code-server — Runbook
Routine Tasks
Rotate OIDC client secret
- Run
pocketid-setupworkflow from Forgejo Actions (workflow_dispatch) - The playbook creates a new client secret and updates Vault automatically
- Trigger
Deploy code-serverworkflow to pick up the new secret
Logs
| Log | Contents | Location | Loki query | Format |
|---|---|---|---|---|
| Application | HTTP requests, extension loading, terminal sessions | Docker (LXC 118) stdout | {job="tools", container="code-server"} |
Plain text |
| OAuth2 Proxy | Auth events, OIDC redirects, access denials | Docker (LXC 119) stdout | {job="infra-apps", container="oauth2-proxy-code-server"} |
Plain text |
Notes:
- SSH fallback: ssh [email protected] "pct exec 118 -- docker logs code-server" / ssh [email protected] "pct exec 119 -- docker logs oauth2-proxy-code-server"
Troubleshooting
Stuck on auth redirect loop
- Check oauth2-proxy logs for OIDC errors
- Verify the client secret in Vault is up to date: re-run
pocketid-setupand redeploy - Clear browser cookies for
code.eva-00.networkand retry
Workspace changes lost after redeploy
The workspace is in the code-server-workspace Docker volume — it persists across redeployments. If data was lost, check if the volume was accidentally removed during a docker-compose down -v.