set, code-server will open this directory by default |
+| `-e PWA_APPNAME=code-server` | If this optional variable is set, the PWA app will the specified name. |
 | `-v /config` | Contains all relevant configuration files. |
+| `--read-only=true` | Run container with a read-only filesystem. Please [read the docs](https://docs.linuxserver.io/misc/read-only/). |
+| `--user=1000:1000` | Run container with a non-root user. Please [read the docs](https://docs.linuxserver.io/misc/non-root/). |

 ## Environment variables from files (Docker secrets)

@ -308,6 +330,10 @@ Once registered you can define the dockerfile to use with `-f Dockerfile.aarch64
 ## Versions

 * **10.08.25:** - Let server listen on both ipv4 and ipv6.
+* **03.06.25:** - Allow setting PWA name using env var `PWA_APPNAME`.
+* **13.10.24:** - Only chown config folder when change to ownership or new install is detected.
+* **09.10.24:** - Manage permissions in /config/.ssh according to file type
+* **19.08.24:** - Rebase to Ubuntu Noble.
 * **01.07.23:** - Deprecate armhf. As announced [here](https://www.linuxserver.io/blog/a-farewell-to-arm-hf)
 * **05.10.22:** - Install recommended deps to maintain parity with the older images.
 * **29.09.22:** - Rebase to jammy, switch to s6v3. Fix chown logic to skip `/config/workspace` contents.
--- a/jenkins-vars.yml
+++ b/jenkins-vars.yml
@ -22,6 +22,6 @@ repo_vars:
  - CI_PORT='8443'
  - CI_SSL='false'
  - CI_DELAY='120'
-  - CI_DOCKERENV='TZ=US/Pacific'
-  - CI_AUTH='user:password'
+  - CI_DOCKERENV=''
+  - CI_AUTH=''
  - CI_WEBPATH=''
--- a/package_versions.txt
+++ b/package_versions.txt
--- a/readme-vars.yml
+++ b/readme-vars.yml
@ -4,28 +4,29 @@
 project_name: code-server
 project_url: "https://coder.com"
 project_logo: "https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/code-server-banner.png"
-project_blurb: "[{{ project_name|capitalize }}]({{ project_url }}) is VS Code running on a remote server, accessible through the browser.\n- Code on your Chromebook, tablet, and laptop with a consistent dev environment.\n- If you have a Windows or Mac workstation, more easily develop for Linux.\n- Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.\n- Preserve battery life when you're on the go.\n- All intensive computation runs on your server.\n- You're no longer running excess instances of Chrome."
+project_blurb: |
+  [{{ project_name|capitalize }}]({{ project_url }}) is VS Code running on a remote server, accessible through the browser.
+  - Code on your Chromebook, tablet, and laptop with a consistent dev environment.
+  - If you have a Windows or Mac workstation, more easily develop for Linux.
+  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.
+  - Preserve battery life when you're on the go.
+  - All intensive computation runs on your server.
+  - You're no longer running excess instances of Chrome.
 project_lsio_github_repo_url: "https://github.com/linuxserver/docker-{{ project_name }}"
+project_categories: "Programming"
 # supported architectures
 available_architectures:
  - {arch: "{{ arch_x86_64 }}", tag: "amd64-latest"}
  - {arch: "{{ arch_arm64 }}", tag: "arm64v8-latest"}
-# development version
-development_versions: false
-development_versions_items:
-  - {tag: "latest", desc: "Stable releases"}
 # container parameters
 common_param_env_vars_enabled: true
 param_container_name: "{{ project_name }}"
 param_usage_include_vols: true
 param_volumes:
-  - {vol_path: "/config", vol_host_path: "/path/to/appdata/config", desc: "Contains all relevant configuration files."}
+  - {vol_path: "/config", vol_host_path: "/path/to/{{ project_name }}/config", desc: "Contains all relevant configuration files."}
 param_usage_include_ports: true
 param_ports:
  - {external_port: "8443", internal_port: "8443", port_desc: "web gui"}
-param_usage_include_env: true
-param_env_vars:
-  - {env_var: "TZ", env_value: "Europe/London", desc: "Specify a timezone to use EG Europe/London"}
 # optional container parameters
 opt_param_usage_include_env: true
 opt_param_env_vars:
@ -33,10 +34,16 @@ opt_param_env_vars:
  - {env_var: "HASHED_PASSWORD", env_value: "", desc: "Optional web gui password, overrides `PASSWORD`, instructions on how to create it is below."}
  - {env_var: "SUDO_PASSWORD", env_value: "password", desc: "If this optional variable is set, user will have sudo access in the code-server terminal with the specified password."}
  - {env_var: "SUDO_PASSWORD_HASH", env_value: "", desc: "Optionally set sudo password via hash (takes priority over `SUDO_PASSWORD` var). Format is `$type$salt$hashed`."}
-  - {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#sub-domains)"}
+  - {env_var: "PROXY_DOMAIN", env_value: "code-server.my.domain", desc: "If this optional variable is set, this domain will be proxied for subdomain proxying. See [Documentation](https://github.com/coder/code-server/blob/main/docs/guide.md#using-a-subdomain)"}
  - {env_var: "DEFAULT_WORKSPACE", env_value: "/config/workspace", desc: "If this optional variable is set, code-server will open this directory by default"}
-optional_block_1: false
-optional_block_1_items: ""
+  - {env_var: "PWA_APPNAME", env_value: "code-server", desc: "If this optional variable is set, the PWA app will the specified name."}
+readonly_supported: true
+readonly_message: |
+  * `/tmp` must be mounted to tmpfs
+  * `sudo` will not be available
+nonroot_supported: true
+nonroot_message: |
+  * `sudo` will not be available
 # application setup block
 app_setup_block_enabled: true
 app_setup_block: |
@ -52,9 +59,54 @@ app_setup_block: |
  ### Hashed code-server password

  How to create the [hashed password](https://github.com/cdr/code-server/blob/master/docs/FAQ.md#can-i-store-my-password-hashed).
+# init diagram
+init_diagram: |
+  "code-server:latest": {
+    docker-mods
+    base {
+      fix-attr +\nlegacy cont-init
+    }
+    docker-mods -> base
+    legacy-services
+    custom services
+    init-services -> legacy-services
+    init-services -> custom services
+    custom services -> legacy-services
+    legacy-services -> ci-service-check
+    init-migrations -> init-adduser
+    init-config -> init-code-server
+    init-os-end -> init-config
+    init-code-server -> init-config-end
+    init-config -> init-config-end
+    init-crontab-config -> init-config-end
+    init-config -> init-crontab-config
+    init-mods-end -> init-custom-files
+    init-adduser -> init-device-perms
+    base -> init-envfile
+    base -> init-migrations
+    init-config-end -> init-mods
+    init-mods-package-install -> init-mods-end
+    init-mods -> init-mods-package-install
+    init-adduser -> init-os-end
+    init-device-perms -> init-os-end
+    init-envfile -> init-os-end
+    init-custom-files -> init-services
+    init-services -> svc-code-server
+    svc-code-server -> legacy-services
+    init-services -> svc-cron
+    svc-cron -> legacy-services
+  }
+  Base Images: {
+    "baseimage-ubuntu:noble"
+  }
+  "code-server:latest" <- Base Images
 # changelog
 changelogs:
  - {date: "10.08.25:", desc: "Let server listen on both ipv4 and ipv6."}
+  - {date: "03.06.25:", desc: "Allow setting PWA name using env var `PWA_APPNAME`."}
+  - {date: "13.10.24:", desc: "Only chown config folder when change to ownership or new install is detected."}
+  - {date: "09.10.24:", desc: "Manage permissions in /config/.ssh according to file type"}
+  - {date: "19.08.24:", desc: "Rebase to Ubuntu Noble."}
  - {date: "01.07.23:", desc: "Deprecate armhf. As announced [here](https://www.linuxserver.io/blog/a-farewell-to-arm-hf)"}
  - {date: "05.10.22:", desc: "Install recommended deps to maintain parity with the older images."}
  - {date: "29.09.22:", desc: "Rebase to jammy, switch to s6v3. Fix chown logic to skip `/config/workspace` contents."}
--- a/root/etc/s6-overlay/s6-rc.d/init-code-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/init-code-server/run
@ -1,31 +1,46 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash

 mkdir -p /config/{extensions,data,workspace,.ssh}

-if [ -n "${SUDO_PASSWORD}" ] || [ -n "${SUDO_PASSWORD_HASH}" ]; then
-    echo "setting up sudo access"
-    if ! grep -q 'abc' /etc/sudoers; then
-        echo "adding abc to sudoers"
-        echo "abc ALL=(ALL:ALL) ALL" >> /etc/sudoers
-    fi
-    if [ -n "${SUDO_PASSWORD_HASH}" ]; then
-        echo "setting sudo password using sudo password hash"
-        sed -i "s|^abc:\!:|abc:${SUDO_PASSWORD_HASH}:|" /etc/shadow
-    else
-        echo "setting sudo password using SUDO_PASSWORD env var"
-        echo -e "${SUDO_PASSWORD}\n${SUDO_PASSWORD}" | passwd abc
+if [[ -z ${LSIO_NON_ROOT_USER} ]] && [[ -z ${LSIO_READ_ONLY_FS} ]]; then
+    if [[ -n "${SUDO_PASSWORD}" ]] || [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
+        echo "setting up sudo access"
+        if ! grep -q 'abc' /etc/sudoers; then
+            echo "adding abc to sudoers"
+            echo "abc ALL=(ALL:ALL) ALL" >> /etc/sudoers
+        fi
+        if [[ -n "${SUDO_PASSWORD_HASH}" ]]; then
+            echo "setting sudo password using sudo password hash"
+            sed -i "s|^abc:\!:|abc:${SUDO_PASSWORD_HASH}:|" /etc/shadow
+        else
+            echo "setting sudo password using SUDO_PASSWORD env var"
+            echo -e "${SUDO_PASSWORD}\n${SUDO_PASSWORD}" | passwd abc
+        fi
    fi
 fi

-[[ ! -f /config/.bashrc ]] && \
+if [[ ! -f /config/.bashrc ]]; then
    cp /root/.bashrc /config/.bashrc
-[[ ! -f /config/.profile ]] && \
-    cp /root/.profile /config/.profile
-
-# fix permissions (ignore contents of /config/workspace)
-find /config -path /config/workspace -prune -o -exec chown abc:abc {} +
-chown abc:abc /config/workspace
-chmod 700 /config/.ssh
-if [ -n "$(ls -A /config/.ssh)" ]; then
-    chmod 600 /config/.ssh/*
+fi
+
+if [[ ! -f /config/.profile ]]; then
+    cp /root/.profile /config/.profile
+fi
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    # fix permissions (ignore contents of workspace)
+    PUID=${PUID:-911}
+    if [[ ! "$(stat -c %u /config/.profile)" == "${PUID}" ]]; then
+        echo "Change in ownership or new install detected, please be patient while we chown existing files"
+        echo "This could take some time"
+        find /config -path "/config/workspace" -prune -o -exec lsiown abc:abc {} +
+        lsiown abc:abc /config/workspace
+    fi
+    chmod 700 /config/.ssh
+    if [[ -n "$(ls -A /config/.ssh)" ]]; then
+        find /config/.ssh/ -type d -exec chmod 700 '{}' \;
+        find /config/.ssh/ -type f -exec chmod 600 '{}' \;
+        find /config/.ssh/ -type f -iname '*.pub' -exec chmod 644 '{}' \;
+    fi
 fi
--- a/root/etc/s6-overlay/s6-rc.d/init-code-server/type
+++ b/root/etc/s6-overlay/s6-rc.d/init-code-server/type
@ -1 +1 @@
-oneshot
+oneshot
--- a/root/etc/s6-overlay/s6-rc.d/init-code-server/up
+++ b/root/etc/s6-overlay/s6-rc.d/init-code-server/up
@ -1 +1 @@
-/etc/s6-overlay/s6-rc.d/init-code-server/run
+/etc/s6-overlay/s6-rc.d/init-code-server/run
--- a/root/etc/s6-overlay/s6-rc.d/svc-code-server/notification-fd
+++ b/root/etc/s6-overlay/s6-rc.d/svc-code-server/notification-fd
@ -1 +1 @@
-3
+3
--- a/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
+++ b/root/etc/s6-overlay/s6-rc.d/svc-code-server/run
@ -1,26 +1,46 @@
 #!/usr/bin/with-contenv bash
+# shellcheck shell=bash

-if [ -n "${PASSWORD}" ] || [ -n "${HASHED_PASSWORD}" ]; then
+if [[ -n "${PASSWORD}" ]] || [[ -n "${HASHED_PASSWORD}" ]]; then
    AUTH="password"
 else
    AUTH="none"
    echo "starting with no password"
 fi

-if [ -z ${PROXY_DOMAIN+x} ]; then
+if [[ -z ${PROXY_DOMAIN+x} ]]; then
    PROXY_DOMAIN_ARG=""
 else
    PROXY_DOMAIN_ARG="--proxy-domain=${PROXY_DOMAIN}"
 fi

-exec \
-    s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
-        s6-setuidgid abc \
+if [[ -z ${PWA_APPNAME} ]]; then
+    PWA_APPNAME="code-server"
+fi
+
+if [[ -z ${LSIO_NON_ROOT_USER} ]]; then
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
+            s6-setuidgid abc \
+                /app/code-server/bin/code-server \
+                    --bind-addr 0.0.0.0:8443 \
+                    --user-data-dir /config/data \
+                    --extensions-dir /config/extensions \
+                    --disable-telemetry \
+                    --auth "${AUTH}" \
+                    --app-name "${PWA_APPNAME}" \
+                    "${PROXY_DOMAIN_ARG}" \
+                    "${DEFAULT_WORKSPACE:-/config/workspace}"
+else
+    exec \
+        s6-notifyoncheck -d -n 300 -w 1000 -c "nc -z 127.0.0.1 8443" \
            /app/code-server/bin/code-server \
                --bind-addr "[::]:8443" \
                --user-data-dir /config/data \
                --extensions-dir /config/extensions \
                --disable-telemetry \
                --auth "${AUTH}" \
+                --app-name "${PWA_APPNAME}" \
                "${PROXY_DOMAIN_ARG}" \
                "${DEFAULT_WORKSPACE:-/config/workspace}"
+fi
--- a/root/etc/s6-overlay/s6-rc.d/svc-code-server/type
+++ b/root/etc/s6-overlay/s6-rc.d/svc-code-server/type
@ -1 +1 @@
-longrun
+longrun
--- a/root/usr/local/bin/install-extension
+++ b/root/usr/local/bin/install-extension
@ -3,7 +3,7 @@

 _install=(/app/code-server/bin/code-server "--extensions-dir" "/config/extensions" "--install-extension")

-if [ "$(whoami)" == "abc" ]; then
+if [[ "$(whoami)" == "abc" ]]; then
    "${_install[@]}" "$@"
 else
    s6-setuidgid abc "${_install[@]}" "$@"