[Template] SSH Linux - Add support for deploying Coder on existing Linux systems (bare-metal installation)#605
Conversation
IamTaoChen changed the title 
IamTaoChen commented Dec 17, 2025
I'm not sure if this is needed by others and suitable, so it's just a draft |
matifali commented Dec 17, 2025
Thanks for the contribution @IamTaoChen. Please move this to your own namespace. Follow the instructions here: https://coder.com/docs/about/contributing/templates |
There was a problem hiding this comment.
Pull request overview
This PR introduces a new Coder template that enables provisioning of existing Linux systems as Coder workspaces via SSH. The template supports both password and SSH key authentication methods, allowing users to deploy the Coder agent on bare-metal or pre-existing Linux installations without creating new infrastructure.
Key Changes
- SSH-based deployment template with configurable authentication (password or SSH key)
- Dynamic application selection (VS Code Desktop, VS Code Web, Cursor)
- Automated agent lifecycle management with startup/stop provisioners
Reviewed changes
Copilot reviewed 3 out of 5 changed files in this pull request and generated 6 comments.
Show a summary per file
| File | Description |
|---|---|
| registry/IamTaoChen/templates/ssh-linux/main.tf | Terraform configuration defining SSH connection, agent deployment, and application modules |
| registry/IamTaoChen/templates/ssh-linux/README.md | Template documentation covering prerequisites, architecture, parameters, and usage |
| registry/IamTaoChen/README.md | Author profile and template registry metadata |
| registry/IamTaoChen/.images/avatar.png | Author avatar image (binary) |
| .icons/linux.svg | Linux/Tux icon for template display |
| @@ -0,0 +1,66 @@ | |||
| --- | |||
| display_name: Deploy Coder on existing Linux System | |||
| description: Provision an existing Linux system as a by deploying the Coder agent via SSH with this example template. | |||
There was a problem hiding this comment.
Grammatical error: "as a by deploying" should be "as a workspace by deploying" or simply "by deploying".
| 1. Create a new workspace in Coder using this template. | ||
| 2. Fill in the parameters with your Linux system's details. | ||
| 3. Start the workspace—Coden will connect via SSH and deploy the agent. |
There was a problem hiding this comment.
Typo: "Coden" should be "Coder".
registry/IamTaoChen/README.md Outdated
| ### ssh-linux | ||
| Provision an existing Linux system as a by deploying the Coder agent via SSH with this example template. |
There was a problem hiding this comment.
Grammatical error: "as a by deploying" should be "as a workspace by deploying" or simply "by deploying".
| resource "random_integer" "vs_code_port"{ | ||
| min = 54000 | ||
| max = 55999 | ||
| } |
There was a problem hiding this comment.
The random_integer resource for vs_code_port is defined but only conditionally used when "VS Code Web" is selected. Consider moving this resource inside a conditional count or using a dynamic approach to avoid creating unnecessary resources when VS Code Web is not selected.
| connection{ | ||
| type = "ssh" | ||
| host = data.coder_parameter.host.value | ||
| user = data.coder_parameter.username.value | ||
| port = data.coder_parameter.port.value | ||
| password = local.ssh_password | ||
| private_key = local.ssh_private_key | ||
| timeout = "5m" |
There was a problem hiding this comment.
Security concern: SSH credentials (password or private key) are stored in Terraform state and passed as environment variables. Consider adding documentation warning users about this security implication, especially for production use. Users should be aware that these credentials will be stored in the Terraform state file.
There was a problem hiding this comment.
I want to use the ssh-key pair which generate by coder but I don't know how to read the private_key
| " sleep 5", | ||
| " kill -KILL \"$PID\" || true", | ||
| " fi", | ||
| " rm -r ${local.coder_cache_dir}", |
There was a problem hiding this comment.
Potential bug: The agent cleanup on stop removes the entire cache directory with rm -r ${local.coder_cache_dir}. This will delete debug logs and potentially other workspace-specific data. Consider only removing the PID file or being more selective about what gets cleaned up, especially if users want to preserve logs for troubleshooting.
There was a problem hiding this comment.
I want to rm all. this debug.log is valid while deploying failed
IamTaoChen commented Dec 17, 2025
After #606 merge, can add KasmVNC into apps   |
| order = 1 | ||
| validation{ | ||
| regex = "^[a-zA-Z0-9:.%\\-]+$" | ||
| error = "Please enter a valid hostname, IPv4, or IPv6 address." |
There was a problem hiding this comment.
The validation error message could be more helpful by providing examples of valid formats. Consider updating to: "Please enter a valid hostname, IPv4, or IPv6 address. Examples: example.com, 192.168.1.1, or fe80::1"
| error="Please enter a valid hostname, IPv4, or IPv6 address." | |
| error="Please enter a valid hostname, IPv4, or IPv6 address. Examples: example.com, 192.168.1.1, or fe80::1" |
| " kill -TERM \"$PID\" || true", | ||
| " sleep 5", | ||
| " kill -KILL \"$PID\" || true", |
There was a problem hiding this comment.
The kill command sequence may fail silently if the process doesn't exist or has already exited. The kill -0 check is good, but between the check and the actual kill, the process could exit. Additionally, kill -KILL after a 5-second sleep may be too aggressive. Consider adding error handling and potentially increasing the grace period, or checking if the process is still running before sending SIGKILL.
| " kill -TERM \"$PID\" || true", | |
| " sleep 5", | |
| " kill -KILL \"$PID\" || true", | |
| " kill -TERM \"$PID\" 2>/dev/null || echo \"Warning: failed to send SIGTERM to process $PID\" >&2", | |
| " for i in $(seq 1 10); do", | |
| " if ! kill -0 \"$PID\" 2>/dev/null; then", | |
| " break", | |
| " fi", | |
| " sleep 1", | |
| " done", | |
| " if kill -0 \"$PID\" 2>/dev/null; then", | |
| " kill -KILL \"$PID\" 2>/dev/null || echo \"Warning: failed to send SIGKILL to process $PID\" >&2", | |
| " fi", |
| 1. Create a new workspace in Coder using this template. | ||
| 2. Fill in the parameters with your Linux system's details. | ||
| 3. Start the workspace—Codenr will connect via SSH and deploy the agent. |
There was a problem hiding this comment.
Typographical error: "Codenr" should be "Coder".
| 3. Start the workspace—Codenr will connect via SSH and deploy the agent. | |
| 3. Start the workspace—Coder will connect via SSH and deploy the agent. |
| "cat > $coder_sh << 'EOF'", | ||
| "${coder_agent.main.init_script}", | ||
| "EOF", | ||
| "chmod +x $coder_sh", | ||
| "echo \"$(date) : create $coder_sh\" >> ${local.coder_cache_dir}/debug.log", | ||
| "nohup env CODER_AGENT_TOKEN='${coder_agent.main.token}' $coder_sh > $log_file 2>&1 &", |
There was a problem hiding this comment.
Security concern: The CODER_AGENT_TOKEN is being passed as a plain environment variable in the remote-exec command. This exposes the token in process listings and logs on the remote system. Consider using a more secure method to pass the token, such as writing it to a file with restricted permissions first, or using Coder's built-in secure token handling mechanisms.
| "cat > $coder_sh << 'EOF'", | |
| "${coder_agent.main.init_script}", | |
| "EOF", | |
| "chmod +x $coder_sh", | |
| "echo \"$(date) : create $coder_sh\" >> ${local.coder_cache_dir}/debug.log", | |
| "nohup env CODER_AGENT_TOKEN='${coder_agent.main.token}' $coder_sh > $log_file 2>&1 &", | |
| "token_file=${local.coder_cache_dir}/coder_token", | |
| "cat > $coder_sh << 'EOF'", | |
| "${coder_agent.main.init_script}", | |
| "EOF", | |
| "chmod +x $coder_sh", | |
| "umask 177 && printf '%s' '${coder_agent.main.token}' > \"$token_file\"", | |
| "chmod 600 \"$token_file\"", | |
| "echo \"$(date) : create $coder_sh and token file $token_file\" >> ${local.coder_cache_dir}/debug.log", | |
| "nohup sh -c 'export CODER_AGENT_TOKEN=$(cat \"$1\"); exec \"$2\"' sh \"$token_file\"\"$coder_sh\" > $log_file 2>&1 &", |
2 participants
Description
A draft that allow user connect existing linux system though coder by ssh
Type of Change
Template Information
Path:
registry/IamTaoChen/templates/ssh-linuxTesting & Validation
bun test)bun fmt)Related Issues