npm - @opencode-cloud/core - Versions diffs - 3.1.1 → 3.1.4 - Mend

@opencode-cloud/core 3.1.1 → 3.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/Cargo.toml CHANGED Viewed

@@ -1,6 +1,6 @@
 [package]
 name = "opencode-cloud-core"
-version = "3.1.1"
+version = "3.1.4"
 edition = "2024"
 rust-version = "1.88"
 license = "MIT"

package/README.md CHANGED Viewed

@@ -129,6 +129,39 @@ occ uninstall
 occ config show
 ```
+## Authentication
+opencode-cloud uses **PAM (Pluggable Authentication Modules)** for authentication. Users created via `occ user add` can authenticate to both:
+- **opencode web UI** - Access the coding interface
+- **Cockpit** - System administration interface
+### Creating Users
+Create a user with a password:
+```bash
+occ user add <username>
+```
+Generate a random password:
+```bash
+occ user add <username> --generate
+```
+### Managing Users
+- List users: `occ user list`
+- Change password: `occ user passwd <username>`
+- Remove user: `occ user remove <username>`
+- Enable/disable account: `occ user enable <username>` / `occ user disable <username>`
+### Legacy Authentication Fields
+The `auth_username` and `auth_password` config fields are **deprecated** and ignored. They are kept in the config schema for backward compatibility with existing deployments, but new users should be created via `occ user add` instead.
+To migrate from legacy fields:
+1. Create a PAM user: `occ user add <username>`
+2. The legacy fields will be automatically cleared on next config save
 ### Rebuilding the Docker Image
 When developing locally or after updating opencode-cloud, you may need to rebuild the Docker image to pick up changes in the embedded Dockerfile:

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@opencode-cloud/core",
-  "version": "3.1.1",
+  "version": "3.1.4",
   "description": "Core NAPI bindings for opencode-cloud (internal package)",
   "main": "index.js",
   "types": "index.d.ts",

package/src/config/schema.rs CHANGED Viewed

@@ -42,11 +42,18 @@ pub struct Config {
     #[serde(default = "default_restart_delay")]
     pub restart_delay: u32,
-    /// Username for opencode basic auth (default: None, triggers wizard)
+    /// Username for opencode basic auth (DEPRECATED - use PAM users via `occ user add` instead)
+    ///
+    /// This field is kept for backward compatibility but is ignored.
+    /// New deployments should create users via `occ user add` which uses PAM authentication.
+    /// Legacy deployments can migrate by running `occ user add <username>`.
     #[serde(default)]
     pub auth_username: Option<String>,
-    /// Password for opencode basic auth (default: None, triggers wizard)
+    /// Password for opencode basic auth (DEPRECATED - use PAM users via `occ user add` instead)
+    ///
+    /// This field is kept for backward compatibility but is ignored.
+    /// Passwords are stored in the container's /etc/shadow via PAM, not in config files.
     #[serde(default)]
     pub auth_password: Option<String>,
@@ -233,8 +240,11 @@ impl Config {
     /// Check if required auth credentials are configured
     ///
     /// Returns true if:
-    /// - Both auth_username and auth_password are Some and non-empty (legacy), OR
-    /// - The users array is non-empty (PAM-based auth)
+    /// - The users array is non-empty (PAM-based auth - preferred), OR
+    /// - Both auth_username and auth_password are Some and non-empty (legacy - deprecated)
+    ///
+    /// **Note:** Legacy auth_username/auth_password fields are deprecated and ignored in favor of PAM users.
+    /// This method still checks them for backward compatibility, but new deployments should use `occ user add`.
     ///
     /// This is used to determine if the setup wizard needs to run.
     pub fn has_required_auth(&self) -> bool {

package/src/docker/Dockerfile CHANGED Viewed

@@ -40,7 +40,10 @@ ENV DEBIAN_FRONTEND=noninteractive
 ENV TZ=UTC
 # Install build essentials (2026-01-22)
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Use BuildKit cache mount for APT package lists and cache
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt \
+    apt-get update && apt-get install -y --no-install-recommends \
     build-essential=12.* \
     # UNPINNED: ca-certificates - security-critical root certs, needs auto-updates
     ca-certificates \
@@ -74,7 +77,10 @@ ENV LC_ALL=C.UTF-8
 # Install core system packages in logical groups for better caching
 # Group 1: Core utilities and build tools (2026-01-22)
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Use BuildKit cache mount for APT package lists and cache
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt \
+    apt-get update && apt-get install -y --no-install-recommends \
     # Init systems
     tini=0.19.* \
     dumb-init=1.2.* \
@@ -120,6 +126,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     netcat-openbsd=1.226-* \
     iputils-ping=3:20240117-* \
     dnsutils=1:9.18.* \
+    # Reverse proxy for opencode UI + API
+    nginx=1.24.* \
     # Compression
     zip=3.0-* \
     unzip=6.0-* \
@@ -136,14 +144,20 @@ RUN systemctl mask \
     systemd-remount-fs.service
 # Group 2: Database clients (2026-01-22)
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Use BuildKit cache mount for APT package lists and cache
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt \
+    apt-get update && apt-get install -y --no-install-recommends \
     sqlite3=3.45.* \
     postgresql-client=16+* \
     default-mysql-client=1.1.* \
     && rm -rf /var/lib/apt/lists/*
 # Group 3: Development libraries for compiling tools (2026-01-22)
-RUN apt-get update && apt-get install -y --no-install-recommends \
+# Use BuildKit cache mount for APT package lists and cache
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt \
+    apt-get update && apt-get install -y --no-install-recommends \
     libssl-dev=3.0.* \
     libffi-dev=3.4.* \
     zlib1g-dev=1:1.3.* \
@@ -151,6 +165,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
     libreadline-dev=8.2-* \
     libsqlite3-dev=3.45.* \
     libncurses-dev=6.4+* \
+    libpam0g-dev=1.5.* \
     liblzma-dev=5.6.* \
     && rm -rf /var/lib/apt/lists/*
@@ -221,6 +236,7 @@ ENV PATH="/home/opencode/.local/share/mise/shims:${PATH}"
 # Uses stable toolchain (rustup manages toolchain versioning)
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain stable \
     && . /home/opencode/.cargo/env \
+    && rustup default stable \
     && rustup component add rust-analyzer rustfmt clippy
 ENV PATH="/home/opencode/.cargo/bin:${PATH}"
@@ -241,15 +257,20 @@ ENV PNPM_HOME="/home/opencode/.local/share/pnpm"
 ENV PATH="${PNPM_HOME}:${PATH}"
 RUN mkdir -p "${PNPM_HOME}"
 # uv - self-managing installer, trusted to handle versions (fast Python package manager)
 RUN curl -LsSf https://astral.sh/uv/install.sh | sh
 # Install pipx for isolated Python application installs
-RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
+# Use BuildKit cache mount for pip cache
+RUN --mount=type=cache,target=/home/opencode/.cache/pip,uid=1000,gid=1000,mode=0755 \
+    mkdir -p /home/opencode/.cache/pip \
+    && eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && pip install --user pipx \
     && pipx ensurepath
 # Install global TypeScript compiler
+# NOTE: Avoid cache mount here to prevent pnpm store permission issues
 RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
     && pnpm add -g typescript
@@ -258,7 +279,9 @@ RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
 # -----------------------------------------------------------------------------
 # ripgrep 15.1.0 - fast regex search
 # eza 0.23.4 - modern ls replacement
-RUN . /home/opencode/.cargo/env \
+# NOTE: Avoid cache mounts here due to permission issues with non-root Cargo cache
+RUN mkdir -p /home/opencode/.cargo/registry /home/opencode/.cargo/git \
+    && . /home/opencode/.cargo/env \
     && cargo install --locked ripgrep@15.1.0 eza@0.23.4
 # lazygit v0.58.1 (2026-01-12) - terminal UI for git
@@ -304,8 +327,11 @@ RUN . /home/opencode/.cargo/env \
 #     && go install mvdan.cc/sh/v3/cmd/shfmt@v3.12.0
 # Install btop system monitor (2026-01-22)
+# Use BuildKit cache mount for APT package lists and cache
 USER root
-RUN apt-get update && apt-get install -y --no-install-recommends btop=1.3.* \
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt \
+    apt-get update && apt-get install -y --no-install-recommends btop=1.3.* \
     && rm -rf /var/lib/apt/lists/*
 USER opencode
@@ -313,7 +339,10 @@ USER opencode
 # GitHub CLI
 # -----------------------------------------------------------------------------
 USER root
-RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
+# Use BuildKit cache mount for APT package lists and cache
+RUN --mount=type=cache,target=/var/lib/apt/lists \
+    --mount=type=cache,target=/var/cache/apt \
+    curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | dd of=/usr/share/keyrings/githubcli-archive-keyring.gpg \
     && chmod go+r /usr/share/keyrings/githubcli-archive-keyring.gpg \
     && echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" > /etc/apt/sources.list.d/github-cli.list \
     && apt-get update && apt-get install -y --no-install-recommends gh \
@@ -321,38 +350,41 @@ RUN curl -fsSL https://cli.github.com/packages/githubcli-archive-keyring.gpg | d
 USER opencode
 # -----------------------------------------------------------------------------
-# Cockpit Web Console (2026-01-22)
+# Cockpit Web Console (2026-01-22) - temporarily disabled
 # -----------------------------------------------------------------------------
 # Cockpit provides web-based administration for the container
 # Ubuntu noble has cockpit 316 in main repos
-USER root
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-    cockpit-ws \
-    cockpit-system \
-    cockpit-bridge \
-    && rm -rf /var/lib/apt/lists/*
+# Use BuildKit cache mount for APT package lists and cache
+# USER root
+# RUN --mount=type=cache,target=/var/lib/apt/lists \
+#     --mount=type=cache,target=/var/cache/apt \
+#     apt-get update && \
+#     apt-get install -y --no-install-recommends \
+#     cockpit-ws \
+#     cockpit-system \
+#     cockpit-bridge \
+#     && rm -rf /var/lib/apt/lists/*
+#
 # Enable Cockpit socket activation (manual symlink since systemctl doesn't work during build)
-RUN mkdir -p /etc/systemd/system/sockets.target.wants \
-    && ln -sf /lib/systemd/system/cockpit.socket /etc/systemd/system/sockets.target.wants/cockpit.socket
+# RUN mkdir -p /etc/systemd/system/sockets.target.wants \
+#     && ln -sf /lib/systemd/system/cockpit.socket /etc/systemd/system/sockets.target.wants/cockpit.socket
+#
 # Configure Cockpit for HTTP (TLS terminated externally) and proxy headers
-RUN mkdir -p /etc/cockpit && \
-    printf '%s\n' \
-    '[WebService]' \
-    '# Allow HTTP connections (TLS terminated externally like opencode)' \
-    'AllowUnencrypted = true' \
-    '' \
-    '# Trust proxy headers for X-Forwarded-For, X-Forwarded-Proto' \
-    'ProtocolHeader = X-Forwarded-Proto' \
-    'ForwardedForHeader = X-Forwarded-For' \
-    '' \
-    '# Limit concurrent login attempts' \
-    'MaxStartups = 10' \
-    > /etc/cockpit/cockpit.conf
-USER opencode
+# RUN mkdir -p /etc/cockpit && \
+#     printf '%s\n' \
+#     '[WebService]' \
+#     '# Allow HTTP connections (TLS terminated externally like opencode)' \
+#     'AllowUnencrypted = true' \
+#     '' \
+#     '# Trust proxy headers for X-Forwarded-For, X-Forwarded-Proto' \
+#     'ProtocolHeader = X-Forwarded-Proto' \
+#     'ForwardedForHeader = X-Forwarded-For' \
+#     '' \
+#     '# Limit concurrent login attempts' \
+#     'MaxStartups = 10' \
+#     > /etc/cockpit/cockpit.conf
+#
+# USER opencode
 # -----------------------------------------------------------------------------
 # CI/CD + tooling (disabled)
@@ -416,59 +448,6 @@ USER opencode
 # RUN eval "$(/home/opencode/.local/bin/mise activate bash)" \
 #     && go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.9.3
-# -----------------------------------------------------------------------------
-# opencode Installation
-# -----------------------------------------------------------------------------
-# opencode - self-managing installer, trusted to handle versions
-# The script installs to ~/.opencode/bin/
-# Retry logic added because opencode.ai API can be flaky during parallel builds
-RUN for i in 1 2 3 4 5; do \
-        curl -fsSL https://opencode.ai/install | bash && break || \
-        echo "Attempt $i failed, retrying in 10s..." && sleep 10; \
-    done \
-    && ls -la /home/opencode/.opencode/bin/opencode \
-    && /home/opencode/.opencode/bin/opencode --version
-# Add opencode to PATH
-ENV PATH="/home/opencode/.opencode/bin:${PATH}"
-# -----------------------------------------------------------------------------
-# GSD Plugin Installation
-# -----------------------------------------------------------------------------
-# Install the GSD (Get Shit Done) plugin for opencode
-# Note: If this fails in container builds due to "~" path resolution, retry with
-# OPENCODE_CONFIG_DIR=/home/opencode/.config/opencode set explicitly.
-RUN npx --yes get-shit-done-cc --opencode --global
-# -----------------------------------------------------------------------------
-# opencode systemd Service (2026-01-22)
-# -----------------------------------------------------------------------------
-# Create opencode as a systemd service for Cockpit integration
-USER root
-RUN printf '%s\n' \
-    '[Unit]' \
-    'Description=opencode Web Interface' \
-    'After=network.target' \
-    '' \
-    '[Service]' \
-    'Type=simple' \
-    'User=opencode' \
-    'WorkingDirectory=/home/opencode/workspace' \
-    'ExecStart=/home/opencode/.opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
-    'Restart=always' \
-    'RestartSec=5' \
-    'Environment=PATH=/home/opencode/.opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
-    '' \
-    '[Install]' \
-    'WantedBy=multi-user.target' \
-    > /etc/systemd/system/opencode.service
-# Enable opencode service to start at boot (manual symlink since systemctl doesn't work during build)
-RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
-    && ln -sf /etc/systemd/system/opencode.service /etc/systemd/system/multi-user.target.wants/opencode.service
-USER opencode
 # -----------------------------------------------------------------------------
 # Sensible Defaults Configuration
 # -----------------------------------------------------------------------------
@@ -536,6 +515,279 @@ RUN printf '%s\n' \
 # Set up pipx path
 RUN echo 'export PATH="/home/opencode/.local/bin:$PATH"' >> /home/opencode/.zshrc
+# -----------------------------------------------------------------------------
+# opencode Setup (Fork + Broker + Proxy)
+# -----------------------------------------------------------------------------
+# Keep this block near the end to preserve cache for earlier layers. We expect
+# opencode fork changes to happen more often than base tooling changes.
+#
+# This block includes:
+# - opencode build (backend binary) + app build (frontend dist)
+# - opencode-broker build
+# - nginx config for single-endpoint UI + API proxy
+# - PAM configuration + systemd services
+# - opencode config file
+#
+# NOTE: This section switches between opencode and root users as needed.
+# -----------------------------------------------------------------------------
+# opencode Installation (Fork from pRizz/opencode)
+# -----------------------------------------------------------------------------
+# Clone the fork and build opencode from source (as non-root user)
+# Pin to specific commit for reproducibility: 50fd5d1a6a17dc1b378a0e60b464a75dd876d6e2
+# Build opencode from source (BuildKit cache mounts disabled for now)
+RUN rm -rf /tmp/opencode-repo \
+    && git clone --depth 1 https://github.com/pRizz/opencode.git /tmp/opencode-repo \
+    && cd /tmp/opencode-repo \
+    && git checkout 50fd5d1a6a17dc1b378a0e60b464a75dd876d6e2 \
+    && curl -fsSL https://bun.sh/install | bash -s "bun-v1.3.5" \
+    && export PATH="/home/opencode/.bun/bin:${PATH}" \
+    && bun install --frozen-lockfile \
+    && bun run packages/opencode/script/build.ts --single \
+    && cd packages/app \
+    && bun run build \
+    && cd /tmp/opencode-repo \
+    && mkdir -p /home/opencode/.local/share/opencode/bin \
+    && cp /tmp/opencode-repo/packages/opencode/dist/opencode-*/bin/opencode /home/opencode/.local/share/opencode/bin/opencode \
+    && chown -R opencode:opencode /home/opencode/.local/share/opencode \
+    && chmod +x /home/opencode/.local/share/opencode/bin/opencode \
+    && /home/opencode/.local/share/opencode/bin/opencode --version
+# Add opencode to PATH
+ENV PATH="/home/opencode/.local/share/opencode/bin:${PATH}"
+# Copy UI assets to standard web root (requires root)
+USER root
+RUN mkdir -p /var/www/opencode \
+    && cp -R /tmp/opencode-repo/packages/app/dist/. /var/www/opencode/ \
+    && chown -R root:root /var/www/opencode \
+    && chmod 755 /var/www /var/www/opencode \
+    && chmod -R a+rX /var/www/opencode
+# -----------------------------------------------------------------------------
+# opencode-broker Installation
+# -----------------------------------------------------------------------------
+# Build opencode-broker from source (Rust service for PAM authentication)
+# The broker handles PAM authentication and user process spawning
+# NOTE: Requires root privileges for setuid bit (chmod 4755) to allow broker
+# to run with elevated privileges for PAM authentication
+USER root
+RUN cd /tmp/opencode-repo/packages/opencode-broker \
+    && runuser -u opencode -- bash -c '. /home/opencode/.cargo/env && cargo build --release' \
+    && mkdir -p /usr/local/bin \
+    && cp target/release/opencode-broker /usr/local/bin/opencode-broker \
+    && chmod 4755 /usr/local/bin/opencode-broker \
+    && rm -rf /tmp/opencode-repo
+# Verify broker binary exists and is executable
+RUN ls -la /usr/local/bin/opencode-broker \
+    && test -x /usr/local/bin/opencode-broker \
+    && echo "Broker installed"
+# -----------------------------------------------------------------------------
+# Nginx Reverse Proxy for UI + API
+# -----------------------------------------------------------------------------
+# Serve the built UI from /var/www/opencode and proxy API/WebSocket
+# TODO: Explore a sustainable routing strategy (e.g., backend-driven base URL or
+# TODO: content-type aware proxying without hardcoded path lists).
+RUN rm -f /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf 2>/dev/null || true \
+    && printf '%s\n' \
+    'server {' \
+    '  listen 3000;' \
+    '  server_name _;' \
+    '' \
+    '  root /var/www/opencode;' \
+    '  index index.html;' \
+    '' \
+    '  location = /health {' \
+    '    proxy_pass http://127.0.0.1:3001;' \
+    '  }' \
+    '' \
+    '  location /assets/ {' \
+    '    try_files $uri =404;' \
+    '  }' \
+    '' \
+    '  location ~* \.(?:js|css|png|jpg|jpeg|gif|svg|ico|webp|woff2?|ttf|map)$ {' \
+    '    try_files $uri =404;' \
+    '  }' \
+    '' \
+    '  location ~ ^/(auth|session|sessions|pty|event|events|api|ws|v1|rpc|config|global|path|project|provider) {' \
+    '    proxy_pass http://127.0.0.1:3001;' \
+    '    proxy_http_version 1.1;' \
+    '    proxy_set_header Upgrade $http_upgrade;' \
+    '    proxy_set_header Connection "upgrade";' \
+    '    proxy_set_header Host $host;' \
+    '    proxy_set_header X-Real-IP $remote_addr;' \
+    '    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+    '    proxy_set_header X-Forwarded-Proto $scheme;' \
+    '  }' \
+    '' \
+    '  location / {' \
+    '    try_files $uri $uri/ @opencode_fallback;' \
+    '  }' \
+    '' \
+    '  location @opencode_fallback {' \
+    '    if ($http_accept ~* "text/html") { rewrite ^ /index.html break; }' \
+    '    proxy_pass http://127.0.0.1:3001;' \
+    '    proxy_http_version 1.1;' \
+    '    proxy_set_header Upgrade $http_upgrade;' \
+    '    proxy_set_header Connection "upgrade";' \
+    '    proxy_set_header Host $host;' \
+    '    proxy_set_header X-Real-IP $remote_addr;' \
+    '    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;' \
+    '    proxy_set_header X-Forwarded-Proto $scheme;' \
+    '  }' \
+    '}' \
+    > /etc/nginx/conf.d/opencode.conf
+# -----------------------------------------------------------------------------
+# PAM Configuration
+# -----------------------------------------------------------------------------
+# Install PAM configuration for opencode authentication
+# This allows opencode to authenticate users via PAM (same users as Cockpit)
+# NOTE: Requires root privileges to write to /etc/pam.d/
+RUN printf '%s\n' \
+    '# PAM configuration for OpenCode authentication' \
+    '# Install to /etc/pam.d/opencode' \
+    '' \
+    '# Standard UNIX authentication' \
+    'auth required pam_unix.so' \
+    'account required pam_unix.so' \
+    '' \
+    '# Optional: Enable TOTP 2FA (uncomment when pam_google_authenticator is installed)' \
+    '# auth required pam_google_authenticator.so' \
+    > /etc/pam.d/opencode \
+    && chmod 644 /etc/pam.d/opencode
+# Verify PAM config file exists
+RUN ls -la /etc/pam.d/opencode && cat /etc/pam.d/opencode
+# -----------------------------------------------------------------------------
+# opencode-broker systemd Service
+# -----------------------------------------------------------------------------
+# Create opencode-broker service for PAM authentication
+# NOTE: Requires root privileges to write to /etc/systemd/system/
+RUN printf '%s\n' \
+    '[Unit]' \
+    'Description=OpenCode Authentication Broker' \
+    'Documentation=https://github.com/pRizz/opencode' \
+    'After=network.target' \
+    '' \
+    '[Service]' \
+    'Type=notify' \
+    'ExecStart=/usr/local/bin/opencode-broker' \
+    'ExecReload=/bin/kill -HUP $MAINPID' \
+    'Restart=always' \
+    'RestartSec=5' \
+    '' \
+    '# Security hardening' \
+    'NoNewPrivileges=false' \
+    'ProtectSystem=strict' \
+    'ProtectHome=read-only' \
+    'PrivateTmp=true' \
+    'ReadWritePaths=/run/opencode' \
+    '' \
+    '# Socket directory' \
+    'RuntimeDirectory=opencode' \
+    'RuntimeDirectoryMode=0755' \
+    '' \
+    '# Logging' \
+    'StandardOutput=journal' \
+    'StandardError=journal' \
+    'SyslogIdentifier=opencode-broker' \
+    '' \
+    '[Install]' \
+    'WantedBy=multi-user.target' \
+    > /etc/systemd/system/opencode-broker.service
+# Enable opencode-broker service
+RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
+    && ln -sf /etc/systemd/system/opencode-broker.service /etc/systemd/system/multi-user.target.wants/opencode-broker.service
+USER opencode
+# -----------------------------------------------------------------------------
+# GSD Plugin Installation
+# -----------------------------------------------------------------------------
+# Install the GSD (Get Shit Done) plugin for opencode
+# Note: If this fails in container builds due to "~" path resolution, retry with
+# OPENCODE_CONFIG_DIR=/home/opencode/.config/opencode set explicitly.
+RUN mkdir -p /home/opencode/.npm \
+    && npx --yes get-shit-done-cc --opencode --global
+# -----------------------------------------------------------------------------
+# opencode systemd Service (2026-01-22)
+# -----------------------------------------------------------------------------
+# Create opencode as a systemd service for Cockpit integration (backend only)
+# NOTE: Requires root privileges to write to /etc/systemd/system/
+USER root
+RUN printf '%s\n' \
+    '[Unit]' \
+    'Description=opencode Web Interface' \
+    'After=network.target opencode-broker.service' \
+    '' \
+    '[Service]' \
+    'Type=simple' \
+    'User=opencode' \
+    'WorkingDirectory=/home/opencode/workspace' \
+    'ExecStart=/home/opencode/.local/share/opencode/bin/opencode --port 3001 --hostname 0.0.0.0' \
+    'Restart=always' \
+    'RestartSec=5' \
+    'Environment=PATH=/home/opencode/.local/share/opencode/bin:/home/opencode/.local/bin:/home/opencode/.cargo/bin:/home/opencode/.local/share/mise/shims:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' \
+    '' \
+    '[Install]' \
+    'WantedBy=multi-user.target' \
+    > /etc/systemd/system/opencode.service
+# Enable opencode service to start at boot (manual symlink since systemctl doesn't work during build)
+RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
+    && ln -sf /etc/systemd/system/opencode.service /etc/systemd/system/multi-user.target.wants/opencode.service
+# Nginx service for serving UI + proxying API
+RUN printf '%s\n' \
+    '[Unit]' \
+    'Description=Nginx reverse proxy for opencode UI' \
+    'After=network.target opencode.service' \
+    '' \
+    '[Service]' \
+    'Type=simple' \
+    'ExecStart=/usr/sbin/nginx -g "daemon off;"' \
+    'ExecReload=/usr/sbin/nginx -s reload' \
+    'Restart=always' \
+    'RestartSec=5' \
+    '' \
+    '[Install]' \
+    'WantedBy=multi-user.target' \
+    > /etc/systemd/system/opencode-nginx.service
+# Enable nginx service
+RUN mkdir -p /etc/systemd/system/multi-user.target.wants \
+    && ln -sf /etc/systemd/system/opencode-nginx.service /etc/systemd/system/multi-user.target.wants/opencode-nginx.service
+# Prevent the distro nginx service from also starting (port 3000 conflict)
+RUN rm -f /etc/systemd/system/multi-user.target.wants/nginx.service \
+    && ln -sf /dev/null /etc/systemd/system/nginx.service
+# -----------------------------------------------------------------------------
+# opencode Configuration
+# -----------------------------------------------------------------------------
+# Create opencode.json config file with PAM authentication enabled
+RUN mkdir -p /home/opencode/.config/opencode \
+    && printf '%s\n' \
+    '{' \
+    '  "auth": {' \
+    '    "enabled": true' \
+    '  }' \
+    '}' \
+    > /home/opencode/.config/opencode/opencode.json \
+    && chown -R opencode:opencode /home/opencode/.config/opencode \
+    && chmod 644 /home/opencode/.config/opencode/opencode.json
+# Verify config file exists
+RUN ls -la /home/opencode/.config/opencode/opencode.json && cat /home/opencode/.config/opencode/opencode.json
+USER opencode
 # -----------------------------------------------------------------------------
 # Entrypoint Script (Hybrid Init Support)
 # -----------------------------------------------------------------------------
@@ -549,7 +801,8 @@ RUN printf '%s\n' \
     '    exec /sbin/init' \
     'else' \
     '    # Use runuser to switch to opencode user without password prompt' \
-    '    exec /usr/bin/tini -- runuser -u opencode -- /home/opencode/.opencode/bin/opencode web --port 3000 --hostname 0.0.0.0' \
+    '    runuser -u opencode -- /home/opencode/.local/share/opencode/bin/opencode --port 3001 --hostname 0.0.0.0 &' \
+    '    exec /usr/sbin/nginx -g "daemon off;"' \
     'fi' \
     > /usr/local/bin/entrypoint.sh && chmod +x /usr/local/bin/entrypoint.sh