holyclaude-ai-workstation
Deploy a full AI coding workstation with Claude Code, web UI, headless browser, and 5 AI CLIs in a single Docker container
How do I install this agent skill?
npx skills add https://github.com/aradotso/trending-skills --skill holyclaude-ai-workstationIs this agent skill safe to install?
- Gen Agent Trust Hubfail
This skill instructs users to download and run an opaque Docker image from an untrusted source with elevated container privileges, creating significant security risks including potential remote code execution and credential exposure.
- Socketwarn
1 alert: gptSecurity
- Snykfail
Risk: CRITICAL · 4 issues
- ZeroLeakspass
Score: 93/100 · 2 sections analyzed
What does this agent skill do?
HolyClaude AI Workstation
Skill by ara.so — Daily 2026 Skills collection.
HolyClaude is a containerized AI development workstation that bundles Claude Code CLI, a CloudCLI web UI, Chromium headless browser with Playwright, 5 AI CLIs (Claude, Gemini, OpenAI Codex, Cursor, TaskMaster AI), and 50+ dev tools into a single Docker image. One docker compose up replaces hours of manual setup.
Installation
Prerequisites
- Docker + Docker Compose installed
- Existing Anthropic account (Max/Pro subscription or API key)
Quick Start
mkdir holyclaude && cd holyclaude
Create docker-compose.yaml:
services:
holyclaude:
image: CoderLuii/HolyClaude:latest
container_name: holyclaude
hostname: holyclaude
restart: unless-stopped
shm_size: 2g
ports:
- "3001:3001"
volumes:
- ./data/claude:/root/.claude
- ./data/config:/root/.config
- ./projects:/workspace
environment:
- PUID=1000
- PGID=1000
docker compose up -d
# Open http://localhost:3001
Image Variants
# Full image — all tools pre-installed (recommended)
docker pull CoderLuii/HolyClaude:latest
# Slim image — smaller download, tools installed on demand
docker pull CoderLuii/HolyClaude:slim
# Pinned version for production stability
docker pull CoderLuii/HolyClaude:1.2.3
docker pull CoderLuii/HolyClaude:1.2.3-slim
Full Docker Compose Configuration
services:
holyclaude:
image: CoderLuii/HolyClaude:latest
container_name: holyclaude
hostname: holyclaude
restart: unless-stopped
shm_size: 2g # Required for Chromium
ports:
- "3001:3001" # CloudCLI web UI
volumes:
- ./data/claude:/root/.claude # Claude credentials & config (persisted)
- ./data/config:/root/.config # App config (persisted)
- ./projects:/workspace # Your project files
environment:
# User/group IDs (match host user to avoid permission issues)
- PUID=1000
- PGID=1000
# AI provider API keys (optional — can also set via web UI)
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
- GEMINI_API_KEY=${GEMINI_API_KEY}
- OPENAI_API_KEY=${OPENAI_API_KEY}
- CURSOR_API_KEY=${CURSOR_API_KEY}
# NAS/SMB mount polling (enable if using Synology/QNAP)
- CHOKIDAR_USEPOLLING=true
# Notification webhooks (optional)
- DISCORD_WEBHOOK_URL=${DISCORD_WEBHOOK_URL}
- SLACK_WEBHOOK_URL=${SLACK_WEBHOOK_URL}
security_opt:
- seccomp:unconfined # Required for Chromium sandbox
Environment Variable Reference
| Variable | Required | Description |
|---|---|---|
PUID | Recommended | Host user ID (run id -u to find yours) |
PGID | Recommended | Host group ID (run id -g to find yours) |
ANTHROPIC_API_KEY | Optional | Anthropic API key (alternative to OAuth login) |
GEMINI_API_KEY | Optional | Google AI API key for Gemini CLI |
OPENAI_API_KEY | Optional | OpenAI API key for Codex CLI |
CURSOR_API_KEY | Optional | Cursor API key |
CHOKIDAR_USEPOLLING | NAS only | Set true for SMB/NFS mounts |
DISCORD_WEBHOOK_URL | Optional | Discord notifications |
SLACK_WEBHOOK_URL | Optional | Slack notifications |
Authentication
Method 1: OAuth (Claude Max/Pro Subscription)
- Open
http://localhost:3001 - Create a CloudCLI account (10 seconds)
- Sign in with your Anthropic account via OAuth
- No API key needed — uses your existing subscription
Method 2: API Key
environment:
- ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
Or paste the key directly in the CloudCLI web UI settings.
Credential Persistence
Credentials are stored in the bind-mounted volume:
./data/claude/ → /root/.claude/
./data/config/ → /root/.config/
Credentials survive container restarts, updates, and recreation.
Platform-Specific Configuration
Linux (amd64/arm64) — Default
# No extra config needed
shm_size: 2g
macOS (Docker Desktop)
# Works out of the box with Docker Desktop
shm_size: 2g
Windows (WSL2 + Docker Desktop)
# Requires WSL2 backend enabled in Docker Desktop
shm_size: 2g
Synology / QNAP NAS
environment:
- CHOKIDAR_USEPOLLING=true # Fixes file watching on SMB mounts
volumes:
- /volume1/docker/holyclaude/data/claude:/root/.claude
- /volume1/docker/holyclaude/projects:/workspace
Kubernetes (ARM64 / Oracle Cloud Graviton)
# arm64 image is published alongside amd64
image: CoderLuii/HolyClaude:latest # multi-arch manifest auto-selects correct arch
What's Inside the Container
AI CLIs
| CLI | Invocation | Key Provider |
|---|---|---|
| Claude Code | claude | Anthropic (ANTHROPIC_API_KEY or OAuth) |
| Gemini CLI | gemini | Google (GEMINI_API_KEY) |
| OpenAI Codex | codex | OpenAI (OPENAI_API_KEY) |
| Cursor | cursor | Cursor (CURSOR_API_KEY) |
| TaskMaster AI | task-master | Uses configured AI provider keys |
Headless Browser Stack
- Chromium — pre-installed and configured
- Xvfb — virtual display on
:99 - Playwright — configured and ready
- Shared memory —
shm_size: 2gpre-configured (fixes the 64MB Docker default)
Dev Tools (50+)
- Languages: Node.js, Python 3, TypeScript, Bun, Deno
- Package managers: npm, yarn, pnpm, pip, cargo
- Database clients: PostgreSQL, MySQL, SQLite, Redis CLI
- Cloud CLIs: AWS CLI, Google Cloud SDK, Azure CLI
- Dev tools: GitHub CLI (
gh), Git, curl, jq, ripgrep, fd - Process manager: s6-overlay (auto-restart, graceful shutdown)
Working with Projects
Mount your project directory
volumes:
- ./projects:/workspace
# Or mount a specific project:
- /path/to/my-app:/workspace/my-app
Inside the container
# Access the container shell
docker exec -it holyclaude bash
# Navigate to workspace
cd /workspace
# Run Claude Code directly
claude
# Run other AI CLIs
gemini
codex
Playwright / Headless Browser Usage
Playwright is pre-configured. Use it from Claude Code tasks or directly:
// playwright.config.ts — already works inside the container
import { defineConfig } from '@playwright/test';
export default defineConfig({
use: {
// Chromium is pre-installed, no download needed
browserName: 'chromium',
launchOptions: {
args: [
'--no-sandbox',
'--disable-setuid-sandbox',
'--disable-dev-shm-usage', // Use /tmp instead of /dev/shm
],
},
},
});
// Direct Playwright usage inside container
import { chromium } from 'playwright';
const browser = await chromium.launch({
args: [
'--no-sandbox',
'--disable-setuid-sandbox',
'--disable-dev-shm-usage',
],
});
const page = await browser.newPage();
await page.goto('https://example.com');
const screenshot = await page.screenshot({ path: '/workspace/screenshot.png' });
await browser.close();
# Run Playwright tests inside container
docker exec -it holyclaude bash -c "cd /workspace && npx playwright test"
# Run with headed mode via Xvfb
docker exec -it holyclaude bash -c "DISPLAY=:99 npx playwright test --headed"
Updating HolyClaude
# Pull latest image
docker compose pull
# Recreate container with new image (zero data loss — data is in bind mounts)
docker compose up -d
# Or explicit recreation
docker compose down && docker compose up -d
Pinned Version Strategy
# For production: pin to a specific version
image: CoderLuii/HolyClaude:1.2.3
# Update by changing the tag and running:
docker compose up -d
Data & Persistence
holyclaude/
├── docker-compose.yaml
├── data/
│ ├── claude/ # Claude credentials, .claude.json, history
│ └── config/ # CloudCLI and app configuration
└── projects/ # Your workspace (mount your code here)
All credentials and config survive:
- Container restarts
docker compose down && up- Image updates via
docker compose pull - Container recreation
Common Patterns
Pattern: Multiple Projects
volumes:
- ./data/claude:/root/.claude
- ./data/config:/root/.config
- ~/code/project-a:/workspace/project-a
- ~/code/project-b:/workspace/project-b
- ~/code/project-c:/workspace/project-c
Pattern: Read-only API Keys via .env file
# .env (never commit this)
ANTHROPIC_API_KEY=sk-ant-...
GEMINI_API_KEY=AIza...
OPENAI_API_KEY=sk-...
# docker-compose.yaml
services:
holyclaude:
env_file: .env
Pattern: Custom Port
ports:
- "8080:3001" # Access via http://localhost:8080
Pattern: Remote Server Access
ports:
- "0.0.0.0:3001:3001" # Accessible from network
# Then access via http://your-server-ip:3001
# Recommend putting behind nginx/Caddy with HTTPS for production
Pattern: Nginx Reverse Proxy
services:
holyclaude:
image: CoderLuii/HolyClaude:latest
# Don't expose ports directly — nginx handles it
expose:
- "3001"
networks:
- web
nginx:
image: nginx:alpine
ports:
- "443:443"
volumes:
- ./nginx.conf:/etc/nginx/conf.d/default.conf
- ./certs:/etc/nginx/certs
networks:
- web
networks:
web:
Troubleshooting
Container won't start
# Check logs
docker compose logs holyclaude
# Check if port 3001 is already in use
lsof -i :3001
Chromium crashes / headless browser fails
# Ensure shm_size is set (CRITICAL)
shm_size: 2g
# Ensure seccomp is unconfined
security_opt:
- seccomp:unconfined
# Verify display is available inside container
docker exec holyclaude bash -c "echo $DISPLAY"
# Should output: :99
Permission denied errors on bind mounts
environment:
- PUID=1000 # Must match your host user: `id -u`
- PGID=1000 # Must match your host group: `id -g`
# Fix existing permissions on host
sudo chown -R 1000:1000 ./data ./projects
File watching broken on NAS / SMB mounts
environment:
- CHOKIDAR_USEPOLLING=true
Claude Code installer hangs
This is pre-solved in HolyClaude — the container sets the correct WORKDIR ownership. If you're building a custom image on top:
# Ensure WORKDIR is not root-owned before running Claude Code installer
RUN chown -R node:node /app
WORKDIR /app
SQLite locks on NAS mount
volumes:
# Move SQLite databases to a local volume, not NAS mount
- holyclaude-db:/root/.local/share/holyclaude
- /nas/mount:/workspace # NAS mount only for project files
volumes:
holyclaude-db:
Claude Code authentication lost after restart
# Ensure this volume is mounted (credentials live here)
volumes:
- ./data/claude:/root/.claude
Process keeps dying / not restarting
HolyClaude uses s6-overlay for process supervision. Check service status:
docker exec holyclaude s6-svstat /run/service/cloudcli
docker exec holyclaude s6-svstat /run/service/xvfb
Building Locally
git clone https://github.com/CoderLuii/HolyClaude.git
cd HolyClaude
# Build full image
docker build -t holyclaude:local .
# Build slim image
docker build -t holyclaude:local-slim --target slim .
# Build for specific platform
docker buildx build --platform linux/arm64 -t holyclaude:arm64 .
# Run your local build
docker run -d \
--name holyclaude \
--shm-size=2g \
-p 3001:3001 \
-v $(pwd)/data/claude:/root/.claude \
holyclaude:local
Quick Reference
# Start
docker compose up -d
# Stop
docker compose down
# View logs (live)
docker compose logs -f holyclaude
# Shell access
docker exec -it holyclaude bash
# Update to latest
docker compose pull && docker compose up -d
# Restart only the container
docker compose restart holyclaude
# Check resource usage
docker stats holyclaude
How can the creator link this skill?
Add the canonical catalog link to the repository README so users can inspect current installs and available audits. The publishing guide covers the complete discovery path.
<a href="https://skillzs.dev/skills/aradotso/trending-skills/holyclaude-ai-workstation">View holyclaude-ai-workstation on skillZs</a>