Reference
Command Line

server

Start a Coder server

Usage

coder server [flags]

Subcommands

NamePurpose
create-admin-userCreate a new admin user with the given username, email and password and adds it to every organization.
postgres-builtin-urlOutput the connection URL for the built-in PostgreSQL deployment.
postgres-builtin-serveRun the built-in PostgreSQL deployment.
dbcryptManage database encryption.

Options

--access-url

Typeurl
Environment$CODER_ACCESS_URL
YAMLnetworking.accessURL

The URL that users will use to access the Coder deployment.

--wildcard-access-url

Typestring
Environment$CODER_WILDCARD_ACCESS_URL
YAMLnetworking.wildcardAccessURL

Specifies the wildcard hostname to use for workspace applications in the form "*.example.com".

--docs-url

Typeurl
Environment$CODER_DOCS_URL
YAMLnetworking.docsURL
Defaulthttps://coder.com/docs

Specifies the custom docs URL.

--redirect-to-access-url

Typebool
Environment$CODER_REDIRECT_TO_ACCESS_URL
YAMLnetworking.redirectToAccessURL

Specifies whether to redirect requests that do not match the access URL host.

--http-address

Typestring
Environment$CODER_HTTP_ADDRESS
YAMLnetworking.http.httpAddress
Default127.0.0.1:3000

HTTP bind address of the server. Unset to disable the HTTP endpoint.

--tls-address

Typehost:port
Environment$CODER_TLS_ADDRESS
YAMLnetworking.tls.address
Default127.0.0.1:3443

HTTPS bind address of the server.

--tls-enable

Typebool
Environment$CODER_TLS_ENABLE
YAMLnetworking.tls.enable

Whether TLS will be enabled.

--tls-cert-file

Typestring-array
Environment$CODER_TLS_CERT_FILE
YAMLnetworking.tls.certFiles

Path to each certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.

--tls-client-ca-file

Typestring
Environment$CODER_TLS_CLIENT_CA_FILE
YAMLnetworking.tls.clientCAFile

PEM-encoded Certificate Authority file used for checking the authenticity of client.

--tls-client-auth

Typestring
Environment$CODER_TLS_CLIENT_AUTH
YAMLnetworking.tls.clientAuth
Defaultnone

Policy the server will follow for TLS Client Authentication. Accepted values are "none", "request", "require-any", "verify-if-given", or "require-and-verify".

--tls-key-file

Typestring-array
Environment$CODER_TLS_KEY_FILE
YAMLnetworking.tls.keyFiles

Paths to the private keys for each of the certificates. It requires a PEM-encoded file.

--tls-min-version

Typestring
Environment$CODER_TLS_MIN_VERSION
YAMLnetworking.tls.minVersion
Defaulttls12

Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13".

--tls-client-cert-file

Typestring
Environment$CODER_TLS_CLIENT_CERT_FILE
YAMLnetworking.tls.clientCertFile

Path to certificate for client TLS authentication. It requires a PEM-encoded file.

--tls-client-key-file

Typestring
Environment$CODER_TLS_CLIENT_KEY_FILE
YAMLnetworking.tls.clientKeyFile

Path to key for client TLS authentication. It requires a PEM-encoded file.

--tls-ciphers

Typestring-array
Environment$CODER_TLS_CIPHERS
YAMLnetworking.tls.tlsCiphers

Specify specific TLS ciphers that allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.

--tls-allow-insecure-ciphers

Typebool
Environment$CODER_TLS_ALLOW_INSECURE_CIPHERS
YAMLnetworking.tls.tlsAllowInsecureCiphers
Defaultfalse

By default, only ciphers marked as 'secure' are allowed to be used. See https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.

--derp-server-enable

Typebool
Environment$CODER_DERP_SERVER_ENABLE
YAMLnetworking.derp.enable
Defaulttrue

Whether to enable or disable the embedded DERP relay server.

--derp-server-region-name

Typestring
Environment$CODER_DERP_SERVER_REGION_NAME
YAMLnetworking.derp.regionName
DefaultCoder Embedded Relay

Region name that for the embedded DERP server.

--derp-server-stun-addresses

Typestring-array
Environment$CODER_DERP_SERVER_STUN_ADDRESSES
YAMLnetworking.derp.stunAddresses
Defaultstun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302,stun3.l.google.com:19302,stun4.l.google.com:19302

Addresses for STUN servers to establish P2P connections. It's recommended to have at least two STUN servers to give users the best chance of connecting P2P to workspaces. Each STUN server will get it's own DERP region, with region IDs starting at --derp-server-region-id + 1. Use special value 'disable' to turn off STUN completely.

--derp-server-relay-url

Typeurl
Environment$CODER_DERP_SERVER_RELAY_URL
YAMLnetworking.derp.relayURL

An HTTP URL that is accessible by other replicas to relay DERP traffic. Required for high availability.

--block-direct-connections

Typebool
Environment$CODER_BLOCK_DIRECT
YAMLnetworking.derp.blockDirect

Block peer-to-peer (aka. direct) workspace connections. All workspace connections from the CLI will be proxied through Coder (or custom configured DERP servers) and will never be peer-to-peer when enabled. Workspaces may still reach out to STUN servers to get their address until they are restarted after this change has been made, but new connections will still be proxied regardless.

--derp-force-websockets

Typebool
Environment$CODER_DERP_FORCE_WEBSOCKETS
YAMLnetworking.derp.forceWebSockets

Force clients and agents to always use WebSocket to connect to DERP relay servers. By default, DERP uses Upgrade: derp, which may cause issues with some reverse proxies. Clients may automatically fallback to WebSocket if they detect an issue with Upgrade: derp, but this does not work in all situations.

--derp-config-url

Typestring
Environment$CODER_DERP_CONFIG_URL
YAMLnetworking.derp.url

URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.

--derp-config-path

Typestring
Environment$CODER_DERP_CONFIG_PATH
YAMLnetworking.derp.configPath

Path to read a DERP mapping from. See: https://tailscale.com/kb/1118/custom-derp-servers/.

--prometheus-enable

Typebool
Environment$CODER_PROMETHEUS_ENABLE
YAMLintrospection.prometheus.enable

Serve prometheus metrics on the address defined by prometheus address.

--prometheus-address

Typehost:port
Environment$CODER_PROMETHEUS_ADDRESS
YAMLintrospection.prometheus.address
Default127.0.0.1:2112

The bind address to serve prometheus metrics.

--prometheus-collect-agent-stats

Typebool
Environment$CODER_PROMETHEUS_COLLECT_AGENT_STATS
YAMLintrospection.prometheus.collect_agent_stats

Collect agent stats (may increase charges for metrics storage).

--prometheus-aggregate-agent-stats-by

Typestring-array
Environment$CODER_PROMETHEUS_AGGREGATE_AGENT_STATS_BY
YAMLintrospection.prometheus.aggregate_agent_stats_by
Defaultagent_name,template_name,username,workspace_name

When collecting agent stats, aggregate metrics by a given set of comma-separated labels to reduce cardinality. Accepted values are agent_name, template_name, username, workspace_name.

--prometheus-collect-db-metrics

Typebool
Environment$CODER_PROMETHEUS_COLLECT_DB_METRICS
YAMLintrospection.prometheus.collect_db_metrics
Defaultfalse

Collect database metrics (may increase charges for metrics storage).

--pprof-enable

Typebool
Environment$CODER_PPROF_ENABLE
YAMLintrospection.pprof.enable

Serve pprof metrics on the address defined by pprof address.

--pprof-address

Typehost:port
Environment$CODER_PPROF_ADDRESS
YAMLintrospection.pprof.address
Default127.0.0.1:6060

The bind address to serve pprof.

--oauth2-github-client-id

Typestring
Environment$CODER_OAUTH2_GITHUB_CLIENT_ID
YAMLoauth2.github.clientID

Client ID for Login with GitHub.

--oauth2-github-client-secret

Typestring
Environment$CODER_OAUTH2_GITHUB_CLIENT_SECRET

Client secret for Login with GitHub.

--oauth2-github-allowed-orgs

Typestring-array
Environment$CODER_OAUTH2_GITHUB_ALLOWED_ORGS
YAMLoauth2.github.allowedOrgs

Organizations the user must be a member of to Login with GitHub.

--oauth2-github-allowed-teams

Typestring-array
Environment$CODER_OAUTH2_GITHUB_ALLOWED_TEAMS
YAMLoauth2.github.allowedTeams

Teams inside organizations the user must be a member of to Login with GitHub. Structured as: /.

--oauth2-github-allow-signups

Typebool
Environment$CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
YAMLoauth2.github.allowSignups

Whether new users can sign up with GitHub.

--oauth2-github-allow-everyone

Typebool
Environment$CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
YAMLoauth2.github.allowEveryone

Allow all logins, setting this option means allowed orgs and teams must be empty.

--oauth2-github-enterprise-base-url

Typestring
Environment$CODER_OAUTH2_GITHUB_ENTERPRISE_BASE_URL
YAMLoauth2.github.enterpriseBaseURL

Base URL of a GitHub Enterprise deployment to use for Login with GitHub.

--oidc-allow-signups

Typebool
Environment$CODER_OIDC_ALLOW_SIGNUPS
YAMLoidc.allowSignups
Defaulttrue

Whether new users can sign up with OIDC.

--oidc-client-id

Typestring
Environment$CODER_OIDC_CLIENT_ID
YAMLoidc.clientID

Client ID to use for Login with OIDC.

--oidc-client-secret

Typestring
Environment$CODER_OIDC_CLIENT_SECRET

Client secret to use for Login with OIDC.

--oidc-client-key-file

Typestring
Environment$CODER_OIDC_CLIENT_KEY_FILE
YAMLoidc.oidcClientKeyFile

Pem encoded RSA private key to use for oauth2 PKI/JWT authorization. This can be used instead of oidc-client-secret if your IDP supports it.

--oidc-client-cert-file

Typestring
Environment$CODER_OIDC_CLIENT_CERT_FILE
YAMLoidc.oidcClientCertFile

Pem encoded certificate file to use for oauth2 PKI/JWT authorization. The public certificate that accompanies oidc-client-key-file. A standard x509 certificate is expected.

--oidc-email-domain

Typestring-array
Environment$CODER_OIDC_EMAIL_DOMAIN
YAMLoidc.emailDomain

Email domains that clients logging in with OIDC must match.

--oidc-issuer-url

Typestring
Environment$CODER_OIDC_ISSUER_URL
YAMLoidc.issuerURL

Issuer URL to use for Login with OIDC.

--oidc-scopes

Typestring-array
Environment$CODER_OIDC_SCOPES
YAMLoidc.scopes
Defaultopenid,profile,email

Scopes to grant when authenticating with OIDC.

--oidc-ignore-email-verified

Typebool
Environment$CODER_OIDC_IGNORE_EMAIL_VERIFIED
YAMLoidc.ignoreEmailVerified

Ignore the email_verified claim from the upstream provider.

--oidc-username-field

Typestring
Environment$CODER_OIDC_USERNAME_FIELD
YAMLoidc.usernameField
Defaultpreferred_username

OIDC claim field to use as the username.

--oidc-name-field

Typestring
Environment$CODER_OIDC_NAME_FIELD
YAMLoidc.nameField
Defaultname

OIDC claim field to use as the name.

--oidc-email-field

Typestring
Environment$CODER_OIDC_EMAIL_FIELD
YAMLoidc.emailField
Defaultemail

OIDC claim field to use as the email.

--oidc-auth-url-params

Typestruct[map[string]string]
Environment$CODER_OIDC_AUTH_URL_PARAMS
YAMLoidc.authURLParams
Default{"access_type": "offline"}

OIDC auth URL parameters to pass to the upstream provider.

--oidc-ignore-userinfo

Typebool
Environment$CODER_OIDC_IGNORE_USERINFO
YAMLoidc.ignoreUserInfo
Defaultfalse

Ignore the userinfo endpoint and only use the ID token for user information.

--oidc-organization-field

Typestring
Environment$CODER_OIDC_ORGANIZATION_FIELD
YAMLoidc.organizationField

This field must be set if using the organization sync feature. Set to the claim to be used for organizations.

--oidc-organization-assign-default

Typebool
Environment$CODER_OIDC_ORGANIZATION_ASSIGN_DEFAULT
YAMLoidc.organizationAssignDefault
Defaulttrue

If set to true, users will always be added to the default organization. If organization sync is enabled, then the default org is always added to the user's set of expectedorganizations.

--oidc-organization-mapping

Typestruct[map[string][]uuid.UUID]
Environment$CODER_OIDC_ORGANIZATION_MAPPING
YAMLoidc.organizationMapping
Default{}

A map of OIDC claims and the organizations in Coder it should map to. This is required because organization IDs must be used within Coder.

--oidc-group-field

Typestring
Environment$CODER_OIDC_GROUP_FIELD
YAMLoidc.groupField

This field must be set if using the group sync feature and the scope name is not 'groups'. Set to the claim to be used for groups.

--oidc-group-mapping

Typestruct[map[string]string]
Environment$CODER_OIDC_GROUP_MAPPING
YAMLoidc.groupMapping
Default{}

A map of OIDC group IDs and the group in Coder it should map to. This is useful for when OIDC providers only return group IDs.

--oidc-group-auto-create

Typebool
Environment$CODER_OIDC_GROUP_AUTO_CREATE
YAMLoidc.enableGroupAutoCreate
Defaultfalse

Automatically creates missing groups from a user's groups claim.

--oidc-group-regex-filter

Typeregexp
Environment$CODER_OIDC_GROUP_REGEX_FILTER
YAMLoidc.groupRegexFilter
Default.*

If provided any group name not matching the regex is ignored. This allows for filtering out groups that are not needed. This filter is applied after the group mapping.

--oidc-allowed-groups

Typestring-array
Environment$CODER_OIDC_ALLOWED_GROUPS
YAMLoidc.groupAllowed

If provided any group name not in the list will not be allowed to authenticate. This allows for restricting access to a specific set of groups. This filter is applied after the group mapping and before the regex filter.

--oidc-user-role-field

Typestring
Environment$CODER_OIDC_USER_ROLE_FIELD
YAMLoidc.userRoleField

This field must be set if using the user roles sync feature. Set this to the name of the claim used to store the user's role. The roles should be sent as an array of strings.

--oidc-user-role-mapping

Typestruct[map[string][]string]
Environment$CODER_OIDC_USER_ROLE_MAPPING
YAMLoidc.userRoleMapping
Default{}

A map of the OIDC passed in user roles and the groups in Coder it should map to. This is useful if the group names do not match. If mapped to the empty string, the role will ignored.

--oidc-user-role-default

Typestring-array
Environment$CODER_OIDC_USER_ROLE_DEFAULT
YAMLoidc.userRoleDefault

If user role sync is enabled, these roles are always included for all authenticated users. The 'member' role is always assigned.

--oidc-sign-in-text

Typestring
Environment$CODER_OIDC_SIGN_IN_TEXT
YAMLoidc.signInText
DefaultOpenID Connect

The text to show on the OpenID Connect sign in button.

--oidc-icon-url

Typeurl
Environment$CODER_OIDC_ICON_URL
YAMLoidc.iconURL

URL pointing to the icon to use on the OpenID Connect login button.

--oidc-signups-disabled-text

Typestring
Environment$CODER_OIDC_SIGNUPS_DISABLED_TEXT
YAMLoidc.signupsDisabledText

The custom text to show on the error page informing about disabled OIDC signups. Markdown format is supported.

--dangerous-oidc-skip-issuer-checks

Typebool
Environment$CODER_DANGEROUS_OIDC_SKIP_ISSUER_CHECKS
YAMLoidc.dangerousSkipIssuerChecks

OIDC issuer urls must match in the request, the id_token 'iss' claim, and in the well-known configuration. This flag disables that requirement, and can lead to an insecure OIDC configuration. It is not recommended to use this flag.

--telemetry

Typebool
Environment$CODER_TELEMETRY_ENABLE
YAMLtelemetry.enable
Defaulttrue

Whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.

--trace

Typebool
Environment$CODER_TRACE_ENABLE
YAMLintrospection.tracing.enable

Whether application tracing data is collected. It exports to a backend configured by environment variables. See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md.

--trace-honeycomb-api-key

Typestring
Environment$CODER_TRACE_HONEYCOMB_API_KEY

Enables trace exporting to Honeycomb.io using the provided API Key.

--trace-logs

Typebool
Environment$CODER_TRACE_LOGS
YAMLintrospection.tracing.captureLogs

Enables capturing of logs as events in traces. This is useful for debugging, but may result in a very large amount of events being sent to the tracing backend which may incur significant costs.

--provisioner-daemons

Typeint
Environment$CODER_PROVISIONER_DAEMONS
YAMLprovisioning.daemons
Default3

Number of provisioner daemons to create on start. If builds are stuck in queued state for a long time, consider increasing this.

--provisioner-daemon-poll-interval

Typeduration
Environment$CODER_PROVISIONER_DAEMON_POLL_INTERVAL
YAMLprovisioning.daemonPollInterval
Default1s

Deprecated and ignored.

--provisioner-daemon-poll-jitter

Typeduration
Environment$CODER_PROVISIONER_DAEMON_POLL_JITTER
YAMLprovisioning.daemonPollJitter
Default100ms

Deprecated and ignored.

--provisioner-force-cancel-interval

Typeduration
Environment$CODER_PROVISIONER_FORCE_CANCEL_INTERVAL
YAMLprovisioning.forceCancelInterval
Default10m0s

Time to force cancel provisioning tasks that are stuck.

--provisioner-daemon-psk

Typestring
Environment$CODER_PROVISIONER_DAEMON_PSK

Pre-shared key to authenticate external provisioner daemons to Coder server.

-l, --log-filter

Typestring-array
Environment$CODER_LOG_FILTER
YAMLintrospection.logging.filter

Filter debug logs by matching against a given regex. Use .* to match all debug logs.

--log-human

Typestring
Environment$CODER_LOGGING_HUMAN
YAMLintrospection.logging.humanPath
Default/dev/stderr

Output human-readable logs to a given file.

--log-json

Typestring
Environment$CODER_LOGGING_JSON
YAMLintrospection.logging.jsonPath

Output JSON logs to a given file.

--log-stackdriver

Typestring
Environment$CODER_LOGGING_STACKDRIVER
YAMLintrospection.logging.stackdriverPath

Output Stackdriver compatible logs to a given file.

--enable-terraform-debug-mode

Typebool
Environment$CODER_ENABLE_TERRAFORM_DEBUG_MODE
YAMLintrospection.logging.enableTerraformDebugMode
Defaultfalse

Allow administrators to enable Terraform debug output.

--dangerous-allow-path-app-sharing

Typebool
Environment$CODER_DANGEROUS_ALLOW_PATH_APP_SHARING

Allow workspace apps that are not served from subdomains to be shared. Path-based app sharing is DISABLED by default for security purposes. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.

--dangerous-allow-path-app-site-owner-access

Typebool
Environment$CODER_DANGEROUS_ALLOW_PATH_APP_SITE_OWNER_ACCESS

Allow site-owners to access workspace apps from workspaces they do not own. Owners cannot access path-based apps they do not own by default. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.

--experiments

Typestring-array
Environment$CODER_EXPERIMENTS
YAMLexperiments

Enable one or more experiments. These are not ready for production. Separate multiple experiments with commas, or enter '*' to opt-in to all available experiments.

--update-check

Typebool
Environment$CODER_UPDATE_CHECK
YAMLupdateCheck
Defaultfalse

Periodically check for new releases of Coder and inform the owner. The check is performed once per day.

--max-token-lifetime

Typeduration
Environment$CODER_MAX_TOKEN_LIFETIME
YAMLnetworking.http.maxTokenLifetime
Default876600h0m0s

The maximum lifetime duration users can specify when creating an API token.

--default-token-lifetime

Typeduration
Environment$CODER_DEFAULT_TOKEN_LIFETIME
YAMLdefaultTokenLifetime
Default168h0m0s

The default lifetime duration for API tokens. This value is used when creating a token without specifying a duration, such as when authenticating the CLI or an IDE plugin.

--swagger-enable

Typebool
Environment$CODER_SWAGGER_ENABLE
YAMLenableSwagger

Expose the swagger endpoint via /swagger.

--proxy-trusted-headers

Typestring-array
Environment$CODER_PROXY_TRUSTED_HEADERS
YAMLnetworking.proxyTrustedHeaders

Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip, True-Client-Ip, X-Forwarded-For.

--proxy-trusted-origins

Typestring-array
Environment$CODER_PROXY_TRUSTED_ORIGINS
YAMLnetworking.proxyTrustedOrigins

Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24.

--cache-dir

Typestring
Environment$CODER_CACHE_DIRECTORY
YAMLcacheDir
Default~/.cache/coder

The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd. This directory is NOT safe to be configured as a shared directory across coderd/provisionerd replicas.

--postgres-url

Typestring
Environment$CODER_PG_CONNECTION_URL

URL of a PostgreSQL database. If empty, PostgreSQL binaries will be downloaded from Maven (https://repo1.maven.org/maven2) and store all data in the config root. Access the built-in database with "coder server postgres-builtin-url".

--postgres-auth

Typepassword|awsiamrds
Environment$CODER_PG_AUTH
YAMLpgAuth
Defaultpassword

Type of auth to use when connecting to postgres.

Typebool
Environment$CODER_SECURE_AUTH_COOKIE
YAMLnetworking.secureAuthCookie

Controls if the 'Secure' property is set on browser session cookies.

--terms-of-service-url

Typestring
Environment$CODER_TERMS_OF_SERVICE_URL
YAMLtermsOfServiceURL

A URL to an external Terms of Service that must be accepted by users when logging in.

--strict-transport-security

Typeint
Environment$CODER_STRICT_TRANSPORT_SECURITY
YAMLnetworking.tls.strictTransportSecurity
Default0

Controls if the 'Strict-Transport-Security' header is set on all static file responses. This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of the header.

--strict-transport-security-options

Typestring-array
Environment$CODER_STRICT_TRANSPORT_SECURITY_OPTIONS
YAMLnetworking.tls.strictTransportSecurityOptions

Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.

--ssh-keygen-algorithm

Typestring
Environment$CODER_SSH_KEYGEN_ALGORITHM
YAMLsshKeygenAlgorithm
Defaulted25519

The algorithm to use for generating ssh keys. Accepted values are "ed25519", "ecdsa", or "rsa4096".

--browser-only

Typebool
Environment$CODER_BROWSER_ONLY
YAMLnetworking.browserOnly

Whether Coder only allows connections to workspaces via the browser.

--scim-auth-header

Typestring
Environment$CODER_SCIM_AUTH_HEADER

Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.

--external-token-encryption-keys

Typestring-array
Environment$CODER_EXTERNAL_TOKEN_ENCRYPTION_KEYS

Encrypt OIDC and Git authentication tokens with AES-256-GCM in the database. The value must be a comma-separated list of base64-encoded keys. Each key, when base64-decoded, must be exactly 32 bytes in length. The first key will be used to encrypt new values. Subsequent keys will be used as a fallback when decrypting. During normal operation it is recommended to only set one key unless you are in the process of rotating keys with the coder server dbcrypt rotate command.

--disable-path-apps

Typebool
Environment$CODER_DISABLE_PATH_APPS
YAMLdisablePathApps

Disable workspace apps that are not served from subdomains. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. This is recommended for security purposes if a --wildcard-access-url is configured.

--disable-owner-workspace-access

Typebool
Environment$CODER_DISABLE_OWNER_WORKSPACE_ACCESS
YAMLdisableOwnerWorkspaceAccess

Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.

--session-duration

Typeduration
Environment$CODER_SESSION_DURATION
YAMLnetworking.http.sessionDuration
Default24h0m0s

The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.

--disable-session-expiry-refresh

Typebool
Environment$CODER_DISABLE_SESSION_EXPIRY_REFRESH
YAMLnetworking.http.disableSessionExpiryRefresh

Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.

--disable-password-auth

Typebool
Environment$CODER_DISABLE_PASSWORD_AUTH
YAMLnetworking.http.disablePasswordAuth

Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the coder server create-admin command to create a new admin user directly in the database.

-c, --config

Typeyaml-config-path
Environment$CODER_CONFIG_PATH

Specify a YAML file to load configuration from.

--ssh-hostname-prefix

Typestring
Environment$CODER_SSH_HOSTNAME_PREFIX
YAMLclient.sshHostnamePrefix
Defaultcoder.

The SSH deployment prefix is used in the Host of the ssh config.

--ssh-config-options

Typestring-array
Environment$CODER_SSH_CONFIG_OPTIONS
YAMLclient.sshConfigOptions

These SSH config options will override the default SSH config options. Provide options in "key=value" or "key value" format separated by commas.Using this incorrectly can break SSH to your deployment, use cautiously.

--cli-upgrade-message

Typestring
Environment$CODER_CLI_UPGRADE_MESSAGE
YAMLclient.cliUpgradeMessage

The upgrade message to display to users when a client/server mismatch is detected. By default it instructs users to update using 'curl -L https://coder.com/install.sh | sh'.

--write-config

Typebool


Write out the current server config as YAML to stdout.

Typestruct[[]codersdk.LinkConfig]
Environment$CODER_SUPPORT_LINKS
YAMLsupportLinks

Support links to display in the top right drop down menu.

--proxy-health-interval

Typeduration
Environment$CODER_PROXY_HEALTH_INTERVAL
YAMLnetworking.http.proxyHealthInterval
Default1m0s

The interval in which coderd should be checking the status of workspace proxies.

--default-quiet-hours-schedule

Typestring
Environment$CODER_QUIET_HOURS_DEFAULT_SCHEDULE
YAMLuserQuietHoursSchedule.defaultQuietHoursSchedule
DefaultCRON_TZ=UTC 0 0 * * *

The default daily cron schedule applied to users that haven't set a custom quiet hours schedule themselves. The quiet hours schedule determines when workspaces will be force stopped due to the template's autostop requirement, and will round the max deadline up to be within the user's quiet hours window (or default). The format is the same as the standard cron format, but the day-of-month, month and day-of-week must be *. Only one hour and minute can be specified (ranges or comma separated values are not supported).

--allow-custom-quiet-hours

Typebool
Environment$CODER_ALLOW_CUSTOM_QUIET_HOURS
YAMLuserQuietHoursSchedule.allowCustomQuietHours
Defaulttrue

Allow users to set their own quiet hours schedule for workspaces to stop in (depending on template autostop requirement settings). If false, users can't change their quiet hours schedule and the site default is always used.

--web-terminal-renderer

Typestring
Environment$CODER_WEB_TERMINAL_RENDERER
YAMLclient.webTerminalRenderer
Defaultcanvas

The renderer to use when opening a web terminal. Valid values are 'canvas', 'webgl', or 'dom'.

--allow-workspace-renames

Typebool
Environment$CODER_ALLOW_WORKSPACE_RENAMES
YAMLallowWorkspaceRenames
Defaultfalse

DEPRECATED: Allow users to rename their workspaces. Use only for temporary compatibility reasons, this will be removed in a future release.

--health-check-refresh

Typeduration
Environment$CODER_HEALTH_CHECK_REFRESH
YAMLintrospection.healthcheck.refresh
Default10m0s

Refresh interval for healthchecks.

--health-check-threshold-database

Typeduration
Environment$CODER_HEALTH_CHECK_THRESHOLD_DATABASE
YAMLintrospection.healthcheck.thresholdDatabase
Default15ms

The threshold for the database health check. If the median latency of the database exceeds this threshold over 5 attempts, the database is considered unhealthy. The default value is 15ms.

--notifications-method

Typestring
Environment$CODER_NOTIFICATIONS_METHOD
YAMLnotifications.method
Defaultsmtp

Which delivery method to use (available options: 'smtp', 'webhook').

--notifications-dispatch-timeout

Typeduration
Environment$CODER_NOTIFICATIONS_DISPATCH_TIMEOUT
YAMLnotifications.dispatchTimeout
Default1m0s

How long to wait while a notification is being sent before giving up.

--notifications-email-from

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_FROM
YAMLnotifications.email.from

The sender's address to use.

--notifications-email-smarthost

Typehost:port
Environment$CODER_NOTIFICATIONS_EMAIL_SMARTHOST
YAMLnotifications.email.smarthost
Defaultlocalhost:587

The intermediary SMTP host through which emails are sent.

--notifications-email-hello

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_HELLO
YAMLnotifications.email.hello
Defaultlocalhost

The hostname identifying the SMTP server.

--notifications-email-force-tls

Typebool
Environment$CODER_NOTIFICATIONS_EMAIL_FORCE_TLS
YAMLnotifications.email.forceTLS
Defaultfalse

Force a TLS connection to the configured SMTP smarthost.

--notifications-email-auth-identity

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_AUTH_IDENTITY
YAMLnotifications.email.emailAuth.identity

Identity to use with PLAIN authentication.

--notifications-email-auth-username

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_AUTH_USERNAME
YAMLnotifications.email.emailAuth.username

Username to use with PLAIN/LOGIN authentication.

--notifications-email-auth-password

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD

Password to use with PLAIN/LOGIN authentication.

--notifications-email-auth-password-file

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD_FILE
YAMLnotifications.email.emailAuth.passwordFile

File from which to load password for use with PLAIN/LOGIN authentication.

--notifications-email-tls-starttls

Typebool
Environment$CODER_NOTIFICATIONS_EMAIL_TLS_STARTTLS
YAMLnotifications.email.emailTLS.startTLS

Enable STARTTLS to upgrade insecure SMTP connections using TLS.

--notifications-email-tls-server-name

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_TLS_SERVERNAME
YAMLnotifications.email.emailTLS.serverName

Server name to verify against the target certificate.

--notifications-email-tls-skip-verify

Typebool
Environment$CODER_NOTIFICATIONS_EMAIL_TLS_SKIPVERIFY
YAMLnotifications.email.emailTLS.insecureSkipVerify

Skip verification of the target server's certificate (insecure).

--notifications-email-tls-ca-cert-file

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_TLS_CACERTFILE
YAMLnotifications.email.emailTLS.caCertFile

CA certificate file to use.

--notifications-email-tls-cert-file

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_TLS_CERTFILE
YAMLnotifications.email.emailTLS.certFile

Certificate file to use.

--notifications-email-tls-cert-key-file

Typestring
Environment$CODER_NOTIFICATIONS_EMAIL_TLS_CERTKEYFILE
YAMLnotifications.email.emailTLS.certKeyFile

Certificate key file to use.

--notifications-webhook-endpoint

Typeurl
Environment$CODER_NOTIFICATIONS_WEBHOOK_ENDPOINT
YAMLnotifications.webhook.endpoint

The endpoint to which to send webhooks.

--notifications-max-send-attempts

Typeint
Environment$CODER_NOTIFICATIONS_MAX_SEND_ATTEMPTS
YAMLnotifications.maxSendAttempts
Default5

The upper limit of attempts to send a notification.

See an opportunity to improve our docs? Make an edit.