diff --git a/stack/vs-code-server.yml b/stack/vs-code-server.yml
index f5fe807..39fbe2d 100644
--- a/stack/vs-code-server.yml
+++ b/stack/vs-code-server.yml
@@ -5,38 +5,32 @@ services:
     image: ghcr.io/coder/coder:latest
     container_name: coder
     restart: unless-stopped
+    user: "1000:1000"  # 非 root
     environment:
-      # === 資料庫連線（同 stack 內的 postgres）===
+      # === 資料庫 ===
       CODER_PG_CONNECTION_URL: postgresql://coder:${POSTGRES_PASSWORD}@postgres:5432/coder?sslmode=disable
 
-      # === 外部存取設定 ===
-      CODER_ADDRESS: 0.0.0.0:3000
-      CODER_WILDCARD_ACCESS_URL: "https://*.coder.your-domain.com"  # 子域名給 workspace
-      CODER_ACCESS_URL: "https://coder.your-domain.com"            # 主 dashboard
+      # === 外部 URL ===
+      CODER_ACCESS_URL: https://coder.your-domain.com
+      CODER_WILDCARD_ACCESS_URL: https://*.coder.your-domain.com
 
-      # === TLS 由 Nginx/Cloudflared 處理 ===
+      # === TLS 由 Nginx 處理 ===
       CODER_TLS_ENABLE: "false"
 
-      # === GitHub OIDC SSO（多使用者自動登入）===
-      CODER_OIDC_ISSUER_URL: "https://token.actions.githubusercontent.com"
-      CODER_OIDC_CLIENT_ID: "${CODER_OIDC_CLIENT_ID}"
-      CODER_OIDC_CLIENT_SECRET: "${CODER_OIDC_CLIENT_SECRET}"
-      CODER_OIDC_EMAIL_DOMAIN: ""  # 留空允許所有 GitHub 帳號
+      # === GitHub OIDC ===
+      CODER_OIDC_ISSUER_URL: https://token.actions.githubusercontent.com
+      CODER_OIDC_CLIENT_ID: ${CODER_OIDC_CLIENT_ID}
+      CODER_OIDC_CLIENT_SECRET: ${CODER_OIDC_CLIENT_SECRET}
       CODER_OIDC_ALLOW_SIGNUPS: "true"
 
-      # === Docker 權限（讓 Coder 建立 workspace 容器）===
-      DOCKER_HOST: "unix:///var/run/docker.sock"
-
     volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-      - coder_data:/home/coder/.config
+      # 每個使用者獨立資料夾
+      - user_data:/home
+      - coder_config:/home/coder/.config
     networks:
       - coder-net
     depends_on:
       - postgres
-    # 不暴露端口！由 Nginx 反向代理
-    # ports:
-    #   - "3000:3000"
 
   postgres:
     image: postgres:15-alpine
@@ -52,7 +46,13 @@ services:
       - coder-net
 
 volumes:
-  coder_data:
+  user_data:
+    driver: local
+    driver_opts:
+      type: none
+      device: /path/to/host/user_data   # 宿主機目錄
+      o: bind
+  coder_config:
     driver: local
   postgres_data:
     driver: local
@@ -60,4 +60,3 @@ volumes:
 networks:
   coder-net:
     driver: bridge
-    name: coder_network