docs: final README pass

- Add Antigravity and SSH to feature list in intro
- Add shm.sizeLimit to Display/resources table
- Update startup flow to show accurate antigravity launch flags
- Fix kubectl describe label selector
- Add troubleshooting note for latest-tag pod restart

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Dockerfile

@@ -46,15 +46,33 @@ RUN curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - && \
 # Install Happy Coder and Claude Code globally
 RUN npm install -g happy-coder @anthropic-ai/claude-code
 
-# Install Antigravity (Google's Project IDX / Cloud Code alternative)
-# Note: Antigravity might be packaged differently - adjust as needed
-# For now, we'll use VSCode with Project IDX extensions as a placeholder
+# Install VSCode
 RUN wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor -o /usr/share/keyrings/packages.microsoft.gpg && \
     echo "deb [arch=amd64 signed-by=/usr/share/keyrings/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list && \
     apt-get update && \
     apt-get install -y code && \
     rm -rf /var/lib/apt/lists/*
 
+# Install Google Antigravity IDE
+RUN mkdir -p /etc/apt/keyrings && \
+    curl -fsSL https://us-central1-apt.pkg.dev/doc/repo-signing-key.gpg | \
+      gpg --dearmor --yes -o /etc/apt/keyrings/antigravity-repo-key.gpg && \
+    echo "deb [signed-by=/etc/apt/keyrings/antigravity-repo-key.gpg] https://us-central1-apt.pkg.dev/projects/antigravity-auto-updater-dev/ antigravity-debian main" \
+      > /etc/apt/sources.list.d/antigravity.list && \
+    apt-get update && \
+    apt-get install -y antigravity && \
+    rm -rf /var/lib/apt/lists/*
+
+# Install OpenSSH server (for SSH IDE mode)
+RUN apt-get update && \
+    apt-get install -y openssh-server && \
+    rm -rf /var/lib/apt/lists/* && \
+    mkdir -p /var/run/sshd && \
+    sed -i 's/#PubkeyAuthentication yes/PubkeyAuthentication yes/' /etc/ssh/sshd_config && \
+    sed -i 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && \
+    sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config && \
+    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
+
 # Create user user with specific UID/GID
 RUN groupadd -g 1000 user && \
     useradd -u 1000 -g 1000 -m -s /bin/bash user && \
@@ -69,6 +87,7 @@ COPY --chmod=755 scripts/startapp.sh /startapp.sh
 COPY --chmod=755 scripts/init-repo.sh /usr/local/bin/init-repo
 # Fix app user shell after baseimage-gui creates it at runtime
 COPY --chmod=755 scripts/cont-init-user.sh /etc/cont-init.d/20-fix-user-shell.sh
+COPY --chmod=755 scripts/cont-init-sshd.sh /etc/cont-init.d/25-start-sshd.sh
 
 # Set working directory
 WORKDIR /workspace

README.md

@@ -3,7 +3,8 @@
 ![Build and Push](https://github.com/cpfarhood/devcontainer/actions/workflows/build-and-push.yaml/badge.svg)
 
 A containerized cloud development environment with web-based GUI access, featuring:
-- **VSCode** via browser-based VNC (port 5800)
+- **VSCode or Google Antigravity** via browser-based VNC (port 5800)
+- **SSH access** option (OpenSSH on port 22, additive with any IDE)
 - **Happy Coder** AI assistant backed by Claude
 - **Automatic GitHub repo cloning** on startup
 - **Persistent home directory** via ReadWriteMany PVC
@@ -20,6 +21,7 @@ The secret is picked up automatically via `envFrom`. Keys recognised:
 | `GITHUB_TOKEN` | PAT for private repo access (`repo` scope) |
 | `VNC_PASSWORD` | Password for the VNC web UI |
 | `ANTHROPIC_API_KEY` | API key — alternative to browser-based Claude login |
+| `SSH_AUTHORIZED_KEYS` | Public key(s) for SSH access (required when `ssh: true`) |
 
 ```bash
 kubectl create secret generic devcontainer-mydev-secrets-env \
@@ -75,16 +77,55 @@ A Chrome browser window will open inside VNC for the Claude Max OAuth login. Cre
 |-------|---------|-------------|
 | `name` | `""` | Instance name — used in all resource names (`devcontainer-{name}`) |
 | `githubRepo` | `""` | Repository to clone into `/workspace` on startup |
+| `ide` | `vscode` | IDE to launch — `vscode`, `antigravity`, or `none` (see below) |
+| `ssh` | `false` | Also start an OpenSSH server on port 22 (additive, any `ide`) |
 | `image.repository` | `ghcr.io/cpfarhood/devcontainer` | Container image |
 | `image.tag` | `latest` | Image tag |
 
+### IDE choice
+
+`ide` controls what GUI is launched in the VNC session:
+
+| Value | Port | Description |
+|-------|------|-------------|
+| `vscode` (default) | 5800 (VNC) | VSCode desktop via browser-based VNC |
+| `antigravity` | 5800 (VNC) | Google Antigravity (VSCode fork with AI) via VNC |
+| `none` | — | No IDE; container stays alive (useful when `ssh: true`) |
+
+### SSH access
+
+`ssh: true` starts OpenSSH on port 22 **in addition to** the IDE. It works with any `ide` value:
+
+```bash
+# SSH-only (no VNC)
+helm install mydev ./chart --set name=mydev --set ide=none --set ssh=true
+
+# VSCode in VNC + SSH access at the same time
+helm install mydev ./chart --set name=mydev --set ssh=true
+```
+
+Add your public key to the env secret:
+
+```bash
+kubectl create secret generic devcontainer-mydev-secrets-env \
+  --from-literal=GITHUB_TOKEN='ghp_...' \
+  --from-literal=SSH_AUTHORIZED_KEYS='ssh-ed25519 AAAA...'
+```
+
+Then connect:
+
+```bash
+kubectl port-forward deployment/devcontainer-mydev 2222:22
+ssh -p 2222 user@localhost
+```
+
 ### Happy Coder
 
 | Value | Default | Description |
 |-------|---------|-------------|
 | `happyServerUrl` | `https://happy.farh.net` | Happy Coder server endpoint |
 | `happyWebappUrl` | `https://happy-coder.farh.net` | Happy Coder webapp URL |
-| `happyHomeDir` | `/workspace/.happy` | Happy runtime state directory (ephemeral — lives in emptyDir) |
+| `happyHomeDir` | `/home/user/.happy` | Happy runtime state directory (persists on the home PVC) |
 | `happyExperimental` | `true` | Enable experimental Happy features |
 
 ### Kubernetes cluster access
@@ -120,6 +161,7 @@ With any non-`none` value, a `ServiceAccount` named `devcontainer-{name}` is cre
 | `groupId` | `1000` | GID for the app user |
 | `storage.size` | `32Gi` | Home PVC size |
 | `storage.className` | `ceph-filesystem` | StorageClass (must be ReadWriteMany) |
+| `shm.sizeLimit` | `2Gi` | `/dev/shm` size (memory-backed; used by Electron apps) |
 | `resources.requests.memory` | `2Gi` | |
 | `resources.requests.cpu` | `1000m` | |
 | `resources.limits.memory` | `8Gi` | |
@@ -133,13 +175,18 @@ With any non-`none` value, a `ServiceAccount` named `devcontainer-{name}` is cre
 ### Startup flow
 
 ```
-Container start (as app user, UID 1000)
+Container start
   → cont-init.d/20-fix-user-shell.sh   — fix shell/home on baseimage-gui app user
-  → /startapp.sh
+  → cont-init.d/25-start-sshd.sh       — start sshd if SSH=true
+  → /startapp.sh  (runs as app user, UID 1000)
       → init-repo.sh
           → clone / pull GITHUB_REPO into /workspace/{repo}
-          → happy daemon start          — starts Happy Coder background daemon
-      → code --new-window /workspace/{repo}   — opens VSCode in VNC
+          → rm daemon.state.json.lock    — clear stale Happy lock
+          → happy daemon start           — starts Happy Coder background daemon
+      → IDE=vscode:      code --new-window --wait /workspace/{repo}
+        IDE=antigravity:  antigravity --no-sandbox --user-data-dir ~/.config/antigravity ... /workspace/{repo}
+        IDE=none:         sleep infinity
+      (SSH=true: sshd also running as root on port 22; host keys persisted on PVC)
 ```
 
 ### Storage
@@ -149,7 +196,7 @@ Container start (as app user, UID 1000)
 | `/home` | ReadWriteMany PVC (`userhome-{name}`) | Survives pod restarts — stores Claude credentials, dotfiles, git config |
 | `/workspace` | `emptyDir` | Ephemeral — repo is re-cloned on each pod start |
 
-Happy Coder's runtime state (`HAPPY_HOME_DIR`) is kept in `/workspace/.happy` so stale lock files never survive a pod restart.
+Happy Coder's runtime state (`HAPPY_HOME_DIR`) is kept in `/home/user/.happy` on the persistent home PVC, so auth credentials and settings survive pod restarts. A stale lock file (`daemon.state.json.lock`) is removed automatically on each startup.
 
 ---
 
@@ -165,7 +212,7 @@ happy daemon status
 happy daemon start
 
 # View daemon logs
-ls ~/.happy/logs/ || ls /workspace/.happy/logs/
+ls ~/.happy/logs/
 ```
 
 ### Claude not authenticated
@@ -185,7 +232,15 @@ Then restart the pod to pick up the new env var.
 ```bash
 kubectl port-forward deployment/devcontainer-mydev 5800:5800
 kubectl logs deployment/devcontainer-mydev
-kubectl describe pod -l instance=mydev
+kubectl describe pod -l app.kubernetes.io/instance=mydev
+```
+
+### Pod not picking up new image after upgrade
+
+The chart uses `image.tag: latest`. Kubernetes won't restart the pod on a Helm upgrade unless the Deployment spec changes. Force a restart manually:
+
+```bash
+kubectl rollout restart deployment/devcontainer-mydev
 ```
 
 ### Repository not cloning

chart/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: devcontainer
 description: Antigravity Dev Container with Happy Coder AI assistant
 type: application
-version: 0.1.3
+version: 0.1.12
 appVersion: "latest"

chart/templates/deployment.yaml

@@ -25,10 +25,21 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           ports:
+            {{- if ne (.Values.ide | default "vscode") "none" }}
             - containerPort: 5800
               name: vnc-web
               protocol: TCP
+            {{- end }}
+            {{- if .Values.ssh }}
+            - containerPort: 22
+              name: ssh
+              protocol: TCP
+            {{- end }}
           env:
+            - name: IDE
+              value: {{ .Values.ide | default "vscode" | quote }}
+            - name: SSH
+              value: {{ .Values.ssh | toString | quote }}
             - name: USER_ID
               value: {{ .Values.userId | quote }}
             - name: GROUP_ID
@@ -60,6 +71,9 @@ spec:
               mountPath: /home
             - name: workspace
               mountPath: /workspace
+            - name: shm
+              mountPath: /dev/shm
+          {{- if ne (.Values.ide | default "vscode") "none" }}
           livenessProbe:
             httpGet:
               path: /
@@ -72,9 +86,25 @@ spec:
               port: 5800
             initialDelaySeconds: 10
             periodSeconds: 5
+          {{- else if .Values.ssh }}
+          livenessProbe:
+            tcpSocket:
+              port: 22
+            initialDelaySeconds: 15
+            periodSeconds: 10
+          readinessProbe:
+            tcpSocket:
+              port: 22
+            initialDelaySeconds: 5
+            periodSeconds: 5
+          {{- end }}
       volumes:
         - name: workspace
           emptyDir: {}
+        - name: shm
+          emptyDir:
+            medium: Memory
+            sizeLimit: {{ .Values.shm.sizeLimit }}
         - name: userhome
           persistentVolumeClaim:
             claimName: {{ include "antigravity.pvcName" . }}

chart/templates/service.yaml

@@ -6,9 +6,17 @@ metadata:
     {{- include "antigravity.labels" . | nindent 4 }}
 spec:
   ports:
+    {{- if ne (.Values.ide | default "vscode") "none" }}
     - port: 5800
       name: vnc-web
       protocol: TCP
       targetPort: vnc-web
+    {{- end }}
+    {{- if .Values.ssh }}
+    - port: 22
+      name: ssh
+      protocol: TCP
+      targetPort: ssh
+    {{- end }}
   selector:
     {{- include "antigravity.labels" . | nindent 4 }}

chart/values.yaml

@@ -9,10 +9,21 @@ image:
 # GitHub repository to clone into /workspace
 githubRepo: ""
 
+# IDE to launch inside the container.
+# Options:
+#   vscode      — VSCode via VNC browser UI on port 5800 (default)
+#   antigravity — Google Antigravity (VSCode fork) via VNC on port 5800
+#   none        — no IDE; useful when ssh: true is the sole access method
+ide: vscode
+
+# Start an OpenSSH server on port 22 in addition to the IDE.
+# Set SSH_AUTHORIZED_KEYS in the env secret to allow key-based login.
+ssh: false
+
 # Happy Coder endpoints
 happyServerUrl: "https://happy.farh.net"
 happyWebappUrl: "https://happy-coder.farh.net"
-happyHomeDir: "/workspace/.happy"
+happyHomeDir: "/home/user/.happy"
 happyExperimental: "true"
 
 # VNC display
@@ -30,6 +41,11 @@ storage:
   size: 32Gi
   className: ceph-filesystem
 
+# Shared memory size — mounted at /dev/shm as a memory-backed emptyDir.
+# Electron apps (Antigravity, Chrome) use /dev/shm for GPU/IPC buffers.
+shm:
+  sizeLimit: 2Gi
+
 resources:
   requests:
     memory: "2Gi"

scripts/cont-init-sshd.sh

@@ -0,0 +1,45 @@
+#!/bin/sh
+# Start OpenSSH server when SSH=true.
+# Runs as root during container initialisation (cont-init.d).
+[ "${SSH:-false}" = "true" ] || exit 0
+
+echo "=== SSH enabled: starting sshd ==="
+
+HOME_DIR="/home/user"
+HOST_KEY_STORE="$HOME_DIR/.ssh/host_keys"
+
+# Persist host keys on the home PVC so clients don't see a "host key
+# changed" warning after pod restarts.
+if [ -d "$HOST_KEY_STORE" ] && [ -n "$(ls "$HOST_KEY_STORE"/ssh_host_* 2>/dev/null)" ]; then
+    # Restore previously generated host keys
+    echo "Restoring SSH host keys from PVC..."
+    cp "$HOST_KEY_STORE"/ssh_host_* /etc/ssh/
+    chmod 600 /etc/ssh/ssh_host_*_key
+    chmod 644 /etc/ssh/ssh_host_*_key.pub
+else
+    # First boot: generate and save host keys to PVC
+    echo "Generating SSH host keys (first boot)..."
+    ssh-keygen -A 2>/dev/null || true
+    mkdir -p "$HOST_KEY_STORE"
+    cp /etc/ssh/ssh_host_* "$HOST_KEY_STORE/"
+    chmod 700 "$HOST_KEY_STORE"
+    chown -R 1000:1000 "$HOST_KEY_STORE"
+    echo "SSH host keys saved to PVC."
+fi
+
+# Populate authorized_keys from env var (injected via Kubernetes secret)
+if [ -n "$SSH_AUTHORIZED_KEYS" ]; then
+    mkdir -p "$HOME_DIR/.ssh"
+    chmod 700 "$HOME_DIR/.ssh"
+    printf '%s\n' "$SSH_AUTHORIZED_KEYS" > "$HOME_DIR/.ssh/authorized_keys"
+    chmod 600 "$HOME_DIR/.ssh/authorized_keys"
+    chown -R 1000:1000 "$HOME_DIR/.ssh"
+    echo "SSH authorized keys configured."
+else
+    echo "WARNING: SSH_AUTHORIZED_KEYS not set — you will not be able to log in."
+fi
+
+# Start sshd in background (root required to bind :22 and fork sessions)
+/usr/sbin/sshd -D &
+
+echo "sshd started (PID $!)"

scripts/init-repo.sh

@@ -63,10 +63,9 @@ chown "$RUN_UID:$RUN_GID" "$HOME"
 # so no sudo needed — Happy/Claude Code will find credentials in the correct home dir.
 echo "Starting Happy Coder..."
 
-# HAPPY_HOME_DIR is in /workspace (emptyDir), so it is always fresh on pod start.
-# Remove the lock file as a safety net in case daemon start is called more than
-# once within the same container lifetime.
-rm -f "${HAPPY_HOME_DIR:-/workspace/.happy}/daemon.state.json.lock"
+# Remove stale lock file. HAPPY_HOME_DIR lives on the home PVC so it survives
+# pod restarts — without this cleanup the daemon refuses to start after a crash.
+rm -f "${HAPPY_HOME_DIR:-$HOME/.happy}/daemon.state.json.lock"
 
 cd "$WORKSPACE_DIR"
 happy daemon start || echo "Happy Coder daemon failed to start, continuing anyway..."

scripts/startapp.sh

@@ -14,8 +14,27 @@ else
     WORKSPACE_DIR="/workspace/default"
 fi
 
-echo "Opening Antigravity in: $WORKSPACE_DIR"
+IDE="${IDE:-vscode}"
+echo "IDE mode: $IDE"
+echo "Workspace: $WORKSPACE_DIR"
 
-# Start Antigravity (VSCode) in the workspace directory as claude user
-# The baseimage-gui will handle the GUI display
-exec code --new-window --wait "$WORKSPACE_DIR"
+case "$IDE" in
+    antigravity)
+        echo "Opening Google Antigravity in: $WORKSPACE_DIR"
+        # --no-sandbox is required for Electron apps in Docker (no kernel sandbox available).
+        # Explicit --user-data-dir and --extensions-dir pin config to the home PVC so
+        # settings and the setup wizard state survive pod restarts.
+        exec antigravity --no-sandbox \
+            --user-data-dir "$HOME/.config/antigravity" \
+            --extensions-dir "$HOME/.antigravity/extensions" \
+            --new-window --wait "$WORKSPACE_DIR"
+        ;;
+    none)
+        echo "IDE=none: no IDE launched, keeping container alive."
+        exec sleep infinity
+        ;;
+    *)
+        echo "Opening VSCode in: $WORKSPACE_DIR"
+        exec code --new-window --wait "$WORKSPACE_DIR"
+        ;;
+esac