fix: move the web terminal out of the dashboard authentication layout (#5699 )

Fixes #5698. This was a regression.
ci: Fix release tag push (#5696 )
2023-01-12 21:44:29 +00:00 · 2023-01-12 22:18:10 +02:00 · 2023-01-12 17:08:31 -03:00 · 2023-01-12 19:21:56 +00:00 · 2023-01-12 15:52:16 -03:00 · 2023-01-12 17:02:11 +00:00
5726 changed files with 234007 additions and 30546 deletions
@@ -0,0 +1,83 @@
+FROM ubuntu
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV EDITOR=vim
+
+RUN apt-get update && apt-get upgrade --yes
+
+RUN apt-get install --yes \
+	ca-certificates \
+	bash-completion \
+	build-essential \
+	curl \
+	cmake \
+	direnv \
+	emacs-nox \
+	gnupg \
+	htop \
+	jq \
+	less \
+	lsb-release \
+	lsof \
+	man-db \
+	nano \
+	neovim \
+	ssl-cert \
+	sudo \
+	unzip \
+	xz-utils \
+	zip
+
+# configure locales to UTF8
+RUN apt-get install locales && locale-gen en_US.UTF-8
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+# configure direnv
+RUN direnv hook bash >> $HOME/.bashrc
+
+# install nix
+RUN sh <(curl -L https://nixos.org/nix/install) --daemon
+
+RUN mkdir -p $HOME/.config/nix $HOME/.config/nixpkgs \
+	&& echo 'sandbox = false' >> $HOME/.config/nix/nix.conf \
+	&& echo '{ allowUnfree = true; }' >> $HOME/.config/nixpkgs/config.nix \
+	&& echo '. $HOME/.nix-profile/etc/profile.d/nix.sh' >> $HOME/.bashrc
+
+
+# install docker and configure daemon to use vfs as GitHub codespaces requires vfs
+# https://github.com/moby/moby/issues/13742#issuecomment-725197223
+RUN mkdir -p /etc/apt/keyrings \
+	&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+	&& echo \
+	"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+	$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null \
+	&& apt-get update \
+	&& apt-get install --yes docker-ce docker-ce-cli containerd.io docker-compose-plugin \
+	&& mkdir -p /etc/docker \
+	&& echo '{"cgroup-parent":"/actions_job","storage-driver":"vfs"}' >> /etc/docker/daemon.json
+
+# install golang and language tooling
+ENV GO_VERSION=1.19
+ENV GOPATH=$HOME/go-packages
+ENV GOROOT=$HOME/go
+ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
+RUN curl -fsSL https://dl.google.com/go/go$GO_VERSION.linux-amd64.tar.gz | tar xzs
+RUN echo 'export PATH=$GOPATH/bin:$PATH' >> $HOME/.bashrc
+
+RUN bash -c ". $HOME/.bashrc \
+	go install -v golang.org/x/tools/gopls@latest \
+	&& go install -v mvdan.cc/sh/v3/cmd/shfmt@latest \
+	&& go install -v github.com/mikefarah/yq/v4@v4.30.6 \
+	"
+
+# install nodejs
+RUN bash -c "$(curl -fsSL https://deb.nodesource.com/setup_14.x)" \
+	&& apt-get install -y nodejs
+
+# install zstd
+RUN bash -c "$(curl -fsSL https://raw.githubusercontent.com/horta/zstd.install/main/install)"
+
+# install nfpm
+RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list \
+	&& apt update \
+	&& apt install nfpm
@@ -0,0 +1,24 @@
+// For format details, see https://aka.ms/devcontainer.json
+{
+  "name": "Development environments on your infrastructure",
+
+  // Sets the run context to one level up instead of the .devcontainer folder.
+  "context": ".",
+
+  // Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
+  "dockerFile": "Dockerfile",
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+
+  "postStartCommand": "dockerd",
+
+  // privileged is required by GitHub codespaces - https://github.com/microsoft/vscode-dev-containers/issues/727
+  "runArgs": [
+    "--cap-add=SYS_PTRACE",
+    "--security-opt",
+    "seccomp=unconfined",
+    "--privileged",
+    "--init"
+  ]
+}
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = tab
+
+[*.{md,json,yaml,yml,tf,tfvars,nix}]
+indent_style = space
+indent_size = 2
+
+[coderd/database/dump.sql]
+indent_style = space
+indent_size = 4
@@ -3,3 +3,7 @@ coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
 provisionerd/proto/*.go linguist-generated=true
 provisionersdk/proto/*.go linguist-generated=true
+*.tfplan.json linguist-generated=true
+*.tfstate.json linguist-generated=true
+*.tfstate.dot linguist-generated=true
+*.tfplan.dot linguist-generated=true
@@ -1 +1,4 @@
-site @coder/coder-frontend
+site/ @coder/frontend
+docs/ @coder/docs
+README.md @coder/docs
+ADOPTERS.md @coder/docs
@@ -1,31 +1,30 @@
 codecov:
  require_ci_to_pass: false
+  notify:
+    after_n_builds: 5

-comment:
-  show_carryforward_flags: yes
+comment: false
+
+github_checks:
+  annotations: false

 coverage:
-  notify:
-    slack:
-      default:
-        url: secret:v1::ALa1/e2X+k36fPseab5D7+kBFc9bJyIoIQioD0IMA5jr+0HXVpBRNDCHZhHjCdGc67yff6PPixPEOLwEZpxC37rM23RBZOYlqAq9A5e0MeZVlEoVq19aOYN4Xel17hMJ6GGm7n17wrYpCpcvlVSqNrN0+cr3guVDyG10kQyfh2Y=
-        threshold: 1%
-        only_pulls: false
-        branches:
-          - "main"
+  range: 50..75
+  round: down
+  precision: 2
  status:
    patch:
      default:
        informational: yes
    project:
      default:
-        target: 70%
-        informational: yes
+        target: 65%
+        informational: true

 ignore:
  # This is generated code.
  - coderd/database/models.go
-  - coderd/database/query.sql.go
+  - coderd/database/queries.sql.go
  - coderd/database/databasefake
  # These are generated or don't require tests.
  - cmd
@@ -35,6 +34,10 @@ ignore:
  - peerbroker/proto
  - provisionerd/proto
  - provisionersdk/proto
-  - scripts/datadog-cireport
+  - scripts
  - site/.storybook
  - rules.go
+  # Packages used for writing tests.
+  - cli/clitest
+  - coderd/coderdtest
+  - pty/ptytest
@@ -3,9 +3,10 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
+    labels: []
    commit-message:
      prefix: "chore"
    ignore:
@@ -27,23 +28,47 @@ updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
-      interval: "daily"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch

  - package-ecosystem: "npm"
    directory: "/site/"
    schedule:
-      interval: "daily"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
+    labels: []
    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
      # Ignore major updates to Node.js types, because they need to
      # correspond to the Node.js engine version
      - dependency-name: "@types/node"
        update-types:
          - version-update:semver-major
+
+  - package-ecosystem: "terraform"
+    directory: "/examples/templates"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # We likely want to update this ourselves.
+      - dependency-name: "coder/coder"
@@ -0,0 +1,3 @@
+<!--
+Check if your change requires documentation edits before merging: https://coder.com/docs/coder. Make edits in `docs/`.
+-->
@@ -1,60 +0,0 @@
-###############################################################################
-# This file configures "Semantic Pull Requests", which is documented here:
-# https://github.com/zeke/semantic-pull-requests
-#
-# This action/spec implements the "Conventional Commits" RFC which is
-# available here:
-# https://www.notion.so/coderhq/Conventional-commits-1d51287f58b64026bb29393f277734ed
-###############################################################################
-
-# We have no valid scopes right now.
-# A scope should be added when commits aren't aligning with associated change anymore.
-scopes:
-
-# We only check that the PR title is semantic. The PR title is automatically
-# applied to the "Squash & Merge" flow as the suggested commit message, so this
-# should suffice unless someone drastically alters the message in that flow.
-titleOnly: true
-
-# Types are the 'tag' types in a commit or PR title. For example, in
-#
-# chore: fix thing
-#
-# 'chore' is the type.
-types:
-  # A build of any kind.
-  - build
-
-  # A RELEASED fix that will NOT be back-ported. The originating issue may have
-  # been discovered internally or externally to Coder.
-  - fix
-
-  # Any code task that is ignored for changelog purposes. Examples include
-  # devbin scripts and internal-only configurations.
-  - chore
-
-  # Any work performed on CI.
-  - ci
-
-  # An UNRELEASED correction. For example, features are often built
-  # incrementally and sometimes introduce minor flaws during a release cycle.
-  # Corrections address those increments and flaws.
-  - correct
-
-  # Work that directly implements or supports the implementation of a feature.
-  - feat
-
-  # A fix for a RELEASED bug (regression fix) that is intended for patch-release
-  # purposes.
-  - hotfix
-
-  # A refactor changes code structure without any behavioral change.
-  - refactor
-
-  # A git revert for any style of commit.
-  - revert
-
-  # Adding tests of any kind. Should be separate from feature or fix
-  # implementations. For example, if a commit adds a fix + test, it's a fix
-  # commit. If a commit is simply bumping coverage, it's a test commit.
-  - test
@@ -1,14 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 14
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 5
-# Only apply the stale logic to pulls, since we are using issues to manage work
-only: pulls
-# Label to apply when stale.
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no activity occurs in the next 5 days.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
@@ -0,0 +1,26 @@
+name: "CLA Assistant"
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types: [opened, closed, synchronize]
+
+jobs:
+  CLAssistant:
+    runs-on: ubuntu-latest
+    steps:
+      - name: "CLA Assistant"
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.2.1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # the below token should have repo scope and must be manually added by you in the repository's secret
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCOMMUNITY_GITHUB_TOKEN }}
+        with:
+          remote-organization-name: "coder"
+          remote-repository-name: "cla"
+          path-to-signatures: "v2022-09-04/signatures.json"
+          path-to-document: "https://github.com/coder/cla/blob/main/README.md"
+          # branch should not be protected
+          branch: "main"
+          allowlist: dependabot*
@@ -0,0 +1,67 @@
+name: "CodeQL"
+
+permissions:
+  security-events: write
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: ["main"]
+  schedule:
+    # run every week at 10:24 on Thursday
+    - cron: "24 10 * * 4"
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ["go", "javascript"]
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: ${{ matrix.language }}
+
+      - name: Setup Go
+        if: matrix.language == 'go'
+        uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"
+
+      - name: Go Cache Paths
+        if: matrix.language == 'go'
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+
+      - name: Go Mod Cache
+        if: matrix.language == 'go'
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Remove Makefile # workaround to prevent CodeQL from building site
+        if: matrix.language == 'go'
+        run: |
+          # Disable Analysis step from trying to build the project.
+          rm Makefile
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+        with:
+          category: "/language:${{matrix.language}}"
@@ -1,98 +0,0 @@
-# This workflow (aka The Gauntlet) is a high-iteration run of our tests,
-# used to evaluate stability and shake out intermittent failures.
-name: coder-test-stability
-on:
-  schedule:
-    # Run everyday around midnight Central.
-    - cron: "0 6 * * *"
-
-  pull_request:
-    branches:
-      - main
-    paths:
-      - .github/workflows/coder-test-stability.yaml
-  workflow_dispatch:
-    inputs:
-      iterationCount:
-        description: "Iteration Count"
-        required: false
-        default: "10"
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes, and serialize builds in branches.
-# https://docs.github.com/en/actions/using-jobs/using-concurrency#example-using-concurrency-to-cancel-any-in-progress-job-or-run
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-jobs:
-  coder-test-stability:
-    name: "test/go/stability/${{ matrix.os }}/${{ matrix.instance }}"
-    runs-on: ${{ matrix.os }}
-    strategy:
-      matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-2022
-        instance:
-          - 1
-          - 2
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "~1.18"
-
-      - uses: actions/cache@v3
-        with:
-          # Go mod cache, Linux build cache, Mac build cache, Windows build cache
-          path: |
-            ~/go/pkg/mod
-            ~/.cache/go-build
-            ~/Library/Caches/go-build
-            %LocalAppData%\go-build
-          key: ${{ matrix.os }}-go-${{ hashFiles('**/go.sum') }}
-          restore-keys: |
-            ${{ matrix.os }}-go-
-
-      - run: go install gotest.tools/gotestsum@latest
-
-      - uses: hashicorp/setup-terraform@v1
-        with:
-          terraform_version: 1.1.2
-          terraform_wrapper: false
-
-      - name: Test with Mock Database
-        shell: bash
-        env:
-          GOCOUNT: ${{ github.event.inputs.iterationCount || 10 }}
-          GOMAXPROCS: ${{ runner.os == 'Windows' && 1 || 2 }}
-        run: gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage"
-          -timeout=15m -count=$GOCOUNT -race -short -failfast
-
-      - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]'
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: fake
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
-
-      - name: Test with PostgreSQL Database
-        if: runner.os == 'Linux'
-        env:
-          GOCOUNT: ${{ github.event.inputs.iterationCount || 10 }}
-        run: DB=true gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage" -timeout=30m
-          -count=$GOCOUNT -race -parallel=2 -failfast
-
-      - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]' && runner.os == 'Linux'
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: postgresql
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
@@ -4,13 +4,8 @@ on:
  push:
    branches:
      - main
-      - "release/*"
-    tags:
-      - "*"

  pull_request:
-    branches:
-      - "*"

  workflow_dispatch:

@@ -33,21 +28,103 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

 jobs:
+  typos:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: typos-action
+        uses: crate-ci/typos@v1.13.3
+        with:
+          config: .github/workflows/typos.toml
+      - name: Fix Helper
+        if: ${{ failure() }}
+        run: |
+          echo "::notice:: you can automatically fix typos from your CLI:
+          cargo install typos-cli
+          typos -c .github/workflows/typos.toml -w"
+
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      docs-only: ${{ steps.filter.outputs.docs_count == steps.filter.outputs.all_count }}
+      sh: ${{ steps.filter.outputs.sh }}
+      ts: ${{ steps.filter.outputs.ts }}
+      k8s: ${{ steps.filter.outputs.k8s }}
+    steps:
+      - uses: actions/checkout@v3
+      # For pull requests it's not necessary to checkout the code
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            all:
+              - '**'
+            docs:
+              - 'docs/**'
+              # For testing:
+              # - '.github/**'
+            sh:
+              - "**.sh"
+            ts:
+              - 'site/**'
+            k8s:
+              - 'helm/**'
+              - Dockerfile
+              - scripts/helm.sh
+      - id: debug
+        run: |
+          echo "${{ toJSON(steps.filter )}}"
+
+  # Debug step
+  debug-inputs:
+    needs:
+      - changes
+    runs-on: ubuntu-latest
+    steps:
+      - id: log
+        run: |
+          echo "${{ toJSON(needs) }}"
+
  style-lint-golangci:
    name: style/lint/golangci
+    timeout-minutes: 5
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3.3.1
+        with:
+          version: v1.48.0
+
+  check-enterprise-imports:
+    name: check/enterprise-imports
+    timeout-minutes: 5
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v2
+      - name: Check imports of enterprise code
+        run: ./scripts/check_enterprise_imports.sh
+
+  style-lint-shellcheck:
+    name: style/lint/shellcheck
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@1.1.0
+        env:
+          SHELLCHECK_OPTS: --external-sources
        with:
-          go-version: "~1.18"
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.1.0
-        with:
-          version: v1.45.2
+          ignore: node_modules

  style-lint-typescript:
    name: "style/lint/typescript"
+    timeout-minutes: 5
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
@@ -71,30 +148,105 @@ jobs:
        run: yarn lint
        working-directory: site

-  gen:
-    name: "style/gen"
+  style-lint-k8s:
+    name: "style/lint/k8s"
+    timeout-minutes: 5
+    needs: changes
+    if: needs.changes.outputs.k8s == 'true'
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - name: Install Protoc
-        uses: arduino/setup-protoc@v1
-        with:
-          version: "3.19.4"
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "~1.18"
-      - run: curl -sSL
-          https://github.com/kyleconroy/sqlc/releases/download/v1.11.0/sqlc_1.11.0_linux_amd64.tar.gz
-          | sudo tar -C /usr/bin -xz sqlc
+      - name: Checkout
+        uses: actions/checkout@v3

-      - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
-      - run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
-      - run: "make --output-sync -j gen"
-      - run: ./scripts/check_unstaged.sh
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.9.2
+
+      - name: cd helm && make lint
+        run: |
+          cd helm
+          make lint
+
+  gen:
+    name: "style/gen"
+    timeout-minutes: 8
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.docs-only == 'false'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ github.job }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ github.job }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.13.0/sqlc_1.13.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+      - name: Install yq
+        run: go run github.com/mikefarah/yq/v4@v4.30.6
+
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile
+          # or the version in the comments will differ.
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
+
+      - name: make gen
+        run: "make --output-sync -j -B gen"
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh

  style-fmt:
    name: "style/fmt"
    runs-on: ubuntu-latest
+    timeout-minutes: 5
    steps:
      - name: Checkout
        uses: actions/checkout@v3
@@ -116,12 +268,21 @@ jobs:
      - name: Install node_modules
        run: ./scripts/yarn_install.sh

-      - name: "make fmt"
-        run: "make --output-sync -j fmt"
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
+
+      - name: make fmt
+        run: |
+          export PATH=${PATH}:$(go env GOPATH)/bin
+          make --output-sync -j -B fmt
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh

  test-go:
    name: "test/go"
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' ||  matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'windows-latest-8-cores'|| matrix.os }}
+    timeout-minutes: 20
    strategy:
      matrix:
        os:
@@ -131,9 +292,9 @@ jobs:
    steps:
      - uses: actions/checkout@v3

-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - name: Echo Go Cache Paths
        id: go-cache-paths
@@ -145,7 +306,7 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}

      - name: Go Mod Cache
        uses: actions/cache@v3
@@ -153,55 +314,90 @@ jobs:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

-      - name: Install goreleaser
-        uses: jaxxstorm/action-install-gh-release@v1.4.0
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.9.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          repo: gotestyourself/gotestsum
-          tag: v1.7.0
+          tag: v1.8.2

-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v2
        with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
          terraform_wrapper: false

      - name: Test with Mock Database
+        id: test
        shell: bash
-        env:
-          GOCOUNT: ${{ runner.os == 'Windows' && 1 || 2 }}
-          GOMAXPROCS: ${{ runner.os == 'Windows' && 1 || 2 }}
-        run: gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage"
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -timeout=3m -count=$GOCOUNT -short -failfast
+        run: |
+          # Code coverage is more computationally expensive and also
+          # prevents test caching, so we disable it on alternate operating
+          # systems.
+          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
+            echo ::set-output name=cover::true
+            export COVERAGE_FLAGS='-covermode=atomic -coverprofile="gotests.coverage" -coverpkg=./...'
+          else
+            echo ::set-output name=cover::false
+          fi
+          set +e
+          gotestsum --junitfile="gotests.xml" --jsonfile="gotestsum.json" --packages="./..." --debug -- -parallel=8 -timeout=5m -short -failfast $COVERAGE_FLAGS
+          ret=$?
+          if ((ret)); then
+            # Eternalize test timeout logs because "re-run failed" erases
+            # artifacts and gotestsum doesn't always capture it:
+            # https://github.com/gotestyourself/gotestsum/issues/292
+            # Multiple test packages could've failed, each one may or may
+            # not run into the edge case. PS. Don't summon ShellCheck here.
+            for testWithStack in $(grep 'panic: test timed out' gotestsum.json | grep -E -o '("Test":[^,}]*)'); do
+              if [ -n "$testWithStack" ] && grep -q "${testWithStack}.*PASS" gotestsum.json; then
+                echo "Conditions met for gotestsum stack trace missing bug, outputting panic trace:"
+                grep -A 999999 "${testWithStack}.*panic: test timed out" gotestsum.json
+              fi
+            done
+          fi
+          exit $ret

-      - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]'
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: fake
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
+      - uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: gotestsum-debug-${{ matrix.os }}.json
+          path: ./gotestsum.json
+          retention-days: 7

-      - uses: codecov/codecov-action@v2
-        if: github.actor != 'dependabot[bot]'
+      - uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: gotests-${{ matrix.os }}.xml
+          path: ./gotests.xml
+          retention-days: 30
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: steps.test.outputs.cover && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./gotests.coverage
          flags: unittest-go-${{ matrix.os }}
-          fail_ci_if_error: true

  test-go-postgres:
    name: "test/go/postgres"
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    # This timeout must be greater than the timeout set by `go test` in
+    # `make test-postgres` to ensure we receive a trace of running
+    # goroutines. Setting this to the timeout +5m should work quite well
+    # even if some of the preceding steps are slow.
+    timeout-minutes: 25
    steps:
      - uses: actions/checkout@v3

-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - name: Echo Go Cache Paths
        id: go-cache-paths
@@ -213,7 +409,7 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}

      - name: Go Mod Cache
        uses: actions/cache@v3
@@ -221,85 +417,93 @@ jobs:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

-      - name: Install goreleaser
-        uses: jaxxstorm/action-install-gh-release@v1.4.0
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.9.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
          repo: gotestyourself/gotestsum
-          tag: v1.7.0
+          tag: v1.8.2

-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v2
        with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
          terraform_wrapper: false

-      - name: Start PostgreSQL Database
-        env:
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_USER: postgres
-          POSTGRES_DB: postgres
-          PGDATA: /tmp
-        run: |
-          docker run \
-            -e POSTGRES_PASSWORD=postgres \
-            -e POSTGRES_USER=postgres \
-            -e POSTGRES_DB=postgres \
-            -e PGDATA=/tmp \
-            -p 5432:5432 \
-            -d postgres:11 \
-            -c shared_buffers=1GB \
-            -c max_connections=1000
-          while ! pg_isready -h 127.0.0.1
-          do
-              echo "$(date) - waiting for database to start"
-              sleep 0.5
-          done
-
      - name: Test with PostgreSQL Database
-        run: DB=ci gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage" -timeout=3m
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -count=1 -parallel=2 -race -failfast
+        run: |
+          set +e
+          make test-postgres
+          ret=$?
+          if ((ret)); then
+            # Eternalize test timeout logs because "re-run failed" erases
+            # artifacts and gotestsum doesn't always capture it:
+            # https://github.com/gotestyourself/gotestsum/issues/292
+            # Multiple test packages could've failed, each one may or may
+            # not run into the edge case. PS. Don't summon ShellCheck here.
+            for testWithStack in $(grep 'panic: test timed out' gotestsum.json | grep -E -o '("Test":[^,}]*)'); do
+              if [ -n "$testWithStack" ] && grep -q "${testWithStack}.*PASS" gotestsum.json; then
+                echo "Conditions met for gotestsum stack trace missing bug, outputting panic trace:"
+                grep -A 999999 "${testWithStack}.*panic: test timed out" gotestsum.json
+              fi
+            done
+          fi
+          exit $ret

-      - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]'
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: postgresql
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
+      - uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: gotestsum-debug-postgres.json
+          path: ./gotestsum.json
+          retention-days: 7

-      - uses: codecov/codecov-action@v2
-        if: github.actor != 'dependabot[bot]'
+      - uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: gotests-postgres.xml
+          path: ./gotests.xml
+          retention-days: 30
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./gotests.coverage
-          flags: unittest-go-${{ matrix.os }}
-          fail_ci_if_error: true
+          flags: unittest-go-postgres-${{ matrix.os }}

  deploy:
    name: "deploy"
-    runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    timeout-minutes: 30
+    needs: changes
+    if: |
+      github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+      && needs.changes.outputs.docs-only == 'false'
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0

      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v0
+        uses: google-github-actions/auth@v1
        with:
          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com

      - name: Set up Google Cloud SDK
-        uses: google-github-actions/setup-gcloud@v0
+        uses: google-github-actions/setup-gcloud@v1

-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - name: Echo Go Cache Paths
        id: go-cache-paths
@@ -319,10 +523,6 @@ jobs:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
-
      - name: Cache Node
        id: cache-node
        uses: actions/cache@v3
@@ -330,32 +530,53 @@ jobs:
          path: |
            **/node_modules
            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          key: js-${{ runner.os }}-release-node-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            js-${{ runner.os }}-

-      - name: Build Release
-        run: make release
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+      - name: Install nfpm
+        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0

-      - uses: actions/upload-artifact@v3
-        with:
-          name: coder_linux_amd64.deb
-          path: ./dist/coder_*_linux_amd64.deb
+      - name: Install zstd
+        run: sudo apt-get install -y zstd
+
+      - name: Build Release
+        run: |
+          set -euo pipefail
+          go mod download
+
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_windows_amd64.zip \
+            build/coder_"$version"_linux_amd64.{tar.gz,deb}

      - name: Install Release
        run: |
          gcloud config set project coder-dogfood
          gcloud config set compute/zone us-central1-a
-          gcloud compute scp ./dist/coder_*_linux_amd64.deb coder:/tmp/coder.deb
+          gcloud compute scp ./build/coder_*_linux_amd64.deb coder:/tmp/coder.deb
          gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
          gcloud compute ssh coder -- sudo systemctl daemon-reload

      - name: Start
        run: gcloud compute ssh coder -- sudo service coder restart

+      - uses: actions/upload-artifact@v3
+        with:
+          name: coder
+          path: |
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.deb
+          retention-days: 7
+
  test-js:
    name: "test/js"
-    runs-on: ubuntu-latest
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    timeout-minutes: 20
    steps:
      - uses: actions/checkout@v3

@@ -370,11 +591,6 @@ jobs:
          restore-keys: |
            js-${{ runner.os }}-

-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "~1.18"
-
      - uses: actions/setup-node@v3
        with:
          node-version: "14"
@@ -382,44 +598,32 @@ jobs:
      - name: Install node_modules
        run: ./scripts/yarn_install.sh

-      - name: Build frontend
-        run: yarn build
-        working-directory: site
-
-      - name: Build Storybook
-        run: yarn storybook:build
-        working-directory: site
-
      - run: yarn test:coverage
        working-directory: site

-      - uses: codecov/codecov-action@v2
-        if: github.actor != 'dependabot[bot]'
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./site/coverage/lcov.info
          flags: unittest-js
-          fail_ci_if_error: true
-
-      - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]'
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml

  test-e2e:
    name: "test/e2e/${{ matrix.os }}"
+    needs:
+      - changes
+    if: needs.changes.outputs.docs-only == 'false'
    runs-on: ${{ matrix.os }}
+    timeout-minutes: 20
    strategy:
      matrix:
        os:
          - ubuntu-latest
-          - macos-latest
-          # TODO: Get `make build` running on Windows 2022
-          # https://github.com/coder/coder/issues/384
-          # - windows-2022
    steps:
      - uses: actions/checkout@v3

@@ -430,28 +634,21 @@ jobs:
          path: |
            **/node_modules
            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
+          key: js-${{ runner.os }}-e2e-${{ hashFiles('**/yarn.lock') }}

-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v2
+      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

-      - uses: hashicorp/setup-terraform@v1
+      - uses: hashicorp/setup-terraform@v2
        with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
          terraform_wrapper: false

      - uses: actions/setup-node@v3
        with:
          node-version: "14"

-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
-
      - name: Echo Go Cache Paths
        id: go-cache-paths
        run: |
@@ -472,7 +669,8 @@ jobs:

      - name: Build
        run: |
-          make site/out
+          sudo npm install -g prettier
+          make -B site/out/index.html

      - run: yarn playwright:install
        working-directory: site
@@ -485,10 +683,75 @@ jobs:
          DEBUG: pw:api
        working-directory: site

-      - name: Upload DataDog Trace
-        if: (success() || failure()) && github.actor != 'dependabot[bot]' && runner.os == 'Linux'
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: e2e
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
+      - name: Upload Playwright Failed Tests
+        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./site/test-results/**/*.webm
+          retention-days: 7
+
+  chromatic:
+    # REMARK: this is only used to build storybook and deploy it to Chromatic.
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: needs.changes.outputs.ts == 'true'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Required by Chromatic for build-over-build history, otherwise we
+          # only get 1 commit on shallow checkout.
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: cd site && yarn
+
+      # This step is not meant for mainline because any detected changes to
+      # storybook snapshots will require manual approval/review in order for
+      # the check to pass. This is desired in PRs, but not in mainline.
+      - name: Publish to Chromatic (non-mainline)
+        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          buildScriptName: "storybook:build"
+          exitOnceUploaded: true
+          # Chromatic states its fine to make this token public. See:
+          # https://www.chromatic.com/docs/github-actions#forked-repositories
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+
+      # This is a separate step for mainline only that auto accepts and changes
+      # instead of holding CI up. Since we squash/merge, this is defensive to
+      # avoid the same changeset from requiring review once squashed into
+      # main. Chromatic is supposed to be able to detect that we use squash
+      # commits, but it's good to be defensive in case, otherwise CI remains
+      # infinitely "in progress" in mainline unless we re-review each build.
+      - name: Publish to Chromatic (mainline)
+        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          autoAcceptChanges: true
+          buildScriptName: "storybook:build"
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+  markdown-link-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@master
+      # For the main branch:
+      - if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        with:
+          use-quiet-mode: yes
+          use-verbose-mode: yes
+          config-file: .github/workflows/mlc_config.json
+      # For pull requests:
+      - if: github.ref != 'refs/heads/main' || github.event.pull_request.head.repo.fork
+        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        with:
+          use-quiet-mode: yes
+          use-verbose-mode: yes
+          check-modified-files-only: yes
+          base-branch: main
+          config-file: .github/workflows/mlc_config.json
@@ -0,0 +1,13 @@
+# Dependabot is annoying, but this makes it a bit less so.
+name: Auto Approve Dependabot
+
+on: pull_request_target
+
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: hmarr/auto-approve-action@v3
+        if: github.actor == 'dependabot[bot]'
@@ -0,0 +1,73 @@
+name: dogfood
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "dogfood/**"
+  pull_request:
+    paths:
+      - "dogfood/**"
+  workflow_dispatch:
+
+jobs:
+  deploy_image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v6.4
+
+      - name: "Branch name to Docker tag name"
+        id: docker-tag-name
+        run: |
+          tag=${{ steps.branch-name.outputs.current_branch }}
+          # Replace / with --, e.g. user/feature => user--feature.
+          tag=${tag//\//--}
+          echo "::set-output name=tag::${tag}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: "{{defaultContext}}:dogfood"
+          push: true
+          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
+          cache-from: type=registry,ref=codercom/oss-dogfood:latest
+          cache-to: type=inline
+  deploy_template:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Get short commit SHA
+        id: vars
+        run: echo "::set-output name=sha_short::$(git rev-parse --short HEAD)"
+      - name: "Install latest Coder"
+        run: |
+          curl -L https://coder.com/install.sh | sh
+        # env:
+        #   VERSION: 0.x
+      - name: "Push template"
+        run: |
+          coder templates push $CODER_TEMPLATE_NAME --directory $CODER_TEMPLATE_DIR --yes --name=$CODER_TEMPLATE_VERSION
+        env:
+          # Consumed by Coder CLI
+          CODER_URL: https://dev.coder.com
+          CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }}
+          # Template source & details
+          CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
+          CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
+          CODER_TEMPLATE_DIR: ./dogfood
@@ -0,0 +1,22 @@
+{
+  "ignorePatterns": [
+    {
+      "pattern": "://localhost"
+    },
+    {
+      "pattern": "://.*.?example\\.com"
+    },
+    {
+      "pattern": "developer.github.com"
+    },
+    {
+      "pattern": "docs.github.com"
+    },
+    {
+      "pattern": "support.google.com"
+    },
+    {
+      "pattern": "tailscale.com"
+    }
+  ]
+}
@@ -0,0 +1,60 @@
+name: Submit Packages
+on:
+  workflow_run:
+    workflows: [release]
+    types:
+      - completed
+env:
+  CODER_VERSION: "${{ github.event.release.tag_name }}"
+
+jobs:
+  winget:
+    runs-on: windows-latest
+    steps:
+      - name: Install wingetcreate
+        run: |
+          Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
+
+      - name: Submit updated manifest to winget-pkgs
+        run: |
+          $release_assets = gh release view --repo coder/coder "$env:CODER_VERSION" --json assets | `
+            ConvertFrom-Json
+          # Get the installer URL from the release assets.
+          $installer_url = $release_assets.assets | `
+            Where-Object name -Match ".*_windows_amd64_installer.exe$" | `
+            Select -ExpandProperty url
+
+          echo "Installer URL: $installer_url"
+
+          # The package version is the same as the tag minus the leading "v".
+          $version = $env:CODER_VERSION.Trim('v')
+
+          echo "Package version: $version"
+
+          # The URL "|X64" suffix forces the architecture as it cannot be
+          # sniffed properly from the URL. wingetcreate checks both the URL and
+          # binary magic bytes for the architecture and they need to both match,
+          # but they only check for `x64`, `win64` and `_64` in the URL. Our URL
+          # contains `amd64` which doesn't match sadly.
+          #
+          # wingetcreate will still do the binary magic bytes check, so if we
+          # accidentally change the architecture of the installer, it will fail
+          # submission.
+          .\wingetcreate.exe update Coder.Coder `
+            --submit `
+            --version "${version}" `
+            --urls "${installer_url}|X64" `
+            --token "${{ secrets.CDRCI_GITHUB_TOKEN }}"
+
+        env:
+          # For gh CLI:
+          GH_TOKEN: ${{ github.token }}
+
+      - name: Comment on PR
+        run: |
+          # find the PR that wingetcreate just made
+          $pr_list = gh pr list --repo microsoft/winget-pkgs --search "author:cdrci Coder.Coder version ${{ steps.version.outputs.version }}" --limit 1 --json number | `
+            ConvertFrom-Json`
+          $pr_number = $pr_list[0].number
+
+          gh pr comment --repo microsoft/winget-pkgs "$pr_number" --body "🤖 cc: @deansheather @matifali"
@@ -0,0 +1,20 @@
+name: Lint PR
+
+on:
+  pull_request_target:
+    types:
+      - opened
+      - reopened
+      - edited
+      - synchronize
+
+jobs:
+  main:
+    name: Validate PR title
+    runs-on: ubuntu-latest
+    steps:
+      - uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          requireScope: false
@@ -1,36 +1,143 @@
-name: release
+# GitHub release workflow.
+name: Release
+run-name: Release ${{ github.ref_name }}${{ inputs.dry_run && ' (DRYRUN)' || '' }}
 on:
-  push:
-    tags:
-      - "v*"
+  workflow_dispatch:
+    inputs:
+      increment:
+        description: Preferred version increment (release script may promote e.g. patch to minor depending on changes).
+        type: choice
+        required: true
+        default: patch
+        options:
+          - patch
+          - minor
+          - major
+      draft:
+        description: Create a draft release (for manually editing release notes before publishing).
+        type: boolean
+        required: true
+        default: false
+      dry_run:
+        description: Perform a dry-run release.
+        type: boolean
+        required: true
+        default: false
+      ignore_missing_commit_metadata:
+        description: WARNING! This option disables the requirement that all commits have a PR. Not needed for dry_run.
+        type: boolean
+        default: false
+
+permissions:
+  # Required to publish a release
+  contents: write
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+  id-token: write
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+env:
+  # Use `inputs` (vs `github.event.inputs`) to ensure that booleans are actual
+  # booleans, not strings.
+  # https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/
+  CODER_RELEASE: ${{ !inputs.dry_run }}
+  CODER_RELEASE_INCREMENT: ${{ inputs.increment }}
+  CODER_RELEASE_DRAFT: ${{ inputs.draft }}
+  CODER_DRY_RUN: ${{ inputs.dry_run }}
+
 jobs:
-  goreleaser:
-    runs-on: ubuntu-latest
+  release:
+    name: Create and publish
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-16-cores' || 'ubuntu-latest' }}
+    env:
+      # Necessary for Docker manifest
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
+      - name: Check release on main (or dry-run)
+        if: ${{ github.ref_name != 'main' && !inputs.dry_run }}
+        run: |
+          echo "Release not allowed on ${{ github.ref_name }}, use dry-run."
+          exit 1
+
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0
-      - uses: actions/setup-go@v2
-        with:
-          go-version: "~1.18"
+          # Set token for pushing protected tag (vX.X.X).
+          token: ${{ secrets.RELEASE_GITHUB_PAT }}

-      - name: Echo Go Cache Paths
-        id: go-cache-paths
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      # Configure git user name/email for creating annotated version tag.
+      - name: Setup git config
        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+          git config user.name "Coder CI"
+          git config user.email "dean+cdrci@coder.com"

-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
+      - name: Create release tag and release notes
+        run: |
+          set -euo pipefail
+          ref=HEAD
+          old_version="$(git describe --abbrev=0 "$ref^1")"

-      - name: Go Mod Cache
-        uses: actions/cache@v3
+          if [[ "${{ inputs.ignore_missing_commit_metadata }}" == *t* ]]; then
+            export CODER_IGNORE_MISSING_COMMIT_METADATA=1
+          fi
+
+          # Warn if CODER_IGNORE_MISSING_COMMIT_METADATA is set any other way
+          # than via dry-run.
+          if [[ ${CODER_IGNORE_MISSING_COMMIT_METADATA:-0} != 0 ]]; then
+            echo "WARNING: CODER_IGNORE_MISSING_COMMIT_METADATA is enabled and we will ignore missing commit metadata." 1>&2
+          fi
+
+          version_args=()
+          if [[ $CODER_DRY_RUN == *t* ]]; then
+            # Allow dry-run of branches to pass.
+            export CODER_IGNORE_MISSING_COMMIT_METADATA=1
+            version_args+=(--dry-run)
+          fi
+
+          # Cache commit metadata.
+          . ./scripts/release/check_commit_metadata.sh "$old_version" "$ref"
+
+          declare -p version_args
+
+          # Create new release tag (note that this tag is not pushed before
+          # release.sh is run).
+          version="$(
+            ./scripts/release/tag_version.sh \
+              "${version_args[@]}" \
+              --ref "$ref" \
+              --"$CODER_RELEASE_INCREMENT"
+          )"
+
+          # Generate notes.
+          release_notes_file="$(mktemp -t release_notes.XXXXXX)"
+          ./scripts/release/generate_release_notes.sh --old-version "$old_version" --new-version "$version" --ref "$ref" >> "$release_notes_file"
+          echo CODER_RELEASE_NOTES_FILE="$release_notes_file" >> $GITHUB_ENV
+
+      - name: Echo release notes
+        run: |
+          set -euo pipefail
+          cat "$CODER_RELEASE_NOTES_FILE"
+
+      - name: Docker Login
+        uses: docker/login-action@v2
        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.19"

      - name: Cache Node
        id: cache-node
@@ -43,13 +150,152 @@ jobs:
          restore-keys: |
            js-${{ runner.os }}-

-      - name: Build Site
-        run: make site/out
+      - name: Install nsis and zstd
+        run: sudo apt-get install -y nsis zstd

-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2.9.1
-        with:
-          version: latest
-          args: release --rm-dist
+      - name: Install nfpm
+        run: |
+          set -euo pipefail
+          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.18.1/nfpm_amd64.deb
+          sudo dpkg -i /tmp/nfpm.deb
+
+      - name: Install rcodesign
+        run: |
+          set -euo pipefail
+
+          # Install a prebuilt binary of rcodesign for linux amd64. Once the
+          # following PR is merged and released upstream, we can download
+          # directly from GitHub releases instead:
+          #   https://github.com/indygreg/PyOxidizer/pull/635
+          wget -O /tmp/rcodesign https://cdn.discordapp.com/attachments/283356472258199552/1016767245717872700/rcodesign
+          sudo install --mode 755 /tmp/rcodesign /usr/local/bin/rcodesign
+
+      - name: Setup Apple Developer certificate and API key
+        run: |
+          set -euo pipefail
+          touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          echo "$AC_CERTIFICATE_P12_BASE64" | base64 -d > /tmp/apple_cert.p12
+          echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt
+          echo "$AC_APIKEY_P8_BASE64" | base64 -d > /tmp/apple_apikey.p8
+        env:
+          AC_CERTIFICATE_P12_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
+
+      - name: Build binaries
+        run: |
+          set -euo pipefail
+          go mod download
+
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
+            build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \
+            build/coder_"$version"_windows_amd64_installer.exe \
+            build/coder_helm_"$version".tgz
+        env:
+          CODER_SIGN_DARWIN: "1"
+          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
+          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_FILE: /tmp/apple_apikey.p8
+
+      - name: Delete Apple Developer certificate and API key
+        run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+
+      - name: Build Linux Docker images
+        run: |
+          set -euxo pipefail
+
+          # build Docker images for each architecture
+          version="$(./scripts/version.sh)"
+          make -j build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
+
+          # we can't build multi-arch if the images aren't pushed, so quit now
+          # if dry-running
+          if [[ "$CODER_RELEASE" != *t* ]]; then
+            echo Skipping multi-arch docker builds due to dry-run.
+            exit 0
+          fi
+
+          # build and push multi-arch manifest, this depends on the other images
+          # being pushed so will automatically push them.
+          make -j push/build/coder_"$version"_linux.tag
+
+          # if the current version is equal to the highest (according to semver)
+          # version in the repo, also create a multi-arch image as ":latest" and
+          # push it
+          if [[ "$(git tag | grep '^v' | grep -vE '(rc|dev|-|\+|\/)' | sort -r --version-sort | head -n1)" == "v$(./scripts/version.sh)" ]]; then
+            ./scripts/build_docker_multiarch.sh \
+              --push \
+              --target "$(./scripts/image_tag.sh --version latest)" \
+              $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
+          fi
+
+      - name: ls build
+        run: ls -lh build
+
+      - name: Publish release
+        run: |
+          set -euo pipefail
+
+          publish_args=()
+          if [[ $CODER_RELEASE_DRAFT == *t* ]]; then
+            publish_args+=(--draft)
+          fi
+          if [[ $CODER_DRY_RUN == *t* ]]; then
+            publish_args+=(--dry-run)
+          fi
+          declare -p publish_args
+
+          ./scripts/release/publish.sh \
+            "${publish_args[@]}" \
+            --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
+            ./build/*_installer.exe \
+            ./build/*.zip \
+            ./build/*.tar.gz \
+            ./build/*.tgz \
+            ./build/*.apk \
+            ./build/*.deb \
+            ./build/*.rpm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Setup GCloud SDK
+        uses: "google-github-actions/setup-gcloud@v1"
+
+      - name: Publish Helm Chart
+        if: ${{ !inputs.dry_run }}
+        run: |
+          set -euo pipefail
+          version="$(./scripts/version.sh)"
+          mkdir -p build/helm
+          cp "build/coder_helm_${version}.tgz" build/helm
+          gsutil cp gs://helm.coder.com/v2/index.yaml build/helm/index.yaml
+          helm repo index build/helm --url https://helm.coder.com/v2 --merge build/helm/index.yaml
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/coder_helm_${version}.tgz gs://helm.coder.com/v2
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/index.yaml gs://helm.coder.com/v2
+
+      - name: Upload artifacts to actions (if dry-run)
+        if: ${{ inputs.dry_run }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: release-artifacts
+          path: |
+            ./build/*_installer.exe
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.tgz
+            ./build/*.apk
+            ./build/*.deb
+            ./build/*.rpm
+          retention-days: 7
@@ -0,0 +1,35 @@
+name: Stale Issue Cron
+on:
+  schedule:
+    # Every day at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      # v5.1.0 has a weird bug that makes stalebot add then remove its own label
+      # https://github.com/actions/stale/pull/775
+      - uses: actions/stale@v7.0.0
+        with:
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
+          # Pull Requests become stale more quickly due to merge conflicts.
+          # Also, we promote minimizing WIP.
+          days-before-pr-stale: 7
+          days-before-pr-close: 3
+          stale-pr-message: >
+            This Pull Request is becoming stale. In order to minimize WIP, 
+            prevent merge conflicts and keep the tracker readable, I'm going
+            close to this PR in 3 days if there isn't more activity.
+          stale-issue-message: >
+            This issue is becoming stale. In order to keep the tracker readable
+            and actionable, I'm going close to this issue in 7 days if there 
+            isn't more activity.
+          # Upped from 30 since we have a big tracker and was hitting the limit.
+          operations-per-run: 60
+          # Start with the oldest issues, always.
+          ascending: true
@@ -0,0 +1,25 @@
+[default.extend-identifiers]
+alog = "alog"
+Jetbrains = "JetBrains"
+IST = "IST"
+MacOS = "macOS"
+
+[default.extend-words]
+# do as sudo replacement
+doas = "doas"
+darcula = "darcula"
+Hashi = "Hashi"
+trialer = "trialer"
+encrypter = "encrypter"
+
+[files]
+extend-exclude = [
+    "**.svg",
+    "**.png",
+    "**.lock",
+    "go.sum",
+    "go.mod",
+    # These files contain base64 strings that confuse the detector
+    "**XService**.ts",
+    "**identity.go",
+]
@@ -0,0 +1,18 @@
+name: Welcome
+on:
+  pull_request:
+    types: [opened]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: wow-actions/welcome@v1
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FIRST_PR_REACTIONS: "+1, hooray, rocket, heart"
+          FIRST_PR_COMMENT: |
+            👋 Welcome @{{ author }} to Coder! Yo @coder/docs this is @{{ author }}'s first pull-request here!
+          FIRST_PR_MERGED: |
+            🎉 Thanks for the contribution @{{ author }}! Yo @coder/docs @{{ author }}'s first contribution has been merged! 👀👀👀
@@ -1,36 +1,49 @@
-###############################################################################
-#                                 NOTICE                                      #
-# If you change this file, kindly copy-pasta your change into .prettierignore #
-# and .eslintignore as well. See the following discussions to understand why  #
-# we have to resort to this duplication (at least for now):                   #
-#                                                                             #
-# https://github.com/prettier/prettier/issues/8048                            #
-# https://github.com/prettier/prettier/issues/8506                            #
-# https://github.com/prettier/prettier/issues/8679                            #
-###############################################################################
-
-node_modules
-vendor
+# Common ignore patterns, these rules applies in both root and subdirectories.
+.DS_Store
 .eslintcache
-yarn-error.log
+.gitpod.yml
 .idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotestsum.json
+node_modules/
+vendor/
+yarn-error.log

-# Front-end ignore
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
 .next/
-site/.eslintcache
-site/.next/
-site/node_modules/
-site/storybook-static/
-site/test-results/
-site/yarn-error.log
-coverage/
 site/**/*.typegen.ts
+site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/storageState.json
+site/playwright-report/*
+
+# Make target for updating golden files.
+cli/testdata/.gen-golden

 # Build
-dist/
+/build/
+/dist/
 site/out/

 *.tfstate
+*.tfstate.backup
 *.tfplan
 *.lock.hcl
 .terraform/
+
+/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
@@ -77,7 +77,7 @@ linters-settings:
      # - sloppyReassign
      - sloppyTypeAssert
      - sortSlice
-      # - sprintfQuotedString
+      - sprintfQuotedString
      - sqlQuery
      # - stringConcatSimplify
      # - stringXbytes
@@ -103,7 +103,14 @@ linters-settings:
    settings:
      ruleguard:
        failOn: all
-        rules: rules.go
+        rules: "${configDir}/scripts/rules.go"
+
+  staticcheck:
+    # https://staticcheck.io/docs/options#checks
+    # We disable SA1019 because it gets angry about our usage of xerrors. We
+    # intentionally xerrors because stack frame support didn't make it into the
+    # stdlib port.
+    checks: ["all", "-SA1019"]

  goimports:
    local-prefixes: coder.com,cdr.dev,go.coder.com,github.com/cdr,github.com/coder
@@ -116,6 +123,8 @@ linters-settings:

  misspell:
    locale: US
+    ignore-words:
+      - trialer

  nestif:
    min-complexity: 4 # Min complexity of if statements (def 5, goal 4)
@@ -177,26 +186,6 @@ linters-settings:
      - name: var-declaration
      - name: var-naming
      - name: waitgroup-by-value
-  varnamelen:
-    ignore-names:
-      - err
-      - rw
-      - r
-      - i
-      - db
-      - t
-      - id
-      - wg
-    # Optional list of variable declarations that should be ignored completely. (defaults to empty list)
-    # Entries must be in the form of "<variable name> <type>" or "<variable name> *<type>" for
-    # variables, or "const <name>" for constants.
-    ignore-decls:
-      - rw http.ResponseWriter
-      - r *http.Request
-      - t testing.T
-      - t testing.TB
-      - ok bool
-      - wg sync.WaitGroup

 issues:
  # Rules listed here: https://github.com/securego/gosec#available-rules
@@ -214,6 +203,8 @@ run:
  concurrency: 4
  skip-dirs:
    - node_modules
+  skip-files:
+    - scripts/rules.go
  timeout: 5m

 # Over time, add more and more linters from
@@ -246,16 +237,21 @@ linters:
    - noctx
    - paralleltest
    - revive
-    - rowserrcheck
-    - sqlclosecheck
+
+    # These don't work until the following issue is solved.
+    # https://github.com/golangci/golangci-lint/issues/2649
+    # - rowserrcheck
+    # - sqlclosecheck
+    # - structcheck
+    # - wastedassign
+
    - staticcheck
-    - structcheck
    - tenv
    # In Go, it's possible for a package to test it's internal functionality
    # without testing any exported functions. This is enabled to promote
    # decomposing a package before testing it's internals. A function caller
    # should be able to test most of the functionality from exported functions.
-    # 
+    #
    # There are edge-cases to this rule, but they should be carefully considered
    # to avoid structural inconsistency.
    - testpackage
@@ -264,5 +260,3 @@ linters:
    - unconvert
    - unused
    - varcheck
-    - varnamelen
-    - wastedassign
@@ -1,57 +0,0 @@
-archives:
-  - id: coder
-    builds:
-      - coder
-    files:
-      - README.md
-
-before:
-  hooks:
-    - go mod tidy
-    - rm -f site/out/bin/coder*
-
-builds:
-  - id: coder-slim
-    dir: cmd/coder
-    ldflags: ["-s -w"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
-    goarch: [amd64]
-    hooks:
-      # The "trimprefix" appends ".exe" on Windows.
-      post: |
-        cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ trimprefix .Name "coder" }}
-
-  - id: coder
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
-    goarch: [amd64, arm64]
-
-nfpms:
-  - id: packages
-    vendor: Coder
-    homepage: https://coder.com
-    maintainer: Coder <support@coder.com>
-    description: |
-      Provision development environments with infrastructure with code
-    formats:
-      - apk
-      - deb
-      - rpm
-    suggests:
-      - postgresql
-    builds:
-      - coder
-    bindir: /usr/bin
-    contents:
-      - src: coder.env
-        dst: /etc/coder.d/coder.env
-        type: "config|noreplace"
-      - src: coder.service
-        dst: /usr/lib/systemd/system/coder.service
-
-release:
-  ids: [coder, packages]
@@ -0,0 +1,63 @@
+# Code generated by Makefile (.gitignore .prettierignore.include). DO NOT EDIT.
+
+# .gitignore:
+# Common ignore patterns, these rules applies in both root and subdirectories.
+.DS_Store
+.eslintcache
+.gitpod.yml
+.idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotestsum.json
+node_modules/
+vendor/
+yarn-error.log
+
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
+.next/
+site/**/*.typegen.ts
+site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/storageState.json
+site/playwright-report/*
+
+# Make target for updating golden files.
+cli/testdata/.gen-golden
+
+# Build
+/build/
+/dist/
+site/out/
+
+*.tfstate
+*.tfstate.backup
+*.tfplan
+*.lock.hcl
+.terraform/
+
+/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
+# .prettierignore.include:
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
@@ -0,0 +1,10 @@
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
@@ -0,0 +1,16 @@
+# This config file is used in conjunction with `.editorconfig` to specify
+# formatting for prettier-supported files. See `.editorconfig` and
+# `site/.editorconfig`for whitespace formatting options.
+printWidth: 80
+semi: false
+trailingComma: all
+overrides:
+  - files:
+      - README.md
+    options:
+      proseWrap: preserve
+  - files:
+      - "site/**/*.yaml"
+      - "site/**/*.yml"
+    options:
+      proseWrap: always
@@ -0,0 +1,8 @@
+// Replace all NullTime with string
+replace github.com/coder/coder/codersdk.NullTime string
+// Prevent swaggo from rendering enums for time.Duration
+replace time.Duration int64
+// Do not expose "echo" provider
+replace github.com/coder/coder/codersdk.ProvisionerType string
+// Do not render netip.Addr
+replace netip.Addr string
@@ -1,5 +1,6 @@
 {
  "recommendations": [
+    "github.vscode-codeql",
    "golang.go",
    "hashicorp.terraform",
    "esbenp.prettier-vscode",
@@ -7,6 +8,8 @@
    "emeraldwalk.runonsave",
    "zxh404.vscode-proto3",
    "redhat.vscode-yaml",
-    "streetsidesoftware.code-spell-checker"
+    "streetsidesoftware.code-spell-checker",
+    "dbaeumer.vscode-eslint",
+    "EditorConfig.EditorConfig"
  ]
 }
@@ -1,68 +1,178 @@
 {
  "cSpell.words": [
+    "afero",
+    "apps",
+    "ASKPASS",
+    "awsidentity",
+    "bodyclose",
+    "buildinfo",
+    "buildname",
+    "circbuf",
    "cliflag",
    "cliui",
+    "codecov",
    "coderd",
+    "coderdenttest",
    "coderdtest",
    "codersdk",
+    "cronstrue",
+    "databasefake",
+    "dbtype",
+    "DERP",
+    "derphttp",
+    "derpmap",
+    "devel",
+    "devtunnel",
+    "dflags",
    "drpc",
    "drpcconn",
    "drpcmux",
    "drpcserver",
    "Dsts",
+    "embeddedpostgres",
+    "enablements",
+    "errgroup",
+    "eventsourcemock",
+    "Failf",
    "fatih",
+    "Formik",
+    "gitauth",
+    "gitsshkey",
    "goarch",
    "gographviz",
    "goleak",
+    "gonet",
    "gossh",
+    "gsyslog",
+    "GTTY",
    "hashicorp",
    "hclsyntax",
+    "httpapi",
    "httpmw",
    "idtoken",
    "Iflag",
    "incpatch",
+    "ipnstate",
    "isatty",
    "Jobf",
+    "Keygen",
    "kirsle",
+    "Kubernetes",
    "ldflags",
+    "magicsock",
    "manifoldco",
+    "mapstructure",
    "mattn",
    "mitchellh",
    "moby",
+    "namesgenerator",
+    "namespacing",
+    "netaddr",
+    "netip",
+    "netmap",
+    "netns",
+    "netstack",
+    "nettype",
    "nfpms",
    "nhooyr",
+    "nmcfg",
    "nolint",
    "nosec",
    "ntqry",
+    "OIDC",
    "oneof",
+    "opty",
+    "paralleltest",
    "parameterscopeid",
    "pqtype",
+    "prometheusmetrics",
+    "promhttp",
    "promptui",
    "protobuf",
    "provisionerd",
+    "provisionerdserver",
    "provisionersdk",
    "ptty",
+    "ptys",
    "ptytest",
+    "quickstart",
+    "reconfig",
+    "replicasync",
    "retrier",
+    "rpty",
+    "SCIM",
    "sdkproto",
+    "sdktrace",
+    "Signup",
+    "slogtest",
+    "sourcemapped",
+    "Srcs",
+    "stdbuf",
    "stretchr",
+    "STTY",
+    "stuntest",
+    "tailbroker",
+    "tailcfg",
+    "tailexchange",
+    "tailnet",
+    "tailnettest",
+    "Tailscale",
    "TCGETS",
    "tcpip",
    "TCSETS",
+    "templateversions",
+    "testdata",
+    "testid",
+    "testutil",
    "tfexec",
+    "tfjson",
+    "tfplan",
    "tfstate",
+    "tios",
+    "tmpdir",
+    "tparallel",
+    "trialer",
    "trimprefix",
+    "tsdial",
+    "tslogger",
+    "tstun",
+    "turnconn",
+    "typegen",
+    "typesafe",
    "unconvert",
    "Untar",
+    "Userspace",
+    "VMID",
+    "walkthrough",
+    "weblinks",
    "webrtc",
+    "wgcfg",
+    "wgconfig",
+    "wgengine",
+    "wgmonitor",
+    "wgnet",
+    "workspaceagent",
+    "workspaceagents",
+    "workspaceapp",
+    "workspaceapps",
+    "workspacebuilds",
+    "workspacename",
+    "wsconncache",
+    "wsjson",
    "xerrors",
+    "xstate",
    "yamux"
  ],
+  "cSpell.ignorePaths": ["site/package.json", ".vscode/settings.json"],
  "emeraldwalk.runonsave": {
    "commands": [
      {
-        "match": "database/query.sql",
+        "match": "database/queries/*.sql",
        "cmd": "make gen"
+      },
+      {
+        "match": "provisionerd/proto/provisionerd.proto",
+        "cmd": "make provisionerd/proto/provisionerd.pb.go"
      }
    ]
  },
@@ -76,19 +186,17 @@
  "go.lintFlags": ["--fast"],
  "go.lintOnSave": "package",
  "go.coverOnSave": true,
-  // The codersdk is used by coderd another other packages extensively.
-  // To reduce redundancy in tests, it's covered by other packages.
-  "go.testFlags": ["-short", "-coverpkg=./.,github.com/coder/coder/codersdk"],
  "go.coverageDecorator": {
    "type": "gutter",
-    "coveredHighlightColor": "rgba(64,128,128,0.5)",
-    "uncoveredHighlightColor": "rgba(128,64,64,0.25)",
-    "coveredBorderColor": "rgba(64,128,128,0.5)",
-    "uncoveredBorderColor": "rgba(128,64,64,0.25)",
    "coveredGutterStyle": "blockgreen",
    "uncoveredGutterStyle": "blockred"
  },
+  // The codersdk is used by coderd another other packages extensively.
+  // To reduce redundancy in tests, it's covered by other packages.
+  // Since package coverage pairing can't be defined, all packages cover
+  // all other packages.
+  "go.testFlags": ["-short", "-coverpkg=./..."],
  // We often use a version of TypeScript that's ahead of the version shipped
  // with VS Code.
-  "typescript.tsdk": "./site/node_modules/typescript/lib",
+  "typescript.tsdk": "./site/node_modules/typescript/lib"
 }
@@ -0,0 +1,13 @@
+# Adopters
+
+[!["Join us on
+Discord"](https://img.shields.io/badge/join-us%20on%20Discord-gray.svg?longCache=true&logo=discord&colorB=green)](https://coder.com/chat?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=adopters.md) [![Twitter
+Follow](https://img.shields.io/twitter/follow/coderhq?label=%40coderhq&style=social)](https://twitter.com/coderhq)
+
+🦩 _If you're using Coder in your organization, please try to add your company name to this list. It really helps the project to gain momentum and credibility. It's a small contribution back to the project with a big impact. You can do this by by editing this file and contributing your changes via a pull-request on GitHub._
+
+> 👋 _If you are considering using Coder in your organization please introduce yourself via https://coder.com/demo_ 🙇🏻‍♂️
+
+| Organization                   | Contact                                 | Description of Use             |
+| ------------------------------ | --------------------------------------- | ------------------------------ |
+| [Coder](https://www.coder.com) | [@coderhq](https://twitter.com/coderhq) | Coder builds coder with Coder. |
@@ -0,0 +1,30 @@
+# This is the multi-arch Dockerfile used for Coder. Since it's multi-arch and
+# cross-compiled, it cannot have ANY "RUN" commands. All binaries are built
+# using the go toolchain on the host and then copied into the build context by
+# scripts/build_docker.sh.
+FROM alpine:latest
+
+# LABEL doesn't add any real layers so it's fine (and easier) to do it here than
+# in the build script.
+ARG CODER_VERSION
+LABEL \
+	org.opencontainers.image.title="Coder" \
+	org.opencontainers.image.description="A tool for provisioning self-hosted development environments with Terraform." \
+	org.opencontainers.image.url="https://github.com/coder/coder" \
+	org.opencontainers.image.source="https://github.com/coder/coder" \
+	org.opencontainers.image.version="$CODER_VERSION"
+
+# Create coder group and user. We cannot use `addgroup` and `adduser` because
+# they won't work if we're building the image for a different architecture.
+COPY --chown=0:0 --chmod=644 group passwd /etc/
+COPY --chown=1000:1000 --chmod=700 empty-dir /home/coder
+
+# The coder binary is injected by scripts/build_docker.sh.
+COPY --chown=1000:1000 --chmod=755 coder /opt/coder
+
+USER 1000:1000
+ENV HOME=/home/coder
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt
+WORKDIR /home/coder
+
+ENTRYPOINT [ "/opt/coder", "server" ]
@@ -0,0 +1,661 @@
+                    GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU Affero General Public License is a free, copyleft license for
+software and other kinds of works, specifically designed to ensure
+cooperation with the community in the case of network server software.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+our General Public Licenses are intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  Developers that use our General Public Licenses protect your rights
+with two steps: (1) assert copyright on the software, and (2) offer
+you this License which gives you legal permission to copy, distribute
+and/or modify the software.
+
+  A secondary benefit of defending all users' freedom is that
+improvements made in alternate versions of the program, if they
+receive widespread use, become available for other developers to
+incorporate.  Many developers of free software are heartened and
+encouraged by the resulting cooperation.  However, in the case of
+software used on network servers, this result may fail to come about.
+The GNU General Public License permits making a modified version and
+letting the public access it on a server without ever releasing its
+source code to the public.
+
+  The GNU Affero General Public License is designed specifically to
+ensure that, in such cases, the modified source code becomes available
+to the community.  It requires the operator of a network server to
+provide the source code of the modified version running there to the
+users of that server.  Therefore, public use of a modified version, on
+a publicly accessible server, gives the public access to the source
+code of the modified version.
+
+  An older license, called the Affero General Public License and
+published by Affero, was designed to accomplish similar goals.  This is
+a different license, not a version of the Affero GPL, but Affero has
+released a new version of the Affero GPL which permits relicensing under
+this license.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU Affero General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Remote Network Interaction; Use with the GNU General Public License.
+
+  Notwithstanding any other provision of this License, if you modify the
+Program, your modified version must prominently offer all users
+interacting with it remotely through a computer network (if your version
+supports such interaction) an opportunity to receive the Corresponding
+Source of your version by providing access to the Corresponding Source
+from a network server at no charge, through some standard or customary
+means of facilitating copying of software.  This Corresponding Source
+shall include the Corresponding Source for any work covered by version 3
+of the GNU General Public License that is incorporated pursuant to the
+following paragraph.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the work with which it is combined will remain governed by version
+3 of the GNU General Public License.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU Affero General Public License from time to time.  Such new versions
+will be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU Affero General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU Affero General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU Affero General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU Affero General Public License as published
+    by the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU Affero General Public License for more details.
+
+    You should have received a copy of the GNU Affero General Public License
+    along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If your software can interact with users remotely through a computer
+network, you should also make sure that it provides a way for users to
+get its source.  For example, if your program is a web application, its
+interface could display a "Source" link that leads users to an archive
+of the code.  There are many ways you could offer source, and different
+solutions will be better for different programs; see section 13 for the
+specific requirements.
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU AGPL, see
+<https://www.gnu.org/licenses/>.
@@ -0,0 +1,31 @@
+## Acceptance
+
+By using any software and associated documentation files under Coder 
+Technologies Inc.’s ("Coder") directory named "enterprise" ("Enterprise
+Software"), you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide, 
+non-sublicensable, non-transferable license to use, copy, distribute, make 
+available, modify and prepare derivative works of the Enterprise Software, in 
+each case subject to the limitations and conditions below.
+
+## Limitations
+
+You may not move, change, disable, or circumvent the license key functionality 
+in the software, and you may not remove or obscure any functionality in the 
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. 
+
+You agree that Coder and/or its licensors (as applicable) retain all right, 
+title and interest in and to all such modifications and/or patches.
+
+## Additional Terms
+
+This Enterprise Software may only be used in production, if you (and any entity 
+that you represent) have agreed to, and are in compliance with, the Coder’s 
+Terms of Service, available at https://coder.com/legal/terms-of-service, or 
+other agreement governing the use of the Software, as agreed by you and Coder. 
@@ -1,98 +1,604 @@
-INSTALL_DIR=$(shell go env GOPATH)/bin
-GOOS=$(shell go env GOOS)
-GOARCH=$(shell go env GOARCH)
+# This is the Coder Makefile. The build directory for most tasks is `build/`.
+#
+# These are the targets you're probably looking for:
+# - clean
+# - build-fat: builds all "fat" binaries for all architectures
+# - build-slim: builds all "slim" binaries (no frontend or slim binaries
+#   embedded) for all architectures
+# - release: simulate a release (mostly, does not push images)
+# - build/coder(-slim)?_${os}_${arch}(.exe)?: build a single fat binary
+# - build/coder_${os}_${arch}.(zip|tar.gz): build a release archive
+# - build/coder_linux_${arch}.(apk|deb|rpm): build a release Linux package
+# - build/coder_${version}_linux_${arch}.tag: build a release Linux Docker image
+# - build/coder_helm.tgz: build a release Helm chart

-bin:
-	goreleaser build --snapshot --rm-dist
-.PHONY: bin
+.DEFAULT_GOAL := build-fat

-build: site/out bin
-.PHONY: build
+# Use a single bash shell for each job, and immediately exit on failure
+SHELL := bash
+.SHELLFLAGS := -ceu
+.ONESHELL:

-# Runs migrations to output a dump of the database.
-coderd/database/dump.sql: $(wildcard coderd/database/migrations/*.sql)
-	go run coderd/database/dump/main.go
+# This doesn't work on directories.
+# See https://stackoverflow.com/questions/25752543/make-delete-on-error-for-directory-targets
+.DELETE_ON_ERROR:

-# Generates Go code for querying the database.
-coderd/database/generate: fmt/sql coderd/database/dump.sql coderd/database/query.sql
-	cd coderd/database && sqlc generate && rm db_tmp.go
-	cd coderd/database && gofmt -w -r 'Querier -> querier' *.go
-	cd coderd/database && gofmt -w -r 'Queries -> sqlQuerier' *.go
-.PHONY: coderd/database/generate
+# Don't print the commands in the file unless you specify VERBOSE. This is
+# essentially the same as putting "@" at the start of each line.
+ifndef VERBOSE
+.SILENT:
+endif
+
+# Create the output directories if they do not exist.
+$(shell mkdir -p build site/out/bin)
+
+GOOS         := $(shell go env GOOS)
+GOARCH       := $(shell go env GOARCH)
+GOOS_BIN_EXT := $(if $(filter windows, $(GOOS)),.exe,)
+VERSION      := $(shell ./scripts/version.sh)
+
+# Use the highest ZSTD compression level in CI.
+ifdef CI
+ZSTDFLAGS := -22 --ultra
+else
+ZSTDFLAGS := -6
+endif
+
+# Common paths to exclude from find commands, this rule is written so
+# that it can be it can be used in a chain of AND statements (meaning
+# you can simply write `find . $(FIND_EXCLUSIONS) -name thing-i-want`).
+# Note, all find statements should be written with `.` or `./path` as
+# the search path so that these exclusions match.
+FIND_EXCLUSIONS= \
+	-not \( \( -path '*/.git/*' -o -path './build/*' -o -path './vendor/*' -o -path './.coderv2/*' -o -path '*/node_modules/*' -o -path './site/out/*' \) -prune \)
+# Source files used for make targets, evaluated on use.
+GO_SRC_FILES = $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.go')
+# All the shell files in the repo, excluding ignored files.
+SHELL_SRC_FILES = $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.sh')
+
+# All ${OS}_${ARCH} combos we build for. Windows binaries have the .exe suffix.
+OS_ARCHES := \
+	linux_amd64 linux_arm64 linux_armv7 \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64.exe windows_arm64.exe
+
+# Archive formats and their corresponding ${OS}_${ARCH} combos.
+ARCHIVE_TAR_GZ := linux_amd64 linux_arm64 linux_armv7
+ARCHIVE_ZIP    := \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64 windows_arm64
+
+# All package formats we build and the ${OS}_${ARCH} combos we build them for.
+PACKAGE_FORMATS   := apk deb rpm
+PACKAGE_OS_ARCHES := linux_amd64 linux_armv7 linux_arm64
+
+# All architectures we build Docker images for (Linux only).
+DOCKER_ARCHES := amd64 arm64 armv7
+
+# Computed variables based on the above.
+CODER_SLIM_BINARIES      := $(addprefix build/coder-slim_$(VERSION)_,$(OS_ARCHES))
+CODER_FAT_BINARIES       := $(addprefix build/coder_$(VERSION)_,$(OS_ARCHES))
+CODER_ALL_BINARIES       := $(CODER_SLIM_BINARIES) $(CODER_FAT_BINARIES)
+CODER_TAR_GZ_ARCHIVES    := $(foreach os_arch, $(ARCHIVE_TAR_GZ), build/coder_$(VERSION)_$(os_arch).tar.gz)
+CODER_ZIP_ARCHIVES       := $(foreach os_arch, $(ARCHIVE_ZIP), build/coder_$(VERSION)_$(os_arch).zip)
+CODER_ALL_ARCHIVES       := $(CODER_TAR_GZ_ARCHIVES) $(CODER_ZIP_ARCHIVES)
+CODER_ALL_PACKAGES       := $(foreach os_arch, $(PACKAGE_OS_ARCHES), $(addprefix build/coder_$(VERSION)_$(os_arch).,$(PACKAGE_FORMATS)))
+CODER_ARCH_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_$(VERSION)_linux_$(arch).tag)
+CODER_ARCH_IMAGES_PUSHED := $(addprefix push/, $(CODER_ARCH_IMAGES))
+CODER_MAIN_IMAGE         := build/coder_$(VERSION)_linux.tag
+
+CODER_SLIM_NOVERSION_BINARIES     := $(addprefix build/coder-slim_,$(OS_ARCHES))
+CODER_FAT_NOVERSION_BINARIES      := $(addprefix build/coder_,$(OS_ARCHES))
+CODER_ALL_NOVERSION_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_linux_$(arch).tag) build/coder_linux.tag
+CODER_ALL_NOVERSION_IMAGES_PUSHED := $(addprefix push/, $(CODER_ALL_NOVERSION_IMAGES))
+
+
+clean:
+	rm -rf build site/out
+	mkdir -p build site/out/bin
+	git restore site/out
+.PHONY: clean
+
+build-slim: $(CODER_SLIM_BINARIES)
+.PHONY: build-slim
+
+build-fat build-full build: $(CODER_FAT_BINARIES)
+.PHONY: build-fat build-full build
+
+release: $(CODER_FAT_BINARIES) $(CODER_ALL_ARCHIVES) $(CODER_ALL_PACKAGES) $(CODER_ARCH_IMAGES) build/coder_helm_$(VERSION).tgz
+.PHONY: release
+
+build/coder-slim_$(VERSION)_checksums.sha1: site/out/bin/coder.sha1
+	cp "$<" "$@"
+
+site/out/bin/coder.sha1: $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		openssl dgst -r -sha1 coder-* | tee coder.sha1
+	popd
+
+build/coder-slim_$(VERSION).tar: build/coder-slim_$(VERSION)_checksums.sha1 $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		tar cf "../../../build/$(@F)" coder-*
+	popd
+
+	# delete the uncompressed binaries from the embedded dir
+	rm -f site/out/bin/coder-*
+
+site/out/bin/coder.tar.zst: build/coder-slim_$(VERSION).tar.zst
+	cp "$<" "$@"
+
+build/coder-slim_$(VERSION).tar.zst: build/coder-slim_$(VERSION).tar
+	zstd $(ZSTDFLAGS) \
+		--force \
+		--long \
+		--no-progress \
+		-o "build/coder-slim_$(VERSION).tar.zst" \
+		"build/coder-slim_$(VERSION).tar"
+
+# Redirect from version-less targets to the versioned ones. There is a similar
+# target for slim binaries below.
+#
+# Called like this:
+#   make build/coder_linux_amd64
+#   make build/coder_windows_amd64.exe
+$(CODER_FAT_NOVERSION_BINARIES): build/coder_%: build/coder_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Same as above, but for slim binaries.
+#
+# Called like this:
+#   make build/coder-slim_linux_amd64
+#   make build/coder-slim_windows_amd64.exe
+$(CODER_SLIM_NOVERSION_BINARIES): build/coder-slim_%: build/coder-slim_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# "fat" binaries always depend on the site and the compressed slim binaries.
+$(CODER_FAT_BINARIES): \
+	site/out/index.html \
+	site/out/bin/coder.sha1 \
+	site/out/bin/coder.tar.zst
+
+# This is a handy block that parses the target to determine whether it's "slim"
+# or "fat", which OS was specified and which architecture was specified.
+#
+# It populates the following variables: mode, os, arch_ext, arch, ext (without
+# dot).
+define get-mode-os-arch-ext =
+	mode="$$([[ "$@" = build/coder-slim* ]] && echo "slim" || echo "fat")"
+	os="$$(echo $@ | cut -d_ -f3)"
+	arch_ext="$$(echo $@ | cut -d_ -f4)"
+	if [[ "$$arch_ext" == *.* ]]; then
+		arch="$$(echo $$arch_ext | cut -d. -f1)"
+		ext="$${arch_ext#*.}"
+	else
+		arch="$$arch_ext"
+		ext=""
+	fi
+endef
+
+# This task handles all builds, for both "fat" and "slim" binaries. It parses
+# the target name to get the metadata for the build, so it must be specified in
+# this format:
+#     build/coder(-slim)?_${version}_${os}_${arch}(.exe)?
+#
+# You should probably use the non-version targets above instead if you're
+# calling this manually.
+$(CODER_ALL_BINARIES): go.mod go.sum \
+	$(GO_SRC_FILES) \
+	$(shell find ./examples/templates)
+
+	$(get-mode-os-arch-ext)
+	if [[ "$$os" != "windows" ]] && [[ "$$ext" != "" ]]; then
+		echo "ERROR: Invalid build binary extension" 1>&2
+		exit 1
+	fi
+	if [[ "$$os" == "windows" ]] && [[ "$$ext" != exe ]]; then
+		echo "ERROR: Windows binaries must have an .exe extension." 1>&2
+		exit 1
+	fi
+
+	build_args=( \
+		--os "$$os" \
+		--arch "$$arch" \
+		--version "$(VERSION)" \
+		--output "$@" \
+	)
+	if [ "$$mode" == "slim" ]; then
+		build_args+=(--slim)
+	fi
+
+	./scripts/build_go.sh "$${build_args[@]}"
+
+	if [[ "$$mode" == "slim" ]]; then
+		dot_ext=""
+		if [[ "$$ext" != "" ]]; then
+			dot_ext=".$$ext"
+		fi
+
+		cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
+	fi
+
+# This task builds all archives. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.${format}
+#
+# The following OS/arch/format combinations are supported:
+#     .tar.gz: linux_amd64, linux_arm64, linux_armv7
+#     .zip:    darwin_amd64, darwin_arm64, windows_amd64, windows_arm64
+#
+# This depends on all fat binaries because it's difficult to do dynamic
+# dependencies due to the .exe requirement on Windows. These targets are
+# typically only used during release anyways.
+$(CODER_ALL_ARCHIVES): $(CODER_FAT_BINARIES)
+	$(get-mode-os-arch-ext)
+	bin_ext=""
+	if [[ "$$os" == "windows" ]]; then
+		bin_ext=".exe"
+	fi
+
+	./scripts/archive.sh \
+		--format "$$ext" \
+		--os "$$os" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}$${bin_ext}"
+
+# This task builds all packages. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_linux_${arch}.${format}
+#
+# Supports apk, deb, rpm for all linux targets.
+#
+# This depends on all Linux fat binaries and archives because it's difficult to
+# do dynamic dependencies due to the extensions in the filenames. These targets
+# are typically only used during release anyways.
+#
+# Packages need to run after the archives are built, otherwise they cause tar
+# errors like "file changed as we read it".
+CODER_PACKAGE_DEPS := $(foreach os_arch, $(PACKAGE_OS_ARCHES), build/coder_$(VERSION)_$(os_arch) build/coder_$(VERSION)_$(os_arch).tar.gz)
+$(CODER_ALL_PACKAGES): $(CODER_PACKAGE_DEPS)
+	$(get-mode-os-arch-ext)
+
+	./scripts/package.sh \
+		--arch "$$arch" \
+		--format "$$ext" \
+		--version "$(VERSION)" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+# This task builds a Windows amd64 installer. Depends on makensis.
+build/coder_$(VERSION)_windows_amd64_installer.exe: build/coder_$(VERSION)_windows_amd64.exe
+	./scripts/build_windows_installer.sh \
+		--version "$(VERSION)" \
+		--output "$@" \
+		"$<"
+
+# Redirect from version-less Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES): build/coder_%: build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES)
+
+# Redirect from version-less push Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make push/build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES_PUSHED): push/build/coder_%: push/build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES_PUSHED)
+
+# This task builds all Docker images. It parses the target name to get the
+# metadata for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.tag
+#
+# Supports linux_amd64, linux_arm64, linux_armv7.
+#
+# Images need to run after the archives and packages are built, otherwise they
+# cause errors like "file changed as we read it".
+$(CODER_ARCH_IMAGES): build/coder_$(VERSION)_%.tag: \
+	build/coder_$(VERSION)_% \
+	build/coder_$(VERSION)_%.apk \
+	build/coder_$(VERSION)_%.deb \
+	build/coder_$(VERSION)_%.rpm \
+	build/coder_$(VERSION)_%.tar.gz
+
+	$(get-mode-os-arch-ext)
+
+	image_tag="$$(./scripts/image_tag.sh --arch "$$arch" --version "$(VERSION)")"
+	./scripts/build_docker.sh \
+		--arch "$$arch" \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+	echo "$$image_tag" > "$@"
+
+# Multi-arch Docker image. This requires all architecture-specific images to be
+# built AND pushed.
+$(CODER_MAIN_IMAGE): $(CODER_ARCH_IMAGES_PUSHED)
+	image_tag="$$(./scripts/image_tag.sh --version "$(VERSION)")"
+	./scripts/build_docker_multiarch.sh \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		$(foreach img, $^, "$$(cat "$(img:push/%=%)")")
+
+	echo "$$image_tag" > "$@"
+
+# Push a Docker image.
+$(CODER_ARCH_IMAGES_PUSHED): push/%: %
+	image_tag="$$(cat "$<")"
+	docker push "$$image_tag"
+.PHONY: $(CODER_ARCH_IMAGES_PUSHED)
+
+# Push the multi-arch Docker manifest.
+push/$(CODER_MAIN_IMAGE): $(CODER_MAIN_IMAGE)
+	image_tag="$$(cat "$<")"
+	docker manifest push "$$image_tag"
+.PHONY: push/$(CODER_MAIN_IMAGE)
+
+# Shortcut for Helm chart package.
+build/coder_helm.tgz: build/coder_helm_$(VERSION).tgz
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Helm chart package.
+build/coder_helm_$(VERSION).tgz:
+	./scripts/helm.sh \
+		--version "$(VERSION)" \
+		--output "$@"
+
+site/out/index.html: site/package.json $(shell find ./site $(FIND_EXCLUSIONS) -type f \( -name '*.ts' -o -name '*.tsx' \))
+	./scripts/yarn_install.sh
+	cd site
+	yarn build
+
+install: build/coder_$(VERSION)_$(GOOS)_$(GOARCH)$(GOOS_BIN_EXT)
+	install_dir="$$(go env GOPATH)/bin"
+	output_file="$${install_dir}/coder$(GOOS_BIN_EXT)"
+
+	mkdir -p "$$install_dir"
+	cp "$<" "$$output_file"
+.PHONY: install
+
+fmt: fmt/prettier fmt/terraform fmt/shfmt
+.PHONY: fmt

 fmt/prettier:
-	@echo "--- prettier"
+	echo "--- prettier"
+	cd site
 # Avoid writing files in CI to reduce file write activity
 ifdef CI
-	cd site && yarn run format:check
+	yarn run format:check
 else
-	cd site && yarn run format:write
+	yarn run format:write
 endif
 .PHONY: fmt/prettier

-fmt/sql: ./coderd/database/query.sql
-	npx sql-formatter \
-		--language postgresql \
-		--lines-between-queries 2 \
-		./coderd/database/query.sql \
-		--output ./coderd/database/query.sql
-	sed -i 's/@ /@/g' ./coderd/database/query.sql
+fmt/terraform: $(wildcard *.tf)
+	terraform fmt -recursive
+.PHONY: fmt/terraform

-fmt: fmt/prettier fmt/sql
-.PHONY: fmt
+fmt/shfmt: $(SHELL_SRC_FILES)
+	echo "--- shfmt"
+# Only do diff check in CI, errors on diff.
+ifdef CI
+	shfmt -d $(SHELL_SRC_FILES)
+else
+	shfmt -w $(SHELL_SRC_FILES)
+endif
+.PHONY: fmt/shfmt

-gen: coderd/database/generate peerbroker/proto provisionersdk/proto provisionerd/proto
-.PHONY: gen
-
-install: bin
-	@echo "--- Copying from bin to $(INSTALL_DIR)"
-	cp -r ./dist/coder_$(GOOS)_$(GOARCH)/* $(INSTALL_DIR)
-	@echo "-- CLI available at $(shell ls $(INSTALL_DIR)/coder*)"
-.PHONY: install
-
-lint:
-	golangci-lint run
+lint: lint/shellcheck lint/go
 .PHONY: lint

-peerbroker/proto: peerbroker/proto/peerbroker.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./peerbroker/proto/peerbroker.proto
-.PHONY: peerbroker/proto
+lint/go:
+	./scripts/check_enterprise_imports.sh
+	golangci-lint run
+.PHONY: lint/go

-provisionerd/proto: provisionerd/proto/provisionerd.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./provisionerd/proto/provisionerd.proto
-.PHONY: provisionerd/proto
+# Use shfmt to determine the shell files, takes editorconfig into consideration.
+lint/shellcheck: $(SHELL_SRC_FILES)
+	echo "--- shellcheck"
+	shellcheck --external-sources $(SHELL_SRC_FILES)
+.PHONY: lint/shellcheck

-provisionersdk/proto: provisionersdk/proto/provisioner.proto
+# all gen targets should be added here and to gen/mark-fresh
+gen: \
+	coderd/database/dump.sql \
+	coderd/database/querier.go \
+	provisionersdk/proto/provisioner.pb.go \
+	provisionerd/proto/provisionerd.pb.go \
+	site/src/api/typesGenerated.ts \
+	docs/admin/prometheus.md \
+	coderd/apidoc/swagger.json \
+	.prettierignore.include \
+	.prettierignore \
+	site/.prettierrc.yaml \
+	site/.prettierignore \
+	site/.eslintignore
+.PHONY: gen
+
+# Mark all generated files as fresh so make thinks they're up-to-date. This is
+# used during releases so we don't run generation scripts.
+gen/mark-fresh:
+	files="\
+		coderd/database/dump.sql \
+		coderd/database/querier.go \
+		provisionersdk/proto/provisioner.pb.go \
+		provisionerd/proto/provisionerd.pb.go \
+		site/src/api/typesGenerated.ts \
+		docs/admin/prometheus.md \
+		coderd/apidoc/swagger.json \
+		.prettierignore.include \
+		.prettierignore \
+		site/.prettierrc.yaml \
+		site/.prettierignore \
+		site/.eslintignore \
+	"
+	for file in $$files; do
+		echo "$$file"
+		if [ ! -f "$$file" ]; then
+			echo "File '$$file' does not exist"
+			exit 1
+		fi
+
+		# touch sets the mtime of the file to the current time
+		touch $$file
+	done
+.PHONY: gen/mark-fresh
+
+# Runs migrations to output a dump of the database schema after migrations are
+# applied.
+coderd/database/dump.sql: coderd/database/gen/dump/main.go $(wildcard coderd/database/migrations/*.sql)
+	go run ./coderd/database/gen/dump/main.go
+
+# Generates Go code for querying the database.
+coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql) coderd/database/gen/enum/main.go
+	./coderd/database/generate.sh
+
+provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 	protoc \
 		--go_out=. \
 		--go_opt=paths=source_relative \
 		--go-drpc_out=. \
 		--go-drpc_opt=paths=source_relative \
 		./provisionersdk/proto/provisioner.proto
-.PHONY: provisionersdk/proto

-release: site/out
-	goreleaser release --snapshot --rm-dist
-.PHONY: release
+provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
+	protoc \
+		--go_out=. \
+		--go_opt=paths=source_relative \
+		--go-drpc_out=. \
+		--go-drpc_opt=paths=source_relative \
+		./provisionerd/proto/provisionerd.proto

-site/out:
-	./scripts/yarn_install.sh
-	cd site && yarn typegen
-	cd site && yarn build
-	# Restores GITKEEP files!
-	git checkout HEAD site/out
-.PHONY: site/out
+site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
+	go run scripts/apitypings/main.go > site/src/api/typesGenerated.ts
+	cd site
+	yarn run format:types

-test:
-	gotestsum -- -v -short ./...
+docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+	go run scripts/metricsdocgen/main.go
+	cd site
+	yarn run format:write:only ../docs/admin/prometheus.md

+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen -not \( -path './scripts/apidocgen/node_modules' -prune \) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo
+	./scripts/apidocgen/generate.sh
+	cd site
+	yarn run format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
+
+update-golden-files: cli/testdata/.gen-golden
+.PHONY: update-golden-files
+
+cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) $(GO_SRC_FILES)
+	go test ./cli -run=TestCommandHelp -update
+	touch "$@"
+
+# Generate a prettierrc for the site package that uses relative paths for
+# overrides. This allows us to share the same prettier config between the
+# site and the root of the repo.
+site/.prettierrc.yaml: .prettierrc.yaml
+	. ./scripts/lib.sh
+	dependencies yq
+
+	echo "# Code generated by Makefile (../$<). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+
+	# Replace all listed override files with relative paths inside site/.
+	# - ./ -> ../
+	# - ./site -> ./
+	yq \
+		'.overrides[].files |= map(. | sub("^./"; "") | sub("^"; "../") | sub("../site/"; "./"))' \
+		"$<" >> "$@"
+
+# Combine .gitignore with .prettierignore.include to generate .prettierignore.
+.prettierignore: .gitignore .prettierignore.include
+	echo "# Code generated by Makefile ($^). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+	for f in $^; do
+		echo "# $${f}:" >> "$@"
+		cat "$$f" >> "$@"
+	done
+
+# Generate ignore files based on gitignore into the site directory. We turn all
+# rules into relative paths for the `site/` directory (where applicable),
+# following the pattern format defined by git:
+# https://git-scm.com/docs/gitignore#_pattern_format
+#
+# This is done for compatibility reasons, see:
+# https://github.com/prettier/prettier/issues/8048
+# https://github.com/prettier/prettier/issues/8506
+# https://github.com/prettier/prettier/issues/8679
+site/.eslintignore site/.prettierignore: .prettierignore Makefile
+	rm -f "$@"
+	touch "$@"
+	# Skip generated by header, inherit `.prettierignore` header as-is.
+	while read -r rule; do
+		# Remove leading ! if present to simplify rule, added back at the end.
+		tmp="$${rule#!}"
+		ignore="$${rule%"$$tmp"}"
+		rule="$$tmp"
+		case "$$rule" in
+			# Comments or empty lines (include).
+			\#*|'') ;;
+			# Generic rules (include).
+			\*\**) ;;
+			# Site prefixed rules (include).
+			site/*) rule="$${rule#site/}";;
+			./site/*) rule="$${rule#./site/}";;
+			# Rules that are non-generic and don't start with site (rewrite).
+			/*) rule=.."$$rule";;
+			*/?*) rule=../"$$rule";;
+			*) ;;
+		esac
+		echo "$${ignore}$${rule}" >> "$@"
+	done < "$<"
+
+test: test-clean
+	gotestsum --debug -- -v -short ./...
+.PHONY: test
+
+# When updating -timeout for this test, keep in sync with
+# test-go-postgres (.github/workflows/coder.yaml).
+test-postgres: test-clean test-postgres-docker
+	# The postgres test is prone to failure, so we limit parallelism for
+	# more consistent execution.
+	DB=ci DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum \
+		--junitfile="gotests.xml" \
+		--jsonfile="gotestsum.json" \
+		--packages="./..." -- \
+		-covermode=atomic -coverprofile="gotests.coverage" -timeout=20m \
+		-parallel=4 \
+		-coverpkg=./... \
+		-count=1 -race -failfast
+.PHONY: test-postgres
+
+test-postgres-docker:
+	docker rm -f test-postgres-docker || true
+	docker run \
+		--env POSTGRES_PASSWORD=postgres \
+		--env POSTGRES_USER=postgres \
+		--env POSTGRES_DB=postgres \
+		--env PGDATA=/tmp \
+		--tmpfs /tmp \
+		--publish 5432:5432 \
+		--name test-postgres-docker \
+		--restart no \
+		--detach \
+		postgres:13 \
+		-c shared_buffers=1GB \
+		-c max_connections=1000 \
+		-c fsync=off \
+		-c synchronous_commit=off \
+		-c full_page_writes=off
+	while ! pg_isready -h 127.0.0.1
+	do
+		echo "$(date) - waiting for database to start"
+		sleep 0.5
+	done
+.PHONY: test-postgres-docker
+
+test-clean:
+	go clean -testcache
+.PHONY: test-clean
@@ -1,64 +1,125 @@
 # Coder

-[!["GitHub Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/coder/coder/discussions) [!["Join us on Slack"](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=brightgreen)](https://coder.com/community) [![Twitter Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq) [![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
+[!["Join us on
+Discord"](https://img.shields.io/badge/join-us%20on%20Discord-gray.svg?longCache=true&logo=discord&colorB=green)](https://coder.com/chat?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)
+[![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
+[![Go Reference](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
+[![Twitter
+Follow](https://img.shields.io/twitter/follow/coderhq?label=%40coderhq&style=social)](https://twitter.com/coderhq)

-Provision remote development environments with Terraform.
+Software development on your infrastructure. Offload your team's development from local workstations to cloud servers. Onboard developers in minutes. Build, test and compile at the speed of the cloud. Keep your source code and data behind your firewall.

-## Highlights
+> "By leveraging Terraform, Coder lets developers run any IDE on any compute platform including on-prem, AWS, Azure, GCP, DigitalOcean, Kubernetes, Docker, and more, with workspaces running on Linux, Windows, or Mac." - **Kevin Fishner Chief of Staff at [HashiCorp](https://hashicorp.com/)**

- Automate development environments for Linux, Windows, and MacOS in your cloud
- Start writing code with a single command
- Use one of many [examples](./examples) to get started
+<p align="center">
+  <img src="./docs/images/hero-image.png">
+</p>
+
+**Manage less**
+
+- Ensure your entire team is using the same tools and resources
+  - Rollout critical updates to your developers with one command
+- Automatically shut down expensive cloud resources
+- Keep your source code and data behind your firewall
+
+**Code more**
+
+- Build and test faster
+  - Leveraging cloud CPUs, RAM, network speeds, etc.
+- Access your environment from any place on any client (even an iPad)
+- Onboard instantly then stay up to date continuously
+
+## Recommended Reading
+
+- [How our development team shares one giant bare metal machine](https://coder.com/blog/how-our-development-team-shares-one-giant-bare-metal-machine?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)
+- [Laptop development is dead: why remote development is the future](https://medium.com/@elliotgraebert/laptop-development-is-dead-why-remote-development-is-the-future-f92ce103fd13)
+- [Learn how Palantir improved build times by 78% with coder](https://blog.palantir.com/the-benefits-of-remote-ephemeral-workspaces-1a1251ed6e53).
+- [A software development environment is not just a container](https://coder.com/blog/not-a-container?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md).
+- [What Coder is not](https://coder.com/docs/coder-oss/latest/index#what-coder-is-not?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md).

 ## Getting Started

-Install [the latest release](https://github.com/coder/coder/releases).
+The easiest way to install Coder is to use our
+[install script](https://github.com/coder/coder/blob/main/install.sh) for Linux
+and macOS. For Windows, use the latest `..._installer.exe` file from GitHub
+Releases.

-To tinker, start with dev-mode (all data is in-memory, and is destroyed on exit):
+To install, run:

 ```bash
-$ coder start --dev
+curl -L https://coder.com/install.sh | sh
 ```

-To run a production deployment with PostgreSQL:
+You can preview what occurs during the install process:

 ```bash
-$ CODER_PG_CONNECTION_URL="postgres://<username>@<host>/<database>?password=<password>" \
-    coder start
+curl -L https://coder.com/install.sh | sh -s -- --dry-run
 ```

-To run as a system service, install with `.deb` or `.rpm`:
+You can modify the installation process by including flags. Run the help command for reference:

 ```bash
-# Edit the configuration!
-$ sudo vim /etc/coder.d/coder.env
-$ sudo service coder restart
+curl -L https://coder.com/install.sh | sh -s -- --help
 ```

-### Your First Workspace
+> See [install](docs/install) for additional methods.

-In a new terminal, create a new project (eg. Develop in Linux on Google Cloud):
+Once installed, you can start a production deployment<sup>1</sup> with a single command:

-```
-$ coder projects init
-$ coder projects create
+```console
+# Automatically sets up an external access URL on *.try.coder.app
+coder server
+
+# Requires a PostgreSQL instance (version 13 or higher) and external access URL
+coder server --postgres-url <url> --access-url <url>
 ```

-Create a new workspace and SSH in:
+> <sup>1</sup> The embedded database is great for trying out Coder with small deployments, but do consider using an external database for increased assurance and control.

-```
-$ coder workspaces create my-first-workspace
-$ coder ssh my-first-workspace
-```
+Use `coder --help` to get a complete list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/coder-oss/latest/quickstart) for a full walkthrough.

-## Development
+## Documentation

-The code structure is inspired by [Basics of Unix Philosophy](https://homepage.cs.uri.edu/~thenry/resources/unix_art/ch01s06.html) and [Effective Go](https://go.dev/doc/effective_go).
+Visit our docs [here](https://coder.com/docs/coder-oss).

-Coder requires Go 1.18+, Node 14+, and GNU Make.
+## Templates

- `make bin` builds binaries
- `make install` installs binaries to `$GOPATH/bin`
- `make test`
- `make release` dry-runs a new release
- `./develop.sh` hot-reloads for frontend development
+Find our templates [here](./examples/templates).
+
+## Comparison
+
+Please file [an issue](https://github.com/coder/coder/issues/new) if any information is out of date. Also refer to:
+
+- [What Coder is not](https://coder.com/docs/coder-oss/latest/index#what-coder-is-not?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md).
+- [The Self-Hosting Paradox](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md).
+- [GitHub Codespaces, Coder, and Enterprise Customers](https://coder.com/blog/github-codespaces-coder-and-enterprise-customers?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)
+- [How our development team shares one giant bare metal machine](https://coder.com/blog/how-our-development-team-shares-one-giant-bare-metal-machine?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md).
+
+| Tool                                                                                                                                                                                      | Type     | Delivery Model                                                                                                                              | Cost                                     | Internet Access Required | Latency and Data Sovereignty                                                                                                                                               | Security isolation model                                                                                                                                                                                            | Product quality                                                                                                          | Service Availability                                          | Environments                                                                                                                                                               | IDE                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- | ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Coder](https://coder.com/blog/how-our-development-team-shares-one-giant-bare-metal-machine?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)                   | Platform | OSS + Self-Managed                                                                                                                          | Pay your cloud                           | No                       | Self-Hosted                                                                                                                                                                | Unopinionated (whatever/wherever you choose to deploy thus 100% configurable)                                                                                                                                       | [Defect history](https://github.com/coder/coder/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Abug)           | Self-Hosted                                                   | All [Terraform](https://www.terraform.io/registry/providers) resources, all clouds, multi-architecture: Linux, Mac, Windows, containers, VMs, amd64, arm64                 | Anything (vim, emacs, theia, code-server, openvscode-server, entire jetbrains suite inc gateway remote development, visual studio code desktop, visual studio for mac, visual studio for windows) you choose to install and deploy                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| [code-server](https://coder.com/blog/code-server-multiple-users?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)                                               | Web IDE  | OSS + Self-Managed                                                                                                                          | Pay your cloud                           | No                       | Self-Hosted                                                                                                                                                                | Self-Hosted docker container                                                                                                                                                                                        | [Defect history](https://github.com/coder/code-server/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3Abug)     | Self-hosted                                                   | Linux, Mac, Windows, containers, VMs, amd64, arm64                                                                                                                         | [code-server](https://github.com/coder/code-server) (VSCode MIT) [with restrictions](https://ghuntley.com/fracture)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| [openvscode-server](https://github.com/gitpod-io/openvscode-server)                                                                                                                       | Web IDE  | OSS + Self-Managed                                                                                                                          | Pay your cloud                           | No                       | Self-Hosted                                                                                                                                                                | Self-Hosted docker container                                                                                                                                                                                        | [Defect history](https://github.com/gitpod-io/openvscode-server)                                                         | Self-hosted                                                   | Linux, Mac, Windows, containers, VMs, amd64                                                                                                                                | [openvscode-server](https://github.com/gitpod-io/openvscode-server) (VSCode MIT) [with restrictions](https://ghuntley.com/fracture)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
+| [Amazon CodeCatalyst](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)       | Platform | SaaS                                                                                                                                        | Pay AWS                                  | Yes                      | US West (Oregon)                                                                                                                                                           | ["all customer multi-tenancy isolation is done through virtual machines" for security reasons](https://devclass.com/2022/12/05/interview-why-aws-prefers-vms-for-code-isolation-and-tips-on-developing-for-lambda/) | N/A                                                                                                                      | [Service Health](https://health.aws.amazon.com/health/status) | Linux Virtual Machines                                                                                                                                                     | Cloud9, Visual Studio Code Desktop ([no restrictions](https://ghuntley.com/fracture)) and JetBrains Gateway                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| [CodeAnywhere](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)              | Platform | SaaS                                                                                                                                        | Per user                                 | Yes                      | N/A                                                                                                                                                                        | N/A                                                                                                                                                                                                                 | N/A                                                                                                                      | N/A                                                           | N/A                                                                                                                                                                        | Theia                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             |
+| [GitHub Codespaces](https://coder.com/blog/github-codespaces-coder-and-enterprise-customers?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)                   | Platform | SaaS                                                                                                                                        | 2x Azure Compute                         | Yes                      | Four regions (US West, US East, Europe West, Southeast Asia)                                                                                                               | ["two codespaces are never co-located on the same VM"](https://docs.github.com/en/codespaces/codespaces-reference/security-in-github-codespaces)                                                                    | N/A                                                                                                                      | [Incident History](https://www.githubstatus.com/history)      | Linux Virtual Machines, [GPUs supported](https://docs.github.com/en/codespaces/developing-in-codespaces/getting-started-with-github-codespaces-for-machine-learning)       | Visual Studio Code ([no restrictions](https://ghuntley.com/fracture)) and JetBrains Gateway                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                       |
+| [Gitpod](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)                    | Platform | [SaaS](https://news.ycombinator.com/item?id=33907897)                                                                                       | [Credits](https://www.gitpod.io/pricing) | Yes                      | Two regions (Europe, US)                                                                                                                                                   | [All customers intermixed on the same machine isolated via runc](https://kinvolk.io/blog/2020/12/improving-kubernetes-and-container-security-with-user-namespaces/)                                                 | [Defect history](https://github.com/gitpod-io/gitpod/issues?q=is%3Aissue+label%3A%22type%3A+bug%22+sort%3Aupdated-desc+) | [Incident history](https://www.gitpodstatus.com/history)      | Basic Linux containers, [GPUs](https://github.com/gitpod-io/gitpod/issues/10650) and [kubernetes/k3s](https://github.com/gitpod-io/gitpod/issues/4889) is not yet possible | [openvscode-server](https://github.com/gitpod-io/openvscode-server) (VSCode MIT) [with restrictions](https://ghuntley.com/fracture) inhibiting functionality of [.NET](https://www.isdotnetopen.com), [Python](https://visualstudiomagazine.com/articles/2021/11/05/vscode-python-nov21.aspx), [C](https://marketplace.visualstudio.com/items/ms-vscode.cpptools/license), [C++](https://marketplace.visualstudio.com/items/ms-vscode.cpptools/license), [Jupyter](https://visualstudiomagazine.com/articles/2021/11/05/vscode-python-nov21.aspx) and usage of [GitHub Co-pilot](https://github.com/gitpod-io/gitpod/issues/10032). Visual Studio Code Desktop ([no restrictions](https://ghuntley.com/fracture)) and JetBrains Gateway supported |
+| [Google Cloud Workstations](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md) | Platform | SaaS (Preview, not GA)                                                                                                                      | Pay Google                               | Yes                      | southamerica-west1, us-east1, us-central1, us-west1, asia-east1, asia-southeast1, europe-north1, europe-southwest1, europe-west1, europe-west2, europe-west3, europe-west4 | N/A                                                                                                                                                                                                                 | N/A                                                                                                                      | Not generally available, offered in preview mode.             | Linux                                                                                                                                                                      | code-oss ([with restrictions](https://ghuntley.com/fracture)), Visual Studio Code Desktop ([no restrictions](https://ghuntley.com/fracture)) and JetBrains Gateway                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                |
+| [JetBrains Space](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)           | Platform | SaaS + On-Prem ([Dev environments are not supported](https://www.jetbrains.com/help/space-on-premises/space-on-premises-installation.html)) | Pay JetBrains                            | Yes                      | EU Ireland region (eu-west-1)                                                                                                                                              | EC2                                                                                                                                                                                                                 | N/A                                                                                                                      | [Service Health](https://status.jetbrains.space/)             | Linux Virtual Machines                                                                                                                                                     | JetBrains Suite                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
+| [Microsoft DevBox](https://coder.com/blog/the-self-hosting-paradox?utm_source=github.com/coder/coder?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)          | Platform | SaaS (Preview, not GA)                                                                                                                      | Pay Microsoft                            | Yes                      | Australia East, Europe West, Japan East, Canada Central, UK South, US East, US East 2, US South Central, and US West 3                                                     | Microsoft Azure Virtual Machine                                                                                                                                                                                     | N/A                                                                                                                      | Not generally available, offered in preview mode.             | Windows Virtual Machine                                                                                                                                                    | Any application that runs on Windows via Microsoft Remote Desktop                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 |
+
+_Last updated: 14/12/2022_
+
+## Community and Support
+
+Join our community on [Discord](https://coder.com/chat?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md) and [Twitter](https://twitter.com/coderhq)!
+
+[Suggest improvements and report problems](https://github.com/coder/coder/issues/new/choose)
+
+## Contributing
+
+If you're using Coder in your organization, please try to add your company name to the [ADOPTERS.md](./ADOPTERS.md). It really helps the project to gain momentum and credibility. It's a small contribution back to the project with a big impact.
+
+Read the [contributing docs](https://coder.com/docs/coder-oss/latest/CONTRIBUTING).
+
+Find our list of contributors [here](https://github.com/coder/coder/graphs/contributors).
@@ -0,0 +1,181 @@
+package agent
+
+import (
+	"context"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/retry"
+)
+
+// WorkspaceAgentApps fetches the workspace apps.
+type WorkspaceAgentApps func(context.Context) ([]codersdk.WorkspaceApp, error)
+
+// PostWorkspaceAgentAppHealth updates the workspace app health.
+type PostWorkspaceAgentAppHealth func(context.Context, codersdk.PostWorkspaceAppHealthsRequest) error
+
+// WorkspaceAppHealthReporter is a function that checks and reports the health of the workspace apps until the passed context is canceled.
+type WorkspaceAppHealthReporter func(ctx context.Context)
+
+// NewWorkspaceAppHealthReporter creates a WorkspaceAppHealthReporter that reports app health to coderd.
+func NewWorkspaceAppHealthReporter(logger slog.Logger, apps []codersdk.WorkspaceApp, postWorkspaceAgentAppHealth PostWorkspaceAgentAppHealth) WorkspaceAppHealthReporter {
+	runHealthcheckLoop := func(ctx context.Context) error {
+		// no need to run this loop if no apps for this workspace.
+		if len(apps) == 0 {
+			return nil
+		}
+
+		hasHealthchecksEnabled := false
+		health := make(map[uuid.UUID]codersdk.WorkspaceAppHealth, 0)
+		for _, app := range apps {
+			if app.Health == codersdk.WorkspaceAppHealthDisabled {
+				continue
+			}
+			health[app.ID] = app.Health
+			hasHealthchecksEnabled = true
+		}
+
+		// no need to run this loop if no health checks are configured.
+		if !hasHealthchecksEnabled {
+			return nil
+		}
+
+		// run a ticker for each app health check.
+		var mu sync.RWMutex
+		failures := make(map[uuid.UUID]int, 0)
+		for _, nextApp := range apps {
+			if !shouldStartTicker(nextApp) {
+				continue
+			}
+			app := nextApp
+			go func() {
+				t := time.NewTicker(time.Duration(app.Healthcheck.Interval) * time.Second)
+				defer t.Stop()
+
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-t.C:
+					}
+					// we set the http timeout to the healthcheck interval to prevent getting too backed up.
+					client := &http.Client{
+						Timeout: time.Duration(app.Healthcheck.Interval) * time.Second,
+					}
+					err := func() error {
+						req, err := http.NewRequestWithContext(ctx, http.MethodGet, app.Healthcheck.URL, nil)
+						if err != nil {
+							return err
+						}
+						res, err := client.Do(req)
+						if err != nil {
+							return err
+						}
+						// successful healthcheck is a non-5XX status code
+						_ = res.Body.Close()
+						if res.StatusCode >= http.StatusInternalServerError {
+							return xerrors.Errorf("error status code: %d", res.StatusCode)
+						}
+
+						return nil
+					}()
+					if err != nil {
+						mu.Lock()
+						if failures[app.ID] < int(app.Healthcheck.Threshold) {
+							// increment the failure count and keep status the same.
+							// we will change it when we hit the threshold.
+							failures[app.ID]++
+						} else {
+							// set to unhealthy if we hit the failure threshold.
+							// we stop incrementing at the threshold to prevent the failure value from increasing forever.
+							health[app.ID] = codersdk.WorkspaceAppHealthUnhealthy
+						}
+						mu.Unlock()
+					} else {
+						mu.Lock()
+						// we only need one successful health check to be considered healthy.
+						health[app.ID] = codersdk.WorkspaceAppHealthHealthy
+						failures[app.ID] = 0
+						mu.Unlock()
+					}
+
+					t.Reset(time.Duration(app.Healthcheck.Interval) * time.Second)
+				}
+			}()
+		}
+
+		mu.Lock()
+		lastHealth := copyHealth(health)
+		mu.Unlock()
+		reportTicker := time.NewTicker(time.Second)
+		defer reportTicker.Stop()
+		// every second we check if the health values of the apps have changed
+		// and if there is a change we will report the new values.
+		for {
+			select {
+			case <-ctx.Done():
+				return nil
+			case <-reportTicker.C:
+				mu.RLock()
+				changed := healthChanged(lastHealth, health)
+				mu.RUnlock()
+				if !changed {
+					continue
+				}
+
+				mu.Lock()
+				lastHealth = copyHealth(health)
+				mu.Unlock()
+				err := postWorkspaceAgentAppHealth(ctx, codersdk.PostWorkspaceAppHealthsRequest{
+					Healths: lastHealth,
+				})
+				if err != nil {
+					logger.Error(ctx, "failed to report workspace app stat", slog.Error(err))
+				}
+			}
+		}
+	}
+
+	return func(ctx context.Context) {
+		for r := retry.New(time.Second, 30*time.Second); r.Wait(ctx); {
+			err := runHealthcheckLoop(ctx)
+			if err == nil || xerrors.Is(err, context.Canceled) || xerrors.Is(err, context.DeadlineExceeded) {
+				return
+			}
+			logger.Error(ctx, "failed running workspace app reporter", slog.Error(err))
+		}
+	}
+}
+
+func shouldStartTicker(app codersdk.WorkspaceApp) bool {
+	return app.Healthcheck.URL != "" && app.Healthcheck.Interval > 0 && app.Healthcheck.Threshold > 0
+}
+
+func healthChanged(old map[uuid.UUID]codersdk.WorkspaceAppHealth, new map[uuid.UUID]codersdk.WorkspaceAppHealth) bool {
+	for name, newValue := range new {
+		oldValue, found := old[name]
+		if !found {
+			return true
+		}
+		if newValue != oldValue {
+			return true
+		}
+	}
+
+	return false
+}
+
+func copyHealth(h1 map[uuid.UUID]codersdk.WorkspaceAppHealth) map[uuid.UUID]codersdk.WorkspaceAppHealth {
+	h2 := make(map[uuid.UUID]codersdk.WorkspaceAppHealth, 0)
+	for k, v := range h1 {
+		h2[k] = v
+	}
+
+	return h2
+}
@@ -0,0 +1,206 @@
+package agent_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/testutil"
+)
+
+func TestAppHealth_Healthy(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug:        "app1",
+			Healthcheck: codersdk.Healthcheck{},
+			Health:      codersdk.WorkspaceAppHealthDisabled,
+		},
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		nil,
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(r.Context(), w, http.StatusOK, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	apps, err := getApps(ctx)
+	require.NoError(t, err)
+	require.EqualValues(t, codersdk.WorkspaceAppHealthDisabled, apps[0].Health)
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[1].Health == codersdk.WorkspaceAppHealthHealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_500(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(r.Context(), w, http.StatusInternalServerError, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_Timeout(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// sleep longer than the interval to cause the health check to time out
+			time.Sleep(2 * time.Second)
+			httpapi.Write(r.Context(), w, http.StatusOK, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_NotSpamming(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+
+	counter := new(int32)
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			atomic.AddInt32(counter, 1)
+		}),
+	}
+	_, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	// Ensure we haven't made more than 2 (expected 1 + 1 for buffer) requests in the last second.
+	// if there is a bug where we are spamming the healthcheck route this will catch it.
+	time.Sleep(time.Second)
+	require.LessOrEqual(t, *counter, int32(2))
+}
+
+func setupAppReporter(ctx context.Context, t *testing.T, apps []codersdk.WorkspaceApp, handlers []http.Handler) (agent.WorkspaceAgentApps, func()) {
+	closers := []func(){}
+	for i, handler := range handlers {
+		if handler == nil {
+			continue
+		}
+		ts := httptest.NewServer(handler)
+		app := apps[i]
+		app.Healthcheck.URL = ts.URL
+		apps[i] = app
+		closers = append(closers, ts.Close)
+	}
+
+	var mu sync.Mutex
+	workspaceAgentApps := func(context.Context) ([]codersdk.WorkspaceApp, error) {
+		mu.Lock()
+		defer mu.Unlock()
+		var newApps []codersdk.WorkspaceApp
+		return append(newApps, apps...), nil
+	}
+	postWorkspaceAgentAppHealth := func(_ context.Context, req codersdk.PostWorkspaceAppHealthsRequest) error {
+		mu.Lock()
+		for id, health := range req.Healths {
+			for i, app := range apps {
+				if app.ID != id {
+					continue
+				}
+				app.Health = health
+				apps[i] = app
+			}
+		}
+		mu.Unlock()
+
+		return nil
+	}
+
+	go agent.NewWorkspaceAppHealthReporter(slogtest.Make(t, nil).Leveled(slog.LevelDebug), apps, postWorkspaceAgentAppHealth)(ctx)
+
+	return workspaceAgentApps, func() {
+		for _, closeFn := range closers {
+			closeFn()
+		}
+	}
+}
@@ -1,56 +0,0 @@
-package agent
-
-import (
-	"context"
-	"net"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/peer"
-	"github.com/coder/coder/peerbroker/proto"
-)
-
-// Conn wraps a peer connection with helper functions to
-// communicate with the agent.
-type Conn struct {
-	// Negotiator is responsible for exchanging messages.
-	Negotiator proto.DRPCPeerBrokerClient
-
-	*peer.Conn
-}
-
-// SSH dials the built-in SSH server.
-func (c *Conn) SSH() (net.Conn, error) {
-	channel, err := c.Dial(context.Background(), "ssh", &peer.ChannelOptions{
-		Protocol: "ssh",
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("dial: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSHClient calls SSH to create a client that uses a weak cipher
-// for high throughput.
-func (c *Conn) SSHClient() (*ssh.Client, error) {
-	netConn, err := c.SSH()
-	if err != nil {
-		return nil, xerrors.Errorf("ssh: %w", err)
-	}
-	sshConn, channels, requests, err := ssh.NewClientConn(netConn, "localhost:22", &ssh.ClientConfig{
-		// SSH host validation isn't helpful, because obtaining a peer
-		// connection already signifies user-intent to dial a workspace.
-		// #nosec
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("ssh conn: %w", err)
-	}
-	return ssh.NewClient(sshConn, channels, requests), nil
-}
-
-func (c *Conn) Close() error {
-	_ = c.Negotiator.DRPCConn().Close()
-	return c.Conn.Close()
-}
@@ -0,0 +1,64 @@
+//go:build linux || (windows && amd64)
+
+package agent
+
+import (
+	"time"
+
+	"github.com/cakturk/go-netstat/netstat"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
+)
+
+func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.ListeningPort, error) {
+	lp.mut.Lock()
+	defer lp.mut.Unlock()
+
+	if time.Since(lp.mtime) < time.Second {
+		// copy
+		ports := make([]codersdk.ListeningPort, len(lp.ports))
+		copy(ports, lp.ports)
+		return ports, nil
+	}
+
+	tabs, err := netstat.TCPSocks(func(s *netstat.SockTabEntry) bool {
+		return s.State == netstat.Listen
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("scan listening ports: %w", err)
+	}
+
+	seen := make(map[uint16]struct{}, len(tabs))
+	ports := []codersdk.ListeningPort{}
+	for _, tab := range tabs {
+		if tab.LocalAddr == nil || tab.LocalAddr.Port < codersdk.MinimumListeningPort {
+			continue
+		}
+
+		// Don't include ports that we've already seen. This can happen on
+		// Windows, and maybe on Linux if you're using a shared listener socket.
+		if _, ok := seen[tab.LocalAddr.Port]; ok {
+			continue
+		}
+		seen[tab.LocalAddr.Port] = struct{}{}
+
+		procName := ""
+		if tab.Process != nil {
+			procName = tab.Process.Name
+		}
+		ports = append(ports, codersdk.ListeningPort{
+			ProcessName: procName,
+			Network:     codersdk.ListeningPortNetworkTCP,
+			Port:        tab.LocalAddr.Port,
+		})
+	}
+
+	lp.ports = ports
+	lp.mtime = time.Now()
+
+	// copy
+	ports = make([]codersdk.ListeningPort, len(lp.ports))
+	copy(ports, lp.ports)
+	return ports, nil
+}
@@ -0,0 +1,12 @@
+//go:build !linux && !(windows && amd64)
+
+package agent
+
+import "github.com/coder/coder/codersdk"
+
+func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.ListeningPort, error) {
+	// Can't scan for ports on non-linux or non-windows_amd64 systems at the
+	// moment. The UI will not show any "no ports found" message to the user, so
+	// the user won't suspect a thing.
+	return []codersdk.ListeningPort{}, nil
+}
@@ -0,0 +1,4 @@
+// Package reaper contains logic for reaping subprocesses. It is
+// specifically used in the agent to avoid the accumulation of
+// zombie processes.
+package reaper
@@ -0,0 +1,28 @@
+package reaper
+
+import "github.com/hashicorp/go-reap"
+
+type Option func(o *options)
+
+// WithExecArgs specifies the exec arguments for the fork exec call.
+// By default the same arguments as the parent are used as dictated by
+// os.Args. Since ForkReap calls a fork-exec it is the responsibility of
+// the caller to avoid fork-bombing oneself.
+func WithExecArgs(args ...string) Option {
+	return func(o *options) {
+		o.ExecArgs = args
+	}
+}
+
+// WithPIDCallback sets the channel that reaped child process PIDs are pushed
+// onto.
+func WithPIDCallback(ch reap.PidCh) Option {
+	return func(o *options) {
+		o.PIDs = ch
+	}
+}
+
+type options struct {
+	ExecArgs []string
+	PIDs     reap.PidCh
+}
@@ -0,0 +1,12 @@
+//go:build !linux
+
+package reaper
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return false
+}
+
+func ForkReap(_ ...Option) error {
+	return nil
+}
@@ -0,0 +1,66 @@
+//go:build linux
+
+package reaper_test
+
+import (
+	"os"
+	"os/exec"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-reap"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/testutil"
+)
+
+func TestReap(t *testing.T) {
+	t.Parallel()
+
+	// Don't run the reaper test in CI. It does weird
+	// things like forkexecing which may have unintended
+	// consequences in CI.
+	if _, ok := os.LookupEnv("CI"); ok {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	// OK checks that's the reaper is successfully reaping
+	// exited processes and passing the PIDs through the shared
+	// channel.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		pids := make(reap.PidCh, 1)
+		err := reaper.ForkReap(
+			reaper.WithPIDCallback(pids),
+			// Provide some argument that immediately exits.
+			reaper.WithExecArgs("/bin/sh", "-c", "exit 0"),
+		)
+		require.NoError(t, err)
+
+		cmd := exec.Command("tail", "-f", "/dev/null")
+		err = cmd.Start()
+		require.NoError(t, err)
+
+		cmd2 := exec.Command("tail", "-f", "/dev/null")
+		err = cmd2.Start()
+		require.NoError(t, err)
+
+		err = cmd.Process.Kill()
+		require.NoError(t, err)
+
+		err = cmd2.Process.Kill()
+		require.NoError(t, err)
+
+		expectedPIDs := []int{cmd.Process.Pid, cmd2.Process.Pid}
+
+		for i := 0; i < len(expectedPIDs); i++ {
+			select {
+			case <-time.After(testutil.WaitShort):
+				t.Fatalf("Timed out waiting for process")
+			case pid := <-pids:
+				require.Contains(t, expectedPIDs, pid)
+			}
+		}
+	})
+}
@@ -0,0 +1,63 @@
+//go:build linux
+
+package reaper
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/hashicorp/go-reap"
+	"golang.org/x/xerrors"
+)
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return os.Getpid() == 1
+}
+
+// ForkReap spawns a goroutine that reaps children. In order to avoid
+// complications with spawning `exec.Commands` in the same process that
+// is reaping, we forkexec a child process. This prevents a race between
+// the reaper and an exec.Command waiting for its process to complete.
+// The provided 'pids' channel may be nil if the caller does not care about the
+// reaped children PIDs.
+func ForkReap(opt ...Option) error {
+	opts := &options{
+		ExecArgs: os.Args,
+	}
+
+	for _, o := range opt {
+		o(opts)
+	}
+
+	go reap.ReapChildren(opts.PIDs, nil, nil, nil)
+
+	pwd, err := os.Getwd()
+	if err != nil {
+		return xerrors.Errorf("get wd: %w", err)
+	}
+
+	pattrs := &syscall.ProcAttr{
+		Dir: pwd,
+		Env: os.Environ(),
+		Sys: &syscall.SysProcAttr{
+			Setsid: true,
+		},
+		Files: []uintptr{
+			uintptr(syscall.Stdin),
+			uintptr(syscall.Stdout),
+			uintptr(syscall.Stderr),
+		},
+	}
+
+	//#nosec G204
+	pid, _ := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+
+	var wstatus syscall.WaitStatus
+	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	for xerrors.Is(err, syscall.EINTR) {
+		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	}
+
+	return nil
+}
@@ -0,0 +1,203 @@
+package agent
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/gliderlabs/ssh"
+	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+)
+
+// streamLocalForwardPayload describes the extra data sent in a
+// streamlocal-forward@openssh.com containing the socket path to bind to.
+type streamLocalForwardPayload struct {
+	SocketPath string
+}
+
+// forwardedStreamLocalPayload describes the data sent as the payload in the new
+// channel request when a Unix connection is accepted by the listener.
+type forwardedStreamLocalPayload struct {
+	SocketPath string
+	Reserved   uint32
+}
+
+// forwardedUnixHandler is a clone of ssh.ForwardedTCPHandler that does
+// streamlocal forwarding (aka. unix forwarding) instead of TCP forwarding.
+type forwardedUnixHandler struct {
+	sync.Mutex
+	log      slog.Logger
+	forwards map[string]net.Listener
+}
+
+func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server, req *gossh.Request) (bool, []byte) {
+	h.Lock()
+	if h.forwards == nil {
+		h.forwards = make(map[string]net.Listener)
+	}
+	h.Unlock()
+	conn, ok := ctx.Value(ssh.ContextKeyConn).(*gossh.ServerConn)
+	if !ok {
+		h.log.Warn(ctx, "SSH unix forward request from client with no gossh connection")
+		return false, nil
+	}
+
+	switch req.Type {
+	case "streamlocal-forward@openssh.com":
+		var reqPayload streamLocalForwardPayload
+		err := gossh.Unmarshal(req.Payload, &reqPayload)
+		if err != nil {
+			h.log.Warn(ctx, "parse streamlocal-forward@openssh.com request payload from client", slog.Error(err))
+			return false, nil
+		}
+
+		addr := reqPayload.SocketPath
+		h.Lock()
+		_, ok := h.forwards[addr]
+		h.Unlock()
+		if ok {
+			h.log.Warn(ctx, "SSH unix forward request for socket path that is already being forwarded (maybe to another client?)",
+				slog.F("socket_path", addr),
+			)
+			return false, nil
+		}
+
+		// Create socket parent dir if not exists.
+		parentDir := filepath.Dir(addr)
+		err = os.MkdirAll(parentDir, 0700)
+		if err != nil {
+			h.log.Warn(ctx, "create parent dir for SSH unix forward request",
+				slog.F("parent_dir", parentDir),
+				slog.F("socket_path", addr),
+				slog.Error(err),
+			)
+			return false, nil
+		}
+
+		ln, err := net.Listen("unix", addr)
+		if err != nil {
+			h.log.Warn(ctx, "listen on Unix socket for SSH unix forward request",
+				slog.F("socket_path", addr),
+				slog.Error(err),
+			)
+			return false, nil
+		}
+
+		// The listener needs to successfully start before it can be added to
+		// the map, so we don't have to worry about checking for an existing
+		// listener.
+		//
+		// This is also what the upstream TCP version of this code does.
+		h.Lock()
+		h.forwards[addr] = ln
+		h.Unlock()
+
+		ctx, cancel := context.WithCancel(ctx)
+		go func() {
+			<-ctx.Done()
+			_ = ln.Close()
+		}()
+		go func() {
+			defer cancel()
+
+			for {
+				c, err := ln.Accept()
+				if err != nil {
+					if !xerrors.Is(err, net.ErrClosed) {
+						h.log.Warn(ctx, "accept on local Unix socket for SSH unix forward request",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+					}
+					// closed below
+					break
+				}
+				payload := gossh.Marshal(&forwardedStreamLocalPayload{
+					SocketPath: addr,
+				})
+
+				go func() {
+					ch, reqs, err := conn.OpenChannel("forwarded-streamlocal@openssh.com", payload)
+					if err != nil {
+						h.log.Warn(ctx, "open SSH channel to forward Unix connection to client",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+						_ = c.Close()
+						return
+					}
+					go gossh.DiscardRequests(reqs)
+					Bicopy(ctx, ch, c)
+				}()
+			}
+
+			h.Lock()
+			ln2, ok := h.forwards[addr]
+			if ok && ln2 == ln {
+				delete(h.forwards, addr)
+			}
+			h.Unlock()
+			_ = ln.Close()
+		}()
+
+		return true, nil
+
+	case "cancel-streamlocal-forward@openssh.com":
+		var reqPayload streamLocalForwardPayload
+		err := gossh.Unmarshal(req.Payload, &reqPayload)
+		if err != nil {
+			h.log.Warn(ctx, "parse cancel-streamlocal-forward@openssh.com request payload from client", slog.Error(err))
+			return false, nil
+		}
+		h.Lock()
+		ln, ok := h.forwards[reqPayload.SocketPath]
+		h.Unlock()
+		if ok {
+			_ = ln.Close()
+		}
+		return true, nil
+
+	default:
+		return false, nil
+	}
+}
+
+// directStreamLocalPayload describes the extra data sent in a
+// direct-streamlocal@openssh.com channel request containing the socket path.
+type directStreamLocalPayload struct {
+	SocketPath string
+
+	Reserved1 string
+	Reserved2 uint32
+}
+
+func directStreamLocalHandler(_ *ssh.Server, _ *gossh.ServerConn, newChan gossh.NewChannel, ctx ssh.Context) {
+	var reqPayload directStreamLocalPayload
+	err := gossh.Unmarshal(newChan.ExtraData(), &reqPayload)
+	if err != nil {
+		_ = newChan.Reject(gossh.ConnectionFailed, "could not parse direct-streamlocal@openssh.com channel payload")
+		return
+	}
+
+	var dialer net.Dialer
+	dconn, err := dialer.DialContext(ctx, "unix", reqPayload.SocketPath)
+	if err != nil {
+		_ = newChan.Reject(gossh.ConnectionFailed, fmt.Sprintf("dial unix socket %q: %+v", reqPayload.SocketPath, err.Error()))
+		return
+	}
+
+	ch, reqs, err := newChan.Accept()
+	if err != nil {
+		_ = dconn.Close()
+		return
+	}
+	go gossh.DiscardRequests(reqs)
+
+	Bicopy(ctx, ch, dconn)
+}
@@ -0,0 +1,49 @@
+package agent
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/go-chi/chi"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+)
+
+func (*agent) statisticsHandler() http.Handler {
+	r := chi.NewRouter()
+	r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+		httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.Response{
+			Message: "Hello from the agent!",
+		})
+	})
+
+	lp := &listeningPortsHandler{}
+	r.Get("/api/v0/listening-ports", lp.handler)
+
+	return r
+}
+
+type listeningPortsHandler struct {
+	mut   sync.Mutex
+	ports []codersdk.ListeningPort
+	mtime time.Time
+}
+
+// handler returns a list of listening ports. This is tested by coderd's
+// TestWorkspaceAgentListeningPorts test.
+func (lp *listeningPortsHandler) handler(rw http.ResponseWriter, r *http.Request) {
+	ports, err := lp.getListeningPorts()
+	if err != nil {
+		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Could not scan for listening ports.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.ListeningPortsResponse{
+		Ports: ports,
+	})
+}
@@ -3,8 +3,6 @@ package usershell
 import "os"

 // Get returns the $SHELL environment variable.
-// TODO: This should use "dscl" to fetch the proper value. See:
-// https://stackoverflow.com/questions/16375519/how-to-get-the-default-shell
-func Get(username string) (string, error) {
+func Get(_ string) (string, error) {
 	return os.Getenv("SHELL"), nil
 }
@@ -4,7 +4,11 @@ import "os/exec"

 // Get returns the command prompt binary name.
 func Get(username string) (string, error) {
-	_, err := exec.LookPath("powershell.exe")
+	_, err := exec.LookPath("pwsh.exe")
+	if err == nil {
+		return "pwsh.exe", nil
+	}
+	_, err = exec.LookPath("powershell.exe")
 	if err == nil {
 		return "powershell.exe", nil
 	}
@@ -0,0 +1,126 @@
+package buildinfo
+
+import (
+	"fmt"
+	"runtime/debug"
+	"strings"
+	"sync"
+	"time"
+
+	"golang.org/x/mod/semver"
+)
+
+var (
+	buildInfo      *debug.BuildInfo
+	buildInfoValid bool
+	readBuildInfo  sync.Once
+
+	externalURL     string
+	readExternalURL sync.Once
+
+	version     string
+	readVersion sync.Once
+
+	// Injected with ldflags at build!
+	tag string
+)
+
+const (
+	// develPrefix is prefixed to developer versions of the application.
+	develPrefix = "v0.0.0-devel"
+)
+
+// Version returns the semantic version of the build.
+// Use golang.org/x/mod/semver to compare versions.
+func Version() string {
+	readVersion.Do(func() {
+		revision, valid := revision()
+		if valid {
+			revision = "+" + revision[:7]
+		}
+		if tag == "" {
+			// This occurs when the tag hasn't been injected,
+			// like when using "go run".
+			version = develPrefix + revision
+			return
+		}
+		version = "v" + tag
+		// The tag must be prefixed with "v" otherwise the
+		// semver library will return an empty string.
+		if semver.Build(version) == "" {
+			version += revision
+		}
+	})
+	return version
+}
+
+// VersionsMatch compares the two versions. It assumes the versions match if
+// the major and the minor versions are equivalent. Patch versions are
+// disregarded. If it detects that either version is a developer build it
+// returns true.
+func VersionsMatch(v1, v2 string) bool {
+	// Developer versions are disregarded...hopefully they know what they are
+	// doing.
+	if strings.HasPrefix(v1, develPrefix) || strings.HasPrefix(v2, develPrefix) {
+		return true
+	}
+
+	return semver.MajorMinor(v1) == semver.MajorMinor(v2)
+}
+
+// IsDev returns true if this is a development build.
+func IsDev() bool {
+	return strings.HasPrefix(Version(), develPrefix)
+}
+
+// ExternalURL returns a URL referencing the current Coder version.
+// For production builds, this will link directly to a release.
+// For development builds, this will link to a commit.
+func ExternalURL() string {
+	readExternalURL.Do(func() {
+		repo := "https://github.com/coder/coder"
+		revision, valid := revision()
+		if !valid {
+			externalURL = repo
+			return
+		}
+		externalURL = fmt.Sprintf("%s/commit/%s", repo, revision)
+	})
+	return externalURL
+}
+
+// Time returns when the Git revision was published.
+func Time() (time.Time, bool) {
+	value, valid := find("vcs.time")
+	if !valid {
+		return time.Time{}, false
+	}
+	parsed, err := time.Parse(time.RFC3339, value)
+	if err != nil {
+		panic("couldn't parse time: " + err.Error())
+	}
+	return parsed, true
+}
+
+// revision returns the Git hash of the build.
+func revision() (string, bool) {
+	return find("vcs.revision")
+}
+
+// find panics if a setting with the specific key was not
+// found in the build info.
+func find(key string) (string, bool) {
+	readBuildInfo.Do(func() {
+		buildInfo, buildInfoValid = debug.ReadBuildInfo()
+	})
+	if !buildInfoValid {
+		panic("couldn't read build info")
+	}
+	for _, setting := range buildInfo.Settings {
+		if setting.Key != key {
+			continue
+		}
+		return setting.Value, true
+	}
+	return "", false
+}
@@ -0,0 +1,99 @@
+package buildinfo_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/mod/semver"
+
+	"github.com/coder/coder/buildinfo"
+)
+
+func TestBuildInfo(t *testing.T) {
+	t.Parallel()
+	t.Run("Version", func(t *testing.T) {
+		t.Parallel()
+		version := buildinfo.Version()
+		require.True(t, semver.IsValid(version))
+		prerelease := semver.Prerelease(version)
+		require.Equal(t, "-devel", prerelease)
+		require.Equal(t, "v0", semver.Major(version))
+	})
+	t.Run("ExternalURL", func(t *testing.T) {
+		t.Parallel()
+		require.Equal(t, "https://github.com/coder/coder", buildinfo.ExternalURL())
+	})
+	// Tests don't include Go build info.
+	t.Run("NoTime", func(t *testing.T) {
+		t.Parallel()
+		_, valid := buildinfo.Time()
+		require.False(t, valid)
+	})
+
+	t.Run("VersionsMatch", func(t *testing.T) {
+		t.Parallel()
+
+		type testcase struct {
+			name        string
+			v1          string
+			v2          string
+			expectMatch bool
+		}
+
+		cases := []testcase{
+			{
+				name:        "OK",
+				v1:          "v1.2.3",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Test that we return true if a developer version is detected.
+			// Developers do not need to be warned of mismatched versions.
+			{
+				name:        "DevelIgnored",
+				v1:          "v0.0.0-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Our CI instance uses a "-devel" prerelease
+			// flag. This is not the same as a developer WIP build.
+			{
+				name:        "DevelPreleaseNotIgnored",
+				v1:          "v1.1.1-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: false,
+			},
+			{
+				name:        "MajorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v0.1.2",
+				expectMatch: false,
+			},
+			{
+				name:        "MinorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v1.3.2",
+				expectMatch: false,
+			},
+			// Different patches are ok, breaking changes are not allowed
+			// in patches.
+			{
+				name:        "PatchMismatch",
+				v1:          "v1.2.3+hash.whocares",
+				v2:          "v1.2.4+somestuff.hm.ok",
+				expectMatch: true,
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+				require.Equal(t, c.expectMatch, buildinfo.VersionsMatch(c.v1, c.v2),
+					fmt.Sprintf("expected match=%v for version %s and %s", c.expectMatch, c.v1, c.v2),
+				)
+			})
+		}
+	})
+}
@@ -0,0 +1,183 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"net/http/pprof"
+	"net/url"
+	"os"
+	"path/filepath"
+	"runtime"
+	"time"
+
+	"cloud.google.com/go/compute/metadata"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+	"gopkg.in/natefinch/lumberjack.v2"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/codersdk"
+)
+
+func workspaceAgent() *cobra.Command {
+	var (
+		auth         string
+		pprofAddress string
+		noReap       bool
+	)
+	cmd := &cobra.Command{
+		Use: "agent",
+		// This command isn't useful to manually execute.
+		Hidden: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx, cancel := context.WithCancel(cmd.Context())
+			defer cancel()
+
+			go dumpHandler(ctx)
+
+			rawURL, err := cmd.Flags().GetString(varAgentURL)
+			if err != nil {
+				return xerrors.Errorf("CODER_AGENT_URL must be set: %w", err)
+			}
+			coderURL, err := url.Parse(rawURL)
+			if err != nil {
+				return xerrors.Errorf("parse %q: %w", rawURL, err)
+			}
+
+			logWriter := &lumberjack.Logger{
+				Filename: filepath.Join(os.TempDir(), "coder-agent.log"),
+				MaxSize:  5, // MB
+			}
+			defer logWriter.Close()
+			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
+
+			isLinux := runtime.GOOS == "linux"
+
+			// Spawn a reaper so that we don't accumulate a ton
+			// of zombie processes.
+			if reaper.IsInitProcess() && !noReap && isLinux {
+				logger.Info(ctx, "spawning reaper process")
+				// Do not start a reaper on the child process. It's important
+				// to do this else we fork bomb ourselves.
+				args := append(os.Args, "--no-reap")
+				err := reaper.ForkReap(reaper.WithExecArgs(args...))
+				if err != nil {
+					logger.Error(ctx, "failed to reap", slog.Error(err))
+					return xerrors.Errorf("fork reap: %w", err)
+				}
+
+				logger.Info(ctx, "reaper process exiting")
+				return nil
+			}
+
+			version := buildinfo.Version()
+			logger.Info(ctx, "starting agent",
+				slog.F("url", coderURL),
+				slog.F("auth", auth),
+				slog.F("version", version),
+			)
+			client := codersdk.New(coderURL)
+			// Set a reasonable timeout so requests can't hang forever!
+			client.HTTPClient.Timeout = 10 * time.Second
+
+			// Enable pprof handler
+			// This prevents the pprof import from being accidentally deleted.
+			_ = pprof.Handler
+			pprofSrvClose := serveHandler(ctx, logger, nil, pprofAddress, "pprof")
+			defer pprofSrvClose()
+
+			// exchangeToken returns a session token.
+			// This is abstracted to allow for the same looping condition
+			// regardless of instance identity auth type.
+			var exchangeToken func(context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error)
+			switch auth {
+			case "token":
+				token, err := cmd.Flags().GetString(varAgentToken)
+				if err != nil {
+					return xerrors.Errorf("CODER_AGENT_TOKEN must be set for token auth: %w", err)
+				}
+				client.SetSessionToken(token)
+			case "google-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var gcpClient *metadata.Client
+				gcpClientRaw := ctx.Value("gcp-client")
+				if gcpClientRaw != nil {
+					gcpClient, _ = gcpClientRaw.(*metadata.Client)
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceGoogleInstanceIdentity(ctx, "", gcpClient)
+				}
+			case "aws-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var awsClient *http.Client
+				awsClientRaw := ctx.Value("aws-client")
+				if awsClientRaw != nil {
+					awsClient, _ = awsClientRaw.(*http.Client)
+					if awsClient != nil {
+						client.HTTPClient = awsClient
+					}
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceAWSInstanceIdentity(ctx)
+				}
+			case "azure-instance-identity":
+				// This is *only* done for testing to mock client authentication.
+				// This will never be set in a production scenario.
+				var azureClient *http.Client
+				azureClientRaw := ctx.Value("azure-client")
+				if azureClientRaw != nil {
+					azureClient, _ = azureClientRaw.(*http.Client)
+					if azureClient != nil {
+						client.HTTPClient = azureClient
+					}
+				}
+				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
+					return client.AuthWorkspaceAzureInstanceIdentity(ctx)
+				}
+			}
+
+			executablePath, err := os.Executable()
+			if err != nil {
+				return xerrors.Errorf("getting os executable: %w", err)
+			}
+			err = os.Setenv("PATH", fmt.Sprintf("%s%c%s", os.Getenv("PATH"), filepath.ListSeparator, filepath.Dir(executablePath)))
+			if err != nil {
+				return xerrors.Errorf("add executable to $PATH: %w", err)
+			}
+
+			closer := agent.New(agent.Options{
+				Client: client,
+				Logger: logger,
+				ExchangeToken: func(ctx context.Context) (string, error) {
+					if exchangeToken == nil {
+						return client.SessionToken(), nil
+					}
+					resp, err := exchangeToken(ctx)
+					if err != nil {
+						return "", err
+					}
+					client.SetSessionToken(resp.SessionToken)
+					return resp.SessionToken, nil
+				},
+				EnvironmentVariables: map[string]string{
+					"GIT_ASKPASS": executablePath,
+				},
+			})
+			<-ctx.Done()
+			return closer.Close()
+		},
+	}
+
+	cliflag.StringVarP(cmd.Flags(), &auth, "auth", "", "CODER_AGENT_AUTH", "token", "Specify the authentication type to use for the agent")
+	cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
+	cliflag.StringVarP(cmd.Flags(), &pprofAddress, "pprof-address", "", "CODER_AGENT_PPROF_ADDRESS", "127.0.0.1:6060", "The address to serve pprof.")
+	return cmd
+}
@@ -0,0 +1,210 @@
+package cli_test
+
+import (
+	"context"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+)
+
+func TestWorkspaceAgent(t *testing.T) {
+	t.Parallel()
+	t.Run("Azure", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		certificates, metadataClient := coderdtest.NewAzureInstanceIdentity(t, instanceID)
+		client := coderdtest.New(t, &coderdtest.Options{
+			AzureCertificates:        certificates,
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionApply: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		errC := make(chan error)
+		go func() {
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "azure-client", metadataClient)
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
+		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, workspace.LatestBuild.Resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
+		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		require.True(t, dialer.AwaitReachable(context.Background()))
+		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
+	})
+
+	t.Run("AWS", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
+		client := coderdtest.New(t, &coderdtest.Options{
+			AWSCertificates:          certificates,
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionApply: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		errC := make(chan error)
+		go func() {
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "aws-client", metadataClient)
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
+		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
+		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		require.True(t, dialer.AwaitReachable(context.Background()))
+		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
+	})
+
+	t.Run("GoogleCloud", func(t *testing.T) {
+		t.Parallel()
+		instanceID := "instanceidentifier"
+		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
+		client := coderdtest.New(t, &coderdtest.Options{
+			GoogleTokenValidator:     validator,
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionApply: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Auth: &proto.Agent_InstanceId{
+									InstanceId: instanceID,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
+		ctx, cancelFunc := context.WithCancel(context.Background())
+		defer cancelFunc()
+		errC := make(chan error)
+		go func() {
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "gcp-client", metadata)
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
+		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
+		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		require.NoError(t, err)
+		defer dialer.Close()
+		require.True(t, dialer.AwaitReachable(context.Background()))
+		sshClient, err := dialer.SSHClient(ctx)
+		require.NoError(t, err)
+		defer sshClient.Close()
+		session, err := sshClient.NewSession()
+		require.NoError(t, err)
+		defer session.Close()
+		key := "CODER_AGENT_TOKEN"
+		command := "sh -c 'echo $" + key + "'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %" + key + "%"
+		}
+		token, err := session.CombinedOutput(command)
+		require.NoError(t, err)
+		_, err = uuid.Parse(strings.TrimSpace(string(token)))
+		require.NoError(t, err)
+
+		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
+	})
+}
@@ -6,18 +6,54 @@
 //
 // Will produce the following usage docs:
 //
-//   -a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
-//
+//	-a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
 package cliflag

 import (
 	"fmt"
 	"os"
 	"strconv"
+	"strings"
+	"time"

+	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+
+	"github.com/coder/coder/cli/cliui"
 )

+// IsSetBool returns the value of the boolean flag if it is set.
+// It returns false if the flag isn't set or if any error occurs attempting
+// to parse the value of the flag.
+func IsSetBool(cmd *cobra.Command, name string) bool {
+	val, ok := IsSet(cmd, name)
+	if !ok {
+		return false
+	}
+
+	b, err := strconv.ParseBool(val)
+	return err == nil && b
+}
+
+// IsSet returns the string value of the flag and whether it was set.
+func IsSet(cmd *cobra.Command, name string) (string, bool) {
+	flag := cmd.Flag(name)
+	if flag == nil {
+		return "", false
+	}
+
+	return flag.Value.String(), flag.Changed
+}
+
+// String sets a string flag on the given flag set.
+func String(flagset *pflag.FlagSet, name, shorthand, env, def, usage string) {
+	v, ok := os.LookupEnv(env)
+	if !ok || v == "" {
+		v = def
+	}
+	flagset.StringP(name, shorthand, v, fmtUsage(usage, env))
+}
+
 // StringVarP sets a string flag on the given flag set.
 func StringVarP(flagset *pflag.FlagSet, p *string, name string, shorthand string, env string, def string, usage string) {
 	v, ok := os.LookupEnv(env)
@@ -27,6 +63,30 @@ func StringVarP(flagset *pflag.FlagSet, p *string, name string, shorthand string
 	flagset.StringVarP(p, name, shorthand, v, fmtUsage(usage, env))
 }

+func StringArray(flagset *pflag.FlagSet, name, shorthand, env string, def []string, usage string) {
+	v, ok := os.LookupEnv(env)
+	if !ok || v == "" {
+		if v == "" {
+			def = []string{}
+		} else {
+			def = strings.Split(v, ",")
+		}
+	}
+	flagset.StringArrayP(name, shorthand, def, fmtUsage(usage, env))
+}
+
+func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shorthand string, env string, def []string, usage string) {
+	val, ok := os.LookupEnv(env)
+	if ok {
+		if val == "" {
+			def = []string{}
+		} else {
+			def = strings.Split(val, ",")
+		}
+	}
+	flagset.StringArrayVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+}
+
 // Uint8VarP sets a uint8 flag on the given flag set.
 func Uint8VarP(flagset *pflag.FlagSet, ptr *uint8, name string, shorthand string, env string, def uint8, usage string) {
 	val, ok := os.LookupEnv(env)
@@ -44,6 +104,39 @@ func Uint8VarP(flagset *pflag.FlagSet, ptr *uint8, name string, shorthand string
 	flagset.Uint8VarP(ptr, name, shorthand, uint8(vi64), fmtUsage(usage, env))
 }

+// IntVarP sets a uint8 flag on the given flag set.
+func IntVarP(flagset *pflag.FlagSet, ptr *int, name string, shorthand string, env string, def int, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.IntVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	vi64, err := strconv.ParseUint(val, 10, 8)
+	if err != nil {
+		flagset.IntVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.IntVarP(ptr, name, shorthand, int(vi64), fmtUsage(usage, env))
+}
+
+func Bool(flagset *pflag.FlagSet, name, shorthand, env string, def bool, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	valb, err := strconv.ParseBool(val)
+	if err != nil {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.BoolP(name, shorthand, valb, fmtUsage(usage, env))
+}
+
 // BoolVarP sets a bool flag on the given flag set.
 func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string, env string, def bool, usage string) {
 	val, ok := os.LookupEnv(env)
@@ -61,10 +154,32 @@ func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string,
 	flagset.BoolVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
 }

-func fmtUsage(u string, env string) string {
-	if env == "" {
-		return fmt.Sprintf("%s.", u)
+// DurationVarP sets a time.Duration flag on the given flag set.
+func DurationVarP(flagset *pflag.FlagSet, ptr *time.Duration, name string, shorthand string, env string, def time.Duration, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.DurationVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
 	}

-	return fmt.Sprintf("%s - consumes $%s.", u, env)
+	valb, err := time.ParseDuration(val)
+	if err != nil {
+		flagset.DurationVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.DurationVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
+}
+
+func fmtUsage(u string, env string) string {
+	if env != "" {
+		// Avoid double dotting.
+		dot := "."
+		if strings.HasSuffix(u, ".") {
+			dot = ""
+		}
+		u = fmt.Sprintf("%s%s\n"+cliui.Styles.Placeholder.Render("Consumes $%s"), u, dot, env)
+	}
+
+	return u
 }
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strconv"
 	"testing"
+	"time"

 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/require"
@@ -13,9 +14,32 @@ import (
 )

 // Testcliflag cannot run in parallel because it uses t.Setenv.
+//
 //nolint:paralleltest
 func TestCliflag(t *testing.T) {
 	t.Run("StringDefault", func(t *testing.T) {
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.String(10)
+		cliflag.String(flagset, name, shorthand, env, def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("StringEnvVar", func(t *testing.T) {
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.String(10)
+		cliflag.String(flagset, name, shorthand, env, def, usage)
+		got, err := flagset.GetString(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("StringVarPDefault", func(t *testing.T) {
 		var ptr string
 		flagset, name, shorthand, env, usage := randomFlag()
 		def, _ := cryptorand.String(10)
@@ -25,10 +49,10 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

-	t.Run("StringEnvVar", func(t *testing.T) {
+	t.Run("StringVarPEnvVar", func(t *testing.T) {
 		var ptr string
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.String(10)
@@ -51,10 +75,40 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.NotContains(t, flagset.FlagUsages(), " - consumes")
+		require.NotContains(t, flagset.FlagUsages(), "Consumes")
 	})

-	t.Run("IntDefault", func(t *testing.T) {
+	t.Run("StringArrayDefault", func(t *testing.T) {
+		var ptr []string
+		flagset, name, shorthand, env, usage := randomFlag()
+		def := []string{"hello"}
+		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetStringArray(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+	})
+
+	t.Run("StringArrayEnvVar", func(t *testing.T) {
+		var ptr []string
+		flagset, name, shorthand, env, usage := randomFlag()
+		t.Setenv(env, "wow,test")
+		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, nil, usage)
+		got, err := flagset.GetStringArray(name)
+		require.NoError(t, err)
+		require.Equal(t, []string{"wow", "test"}, got)
+	})
+
+	t.Run("StringArrayEnvVarEmpty", func(t *testing.T) {
+		var ptr []string
+		flagset, name, shorthand, env, usage := randomFlag()
+		t.Setenv(env, "")
+		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, nil, usage)
+		got, err := flagset.GetStringArray(name)
+		require.NoError(t, err)
+		require.Equal(t, []string{}, got)
+	})
+
+	t.Run("UInt8Default", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		def, _ := cryptorand.Int63n(10)
@@ -64,10 +118,10 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, uint8(def), got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

-	t.Run("IntEnvVar", func(t *testing.T) {
+	t.Run("UInt8EnvVar", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.Int63n(10)
@@ -80,7 +134,7 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, uint8(envValue), got)
 	})

-	t.Run("IntFailParse", func(t *testing.T) {
+	t.Run("UInt8FailParse", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.String(10)
@@ -93,6 +147,45 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, uint8(def), got)
 	})

+	t.Run("IntDefault", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, int(def), usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(def), got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("IntEnvVar", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Int63n(10)
+		t.Setenv(env, strconv.FormatUint(uint64(envValue), 10))
+		def, _ := cryptorand.Int()
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(envValue), got)
+	})
+
+	t.Run("IntFailParse", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, int(def), usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(def), got)
+	})
+
 	t.Run("BoolDefault", func(t *testing.T) {
 		var ptr bool
 		flagset, name, shorthand, env, usage := randomFlag()
@@ -103,7 +196,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("BoolEnvVar", func(t *testing.T) {
@@ -131,6 +224,45 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 	})
+
+	t.Run("DurationDefault", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("DurationEnvVar", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Duration()
+		t.Setenv(env, envValue.String())
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("DurationFailParse", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+	})
 }

 func randomFlag() (*pflag.FlagSet, string, string, string, string) {
@@ -5,8 +5,10 @@ import (
 	"bytes"
 	"errors"
 	"io"
+	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"

 	"github.com/spf13/cobra"
@@ -21,25 +23,40 @@ import (
 // New creates a CLI instance with a configuration pointed to a
 // temporary testing directory.
 func New(t *testing.T, args ...string) (*cobra.Command, config.Root) {
-	cmd := cli.Root()
+	return NewWithSubcommands(t, cli.AGPL(), args...)
+}
+
+func NewWithSubcommands(
+	t *testing.T, subcommands []*cobra.Command, args ...string,
+) (*cobra.Command, config.Root) {
+	cmd := cli.Root(subcommands)
 	dir := t.TempDir()
 	root := config.Root(dir)
 	cmd.SetArgs(append([]string{"--global-config", dir}, args...))
+
+	// We could consider using writers
+	// that log via t.Log here instead.
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
 	return cmd, root
 }

 // SetupConfig applies the URL and SessionToken of the client to the config.
 func SetupConfig(t *testing.T, client *codersdk.Client, root config.Root) {
-	err := root.Session().Write(client.SessionToken)
+	err := root.Session().Write(client.SessionToken())
 	require.NoError(t, err)
 	err = root.URL().Write(client.URL.String())
 	require.NoError(t, err)
 }

-// CreateProjectVersionSource writes the echo provisioner responses into a
+// CreateTemplateVersionSource writes the echo provisioner responses into a
 // new temporary testing directory.
-func CreateProjectVersionSource(t *testing.T, responses *echo.Responses) string {
+func CreateTemplateVersionSource(t *testing.T, responses *echo.Responses) string {
 	directory := t.TempDir()
+	f, err := ioutil.TempFile(directory, "*.tf")
+	require.NoError(t, err)
+	_ = f.Close()
 	data, err := echo.Tar(responses)
 	require.NoError(t, err)
 	extractTar(t, data, directory)
@@ -54,6 +71,9 @@ func extractTar(t *testing.T, data []byte, directory string) {
 			break
 		}
 		require.NoError(t, err)
+		if header.Name == "." || strings.Contains(header.Name, "..") {
+			continue
+		}
 		// #nosec
 		path := filepath.Join(directory, header.Name)
 		mode := header.FileInfo().Mode()
@@ -3,7 +3,6 @@ package clitest_test
 import (
 	"testing"

-	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"

 	"github.com/coder/coder/cli/clitest"
@@ -17,7 +16,7 @@ func TestMain(m *testing.M) {

 func TestCli(t *testing.T) {
 	t.Parallel()
-	clitest.CreateProjectVersionSource(t, nil)
+	clitest.CreateTemplateVersionSource(t, nil)
 	client := coderdtest.New(t, nil)
 	cmd, config := clitest.New(t)
 	clitest.SetupConfig(t, client, config)
@@ -25,8 +24,7 @@ func TestCli(t *testing.T) {
 	cmd.SetIn(pty.Input())
 	cmd.SetOut(pty.Output())
 	go func() {
-		err := cmd.Execute()
-		require.NoError(t, err)
+		_ = cmd.Execute()
 	}()
 	pty.ExpectMatch("coder")
 }
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"io"
+	"os"
+	"os/signal"
 	"sync"
 	"time"

@@ -15,7 +17,7 @@ import (

 type AgentOptions struct {
 	WorkspaceName string
-	Fetch         func(context.Context) (codersdk.WorkspaceResource, error)
+	Fetch         func(context.Context) (codersdk.WorkspaceAgent, error)
 	FetchInterval time.Duration
 	WarnInterval  time.Duration
 }
@@ -29,60 +31,116 @@ func Agent(ctx context.Context, writer io.Writer, opts AgentOptions) error {
 		opts.WarnInterval = 30 * time.Second
 	}
 	var resourceMutex sync.Mutex
-	resource, err := opts.Fetch(ctx)
+	agent, err := opts.Fetch(ctx)
 	if err != nil {
 		return xerrors.Errorf("fetch: %w", err)
 	}
-	if resource.Agent.Status == codersdk.WorkspaceAgentConnected {
+
+	if agent.Status == codersdk.WorkspaceAgentConnected {
 		return nil
 	}
-	if resource.Agent.Status == codersdk.WorkspaceAgentDisconnected {
-		opts.WarnInterval = 0
-	}
+
 	spin := spinner.New(spinner.CharSets[78], 100*time.Millisecond, spinner.WithColor("fgHiGreen"))
 	spin.Writer = writer
 	spin.ForceOutput = true
-	spin.Suffix = " Waiting for connection from " + Styles.Field.Render(resource.Type+"."+resource.Name) + "..."
+	spin.Suffix = " Waiting for connection from " + Styles.Field.Render(agent.Name) + "..."
 	spin.Start()
 	defer spin.Stop()

-	ticker := time.NewTicker(opts.FetchInterval)
-	defer ticker.Stop()
-	timer := time.NewTimer(opts.WarnInterval)
-	defer timer.Stop()
+	ctx, cancelFunc := context.WithCancel(ctx)
+	defer cancelFunc()
+	stopSpin := make(chan os.Signal, 1)
+	signal.Notify(stopSpin, os.Interrupt)
+	defer signal.Stop(stopSpin)
 	go func() {
 		select {
 		case <-ctx.Done():
 			return
-		case <-timer.C:
+		case <-stopSpin:
 		}
+		cancelFunc()
+		signal.Stop(stopSpin)
+		spin.Stop()
+		// nolint:revive
+		os.Exit(1)
+	}()
+
+	var waitMessage string
+	messageAfter := time.NewTimer(opts.WarnInterval)
+	defer messageAfter.Stop()
+	showMessage := func() {
 		resourceMutex.Lock()
 		defer resourceMutex.Unlock()
-		message := "Don't panic, your workspace is booting up!"
-		if resource.Agent.Status == codersdk.WorkspaceAgentDisconnected {
-			message = "The workspace agent lost connection! Wait for it to reconnect or run: " + Styles.Code.Render("coder workspaces rebuild "+opts.WorkspaceName)
+
+		m := waitingMessage(agent)
+		if m == waitMessage {
+			return
+		}
+		moveUp := ""
+		if waitMessage != "" {
+			// If this is an update, move a line up
+			// to keep it tidy and aligned.
+			moveUp = "\033[1A"
+		}
+		waitMessage = m
+
+		// Stop the spinner while we write our message.
+		spin.Stop()
+		// Clear the line and (if necessary) move up a line to write our message.
+		_, _ = fmt.Fprintf(writer, "\033[2K%s%s\n\n", moveUp, Styles.Paragraph.Render(Styles.Prompt.String()+waitMessage))
+		select {
+		case <-ctx.Done():
+		default:
+			// Safe to resume operation.
+			spin.Start()
+		}
+	}
+	go func() {
+		select {
+		case <-ctx.Done():
+		case <-messageAfter.C:
+			messageAfter.Stop()
+			showMessage()
 		}
-		// This saves the cursor position, then defers clearing from the cursor
-		// position to the end of the screen.
-		_, _ = fmt.Fprintf(writer, "\033[s\r\033[2K%s\n\n", Styles.Paragraph.Render(Styles.Prompt.String()+message))
-		defer fmt.Fprintf(writer, "\033[u\033[J")
 	}()
+
+	fetchInterval := time.NewTicker(opts.FetchInterval)
+	defer fetchInterval.Stop()
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
-		case <-ticker.C:
+		case <-fetchInterval.C:
 		}
 		resourceMutex.Lock()
-		resource, err = opts.Fetch(ctx)
+		agent, err = opts.Fetch(ctx)
 		if err != nil {
+			resourceMutex.Unlock()
 			return xerrors.Errorf("fetch: %w", err)
 		}
-		if resource.Agent.Status != codersdk.WorkspaceAgentConnected {
-			resourceMutex.Unlock()
-			continue
-		}
 		resourceMutex.Unlock()
-		return nil
+		switch agent.Status {
+		case codersdk.WorkspaceAgentConnected:
+			return nil
+		case codersdk.WorkspaceAgentTimeout, codersdk.WorkspaceAgentDisconnected:
+			showMessage()
+		}
 	}
 }
+
+func waitingMessage(agent codersdk.WorkspaceAgent) string {
+	var m string
+	switch agent.Status {
+	case codersdk.WorkspaceAgentTimeout:
+		m = "The workspace agent is having trouble connecting."
+	case codersdk.WorkspaceAgentDisconnected:
+		m = "The workspace agent lost connection!"
+	default:
+		// Not a failure state, no troubleshooting necessary.
+		return "Don't panic, your workspace is booting up!"
+	}
+	if agent.TroubleshootingURL != "" {
+		return fmt.Sprintf("%s See troubleshooting instructions at: %s", m, agent.TroubleshootingURL)
+	}
+	return fmt.Sprintf("%s Wait for it to (re)connect or restart your workspace.", m)
+}
@@ -6,12 +6,13 @@ import (
 	"time"

 	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"
 	"go.uber.org/atomic"

 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestAgent(t *testing.T) {
@@ -22,16 +23,14 @@ func TestAgent(t *testing.T) {
 		RunE: func(cmd *cobra.Command, args []string) error {
 			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
 				WorkspaceName: "example",
-				Fetch: func(ctx context.Context) (codersdk.WorkspaceResource, error) {
-					resource := codersdk.WorkspaceResource{
-						Agent: &codersdk.WorkspaceAgent{
-							Status: codersdk.WorkspaceAgentDisconnected,
-						},
+				Fetch: func(ctx context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status: codersdk.WorkspaceAgentDisconnected,
 					}
 					if disconnected.Load() {
-						resource.Agent.Status = codersdk.WorkspaceAgentConnected
+						agent.Status = codersdk.WorkspaceAgentConnected
 					}
-					return resource, nil
+					return agent, nil
 				},
 				FetchInterval: time.Millisecond,
 				WarnInterval:  10 * time.Millisecond,
@@ -45,9 +44,56 @@ func TestAgent(t *testing.T) {
 	go func() {
 		defer close(done)
 		err := cmd.Execute()
-		require.NoError(t, err)
+		assert.NoError(t, err)
 	}()
 	ptty.ExpectMatch("lost connection")
 	disconnected.Store(true)
 	<-done
 }
+
+func TestAgentTimeoutWithTroubleshootingURL(t *testing.T) {
+	t.Parallel()
+
+	ctx, _ := testutil.Context(t)
+
+	wantURL := "https://coder.com/troubleshoot"
+
+	var connected, timeout atomic.Bool
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(ctx context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status:             codersdk.WorkspaceAgentConnecting,
+						TroubleshootingURL: "https://coder.com/troubleshoot",
+					}
+					switch {
+					case connected.Load():
+						agent.Status = codersdk.WorkspaceAgentConnected
+					case timeout.Load():
+						agent.Status = codersdk.WorkspaceAgentTimeout
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  5 * time.Millisecond,
+			})
+			return err
+		},
+	}
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		err := cmd.ExecuteContext(ctx)
+		assert.NoError(t, err)
+	}()
+	ptty.ExpectMatch("Don't panic")
+	timeout.Store(true)
+	ptty.ExpectMatch(wantURL)
+	connected.Store(true)
+	<-done
+}
@@ -26,13 +26,15 @@ var Styles = struct {
 	Checkmark,
 	Code,
 	Crossmark,
+	DateTimeStamp,
+	Error,
 	Field,
 	Keyword,
 	Paragraph,
 	Placeholder,
 	Prompt,
 	FocusedPrompt,
-	Fuschia,
+	Fuchsia,
 	Logo,
 	Warn,
 	Wrap lipgloss.Style
@@ -41,14 +43,16 @@ var Styles = struct {
 	Checkmark:     defaultStyles.Checkmark,
 	Code:          defaultStyles.Code,
 	Crossmark:     defaultStyles.Error.Copy().SetString("✘"),
+	DateTimeStamp: defaultStyles.LabelDim,
+	Error:         defaultStyles.Error,
 	Field:         defaultStyles.Code.Copy().Foreground(lipgloss.AdaptiveColor{Light: "#000000", Dark: "#FFFFFF"}),
 	Keyword:       defaultStyles.Keyword,
 	Paragraph:     defaultStyles.Paragraph,
-	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.Color("240")),
+	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#585858", Dark: "#4d46b3"}),
 	Prompt:        defaultStyles.Prompt.Foreground(lipgloss.AdaptiveColor{Light: "#9B9B9B", Dark: "#5C5C5C"}),
 	FocusedPrompt: defaultStyles.FocusedPrompt.Foreground(lipgloss.Color("#651fff")),
-	Fuschia:       defaultStyles.SelectedMenuItem.Copy(),
+	Fuchsia:       defaultStyles.SelectedMenuItem.Copy(),
 	Logo:          defaultStyles.Logo.SetString("Coder"),
 	Warn:          lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#04B575", Dark: "#ECFD65"}),
-	Wrap:          defaultStyles.Wrap,
+	Wrap:          lipgloss.NewStyle().Width(80),
 }
@@ -10,7 +10,7 @@ import (
 	"github.com/coder/coder/codersdk"
 )

-func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ProjectVersionParameterSchema) (string, error) {
+func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ParameterSchema) (string, error) {
 	_, _ = fmt.Fprintln(cmd.OutOrStdout(), Styles.Bold.Render("var."+parameterSchema.Name))
 	if parameterSchema.Description != "" {
 		_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+strings.TrimSpace(strings.Join(strings.Split(parameterSchema.Description, "\n"), "\n  "))+"\n")
@@ -30,6 +30,7 @@ func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ProjectVersion
 		_, _ = fmt.Fprint(cmd.OutOrStdout(), "\033[1A")
 		value, err = Select(cmd, SelectOptions{
 			Options:    options,
+			Default:    parameterSchema.DefaultSourceValue,
 			HideSearch: true,
 		})
 		if err == nil {
@@ -37,9 +38,25 @@ func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ProjectVersion
 			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+Styles.Prompt.String()+Styles.Field.Render(value))
 		}
 	} else {
+		text := "Enter a value"
+		if parameterSchema.DefaultSourceValue != "" {
+			text += fmt.Sprintf(" (default: %q)", parameterSchema.DefaultSourceValue)
+		}
+		text += ":"
+
 		value, err = Prompt(cmd, PromptOptions{
-			Text: Styles.Bold.Render("Enter a value:"),
+			Text: Styles.Bold.Render(text),
 		})
+		value = strings.TrimSpace(value)
 	}
-	return value, err
+	if err != nil {
+		return "", err
+	}
+
+	// If they didn't specify anything, use the default value if set.
+	if len(options) == 0 && value == "" {
+		value = parameterSchema.DefaultSourceValue
+	}
+
+	return value, nil
 }
@@ -5,7 +5,6 @@ import (
 	"bytes"
 	"encoding/json"
 	"fmt"
-	"io"
 	"os"
 	"os/signal"
 	"strings"
@@ -13,6 +12,7 @@ import (
 	"github.com/bgentry/speakeasy"
 	"github.com/mattn/go-isatty"
 	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
 )

 // PromptOptions supply a set of options to the prompt.
@@ -24,28 +24,60 @@ type PromptOptions struct {
 	Validate  func(string) error
 }

+const skipPromptFlag = "yes"
+
+func AllowSkipPrompt(cmd *cobra.Command) {
+	cmd.Flags().BoolP(skipPromptFlag, "y", false, "Bypass prompts")
+}
+
+const (
+	ConfirmYes = "yes"
+	ConfirmNo  = "no"
+)
+
 // Prompt asks the user for input.
 func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
+	// If the cmd has a "yes" flag for skipping confirm prompts, honor it.
+	// If it's not a "Confirm" prompt, then don't skip. As the default value of
+	// "yes" makes no sense.
+	if opts.IsConfirm && cmd.Flags().Lookup(skipPromptFlag) != nil {
+		if skip, _ := cmd.Flags().GetBool(skipPromptFlag); skip {
+			return ConfirmYes, nil
+		}
+	}
+
 	_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.FocusedPrompt.String()+opts.Text+" ")
 	if opts.IsConfirm {
-		opts.Default = "yes"
-		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+Styles.Bold.Render("yes")+Styles.Placeholder.Render("/no) ")))
+		if len(opts.Default) == 0 {
+			opts.Default = ConfirmYes
+		}
+		renderedYes := Styles.Placeholder.Render(ConfirmYes)
+		renderedNo := Styles.Placeholder.Render(ConfirmNo)
+		if opts.Default == ConfirmYes {
+			renderedYes = Styles.Bold.Render(ConfirmYes)
+		} else {
+			renderedNo = Styles.Bold.Render(ConfirmNo)
+		}
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+renderedYes+Styles.Placeholder.Render("/"+renderedNo+Styles.Placeholder.Render(") "))))
 	} else if opts.Default != "" {
 		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+opts.Default+") "))
 	}
 	interrupt := make(chan os.Signal, 1)
-	signal.Notify(interrupt, os.Interrupt)
-	defer signal.Stop(interrupt)

 	errCh := make(chan error, 1)
 	lineCh := make(chan string)
 	go func() {
 		var line string
 		var err error
-		inFile, valid := cmd.InOrStdin().(*os.File)
-		if opts.Secret && valid && isatty.IsTerminal(inFile.Fd()) {
+
+		inFile, isInputFile := cmd.InOrStdin().(*os.File)
+		if opts.Secret && isInputFile && isatty.IsTerminal(inFile.Fd()) {
+			// we don't install a signal handler here because speakeasy has its own
 			line, err = speakeasy.Ask("")
 		} else {
+			signal.Notify(interrupt, os.Interrupt)
+			defer signal.Stop(interrupt)
+
 			reader := bufio.NewReader(cmd.InOrStdin())
 			line, err = reader.ReadString('\n')

@@ -53,22 +85,7 @@ func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
 			// This enables multiline JSON to be pasted into an input, and have
 			// it parse properly.
 			if err == nil && (strings.HasPrefix(line, "{") || strings.HasPrefix(line, "[")) {
-				pipeReader, pipeWriter := io.Pipe()
-				defer pipeWriter.Close()
-				defer pipeReader.Close()
-				go func() {
-					_, _ = pipeWriter.Write([]byte(line))
-					_, _ = reader.WriteTo(pipeWriter)
-				}()
-				var rawMessage json.RawMessage
-				err := json.NewDecoder(pipeReader).Decode(&rawMessage)
-				if err == nil {
-					var buf bytes.Buffer
-					err = json.Compact(&buf, rawMessage)
-					if err == nil {
-						line = buf.String()
-					}
-				}
+				line, err = promptJSON(reader, line)
 			}
 		}
 		if err != nil {
@@ -87,7 +104,7 @@ func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
 		return "", err
 	case line := <-lineCh:
 		if opts.IsConfirm && line != "yes" && line != "y" {
-			return line, Canceled
+			return line, xerrors.Errorf("got %q: %w", line, Canceled)
 		}
 		if opts.Validate != nil {
 			err := opts.Validate(line)
@@ -105,3 +122,39 @@ func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
 		return "", Canceled
 	}
 }
+
+func promptJSON(reader *bufio.Reader, line string) (string, error) {
+	var data bytes.Buffer
+	for {
+		_, _ = data.WriteString(line)
+		var rawMessage json.RawMessage
+		err := json.Unmarshal(data.Bytes(), &rawMessage)
+		if err != nil {
+			if err.Error() != "unexpected end of JSON input" {
+				// If a real syntax error occurs in JSON,
+				// we want to return that partial line to the user.
+				err = nil
+				line = data.String()
+				break
+			}
+
+			// Read line-by-line. We can't use a JSON decoder
+			// here because it doesn't work by newline, so
+			// reads will block.
+			line, err = reader.ReadString('\n')
+			if err != nil {
+				break
+			}
+			continue
+		}
+		// Compacting the JSON makes it easier for parsing and testing.
+		rawJSON := data.Bytes()
+		data.Reset()
+		err = json.Compact(&data, rawJSON)
+		if err != nil {
+			return line, xerrors.Errorf("compact json: %w", err)
+		}
+		return data.String(), nil
+	}
+	return line, nil
+}
@@ -1,14 +1,21 @@
 package cliui_test

 import (
+	"bytes"
 	"context"
+	"io"
+	"os"
+	"os/exec"
 	"testing"

 	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/pty"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestPrompt(t *testing.T) {
@@ -20,8 +27,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			msgChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -37,8 +44,8 @@ func TestPrompt(t *testing.T) {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text:      "Example",
 				IsConfirm: true,
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -46,6 +53,47 @@ func TestPrompt(t *testing.T) {
 		require.Equal(t, "yes", <-doneChan)
 	})

+	t.Run("Skip", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		var buf bytes.Buffer
+
+		// Copy all data written out to a buffer. When we close the ptty, we can
+		// no longer read from the ptty.Output(), but we can read what was
+		// written to the buffer.
+		dataRead, doneReading := context.WithTimeout(context.Background(), testutil.WaitShort)
+		go func() {
+			// This will throw an error sometimes. The underlying ptty
+			// has its own cleanup routines in t.Cleanup. Instead of
+			// trying to control the close perfectly, just let the ptty
+			// double close. This error isn't important, we just
+			// want to know the ptty is done sending output.
+			_, _ = io.Copy(&buf, ptty.Output())
+			doneReading()
+		}()
+
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text:      "ShouldNotSeeThis",
+				IsConfirm: true,
+			}, func(cmd *cobra.Command) {
+				cliui.AllowSkipPrompt(cmd)
+				cmd.SetArgs([]string{"-y"})
+			})
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+
+		require.Equal(t, "yes", <-doneChan)
+		// Close the reader to end the io.Copy
+		require.NoError(t, ptty.Close(), "close eof reader")
+		// Wait for the IO copy to finish
+		<-dataRead.Done()
+		// Timeout error means the output was hanging
+		require.ErrorIs(t, dataRead.Err(), context.Canceled, "should be canceled")
+		require.Len(t, buf.Bytes(), 0, "expect no output")
+	})
 	t.Run("JSON", func(t *testing.T) {
 		t.Parallel()
 		ptty := ptytest.New(t)
@@ -53,8 +101,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -69,8 +117,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -85,8 +133,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -97,7 +145,7 @@ func TestPrompt(t *testing.T) {
 	})
 }

-func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions) (string, error) {
+func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions, cmdOpt func(cmd *cobra.Command)) (string, error) {
 	value := ""
 	cmd := &cobra.Command{
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -106,7 +154,67 @@ func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions) (string, error) {
 			return err
 		},
 	}
-	cmd.SetOutput(ptty.Output())
+	// Optionally modify the cmd
+	if cmdOpt != nil {
+		cmdOpt(cmd)
+	}
+	cmd.SetOut(ptty.Output())
+	cmd.SetErr(ptty.Output())
 	cmd.SetIn(ptty.Input())
 	return value, cmd.ExecuteContext(context.Background())
 }
+
+func TestPasswordTerminalState(t *testing.T) {
+	if os.Getenv("TEST_SUBPROCESS") == "1" {
+		passwordHelper()
+		return
+	}
+	t.Parallel()
+
+	ptty := ptytest.New(t)
+	ptyWithFlags, ok := ptty.PTY.(pty.WithFlags)
+	if !ok {
+		t.Skip("unable to check PTY local echo on this platform")
+	}
+
+	cmd := exec.Command(os.Args[0], "-test.run=TestPasswordTerminalState") //nolint:gosec
+	cmd.Env = append(os.Environ(), "TEST_SUBPROCESS=1")
+	// connect the child process's stdio to the PTY directly, not via a pipe
+	cmd.Stdin = ptty.Input().Reader
+	cmd.Stdout = ptty.Output().Writer
+	cmd.Stderr = ptty.Output().Writer
+	err := cmd.Start()
+	require.NoError(t, err)
+	process := cmd.Process
+	defer process.Kill()
+
+	ptty.ExpectMatch("Password: ")
+
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && !echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is on while reading password")
+
+	err = process.Signal(os.Interrupt)
+	require.NoError(t, err)
+	_, err = process.Wait()
+	require.NoError(t, err)
+
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is off after reading password")
+}
+
+// nolint:unused
+func passwordHelper() {
+	cmd := &cobra.Command{
+		Run: func(cmd *cobra.Command, args []string) {
+			cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:   "Password:",
+				Secret: true,
+			})
+		},
+	}
+	cmd.ExecuteContext(context.Background())
+}
@@ -1,6 +1,7 @@
 package cliui

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"io"
@@ -12,18 +13,17 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"

-	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/codersdk"
 )

-func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Client, build uuid.UUID, before time.Time) error {
+func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Client, build uuid.UUID) error {
 	return ProvisionerJob(ctx, writer, ProvisionerJobOptions{
 		Fetch: func() (codersdk.ProvisionerJob, error) {
 			build, err := client.WorkspaceBuild(ctx, build)
 			return build.Job, err
 		},
-		Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
-			return client.WorkspaceBuildLogsAfter(ctx, build, before)
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+			return client.WorkspaceBuildLogsAfter(ctx, build, 0)
 		},
 	})
 }
@@ -31,11 +31,14 @@ func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Clie
 type ProvisionerJobOptions struct {
 	Fetch  func() (codersdk.ProvisionerJob, error)
 	Cancel func() error
-	Logs   func() (<-chan codersdk.ProvisionerJobLog, error)
+	Logs   func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error)

 	FetchInterval time.Duration
 	// Verbose determines whether debug and trace logs will be shown.
 	Verbose bool
+	// Silent determines whether log output will be shown unless there is an
+	// error.
+	Silent bool
 }

 // ProvisionerJob renders a provisioner job with interactive cancellation.
@@ -100,7 +103,6 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp
 		}
 		updateStage("Running", *job.StartedAt)
 	}
-	updateJob()

 	if opts.Cancel != nil {
 		// Handles ctrl+c to cancel a job.
@@ -128,18 +130,38 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp

 	// The initial stage needs to print after the signal handler has been registered.
 	printStage()
+	updateJob()

-	logs, err := opts.Logs()
+	logs, closer, err := opts.Logs()
 	if err != nil {
-		return xerrors.Errorf("logs: %w", err)
+		return xerrors.Errorf("begin streaming logs: %w", err)
+	}
+	defer closer.Close()
+
+	var (
+		// logOutput is where log output is written
+		logOutput = writer
+		// logBuffer is where logs are buffered if opts.Silent is true
+		logBuffer = &bytes.Buffer{}
+	)
+	if opts.Silent {
+		logOutput = logBuffer
+	}
+	flushLogBuffer := func() {
+		if opts.Silent {
+			_, _ = io.Copy(writer, logBuffer)
+		}
 	}

 	ticker := time.NewTicker(opts.FetchInterval)
+	defer ticker.Stop()
 	for {
 		select {
 		case err = <-errChan:
+			flushLogBuffer()
 			return err
 		case <-ctx.Done():
+			flushLogBuffer()
 			return ctx.Err()
 		case <-ticker.C:
 			updateJob()
@@ -161,30 +183,35 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp
 				}
 				err = xerrors.New(job.Error)
 				jobMutex.Unlock()
+				flushLogBuffer()
 				return err
 			}
+
 			output := ""
 			switch log.Level {
-			case database.LogLevelTrace, database.LogLevelDebug:
+			case codersdk.LogLevelTrace, codersdk.LogLevelDebug:
 				if !opts.Verbose {
 					continue
 				}
 				output = Styles.Placeholder.Render(log.Output)
-			case database.LogLevelError:
+			case codersdk.LogLevelError:
 				output = defaultStyles.Error.Render(log.Output)
-			case database.LogLevelWarn:
+			case codersdk.LogLevelWarn:
 				output = Styles.Warn.Render(log.Output)
-			case database.LogLevelInfo:
+			case codersdk.LogLevelInfo:
 				output = log.Output
 			}
+
 			jobMutex.Lock()
 			if log.Stage != currentStage && log.Stage != "" {
 				updateStage(log.Stage, log.CreatedAt)
 				jobMutex.Unlock()
 				continue
 			}
-			_, _ = fmt.Fprintf(writer, "%s %s\n", Styles.Placeholder.Render(" "), output)
-			didLogBetweenStage = true
+			_, _ = fmt.Fprintf(logOutput, "%s %s\n", Styles.Placeholder.Render(" "), output)
+			if !opts.Silent {
+				didLogBetweenStage = true
+			}
 			jobMutex.Unlock()
 		}
 	}
@@ -2,6 +2,7 @@ package cliui_test

 import (
 	"context"
+	"io"
 	"os"
 	"runtime"
 	"sync"
@@ -9,7 +10,7 @@ import (
 	"time"

 	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"

 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/database"
@@ -90,9 +91,9 @@ func TestProvisionerJob(t *testing.T) {
 		go func() {
 			<-test.Next
 			currentProcess, err := os.FindProcess(os.Getpid())
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			err = currentProcess.Signal(os.Interrupt)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			<-test.Next
 			test.JobMutex.Lock()
 			test.Job.Status = codersdk.ProvisionerJobCanceled
@@ -136,8 +137,10 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 				Cancel: func() error {
 					return nil
 				},
-				Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
-					return logs, nil
+				Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+					return logs, closeFunc(func() error {
+						return nil
+					}), nil
 				},
 			})
 		},
@@ -150,7 +153,7 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 		defer close(done)
 		err := cmd.ExecuteContext(context.Background())
 		if err != nil {
-			require.ErrorIs(t, err, cliui.Canceled)
+			assert.ErrorIs(t, err, cliui.Canceled)
 		}
 	}()
 	t.Cleanup(func() {
@@ -164,3 +167,9 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 		PTY:      ptty,
 	}
 }
+
+type closeFunc func() error
+
+func (c closeFunc) Close() error {
+	return c()
+}
@@ -0,0 +1,156 @@
+package cliui
+
+import (
+	"fmt"
+	"io"
+	"sort"
+	"strconv"
+
+	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/mod/semver"
+
+	"github.com/coder/coder/coderd/database"
+
+	"github.com/coder/coder/codersdk"
+)
+
+type WorkspaceResourcesOptions struct {
+	WorkspaceName  string
+	HideAgentState bool
+	HideAccess     bool
+	Title          string
+	ServerVersion  string
+}
+
+// WorkspaceResources displays the connection status and tree-view of provided resources.
+// ┌────────────────────────────────────────────────────────────────────────────┐
+// │ RESOURCE                     STATUS               ACCESS                   │
+// ├────────────────────────────────────────────────────────────────────────────┤
+// │ google_compute_disk.root                                                   │
+// ├────────────────────────────────────────────────────────────────────────────┤
+// │ google_compute_instance.dev                                                │
+// │ └─ dev (linux, amd64)        ⦾ connecting [10s]    coder ssh dev.dev       │
+// ├────────────────────────────────────────────────────────────────────────────┤
+// │ kubernetes_pod.dev                                                         │
+// │ ├─ go (linux, amd64)         ⦿ connected           coder ssh dev.go        │
+// │ └─ postgres (linux, amd64)   ⦾ disconnected [4s]   coder ssh dev.postgres  │
+// └────────────────────────────────────────────────────────────────────────────┘
+func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource, options WorkspaceResourcesOptions) error {
+	// Sort resources by type for consistent output.
+	sort.Slice(resources, func(i, j int) bool {
+		return resources[i].Type < resources[j].Type
+	})
+
+	tableWriter := table.NewWriter()
+	if options.Title != "" {
+		tableWriter.SetTitle(options.Title)
+	}
+	tableWriter.SetStyle(table.StyleLight)
+	tableWriter.Style().Options.SeparateColumns = false
+	row := table.Row{"Resource"}
+	if !options.HideAgentState {
+		row = append(row, "Status")
+		row = append(row, "Version")
+	}
+	if !options.HideAccess {
+		row = append(row, "Access")
+	}
+	tableWriter.AppendHeader(row)
+
+	totalAgents := 0
+	for _, resource := range resources {
+		totalAgents += len(resource.Agents)
+	}
+
+	for _, resource := range resources {
+		if resource.Type == "random_string" {
+			// Hide resources that aren't substantial to a user!
+			// This is an unfortunate case, and we should allow
+			// callers to hide resources eventually.
+			continue
+		}
+		resourceAddress := resource.Type + "." + resource.Name
+
+		// Sort agents by name for consistent output.
+		sort.Slice(resource.Agents, func(i, j int) bool {
+			return resource.Agents[i].Name < resource.Agents[j].Name
+		})
+
+		// Display a line for the resource.
+		tableWriter.AppendRow(table.Row{
+			Styles.Bold.Render(resourceAddress),
+			"",
+			"",
+		})
+		// Display all agents associated with the resource.
+		for index, agent := range resource.Agents {
+			pipe := "├"
+			if index == len(resource.Agents)-1 {
+				pipe = "└"
+			}
+			row := table.Row{
+				// These tree from a resource!
+				fmt.Sprintf("%s─ %s (%s, %s)", pipe, agent.Name, agent.OperatingSystem, agent.Architecture),
+			}
+			if !options.HideAgentState {
+				var agentStatus string
+				var agentVersion string
+				if !options.HideAgentState {
+					agentStatus = renderAgentStatus(agent)
+					agentVersion = renderAgentVersion(agent.Version, options.ServerVersion)
+				}
+				row = append(row, agentStatus, agentVersion)
+			}
+			if !options.HideAccess {
+				sshCommand := "coder ssh " + options.WorkspaceName
+				if totalAgents > 1 {
+					sshCommand += "." + agent.Name
+				}
+				sshCommand = Styles.Code.Render(sshCommand)
+				row = append(row, sshCommand)
+			}
+			tableWriter.AppendRow(row)
+		}
+		tableWriter.AppendSeparator()
+	}
+	_, err := fmt.Fprintln(writer, tableWriter.Render())
+	return err
+}
+
+func renderAgentStatus(agent codersdk.WorkspaceAgent) string {
+	switch agent.Status {
+	case codersdk.WorkspaceAgentConnecting:
+		since := database.Now().Sub(agent.CreatedAt)
+		return Styles.Warn.Render("⦾ connecting") + " " +
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+	case codersdk.WorkspaceAgentDisconnected:
+		since := database.Now().Sub(*agent.DisconnectedAt)
+		return Styles.Error.Render("⦾ disconnected") + " " +
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+	case codersdk.WorkspaceAgentTimeout:
+		since := database.Now().Sub(agent.CreatedAt)
+		return fmt.Sprintf(
+			"%s %s",
+			Styles.Warn.Render("⦾ timeout"),
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]"),
+		)
+	case codersdk.WorkspaceAgentConnected:
+		return Styles.Keyword.Render("⦿ connected")
+	default:
+		return Styles.Warn.Render("○ unknown")
+	}
+}
+
+func renderAgentVersion(agentVersion, serverVersion string) string {
+	if agentVersion == "" {
+		agentVersion = "(unknown)"
+	}
+	if !semver.IsValid(serverVersion) || !semver.IsValid(agentVersion) {
+		return Styles.Placeholder.Render(agentVersion)
+	}
+	outdated := semver.Compare(agentVersion, serverVersion) < 0
+	if outdated {
+		return Styles.Warn.Render(agentVersion + " (outdated)")
+	}
+	return Styles.Keyword.Render(agentVersion)
+}
@@ -0,0 +1,50 @@
+package cliui
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRenderAgentVersion(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name          string
+		agentVersion  string
+		serverVersion string
+		expected      string
+	}{
+		{
+			name:          "OK",
+			agentVersion:  "v1.2.3",
+			serverVersion: "v1.2.3",
+			expected:      "v1.2.3",
+		},
+		{
+			name:          "Outdated",
+			agentVersion:  "v1.2.3",
+			serverVersion: "v1.2.4",
+			expected:      "v1.2.3 (outdated)",
+		},
+		{
+			name:          "AgentUnknown",
+			agentVersion:  "",
+			serverVersion: "v1.2.4",
+			expected:      "(unknown)",
+		},
+		{
+			name:          "ServerUnknown",
+			agentVersion:  "v1.2.3",
+			serverVersion: "",
+			expected:      "v1.2.3",
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			actual := renderAgentVersion(testCase.agentVersion, testCase.serverVersion)
+			assert.Equal(t, testCase.expected, actual)
+		})
+	}
+}
@@ -0,0 +1,96 @@
+package cliui_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestWorkspaceResources(t *testing.T) {
+	t.Parallel()
+	t.Run("SingleAgentSSH", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		done := make(chan struct{})
+		go func() {
+			err := cliui.WorkspaceResources(ptty.Output(), []codersdk.WorkspaceResource{{
+				Type:       "google_compute_instance",
+				Name:       "dev",
+				Transition: codersdk.WorkspaceTransitionStart,
+				Agents: []codersdk.WorkspaceAgent{{
+					Name:            "dev",
+					Status:          codersdk.WorkspaceAgentConnected,
+					Architecture:    "amd64",
+					OperatingSystem: "linux",
+				}},
+			}}, cliui.WorkspaceResourcesOptions{
+				WorkspaceName: "example",
+			})
+			assert.NoError(t, err)
+			close(done)
+		}()
+		ptty.ExpectMatch("coder ssh example")
+		<-done
+	})
+
+	t.Run("MultipleStates", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		disconnected := database.Now().Add(-4 * time.Second)
+		done := make(chan struct{})
+		go func() {
+			err := cliui.WorkspaceResources(ptty.Output(), []codersdk.WorkspaceResource{{
+				Transition: codersdk.WorkspaceTransitionStart,
+				Type:       "google_compute_disk",
+				Name:       "root",
+			}, {
+				Transition: codersdk.WorkspaceTransitionStop,
+				Type:       "google_compute_disk",
+				Name:       "root",
+			}, {
+				Transition: codersdk.WorkspaceTransitionStart,
+				Type:       "google_compute_instance",
+				Name:       "dev",
+				Agents: []codersdk.WorkspaceAgent{{
+					CreatedAt:       database.Now().Add(-10 * time.Second),
+					Status:          codersdk.WorkspaceAgentConnecting,
+					Name:            "dev",
+					OperatingSystem: "linux",
+					Architecture:    "amd64",
+				}},
+			}, {
+				Transition: codersdk.WorkspaceTransitionStart,
+				Type:       "kubernetes_pod",
+				Name:       "dev",
+				Agents: []codersdk.WorkspaceAgent{{
+					Status:          codersdk.WorkspaceAgentConnected,
+					Name:            "go",
+					Architecture:    "amd64",
+					OperatingSystem: "linux",
+				}, {
+					DisconnectedAt:  &disconnected,
+					Status:          codersdk.WorkspaceAgentDisconnected,
+					Name:            "postgres",
+					Architecture:    "amd64",
+					OperatingSystem: "linux",
+				}},
+			}}, cliui.WorkspaceResourcesOptions{
+				WorkspaceName:  "dev",
+				HideAgentState: false,
+				HideAccess:     false,
+			})
+			assert.NoError(t, err)
+			close(done)
+		}()
+		ptty.ExpectMatch("google_compute_disk.root")
+		ptty.ExpectMatch("google_compute_instance.dev")
+		ptty.ExpectMatch("coder ssh dev.postgres")
+		<-done
+	})
+}
@@ -1,11 +1,13 @@
 package cliui

 import (
+	"errors"
 	"flag"
 	"io"
 	"os"

 	"github.com/AlecAivazis/survey/v2"
+	"github.com/AlecAivazis/survey/v2/terminal"
 	"github.com/spf13/cobra"
 )

@@ -33,7 +35,9 @@ func init() {
 }

 type SelectOptions struct {
-	Options    []string
+	Options []string
+	// Default will be highlighted first if it's a valid option.
+	Default    string
 	Size       int
 	HideSearch bool
 }
@@ -48,10 +52,16 @@ func Select(cmd *cobra.Command, opts SelectOptions) (string, error) {
 	if flag.Lookup("test.v") != nil {
 		return opts.Options[0], nil
 	}
-	opts.HideSearch = false
+
+	var defaultOption interface{}
+	if opts.Default != "" {
+		defaultOption = opts.Default
+	}
+
 	var value string
 	err := survey.AskOne(&survey.Select{
 		Options:  opts.Options,
+		Default:  defaultOption,
 		PageSize: opts.Size,
 	}, &value, survey.WithIcons(func(is *survey.IconSet) {
 		is.Help.Text = "Type to search"
@@ -63,6 +73,9 @@ func Select(cmd *cobra.Command, opts SelectOptions) (string, error) {
 	}, fileReadWriter{
 		Writer: cmd.OutOrStdout(),
 	}, cmd.OutOrStdout()))
+	if errors.Is(err, terminal.InterruptErr) {
+		return value, Canceled
+	}
 	return value, err
 }

@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/cliui"
@@ -21,7 +22,7 @@ func TestSelect(t *testing.T) {
 			resp, err := newSelect(ptty, cliui.SelectOptions{
 				Options: []string{"First", "Second"},
 			})
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			msgChan <- resp
 		}()
 		require.Equal(t, "First", <-msgChan)
@@ -0,0 +1,326 @@
+package cliui
+
+import (
+	"fmt"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/fatih/structtag"
+	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/xerrors"
+)
+
+// Table creates a new table with standardized styles.
+func Table() table.Writer {
+	tableWriter := table.NewWriter()
+	tableWriter.Style().Box.PaddingLeft = ""
+	tableWriter.Style().Box.PaddingRight = "  "
+	tableWriter.Style().Options.DrawBorder = false
+	tableWriter.Style().Options.SeparateHeader = false
+	tableWriter.Style().Options.SeparateColumns = false
+	return tableWriter
+}
+
+// FilterTableColumns returns configurations to hide columns
+// that are not provided in the array. If the array is empty,
+// no filtering will occur!
+func FilterTableColumns(header table.Row, columns []string) []table.ColumnConfig {
+	if len(columns) == 0 {
+		return nil
+	}
+	columnConfigs := make([]table.ColumnConfig, 0)
+	for _, headerTextRaw := range header {
+		headerText, _ := headerTextRaw.(string)
+		hidden := true
+		for _, column := range columns {
+			if strings.EqualFold(strings.ReplaceAll(column, "_", " "), headerText) {
+				hidden = false
+				break
+			}
+		}
+		columnConfigs = append(columnConfigs, table.ColumnConfig{
+			Name:   headerText,
+			Hidden: hidden,
+		})
+	}
+	return columnConfigs
+}
+
+// DisplayTable renders a table as a string. The input argument must be a slice
+// of structs. At least one field in the struct must have a `table:""` tag
+// containing the name of the column in the outputted table.
+//
+// Nested structs are processed if the field has the `table:"$NAME,recursive"`
+// tag and their fields will be named as `$PARENT_NAME $NAME`. If the tag is
+// malformed or a field is marked as recursive but does not contain a struct or
+// a pointer to a struct, this function will return an error (even with an empty
+// input slice).
+//
+// If sort is empty, the input order will be used. If filterColumns is empty or
+// nil, all available columns are included.
+func DisplayTable(out any, sort string, filterColumns []string) (string, error) {
+	v := reflect.Indirect(reflect.ValueOf(out))
+
+	if v.Kind() != reflect.Slice {
+		return "", xerrors.Errorf("DisplayTable called with a non-slice type")
+	}
+
+	// Get the list of table column headers.
+	headersRaw, err := typeToTableHeaders(v.Type().Elem())
+	if err != nil {
+		return "", xerrors.Errorf("get table headers recursively for type %q: %w", v.Type().Elem().String(), err)
+	}
+	if len(headersRaw) == 0 {
+		return "", xerrors.New(`no table headers found on the input type, make sure there is at least one "table" struct tag`)
+	}
+	headers := make(table.Row, len(headersRaw))
+	for i, header := range headersRaw {
+		headers[i] = header
+	}
+
+	// Verify that the given sort column and filter columns are valid.
+	if sort != "" || len(filterColumns) != 0 {
+		headersMap := make(map[string]string, len(headersRaw))
+		for _, header := range headersRaw {
+			headersMap[strings.ToLower(header)] = header
+		}
+
+		if sort != "" {
+			sort = strings.ToLower(strings.ReplaceAll(sort, "_", " "))
+			h, ok := headersMap[sort]
+			if !ok {
+				return "", xerrors.Errorf(`specified sort column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			sort = h
+		}
+
+		for i, column := range filterColumns {
+			column := strings.ToLower(strings.ReplaceAll(column, "_", " "))
+			h, ok := headersMap[column]
+			if !ok {
+				return "", xerrors.Errorf(`specified filter column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			filterColumns[i] = h
+		}
+	}
+
+	// Verify that the given sort column is valid.
+	if sort != "" {
+		sort = strings.ReplaceAll(sort, "_", " ")
+		found := false
+		for _, header := range headersRaw {
+			if strings.EqualFold(sort, header) {
+				found = true
+				sort = header
+				break
+			}
+		}
+		if !found {
+			return "", xerrors.Errorf("specified sort column %q not found in table headers, available columns are %q", sort, strings.Join(headersRaw, `", "`))
+		}
+	}
+
+	// Setup the table formatter.
+	tw := Table()
+	tw.AppendHeader(headers)
+	tw.SetColumnConfigs(FilterTableColumns(headers, filterColumns))
+	if sort != "" {
+		tw.SortBy([]table.SortBy{{
+			Name: sort,
+		}})
+	}
+
+	// Write each struct to the table.
+	for i := 0; i < v.Len(); i++ {
+		// Format the row as a slice.
+		rowMap, err := valueToTableMap(v.Index(i))
+		if err != nil {
+			return "", xerrors.Errorf("get table row map %v: %w", i, err)
+		}
+
+		rowSlice := make([]any, len(headers))
+		for i, h := range headersRaw {
+			v, ok := rowMap[h]
+			if !ok {
+				v = nil
+			}
+
+			// Special type formatting.
+			switch val := v.(type) {
+			case time.Time:
+				v = val.Format(time.RFC3339)
+			case *time.Time:
+				if val != nil {
+					v = val.Format(time.RFC3339)
+				}
+			case *int64:
+				if val != nil {
+					v = *val
+				}
+			case fmt.Stringer:
+				if val != nil {
+					v = val.String()
+				}
+			}
+
+			rowSlice[i] = v
+		}
+
+		tw.AppendRow(table.Row(rowSlice))
+	}
+
+	return tw.Render(), nil
+}
+
+// parseTableStructTag returns the name of the field according to the `table`
+// struct tag. If the table tag does not exist or is "-", an empty string is
+// returned. If the table tag is malformed, an error is returned.
+//
+// The returned name is transformed from "snake_case" to "normal text".
+func parseTableStructTag(field reflect.StructField) (name string, recurse bool, err error) {
+	tags, err := structtag.Parse(string(field.Tag))
+	if err != nil {
+		return "", false, xerrors.Errorf("parse struct field tag %q: %w", string(field.Tag), err)
+	}
+
+	tag, err := tags.Get("table")
+	if err != nil || tag.Name == "-" {
+		// tags.Get only returns an error if the tag is not found.
+		return "", false, nil
+	}
+
+	recursive := false
+	for _, opt := range tag.Options {
+		if opt == "recursive" {
+			recursive = true
+			continue
+		}
+
+		return "", false, xerrors.Errorf("unknown option %q in struct field tag", opt)
+	}
+
+	return strings.ReplaceAll(tag.Name, "_", " "), recursive, nil
+}
+
+func isStructOrStructPointer(t reflect.Type) bool {
+	return t.Kind() == reflect.Struct || (t.Kind() == reflect.Pointer && t.Elem().Kind() == reflect.Struct)
+}
+
+// typeToTableHeaders converts a type to a slice of column names. If the given
+// type is invalid (not a struct or a pointer to a struct, has invalid table
+// tags, etc.), an error is returned.
+func typeToTableHeaders(t reflect.Type) ([]string, error) {
+	if !isStructOrStructPointer(t) {
+		return nil, xerrors.Errorf("typeToTableHeaders called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if t.Kind() == reflect.Pointer {
+		t = t.Elem()
+	}
+
+	headers := []string{}
+	for i := 0; i < t.NumField(); i++ {
+		field := t.Field(i)
+		name, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %q: %w", field.Name, t.String(), err)
+		}
+		if name == "" {
+			continue
+		}
+
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, t.String())
+			}
+
+			childNames, err := typeToTableHeaders(fieldType)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field header names for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for _, childName := range childNames {
+				headers = append(headers, fmt.Sprintf("%s %s", name, childName))
+			}
+			continue
+		}
+
+		headers = append(headers, name)
+	}
+
+	return headers, nil
+}
+
+// valueToTableMap converts a struct to a map of column name to value. If the
+// given type is invalid (not a struct or a pointer to a struct, has invalid
+// table tags, etc.), an error is returned.
+func valueToTableMap(val reflect.Value) (map[string]any, error) {
+	if !isStructOrStructPointer(val.Type()) {
+		return nil, xerrors.Errorf("valueToTableMap called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if val.Kind() == reflect.Pointer {
+		if val.IsNil() {
+			// No data for this struct, so return an empty map. All values will
+			// be rendered as nil in the resulting table.
+			return map[string]any{}, nil
+		}
+
+		val = val.Elem()
+	}
+
+	row := map[string]any{}
+	for i := 0; i < val.NumField(); i++ {
+		field := val.Type().Field(i)
+		fieldVal := val.Field(i)
+		name, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %T: %w", field.Name, val, err)
+		}
+		if name == "" {
+			continue
+		}
+
+		// Recurse if it's a struct.
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, fieldType.String())
+			}
+
+			// valueToTableMap does nothing on pointers so we don't need to
+			// filter here.
+			childMap, err := valueToTableMap(fieldVal)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field values for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for childName, childValue := range childMap {
+				row[fmt.Sprintf("%s %s", name, childName)] = childValue
+			}
+			continue
+		}
+
+		// Otherwise, we just use the field value.
+		row[name] = val.Field(i).Interface()
+	}
+
+	return row, nil
+}
+
+// TableHeaders returns the table header names of all
+// fields in tSlice. tSlice must be a slice of some type.
+func TableHeaders(tSlice any) ([]string, error) {
+	v := reflect.Indirect(reflect.ValueOf(tSlice))
+	rawHeaders, err := typeToTableHeaders(v.Type().Elem())
+	if err != nil {
+		return nil, xerrors.Errorf("type to table headers: %w", err)
+	}
+	out := make([]string, 0, len(rawHeaders))
+	for _, hdr := range rawHeaders {
+		out = append(out, strings.Replace(hdr, " ", "_", -1))
+	}
+	return out, nil
+}
@@ -0,0 +1,374 @@
+package cliui_test
+
+import (
+	"fmt"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+type stringWrapper struct {
+	str string
+}
+
+var _ fmt.Stringer = stringWrapper{}
+
+func (s stringWrapper) String() string {
+	return s.str
+}
+
+type tableTest1 struct {
+	Name        string      `table:"name"`
+	NotIncluded string      // no table tag
+	Age         int         `table:"age"`
+	Roles       []string    `table:"roles"`
+	Sub1        tableTest2  `table:"sub_1,recursive"`
+	Sub2        *tableTest2 `table:"sub_2,recursive"`
+	Sub3        tableTest3  `table:"sub 3,recursive"`
+	Sub4        tableTest2  `table:"sub 4"` // not recursive
+
+	// Types with special formatting.
+	Time    time.Time  `table:"time"`
+	TimePtr *time.Time `table:"time_ptr"`
+}
+
+type tableTest2 struct {
+	Name        stringWrapper `table:"name"`
+	Age         int           `table:"age"`
+	NotIncluded string        `table:"-"`
+}
+
+type tableTest3 struct {
+	NotIncluded string     // no table tag
+	Sub         tableTest2 `table:"inner,recursive"`
+}
+
+func Test_DisplayTable(t *testing.T) {
+	t.Parallel()
+
+	someTime := time.Date(2022, 8, 2, 15, 49, 10, 0, time.UTC)
+	in := []tableTest1{
+		{
+			Name:  "foo",
+			Age:   10,
+			Roles: []string{"a", "b", "c"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "foo1"},
+				Age:  11,
+			},
+			Sub2: &tableTest2{
+				Name: stringWrapper{str: "foo2"},
+				Age:  12,
+			},
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "foo3"},
+					Age:  13,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "foo4"},
+				Age:  14,
+			},
+			Time:    someTime,
+			TimePtr: &someTime,
+		},
+		{
+			Name:  "bar",
+			Age:   20,
+			Roles: []string{"a"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "bar1"},
+				Age:  21,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "bar3"},
+					Age:  23,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "bar4"},
+				Age:  24,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+		{
+			Name:  "baz",
+			Age:   30,
+			Roles: nil,
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "baz1"},
+				Age:  31,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "baz3"},
+					Age:  33,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "baz4"},
+				Age:  34,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+	}
+
+	// This test tests skipping fields without table tags, recursion, pointer
+	// dereferencing, and nil pointer skipping.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME                  TIME PTR
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  2022-08-02T15:49:10Z  2022-08-02T15:49:10Z
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  2022-08-02T15:49:10Z  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  2022-08-02T15:49:10Z  <nil>
+		`
+
+		// Test with non-pointer values.
+		out, err := cliui.DisplayTable(in, "", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+
+		// Test with pointer values.
+		inPtr := make([]*tableTest1, len(in))
+		for i, v := range in {
+			v := v
+			inPtr[i] = &v
+		}
+		out, err = cliui.DisplayTable(inPtr, "", nil)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Sort", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME                  TIME PTR
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  2022-08-02T15:49:10Z  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  2022-08-02T15:49:10Z  <nil>
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  2022-08-02T15:49:10Z  2022-08-02T15:49:10Z
+		`
+
+		out, err := cliui.DisplayTable(in, "name", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Filter", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  SUB 1 NAME  SUB 3 INNER NAME  TIME
+foo   foo1        foo3              2022-08-02T15:49:10Z
+bar   bar1        bar3              2022-08-02T15:49:10Z
+baz   baz1        baz3              2022-08-02T15:49:10Z
+		`
+
+		out, err := cliui.DisplayTable(in, "", []string{"name", "sub_1_name", "sub_3 inner name", "time"})
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	// This test ensures that safeties against invalid use of `table` tags
+	// causes errors (even without data).
+	t.Run("Errors", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("NotSlice", func(t *testing.T) {
+			t.Parallel()
+
+			var in string
+			_, err := cliui.DisplayTable(in, "", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadSortColumn", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "bad_column_does_not_exist", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadFilterColumns", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "", []string{"name", "bad_column_does_not_exist"})
+			require.Error(t, err)
+		})
+
+		t.Run("Interfaces", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []any
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []any{tableTest1{}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NotStruct", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []string
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []string{"foo", "bar", "baz"}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NoTableTags", func(t *testing.T) {
+			t.Parallel()
+
+			type noTableTagsTest struct {
+				Field string `json:"field"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noTableTagsTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noTableTagsTest{{Field: "hi"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/NoName", func(t *testing.T) {
+			t.Parallel()
+
+			type noNameTest struct {
+				Field string `table:""`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noNameTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noNameTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/BadSyntax", func(t *testing.T) {
+			t.Parallel()
+
+			type invalidSyntaxTest struct {
+				Field string `table:"asda,asdjada"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []invalidSyntaxTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []invalidSyntaxTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+	})
+}
+
+func Test_TableHeaders(t *testing.T) {
+	t.Parallel()
+	s := []tableTest1{}
+	expectedFields := []string{
+		"name",
+		"age",
+		"roles",
+		"sub_1_name",
+		"sub_1_age",
+		"sub_2_name",
+		"sub_2_age",
+		"sub_3_inner_name",
+		"sub_3_inner_age",
+		"sub_4",
+		"time",
+		"time_ptr",
+	}
+	headers, err := cliui.TableHeaders(s)
+	require.NoError(t, err)
+	require.EqualValues(t, expectedFields, headers)
+}
+
+// compareTables normalizes the incoming table lines
+func compareTables(t *testing.T, expected, out string) {
+	t.Helper()
+
+	expectedLines := strings.Split(strings.TrimSpace(expected), "\n")
+	gotLines := strings.Split(strings.TrimSpace(out), "\n")
+	assert.Equal(t, len(expectedLines), len(gotLines), "expected line count does not match generated line count")
+
+	// Map the expected and got lines to normalize them.
+	expectedNormalized := make([]string, len(expectedLines))
+	gotNormalized := make([]string, len(gotLines))
+	normalizeLine := func(s string) string {
+		return strings.Join(strings.Fields(strings.TrimSpace(s)), " ")
+	}
+	for i, s := range expectedLines {
+		expectedNormalized[i] = normalizeLine(s)
+	}
+	for i, s := range gotLines {
+		gotNormalized[i] = normalizeLine(s)
+	}
+
+	require.Equal(t, expectedNormalized, gotNormalized, "expected lines to match generated lines")
+}
@@ -6,6 +6,10 @@ import (
 	"path/filepath"
 )

+const (
+	FlagName = "global-config"
+)
+
 // Root represents the configuration directory.
 type Root string

@@ -13,6 +17,11 @@ func (r Root) Session() File {
 	return File(filepath.Join(string(r), "session"))
 }

+// ReplicaID is a unique identifier for the Coder server.
+func (r Root) ReplicaID() File {
+	return File(filepath.Join(string(r), "replica_id"))
+}
+
 func (r Root) URL() File {
 	return File(filepath.Join(string(r), "url"))
 }
@@ -21,6 +30,26 @@ func (r Root) Organization() File {
 	return File(filepath.Join(string(r), "organization"))
 }

+func (r Root) DotfilesURL() File {
+	return File(filepath.Join(string(r), "dotfilesurl"))
+}
+
+func (r Root) PostgresPath() string {
+	return filepath.Join(string(r), "postgres")
+}
+
+func (r Root) PostgresPassword() File {
+	return File(filepath.Join(r.PostgresPath(), "password"))
+}
+
+func (r Root) PostgresPort() File {
+	return File(filepath.Join(r.PostgresPath(), "port"))
+}
+
+func (r Root) DeploymentConfigPath() string {
+	return filepath.Join(string(r), "server.yaml")
+}
+
 // File provides convenience methods for interacting with *os.File.
 type File string

@@ -0,0 +1,25 @@
+# Coder Server Configuration
+
+# Automatically authenticate HTTP(s) Git requests.
+gitauth:
+# Supported: azure-devops, bitbucket, github, gitlab
+# - type: github
+#   client_id: xxxxxx
+#   client_secret: xxxxxx
+
+# Multiple providers are an Enterprise feature.
+# Contact sales@coder.com for a license.
+#
+# If multiple providers are used, a unique "id"
+# must be provided for each one.
+# - id: example
+#   type: azure-devops
+#   client_id: xxxxxxx
+#   client_secret: xxxxxxx
+# A custom regex can be used to match a specific
+# repository or organization to limit auth scope.
+#   regex: github.com/coder
+# Custom authentication and token URLs should be
+# used for self-managed Git provider deployments.
+#   auth_url: https://example.com/oauth/authorize
+#   token_url: https://example.com/oauth/token
@@ -1,15 +1,24 @@
 package cli

 import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
 	"fmt"
+	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"runtime"
+	"sort"
 	"strings"
-	"sync"

 	"github.com/cli/safeexec"
+	"github.com/pkg/diff"
+	"github.com/pkg/diff/write"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sync/errgroup"
 	"golang.org/x/xerrors"

@@ -18,111 +27,522 @@ import (
 	"github.com/coder/coder/codersdk"
 )

-const sshStartToken = "# ------------START-CODER-----------"
-const sshStartMessage = `# This was generated by "coder config-ssh".
+const (
+	sshDefaultConfigFileName = "~/.ssh/config"
+	sshStartToken            = "# ------------START-CODER-----------"
+	sshEndToken              = "# ------------END-CODER------------"
+	sshConfigSectionHeader   = "# This section is managed by coder. DO NOT EDIT."
+	sshConfigDocsHeader      = `
 #
-# To remove this blob, run:
-#
-#    coder config-ssh --remove
-#
-# You should not hand-edit this section, unless you are deleting it.`
-const sshEndToken = "# ------------END-CODER------------"
+# You should not hand-edit this section unless you are removing it, all
+# changes will be lost when running "coder config-ssh".
+`
+	sshConfigOptionsHeader = `#
+# Last config-ssh options:
+`
+)
+
+// sshConfigOptions represents options that can be stored and read
+// from the coder config in ~/.ssh/coder.
+type sshConfigOptions struct {
+	sshOptions []string
+}
+
+func (o sshConfigOptions) equal(other sshConfigOptions) bool {
+	// Compare without side-effects or regard to order.
+	opt1 := slices.Clone(o.sshOptions)
+	sort.Strings(opt1)
+	opt2 := slices.Clone(other.sshOptions)
+	sort.Strings(opt2)
+	return slices.Equal(opt1, opt2)
+}
+
+func (o sshConfigOptions) asList() (list []string) {
+	for _, opt := range o.sshOptions {
+		list = append(list, fmt.Sprintf("ssh-option: %s", opt))
+	}
+	return list
+}
+
+type sshWorkspaceConfig struct {
+	Name  string
+	Hosts []string
+}
+
+func sshFetchWorkspaceConfigs(ctx context.Context, client *codersdk.Client) ([]sshWorkspaceConfig, error) {
+	res, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
+		Owner: codersdk.Me,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var errGroup errgroup.Group
+	workspaceConfigs := make([]sshWorkspaceConfig, len(res.Workspaces))
+	for i, workspace := range res.Workspaces {
+		i := i
+		workspace := workspace
+		errGroup.Go(func() error {
+			resources, err := client.TemplateVersionResources(ctx, workspace.LatestBuild.TemplateVersionID)
+			if err != nil {
+				return err
+			}
+
+			wc := sshWorkspaceConfig{Name: workspace.Name}
+			var agents []codersdk.WorkspaceAgent
+			for _, resource := range resources {
+				if resource.Transition != codersdk.WorkspaceTransitionStart {
+					continue
+				}
+				agents = append(agents, resource.Agents...)
+			}
+
+			// handle both WORKSPACE and WORKSPACE.AGENT syntax
+			if len(agents) == 1 {
+				wc.Hosts = append(wc.Hosts, workspace.Name)
+			}
+			for _, agent := range agents {
+				hostname := workspace.Name + "." + agent.Name
+				wc.Hosts = append(wc.Hosts, hostname)
+			}
+
+			workspaceConfigs[i] = wc
+
+			return nil
+		})
+	}
+	err = errGroup.Wait()
+	if err != nil {
+		return nil, err
+	}
+
+	return workspaceConfigs, nil
+}
+
+func sshPrepareWorkspaceConfigs(ctx context.Context, client *codersdk.Client) (receive func() ([]sshWorkspaceConfig, error)) {
+	wcC := make(chan []sshWorkspaceConfig, 1)
+	errC := make(chan error, 1)
+	go func() {
+		wc, err := sshFetchWorkspaceConfigs(ctx, client)
+		wcC <- wc
+		errC <- err
+	}()
+	return func() ([]sshWorkspaceConfig, error) {
+		return <-wcC, <-errC
+	}
+}

 func configSSH() *cobra.Command {
 	var (
-		sshConfigFile string
+		sshConfigFile    string
+		sshConfigOpts    sshConfigOptions
+		usePreviousOpts  bool
+		dryRun           bool
+		skipProxyCommand bool
 	)
 	cmd := &cobra.Command{
-		Use: "config-ssh",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+		Annotations: workspaceCommand,
+		Use:         "config-ssh",
+		Short:       "Add an SSH Host entry for your workspaces \"ssh coder.workspace\"",
+		Example: formatExamples(
+			example{
+				Description: "You can use -o (or --ssh-option) so set SSH options to be used for all your workspaces",
+				Command:     "coder config-ssh -o ForwardAgent=yes",
+			},
+			example{
+				Description: "You can use --dry-run (or -n) to see the changes that would be made",
+				Command:     "coder config-ssh --dry-run",
+			},
+		),
+		Args: cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
+
+			recvWorkspaceConfigs := sshPrepareWorkspaceConfigs(cmd.Context(), client)
+
+			out := cmd.OutOrStdout()
+			if dryRun {
+				// Print everything except diff to stderr so
+				// that it's possible to capture the diff.
+				out = cmd.OutOrStderr()
+			}
+			coderBinary, err := currentBinPath(out)
+			if err != nil {
+				return err
+			}
+			escapedCoderBinary, err := sshConfigExecEscape(coderBinary)
+			if err != nil {
+				return xerrors.Errorf("escape coder binary for ssh failed: %w", err)
+			}
+
+			root := createConfig(cmd)
+			escapedGlobalConfig, err := sshConfigExecEscape(string(root))
+			if err != nil {
+				return xerrors.Errorf("escape global config for ssh failed: %w", err)
+			}
+
+			homedir, err := os.UserHomeDir()
+			if err != nil {
+				return xerrors.Errorf("user home dir failed: %w", err)
+			}
+
 			if strings.HasPrefix(sshConfigFile, "~/") {
-				dirname, _ := os.UserHomeDir()
-				sshConfigFile = filepath.Join(dirname, sshConfigFile[2:])
-			}
-			// Doesn't matter if this fails, because we write the file anyways.
-			sshConfigContentRaw, _ := os.ReadFile(sshConfigFile)
-			sshConfigContent := string(sshConfigContentRaw)
-			startIndex := strings.Index(sshConfigContent, sshStartToken)
-			endIndex := strings.Index(sshConfigContent, sshEndToken)
-			if startIndex != -1 && endIndex != -1 {
-				sshConfigContent = sshConfigContent[:startIndex-1] + sshConfigContent[endIndex+len(sshEndToken):]
+				sshConfigFile = filepath.Join(homedir, sshConfigFile[2:])
 			}

-			workspaces, err := client.WorkspacesByUser(cmd.Context(), "")
-			if err != nil {
-				return err
-			}
-			if len(workspaces) == 0 {
-				return xerrors.New("You don't have any workspaces!")
-			}
-			binPath, err := currentBinPath(cmd)
-			if err != nil {
-				return err
+			// Only allow not-exist errors to avoid trashing
+			// the users SSH config.
+			configRaw, err := os.ReadFile(sshConfigFile)
+			if err != nil && !errors.Is(err, fs.ErrNotExist) {
+				return xerrors.Errorf("read ssh config failed: %w", err)
 			}

-			sshConfigContent += "\n" + sshStartToken + "\n" + sshStartMessage + "\n\n"
-			sshConfigContentMutex := sync.Mutex{}
-			var errGroup errgroup.Group
-			for _, workspace := range workspaces {
-				workspace := workspace
-				errGroup.Go(func() error {
-					resources, err := client.WorkspaceResourcesByBuild(cmd.Context(), workspace.LatestBuild.ID)
-					if err != nil {
-						return err
-					}
-					resourcesWithAgents := make([]codersdk.WorkspaceResource, 0)
-					for _, resource := range resources {
-						if resource.Agent == nil {
-							continue
-						}
-						resourcesWithAgents = append(resourcesWithAgents, resource)
-					}
-					sshConfigContentMutex.Lock()
-					defer sshConfigContentMutex.Unlock()
-					if len(resourcesWithAgents) == 1 {
-						sshConfigContent += strings.Join([]string{
-							"Host coder." + workspace.Name,
-							"\tHostName coder." + workspace.Name,
-							fmt.Sprintf("\tProxyCommand %q ssh --stdio %s", binPath, workspace.Name),
-							"\tConnectTimeout=0",
-							"\tStrictHostKeyChecking=no",
-						}, "\n") + "\n"
-					}
+			// Keep track of changes we are making.
+			var changes []string

-					return nil
+			// Parse the previous configuration only if config-ssh
+			// has been run previously.
+			var lastConfig *sshConfigOptions
+			if section, ok := sshConfigGetCoderSection(configRaw); ok {
+				c := sshConfigParseLastOptions(bytes.NewReader(section))
+				lastConfig = &c
+			}
+
+			// Avoid prompting in diff mode (unexpected behavior)
+			// or when a previous config does not exist.
+			if usePreviousOpts && lastConfig != nil {
+				sshConfigOpts = *lastConfig
+			} else if lastConfig != nil && !sshConfigOpts.equal(*lastConfig) {
+				newOpts := sshConfigOpts.asList()
+				newOptsMsg := "\n\n  New options: none"
+				if len(newOpts) > 0 {
+					newOptsMsg = fmt.Sprintf("\n\n  New options:\n    * %s", strings.Join(newOpts, "\n    * "))
+				}
+				oldOpts := lastConfig.asList()
+				oldOptsMsg := "\n\n  Previous options: none"
+				if len(oldOpts) > 0 {
+					oldOptsMsg = fmt.Sprintf("\n\n  Previous options:\n    * %s", strings.Join(oldOpts, "\n    * "))
+				}
+
+				line, err := cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("New options differ from previous options:%s%s\n\n  Use new options?", newOptsMsg, oldOptsMsg),
+					IsConfirm: true,
 				})
+				if err != nil {
+					if line == "" && xerrors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					// Selecting "no" will use the last config.
+					sshConfigOpts = *lastConfig
+				} else {
+					changes = append(changes, "Use new SSH options")
+				}
+				// Only print when prompts are shown.
+				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
+					_, _ = fmt.Fprint(out, "\n")
+				}
 			}
-			err = errGroup.Wait()
+
+			configModified := configRaw
+
+			buf := &bytes.Buffer{}
+			before, after := sshConfigSplitOnCoderSection(configModified)
+			// Write the first half of the users config file to buf.
+			_, _ = buf.Write(before)
+
+			// Write comment and store the provided options as part
+			// of the config for future (re)use.
+			newline := len(before) > 0
+			sshConfigWriteSectionHeader(buf, newline, sshConfigOpts)
+
+			workspaceConfigs, err := recvWorkspaceConfigs()
 			if err != nil {
-				return err
+				return xerrors.Errorf("fetch workspace configs failed: %w", err)
 			}
-			sshConfigContent += "\n" + sshEndToken
-			err = os.MkdirAll(filepath.Dir(sshConfigFile), os.ModePerm)
-			if err != nil {
-				return err
+			// Ensure stable sorting of output.
+			slices.SortFunc(workspaceConfigs, func(a, b sshWorkspaceConfig) bool {
+				return a.Name < b.Name
+			})
+			for _, wc := range workspaceConfigs {
+				sort.Strings(wc.Hosts)
+				// Write agent configuration.
+				for _, hostname := range wc.Hosts {
+					configOptions := []string{
+						"Host coder." + hostname,
+					}
+					for _, option := range sshConfigOpts.sshOptions {
+						configOptions = append(configOptions, "\t"+option)
+					}
+					configOptions = append(configOptions,
+						"\tHostName coder."+hostname,
+						"\tConnectTimeout=0",
+						"\tStrictHostKeyChecking=no",
+						// Without this, the "REMOTE HOST IDENTITY CHANGED"
+						// message will appear.
+						"\tUserKnownHostsFile=/dev/null",
+						// This disables the "Warning: Permanently added 'hostname' (RSA) to the list of known hosts."
+						// message from appearing on every SSH. This happens because we ignore the known hosts.
+						"\tLogLevel ERROR",
+					)
+					if !skipProxyCommand {
+						configOptions = append(
+							configOptions,
+							fmt.Sprintf(
+								"\tProxyCommand %s --global-config %s ssh --stdio %s",
+								escapedCoderBinary, escapedGlobalConfig, hostname,
+							),
+						)
+					}
+
+					_, _ = buf.WriteString(strings.Join(configOptions, "\n"))
+					_ = buf.WriteByte('\n')
+				}
 			}
-			err = os.WriteFile(sshConfigFile, []byte(sshConfigContent), os.ModePerm)
-			if err != nil {
-				return err
+
+			sshConfigWriteSectionEnd(buf)
+
+			// Write the remainder of the users config file to buf.
+			_, _ = buf.Write(after)
+
+			if !bytes.Equal(configModified, buf.Bytes()) {
+				changes = append(changes, fmt.Sprintf("Update the coder section in %s", sshConfigFile))
+				configModified = buf.Bytes()
+			}
+
+			if len(changes) == 0 {
+				_, _ = fmt.Fprintf(out, "No changes to make.\n")
+				return nil
+			}
+
+			if dryRun {
+				_, _ = fmt.Fprintf(out, "Dry run, the following changes would be made to your SSH configuration:\n\n  * %s\n\n", strings.Join(changes, "\n  * "))
+
+				color := isTTYOut(cmd)
+				diff, err := diffBytes(sshConfigFile, configRaw, configModified, color)
+				if err != nil {
+					return xerrors.Errorf("diff failed: %w", err)
+				}
+				if len(diff) > 0 {
+					// Write diff to stdout.
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s", diff)
+				}
+
+				return nil
+			}
+
+			if len(changes) > 0 {
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("The following changes will be made to your SSH configuration:\n\n    * %s\n\n  Continue?", strings.Join(changes, "\n    * ")),
+					IsConfirm: true,
+				})
+				if err != nil {
+					return nil
+				}
+				// Only print when prompts are shown.
+				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
+					_, _ = fmt.Fprint(out, "\n")
+				}
+			}
+
+			if !bytes.Equal(configRaw, configModified) {
+				err = writeWithTempFileAndMove(sshConfigFile, bytes.NewReader(configModified))
+				if err != nil {
+					return xerrors.Errorf("write ssh config failed: %w", err)
+				}
+			}
+
+			if len(workspaceConfigs) > 0 {
+				_, _ = fmt.Fprintln(out, "You should now be able to ssh into your workspace.")
+				_, _ = fmt.Fprintf(out, "For example, try running:\n\n\t$ ssh coder.%s\n", workspaceConfigs[0].Name)
+			} else {
+				_, _ = fmt.Fprint(out, "You don't have any workspaces yet, try creating one with:\n\n\t$ coder create <workspace>\n")
 			}
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "An auto-generated ssh config was written to %q\n", sshConfigFile)
-			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "You should now be able to ssh into your workspace")
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "For example, try running\n\n\t$ ssh coder.%s\n\n", workspaces[0].Name)
 			return nil
 		},
 	}
-	cliflag.StringVarP(cmd.Flags(), &sshConfigFile, "ssh-config-file", "", "CODER_SSH_CONFIG_FILE", "~/.ssh/config", "Specifies the path to an SSH config.")
+	cliflag.StringVarP(cmd.Flags(), &sshConfigFile, "ssh-config-file", "", "CODER_SSH_CONFIG_FILE", sshDefaultConfigFileName, "Specifies the path to an SSH config.")
+	cmd.Flags().StringArrayVarP(&sshConfigOpts.sshOptions, "ssh-option", "o", []string{}, "Specifies additional SSH options to embed in each host stanza.")
+	cmd.Flags().BoolVarP(&dryRun, "dry-run", "n", false, "Perform a trial run with no changes made, showing a diff at the end.")
+	cmd.Flags().BoolVarP(&skipProxyCommand, "skip-proxy-command", "", false, "Specifies whether the ProxyCommand option should be skipped. Useful for testing.")
+	_ = cmd.Flags().MarkHidden("skip-proxy-command")
+	cliflag.BoolVarP(cmd.Flags(), &usePreviousOpts, "use-previous-options", "", "CODER_SSH_USE_PREVIOUS_OPTIONS", false, "Specifies whether or not to keep options from previous run of config-ssh.")
+	cliui.AllowSkipPrompt(cmd)

 	return cmd
 }

+//nolint:revive
+func sshConfigWriteSectionHeader(w io.Writer, addNewline bool, o sshConfigOptions) {
+	nl := "\n"
+	if !addNewline {
+		nl = ""
+	}
+	_, _ = fmt.Fprint(w, nl+sshStartToken+"\n")
+	_, _ = fmt.Fprint(w, sshConfigSectionHeader)
+	_, _ = fmt.Fprint(w, sshConfigDocsHeader)
+	if len(o.sshOptions) > 0 {
+		_, _ = fmt.Fprint(w, sshConfigOptionsHeader)
+		for _, opt := range o.sshOptions {
+			_, _ = fmt.Fprintf(w, "# :%s=%s\n", "ssh-option", opt)
+		}
+	}
+	_, _ = fmt.Fprint(w, "#\n")
+}
+
+func sshConfigWriteSectionEnd(w io.Writer) {
+	_, _ = fmt.Fprint(w, sshEndToken+"\n")
+}
+
+func sshConfigParseLastOptions(r io.Reader) (o sshConfigOptions) {
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		if strings.HasPrefix(line, "# :") {
+			line = strings.TrimPrefix(line, "# :")
+			parts := strings.SplitN(line, "=", 2)
+			switch parts[0] {
+			case "ssh-option":
+				o.sshOptions = append(o.sshOptions, parts[1])
+			default:
+				// Unknown option, ignore.
+			}
+		}
+	}
+	if err := s.Err(); err != nil {
+		panic(err)
+	}
+
+	return o
+}
+
+func sshConfigGetCoderSection(data []byte) (section []byte, ok bool) {
+	startIndex := bytes.Index(data, []byte(sshStartToken))
+	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex != -1 && endIndex != -1 {
+		return data[startIndex : endIndex+len(sshEndToken)], true
+	}
+	return nil, false
+}
+
+// sshConfigSplitOnCoderSection splits the SSH config into two sections,
+// before contains the lines before sshStartToken and after contains the
+// lines after sshEndToken.
+func sshConfigSplitOnCoderSection(data []byte) (before, after []byte) {
+	startIndex := bytes.Index(data, []byte(sshStartToken))
+	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex != -1 && endIndex != -1 {
+		// We use -1 and +1 here to also include the preceding
+		// and trailing newline, where applicable.
+		start := startIndex
+		if start > 0 {
+			start--
+		}
+		end := endIndex + len(sshEndToken)
+		if end < len(data) {
+			end++
+		}
+		return data[:start], data[end:]
+	}
+
+	return data, nil
+}
+
+// writeWithTempFileAndMove writes to a temporary file in the same
+// directory as path and renames the temp file to the file provided in
+// path. This ensure we avoid trashing the file we are writing due to
+// unforeseen circumstance like filesystem full, command killed, etc.
+func writeWithTempFileAndMove(path string, r io.Reader) (err error) {
+	dir := filepath.Dir(path)
+	name := filepath.Base(path)
+
+	// Ensure that e.g. the ~/.ssh directory exists.
+	if err = os.MkdirAll(dir, 0o700); err != nil {
+		return xerrors.Errorf("create directory: %w", err)
+	}
+
+	// Create a tempfile in the same directory for ensuring write
+	// operation does not fail.
+	f, err := os.CreateTemp(dir, fmt.Sprintf(".%s.", name))
+	if err != nil {
+		return xerrors.Errorf("create temp file failed: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			_ = os.Remove(f.Name()) // Cleanup in case a step failed.
+		}
+	}()
+
+	_, err = io.Copy(f, r)
+	if err != nil {
+		_ = f.Close()
+		return xerrors.Errorf("write temp file failed: %w", err)
+	}
+
+	err = f.Close()
+	if err != nil {
+		return xerrors.Errorf("close temp file failed: %w", err)
+	}
+
+	err = os.Rename(f.Name(), path)
+	if err != nil {
+		return xerrors.Errorf("rename temp file failed: %w", err)
+	}
+
+	return nil
+}
+
+// sshConfigExecEscape quotes the string if it contains spaces, as per
+// `man 5 ssh_config`. However, OpenSSH uses exec in the users shell to
+// run the command, and as such the formatting/escape requirements
+// cannot simply be covered by `fmt.Sprintf("%q", path)`.
+//
+// Always escaping the path with `fmt.Sprintf("%q", path)` usually works
+// on most platforms, but double quotes sometimes break on Windows 10
+// (see #2853). This function takes a best-effort approach to improving
+// compatibility and covering edge cases.
+//
+// Given the following ProxyCommand:
+//
+//	ProxyCommand "/path/with space/coder" ssh --stdio work
+//
+// This is ~what OpenSSH would execute:
+//
+//	/bin/bash -c '"/path/with space/to/coder" ssh --stdio workspace'
+//
+// However, since it's actually an arg in C, the contents inside the
+// single quotes are interpreted as is, e.g. if there was a '\t', it
+// would be the literal string '\t', not a tab.
+//
+// See:
+//   - https://github.com/coder/coder/issues/2853
+//   - https://github.com/openssh/openssh-portable/blob/V_9_0_P1/sshconnect.c#L158-L167
+//   - https://github.com/PowerShell/openssh-portable/blob/v8.1.0.0/sshconnect.c#L231-L293
+//   - https://github.com/PowerShell/openssh-portable/blob/v8.1.0.0/contrib/win32/win32compat/w32fd.c#L1075-L1100
+func sshConfigExecEscape(path string) (string, error) {
+	// This is unlikely to ever happen, but newlines are allowed on
+	// certain filesystems, but cannot be used inside ssh config.
+	if strings.ContainsAny(path, "\n") {
+		return "", xerrors.Errorf("invalid path: %s", path)
+	}
+	// In the unlikely even that a path contains quotes, they must be
+	// escaped so that they are not interpreted as shell quotes.
+	if strings.Contains(path, "\"") {
+		path = strings.ReplaceAll(path, "\"", "\\\"")
+	}
+	// A space or a tab requires quoting, but tabs must not be escaped
+	// (\t) since OpenSSH interprets it as a literal \t, not a tab.
+	if strings.ContainsAny(path, " \t") {
+		path = fmt.Sprintf("\"%s\"", path) //nolint:gocritic // We don't want %q here.
+	}
+	return path, nil
+}
+
 // currentBinPath returns the path to the coder binary suitable for use in ssh
 // ProxyCommand.
-func currentBinPath(cmd *cobra.Command) (string, error) {
+func currentBinPath(w io.Writer) (string, error) {
 	exePath, err := os.Executable()
 	if err != nil {
 		return "", xerrors.Errorf("get executable path: %w", err)
@@ -138,11 +558,12 @@ func currentBinPath(cmd *cobra.Command) (string, error) {
 	// correctly. Check if the current executable is in $PATH, and warn the user
 	// if it isn't.
 	if err != nil && runtime.GOOS == "windows" {
-		cliui.Warn(cmd.OutOrStdout(),
+		cliui.Warn(w,
 			"The current executable is not in $PATH.",
 			"This may lead to problems connecting to your workspace via SSH.",
 			fmt.Sprintf("Please move %q to a location in your $PATH (such as System32) and run `%s config-ssh` again.", binName, binName),
 		)
+		_, _ = fmt.Fprint(w, "\n")
 		// Return the exePath so SSH at least works outside of Msys2.
 		return exePath, nil
 	}
@@ -150,13 +571,39 @@ func currentBinPath(cmd *cobra.Command) (string, error) {
 	// Warn the user if the current executable is not the same as the one in
 	// $PATH.
 	if filepath.Clean(pathPath) != filepath.Clean(exePath) {
-		cliui.Warn(cmd.OutOrStdout(),
+		cliui.Warn(w,
 			"The current executable path does not match the executable path found in $PATH.",
 			"This may cause issues connecting to your workspace via SSH.",
 			fmt.Sprintf("\tCurrent executable path: %q", exePath),
 			fmt.Sprintf("\tExecutable path in $PATH: %q", pathPath),
 		)
+		_, _ = fmt.Fprint(w, "\n")
 	}

-	return binName, nil
+	return exePath, nil
+}
+
+// diffBytes takes two byte slices and diffs them as if they were in a
+// file named name.
+// nolint: revive // Color is an option, not a control coupling.
+func diffBytes(name string, b1, b2 []byte, color bool) ([]byte, error) {
+	var buf bytes.Buffer
+	var opts []write.Option
+	if color {
+		opts = append(opts, write.TerminalColor())
+	}
+	err := diff.Text(name, name, b1, b2, &buf, opts...)
+	if err != nil {
+		return nil, err
+	}
+	b := buf.Bytes()
+	// Check if diff only output two lines, if yes, there's no diff.
+	//
+	// Example:
+	// 	--- /home/user/.ssh/config
+	// 	+++ /home/user/.ssh/config
+	if bytes.Count(b, []byte{'\n'}) == 2 {
+		b = nil
+	}
+	return b, nil
 }
@@ -0,0 +1,62 @@
+package cli
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// This test tries to mimic the behavior of OpenSSH
+// when executing e.g. a ProxyCommand.
+func Test_sshConfigExecEscape(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		path    string
+		wantErr bool
+		windows bool
+	}{
+		{"no spaces", "simple", false, true},
+		{"spaces", "path with spaces", false, true},
+		{"quotes", "path with \"quotes\"", false, false},
+		{"backslashes", "path with \\backslashes", false, false},
+		{"tabs", "path with \ttabs", false, false},
+		{"newline fails", "path with \nnewline", true, false},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			if runtime.GOOS == "windows" {
+				t.Skip("Windows doesn't typically execute via /bin/sh or cmd.exe, so this test is not applicable.")
+			}
+
+			dir := filepath.Join(t.TempDir(), tt.path)
+			err := os.MkdirAll(dir, 0o755)
+			require.NoError(t, err)
+			bin := filepath.Join(dir, "coder")
+			contents := []byte("#!/bin/sh\necho yay\n")
+			err = os.WriteFile(bin, contents, 0o755) //nolint:gosec
+			require.NoError(t, err)
+
+			escaped, err := sshConfigExecEscape(bin)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			b, err := exec.Command("/bin/sh", "-c", escaped).CombinedOutput() //nolint:gosec
+			require.NoError(t, err)
+			got := strings.TrimSpace(string(b))
+			require.Equal(t, "yay", got)
+		})
+	}
+}
@@ -1,41 +1,736 @@
 package cli_test

 import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"net"
 	"os"
+	"os/exec"
+	"path/filepath"
+	"strconv"
+	"strings"
+	"sync"
 	"testing"

+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog/sloggers/slogtest"
+
+	"github.com/coder/coder/agent"
 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/pty/ptytest"
-	"github.com/stretchr/testify/require"
+	"github.com/coder/coder/testutil"
 )

+func sshConfigFileName(t *testing.T) (sshConfig string) {
+	t.Helper()
+	tmpdir := t.TempDir()
+	dotssh := filepath.Join(tmpdir, ".ssh")
+	err := os.Mkdir(dotssh, 0o700)
+	require.NoError(t, err)
+	n := filepath.Join(dotssh, "config")
+	return n
+}
+
+func sshConfigFileCreate(t *testing.T, name string, data io.Reader) {
+	t.Helper()
+	t.Logf("Writing %s", name)
+	f, err := os.Create(name)
+	require.NoError(t, err)
+	n, err := io.Copy(f, data)
+	t.Logf("Wrote %d", n)
+	require.NoError(t, err)
+	err = f.Close()
+	require.NoError(t, err)
+}
+
+func sshConfigFileRead(t *testing.T, name string) string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+	return string(b)
+}
+
 func TestConfigSSH(t *testing.T) {
 	t.Parallel()
-	t.Run("Create", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
-		version := coderdtest.CreateProjectVersion(t, client, user.OrganizationID, nil)
-		coderdtest.AwaitProjectVersionJob(t, client, version.ID)
-		project := coderdtest.CreateProject(t, client, user.OrganizationID, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, "", project.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-		tempFile, err := os.CreateTemp(t.TempDir(), "")
-		require.NoError(t, err)
-		_ = tempFile.Close()
-		cmd, root := clitest.New(t, "config-ssh", "--ssh-config-file", tempFile.Name())
-		clitest.SetupConfig(t, client, root)
-		doneChan := make(chan struct{})
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		go func() {
-			defer close(doneChan)
-			err := cmd.Execute()
-			require.NoError(t, err)
-		}()
-		<-doneChan
+
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	user := coderdtest.CreateFirstUser(t, client)
+	authToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse: echo.ParseComplete,
+		ProvisionPlan: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "example",
+						Type: "aws_instance",
+						Agents: []*proto.Agent{{
+							Id:   uuid.NewString(),
+							Name: "example",
+						}},
+					}},
+				},
+			},
+		}},
+		ProvisionApply: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "example",
+						Type: "aws_instance",
+						Agents: []*proto.Agent{{
+							Id:   uuid.NewString(),
+							Name: "example",
+							Auth: &proto.Agent_Token{
+								Token: authToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
 	})
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+	agentClient := codersdk.New(client.URL)
+	agentClient.SetSessionToken(authToken)
+	agentCloser := agent.New(agent.Options{
+		Client: agentClient,
+		Logger: slogtest.Make(t, nil).Named("agent"),
+	})
+	defer func() {
+		_ = agentCloser.Close()
+	}()
+	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+	agentConn, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
+	require.NoError(t, err)
+	defer agentConn.Close()
+
+	listener, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+	defer func() {
+		_ = listener.Close()
+	}()
+	copyDone := make(chan struct{})
+	go func() {
+		defer close(copyDone)
+		var wg sync.WaitGroup
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				break
+			}
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			ssh, err := agentConn.SSH(ctx)
+			cancel()
+			assert.NoError(t, err)
+			wg.Add(2)
+			go func() {
+				defer wg.Done()
+				_, _ = io.Copy(conn, ssh)
+			}()
+			go func() {
+				defer wg.Done()
+				_, _ = io.Copy(ssh, conn)
+			}()
+		}
+		wg.Wait()
+	}()
+
+	sshConfigFile := sshConfigFileName(t)
+
+	tcpAddr, valid := listener.Addr().(*net.TCPAddr)
+	require.True(t, valid)
+	cmd, root := clitest.New(t, "config-ssh",
+		"--ssh-option", "HostName "+tcpAddr.IP.String(),
+		"--ssh-option", "Port "+strconv.Itoa(tcpAddr.Port),
+		"--ssh-config-file", sshConfigFile,
+		"--skip-proxy-command")
+	clitest.SetupConfig(t, client, root)
+	doneChan := make(chan struct{})
+	pty := ptytest.New(t)
+	cmd.SetIn(pty.Input())
+	cmd.SetOut(pty.Output())
+	go func() {
+		defer close(doneChan)
+		err := cmd.Execute()
+		assert.NoError(t, err)
+	}()
+
+	matches := []struct {
+		match, write string
+	}{
+		{match: "Continue?", write: "yes"},
+	}
+	for _, m := range matches {
+		pty.ExpectMatch(m.match)
+		pty.WriteLine(m.write)
+	}
+
+	<-doneChan
+
+	home := filepath.Dir(filepath.Dir(sshConfigFile))
+	// #nosec
+	sshCmd := exec.Command("ssh", "-F", sshConfigFile, "coder."+workspace.Name, "echo", "test")
+	pty = ptytest.New(t)
+	// Set HOME because coder config is included from ~/.ssh/coder.
+	sshCmd.Env = append(sshCmd.Env, fmt.Sprintf("HOME=%s", home))
+	sshCmd.Stderr = pty.Output()
+	data, err := sshCmd.Output()
+	require.NoError(t, err)
+	require.Equal(t, "test", strings.TrimSpace(string(data)))
+
+	_ = listener.Close()
+	<-copyDone
+}
+
+func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
+	t.Parallel()
+
+	headerStart := strings.Join([]string{
+		"# ------------START-CODER-----------",
+		"# This section is managed by coder. DO NOT EDIT.",
+		"#",
+		"# You should not hand-edit this section unless you are removing it, all",
+		"# changes will be lost when running \"coder config-ssh\".",
+		"#",
+	}, "\n")
+	headerEnd := "# ------------END-CODER------------"
+	baseHeader := strings.Join([]string{
+		headerStart,
+		headerEnd,
+	}, "\n")
+
+	type writeConfig struct {
+		ssh string
+	}
+	type wantConfig struct {
+		ssh string
+	}
+	type match struct {
+		match, write string
+	}
+	tests := []struct {
+		name        string
+		args        []string
+		matches     []match
+		writeConfig writeConfig
+		wantConfig  wantConfig
+		wantErr     bool
+	}{
+		{
+			name: "Config file is created",
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+		},
+		{
+			name: "Section is written after user content",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Section is not moved on re-run",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+		},
+		{
+			name: "Section is not moved on re-run with new options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--ssh-option", "ForwardAgent=yes",
+			},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Adds newline at EOF",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Do not prompt for new options on first run",
+			writeConfig: writeConfig{
+				ssh: "",
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Prompt for new options when there are no previous options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Prompt for new options when there are previous options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "No prompt on no changes",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+		},
+		{
+			name: "No changes when continue = no",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=no"},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "no"},
+			},
+		},
+		{
+			name: "Do not prompt when using --yes",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					// Last options overwritten.
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--yes"},
+		},
+		{
+			name: "Do not prompt for new options when prev opts flag is set",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--use-previous-options",
+				"--yes",
+			},
+		},
+		{
+			name: "Do not overwrite config when using --dry-run",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--ssh-option", "ForwardAgent=yes",
+				"--dry-run",
+				"--yes",
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+				user      = coderdtest.CreateFirstUser(t, client)
+				version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+				_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+				project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+				workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
+				_         = coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+			)
+
+			// Prepare ssh config files.
+			sshConfigName := sshConfigFileName(t)
+			if tt.writeConfig.ssh != "" {
+				sshConfigFileCreate(t, sshConfigName, strings.NewReader(tt.writeConfig.ssh))
+			}
+
+			args := []string{
+				"config-ssh",
+				"--ssh-config-file", sshConfigName,
+			}
+			args = append(args, tt.args...)
+			cmd, root := clitest.New(t, args...)
+			clitest.SetupConfig(t, client, root)
+
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			done := tGo(t, func() {
+				err := cmd.Execute()
+				if !tt.wantErr {
+					assert.NoError(t, err)
+				} else {
+					assert.Error(t, err)
+				}
+			})
+
+			for _, m := range tt.matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-done
+
+			if tt.wantConfig.ssh != "" {
+				got := sshConfigFileRead(t, sshConfigName)
+				assert.Equal(t, tt.wantConfig.ssh, got)
+			}
+		})
+	}
+}
+
+func TestConfigSSH_Hostnames(t *testing.T) {
+	t.Parallel()
+
+	type resourceSpec struct {
+		name   string
+		agents []string
+	}
+	tests := []struct {
+		name      string
+		resources []resourceSpec
+		expected  []string
+	}{
+		{
+			name: "one resource with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "one resource with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1", "agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+		{
+			name: "two resources with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar"},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "two resources with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar", agents: []string{"agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var resources []*proto.Resource
+			for _, resourceSpec := range tt.resources {
+				resource := &proto.Resource{
+					Name: resourceSpec.name,
+					Type: "aws_instance",
+				}
+				for _, agentName := range resourceSpec.agents {
+					resource.Agents = append(resource.Agents, &proto.Agent{
+						Id:   uuid.NewString(),
+						Name: agentName,
+					})
+				}
+				resources = append(resources, resource)
+			}
+
+			provisionResponse := []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: resources,
+					},
+				},
+			}}
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			// authToken := uuid.NewString()
+			version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+				Parse:          echo.ParseComplete,
+				ProvisionPlan:  provisionResponse,
+				ProvisionApply: provisionResponse,
+			})
+			coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+			template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+			workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+			coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+			sshConfigFile := sshConfigFileName(t)
+
+			cmd, root := clitest.New(t, "config-ssh", "--ssh-config-file", sshConfigFile)
+			clitest.SetupConfig(t, client, root)
+			doneChan := make(chan struct{})
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			go func() {
+				defer close(doneChan)
+				err := cmd.Execute()
+				assert.NoError(t, err)
+			}()
+
+			matches := []struct {
+				match, write string
+			}{
+				{match: "Continue?", write: "yes"},
+			}
+			for _, m := range matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-doneChan
+
+			var expectedHosts []string
+			for _, hostnamePattern := range tt.expected {
+				hostname := strings.ReplaceAll(hostnamePattern, "@", workspace.Name)
+				expectedHosts = append(expectedHosts, hostname)
+			}
+
+			hosts := sshConfigFileParseHosts(t, sshConfigFile)
+			require.ElementsMatch(t, expectedHosts, hosts)
+		})
+	}
+}
+
+// sshConfigFileParseHosts reads a file in the format of .ssh/config and extracts
+// the hostnames that are listed in "Host" directives.
+func sshConfigFileParseHosts(t *testing.T, name string) []string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+
+	var result []string
+	lineScanner := bufio.NewScanner(bytes.NewBuffer(b))
+	for lineScanner.Scan() {
+		line := lineScanner.Text()
+		line = strings.TrimSpace(line)
+
+		tokenScanner := bufio.NewScanner(bytes.NewBufferString(line))
+		tokenScanner.Split(bufio.ScanWords)
+		ok := tokenScanner.Scan()
+		if ok && tokenScanner.Text() == "Host" {
+			for tokenScanner.Scan() {
+				result = append(result, tokenScanner.Text())
+			}
+		}
+	}
+
+	return result
 }
@@ -0,0 +1,6 @@
+package cli
+
+const (
+	timeFormat = "3:04PM MST"
+	dateFormat = "Jan 2, 2006"
+)
@@ -0,0 +1,283 @@
+package cli
+
+import (
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/util/ptr"
+	"github.com/coder/coder/codersdk"
+)
+
+func create() *cobra.Command {
+	var (
+		parameterFile string
+		templateName  string
+		startAt       string
+		stopAfter     time.Duration
+		workspaceName string
+	)
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "create [name]",
+		Short:       "Create a workspace",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			organization, err := CurrentOrganization(cmd, client)
+			if err != nil {
+				return err
+			}
+
+			if len(args) >= 1 {
+				workspaceName = args[0]
+			}
+
+			if workspaceName == "" {
+				workspaceName, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text: "Specify a name for your workspace:",
+					Validate: func(workspaceName string) error {
+						_, err = client.WorkspaceByOwnerAndName(cmd.Context(), codersdk.Me, workspaceName, codersdk.WorkspaceOptions{})
+						if err == nil {
+							return xerrors.Errorf("A workspace already exists named %q!", workspaceName)
+						}
+						return nil
+					},
+				})
+				if err != nil {
+					return err
+				}
+			}
+
+			_, err = client.WorkspaceByOwnerAndName(cmd.Context(), codersdk.Me, workspaceName, codersdk.WorkspaceOptions{})
+			if err == nil {
+				return xerrors.Errorf("A workspace already exists named %q!", workspaceName)
+			}
+
+			var template codersdk.Template
+			if templateName == "" {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Wrap.Render("Select a template below to preview the provisioned infrastructure:"))
+
+				templates, err := client.TemplatesByOrganization(cmd.Context(), organization.ID)
+				if err != nil {
+					return err
+				}
+
+				slices.SortFunc(templates, func(a, b codersdk.Template) bool {
+					return a.ActiveUserCount > b.ActiveUserCount
+				})
+
+				templateNames := make([]string, 0, len(templates))
+				templateByName := make(map[string]codersdk.Template, len(templates))
+
+				for _, template := range templates {
+					templateName := template.Name
+
+					if template.ActiveUserCount > 0 {
+						templateName += cliui.Styles.Placeholder.Render(
+							fmt.Sprintf(
+								" (used by %s)",
+								formatActiveDevelopers(template.ActiveUserCount),
+							),
+						)
+					}
+
+					templateNames = append(templateNames, templateName)
+					templateByName[templateName] = template
+				}
+
+				// Move the cursor up a single line for nicer display!
+				option, err := cliui.Select(cmd, cliui.SelectOptions{
+					Options:    templateNames,
+					HideSearch: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				template = templateByName[option]
+			} else {
+				template, err = client.TemplateByName(cmd.Context(), organization.ID, templateName)
+				if err != nil {
+					return xerrors.Errorf("get template by name: %w", err)
+				}
+			}
+
+			var schedSpec *string
+			if startAt != "" {
+				sched, err := parseCLISchedule(startAt)
+				if err != nil {
+					return err
+				}
+				schedSpec = ptr.Ref(sched.String())
+			}
+
+			parameters, err := prepWorkspaceBuild(cmd, client, prepWorkspaceBuildArgs{
+				Template:         template,
+				ExistingParams:   []codersdk.Parameter{},
+				ParameterFile:    parameterFile,
+				NewWorkspaceName: workspaceName,
+			})
+			if err != nil {
+				return err
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Confirm create?",
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			workspace, err := client.CreateWorkspace(cmd.Context(), organization.ID, codersdk.Me, codersdk.CreateWorkspaceRequest{
+				TemplateID:        template.ID,
+				Name:              workspaceName,
+				AutostartSchedule: schedSpec,
+				TTLMillis:         ptr.Ref(stopAfter.Milliseconds()),
+				ParameterValues:   parameters,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, workspace.LatestBuild.ID)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been created at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
+			return nil
+		},
+	}
+
+	cliui.AllowSkipPrompt(cmd)
+	cliflag.StringVarP(cmd.Flags(), &templateName, "template", "t", "CODER_TEMPLATE_NAME", "", "Specify a template name.")
+	cliflag.StringVarP(cmd.Flags(), &parameterFile, "parameter-file", "", "CODER_PARAMETER_FILE", "", "Specify a file path with parameter values.")
+	cliflag.StringVarP(cmd.Flags(), &startAt, "start-at", "", "CODER_WORKSPACE_START_AT", "", "Specify the workspace autostart schedule. Check `coder schedule start --help` for the syntax.")
+	cliflag.DurationVarP(cmd.Flags(), &stopAfter, "stop-after", "", "CODER_WORKSPACE_STOP_AFTER", 8*time.Hour, "Specify a duration after which the workspace should shut down (e.g. 8h).")
+	return cmd
+}
+
+type prepWorkspaceBuildArgs struct {
+	Template         codersdk.Template
+	ExistingParams   []codersdk.Parameter
+	ParameterFile    string
+	NewWorkspaceName string
+}
+
+// prepWorkspaceBuild will ensure a workspace build will succeed on the latest template version.
+// Any missing params will be prompted to the user.
+func prepWorkspaceBuild(cmd *cobra.Command, client *codersdk.Client, args prepWorkspaceBuildArgs) ([]codersdk.CreateParameterRequest, error) {
+	ctx := cmd.Context()
+	templateVersion, err := client.TemplateVersion(ctx, args.Template.ActiveVersionID)
+	if err != nil {
+		return nil, err
+	}
+	parameterSchemas, err := client.TemplateVersionSchema(ctx, templateVersion.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	// parameterMapFromFile can be nil if parameter file is not specified
+	var parameterMapFromFile map[string]string
+	useParamFile := false
+	if args.ParameterFile != "" {
+		useParamFile = true
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("Attempting to read the variables from the parameter file.")+"\r\n")
+		parameterMapFromFile, err = createParameterMapFromFile(args.ParameterFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+	disclaimerPrinted := false
+	parameters := make([]codersdk.CreateParameterRequest, 0)
+PromptParamLoop:
+	for _, parameterSchema := range parameterSchemas {
+		if !parameterSchema.AllowOverrideSource {
+			continue
+		}
+		if !disclaimerPrinted {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("This template has customizable parameters. Values can be changed after create, but may have unintended side effects (like data loss).")+"\r\n")
+			disclaimerPrinted = true
+		}
+
+		// Param file is all or nothing
+		if !useParamFile {
+			for _, e := range args.ExistingParams {
+				if e.Name == parameterSchema.Name {
+					// If the param already exists, we do not need to prompt it again.
+					// The workspace scope will reuse params for each build.
+					continue PromptParamLoop
+				}
+			}
+		}
+
+		parameterValue, err := getParameterValueFromMapOrInput(cmd, parameterMapFromFile, parameterSchema)
+		if err != nil {
+			return nil, err
+		}
+
+		parameters = append(parameters, codersdk.CreateParameterRequest{
+			Name:              parameterSchema.Name,
+			SourceValue:       parameterValue,
+			SourceScheme:      codersdk.ParameterSourceSchemeData,
+			DestinationScheme: parameterSchema.DefaultDestinationScheme,
+		})
+	}
+	_, _ = fmt.Fprintln(cmd.OutOrStdout())
+
+	// Run a dry-run with the given parameters to check correctness
+	dryRun, err := client.CreateTemplateVersionDryRun(cmd.Context(), templateVersion.ID, codersdk.CreateTemplateVersionDryRunRequest{
+		WorkspaceName:   args.NewWorkspaceName,
+		ParameterValues: parameters,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("begin workspace dry-run: %w", err)
+	}
+	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Planning workspace...")
+	err = cliui.ProvisionerJob(cmd.Context(), cmd.OutOrStdout(), cliui.ProvisionerJobOptions{
+		Fetch: func() (codersdk.ProvisionerJob, error) {
+			return client.TemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
+		},
+		Cancel: func() error {
+			return client.CancelTemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
+		},
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+			return client.TemplateVersionDryRunLogsAfter(cmd.Context(), templateVersion.ID, dryRun.ID, 0)
+		},
+		// Don't show log output for the dry-run unless there's an error.
+		Silent: true,
+	})
+	if err != nil {
+		// TODO (Dean): reprompt for parameter values if we deem it to
+		// be a validation error
+		return nil, xerrors.Errorf("dry-run workspace: %w", err)
+	}
+
+	resources, err := client.TemplateVersionDryRunResources(cmd.Context(), templateVersion.ID, dryRun.ID)
+	if err != nil {
+		return nil, xerrors.Errorf("get workspace dry-run resources: %w", err)
+	}
+
+	err = cliui.WorkspaceResources(cmd.OutOrStdout(), resources, cliui.WorkspaceResourcesOptions{
+		WorkspaceName: args.NewWorkspaceName,
+		// Since agents haven't connected yet, hiding this makes more sense.
+		HideAgentState: true,
+		Title:          "Workspace Preview",
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return parameters, nil
+}
@@ -0,0 +1,358 @@
+package cli_test
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestCreate(t *testing.T) {
+	t.Parallel()
+	t.Run("Create", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: provisionCompleteWithAgent,
+			ProvisionPlan:  provisionCompleteWithAgent,
+		})
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		args := []string{
+			"create",
+			"my-workspace",
+			"--template", template.Name,
+			"--start-at", "9:30AM Mon-Fri US/Central",
+			"--stop-after", "8h",
+		}
+		cmd, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		matches := []struct {
+			match string
+			write string
+		}{
+			{match: "compute.main"},
+			{match: "smith (linux, i386)"},
+			{match: "Confirm create", write: "yes"},
+		}
+		for _, m := range matches {
+			pty.ExpectMatch(m.match)
+			if len(m.write) > 0 {
+				pty.WriteLine(m.write)
+			}
+		}
+		<-doneChan
+
+		ws, err := client.WorkspaceByOwnerAndName(context.Background(), "testuser", "my-workspace", codersdk.WorkspaceOptions{})
+		if assert.NoError(t, err, "expected workspace to be created") {
+			assert.Equal(t, ws.TemplateName, template.Name)
+			if assert.NotNil(t, ws.AutostartSchedule) {
+				assert.Equal(t, *ws.AutostartSchedule, "CRON_TZ=US/Central 30 9 * * Mon-Fri")
+			}
+			if assert.NotNil(t, ws.TTLMillis) {
+				assert.Equal(t, *ws.TTLMillis, 8*time.Hour.Milliseconds())
+			}
+		}
+	})
+
+	t.Run("CreateFromListWithSkip", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "my-workspace", "-y")
+
+		member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		clitest.SetupConfig(t, member, root)
+		cmdCtx, done := context.WithTimeout(context.Background(), testutil.WaitLong)
+		go func() {
+			defer done()
+			err := cmd.ExecuteContext(cmdCtx)
+			assert.NoError(t, err)
+		}()
+		// No pty interaction needed since we use the -y skip prompt flag
+		<-cmdCtx.Done()
+		require.ErrorIs(t, cmdCtx.Err(), context.Canceled)
+	})
+
+	t.Run("FromNothing", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		matches := []string{
+			"Specify a name", "my-workspace",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+
+		ws, err := client.WorkspaceByOwnerAndName(cmd.Context(), "testuser", "my-workspace", codersdk.WorkspaceOptions{})
+		if assert.NoError(t, err, "expected workspace to be created") {
+			assert.Equal(t, ws.TemplateName, template.Name)
+			assert.Nil(t, ws.AutostartSchedule, "expected workspace autostart schedule to be nil")
+		}
+	})
+
+	t.Run("WithParameter", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          createTestParseResponseWithDefault(defaultValue),
+			ProvisionApply: echo.ProvisionComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Specify a name", "my-workspace",
+			fmt.Sprintf("Enter a value (default: %q):", defaultValue), "bingo",
+			"Enter a value:", "boingo",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("WithParameterFileContainingTheValue", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          createTestParseResponseWithDefault(defaultValue),
+			ProvisionApply: echo.ProvisionComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region: \"bingo\"\nusername: \"boingo\"")
+		cmd, root := clitest.New(t, "create", "", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Specify a name", "my-workspace",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("WithParameterFileNotContainingTheValue", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          createTestParseResponseWithDefault(defaultValue),
+			ProvisionApply: echo.ProvisionComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("username: \"boingo\"")
+
+		cmd, root := clitest.New(t, "create", "", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		matches := []struct {
+			match string
+			write string
+		}{
+			{
+				match: "Specify a name",
+				write: "my-workspace",
+			},
+			{
+				match: fmt.Sprintf("Enter a value (default: %q):", defaultValue),
+				write: "bingo",
+			},
+			{
+				match: "Confirm create?",
+				write: "yes",
+			},
+		}
+
+		for _, m := range matches {
+			pty.ExpectMatch(m.match)
+			pty.WriteLine(m.write)
+		}
+		<-doneChan
+	})
+	t.Run("FailedDryRun", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: []*proto.Parse_Response{{
+				Type: &proto.Parse_Response_Complete{
+					Complete: &proto.Parse_Complete{
+						ParameterSchemas: echo.ParameterSuccess,
+					},
+				},
+			}},
+			ProvisionPlan: []*proto.Provision_Response{
+				{
+					Type: &proto.Provision_Response_Complete{
+						Complete: &proto.Provision_Complete{},
+					},
+				},
+			},
+		})
+
+		tempDir := t.TempDir()
+		parameterFile, err := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		require.NoError(t, err)
+		defer parameterFile.Close()
+		_, _ = parameterFile.WriteString(fmt.Sprintf("%s: %q", echo.ParameterExecKey, echo.ParameterError("fail")))
+
+		// The template import job should end up failed, but we need it to be
+		// succeeded so the dry-run can begin.
+		version = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		require.Equal(t, codersdk.ProvisionerJobSucceeded, version.Job.Status, "job is not failed")
+
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "test", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+
+		err = cmd.Execute()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "dry-run workspace")
+	})
+}
+
+func createTestParseResponseWithDefault(defaultValue string) []*proto.Parse_Response {
+	return []*proto.Parse_Response{{
+		Type: &proto.Parse_Response_Complete{
+			Complete: &proto.Parse_Complete{
+				ParameterSchemas: []*proto.ParameterSchema{
+					{
+						AllowOverrideSource: true,
+						Name:                "region",
+						Description:         "description 1",
+						DefaultSource: &proto.ParameterSource{
+							Scheme: proto.ParameterSource_DATA,
+							Value:  defaultValue,
+						},
+						DefaultDestination: &proto.ParameterDestination{
+							Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
+						},
+					},
+					{
+						AllowOverrideSource: true,
+						Name:                "username",
+						Description:         "description 2",
+						DefaultSource: &proto.ParameterSource{
+							Scheme: proto.ParameterSource_DATA,
+							// No default value
+							Value: "",
+						},
+						DefaultDestination: &proto.ParameterDestination{
+							Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
+						},
+					},
+				},
+			},
+		},
+	}}
+}
@@ -0,0 +1,74 @@
+package cli
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+// nolint
+func deleteWorkspace() *cobra.Command {
+	var orphan bool
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "delete <workspace>",
+		Short:       "Delete a workspace",
+		Aliases:     []string{"rm"},
+		Args:        cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Confirm delete workspace?",
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
+			})
+			if err != nil {
+				return err
+			}
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+			workspace, err := namedWorkspace(cmd, client, args[0])
+			if err != nil {
+				return err
+			}
+
+			var state []byte
+
+			if orphan {
+				cliui.Warn(
+					cmd.ErrOrStderr(),
+					"Orphaning workspace requires template edit permission",
+				)
+			}
+
+			build, err := client.CreateWorkspaceBuild(cmd.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+				Transition:       codersdk.WorkspaceTransitionDelete,
+				ProvisionerState: state,
+				Orphan:           orphan,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, build.ID)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been deleted at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
+			return nil
+		},
+	}
+	cmd.Flags().BoolVar(&orphan, "orphan", false,
+		`Delete a workspace without deleting its resources. This can delete a
+workspace in a broken state, but may also lead to unaccounted cloud resources.`,
+	)
+	cliui.AllowSkipPrompt(cmd)
+	return cmd
+}
@@ -0,0 +1,125 @@
+package cli_test
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestDelete(t *testing.T) {
+	t.Parallel()
+	t.Run("WithParameter", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "delete", workspace.Name, "-y")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+	})
+
+	t.Run("Orphan", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "delete", workspace.Name, "-y", "--orphan")
+
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+	})
+
+	t.Run("DifferentUser", func(t *testing.T) {
+		t.Parallel()
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		adminUser := coderdtest.CreateFirstUser(t, adminClient)
+		orgID := adminUser.OrganizationID
+		client := coderdtest.CreateAnotherUser(t, adminClient, orgID)
+		user, err := client.User(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+
+		version := coderdtest.CreateTemplateVersion(t, adminClient, orgID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
+		template := coderdtest.CreateTemplate(t, adminClient, orgID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, orgID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, root := clitest.New(t, "delete", user.Username+"/"+workspace.Name, "-y")
+		clitest.SetupConfig(t, adminClient, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+
+		workspace, err = client.Workspace(context.Background(), workspace.ID)
+		require.ErrorContains(t, err, "was deleted")
+	})
+
+	t.Run("InvalidWorkspaceIdentifier", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		cmd, root := clitest.New(t, "delete", "a/b/c", "-y")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.ErrorContains(t, err, "invalid workspace name: \"a/b/c\"")
+		}()
+		<-doneChan
+	})
+}
@@ -0,0 +1,781 @@
+package deployment
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/spf13/pflag"
+	"github.com/spf13/viper"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/codersdk"
+)
+
+func newConfig() *codersdk.DeploymentConfig {
+	return &codersdk.DeploymentConfig{
+		AccessURL: &codersdk.DeploymentConfigField[string]{
+			Name:  "Access URL",
+			Usage: "External URL to access your deployment. This must be accessible by all provisioned workspaces.",
+			Flag:  "access-url",
+		},
+		WildcardAccessURL: &codersdk.DeploymentConfigField[string]{
+			Name:  "Wildcard Access URL",
+			Usage: "Specifies the wildcard hostname to use for workspace applications in the form \"*.example.com\".",
+			Flag:  "wildcard-access-url",
+		},
+		// DEPRECATED: Use HTTPAddress or TLS.Address instead.
+		Address: &codersdk.DeploymentConfigField[string]{
+			Name:      "Address",
+			Usage:     "Bind address of the server.",
+			Flag:      "address",
+			Shorthand: "a",
+			// Deprecated, so we don't have a default. If set, it will overwrite
+			// HTTPAddress and TLS.Address and print a warning.
+			Hidden:  true,
+			Default: "",
+		},
+		HTTPAddress: &codersdk.DeploymentConfigField[string]{
+			Name:    "Address",
+			Usage:   "HTTP bind address of the server. Unset to disable the HTTP endpoint.",
+			Flag:    "http-address",
+			Default: "127.0.0.1:3000",
+		},
+		AutobuildPollInterval: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Autobuild Poll Interval",
+			Usage:   "Interval to poll for scheduled workspace builds.",
+			Flag:    "autobuild-poll-interval",
+			Hidden:  true,
+			Default: time.Minute,
+		},
+		DERP: &codersdk.DERP{
+			Server: &codersdk.DERPServerConfig{
+				Enable: &codersdk.DeploymentConfigField[bool]{
+					Name:    "DERP Server Enable",
+					Usage:   "Whether to enable or disable the embedded DERP relay server.",
+					Flag:    "derp-server-enable",
+					Default: true,
+				},
+				RegionID: &codersdk.DeploymentConfigField[int]{
+					Name:    "DERP Server Region ID",
+					Usage:   "Region ID to use for the embedded DERP server.",
+					Flag:    "derp-server-region-id",
+					Default: 999,
+				},
+				RegionCode: &codersdk.DeploymentConfigField[string]{
+					Name:    "DERP Server Region Code",
+					Usage:   "Region code to use for the embedded DERP server.",
+					Flag:    "derp-server-region-code",
+					Default: "coder",
+				},
+				RegionName: &codersdk.DeploymentConfigField[string]{
+					Name:    "DERP Server Region Name",
+					Usage:   "Region name that for the embedded DERP server.",
+					Flag:    "derp-server-region-name",
+					Default: "Coder Embedded Relay",
+				},
+				STUNAddresses: &codersdk.DeploymentConfigField[[]string]{
+					Name:    "DERP Server STUN Addresses",
+					Usage:   "Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.",
+					Flag:    "derp-server-stun-addresses",
+					Default: []string{"stun.l.google.com:19302"},
+				},
+				RelayURL: &codersdk.DeploymentConfigField[string]{
+					Name:       "DERP Server Relay URL",
+					Usage:      "An HTTP URL that is accessible by other replicas to relay DERP traffic. Required for high availability.",
+					Flag:       "derp-server-relay-url",
+					Enterprise: true,
+				},
+			},
+			Config: &codersdk.DERPConfig{
+				URL: &codersdk.DeploymentConfigField[string]{
+					Name:  "DERP Config URL",
+					Usage: "URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/",
+					Flag:  "derp-config-url",
+				},
+				Path: &codersdk.DeploymentConfigField[string]{
+					Name:  "DERP Config Path",
+					Usage: "Path to read a DERP mapping from. See: https://tailscale.com/kb/1118/custom-derp-servers/",
+					Flag:  "derp-config-path",
+				},
+			},
+		},
+		GitAuth: &codersdk.DeploymentConfigField[[]codersdk.GitAuthConfig]{
+			Name:    "Git Auth",
+			Usage:   "Automatically authenticate Git inside workspaces.",
+			Flag:    "gitauth",
+			Default: []codersdk.GitAuthConfig{},
+		},
+		Prometheus: &codersdk.PrometheusConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Prometheus Enable",
+				Usage: "Serve prometheus metrics on the address defined by prometheus address.",
+				Flag:  "prometheus-enable",
+			},
+			Address: &codersdk.DeploymentConfigField[string]{
+				Name:    "Prometheus Address",
+				Usage:   "The bind address to serve prometheus metrics.",
+				Flag:    "prometheus-address",
+				Default: "127.0.0.1:2112",
+			},
+		},
+		Pprof: &codersdk.PprofConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Pprof Enable",
+				Usage: "Serve pprof metrics on the address defined by pprof address.",
+				Flag:  "pprof-enable",
+			},
+			Address: &codersdk.DeploymentConfigField[string]{
+				Name:    "Pprof Address",
+				Usage:   "The bind address to serve pprof.",
+				Flag:    "pprof-address",
+				Default: "127.0.0.1:6060",
+			},
+		},
+		ProxyTrustedHeaders: &codersdk.DeploymentConfigField[[]string]{
+			Name:  "Proxy Trusted Headers",
+			Flag:  "proxy-trusted-headers",
+			Usage: "Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip, True-Client-Ip, X-Forwarded-For",
+		},
+		ProxyTrustedOrigins: &codersdk.DeploymentConfigField[[]string]{
+			Name:  "Proxy Trusted Origins",
+			Flag:  "proxy-trusted-origins",
+			Usage: "Origin addresses to respect \"proxy-trusted-headers\". e.g. 192.168.1.0/24",
+		},
+		CacheDirectory: &codersdk.DeploymentConfigField[string]{
+			Name:    "Cache Directory",
+			Usage:   "The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd.",
+			Flag:    "cache-dir",
+			Default: DefaultCacheDir(),
+		},
+		InMemoryDatabase: &codersdk.DeploymentConfigField[bool]{
+			Name:   "In Memory Database",
+			Usage:  "Controls whether data will be stored in an in-memory database.",
+			Flag:   "in-memory",
+			Hidden: true,
+		},
+		PostgresURL: &codersdk.DeploymentConfigField[string]{
+			Name:   "Postgres Connection URL",
+			Usage:  "URL of a PostgreSQL database. If empty, PostgreSQL binaries will be downloaded from Maven (https://repo1.maven.org/maven2) and store all data in the config root. Access the built-in database with \"coder server postgres-builtin-url\".",
+			Flag:   "postgres-url",
+			Secret: true,
+		},
+		OAuth2: &codersdk.OAuth2Config{
+			Github: &codersdk.OAuth2GithubConfig{
+				ClientID: &codersdk.DeploymentConfigField[string]{
+					Name:  "OAuth2 GitHub Client ID",
+					Usage: "Client ID for Login with GitHub.",
+					Flag:  "oauth2-github-client-id",
+				},
+				ClientSecret: &codersdk.DeploymentConfigField[string]{
+					Name:   "OAuth2 GitHub Client Secret",
+					Usage:  "Client secret for Login with GitHub.",
+					Flag:   "oauth2-github-client-secret",
+					Secret: true,
+				},
+				AllowedOrgs: &codersdk.DeploymentConfigField[[]string]{
+					Name:  "OAuth2 GitHub Allowed Orgs",
+					Usage: "Organizations the user must be a member of to Login with GitHub.",
+					Flag:  "oauth2-github-allowed-orgs",
+				},
+				AllowedTeams: &codersdk.DeploymentConfigField[[]string]{
+					Name:  "OAuth2 GitHub Allowed Teams",
+					Usage: "Teams inside organizations the user must be a member of to Login with GitHub. Structured as: <organization-name>/<team-slug>.",
+					Flag:  "oauth2-github-allowed-teams",
+				},
+				AllowSignups: &codersdk.DeploymentConfigField[bool]{
+					Name:  "OAuth2 GitHub Allow Signups",
+					Usage: "Whether new users can sign up with GitHub.",
+					Flag:  "oauth2-github-allow-signups",
+				},
+				AllowEveryone: &codersdk.DeploymentConfigField[bool]{
+					Name:  "OAuth2 GitHub Allow Everyone",
+					Usage: "Allow all logins, setting this option means allowed orgs and teams must be empty.",
+					Flag:  "oauth2-github-allow-everyone",
+				},
+				EnterpriseBaseURL: &codersdk.DeploymentConfigField[string]{
+					Name:  "OAuth2 GitHub Enterprise Base URL",
+					Usage: "Base URL of a GitHub Enterprise deployment to use for Login with GitHub.",
+					Flag:  "oauth2-github-enterprise-base-url",
+				},
+			},
+		},
+		OIDC: &codersdk.OIDCConfig{
+			AllowSignups: &codersdk.DeploymentConfigField[bool]{
+				Name:    "OIDC Allow Signups",
+				Usage:   "Whether new users can sign up with OIDC.",
+				Flag:    "oidc-allow-signups",
+				Default: true,
+			},
+			ClientID: &codersdk.DeploymentConfigField[string]{
+				Name:  "OIDC Client ID",
+				Usage: "Client ID to use for Login with OIDC.",
+				Flag:  "oidc-client-id",
+			},
+			ClientSecret: &codersdk.DeploymentConfigField[string]{
+				Name:   "OIDC Client Secret",
+				Usage:  "Client secret to use for Login with OIDC.",
+				Flag:   "oidc-client-secret",
+				Secret: true,
+			},
+			EmailDomain: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "OIDC Email Domain",
+				Usage: "Email domains that clients logging in with OIDC must match.",
+				Flag:  "oidc-email-domain",
+			},
+			IssuerURL: &codersdk.DeploymentConfigField[string]{
+				Name:  "OIDC Issuer URL",
+				Usage: "Issuer URL to use for Login with OIDC.",
+				Flag:  "oidc-issuer-url",
+			},
+			Scopes: &codersdk.DeploymentConfigField[[]string]{
+				Name:    "OIDC Scopes",
+				Usage:   "Scopes to grant when authenticating with OIDC.",
+				Flag:    "oidc-scopes",
+				Default: []string{oidc.ScopeOpenID, "profile", "email"},
+			},
+			IgnoreEmailVerified: &codersdk.DeploymentConfigField[bool]{
+				Name:    "OIDC Ignore Email Verified",
+				Usage:   "Ignore the email_verified claim from the upstream provider.",
+				Flag:    "oidc-ignore-email-verified",
+				Default: false,
+			},
+			UsernameField: &codersdk.DeploymentConfigField[string]{
+				Name:    "OIDC Username Field",
+				Usage:   "OIDC claim field to use as the username.",
+				Flag:    "oidc-username-field",
+				Default: "preferred_username",
+			},
+		},
+
+		Telemetry: &codersdk.TelemetryConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Telemetry Enable",
+				Usage:   "Whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.",
+				Flag:    "telemetry",
+				Default: flag.Lookup("test.v") == nil,
+			},
+			Trace: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Telemetry Trace",
+				Usage:   "Whether Opentelemetry traces are sent to Coder. Coder collects anonymized application tracing to help improve our product. Disabling telemetry also disables this option.",
+				Flag:    "telemetry-trace",
+				Default: flag.Lookup("test.v") == nil,
+			},
+			URL: &codersdk.DeploymentConfigField[string]{
+				Name:    "Telemetry URL",
+				Usage:   "URL to send telemetry.",
+				Flag:    "telemetry-url",
+				Hidden:  true,
+				Default: "https://telemetry.coder.com",
+			},
+		},
+		TLS: &codersdk.TLSConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "TLS Enable",
+				Usage: "Whether TLS will be enabled.",
+				Flag:  "tls-enable",
+			},
+			Address: &codersdk.DeploymentConfigField[string]{
+				Name:    "TLS Address",
+				Usage:   "HTTPS bind address of the server.",
+				Flag:    "tls-address",
+				Default: "127.0.0.1:3443",
+			},
+			RedirectHTTP: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Redirect HTTP to HTTPS",
+				Usage:   "Whether HTTP requests will be redirected to the access URL (if it's a https URL and TLS is enabled). Requests to local IP addresses are never redirected regardless of this setting.",
+				Flag:    "tls-redirect-http-to-https",
+				Default: true,
+			},
+			CertFiles: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "TLS Certificate Files",
+				Usage: "Path to each certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.",
+				Flag:  "tls-cert-file",
+			},
+			ClientCAFile: &codersdk.DeploymentConfigField[string]{
+				Name:  "TLS Client CA Files",
+				Usage: "PEM-encoded Certificate Authority file used for checking the authenticity of client",
+				Flag:  "tls-client-ca-file",
+			},
+			ClientAuth: &codersdk.DeploymentConfigField[string]{
+				Name:    "TLS Client Auth",
+				Usage:   "Policy the server will follow for TLS Client Authentication. Accepted values are \"none\", \"request\", \"require-any\", \"verify-if-given\", or \"require-and-verify\".",
+				Flag:    "tls-client-auth",
+				Default: "none",
+			},
+			KeyFiles: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "TLS Key Files",
+				Usage: "Paths to the private keys for each of the certificates. It requires a PEM-encoded file.",
+				Flag:  "tls-key-file",
+			},
+			MinVersion: &codersdk.DeploymentConfigField[string]{
+				Name:    "TLS Minimum Version",
+				Usage:   "Minimum supported version of TLS. Accepted values are \"tls10\", \"tls11\", \"tls12\" or \"tls13\"",
+				Flag:    "tls-min-version",
+				Default: "tls12",
+			},
+			ClientCertFile: &codersdk.DeploymentConfigField[string]{
+				Name:  "TLS Client Cert File",
+				Usage: "Path to certificate for client TLS authentication. It requires a PEM-encoded file.",
+				Flag:  "tls-client-cert-file",
+			},
+			ClientKeyFile: &codersdk.DeploymentConfigField[string]{
+				Name:  "TLS Client Key File",
+				Usage: "Path to key for client TLS authentication. It requires a PEM-encoded file.",
+				Flag:  "tls-client-key-file",
+			},
+		},
+		Trace: &codersdk.TraceConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Trace Enable",
+				Usage: "Whether application tracing data is collected. It exports to a backend configured by environment variables. See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md",
+				Flag:  "trace",
+			},
+			HoneycombAPIKey: &codersdk.DeploymentConfigField[string]{
+				Name:   "Trace Honeycomb API Key",
+				Usage:  "Enables trace exporting to Honeycomb.io using the provided API Key.",
+				Flag:   "trace-honeycomb-api-key",
+				Secret: true,
+			},
+			CaptureLogs: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Capture Logs in Traces",
+				Usage: "Enables capturing of logs as events in traces. This is useful for debugging, but may result in a very large amount of events being sent to the tracing backend which may incur significant costs. If the verbose flag was supplied, debug-level logs will be included.",
+				Flag:  "trace-logs",
+			},
+		},
+		SecureAuthCookie: &codersdk.DeploymentConfigField[bool]{
+			Name:  "Secure Auth Cookie",
+			Usage: "Controls if the 'Secure' property is set on browser session cookies.",
+			Flag:  "secure-auth-cookie",
+		},
+		SSHKeygenAlgorithm: &codersdk.DeploymentConfigField[string]{
+			Name:    "SSH Keygen Algorithm",
+			Usage:   "The algorithm to use for generating ssh keys. Accepted values are \"ed25519\", \"ecdsa\", or \"rsa4096\".",
+			Flag:    "ssh-keygen-algorithm",
+			Default: "ed25519",
+		},
+		MetricsCacheRefreshInterval: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Metrics Cache Refresh Interval",
+			Usage:   "How frequently metrics are refreshed",
+			Flag:    "metrics-cache-refresh-interval",
+			Hidden:  true,
+			Default: time.Hour,
+		},
+		AgentStatRefreshInterval: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Agent Stat Refresh Interval",
+			Usage:   "How frequently agent stats are recorded",
+			Flag:    "agent-stats-refresh-interval",
+			Hidden:  true,
+			Default: 10 * time.Minute,
+		},
+		AgentFallbackTroubleshootingURL: &codersdk.DeploymentConfigField[string]{
+			Name:    "Agent Fallback Troubleshooting URL",
+			Usage:   "URL to use for agent troubleshooting when not set in the template",
+			Flag:    "agent-fallback-troubleshooting-url",
+			Hidden:  true,
+			Default: "https://coder.com/docs/coder-oss/latest/templates#troubleshooting-templates",
+		},
+		AuditLogging: &codersdk.DeploymentConfigField[bool]{
+			Name:       "Audit Logging",
+			Usage:      "Specifies whether audit logging is enabled.",
+			Flag:       "audit-logging",
+			Default:    true,
+			Enterprise: true,
+		},
+		BrowserOnly: &codersdk.DeploymentConfigField[bool]{
+			Name:       "Browser Only",
+			Usage:      "Whether Coder only allows connections to workspaces via the browser.",
+			Flag:       "browser-only",
+			Enterprise: true,
+		},
+		SCIMAPIKey: &codersdk.DeploymentConfigField[string]{
+			Name:       "SCIM API Key",
+			Usage:      "Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.",
+			Flag:       "scim-auth-header",
+			Enterprise: true,
+			Secret:     true,
+		},
+		Provisioner: &codersdk.ProvisionerConfig{
+			Daemons: &codersdk.DeploymentConfigField[int]{
+				Name:    "Provisioner Daemons",
+				Usage:   "Number of provisioner daemons to create on start. If builds are stuck in queued state for a long time, consider increasing this.",
+				Flag:    "provisioner-daemons",
+				Default: 3,
+			},
+			DaemonPollInterval: &codersdk.DeploymentConfigField[time.Duration]{
+				Name:    "Poll Interval",
+				Usage:   "Time to wait before polling for a new job.",
+				Flag:    "provisioner-daemon-poll-interval",
+				Default: time.Second,
+			},
+			DaemonPollJitter: &codersdk.DeploymentConfigField[time.Duration]{
+				Name:    "Poll Jitter",
+				Usage:   "Random jitter added to the poll interval.",
+				Flag:    "provisioner-daemon-poll-jitter",
+				Default: 100 * time.Millisecond,
+			},
+			ForceCancelInterval: &codersdk.DeploymentConfigField[time.Duration]{
+				Name:    "Force Cancel Interval",
+				Usage:   "Time to force cancel provisioning tasks that are stuck.",
+				Flag:    "provisioner-force-cancel-interval",
+				Default: 10 * time.Minute,
+			},
+		},
+		RateLimit: &codersdk.RateLimitConfig{
+			DisableAll: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Disable All Rate Limits",
+				Usage:   "Disables all rate limits. This is not recommended in production.",
+				Flag:    "dangerous-disable-rate-limits",
+				Default: false,
+			},
+			API: &codersdk.DeploymentConfigField[int]{
+				Name:  "API Rate Limit",
+				Usage: "Maximum number of requests per minute allowed to the API per user, or per IP address for unauthenticated users. Negative values mean no rate limit. Some API endpoints have separate strict rate limits regardless of this value to prevent denial-of-service or brute force attacks.",
+				// Change the env from the auto-generated CODER_RATE_LIMIT_API to the
+				// old value to avoid breaking existing deployments.
+				EnvOverride: "CODER_API_RATE_LIMIT",
+				Flag:        "api-rate-limit",
+				Default:     512,
+			},
+		},
+		Experimental: &codersdk.DeploymentConfigField[bool]{
+			Name:  "Experimental",
+			Usage: "Enable experimental features. Experimental features are not ready for production.",
+			Flag:  "experimental",
+		},
+		UpdateCheck: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Update Check",
+			Usage:   "Periodically check for new releases of Coder and inform the owner. The check is performed once per day.",
+			Flag:    "update-check",
+			Default: flag.Lookup("test.v") == nil && !buildinfo.IsDev(),
+		},
+		MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Max Token Lifetime",
+			Usage:   "The maximum lifetime duration for any user creating a token.",
+			Flag:    "max-token-lifetime",
+			Default: 24 * 30 * time.Hour,
+		},
+		Swagger: &codersdk.SwaggerConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Enable swagger endpoint",
+				Usage:   "Expose the swagger endpoint via /swagger.",
+				Flag:    "swagger-enable",
+				Default: false,
+			},
+		},
+	}
+}
+
+//nolint:revive
+func Config(flagset *pflag.FlagSet, vip *viper.Viper) (*codersdk.DeploymentConfig, error) {
+	dc := newConfig()
+	flg, err := flagset.GetString(config.FlagName)
+	if err != nil {
+		return nil, xerrors.Errorf("get global config from flag: %w", err)
+	}
+	vip.SetEnvPrefix("coder")
+
+	if flg != "" {
+		vip.SetConfigFile(flg + "/server.yaml")
+		err = vip.ReadInConfig()
+		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
+			return dc, xerrors.Errorf("reading deployment config: %w", err)
+		}
+	}
+
+	setConfig("", vip, &dc)
+
+	return dc, nil
+}
+
+func setConfig(prefix string, vip *viper.Viper, target interface{}) {
+	val := reflect.Indirect(reflect.ValueOf(target))
+	typ := val.Type()
+	if typ.Kind() != reflect.Struct {
+		val = val.Elem()
+		typ = val.Type()
+	}
+
+	// Ensure that we only bind env variables to proper fields,
+	// otherwise Viper will get confused if the parent struct is
+	// assigned a value.
+	if strings.HasPrefix(typ.Name(), "DeploymentConfigField[") {
+		value := val.FieldByName("Value").Interface()
+
+		env, ok := val.FieldByName("EnvOverride").Interface().(string)
+		if !ok {
+			panic("DeploymentConfigField[].EnvOverride must be a string")
+		}
+		if env == "" {
+			env = formatEnv(prefix)
+		}
+
+		switch value.(type) {
+		case string:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetString(vip.GetString(prefix))
+		case bool:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetBool(vip.GetBool(prefix))
+		case int:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetInt(int64(vip.GetInt(prefix)))
+		case time.Duration:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetInt(int64(vip.GetDuration(prefix)))
+		case []string:
+			vip.MustBindEnv(prefix, env)
+			// As of October 21st, 2022 we supported delimiting a string
+			// with a comma, but Viper only supports with a space. This
+			// is a small hack around it!
+			rawSlice := reflect.ValueOf(vip.GetStringSlice(prefix)).Interface()
+			slice, ok := rawSlice.([]string)
+			if !ok {
+				panic(fmt.Sprintf("string slice is of type %T", rawSlice))
+			}
+			value := make([]string, 0, len(slice))
+			for _, entry := range slice {
+				value = append(value, strings.Split(entry, ",")...)
+			}
+			val.FieldByName("Value").Set(reflect.ValueOf(value))
+		case []codersdk.GitAuthConfig:
+			// Do not bind to CODER_GITAUTH, instead bind to CODER_GITAUTH_0_*, etc.
+			values := readSliceFromViper[codersdk.GitAuthConfig](vip, prefix, value)
+			val.FieldByName("Value").Set(reflect.ValueOf(values))
+		default:
+			panic(fmt.Sprintf("unsupported type %T", value))
+		}
+		return
+	}
+
+	for i := 0; i < typ.NumField(); i++ {
+		fv := val.Field(i)
+		ft := fv.Type()
+		tag := typ.Field(i).Tag.Get("json")
+		var key string
+		if prefix == "" {
+			key = tag
+		} else {
+			key = fmt.Sprintf("%s.%s", prefix, tag)
+		}
+		switch ft.Kind() {
+		case reflect.Ptr:
+			setConfig(key, vip, fv.Interface())
+		case reflect.Slice:
+			for j := 0; j < fv.Len(); j++ {
+				key := fmt.Sprintf("%s.%d", key, j)
+				setConfig(key, vip, fv.Index(j).Interface())
+			}
+		default:
+			panic(fmt.Sprintf("unsupported type %T", ft))
+		}
+	}
+}
+
+// readSliceFromViper reads a typed mapping from the key provided.
+// This enables environment variables like CODER_GITAUTH_<index>_CLIENT_ID.
+func readSliceFromViper[T any](vip *viper.Viper, key string, value any) []T {
+	elementType := reflect.TypeOf(value).Elem()
+	returnValues := make([]T, 0)
+	for entry := 0; true; entry++ {
+		// Only create an instance when the entry exists in viper...
+		// otherwise we risk
+		var instance *reflect.Value
+		for i := 0; i < elementType.NumField(); i++ {
+			fve := elementType.Field(i)
+			prop := fve.Tag.Get("json")
+			// For fields that are omitted in JSON, we use a YAML tag.
+			if prop == "-" {
+				prop = fve.Tag.Get("yaml")
+			}
+			configKey := fmt.Sprintf("%s.%d.%s", key, entry, prop)
+
+			// Ensure the env entry for this key is registered
+			// before checking value.
+			//
+			// We don't support DeploymentConfigField[].EnvOverride for array flags so
+			// this is fine to just use `formatEnv` here.
+			vip.MustBindEnv(configKey, formatEnv(configKey))
+
+			value := vip.Get(configKey)
+			if value == nil {
+				continue
+			}
+			if instance == nil {
+				newType := reflect.Indirect(reflect.New(elementType))
+				instance = &newType
+			}
+			switch v := instance.Field(i).Type().String(); v {
+			case "[]string":
+				value = vip.GetStringSlice(configKey)
+			case "bool":
+				value = vip.GetBool(configKey)
+			default:
+			}
+			instance.Field(i).Set(reflect.ValueOf(value))
+		}
+		if instance == nil {
+			break
+		}
+		value, ok := instance.Interface().(T)
+		if !ok {
+			continue
+		}
+		returnValues = append(returnValues, value)
+	}
+	return returnValues
+}
+
+func NewViper() *viper.Viper {
+	dc := newConfig()
+	vip := viper.New()
+	vip.SetEnvPrefix("coder")
+	vip.SetEnvKeyReplacer(strings.NewReplacer("-", "_", ".", "_"))
+
+	setViperDefaults("", vip, dc)
+
+	return vip
+}
+
+func setViperDefaults(prefix string, vip *viper.Viper, target interface{}) {
+	val := reflect.ValueOf(target).Elem()
+	val = reflect.Indirect(val)
+	typ := val.Type()
+	if strings.HasPrefix(typ.Name(), "DeploymentConfigField[") {
+		value := val.FieldByName("Default").Interface()
+		vip.SetDefault(prefix, value)
+		return
+	}
+
+	for i := 0; i < typ.NumField(); i++ {
+		fv := val.Field(i)
+		ft := fv.Type()
+		tag := typ.Field(i).Tag.Get("json")
+		var key string
+		if prefix == "" {
+			key = tag
+		} else {
+			key = fmt.Sprintf("%s.%s", prefix, tag)
+		}
+		switch ft.Kind() {
+		case reflect.Ptr:
+			setViperDefaults(key, vip, fv.Interface())
+		case reflect.Slice:
+			// we currently don't support default values on structured slices
+			continue
+		default:
+			panic(fmt.Sprintf("unsupported type %T", ft))
+		}
+	}
+}
+
+//nolint:revive
+func AttachFlags(flagset *pflag.FlagSet, vip *viper.Viper, enterprise bool) {
+	setFlags("", flagset, vip, newConfig(), enterprise)
+}
+
+//nolint:revive
+func setFlags(prefix string, flagset *pflag.FlagSet, vip *viper.Viper, target interface{}, enterprise bool) {
+	val := reflect.Indirect(reflect.ValueOf(target))
+	typ := val.Type()
+	if strings.HasPrefix(typ.Name(), "DeploymentConfigField[") {
+		isEnt := val.FieldByName("Enterprise").Bool()
+		if enterprise != isEnt {
+			return
+		}
+		flg := val.FieldByName("Flag").String()
+		if flg == "" {
+			return
+		}
+
+		env, ok := val.FieldByName("EnvOverride").Interface().(string)
+		if !ok {
+			panic("DeploymentConfigField[].EnvOverride must be a string")
+		}
+		if env == "" {
+			env = formatEnv(prefix)
+		}
+
+		usage := val.FieldByName("Usage").String()
+		usage = fmt.Sprintf("%s\n%s", usage, cliui.Styles.Placeholder.Render("Consumes $"+env))
+		shorthand := val.FieldByName("Shorthand").String()
+		hidden := val.FieldByName("Hidden").Bool()
+		value := val.FieldByName("Default").Interface()
+
+		// Allow currently set environment variables
+		// to override default values in help output.
+		vip.MustBindEnv(prefix, env)
+
+		switch value.(type) {
+		case string:
+			_ = flagset.StringP(flg, shorthand, vip.GetString(prefix), usage)
+		case bool:
+			_ = flagset.BoolP(flg, shorthand, vip.GetBool(prefix), usage)
+		case int:
+			_ = flagset.IntP(flg, shorthand, vip.GetInt(prefix), usage)
+		case time.Duration:
+			_ = flagset.DurationP(flg, shorthand, vip.GetDuration(prefix), usage)
+		case []string:
+			_ = flagset.StringSliceP(flg, shorthand, vip.GetStringSlice(prefix), usage)
+		case []codersdk.GitAuthConfig:
+			// Ignore this one!
+		default:
+			panic(fmt.Sprintf("unsupported type %T", typ))
+		}
+
+		_ = vip.BindPFlag(prefix, flagset.Lookup(flg))
+		if hidden {
+			_ = flagset.MarkHidden(flg)
+		}
+
+		return
+	}
+
+	for i := 0; i < typ.NumField(); i++ {
+		fv := val.Field(i)
+		ft := fv.Type()
+		tag := typ.Field(i).Tag.Get("json")
+		var key string
+		if prefix == "" {
+			key = tag
+		} else {
+			key = fmt.Sprintf("%s.%s", prefix, tag)
+		}
+		switch ft.Kind() {
+		case reflect.Ptr:
+			setFlags(key, flagset, vip, fv.Interface(), enterprise)
+		case reflect.Slice:
+			for j := 0; j < fv.Len(); j++ {
+				key := fmt.Sprintf("%s.%d", key, j)
+				setFlags(key, flagset, vip, fv.Index(j).Interface(), enterprise)
+			}
+		default:
+			panic(fmt.Sprintf("unsupported type %T", ft))
+		}
+	}
+}
+
+func formatEnv(key string) string {
+	return "CODER_" + strings.ToUpper(strings.NewReplacer("-", "_", ".", "_").Replace(key))
+}
+
+func DefaultCacheDir() string {
+	defaultCacheDir, err := os.UserCacheDir()
+	if err != nil {
+		defaultCacheDir = os.TempDir()
+	}
+	if dir := os.Getenv("CACHE_DIRECTORY"); dir != "" {
+		// For compatibility with systemd.
+		defaultCacheDir = dir
+	}
+
+	return filepath.Join(defaultCacheDir, "coder")
+}
@@ -0,0 +1,247 @@
+package deployment_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/cli/deployment"
+	"github.com/coder/coder/codersdk"
+)
+
+// nolint:paralleltest
+func TestConfig(t *testing.T) {
+	viper := deployment.NewViper()
+	flagSet := pflag.NewFlagSet("", pflag.ContinueOnError)
+	flagSet.String(config.FlagName, "", "")
+	deployment.AttachFlags(flagSet, viper, true)
+
+	for _, tc := range []struct {
+		Name  string
+		Env   map[string]string
+		Valid func(config *codersdk.DeploymentConfig)
+	}{{
+		Name: "Deployment",
+		Env: map[string]string{
+			"CODER_ADDRESS":                          "0.0.0.0:8443",
+			"CODER_ACCESS_URL":                       "https://dev.coder.com",
+			"CODER_PG_CONNECTION_URL":                "some-url",
+			"CODER_PPROF_ADDRESS":                    "something",
+			"CODER_PPROF_ENABLE":                     "true",
+			"CODER_PROMETHEUS_ADDRESS":               "hello-world",
+			"CODER_PROMETHEUS_ENABLE":                "true",
+			"CODER_PROVISIONER_DAEMONS":              "5",
+			"CODER_PROVISIONER_DAEMON_POLL_INTERVAL": "5s",
+			"CODER_PROVISIONER_DAEMON_POLL_JITTER":   "1s",
+			"CODER_SECURE_AUTH_COOKIE":               "true",
+			"CODER_SSH_KEYGEN_ALGORITHM":             "potato",
+			"CODER_TELEMETRY":                        "false",
+			"CODER_TELEMETRY_TRACE":                  "false",
+			"CODER_WILDCARD_ACCESS_URL":              "something-wildcard.com",
+			"CODER_UPDATE_CHECK":                     "false",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.Address.Value, "0.0.0.0:8443")
+			require.Equal(t, config.AccessURL.Value, "https://dev.coder.com")
+			require.Equal(t, config.PostgresURL.Value, "some-url")
+			require.Equal(t, config.Pprof.Address.Value, "something")
+			require.Equal(t, config.Pprof.Enable.Value, true)
+			require.Equal(t, config.Prometheus.Address.Value, "hello-world")
+			require.Equal(t, config.Prometheus.Enable.Value, true)
+			require.Equal(t, config.Provisioner.Daemons.Value, 5)
+			require.Equal(t, config.Provisioner.DaemonPollInterval.Value, 5*time.Second)
+			require.Equal(t, config.Provisioner.DaemonPollJitter.Value, 1*time.Second)
+			require.Equal(t, config.SecureAuthCookie.Value, true)
+			require.Equal(t, config.SSHKeygenAlgorithm.Value, "potato")
+			require.Equal(t, config.Telemetry.Enable.Value, false)
+			require.Equal(t, config.Telemetry.Trace.Value, false)
+			require.Equal(t, config.WildcardAccessURL.Value, "something-wildcard.com")
+			require.Equal(t, config.UpdateCheck.Value, false)
+		},
+	}, {
+		Name: "DERP",
+		Env: map[string]string{
+			"CODER_DERP_CONFIG_PATH":           "/example/path",
+			"CODER_DERP_CONFIG_URL":            "https://google.com",
+			"CODER_DERP_SERVER_ENABLE":         "false",
+			"CODER_DERP_SERVER_REGION_CODE":    "something",
+			"CODER_DERP_SERVER_REGION_ID":      "123",
+			"CODER_DERP_SERVER_REGION_NAME":    "Code-Land",
+			"CODER_DERP_SERVER_RELAY_URL":      "1.1.1.1",
+			"CODER_DERP_SERVER_STUN_ADDRESSES": "google.org",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.DERP.Config.Path.Value, "/example/path")
+			require.Equal(t, config.DERP.Config.URL.Value, "https://google.com")
+			require.Equal(t, config.DERP.Server.Enable.Value, false)
+			require.Equal(t, config.DERP.Server.RegionCode.Value, "something")
+			require.Equal(t, config.DERP.Server.RegionID.Value, 123)
+			require.Equal(t, config.DERP.Server.RegionName.Value, "Code-Land")
+			require.Equal(t, config.DERP.Server.RelayURL.Value, "1.1.1.1")
+			require.Equal(t, config.DERP.Server.STUNAddresses.Value, []string{"google.org"})
+		},
+	}, {
+		Name: "Enterprise",
+		Env: map[string]string{
+			"CODER_AUDIT_LOGGING": "false",
+			"CODER_BROWSER_ONLY":  "true",
+			"CODER_SCIM_API_KEY":  "some-key",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.AuditLogging.Value, false)
+			require.Equal(t, config.BrowserOnly.Value, true)
+			require.Equal(t, config.SCIMAPIKey.Value, "some-key")
+		},
+	}, {
+		Name: "TLS",
+		Env: map[string]string{
+			"CODER_TLS_CERT_FILE":      "/etc/acme-sh/dev.coder.com,/etc/acme-sh/*.dev.coder.com",
+			"CODER_TLS_KEY_FILE":       "/etc/acme-sh/dev.coder.com,/etc/acme-sh/*.dev.coder.com",
+			"CODER_TLS_CLIENT_AUTH":    "/some/path",
+			"CODER_TLS_CLIENT_CA_FILE": "/some/path",
+			"CODER_TLS_ENABLE":         "true",
+			"CODER_TLS_MIN_VERSION":    "tls10",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Len(t, config.TLS.CertFiles.Value, 2)
+			require.Equal(t, config.TLS.CertFiles.Value[0], "/etc/acme-sh/dev.coder.com")
+			require.Equal(t, config.TLS.CertFiles.Value[1], "/etc/acme-sh/*.dev.coder.com")
+
+			require.Len(t, config.TLS.KeyFiles.Value, 2)
+			require.Equal(t, config.TLS.KeyFiles.Value[0], "/etc/acme-sh/dev.coder.com")
+			require.Equal(t, config.TLS.KeyFiles.Value[1], "/etc/acme-sh/*.dev.coder.com")
+
+			require.Equal(t, config.TLS.ClientAuth.Value, "/some/path")
+			require.Equal(t, config.TLS.ClientCAFile.Value, "/some/path")
+			require.Equal(t, config.TLS.Enable.Value, true)
+			require.Equal(t, config.TLS.MinVersion.Value, "tls10")
+		},
+	}, {
+		Name: "Trace",
+		Env: map[string]string{
+			"CODER_TRACE_ENABLE":            "true",
+			"CODER_TRACE_HONEYCOMB_API_KEY": "my-honeycomb-key",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.Trace.Enable.Value, true)
+			require.Equal(t, config.Trace.HoneycombAPIKey.Value, "my-honeycomb-key")
+		},
+	}, {
+		Name: "OIDC_Defaults",
+		Env:  map[string]string{},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Empty(t, config.OIDC.IssuerURL.Value)
+			require.Empty(t, config.OIDC.EmailDomain.Value)
+			require.Empty(t, config.OIDC.ClientID.Value)
+			require.Empty(t, config.OIDC.ClientSecret.Value)
+			require.True(t, config.OIDC.AllowSignups.Value)
+			require.ElementsMatch(t, config.OIDC.Scopes.Value, []string{"openid", "email", "profile"})
+			require.False(t, config.OIDC.IgnoreEmailVerified.Value)
+		},
+	}, {
+		Name: "OIDC",
+		Env: map[string]string{
+			"CODER_OIDC_ISSUER_URL":            "https://accounts.google.com",
+			"CODER_OIDC_EMAIL_DOMAIN":          "coder.com",
+			"CODER_OIDC_CLIENT_ID":             "client",
+			"CODER_OIDC_CLIENT_SECRET":         "secret",
+			"CODER_OIDC_ALLOW_SIGNUPS":         "false",
+			"CODER_OIDC_SCOPES":                "something,here",
+			"CODER_OIDC_IGNORE_EMAIL_VERIFIED": "true",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.OIDC.IssuerURL.Value, "https://accounts.google.com")
+			require.Equal(t, config.OIDC.EmailDomain.Value, []string{"coder.com"})
+			require.Equal(t, config.OIDC.ClientID.Value, "client")
+			require.Equal(t, config.OIDC.ClientSecret.Value, "secret")
+			require.False(t, config.OIDC.AllowSignups.Value)
+			require.Equal(t, config.OIDC.Scopes.Value, []string{"something", "here"})
+			require.True(t, config.OIDC.IgnoreEmailVerified.Value)
+		},
+	}, {
+		Name: "GitHub",
+		Env: map[string]string{
+			"CODER_OAUTH2_GITHUB_CLIENT_ID":     "client",
+			"CODER_OAUTH2_GITHUB_CLIENT_SECRET": "secret",
+			"CODER_OAUTH2_GITHUB_ALLOWED_ORGS":  "coder",
+			"CODER_OAUTH2_GITHUB_ALLOWED_TEAMS": "coder",
+			"CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS": "true",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.OAuth2.Github.ClientID.Value, "client")
+			require.Equal(t, config.OAuth2.Github.ClientSecret.Value, "secret")
+			require.Equal(t, []string{"coder"}, config.OAuth2.Github.AllowedOrgs.Value)
+			require.Equal(t, []string{"coder"}, config.OAuth2.Github.AllowedTeams.Value)
+			require.Equal(t, config.OAuth2.Github.AllowSignups.Value, true)
+		},
+	}, {
+		Name: "GitAuth",
+		Env: map[string]string{
+			"CODER_GITAUTH_0_ID":            "hello",
+			"CODER_GITAUTH_0_TYPE":          "github",
+			"CODER_GITAUTH_0_CLIENT_ID":     "client",
+			"CODER_GITAUTH_0_CLIENT_SECRET": "secret",
+			"CODER_GITAUTH_0_AUTH_URL":      "https://auth.com",
+			"CODER_GITAUTH_0_TOKEN_URL":     "https://token.com",
+			"CODER_GITAUTH_0_VALIDATE_URL":  "https://validate.com",
+			"CODER_GITAUTH_0_REGEX":         "github.com",
+			"CODER_GITAUTH_0_SCOPES":        "read write",
+			"CODER_GITAUTH_0_NO_REFRESH":    "true",
+
+			"CODER_GITAUTH_1_ID":            "another",
+			"CODER_GITAUTH_1_TYPE":          "gitlab",
+			"CODER_GITAUTH_1_CLIENT_ID":     "client-2",
+			"CODER_GITAUTH_1_CLIENT_SECRET": "secret-2",
+			"CODER_GITAUTH_1_AUTH_URL":      "https://auth-2.com",
+			"CODER_GITAUTH_1_TOKEN_URL":     "https://token-2.com",
+			"CODER_GITAUTH_1_REGEX":         "gitlab.com",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Len(t, config.GitAuth.Value, 2)
+			require.Equal(t, []codersdk.GitAuthConfig{{
+				ID:           "hello",
+				Type:         "github",
+				ClientID:     "client",
+				ClientSecret: "secret",
+				AuthURL:      "https://auth.com",
+				TokenURL:     "https://token.com",
+				ValidateURL:  "https://validate.com",
+				Regex:        "github.com",
+				Scopes:       []string{"read", "write"},
+				NoRefresh:    true,
+			}, {
+				ID:           "another",
+				Type:         "gitlab",
+				ClientID:     "client-2",
+				ClientSecret: "secret-2",
+				AuthURL:      "https://auth-2.com",
+				TokenURL:     "https://token-2.com",
+				Regex:        "gitlab.com",
+			}}, config.GitAuth.Value)
+		},
+	}, {
+		Name: "Wrong env must not break default values",
+		Env: map[string]string{
+			"CODER_PROMETHEUS_ENABLE": "true",
+			"CODER_PROMETHEUS":        "true", // Wrong env name, must not break prom addr.
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.Prometheus.Enable.Value, true)
+			require.Equal(t, config.Prometheus.Address.Value, config.Prometheus.Address.Default)
+		},
+	}} {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Helper()
+			for key, value := range tc.Env {
+				t.Setenv(key, value)
+			}
+			config, err := deployment.Config(flagSet, viper)
+			require.NoError(t, err)
+			tc.Valid(config)
+		})
+	}
+}
@@ -0,0 +1,282 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+)
+
+func dotfiles() *cobra.Command {
+	var symlinkDir string
+	cmd := &cobra.Command{
+		Use:   "dotfiles [git_repo_url]",
+		Args:  cobra.ExactArgs(1),
+		Short: "Checkout and install a dotfiles repository from a Git URL",
+		Example: formatExamples(
+			example{
+				Description: "Check out and install a dotfiles repository without prompts",
+				Command:     "coder dotfiles --yes git@github.com:example/dotfiles.git",
+			},
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var (
+				dotfilesRepoDir = "dotfiles"
+				gitRepo         = args[0]
+				cfg             = createConfig(cmd)
+				cfgDir          = string(cfg)
+				dotfilesDir     = filepath.Join(cfgDir, dotfilesRepoDir)
+				// This follows the same pattern outlined by others in the market:
+				// https://github.com/coder/coder/pull/1696#issue-1245742312
+				installScriptSet = []string{
+					"install.sh",
+					"install",
+					"bootstrap.sh",
+					"bootstrap",
+					"script/bootstrap",
+					"setup.sh",
+					"setup",
+					"script/setup",
+				}
+			)
+
+			_, _ = fmt.Fprint(cmd.OutOrStdout(), "Checking if dotfiles repository already exists...\n")
+			dotfilesExists, err := dirExists(dotfilesDir)
+			if err != nil {
+				return xerrors.Errorf("checking dir %s: %w", dotfilesDir, err)
+			}
+
+			moved := false
+			if dotfilesExists {
+				du, err := cfg.DotfilesURL().Read()
+				if err != nil && !errors.Is(err, os.ErrNotExist) {
+					return xerrors.Errorf("reading dotfiles url config: %w", err)
+				}
+				// if the git url has changed we create a backup and clone fresh
+				if gitRepo != du {
+					backupDir := fmt.Sprintf("%s_backup_%s", dotfilesDir, time.Now().Format(time.RFC3339))
+					_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      fmt.Sprintf("The dotfiles URL has changed from %q to %q.\n  Coder will backup the existing repo to %s.\n\n  Continue?", du, gitRepo, backupDir),
+						IsConfirm: true,
+					})
+					if err != nil {
+						return err
+					}
+
+					err = os.Rename(dotfilesDir, backupDir)
+					if err != nil {
+						return xerrors.Errorf("renaming dir %s: %w", dotfilesDir, err)
+					}
+					_, _ = fmt.Fprint(cmd.OutOrStdout(), "Done backup up dotfiles.\n")
+					dotfilesExists = false
+					moved = true
+				}
+			}
+
+			var (
+				gitCmdDir   string
+				subcommands []string
+				promptText  string
+			)
+			if dotfilesExists {
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Found dotfiles repository at %s\n", dotfilesDir)
+				gitCmdDir = dotfilesDir
+				subcommands = []string{"pull", "--ff-only"}
+				promptText = fmt.Sprintf("Pulling latest from %s into directory %s.\n  Continue?", gitRepo, dotfilesDir)
+			} else {
+				if !moved {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Did not find dotfiles repository at %s\n", dotfilesDir)
+				}
+				gitCmdDir = cfgDir
+				subcommands = []string{"clone", args[0], dotfilesRepoDir}
+				promptText = fmt.Sprintf("Cloning %s into directory %s.\n\n  Continue?", gitRepo, dotfilesDir)
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      promptText,
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			// ensure command dir exists
+			err = os.MkdirAll(gitCmdDir, 0750)
+			if err != nil {
+				return xerrors.Errorf("ensuring dir at %s: %w", gitCmdDir, err)
+			}
+
+			// check if git ssh command already exists so we can just wrap it
+			gitsshCmd := os.Getenv("GIT_SSH_COMMAND")
+			if gitsshCmd == "" {
+				gitsshCmd = "ssh"
+			}
+
+			// clone or pull repo
+			c := exec.CommandContext(cmd.Context(), "git", subcommands...)
+			c.Dir = gitCmdDir
+			c.Env = append(os.Environ(), fmt.Sprintf(`GIT_SSH_COMMAND=%s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, gitsshCmd))
+			c.Stdout = cmd.OutOrStdout()
+			c.Stderr = cmd.ErrOrStderr()
+			err = c.Run()
+			if err != nil {
+				if !dotfilesExists {
+					return err
+				}
+				// if the repo exists we soft fail the update operation and try to continue
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Error.Render("Failed to update repo, continuing..."))
+			}
+
+			// save git repo url so we can detect changes next time
+			err = cfg.DotfilesURL().Write(gitRepo)
+			if err != nil {
+				return xerrors.Errorf("writing dotfiles url config: %w", err)
+			}
+
+			files, err := os.ReadDir(dotfilesDir)
+			if err != nil {
+				return xerrors.Errorf("reading files in dir %s: %w", dotfilesDir, err)
+			}
+
+			var dotfiles []string
+			for _, f := range files {
+				// make sure we do not copy `.git*` files
+				if strings.HasPrefix(f.Name(), ".") && !strings.HasPrefix(f.Name(), ".git") {
+					dotfiles = append(dotfiles, f.Name())
+				}
+			}
+
+			script := findScript(installScriptSet, files)
+			if script != "" {
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("Running install script %s.\n\n  Continue?", script),
+					IsConfirm: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Running %s...\n", script)
+				// it is safe to use a variable command here because it's from
+				// a filtered list of pre-approved install scripts
+				// nolint:gosec
+				scriptCmd := exec.CommandContext(cmd.Context(), filepath.Join(dotfilesDir, script))
+				scriptCmd.Dir = dotfilesDir
+				scriptCmd.Stdout = cmd.OutOrStdout()
+				scriptCmd.Stderr = cmd.ErrOrStderr()
+				err = scriptCmd.Run()
+				if err != nil {
+					return xerrors.Errorf("running %s: %w", script, err)
+				}
+
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Dotfiles installation complete.")
+				return nil
+			}
+
+			if len(dotfiles) == 0 {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "No install scripts or dotfiles found, nothing to do.")
+				return nil
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "No install scripts found, symlinking dotfiles to home directory.\n\n  Continue?",
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			if symlinkDir == "" {
+				symlinkDir, err = os.UserHomeDir()
+				if err != nil {
+					return xerrors.Errorf("getting user home: %w", err)
+				}
+			}
+
+			for _, df := range dotfiles {
+				from := filepath.Join(dotfilesDir, df)
+				to := filepath.Join(symlinkDir, df)
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Symlinking %s to %s...\n", from, to)
+
+				isRegular, err := isRegular(to)
+				if err != nil {
+					return xerrors.Errorf("checking symlink for %s: %w", to, err)
+				}
+				// move conflicting non-symlink files to file.ext.bak
+				if isRegular {
+					backup := fmt.Sprintf("%s.bak", to)
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Moving %s to %s...\n", to, backup)
+					err = os.Rename(to, backup)
+					if err != nil {
+						return xerrors.Errorf("renaming dir %s: %w", to, err)
+					}
+				}
+
+				err = os.Symlink(from, to)
+				if err != nil {
+					return xerrors.Errorf("symlinking %s to %s: %w", from, to, err)
+				}
+			}
+
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Dotfiles installation complete.")
+			return nil
+		},
+	}
+	cliui.AllowSkipPrompt(cmd)
+	cliflag.StringVarP(cmd.Flags(), &symlinkDir, "symlink-dir", "", "CODER_SYMLINK_DIR", "", "Specifies the directory for the dotfiles symlink destinations. If empty will use $HOME.")
+
+	return cmd
+}
+
+// dirExists checks if the path exists and is a directory.
+func dirExists(name string) (bool, error) {
+	fi, err := os.Stat(name)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+
+		return false, xerrors.Errorf("stat dir: %w", err)
+	}
+	if !fi.IsDir() {
+		return false, xerrors.New("exists but not a directory")
+	}
+
+	return true, nil
+}
+
+// findScript will find the first file that matches the script set.
+func findScript(scriptSet []string, files []fs.DirEntry) string {
+	for _, i := range scriptSet {
+		for _, f := range files {
+			if f.Name() == i {
+				return f.Name()
+			}
+		}
+	}
+
+	return ""
+}
+
+// isRegular detects if the file exists and is not a symlink.
+func isRegular(to string) (bool, error) {
+	fi, err := os.Lstat(to)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return false, nil
+		}
+		return false, xerrors.Errorf("lstat %s: %w", to, err)
+	}
+
+	return fi.Mode().IsRegular(), nil
+}
@@ -0,0 +1,141 @@
+package cli_test
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/cryptorand"
+)
+
+// nolint:paralleltest
+func TestDotfiles(t *testing.T) {
+	t.Run("MissingArg", func(t *testing.T) {
+		cmd, _ := clitest.New(t, "dotfiles")
+		err := cmd.Execute()
+		require.Error(t, err)
+	})
+	t.Run("NoInstallScript", func(t *testing.T) {
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", ".bashrc")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add .bashrc"`)
+		c.Dir = testRepo
+		out, err := c.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow")
+	})
+	t.Run("InstallScript", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("install scripts on windows require sh and aren't very practical")
+		}
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, "install.sh"), []byte("#!/bin/bash\necho wow > "+filepath.Join(string(root), ".bashrc")), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", "install.sh")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add install.sh"`)
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow\n")
+	})
+	t.Run("SymlinkBackup", func(t *testing.T) {
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		require.NoError(t, err)
+
+		// add a conflicting file at destination
+		// nolint:gosec
+		err = os.WriteFile(filepath.Join(string(root), ".bashrc"), []byte("backup"), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", ".bashrc")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add .bashrc"`)
+		c.Dir = testRepo
+		out, err := c.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow")
+
+		// check for backup file
+		b, err = os.ReadFile(filepath.Join(string(root), ".bashrc.bak"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "backup")
+	})
+}
+
+func testGitRepo(t *testing.T, root config.Root) string {
+	r, err := cryptorand.String(8)
+	require.NoError(t, err)
+	dir := filepath.Join(string(root), fmt.Sprintf("test-repo-%s", r))
+	err = os.MkdirAll(dir, 0750)
+	require.NoError(t, err)
+
+	c := exec.Command("git", "init")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	c = exec.Command("git", "config", "user.email", "ci@coder.com")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	c = exec.Command("git", "config", "user.name", "C I")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	return dir
+}
@@ -0,0 +1,83 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"os/signal"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/gitauth"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/retry"
+)
+
+// gitAskpass is used by the Coder agent to automatically authenticate
+// with Git providers based on a hostname.
+func gitAskpass() *cobra.Command {
+	return &cobra.Command{
+		Use:    "gitaskpass",
+		Hidden: true,
+		Args:   cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			defer stop()
+
+			user, host, err := gitauth.ParseAskpass(args[0])
+			if err != nil {
+				return xerrors.Errorf("parse host: %w", err)
+			}
+
+			client, err := createAgentClient(cmd)
+			if err != nil {
+				return xerrors.Errorf("create agent client: %w", err)
+			}
+
+			token, err := client.WorkspaceAgentGitAuth(ctx, host, false)
+			if err != nil {
+				var apiError *codersdk.Error
+				if errors.As(err, &apiError) && apiError.StatusCode() == http.StatusNotFound {
+					// This prevents the "Run 'coder --help' for usage"
+					// message from occurring.
+					cmd.Printf("%s\n", apiError.Message)
+					return cliui.Canceled
+				}
+				return xerrors.Errorf("get git token: %w", err)
+			}
+			if token.URL != "" {
+				if err := openURL(cmd, token.URL); err == nil {
+					cmd.Printf("Your browser has been opened to authenticate with Git:\n\n\t%s\n\n", token.URL)
+				} else {
+					cmd.Printf("Open the following URL to authenticate with Git:\n\n\t%s\n\n", token.URL)
+				}
+
+				for r := retry.New(250*time.Millisecond, 10*time.Second); r.Wait(ctx); {
+					token, err = client.WorkspaceAgentGitAuth(ctx, host, true)
+					if err != nil {
+						continue
+					}
+					cmd.Printf("You've been authenticated with Git!\n")
+					break
+				}
+			}
+
+			if token.Password != "" {
+				if user == "" {
+					fmt.Fprintln(cmd.OutOrStdout(), token.Username)
+				} else {
+					fmt.Fprintln(cmd.OutOrStdout(), token.Password)
+				}
+			} else {
+				fmt.Fprintln(cmd.OutOrStdout(), token.Username)
+			}
+
+			return nil
+		},
+	}
+}
@@ -0,0 +1,97 @@
+package cli_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+// nolint:paralleltest
+func TestGitAskpass(t *testing.T) {
+	t.Setenv("GIT_PREFIX", "/")
+	t.Run("UsernameAndPassword", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(context.Background(), w, http.StatusOK, codersdk.WorkspaceAgentGitAuthResponse{
+				Username: "something",
+				Password: "bananas",
+			})
+		}))
+		t.Cleanup(srv.Close)
+		url := srv.URL
+		cmd, _ := clitest.New(t, "--agent-url", url, "Username for 'https://github.com':")
+		pty := ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		err := cmd.Execute()
+		require.NoError(t, err)
+		pty.ExpectMatch("something")
+
+		cmd, _ = clitest.New(t, "--agent-url", url, "Password for 'https://potato@github.com':")
+		pty = ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		err = cmd.Execute()
+		require.NoError(t, err)
+		pty.ExpectMatch("bananas")
+	})
+
+	t.Run("NoHost", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(context.Background(), w, http.StatusNotFound, codersdk.Response{
+				Message: "Nope!",
+			})
+		}))
+		t.Cleanup(srv.Close)
+		url := srv.URL
+		cmd, _ := clitest.New(t, "--agent-url", url, "--no-open", "Username for 'https://github.com':")
+		pty := ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		err := cmd.Execute()
+		require.ErrorIs(t, err, cliui.Canceled)
+		pty.ExpectMatch("Nope!")
+	})
+
+	t.Run("Poll", func(t *testing.T) {
+		resp := atomic.Pointer[codersdk.WorkspaceAgentGitAuthResponse]{}
+		resp.Store(&codersdk.WorkspaceAgentGitAuthResponse{
+			URL: "https://something.org",
+		})
+		poll := make(chan struct{}, 10)
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			val := resp.Load()
+			if r.URL.Query().Has("listen") {
+				poll <- struct{}{}
+				if val.URL != "" {
+					httpapi.Write(context.Background(), w, http.StatusInternalServerError, val)
+					return
+				}
+			}
+			httpapi.Write(context.Background(), w, http.StatusOK, val)
+		}))
+		t.Cleanup(srv.Close)
+		url := srv.URL
+
+		cmd, _ := clitest.New(t, "--agent-url", url, "--no-open", "Username for 'https://github.com':")
+		pty := ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		go func() {
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		<-poll
+		resp.Store(&codersdk.WorkspaceAgentGitAuthResponse{
+			Username: "username",
+			Password: "password",
+		})
+		pty.ExpectMatch("username")
+	})
+}
@@ -0,0 +1,189 @@
+package cli
+
+import (
+	"bufio"
+	"bytes"
+	"context"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+func gitssh() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:    "gitssh",
+		Hidden: true,
+		Short:  `Wraps the "ssh" command and uses the coder gitssh key for authentication`,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			env := os.Environ()
+
+			// Catch interrupt signals to ensure the temporary private
+			// key file is cleaned up on most cases.
+			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			defer stop()
+
+			// Early check so errors are reported immediately.
+			identityFiles, err := parseIdentityFilesForHost(ctx, args, env)
+			if err != nil {
+				return err
+			}
+
+			client, err := createAgentClient(cmd)
+			if err != nil {
+				return xerrors.Errorf("create agent client: %w", err)
+			}
+			key, err := client.AgentGitSSHKey(ctx)
+			if err != nil {
+				return xerrors.Errorf("get agent git ssh token: %w", err)
+			}
+
+			privateKeyFile, err := os.CreateTemp("", "coder-gitsshkey-*")
+			if err != nil {
+				return xerrors.Errorf("create temp gitsshkey file: %w", err)
+			}
+			defer func() {
+				_ = privateKeyFile.Close()
+				_ = os.Remove(privateKeyFile.Name())
+			}()
+			_, err = privateKeyFile.WriteString(key.PrivateKey)
+			if err != nil {
+				return xerrors.Errorf("write to temp gitsshkey file: %w", err)
+			}
+			err = privateKeyFile.Close()
+			if err != nil {
+				return xerrors.Errorf("close temp gitsshkey file: %w", err)
+			}
+
+			// Append our key, giving precedence to user keys. Note that
+			// OpenSSH server are typically configured with MaxAuthTries
+			// set to the default value of 6. This means that only the 6
+			// first keys can be tried. However, we will assume that if
+			// a user has configured 6+ keys for a host, they know what
+			// they're doing. This behavior is critical if a server has
+			// been configured with MaxAuthTries set to 1.
+			identityFiles = append(identityFiles, privateKeyFile.Name())
+
+			var identityArgs []string
+			for _, id := range identityFiles {
+				identityArgs = append(identityArgs, "-i", id)
+			}
+
+			args = append(identityArgs, args...)
+			c := exec.CommandContext(ctx, "ssh", args...)
+			c.Env = append(c.Env, env...)
+			c.Stderr = cmd.ErrOrStderr()
+			c.Stdout = cmd.OutOrStdout()
+			c.Stdin = cmd.InOrStdin()
+			err = c.Run()
+			if err != nil {
+				exitErr := &exec.ExitError{}
+				if xerrors.As(err, &exitErr) && exitErr.ExitCode() == 255 {
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(),
+						"\n"+cliui.Styles.Wrap.Render("Coder authenticates with "+cliui.Styles.Field.Render("git")+
+							" using the public key below. All clones with SSH are authenticated automatically 🪄.")+"\n")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Code.Render(strings.TrimSpace(key.PublicKey))+"\n")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "Add to GitHub and GitLab:")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"https://github.com/settings/ssh/new")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"https://gitlab.com/-/profile/keys")
+					_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+					return err
+				}
+				return xerrors.Errorf("run ssh command: %w", err)
+			}
+
+			return nil
+		},
+	}
+
+	return cmd
+}
+
+// fallbackIdentityFiles is the list of identity files SSH tries when
+// none have been defined for a host.
+var fallbackIdentityFiles = strings.Join([]string{
+	"identityfile ~/.ssh/id_rsa",
+	"identityfile ~/.ssh/id_dsa",
+	"identityfile ~/.ssh/id_ecdsa",
+	"identityfile ~/.ssh/id_ecdsa_sk",
+	"identityfile ~/.ssh/id_ed25519",
+	"identityfile ~/.ssh/id_ed25519_sk",
+	"identityfile ~/.ssh/id_xmss",
+}, "\n")
+
+// parseIdentityFilesForHost uses ssh -G to discern what SSH keys have
+// been enabled for the host (via the users SSH config) and returns a
+// list of existing identity files.
+//
+// We do this because when no keys are defined for a host, SSH uses
+// fallback keys (see above). However, by passing `-i` to attach our
+// private key, we're effectively disabling the fallback keys.
+//
+// Example invocation:
+//
+//	ssh -G -o SendEnv=GIT_PROTOCOL git@github.com git-upload-pack 'coder/coder'
+//
+// The extra arguments work without issue and lets us run the command
+// as-is without stripping out the excess (git-upload-pack 'coder/coder').
+func parseIdentityFilesForHost(ctx context.Context, args, env []string) (identityFiles []string, error error) {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return nil, xerrors.Errorf("get user home dir failed: %w", err)
+	}
+
+	var outBuf bytes.Buffer
+	var r io.Reader = &outBuf
+
+	args = append([]string{"-G"}, args...)
+	cmd := exec.CommandContext(ctx, "ssh", args...)
+	cmd.Env = append(cmd.Env, env...)
+	cmd.Stdout = &outBuf
+	cmd.Stderr = io.Discard
+	err = cmd.Run()
+	if err != nil {
+		// If ssh -G failed, the SSH version is likely too old, fallback
+		// to using the default identity files.
+		r = strings.NewReader(fallbackIdentityFiles)
+	}
+
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		if strings.HasPrefix(line, "identityfile ") {
+			id := strings.TrimPrefix(line, "identityfile ")
+			if strings.HasPrefix(id, "~/") {
+				id = home + id[1:]
+			}
+			// OpenSSH on Windows is weird, it supports using (and does
+			// use) mixed \ and / in paths.
+			//
+			// Example: C:\Users\ZeroCool/.ssh/known_hosts
+			//
+			// To check the file existence in Go, though, we want to use
+			// proper Windows paths.
+			// OpenSSH is amazing, this will work on Windows too:
+			// C:\Users\ZeroCool/.ssh/id_rsa
+			id = filepath.FromSlash(id)
+
+			// Only include the identity file if it exists.
+			if _, err := os.Stat(id); err == nil {
+				identityFiles = append(identityFiles, id)
+			}
+		}
+	}
+	if err := s.Err(); err != nil {
+		// This should never happen, the check is for completeness.
+		return nil, xerrors.Errorf("scan ssh output: %w", err)
+	}
+
+	return identityFiles, nil
+}
@@ -0,0 +1,260 @@
+package cli_test
+
+import (
+	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync/atomic"
+	"testing"
+
+	"github.com/gliderlabs/ssh"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/require"
+	gossh "golang.org/x/crypto/ssh"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func prepareTestGitSSH(ctx context.Context, t *testing.T) (*codersdk.Client, string, gossh.PublicKey) {
+	t.Helper()
+
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	user := coderdtest.CreateFirstUser(t, client)
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer t.Cleanup(cancel) // Defer so that cancel is the first cleanup.
+
+	// get user public key
+	keypair, err := client.GitSSHKey(ctx, codersdk.Me)
+	require.NoError(t, err)
+	//nolint:dogsled
+	pubkey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(keypair.PublicKey))
+	require.NoError(t, err)
+
+	// setup template
+	agentToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse:         echo.ParseComplete,
+		ProvisionPlan: echo.ProvisionComplete,
+		ProvisionApply: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "somename",
+						Type: "someinstance",
+						Agents: []*proto.Agent{{
+							Auth: &proto.Agent_Token{
+								Token: agentToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	// start workspace agent
+	cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String())
+	agentClient := client
+	clitest.SetupConfig(t, agentClient, root)
+
+	errC := make(chan error, 1)
+	go func() {
+		errC <- cmd.ExecuteContext(ctx)
+	}()
+	t.Cleanup(func() { require.NoError(t, <-errC) })
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+	return agentClient, agentToken, pubkey
+}
+
+func serveSSHForGitSSH(t *testing.T, handler func(ssh.Session), pubkeys ...gossh.PublicKey) *net.TCPAddr {
+	t.Helper()
+
+	// start ssh server
+	l, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = l.Close() })
+
+	serveOpts := []ssh.Option{
+		ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+			for _, pubkey := range pubkeys {
+				if ssh.KeysEqual(pubkey, key) {
+					return true
+				}
+			}
+			return false
+		}),
+	}
+	errC := make(chan error, 1)
+	go func() {
+		// as long as we get a successful session we don't care if the server errors
+		errC <- ssh.Serve(l, handler, serveOpts...)
+	}()
+	t.Cleanup(func() {
+		_ = l.Close() // Ensure server shutdown.
+		<-errC
+	})
+
+	// start ssh session
+	addr, ok := l.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+
+	return addr
+}
+
+func writePrivateKeyToFile(t *testing.T, name string, key *ecdsa.PrivateKey) {
+	t.Helper()
+
+	b, err := x509.MarshalPKCS8PrivateKey(key)
+	require.NoError(t, err)
+	b = pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: b,
+	})
+
+	err = os.WriteFile(name, b, 0o600)
+	require.NoError(t, err)
+}
+
+func TestGitSSH(t *testing.T) {
+	t.Parallel()
+	t.Run("Dial", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		client, token, pubkey := prepareTestGitSSH(ctx, t)
+		var inc int64
+		errC := make(chan error, 1)
+		addr := serveSSHForGitSSH(t, func(s ssh.Session) {
+			atomic.AddInt64(&inc, 1)
+			t.Log("got authenticated session")
+			select {
+			case errC <- s.Exit(0):
+			default:
+				t.Error("error channel is full")
+			}
+		}, pubkey)
+
+		// set to agent config dir
+		cmd, _ := clitest.New(t,
+			"gitssh",
+			"--agent-url", client.URL.String(),
+			"--agent-token", token,
+			"--",
+			fmt.Sprintf("-p%d", addr.Port),
+			"-o", "StrictHostKeyChecking=no",
+			"-o", "IdentitiesOnly=yes",
+			"127.0.0.1",
+		)
+		err := cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		require.EqualValues(t, 1, inc)
+
+		err = <-errC
+		require.NoError(t, err, "error in agent execute")
+	})
+
+	t.Run("Local SSH Keys", func(t *testing.T) {
+		t.Parallel()
+
+		home := t.TempDir()
+		sshdir := filepath.Join(home, ".ssh")
+		err := os.MkdirAll(sshdir, 0o700)
+		require.NoError(t, err)
+
+		idFile := filepath.Join(sshdir, "id_ed25519")
+		privkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		require.NoError(t, err)
+		localPubkey, err := gossh.NewPublicKey(&privkey.PublicKey)
+		require.NoError(t, err)
+		writePrivateKeyToFile(t, idFile, privkey)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		client, token, coderPubkey := prepareTestGitSSH(ctx, t)
+
+		authkey := make(chan gossh.PublicKey, 1)
+		addr := serveSSHForGitSSH(t, func(s ssh.Session) {
+			t.Logf("authenticated with: %s", gossh.MarshalAuthorizedKey(s.PublicKey()))
+			select {
+			case authkey <- s.PublicKey():
+			default:
+				t.Error("authkey channel is full")
+			}
+		}, localPubkey, coderPubkey)
+
+		// Create a new config which sets an identity file.
+		config := filepath.Join(sshdir, "config")
+		knownHosts := filepath.Join(sshdir, "known_hosts")
+		err = os.WriteFile(config, []byte(strings.Join([]string{
+			"Host mytest",
+			"  HostName 127.0.0.1",
+			fmt.Sprintf("  Port %d", addr.Port),
+			"  StrictHostKeyChecking no",
+			"  UserKnownHostsFile=" + knownHosts,
+			"  IdentitiesOnly yes",
+			"  IdentityFile=" + idFile,
+		}, "\n")), 0o600)
+		require.NoError(t, err)
+
+		pty := ptytest.New(t)
+		cmdArgs := []string{
+			"gitssh",
+			"--agent-url", client.URL.String(),
+			"--agent-token", token,
+			"--",
+			"-F", config,
+			"mytest",
+		}
+		// Test authentication via local private key.
+		cmd, _ := clitest.New(t, cmdArgs...)
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		err = cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		select {
+		case key := <-authkey:
+			require.Equal(t, localPubkey, key)
+		case <-ctx.Done():
+			t.Fatal("timeout waiting for auth")
+		}
+
+		// Delete the local private key.
+		err = os.Remove(idFile)
+		require.NoError(t, err)
+
+		// With the local file deleted, the coder key should be used.
+		cmd, _ = clitest.New(t, cmdArgs...)
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		err = cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		select {
+		case key := <-authkey:
+			require.Equal(t, coderPubkey, key)
+		case <-ctx.Done():
+			t.Fatal("timeout waiting for auth")
+		}
+	})
+}
@@ -0,0 +1,146 @@
+package cli
+
+import (
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/autobuild/schedule"
+	"github.com/coder/coder/coderd/util/ptr"
+	"github.com/coder/coder/codersdk"
+)
+
+type workspaceListRow struct {
+	Workspace  string `table:"workspace"`
+	Template   string `table:"template"`
+	Status     string `table:"status"`
+	LastBuilt  string `table:"last built"`
+	Outdated   bool   `table:"outdated"`
+	StartsAt   string `table:"starts at"`
+	StopsAfter string `table:"stops after"`
+}
+
+func workspaceListRowFromWorkspace(now time.Time, usersByID map[uuid.UUID]codersdk.User, workspace codersdk.Workspace) workspaceListRow {
+	status := codersdk.WorkspaceDisplayStatus(workspace.LatestBuild.Job.Status, workspace.LatestBuild.Transition)
+
+	lastBuilt := now.UTC().Sub(workspace.LatestBuild.Job.CreatedAt).Truncate(time.Second)
+	autostartDisplay := "-"
+	if !ptr.NilOrEmpty(workspace.AutostartSchedule) {
+		if sched, err := schedule.Weekly(*workspace.AutostartSchedule); err == nil {
+			autostartDisplay = fmt.Sprintf("%s %s (%s)", sched.Time(), sched.DaysOfWeek(), sched.Location())
+		}
+	}
+
+	autostopDisplay := "-"
+	if !ptr.NilOrZero(workspace.TTLMillis) {
+		dur := time.Duration(*workspace.TTLMillis) * time.Millisecond
+		autostopDisplay = durationDisplay(dur)
+		if !workspace.LatestBuild.Deadline.IsZero() && workspace.LatestBuild.Deadline.Time.After(now) && status == "Running" {
+			remaining := time.Until(workspace.LatestBuild.Deadline.Time)
+			autostopDisplay = fmt.Sprintf("%s (%s)", autostopDisplay, relative(remaining))
+		}
+	}
+
+	user := usersByID[workspace.OwnerID]
+	return workspaceListRow{
+		Workspace:  user.Username + "/" + workspace.Name,
+		Template:   workspace.TemplateName,
+		Status:     status,
+		LastBuilt:  durationDisplay(lastBuilt),
+		Outdated:   workspace.Outdated,
+		StartsAt:   autostartDisplay,
+		StopsAfter: autostopDisplay,
+	}
+}
+
+func list() *cobra.Command {
+	var (
+		all               bool
+		columns           []string
+		defaultQuery      = "owner:me"
+		searchQuery       string
+		me                bool
+		displayWorkspaces []workspaceListRow
+	)
+	cmd := &cobra.Command{
+		Annotations: workspaceCommand,
+		Use:         "list",
+		Short:       "List workspaces",
+		Aliases:     []string{"ls"},
+		Args:        cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			filter := codersdk.WorkspaceFilter{
+				FilterQuery: searchQuery,
+			}
+			if all && searchQuery == defaultQuery {
+				filter.FilterQuery = ""
+			}
+
+			if me {
+				myUser, err := client.User(cmd.Context(), codersdk.Me)
+				if err != nil {
+					return err
+				}
+				filter.Owner = myUser.Username
+			}
+
+			res, err := client.Workspaces(cmd.Context(), filter)
+			if err != nil {
+				return err
+			}
+			if len(res.Workspaces) == 0 {
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"No workspaces found! Create one:")
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "  "+cliui.Styles.Code.Render("coder create <name>"))
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+				return nil
+			}
+
+			userRes, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
+			if err != nil {
+				return err
+			}
+
+			usersByID := map[uuid.UUID]codersdk.User{}
+			for _, user := range userRes.Users {
+				usersByID[user.ID] = user
+			}
+
+			now := time.Now()
+			displayWorkspaces = make([]workspaceListRow, len(res.Workspaces))
+			for i, workspace := range res.Workspaces {
+				displayWorkspaces[i] = workspaceListRowFromWorkspace(now, usersByID, workspace)
+			}
+
+			out, err := cliui.DisplayTable(displayWorkspaces, "workspace", columns)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
+			return err
+		},
+	}
+
+	availColumns, err := cliui.TableHeaders(displayWorkspaces)
+	if err != nil {
+		panic(err)
+	}
+	columnString := strings.Join(availColumns[:], ", ")
+
+	cmd.Flags().BoolVarP(&all, "all", "a", false,
+		"Specifies whether all workspaces will be listed or not.")
+	cmd.Flags().StringArrayVarP(&columns, "column", "c", nil,
+		fmt.Sprintf("Specify a column to filter in the table. Available columns are: %v", columnString))
+	cmd.Flags().StringVar(&searchQuery, "search", defaultQuery, "Search for a workspace with a query.")
+	return cmd
+}
@@ -0,0 +1,45 @@
+package cli_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestList(t *testing.T) {
+	t.Parallel()
+	t.Run("Single", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "ls")
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+		done := make(chan any)
+		go func() {
+			errC := cmd.ExecuteContext(ctx)
+			assert.NoError(t, errC)
+			close(done)
+		}()
+		pty.ExpectMatch(workspace.Name)
+		pty.ExpectMatch("Started")
+		cancelFunc()
+		<-done
+	})
+}
@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"os/user"
+	"path"
 	"runtime"
 	"strings"

@@ -16,6 +17,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"

+	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/codersdk"
 )
@@ -36,11 +38,29 @@ func init() {
 }

 func login() *cobra.Command {
-	return &cobra.Command{
-		Use:  "login <url>",
-		Args: cobra.ExactArgs(1),
+	const firstUserTrialEnv = "CODER_FIRST_USER_TRIAL"
+
+	var (
+		email    string
+		username string
+		password string
+		trial    bool
+	)
+	cmd := &cobra.Command{
+		Use:   "login <url>",
+		Short: "Authenticate with Coder deployment",
+		Args:  cobra.MaximumNArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			rawURL := args[0]
+			rawURL := ""
+			if len(args) == 0 {
+				var err error
+				rawURL, err = cmd.Flags().GetString(varURL)
+				if err != nil {
+					return xerrors.Errorf("get global url flag")
+				}
+			} else {
+				rawURL = args[0]
+			}

 			if !strings.HasPrefix(rawURL, "http://") && !strings.HasPrefix(rawURL, "https://") {
 				scheme := "https"
@@ -58,71 +78,116 @@ func login() *cobra.Command {
 				serverURL.Scheme = "https"
 			}

-			client := codersdk.New(serverURL)
+			client, err := createUnauthenticatedClient(cmd, serverURL)
+			if err != nil {
+				return err
+			}
+
+			// Try to check the version of the server prior to logging in.
+			// It may be useful to warn the user if they are trying to login
+			// on a very old client.
+			err = checkVersions(cmd, client)
+			if err != nil {
+				// Checking versions isn't a fatal error so we print a warning
+				// and proceed.
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Warn.Render(err.Error()))
+			}
+
 			hasInitialUser, err := client.HasFirstUser(cmd.Context())
 			if err != nil {
-				return xerrors.Errorf("has initial user: %w", err)
+				return xerrors.Errorf("Failed to check server %q for first user, is the URL correct and is coder accessible from your browser? Error - has initial user: %w", serverURL.String(), err)
 			}
 			if !hasInitialUser {
-				if !isTTY(cmd) {
-					return xerrors.New("the initial user cannot be created in non-interactive mode. use the API")
-				}
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"Your Coder deployment hasn't been set up!\n")
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), Caret+"Your Coder deployment hasn't been set up!\n")

-				_, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:      "Would you like to create the first user?",
-					Default:   "yes",
-					IsConfirm: true,
-				})
-				if errors.Is(err, cliui.Canceled) {
-					return nil
-				}
-				if err != nil {
-					return err
-				}
-				currentUser, err := user.Current()
-				if err != nil {
-					return xerrors.Errorf("get current user: %w", err)
-				}
-				username, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:    "What " + cliui.Styles.Field.Render("username") + " would you like?",
-					Default: currentUser.Username,
-				})
-				if errors.Is(err, cliui.Canceled) {
-					return nil
-				}
-				if err != nil {
-					return xerrors.Errorf("pick username prompt: %w", err)
-				}
-
-				email, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text: "What's your " + cliui.Styles.Field.Render("email") + "?",
-					Validate: func(s string) error {
-						err := validator.New().Var(s, "email")
-						if err != nil {
-							return xerrors.New("That's not a valid email address!")
-						}
+				if username == "" {
+					if !isTTY(cmd) {
+						return xerrors.New("the initial user cannot be created in non-interactive mode. use the API")
+					}
+					_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      "Would you like to create the first user?",
+						Default:   cliui.ConfirmYes,
+						IsConfirm: true,
+					})
+					if errors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					if err != nil {
 						return err
-					},
-				})
-				if err != nil {
-					return xerrors.Errorf("specify email prompt: %w", err)
+					}
+					currentUser, err := user.Current()
+					if err != nil {
+						return xerrors.Errorf("get current user: %w", err)
+					}
+					username, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:    "What " + cliui.Styles.Field.Render("username") + " would you like?",
+						Default: currentUser.Username,
+					})
+					if errors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					if err != nil {
+						return xerrors.Errorf("pick username prompt: %w", err)
+					}
 				}

-				password, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
-					Secret:   true,
-					Validate: cliui.ValidateNotEmpty,
-				})
-				if err != nil {
-					return xerrors.Errorf("specify password prompt: %w", err)
+				if email == "" {
+					email, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text: "What's your " + cliui.Styles.Field.Render("email") + "?",
+						Validate: func(s string) error {
+							err := validator.New().Var(s, "email")
+							if err != nil {
+								return xerrors.New("That's not a valid email address!")
+							}
+							return err
+						},
+					})
+					if err != nil {
+						return xerrors.Errorf("specify email prompt: %w", err)
+					}
+				}
+
+				if password == "" {
+					var matching bool
+
+					for !matching {
+						password, err = cliui.Prompt(cmd, cliui.PromptOptions{
+							Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
+							Secret:   true,
+							Validate: cliui.ValidateNotEmpty,
+						})
+						if err != nil {
+							return xerrors.Errorf("specify password prompt: %w", err)
+						}
+						confirm, err := cliui.Prompt(cmd, cliui.PromptOptions{
+							Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
+							Secret: true,
+						})
+						if err != nil {
+							return xerrors.Errorf("confirm password prompt: %w", err)
+						}
+
+						matching = confirm == password
+						if !matching {
+							_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Error.Render("Passwords do not match"))
+						}
+					}
+				}
+
+				if !cmd.Flags().Changed("first-user-trial") && os.Getenv(firstUserTrialEnv) == "" {
+					v, _ := cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      "Start a 30-day trial of Enterprise?",
+						IsConfirm: true,
+						Default:   "yes",
+					})
+					trial = v == "yes" || v == "y"
 				}

 				_, err = client.CreateFirstUser(cmd.Context(), codersdk.CreateFirstUserRequest{
-					Email:        email,
-					Username:     username,
-					Organization: username,
-					Password:     password,
+					Email:    email,
+					Username: username,
+					Password: password,
+					Trial:    trial,
 				})
 				if err != nil {
 					return xerrors.Errorf("create initial user: %w", err)
@@ -150,37 +215,42 @@ func login() *cobra.Command {
 					cliui.Styles.Paragraph.Render(fmt.Sprintf("Welcome to Coder, %s! You're authenticated.", cliui.Styles.Keyword.Render(username)))+"\n")

 				_, _ = fmt.Fprintf(cmd.OutOrStdout(),
-					cliui.Styles.Paragraph.Render("Get started by creating a project: "+cliui.Styles.Code.Render("coder projects create"))+"\n")
+					cliui.Styles.Paragraph.Render("Get started by creating a template: "+cliui.Styles.Code.Render("coder templates init"))+"\n")
 				return nil
 			}

-			authURL := *serverURL
-			authURL.Path = serverURL.Path + "/cli-auth"
-			if err := openURL(cmd, authURL.String()); err != nil {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Open the following in your browser:\n\n\t%s\n\n", authURL.String())
-			} else {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Your browser has been opened to visit:\n\n\t%s\n\n", authURL.String())
-			}
+			sessionToken, _ := cmd.Flags().GetString(varToken)
+			if sessionToken == "" {
+				authURL := *serverURL
+				// Don't use filepath.Join, we don't want to use the os separator
+				// for a url.
+				authURL.Path = path.Join(serverURL.Path, "/cli-auth")
+				if err := openURL(cmd, authURL.String()); err != nil {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Open the following in your browser:\n\n\t%s\n\n", authURL.String())
+				} else {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Your browser has been opened to visit:\n\n\t%s\n\n", authURL.String())
+				}

-			sessionToken, err := cliui.Prompt(cmd, cliui.PromptOptions{
-				Text:   "Paste your token here:",
-				Secret: true,
-				Validate: func(token string) error {
-					client.SessionToken = token
-					_, err := client.User(cmd.Context(), "me")
-					if err != nil {
-						return xerrors.New("That's not a valid token!")
-					}
-					return err
-				},
-			})
-			if err != nil {
-				return xerrors.Errorf("paste token prompt: %w", err)
+				sessionToken, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:   "Paste your token here:",
+					Secret: true,
+					Validate: func(token string) error {
+						client.SetSessionToken(token)
+						_, err := client.User(cmd.Context(), codersdk.Me)
+						if err != nil {
+							return xerrors.New("That's not a valid token!")
+						}
+						return err
+					},
+				})
+				if err != nil {
+					return xerrors.Errorf("paste token prompt: %w", err)
+				}
 			}

 			// Login to get user data - verify it is OK before persisting
-			client.SessionToken = sessionToken
-			resp, err := client.User(cmd.Context(), "me")
+			client.SetSessionToken(sessionToken)
+			resp, err := client.User(cmd.Context(), codersdk.Me)
 			if err != nil {
 				return xerrors.Errorf("get user: %w", err)
 			}
@@ -195,10 +265,15 @@ func login() *cobra.Command {
 				return xerrors.Errorf("write server url: %w", err)
 			}

-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"Welcome to Coder, %s! You're authenticated.\n", cliui.Styles.Keyword.Render(resp.Username))
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), Caret+"Welcome to Coder, %s! You're authenticated.\n", cliui.Styles.Keyword.Render(resp.Username))
 			return nil
 		},
 	}
+	cliflag.StringVarP(cmd.Flags(), &email, "first-user-email", "", "CODER_FIRST_USER_EMAIL", "", "Specifies an email address to use if creating the first user for the deployment.")
+	cliflag.StringVarP(cmd.Flags(), &username, "first-user-username", "", "CODER_FIRST_USER_USERNAME", "", "Specifies a username to use if creating the first user for the deployment.")
+	cliflag.StringVarP(cmd.Flags(), &password, "first-user-password", "", "CODER_FIRST_USER_PASSWORD", "", "Specifies a password to use if creating the first user for the deployment.")
+	cliflag.BoolVarP(cmd.Flags(), &trial, "first-user-trial", "", firstUserTrialEnv, false, "Specifies whether a trial license should be provisioned for the Coder deployment or not.")
+	return cmd
 }

 // isWSL determines if coder-cli is running within Windows Subsystem for Linux
@@ -232,5 +307,16 @@ func openURL(cmd *cobra.Command, urlToOpen string) error {
 		return exec.Command("cmd.exe", "/c", "start", strings.ReplaceAll(urlToOpen, "&", "^&")).Start()
 	}

+	browserEnv := os.Getenv("BROWSER")
+	if browserEnv != "" {
+		browserSh := fmt.Sprintf("%s '%s'", browserEnv, urlToOpen)
+		cmd := exec.CommandContext(cmd.Context(), "sh", "-c", browserSh)
+		out, err := cmd.CombinedOutput()
+		if err != nil {
+			return xerrors.Errorf("failed to run %v (out: %q): %w", cmd.Args, out, err)
+		}
+		return nil
+	}
+
 	return browser.OpenURL(urlToOpen)
 }
@@ -2,11 +2,14 @@ package cli_test

 import (
 	"context"
+	"fmt"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/pty/ptytest"
 )
@@ -21,6 +24,15 @@ func TestLogin(t *testing.T) {
 		require.Error(t, err)
 	})

+	t.Run("InitialUserBadLoginURL", func(t *testing.T) {
+		t.Parallel()
+		badLoginURL := "https://fcca2077f06e68aaf9"
+		root, _ := clitest.New(t, "login", badLoginURL)
+		err := root.Execute()
+		errMsg := fmt.Sprintf("Failed to check server %q for first user, is the URL correct and is coder accessible from your browser?", badLoginURL)
+		require.ErrorContains(t, err, errMsg)
+	})
+
 	t.Run("InitialUserTTY", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
@@ -35,7 +47,7 @@ func TestLogin(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := root.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()

 		matches := []string{
@@ -43,6 +55,8 @@ func TestLogin(t *testing.T) {
 			"username", "testuser",
 			"email", "user@coder.com",
 			"password", "password",
+			"password", "password", // Confirm.
+			"trial", "yes",
 		}
 		for i := 0; i < len(matches); i += 2 {
 			match := matches[i]
@@ -54,6 +68,104 @@ func TestLogin(t *testing.T) {
 		<-doneChan
 	})

+	t.Run("InitialUserTTYFlag", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		// The --force-tty flag is required on Windows, because the `isatty` library does not
+		// accurately detect Windows ptys when they are not attached to a process:
+		// https://github.com/mattn/go-isatty/issues/59
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "--url", client.URL.String(), "login", "--force-tty")
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"first user?", "yes",
+			"username", "testuser",
+			"email", "user@coder.com",
+			"password", "password",
+			"password", "password", // Confirm.
+			"trial", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+	})
+
+	t.Run("InitialUserFlags", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", client.URL.String(), "--first-user-username", "testuser", "--first-user-email", "user@coder.com", "--first-user-password", "password", "--first-user-trial")
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.Execute()
+			assert.NoError(t, err)
+		}()
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+	})
+
+	t.Run("InitialUserTTYConfirmPasswordFailAndReprompt", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		client := coderdtest.New(t, nil)
+		// The --force-tty flag is required on Windows, because the `isatty` library does not
+		// accurately detect Windows ptys when they are not attached to a process:
+		// https://github.com/mattn/go-isatty/issues/59
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", "--force-tty", client.URL.String())
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.ExecuteContext(ctx)
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"first user?", "yes",
+			"username", "testuser",
+			"email", "user@coder.com",
+			"password", "mypass",
+			"password", "wrongpass", // Confirm.
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+
+		// Validate that we reprompt for matching passwords.
+		pty.ExpectMatch("Passwords do not match")
+		pty.ExpectMatch("Enter a " + cliui.Styles.Field.Render("password"))
+
+		pty.WriteLine("pass")
+		pty.ExpectMatch("Confirm")
+		pty.WriteLine("pass")
+		pty.ExpectMatch("trial")
+		pty.WriteLine("yes")
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+	})
+
 	t.Run("ExistingUserValidTokenTTY", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
@@ -67,11 +179,11 @@ func TestLogin(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := root.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()

 		pty.ExpectMatch("Paste your token here:")
-		pty.WriteLine(client.SessionToken)
+		pty.WriteLine(client.SessionToken())
 		pty.ExpectMatch("Welcome to Coder")
 		<-doneChan
 	})
@@ -92,7 +204,7 @@ func TestLogin(t *testing.T) {
 			defer close(doneChan)
 			err := root.ExecuteContext(ctx)
 			// An error is expected in this case, since the login wasn't successful:
-			require.Error(t, err)
+			assert.Error(t, err)
 		}()

 		pty.ExpectMatch("Paste your token here:")
@@ -101,4 +213,16 @@ func TestLogin(t *testing.T) {
 		cancelFunc()
 		<-doneChan
 	})
+
+	t.Run("TokenFlag", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		coderdtest.CreateFirstUser(t, client)
+		root, cfg := clitest.New(t, "login", client.URL.String(), "--token", client.SessionToken())
+		err := root.Execute()
+		require.NoError(t, err)
+		sessionFile, err := cfg.Session().Read()
+		require.NoError(t, err)
+		require.Equal(t, client.SessionToken(), sessionFile)
+	})
 }
@@ -0,0 +1,77 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+func logout() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "logout",
+		Short: "Unauthenticate your local session",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			var errors []error
+
+			config := createConfig(cmd)
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Are you sure you want to log out?",
+				IsConfirm: true,
+				Default:   cliui.ConfirmYes,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = client.Logout(cmd.Context())
+			if err != nil {
+				errors = append(errors, xerrors.Errorf("logout api: %w", err))
+			}
+
+			err = config.URL().Delete()
+			// Only throw error if the URL configuration file is present,
+			// otherwise the user is already logged out, and we proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove URL file: %w", err))
+			}
+
+			err = config.Session().Delete()
+			// Only throw error if the session configuration file is present,
+			// otherwise the user is already logged out, and we proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove session file: %w", err))
+			}
+
+			err = config.Organization().Delete()
+			// If the organization configuration file is absent, we still proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove organization file: %w", err))
+			}
+
+			if len(errors) > 0 {
+				var errorStringBuilder strings.Builder
+				for _, err := range errors {
+					_, _ = fmt.Fprint(&errorStringBuilder, "\t"+err.Error()+"\n")
+				}
+				errorString := strings.TrimRight(errorStringBuilder.String(), "\n")
+				return xerrors.New("Failed to log out.\n" + errorString)
+			}
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), Caret+"You are no longer logged in. You can log in using 'coder login <url>'.\n")
+			return nil
+		},
+	}
+
+	cliui.AllowSkipPrompt(cmd)
+	return cmd
+}
--- a/Show More
+++ b/Show More