server
Start a Coder server
Usage
coder server [flags]
Subcommands
Name | Purpose |
---|---|
create-admin-user | Create a new admin user with the given username, email and password and adds it to every organization. |
postgres-builtin-url | Output the connection URL for the built-in PostgreSQL deployment. |
postgres-builtin-serve | Run the built-in PostgreSQL deployment. |
dbcrypt | Manage database encryption. |
Options
--access-url
Type | url |
Environment | $CODER_ACCESS_URL |
YAML | networking.accessURL |
The URL that users will use to access the Coder deployment.
--wildcard-access-url
Type | string |
Environment | $CODER_WILDCARD_ACCESS_URL |
YAML | networking.wildcardAccessURL |
Specifies the wildcard hostname to use for workspace applications in the form "*.example.com".
--docs-url
Type | url |
Environment | $CODER_DOCS_URL |
YAML | networking.docsURL |
Default | https://coder.com/docs |
Specifies the custom docs URL.
--redirect-to-access-url
Type | bool |
Environment | $CODER_REDIRECT_TO_ACCESS_URL |
YAML | networking.redirectToAccessURL |
Specifies whether to redirect requests that do not match the access URL host.
--http-address
Type | string |
Environment | $CODER_HTTP_ADDRESS |
YAML | networking.http.httpAddress |
Default | 127.0.0.1:3000 |
HTTP bind address of the server. Unset to disable the HTTP endpoint.
--tls-address
Type | host:port |
Environment | $CODER_TLS_ADDRESS |
YAML | networking.tls.address |
Default | 127.0.0.1:3443 |
HTTPS bind address of the server.
--tls-enable
Type | bool |
Environment | $CODER_TLS_ENABLE |
YAML | networking.tls.enable |
Whether TLS will be enabled.
--tls-cert-file
Type | string-array |
Environment | $CODER_TLS_CERT_FILE |
YAML | networking.tls.certFiles |
Path to each certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.
--tls-client-ca-file
Type | string |
Environment | $CODER_TLS_CLIENT_CA_FILE |
YAML | networking.tls.clientCAFile |
PEM-encoded Certificate Authority file used for checking the authenticity of client.
--tls-client-auth
Type | string |
Environment | $CODER_TLS_CLIENT_AUTH |
YAML | networking.tls.clientAuth |
Default | none |
Policy the server will follow for TLS Client Authentication. Accepted values are "none", "request", "require-any", "verify-if-given", or "require-and-verify".
--tls-key-file
Type | string-array |
Environment | $CODER_TLS_KEY_FILE |
YAML | networking.tls.keyFiles |
Paths to the private keys for each of the certificates. It requires a PEM-encoded file.
--tls-min-version
Type | string |
Environment | $CODER_TLS_MIN_VERSION |
YAML | networking.tls.minVersion |
Default | tls12 |
Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13".
--tls-client-cert-file
Type | string |
Environment | $CODER_TLS_CLIENT_CERT_FILE |
YAML | networking.tls.clientCertFile |
Path to certificate for client TLS authentication. It requires a PEM-encoded file.
--tls-client-key-file
Type | string |
Environment | $CODER_TLS_CLIENT_KEY_FILE |
YAML | networking.tls.clientKeyFile |
Path to key for client TLS authentication. It requires a PEM-encoded file.
--tls-ciphers
Type | string-array |
Environment | $CODER_TLS_CIPHERS |
YAML | networking.tls.tlsCiphers |
Specify specific TLS ciphers that allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
--tls-allow-insecure-ciphers
Type | bool |
Environment | $CODER_TLS_ALLOW_INSECURE_CIPHERS |
YAML | networking.tls.tlsAllowInsecureCiphers |
Default | false |
By default, only ciphers marked as 'secure' are allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
--derp-server-enable
Type | bool |
Environment | $CODER_DERP_SERVER_ENABLE |
YAML | networking.derp.enable |
Default | true |
Whether to enable or disable the embedded DERP relay server.
--derp-server-region-name
Type | string |
Environment | $CODER_DERP_SERVER_REGION_NAME |
YAML | networking.derp.regionName |
Default | Coder Embedded Relay |
Region name that for the embedded DERP server.
--derp-server-stun-addresses
Type | string-array |
Environment | $CODER_DERP_SERVER_STUN_ADDRESSES |
YAML | networking.derp.stunAddresses |
Default | stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302,stun3.l.google.com:19302,stun4.l.google.com:19302 |
Addresses for STUN servers to establish P2P connections. It's recommended to have at least two STUN servers to give users the best chance of connecting P2P to workspaces. Each STUN server will get it's own DERP region, with region IDs starting at --derp-server-region-id + 1
. Use special value 'disable' to turn off STUN completely.
--derp-server-relay-url
Type | url |
Environment | $CODER_DERP_SERVER_RELAY_URL |
YAML | networking.derp.relayURL |
An HTTP URL that is accessible by other replicas to relay DERP traffic. Required for high availability.
--block-direct-connections
Type | bool |
Environment | $CODER_BLOCK_DIRECT |
YAML | networking.derp.blockDirect |
Block peer-to-peer (aka. direct) workspace connections. All workspace connections from the CLI will be proxied through Coder (or custom configured DERP servers) and will never be peer-to-peer when enabled. Workspaces may still reach out to STUN servers to get their address until they are restarted after this change has been made, but new connections will still be proxied regardless.
--derp-force-websockets
Type | bool |
Environment | $CODER_DERP_FORCE_WEBSOCKETS |
YAML | networking.derp.forceWebSockets |
Force clients and agents to always use WebSocket to connect to DERP relay servers. By default, DERP uses Upgrade: derp
, which may cause issues with some reverse proxies. Clients may automatically fallback to WebSocket if they detect an issue with Upgrade: derp
, but this does not work in all situations.
--derp-config-url
Type | string |
Environment | $CODER_DERP_CONFIG_URL |
YAML | networking.derp.url |
URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.
--derp-config-path
Type | string |
Environment | $CODER_DERP_CONFIG_PATH |
YAML | networking.derp.configPath |
Path to read a DERP mapping from. See: https://tailscale.com/kb/1118/custom-derp-servers/.
--prometheus-enable
Type | bool |
Environment | $CODER_PROMETHEUS_ENABLE |
YAML | introspection.prometheus.enable |
Serve prometheus metrics on the address defined by prometheus address.
--prometheus-address
Type | host:port |
Environment | $CODER_PROMETHEUS_ADDRESS |
YAML | introspection.prometheus.address |
Default | 127.0.0.1:2112 |
The bind address to serve prometheus metrics.
--prometheus-collect-agent-stats
Type | bool |
Environment | $CODER_PROMETHEUS_COLLECT_AGENT_STATS |
YAML | introspection.prometheus.collect_agent_stats |
Collect agent stats (may increase charges for metrics storage).
--prometheus-aggregate-agent-stats-by
Type | string-array |
Environment | $CODER_PROMETHEUS_AGGREGATE_AGENT_STATS_BY |
YAML | introspection.prometheus.aggregate_agent_stats_by |
Default | agent_name,template_name,username,workspace_name |
When collecting agent stats, aggregate metrics by a given set of comma-separated labels to reduce cardinality. Accepted values are agent_name, template_name, username, workspace_name.
--prometheus-collect-db-metrics
Type | bool |
Environment | $CODER_PROMETHEUS_COLLECT_DB_METRICS |
YAML | introspection.prometheus.collect_db_metrics |
Default | false |
Collect database query metrics (may increase charges for metrics storage). If set to false, a reduced set of database metrics are still collected.
--pprof-enable
Type | bool |
Environment | $CODER_PPROF_ENABLE |
YAML | introspection.pprof.enable |
Serve pprof metrics on the address defined by pprof address.
--pprof-address
Type | host:port |
Environment | $CODER_PPROF_ADDRESS |
YAML | introspection.pprof.address |
Default | 127.0.0.1:6060 |
The bind address to serve pprof.
--oauth2-github-client-id
Type | string |
Environment | $CODER_OAUTH2_GITHUB_CLIENT_ID |
YAML | oauth2.github.clientID |
Client ID for Login with GitHub.
--oauth2-github-client-secret
Type | string |
Environment | $CODER_OAUTH2_GITHUB_CLIENT_SECRET |
Client secret for Login with GitHub.
--oauth2-github-allowed-orgs
Type | string-array |
Environment | $CODER_OAUTH2_GITHUB_ALLOWED_ORGS |
YAML | oauth2.github.allowedOrgs |
Organizations the user must be a member of to Login with GitHub.
--oauth2-github-allowed-teams
Type | string-array |
Environment | $CODER_OAUTH2_GITHUB_ALLOWED_TEAMS |
YAML | oauth2.github.allowedTeams |
Teams inside organizations the user must be a member of to Login with GitHub. Structured as:
--oauth2-github-allow-signups
Type | bool |
Environment | $CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS |
YAML | oauth2.github.allowSignups |
Whether new users can sign up with GitHub.
--oauth2-github-allow-everyone
Type | bool |
Environment | $CODER_OAUTH2_GITHUB_ALLOW_EVERYONE |
YAML | oauth2.github.allowEveryone |
Allow all logins, setting this option means allowed orgs and teams must be empty.
--oauth2-github-enterprise-base-url
Type | string |
Environment | $CODER_OAUTH2_GITHUB_ENTERPRISE_BASE_URL |
YAML | oauth2.github.enterpriseBaseURL |
Base URL of a GitHub Enterprise deployment to use for Login with GitHub.
--oidc-allow-signups
Type | bool |
Environment | $CODER_OIDC_ALLOW_SIGNUPS |
YAML | oidc.allowSignups |
Default | true |
Whether new users can sign up with OIDC.
--oidc-client-id
Type | string |
Environment | $CODER_OIDC_CLIENT_ID |
YAML | oidc.clientID |
Client ID to use for Login with OIDC.
--oidc-client-secret
Type | string |
Environment | $CODER_OIDC_CLIENT_SECRET |
Client secret to use for Login with OIDC.
--oidc-client-key-file
Type | string |
Environment | $CODER_OIDC_CLIENT_KEY_FILE |
YAML | oidc.oidcClientKeyFile |
Pem encoded RSA private key to use for oauth2 PKI/JWT authorization. This can be used instead of oidc-client-secret if your IDP supports it.
--oidc-client-cert-file
Type | string |
Environment | $CODER_OIDC_CLIENT_CERT_FILE |
YAML | oidc.oidcClientCertFile |
Pem encoded certificate file to use for oauth2 PKI/JWT authorization. The public certificate that accompanies oidc-client-key-file. A standard x509 certificate is expected.
--oidc-email-domain
Type | string-array |
Environment | $CODER_OIDC_EMAIL_DOMAIN |
YAML | oidc.emailDomain |
Email domains that clients logging in with OIDC must match.
--oidc-issuer-url
Type | string |
Environment | $CODER_OIDC_ISSUER_URL |
YAML | oidc.issuerURL |
Issuer URL to use for Login with OIDC.
--oidc-scopes
Type | string-array |
Environment | $CODER_OIDC_SCOPES |
YAML | oidc.scopes |
Default | openid,profile,email |
Scopes to grant when authenticating with OIDC.
--oidc-ignore-email-verified
Type | bool |
Environment | $CODER_OIDC_IGNORE_EMAIL_VERIFIED |
YAML | oidc.ignoreEmailVerified |
Ignore the email_verified claim from the upstream provider.
--oidc-username-field
Type | string |
Environment | $CODER_OIDC_USERNAME_FIELD |
YAML | oidc.usernameField |
Default | preferred_username |
OIDC claim field to use as the username.
--oidc-name-field
Type | string |
Environment | $CODER_OIDC_NAME_FIELD |
YAML | oidc.nameField |
Default | name |
OIDC claim field to use as the name.
--oidc-email-field
Type | string |
Environment | $CODER_OIDC_EMAIL_FIELD |
YAML | oidc.emailField |
Default | email |
OIDC claim field to use as the email.
--oidc-auth-url-params
Type | struct[map[string]string] |
Environment | $CODER_OIDC_AUTH_URL_PARAMS |
YAML | oidc.authURLParams |
Default | {"access_type": "offline"} |
OIDC auth URL parameters to pass to the upstream provider.
--oidc-ignore-userinfo
Type | bool |
Environment | $CODER_OIDC_IGNORE_USERINFO |
YAML | oidc.ignoreUserInfo |
Default | false |
Ignore the userinfo endpoint and only use the ID token for user information.
--oidc-group-field
Type | string |
Environment | $CODER_OIDC_GROUP_FIELD |
YAML | oidc.groupField |
This field must be set if using the group sync feature and the scope name is not 'groups'. Set to the claim to be used for groups.
--oidc-group-mapping
Type | struct[map[string]string] |
Environment | $CODER_OIDC_GROUP_MAPPING |
YAML | oidc.groupMapping |
Default | {} |
A map of OIDC group IDs and the group in Coder it should map to. This is useful for when OIDC providers only return group IDs.
--oidc-group-auto-create
Type | bool |
Environment | $CODER_OIDC_GROUP_AUTO_CREATE |
YAML | oidc.enableGroupAutoCreate |
Default | false |
Automatically creates missing groups from a user's groups claim.
--oidc-group-regex-filter
Type | regexp |
Environment | $CODER_OIDC_GROUP_REGEX_FILTER |
YAML | oidc.groupRegexFilter |
Default | .* |
If provided any group name not matching the regex is ignored. This allows for filtering out groups that are not needed. This filter is applied after the group mapping.
--oidc-allowed-groups
Type | string-array |
Environment | $CODER_OIDC_ALLOWED_GROUPS |
YAML | oidc.groupAllowed |
If provided any group name not in the list will not be allowed to authenticate. This allows for restricting access to a specific set of groups. This filter is applied after the group mapping and before the regex filter.
--oidc-user-role-field
Type | string |
Environment | $CODER_OIDC_USER_ROLE_FIELD |
YAML | oidc.userRoleField |
This field must be set if using the user roles sync feature. Set this to the name of the claim used to store the user's role. The roles should be sent as an array of strings.
--oidc-user-role-mapping
Type | struct[map[string][]string] |
Environment | $CODER_OIDC_USER_ROLE_MAPPING |
YAML | oidc.userRoleMapping |
Default | {} |
A map of the OIDC passed in user roles and the groups in Coder it should map to. This is useful if the group names do not match. If mapped to the empty string, the role will ignored.
--oidc-user-role-default
Type | string-array |
Environment | $CODER_OIDC_USER_ROLE_DEFAULT |
YAML | oidc.userRoleDefault |
If user role sync is enabled, these roles are always included for all authenticated users. The 'member' role is always assigned.
--oidc-sign-in-text
Type | string |
Environment | $CODER_OIDC_SIGN_IN_TEXT |
YAML | oidc.signInText |
Default | OpenID Connect |
The text to show on the OpenID Connect sign in button.
--oidc-icon-url
Type | url |
Environment | $CODER_OIDC_ICON_URL |
YAML | oidc.iconURL |
URL pointing to the icon to use on the OpenID Connect login button.
--oidc-signups-disabled-text
Type | string |
Environment | $CODER_OIDC_SIGNUPS_DISABLED_TEXT |
YAML | oidc.signupsDisabledText |
The custom text to show on the error page informing about disabled OIDC signups. Markdown format is supported.
--dangerous-oidc-skip-issuer-checks
Type | bool |
Environment | $CODER_DANGEROUS_OIDC_SKIP_ISSUER_CHECKS |
YAML | oidc.dangerousSkipIssuerChecks |
OIDC issuer urls must match in the request, the id_token 'iss' claim, and in the well-known configuration. This flag disables that requirement, and can lead to an insecure OIDC configuration. It is not recommended to use this flag.
--telemetry
Type | bool |
Environment | $CODER_TELEMETRY_ENABLE |
YAML | telemetry.enable |
Default | true |
Whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.
--trace
Type | bool |
Environment | $CODER_TRACE_ENABLE |
YAML | introspection.tracing.enable |
Whether application tracing data is collected. It exports to a backend configured by environment variables. See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md.
--trace-honeycomb-api-key
Type | string |
Environment | $CODER_TRACE_HONEYCOMB_API_KEY |
Enables trace exporting to Honeycomb.io using the provided API Key.
--trace-logs
Type | bool |
Environment | $CODER_TRACE_LOGS |
YAML | introspection.tracing.captureLogs |
Enables capturing of logs as events in traces. This is useful for debugging, but may result in a very large amount of events being sent to the tracing backend which may incur significant costs.
--provisioner-daemons
Type | int |
Environment | $CODER_PROVISIONER_DAEMONS |
YAML | provisioning.daemons |
Default | 3 |
Number of provisioner daemons to create on start. If builds are stuck in queued state for a long time, consider increasing this.
--provisioner-daemon-poll-interval
Type | duration |
Environment | $CODER_PROVISIONER_DAEMON_POLL_INTERVAL |
YAML | provisioning.daemonPollInterval |
Default | 1s |
Deprecated and ignored.
--provisioner-daemon-poll-jitter
Type | duration |
Environment | $CODER_PROVISIONER_DAEMON_POLL_JITTER |
YAML | provisioning.daemonPollJitter |
Default | 100ms |
Deprecated and ignored.
--provisioner-force-cancel-interval
Type | duration |
Environment | $CODER_PROVISIONER_FORCE_CANCEL_INTERVAL |
YAML | provisioning.forceCancelInterval |
Default | 10m0s |
Time to force cancel provisioning tasks that are stuck.
--provisioner-daemon-psk
Type | string |
Environment | $CODER_PROVISIONER_DAEMON_PSK |
Pre-shared key to authenticate external provisioner daemons to Coder server.
-l, --log-filter
Type | string-array |
Environment | $CODER_LOG_FILTER |
YAML | introspection.logging.filter |
Filter debug logs by matching against a given regex. Use .* to match all debug logs.
--log-human
Type | string |
Environment | $CODER_LOGGING_HUMAN |
YAML | introspection.logging.humanPath |
Default | /dev/stderr |
Output human-readable logs to a given file.
--log-json
Type | string |
Environment | $CODER_LOGGING_JSON |
YAML | introspection.logging.jsonPath |
Output JSON logs to a given file.
--log-stackdriver
Type | string |
Environment | $CODER_LOGGING_STACKDRIVER |
YAML | introspection.logging.stackdriverPath |
Output Stackdriver compatible logs to a given file.
--enable-terraform-debug-mode
Type | bool |
Environment | $CODER_ENABLE_TERRAFORM_DEBUG_MODE |
YAML | introspection.logging.enableTerraformDebugMode |
Default | false |
Allow administrators to enable Terraform debug output.
--additional-csp-policy
Type | string-array |
Environment | $CODER_ADDITIONAL_CSP_POLICY |
YAML | networking.http.additionalCSPPolicy |
Coder configures a Content Security Policy (CSP) to protect against XSS attacks. This setting allows you to add additional CSP directives, which can open the attack surface of the deployment. Format matches the CSP directive format, e.g. --additional-csp-policy="script-src https://example.com".
--dangerous-allow-path-app-sharing
Type | bool |
Environment | $CODER_DANGEROUS_ALLOW_PATH_APP_SHARING |
Allow workspace apps that are not served from subdomains to be shared. Path-based app sharing is DISABLED by default for security purposes. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.
--dangerous-allow-path-app-site-owner-access
Type | bool |
Environment | $CODER_DANGEROUS_ALLOW_PATH_APP_SITE_OWNER_ACCESS |
Allow site-owners to access workspace apps from workspaces they do not own. Owners cannot access path-based apps they do not own by default. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.
--experiments
Type | string-array |
Environment | $CODER_EXPERIMENTS |
YAML | experiments |
Enable one or more experiments. These are not ready for production. Separate multiple experiments with commas, or enter '*' to opt-in to all available experiments.
--update-check
Type | bool |
Environment | $CODER_UPDATE_CHECK |
YAML | updateCheck |
Default | false |
Periodically check for new releases of Coder and inform the owner. The check is performed once per day.
--max-token-lifetime
Type | duration |
Environment | $CODER_MAX_TOKEN_LIFETIME |
YAML | networking.http.maxTokenLifetime |
Default | 876600h0m0s |
The maximum lifetime duration users can specify when creating an API token.
--default-token-lifetime
Type | duration |
Environment | $CODER_DEFAULT_TOKEN_LIFETIME |
YAML | defaultTokenLifetime |
Default | 168h0m0s |
The default lifetime duration for API tokens. This value is used when creating a token without specifying a duration, such as when authenticating the CLI or an IDE plugin.
--swagger-enable
Type | bool |
Environment | $CODER_SWAGGER_ENABLE |
YAML | enableSwagger |
Expose the swagger endpoint via /swagger.
--proxy-trusted-headers
Type | string-array |
Environment | $CODER_PROXY_TRUSTED_HEADERS |
YAML | networking.proxyTrustedHeaders |
Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip, True-Client-Ip, X-Forwarded-For.
--proxy-trusted-origins
Type | string-array |
Environment | $CODER_PROXY_TRUSTED_ORIGINS |
YAML | networking.proxyTrustedOrigins |
Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24.
--cache-dir
Type | string |
Environment | $CODER_CACHE_DIRECTORY |
YAML | cacheDir |
Default | ~/.cache/coder |
The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd. This directory is NOT safe to be configured as a shared directory across coderd/provisionerd replicas.
--postgres-url
Type | string |
Environment | $CODER_PG_CONNECTION_URL |
URL of a PostgreSQL database. If empty, PostgreSQL binaries will be downloaded from Maven (https://repo1.maven.org/maven2) and store all data in the config root. Access the built-in database with "coder server postgres-builtin-url".
--postgres-auth
Type | password|awsiamrds |
Environment | $CODER_PG_AUTH |
YAML | pgAuth |
Default | password |
Type of auth to use when connecting to postgres.
--secure-auth-cookie
Type | bool |
Environment | $CODER_SECURE_AUTH_COOKIE |
YAML | networking.secureAuthCookie |
Controls if the 'Secure' property is set on browser session cookies.
--terms-of-service-url
Type | string |
Environment | $CODER_TERMS_OF_SERVICE_URL |
YAML | termsOfServiceURL |
A URL to an external Terms of Service that must be accepted by users when logging in.
--strict-transport-security
Type | int |
Environment | $CODER_STRICT_TRANSPORT_SECURITY |
YAML | networking.tls.strictTransportSecurity |
Default | 0 |
Controls if the 'Strict-Transport-Security' header is set on all static file responses. This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of the header.
--strict-transport-security-options
Type | string-array |
Environment | $CODER_STRICT_TRANSPORT_SECURITY_OPTIONS |
YAML | networking.tls.strictTransportSecurityOptions |
Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.
--ssh-keygen-algorithm
Type | string |
Environment | $CODER_SSH_KEYGEN_ALGORITHM |
YAML | sshKeygenAlgorithm |
Default | ed25519 |
The algorithm to use for generating ssh keys. Accepted values are "ed25519", "ecdsa", or "rsa4096".
--browser-only
Type | bool |
Environment | $CODER_BROWSER_ONLY |
YAML | networking.browserOnly |
Whether Coder only allows connections to workspaces via the browser.
--scim-auth-header
Type | string |
Environment | $CODER_SCIM_AUTH_HEADER |
Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.
--external-token-encryption-keys
Type | string-array |
Environment | $CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS |
Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a comma-separated list of base64-encoded keys. Each key, when base64-decoded, must be exactly 32 bytes in length. The first key will be used to encrypt new values. Subsequent keys will be used as a fallback when decrypting. During normal operation it is recommended to only set one key unless you are in the process of rotating keys with the coder server dbcrypt rotate
command.
--disable-path-apps
Type | bool |
Environment | $CODER_DISABLE_PATH_APPS |
YAML | disablePathApps |
Disable workspace apps that are not served from subdomains. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. This is recommended for security purposes if a --wildcard-access-url is configured.
--disable-owner-workspace-access
Type | bool |
Environment | $CODER_DISABLE_OWNER_WORKSPACE_ACCESS |
YAML | disableOwnerWorkspaceAccess |
Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.
--session-duration
Type | duration |
Environment | $CODER_SESSION_DURATION |
YAML | networking.http.sessionDuration |
Default | 24h0m0s |
The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.
--disable-session-expiry-refresh
Type | bool |
Environment | $CODER_DISABLE_SESSION_EXPIRY_REFRESH |
YAML | networking.http.disableSessionExpiryRefresh |
Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.
--disable-password-auth
Type | bool |
Environment | $CODER_DISABLE_PASSWORD_AUTH |
YAML | networking.http.disablePasswordAuth |
Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the coder server create-admin
command to create a new admin user directly in the database.
-c, --config
Type | yaml-config-path |
Environment | $CODER_CONFIG_PATH |
Specify a YAML file to load configuration from.
--ssh-hostname-prefix
Type | string |
Environment | $CODER_SSH_HOSTNAME_PREFIX |
YAML | client.sshHostnamePrefix |
Default | coder. |
The SSH deployment prefix is used in the Host of the ssh config.
--ssh-config-options
Type | string-array |
Environment | $CODER_SSH_CONFIG_OPTIONS |
YAML | client.sshConfigOptions |
These SSH config options will override the default SSH config options. Provide options in "key=value" or "key value" format separated by commas.Using this incorrectly can break SSH to your deployment, use cautiously.
--cli-upgrade-message
Type | string |
Environment | $CODER_CLI_UPGRADE_MESSAGE |
YAML | client.cliUpgradeMessage |
The upgrade message to display to users when a client/server mismatch is detected. By default it instructs users to update using 'curl -L https://coder.com/install.sh | sh'.
--write-config
Type | bool |
Write out the current server config as YAML to stdout.
--support-links
Type | struct[[]codersdk.LinkConfig] |
Environment | $CODER_SUPPORT_LINKS |
YAML | supportLinks |
Support links to display in the top right drop down menu.
--proxy-health-interval
Type | duration |
Environment | $CODER_PROXY_HEALTH_INTERVAL |
YAML | networking.http.proxyHealthInterval |
Default | 1m0s |
The interval in which coderd should be checking the status of workspace proxies.
--default-quiet-hours-schedule
Type | string |
Environment | $CODER_QUIET_HOURS_DEFAULT_SCHEDULE |
YAML | userQuietHoursSchedule.defaultQuietHoursSchedule |
Default | CRON_TZ=UTC 0 0 * * * |
The default daily cron schedule applied to users that haven't set a custom quiet hours schedule themselves. The quiet hours schedule determines when workspaces will be force stopped due to the template's autostop requirement, and will round the max deadline up to be within the user's quiet hours window (or default). The format is the same as the standard cron format, but the day-of-month, month and day-of-week must be *. Only one hour and minute can be specified (ranges or comma separated values are not supported).
--allow-custom-quiet-hours
Type | bool |
Environment | $CODER_ALLOW_CUSTOM_QUIET_HOURS |
YAML | userQuietHoursSchedule.allowCustomQuietHours |
Default | true |
Allow users to set their own quiet hours schedule for workspaces to stop in (depending on template autostop requirement settings). If false, users can't change their quiet hours schedule and the site default is always used.
--web-terminal-renderer
Type | string |
Environment | $CODER_WEB_TERMINAL_RENDERER |
YAML | client.webTerminalRenderer |
Default | canvas |
The renderer to use when opening a web terminal. Valid values are 'canvas', 'webgl', or 'dom'.
--allow-workspace-renames
Type | bool |
Environment | $CODER_ALLOW_WORKSPACE_RENAMES |
YAML | allowWorkspaceRenames |
Default | false |
DEPRECATED: Allow users to rename their workspaces. Use only for temporary compatibility reasons, this will be removed in a future release.
--health-check-refresh
Type | duration |
Environment | $CODER_HEALTH_CHECK_REFRESH |
YAML | introspection.healthcheck.refresh |
Default | 10m0s |
Refresh interval for healthchecks.
--health-check-threshold-database
Type | duration |
Environment | $CODER_HEALTH_CHECK_THRESHOLD_DATABASE |
YAML | introspection.healthcheck.thresholdDatabase |
Default | 15ms |
The threshold for the database health check. If the median latency of the database exceeds this threshold over 5 attempts, the database is considered unhealthy. The default value is 15ms.
--email-from
Type | string |
Environment | $CODER_EMAIL_FROM |
YAML | email.from |
The sender's address to use.
--email-smarthost
Type | string |
Environment | $CODER_EMAIL_SMARTHOST |
YAML | email.smarthost |
The intermediary SMTP host through which emails are sent.
--email-hello
Type | string |
Environment | $CODER_EMAIL_HELLO |
YAML | email.hello |
Default | localhost |
The hostname identifying the SMTP server.
--email-force-tls
Type | bool |
Environment | $CODER_EMAIL_FORCE_TLS |
YAML | email.forceTLS |
Default | false |
Force a TLS connection to the configured SMTP smarthost.
--email-auth-identity
Type | string |
Environment | $CODER_EMAIL_AUTH_IDENTITY |
YAML | email.emailAuth.identity |
Identity to use with PLAIN authentication.
--email-auth-username
Type | string |
Environment | $CODER_EMAIL_AUTH_USERNAME |
YAML | email.emailAuth.username |
Username to use with PLAIN/LOGIN authentication.
--email-auth-password
Type | string |
Environment | $CODER_EMAIL_AUTH_PASSWORD |
Password to use with PLAIN/LOGIN authentication.
--email-auth-password-file
Type | string |
Environment | $CODER_EMAIL_AUTH_PASSWORD_FILE |
YAML | email.emailAuth.passwordFile |
File from which to load password for use with PLAIN/LOGIN authentication.
--email-tls-starttls
Type | bool |
Environment | $CODER_EMAIL_TLS_STARTTLS |
YAML | email.emailTLS.startTLS |
Enable STARTTLS to upgrade insecure SMTP connections using TLS.
--email-tls-server-name
Type | string |
Environment | $CODER_EMAIL_TLS_SERVERNAME |
YAML | email.emailTLS.serverName |
Server name to verify against the target certificate.
--email-tls-skip-verify
Type | bool |
Environment | $CODER_EMAIL_TLS_SKIPVERIFY |
YAML | email.emailTLS.insecureSkipVerify |
Skip verification of the target server's certificate (insecure).
--email-tls-ca-cert-file
Type | string |
Environment | $CODER_EMAIL_TLS_CACERTFILE |
YAML | email.emailTLS.caCertFile |
CA certificate file to use.
--email-tls-cert-file
Type | string |
Environment | $CODER_EMAIL_TLS_CERTFILE |
YAML | email.emailTLS.certFile |
Certificate file to use.
--email-tls-cert-key-file
Type | string |
Environment | $CODER_EMAIL_TLS_CERTKEYFILE |
YAML | email.emailTLS.certKeyFile |
Certificate key file to use.
--notifications-method
Type | string |
Environment | $CODER_NOTIFICATIONS_METHOD |
YAML | notifications.method |
Default | smtp |
Which delivery method to use (available options: 'smtp', 'webhook').
--notifications-dispatch-timeout
Type | duration |
Environment | $CODER_NOTIFICATIONS_DISPATCH_TIMEOUT |
YAML | notifications.dispatchTimeout |
Default | 1m0s |
How long to wait while a notification is being sent before giving up.
--notifications-email-from
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_FROM |
YAML | notifications.email.from |
The sender's address to use.
--notifications-email-smarthost
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_SMARTHOST |
YAML | notifications.email.smarthost |
The intermediary SMTP host through which emails are sent.
--notifications-email-hello
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_HELLO |
YAML | notifications.email.hello |
The hostname identifying the SMTP server.
--notifications-email-force-tls
Type | bool |
Environment | $CODER_NOTIFICATIONS_EMAIL_FORCE_TLS |
YAML | notifications.email.forceTLS |
Force a TLS connection to the configured SMTP smarthost.
--notifications-email-auth-identity
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_AUTH_IDENTITY |
YAML | notifications.email.emailAuth.identity |
Identity to use with PLAIN authentication.
--notifications-email-auth-username
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_AUTH_USERNAME |
YAML | notifications.email.emailAuth.username |
Username to use with PLAIN/LOGIN authentication.
--notifications-email-auth-password
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD |
Password to use with PLAIN/LOGIN authentication.
--notifications-email-auth-password-file
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD_FILE |
YAML | notifications.email.emailAuth.passwordFile |
File from which to load password for use with PLAIN/LOGIN authentication.
--notifications-email-tls-starttls
Type | bool |
Environment | $CODER_NOTIFICATIONS_EMAIL_TLS_STARTTLS |
YAML | notifications.email.emailTLS.startTLS |
Enable STARTTLS to upgrade insecure SMTP connections using TLS.
--notifications-email-tls-server-name
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_TLS_SERVERNAME |
YAML | notifications.email.emailTLS.serverName |
Server name to verify against the target certificate.
--notifications-email-tls-skip-verify
Type | bool |
Environment | $CODER_NOTIFICATIONS_EMAIL_TLS_SKIPVERIFY |
YAML | notifications.email.emailTLS.insecureSkipVerify |
Skip verification of the target server's certificate (insecure).
--notifications-email-tls-ca-cert-file
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_TLS_CACERTFILE |
YAML | notifications.email.emailTLS.caCertFile |
CA certificate file to use.
--notifications-email-tls-cert-file
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_TLS_CERTFILE |
YAML | notifications.email.emailTLS.certFile |
Certificate file to use.
--notifications-email-tls-cert-key-file
Type | string |
Environment | $CODER_NOTIFICATIONS_EMAIL_TLS_CERTKEYFILE |
YAML | notifications.email.emailTLS.certKeyFile |
Certificate key file to use.
--notifications-webhook-endpoint
Type | url |
Environment | $CODER_NOTIFICATIONS_WEBHOOK_ENDPOINT |
YAML | notifications.webhook.endpoint |
The endpoint to which to send webhooks.
--notifications-max-send-attempts
Type | int |
Environment | $CODER_NOTIFICATIONS_MAX_SEND_ATTEMPTS |
YAML | notifications.maxSendAttempts |
Default | 5 |
The upper limit of attempts to send a notification.