server

Start a Coder server

Usage

coder server [flags]

Subcommands

Name                    Purpose
create-admin-user       Create a new admin user with the given username, email and password and add it to every organization.
postgres-builtin-serve  Run the built-in PostgreSQL deployment.
postgres-builtin-url    Output the connection URL for the built-in PostgreSQL deployment.

Options

--access-url

Type: url
Environment: $CODER_ACCESS_URL
YAML: networking.accessURL

The URL that users will use to access the Coder deployment.

--browser-only

Type: bool
Environment: $CODER_BROWSER_ONLY
YAML: networking.browserOnly

Whether Coder only allows connections to workspaces via the browser.

--cache-dir

Type: string
Environment: $CODER_CACHE_DIRECTORY
YAML: cacheDir
Default: ~/.cache/coder

The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd.

--trace-logs

Type: bool
Environment: $CODER_TRACE_LOGS
YAML: introspection.tracing.captureLogs

Enables capturing of logs as events in traces. This is useful for debugging, but may result in a very large amount of events being sent to the tracing backend which may incur significant costs. If the verbose flag was supplied, debug-level logs will be included.

-c, --config

Type: yaml-config-path
Environment: $CODER_CONFIG_PATH

Specify a YAML file to load configuration from.

--dangerous-allow-path-app-sharing

Type: bool
Environment: $CODER_DANGEROUS_ALLOW_PATH_APP_SHARING

Allow workspace apps that are not served from subdomains to be shared. Path-based app sharing is DISABLED by default for security purposes. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.

--dangerous-allow-path-app-site-owner-access

Type: bool
Environment: $CODER_DANGEROUS_ALLOW_PATH_APP_SITE_OWNER_ACCESS

Allow site-owners to access workspace apps from workspaces they do not own. Owners cannot access path-based apps they do not own by default. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.

--derp-config-path

Type: string
Environment: $CODER_DERP_CONFIG_PATH
YAML: networking.derp.configPath

Path to read a DERP mapping from. See: https://tailscale.com/kb/1118/custom-derp-servers/.

--derp-config-url

Type: string
Environment: $CODER_DERP_CONFIG_URL
YAML: networking.derp.url

URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/.

--derp-server-enable

Type: bool
Environment: $CODER_DERP_SERVER_ENABLE
YAML: networking.derp.enable
Default: true

Whether to enable or disable the embedded DERP relay server.

--derp-server-region-code

Type: string
Environment: $CODER_DERP_SERVER_REGION_CODE
YAML: networking.derp.regionCode
Default: coder

Region code to use for the embedded DERP server.

--derp-server-region-id

Type: int
Environment: $CODER_DERP_SERVER_REGION_ID
YAML: networking.derp.regionID
Default: 999

Region ID to use for the embedded DERP server.

--derp-server-region-name

Type: string
Environment: $CODER_DERP_SERVER_REGION_NAME
YAML: networking.derp.regionName
Default: Coder Embedded Relay

Region name to use for the embedded DERP server.

--derp-server-relay-url

Type: url
Environment: $CODER_DERP_SERVER_RELAY_URL
YAML: networking.derp.relayURL

An HTTP URL that is accessible by other replicas to relay DERP traffic. Required for high availability.

--derp-server-stun-addresses

Type: string-array
Environment: $CODER_DERP_SERVER_STUN_ADDRESSES
YAML: networking.derp.stunAddresses
Default: stun.l.google.com:19302

Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.

--disable-owner-workspace-access

Type: bool
Environment: $CODER_DISABLE_OWNER_WORKSPACE_ACCESS
YAML: disableOwnerWorkspaceAccess

Remove the permission for the 'owner' role to have workspace execution on all workspaces. This prevents the 'owner' from ssh, apps, and terminal access based on the 'owner' role. They still have their user permissions to access their own workspaces.

--disable-password-auth

Type: bool
Environment: $CODER_DISABLE_PASSWORD_AUTH
YAML: networking.http.disablePasswordAuth

Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the coder server create-admin-user command to create a new admin user directly in the database.

--disable-path-apps

Type: bool
Environment: $CODER_DISABLE_PATH_APPS
YAML: disablePathApps

Disable workspace apps that are not served from subdomains. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. This is recommended for security purposes if a --wildcard-access-url is configured.

--disable-session-expiry-refresh

Type: bool
Environment: $CODER_DISABLE_SESSION_EXPIRY_REFRESH
YAML: networking.http.disableSessionExpiryRefresh

Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.

--swagger-enable

Type: bool
Environment: $CODER_SWAGGER_ENABLE
YAML: enableSwagger

Expose the swagger endpoint via /swagger.

--experiments

Type: string-array
Environment: $CODER_EXPERIMENTS
YAML: experiments

Enable one or more experiments. These are not ready for production. Separate multiple experiments with commas, or enter '*' to opt-in to all available experiments.

--provisioner-force-cancel-interval

Type: duration
Environment: $CODER_PROVISIONER_FORCE_CANCEL_INTERVAL
YAML: provisioning.forceCancelInterval
Default: 10m0s

Time to force cancel provisioning tasks that are stuck.

--http-address

Type: string
Environment: $CODER_HTTP_ADDRESS
YAML: networking.http.httpAddress
Default: 127.0.0.1:3000

HTTP bind address of the server. Unset to disable the HTTP endpoint.

--log-human

Type: string
Environment: $CODER_LOGGING_HUMAN
YAML: introspection.logging.humanPath
Default: /dev/stderr

Output human-readable logs to a given file.

--log-json

Type: string
Environment: $CODER_LOGGING_JSON
YAML: introspection.logging.jsonPath

Output JSON logs to a given file.

--max-token-lifetime

Type: duration
Environment: $CODER_MAX_TOKEN_LIFETIME
YAML: networking.http.maxTokenLifetime
Default: 876600h0m0s

The maximum lifetime duration users can specify when creating an API token.

--oauth2-github-allow-everyone

Type: bool
Environment: $CODER_OAUTH2_GITHUB_ALLOW_EVERYONE
YAML: oauth2.github.allowEveryone

Allow all logins. Setting this option means allowed orgs and teams must be empty.

--oauth2-github-allow-signups

Type: bool
Environment: $CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS
YAML: oauth2.github.allowSignups

Whether new users can sign up with GitHub.

--oauth2-github-allowed-orgs

Type: string-array
Environment: $CODER_OAUTH2_GITHUB_ALLOWED_ORGS
YAML: oauth2.github.allowedOrgs

Organizations the user must be a member of to Login with GitHub.

--oauth2-github-allowed-teams

Type: string-array
Environment: $CODER_OAUTH2_GITHUB_ALLOWED_TEAMS
YAML: oauth2.github.allowedTeams

Teams inside organizations the user must be a member of to Login with GitHub. Structured as: /.

--oauth2-github-client-id

Type: string
Environment: $CODER_OAUTH2_GITHUB_CLIENT_ID
YAML: oauth2.github.clientID

Client ID for Login with GitHub.

--oauth2-github-client-secret

Type: string
Environment: $CODER_OAUTH2_GITHUB_CLIENT_SECRET

Client secret for Login with GitHub.

--oauth2-github-enterprise-base-url

Type: string
Environment: $CODER_OAUTH2_GITHUB_ENTERPRISE_BASE_URL
YAML: oauth2.github.enterpriseBaseURL

Base URL of a GitHub Enterprise deployment to use for Login with GitHub.

--oidc-allow-signups

Type: bool
Environment: $CODER_OIDC_ALLOW_SIGNUPS
YAML: oidc.allowSignups
Default: true

Whether new users can sign up with OIDC.

--oidc-auth-url-params

Type: struct[map[string]string]
Environment: $CODER_OIDC_AUTH_URL_PARAMS
YAML: oidc.authURLParams
Default: {"access_type": "offline"}

OIDC auth URL parameters to pass to the upstream provider.

--oidc-client-id

Type: string
Environment: $CODER_OIDC_CLIENT_ID
YAML: oidc.clientID

Client ID to use for Login with OIDC.

--oidc-client-secret

Type: string
Environment: $CODER_OIDC_CLIENT_SECRET

Client secret to use for Login with OIDC.

--oidc-email-domain

Type: string-array
Environment: $CODER_OIDC_EMAIL_DOMAIN
YAML: oidc.emailDomain

Email domains that clients logging in with OIDC must match.

--oidc-email-field

Type: string
Environment: $CODER_OIDC_EMAIL_FIELD
YAML: oidc.emailField
Default: email

OIDC claim field to use as the email.

--oidc-group-field

Type: string
Environment: $CODER_OIDC_GROUP_FIELD
YAML: oidc.groupField

Change the OIDC default 'groups' claim field. By default, will be 'groups' if present in the oidc scopes argument.

--oidc-group-mapping

Type: struct[map[string]string]
Environment: $CODER_OIDC_GROUP_MAPPING
YAML: oidc.groupMapping
Default: {}

A map of OIDC group IDs and the group in Coder it should map to. This is useful for when OIDC providers only return group IDs.

--oidc-ignore-email-verified

Type: bool
Environment: $CODER_OIDC_IGNORE_EMAIL_VERIFIED
YAML: oidc.ignoreEmailVerified

Ignore the email_verified claim from the upstream provider.

--oidc-ignore-userinfo

Type: bool
Environment: $CODER_OIDC_IGNORE_USERINFO
YAML: oidc.ignoreUserInfo
Default: false

Ignore the userinfo endpoint and only use the ID token for user information.

--oidc-issuer-url

Type: string
Environment: $CODER_OIDC_ISSUER_URL
YAML: oidc.issuerURL

Issuer URL to use for Login with OIDC.

--oidc-scopes

Type: string-array
Environment: $CODER_OIDC_SCOPES
YAML: oidc.scopes
Default: openid,profile,email

Scopes to grant when authenticating with OIDC.

--oidc-username-field

Type: string
Environment: $CODER_OIDC_USERNAME_FIELD
YAML: oidc.usernameField
Default: preferred_username

OIDC claim field to use as the username.

--oidc-sign-in-text

Type: string
Environment: $CODER_OIDC_SIGN_IN_TEXT
YAML: oidc.signInText
Default: OpenID Connect

The text to show on the OpenID Connect sign in button.

--oidc-icon-url

Type: url
Environment: $CODER_OIDC_ICON_URL
YAML: oidc.iconURL

URL pointing to the icon to use on the OpenID Connect login button.

--provisioner-daemon-poll-interval

Type: duration
Environment: $CODER_PROVISIONER_DAEMON_POLL_INTERVAL
YAML: provisioning.daemonPollInterval
Default: 1s

Time to wait before polling for a new job.

--provisioner-daemon-poll-jitter

Type: duration
Environment: $CODER_PROVISIONER_DAEMON_POLL_JITTER
YAML: provisioning.daemonPollJitter
Default: 100ms

Random jitter added to the poll interval.

--postgres-url

Type: string
Environment: $CODER_PG_CONNECTION_URL

URL of a PostgreSQL database. If empty, PostgreSQL binaries will be downloaded from Maven (https://repo1.maven.org/maven2) and all data will be stored in the config root. Access the built-in database with "coder server postgres-builtin-url".

--prometheus-address

Type: host:port
Environment: $CODER_PROMETHEUS_ADDRESS
YAML: introspection.prometheus.address
Default: 127.0.0.1:2112

The bind address to serve prometheus metrics.

--prometheus-collect-agent-stats

Type: bool
Environment: $CODER_PROMETHEUS_COLLECT_AGENT_STATS
YAML: introspection.prometheus.collect_agent_stats

Collect agent stats (may increase charges for metrics storage).

--prometheus-enable

Type: bool
Environment: $CODER_PROMETHEUS_ENABLE
YAML: introspection.prometheus.enable

Serve prometheus metrics on the address defined by prometheus address.

--provisioner-daemons

Type: int
Environment: $CODER_PROVISIONER_DAEMONS
YAML: provisioning.daemons
Default: 3

Number of provisioner daemons to create on start. If builds are stuck in queued state for a long time, consider increasing this.

--proxy-trusted-headers

Type: string-array
Environment: $CODER_PROXY_TRUSTED_HEADERS
YAML: networking.proxyTrustedHeaders

Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip, True-Client-Ip, X-Forwarded-For.

--proxy-trusted-origins

Type: string-array
Environment: $CODER_PROXY_TRUSTED_ORIGINS
YAML: networking.proxyTrustedOrigins

Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24.

--redirect-to-access-url

Type: bool
Environment: $CODER_REDIRECT_TO_ACCESS_URL
YAML: networking.redirectToAccessURL

Specifies whether to redirect requests that do not match the access URL host.

--scim-auth-header

Type: string
Environment: $CODER_SCIM_AUTH_HEADER

Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.

--ssh-config-options

Type: string-array
Environment: $CODER_SSH_CONFIG_OPTIONS
YAML: client.sshConfigOptions

These SSH config options will override the default SSH config options. Provide options in "key=value" or "key value" format separated by commas. Using this incorrectly can break SSH to your deployment, so use it cautiously.

--ssh-hostname-prefix

Type: string
Environment: $CODER_SSH_HOSTNAME_PREFIX
YAML: client.sshHostnamePrefix
Default: coder.

The SSH deployment prefix is used in the Host of the ssh config.

--ssh-keygen-algorithm

Type: string
Environment: $CODER_SSH_KEYGEN_ALGORITHM
YAML: sshKeygenAlgorithm
Default: ed25519

The algorithm to use for generating ssh keys. Accepted values are "ed25519", "ecdsa", or "rsa4096".

--secure-auth-cookie

Type: bool
Environment: $CODER_SECURE_AUTH_COOKIE
YAML: networking.secureAuthCookie

Controls if the 'Secure' property is set on browser session cookies.

--session-duration

Type: duration
Environment: $CODER_SESSION_DURATION
YAML: networking.http.sessionDuration
Default: 24h0m0s

The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.

--log-stackdriver

Type: string
Environment: $CODER_LOGGING_STACKDRIVER
YAML: introspection.logging.stackdriverPath

Output Stackdriver compatible logs to a given file.

--strict-transport-security

Type: int
Environment: $CODER_STRICT_TRANSPORT_SECURITY
YAML: networking.tls.strictTransportSecurity
Default: 0

Controls if the 'Strict-Transport-Security' header is set on all static file responses. This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of the header.

--strict-transport-security-options

Type: string-array
Environment: $CODER_STRICT_TRANSPORT_SECURITY_OPTIONS
YAML: networking.tls.strictTransportSecurityOptions

Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.

--tls-address

Type: host:port
Environment: $CODER_TLS_ADDRESS
YAML: networking.tls.address
Default: 127.0.0.1:3443

HTTPS bind address of the server.

--tls-cert-file

Type: string-array
Environment: $CODER_TLS_CERT_FILE
YAML: networking.tls.certFiles

Path to each certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.

--tls-client-auth

Type: string
Environment: $CODER_TLS_CLIENT_AUTH
YAML: networking.tls.clientAuth
Default: none

Policy the server will follow for TLS Client Authentication. Accepted values are "none", "request", "require-any", "verify-if-given", or "require-and-verify".

--tls-client-ca-file

Type: string
Environment: $CODER_TLS_CLIENT_CA_FILE
YAML: networking.tls.clientCAFile

PEM-encoded Certificate Authority file used for checking the authenticity of the client.

--tls-client-cert-file

Type: string
Environment: $CODER_TLS_CLIENT_CERT_FILE
YAML: networking.tls.clientCertFile

Path to certificate for client TLS authentication. It requires a PEM-encoded file.

--tls-client-key-file

Type: string
Environment: $CODER_TLS_CLIENT_KEY_FILE
YAML: networking.tls.clientKeyFile

Path to key for client TLS authentication. It requires a PEM-encoded file.

--tls-enable

Type: bool
Environment: $CODER_TLS_ENABLE
YAML: networking.tls.enable

Whether TLS will be enabled.

--tls-key-file

Type: string-array
Environment: $CODER_TLS_KEY_FILE
YAML: networking.tls.keyFiles

Paths to the private keys for each of the certificates. It requires a PEM-encoded file.

--tls-min-version

Type: string
Environment: $CODER_TLS_MIN_VERSION
YAML: networking.tls.minVersion
Default: tls12

Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" or "tls13".

--telemetry

Type: bool
Environment: $CODER_TELEMETRY_ENABLE
YAML: telemetry.enable
Default: true

Whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.

--telemetry-trace

Type: bool
Environment: $CODER_TELEMETRY_TRACE
YAML: telemetry.trace
Default: true

Whether OpenTelemetry traces are sent to Coder. Coder collects anonymized application tracing to help improve our product. Disabling telemetry also disables this option.

--trace

Type: bool
Environment: $CODER_TRACE_ENABLE
YAML: introspection.tracing.enable

Whether application tracing data is collected. It exports to a backend configured by environment variables. See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md.

--trace-honeycomb-api-key

Type: string
Environment: $CODER_TRACE_HONEYCOMB_API_KEY

Enables trace exporting to Honeycomb.io using the provided API Key.

--update-check

Type: bool
Environment: $CODER_UPDATE_CHECK
YAML: updateCheck
Default: false

Periodically check for new releases of Coder and inform the owner. The check is performed once per day.

-v, --verbose

Type: bool
Environment: $CODER_VERBOSE
YAML: introspection.logging.verbose

Output debug-level logs.

--wildcard-access-url

Type: url
Environment: $CODER_WILDCARD_ACCESS_URL
YAML: networking.wildcardAccessURL

Specifies the wildcard hostname to use for workspace applications in the form "*.example.com".

--write-config

Type: bool

Write out the current server config as YAML to stdout.

--pprof-address

Type: host:port
Environment: $CODER_PPROF_ADDRESS
YAML: introspection.pprof.address
Default: 127.0.0.1:6060

The bind address to serve pprof.

--pprof-enable

Type: bool
Environment: $CODER_PPROF_ENABLE
YAML: introspection.pprof.enable

Serve pprof metrics on the address defined by pprof address.
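
An added example, not part of Coder's documentation or code: a Python check that reads the environment variables listed on this page and reports the combinations the option descriptions warn about. The function names, finding IDs and sample values are constructed for illustration, and the accepted boolean spellings are an assumption.

```python
# Added example (not Coder's code): audit CODER_* variables documented on this page.
# Assumption: booleans are written 1/t/true (case-insensitive); anything else is false.

def flag(env, name):
    return env.get(name, "").strip().lower() in {"1", "t", "true"}

def loopback(addr):
    host = addr.rsplit(":", 1)[0].strip("[]")
    return host in {"127.0.0.1", "localhost", "::1"}

def audit(env):
    """Return sorted finding IDs for a dict of CODER_* settings."""
    found = set()
    # Path-based apps can call the Coder API; both overrides are marked dangerous.
    for name in ("CODER_DANGEROUS_ALLOW_PATH_APP_SHARING",
                 "CODER_DANGEROUS_ALLOW_PATH_APP_SITE_OWNER_ACCESS"):
        if flag(env, name):
            found.add("path-app-override")
    # Disabling path apps is recommended once a wildcard access URL is configured.
    if env.get("CODER_WILDCARD_ACCESS_URL") and not flag(env, "CODER_DISABLE_PATH_APPS"):
        found.add("path-apps-enabled-with-wildcard")
    # Disabling password auth is recommended when an identity provider is used.
    if env.get("CODER_OIDC_ISSUER_URL") and not flag(env, "CODER_DISABLE_PASSWORD_AUTH"):
        found.add("password-auth-with-idp")
    if flag(env, "CODER_OIDC_IGNORE_EMAIL_VERIFIED"):
        found.add("email-verified-ignored")
    if env.get("CODER_TLS_MIN_VERSION", "tls12") in {"tls10", "tls11"}:
        found.add("weak-tls-min-version")
    # HSTS options are ignored unless the max-age value is non-zero.
    hsts = int(env.get("CODER_STRICT_TRANSPORT_SECURITY") or 0)
    if env.get("CODER_STRICT_TRANSPORT_SECURITY_OPTIONS") and hsts == 0:
        found.add("hsts-options-without-max-age")
    # With TLS on, a zero HSTS max-age or a non-Secure cookie leaves browser protections off.
    if flag(env, "CODER_TLS_ENABLE"):
        if hsts == 0:
            found.add("hsts-off-with-tls")
        if not flag(env, "CODER_SECURE_AUTH_COOKIE"):
            found.add("cookie-not-secure")
    # pprof and Prometheus default to loopback; flag any wider bind address.
    for svc, default in (("PPROF", "127.0.0.1:6060"), ("PROMETHEUS", "127.0.0.1:2112")):
        addr = env.get(f"CODER_{svc}_ADDRESS", default)
        if flag(env, f"CODER_{svc}_ENABLE") and not loopback(addr):
            found.add(f"{svc.lower()}-exposed")
    return sorted(found)

# Constructed sample environments (not taken from a real deployment).
WEAK = {"CODER_WILDCARD_ACCESS_URL": "*.coder.example.com",
        "CODER_DANGEROUS_ALLOW_PATH_APP_SHARING": "true",
        "CODER_TLS_ENABLE": "true", "CODER_TLS_MIN_VERSION": "tls10",
        "CODER_STRICT_TRANSPORT_SECURITY_OPTIONS": "includeSubDomains",
        "CODER_PPROF_ENABLE": "true", "CODER_PPROF_ADDRESS": "0.0.0.0:6060"}
HARDENED = dict(WEAK, CODER_DISABLE_PATH_APPS="true", CODER_TLS_MIN_VERSION="tls13",
                CODER_DANGEROUS_ALLOW_PATH_APP_SHARING="false", CODER_SECURE_AUTH_COOKIE="true",
                CODER_STRICT_TRANSPORT_SECURITY="31536000", CODER_PPROF_ADDRESS="127.0.0.1:6060")
```

On a server host, `audit(dict(os.environ))` runs the same checks against the live environment; settings supplied through flags or the YAML file are not seen by this check.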
