fix(examples): register incus template and address panel review

johnstcn · johnstcn · commit 2f0d2a395039 · 2026-04-22T20:16:14.000Z
- Add //go:embed templates/incus and regenerate examples.gen.json
- Fix header comment and add explanatory comments in coder-incus.yaml
- Add next-step guidance to Incus section in README
- Fix Terraform install description and double-word typo in README
diff --git a/examples/examples.gen.json b/examples/examples.gen.json
@@ -160,6 +160,19 @@
 		],
 		"markdown": "\n# Remote Development on Google Compute Engine (Windows)\n\n## Prerequisites\n\n### Authentication\n\nThis template assumes that coderd is run in an environment that is authenticated\nwith Google Cloud. For example, run `gcloud auth application-default login` to\nimport credentials on the system and user running coderd. For other ways to\nauthenticate [consult the Terraform\ndocs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#adding-credentials).\n\nCoder requires a Google Cloud Service Account to provision workspaces. To create\na service account:\n\n1. Navigate to the [CGP\n   console](https://console.cloud.google.com/projectselector/iam-admin/serviceaccounts/create),\n   and select your Cloud project (if you have more than one project associated\n   with your account)\n\n1. Provide a service account name (this name is used to generate the service\n   account ID)\n\n1. Click **Create and continue**, and choose the following IAM roles to grant to\n   the service account:\n\n   - Compute Admin\n   - Service Account User\n\n   Click **Continue**.\n\n1. Click on the created key, and navigate to the **Keys** tab.\n\n1. Click **Add key** \u003e **Create new key**.\n\n1. Generate a **JSON private key**, which will be what you provide to Coder\n   during the setup process.\n\n## Architecture\n\nThis template provisions the following resources:\n\n- GCP VM (ephemeral)\n- GCP Disk (persistent, mounted to root)\n\nCoder persists the root volume. The full filesystem is preserved when the workspace restarts. See this [community example](https://github.com/bpmct/coder-templates/tree/main/aws-linux-ephemeral) of an ephemeral AWS instance.\n\n\u003e **Note**\n\u003e This template is designed to be a starting point! Edit the Terraform to extend the template to support your use case.\n\n## code-server\n\n`code-server` is installed via the `startup_script` argument in the `coder_agent`\nresource block. The `coder_app` resource is defined to access `code-server` through\nthe dashboard UI over `localhost:13337`.\n"
 	},
+	{
+		"id": "incus",
+		"url": "",
+		"name": "Incus System Container with Docker",
+		"description": "Develop in an Incus System Container with Docker using Incus",
+		"icon": "/icon/lxc.svg",
+		"tags": [
+			"incus",
+			"lxc",
+			"lxd"
+		],
+		"markdown": "\n# Incus System Container with Docker\n\nDevelop in an Incus System Container and run nested Docker containers using Incus.\n\n## Architecture\n\nThis template uses the [Incus guest API](https://linuxcontainers.org/incus/docs/main/dev-incus/) (`/dev/incus/sock`) to deliver the Coder agent token and URL into the container without any host filesystem coupling. This means:\n\n- **The provisioner does not need to run on the Incus host.** There are no bind mounts or local file writes. All configuration is passed via Incus `user.*` config keys and read from inside the container at runtime.\n- **The agent binary is downloaded automatically.** The standard Coder init script fetches the correct binary from the Coder server on every boot, keeping it in sync with the server version.\n- **The agent token is refreshed on every start.** Terraform updates the `user.coder_agent_token` config key each workspace start. A watcher service inside the container listens for config changes via the guest API events endpoint and restarts the agent when a new token arrives.\n\n### Boot sequence\n\n1. **First boot (cloud-init):** Creates the workspace user, writes the bootstrap scripts and systemd units, installs `curl` and `git`, and enables the services. Cloud-init only runs once.\n2. **Every boot (systemd):**\n   - `coder-agent-config.service` (oneshot) reads `CODER_AGENT_TOKEN` and `CODER_AGENT_URL` from the Incus guest API and writes them to `/opt/coder/init.env`.\n   - `coder-agent.service` loads the env file and runs the Coder init script, which downloads the agent binary and starts it.\n   - `coder-agent-watcher.service` streams config change events from the guest API. If the Incus provider updates the token *after* the container has already booted (a known provider ordering issue), the watcher detects the change, re-fetches the config, and restarts the agent.\n\n### Packages\n\nEssential packages (`curl`, `git`) are installed via cloud-init on first boot, before the agent starts. Additional packages (e.g. `docker.io`) are installed via a non-blocking [`coder_script`](https://registry.terraform.io/providers/coder/coder/latest/docs/resources/script) that runs on each workspace start. It does not block login; users can connect to the workspace immediately while packages install in the background. On subsequent starts, it detects packages are already installed and skips the installation.\n\n## Prerequisites\n\n1. Install [Incus](https://linuxcontainers.org/incus/) on a machine reachable by the Coder provisioner.\n2. Allow Coder to access the Incus socket.\n\n   - If you're running Coder as a system service, run `sudo usermod -aG incus-admin coder` and restart the Coder service.\n   - If you're running Coder as a Docker Compose service, get the group ID of the `incus-admin` group by running `getent group incus-admin` and add the following to your `compose.yaml` file:\n\n     ```yaml\n     services:\n       coder:\n         volumes:\n           - /var/lib/incus/unix.socket:/var/lib/incus/unix.socket\n         group_add:\n           - 996 # Replace with the group ID of the `incus-admin` group\n     ```\n\n3. Create a storage pool named `coder` by running `incus storage create coder btrfs` (or use another [supported driver](https://linuxcontainers.org/incus/docs/main/reference/storage_drivers/)).\n\n## Usage\n\n\u003e **Note:** This template requires a container image with cloud-init installed, such as `images:debian/13/cloud` or `images:ubuntu/24.04/cloud`. Images are pulled automatically from the [Linux Containers image server](https://images.linuxcontainers.org/).\n\n1. Run `coder templates push --directory .` from this directory.\n2. Create a workspace from the template in the Coder UI.\n\n## Parameters\n\n| Parameter          | Description                                                                                | Default                  |\n|--------------------|--------------------------------------------------------------------------------------------|--------------------------|\n| **Image**          | Container image with cloud-init. Options: Debian 13, Debian 12, Ubuntu 24.04, Ubuntu 22.04 | `images:debian/13/cloud` |\n| **CPU**            | Number of CPUs (1-8)                                                                       | `1`                      |\n| **Memory**         | Memory in GB (1-16)                                                                        | `2`                      |\n| **Storage pool**   | Incus storage pool name                                                                    | `coder`                  |\n| **Git repository** | Clone a git repo inside the workspace                                                      | *(empty)*                |\n\n## Extending this template\n\nSee the [lxc/incus](https://registry.terraform.io/providers/lxc/incus/latest/docs) Terraform provider documentation to add the following features to your Coder template:\n\n- Remote Incus hosts (HTTPS)\n- Additional volume mounts\n- Custom networks\n- GPU passthrough\n- More\n\nWe also welcome contributions!\n"
+	},
 	{
 		"id": "kubernetes",
 		"url": "",
diff --git a/examples/examples.go b/examples/examples.go
@@ -36,6 +36,7 @@ var (
 	//go:embed templates/gcp-linux
 	//go:embed templates/gcp-vm-container
 	//go:embed templates/gcp-windows
+	//go:embed templates/incus
 	//go:embed templates/kubernetes
 	//go:embed templates/kubernetes-devcontainer
 	//go:embed templates/nomad-docker
diff --git a/examples/lima/README.md b/examples/lima/README.md
@@ -41,11 +41,15 @@ This configuration (`coder-incus.yaml`) creates a VM to run Coder workspaces in
 This will:
 
 - Start a Debian 13 VM
-- Install Incus and Terraform from the official repos
+- Install Incus from the Debian repos and Terraform via the Coder installer
 - Install Coder using the [installation script](../../docs/install/install.sh.md)
 - Generate an initial user account `admin@coder.com` with a randomly generated password (stored in the VM under `/home/${USER}.linux/.config/coderv2/password`)
 - Initialize a [sample Incus template](https://github.com/coder/coder/tree/main/examples/templates/incus) for creating workspaces
 
+Once this completes, you can visit `http://localhost:3000` and start creating workspaces!
+
+Alternatively, enter the VM with `limactl shell coder-incus` and run `coder templates init` to start creating your own templates!
+
 ## Further Information
 
-- To learn more about Lima, [visit the the project's GitHub page](https://github.com/lima-vm/lima/).
+- To learn more about Lima, [visit the project's GitHub page](https://github.com/lima-vm/lima/).
diff --git a/examples/lima/coder-incus.yaml b/examples/lima/coder-incus.yaml
@@ -1,4 +1,4 @@
-# Deploy Coder in Lima with Incus pre-installed
+# Deploy Coder in Lima with Incus
 # See: https://coder.com/docs/install
 # $ limactl start ./coder-incus.yaml
 # $ limactl shell coder-incus
@@ -21,6 +21,7 @@ images:
   - location: "https://cloud.debian.org/images/cloud/trixie/daily/latest/debian-13-genericcloud-arm64-daily.qcow2"
     arch: "aarch64"
 
+# Disable 9p mounts; they are not supported by the Debian cloud image kernel.
 mountTypesUnsupported: [9p]
 
 # Your home directory is mounted read-only
@@ -33,6 +34,7 @@ hostResolver:
   hosts:
     host.docker.internal: host.lima.internal
 provision:
+  # Fallback for Lima versions where hostResolver is not available.
   - mode: system
     script: |
       #!/bin/sh
