fix: robust agent user setup and document network routing

Cloud-init runcmd now explicitly creates the agent user with SSH key,
handling cases where cloud-init's users section fails silently or the
base image has unexpected state.

README documents the route command needed after colima start with
--network-address to reach containers on the Incus bridge network.

Author: stuffbucket

README.md

@@ -17,6 +17,18 @@ brew install colima incus
 colima start --profile incus --vm-type vz --vz-rosetta --network-address
 ```
 
+The `--network-address` flag assigns a routable IP to the VM. After starting, add a route so your Mac can reach containers on the Incus bridge network:
+
+```bash
+# Get the VM's IP address
+VM_IP=$(colima list -p incus -j | jq -r '.address')
+
+# Add route to container network (persists until reboot)
+sudo route add -net 192.100.0.0/24 $VM_IP
+```
+
+To make routing persistent across reboots, add a LaunchDaemon or re-run after `colima start`.
+
 Build and initialize:
 
 ```bash

coop

@@ -93,10 +93,20 @@ write_files:
     permissions: '0644'
 
 runcmd:
+  # Ensure agent user exists with correct shell (handles UID conflicts)
+  - id agent >/dev/null 2>&1 || useradd -m -s /bin/bash -u 1000 -U agent
+  - usermod -s /bin/bash agent
+  - usermod -aG sudo,adm agent || true
+  - 'echo "agent ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/agent'
+  
   # Setup agent home directories
   - mkdir -p /home/agent/.bashrc.d /home/agent/.local/bin /home/agent/.config
   - mkdir -p /home/agent/.ssh /home/agent/.vscode-server /home/agent/workspace /home/agent/go/bin
   - chmod 700 /home/agent/.ssh
+{{- if .SSHPubKey }}
+  - 'echo "{{.SSHPubKey}}" > /home/agent/.ssh/authorized_keys'
+  - chmod 600 /home/agent/.ssh/authorized_keys
+{{- end }}
   - 'grep -q "bashrc.d" /home/agent/.bashrc || echo "for f in ~/.bashrc.d/*.sh; do [ -r \"$f\" ] && . \"$f\"; done" >> /home/agent/.bashrc'
   
   # Optional upgrades (non-fatal)