chore: Add linter rule to prevent breaking of sse (#4144 )

* chore: Add linter rule to prevent breaking of sse
chore: Add user autocomplete (#4210 )
2022-09-27 11:14:58 -04:00 · 2022-09-27 10:23:38 -04:00 · 2022-09-27 08:24:49 -05:00 · 2022-09-27 07:54:29 -05:00 · 2022-09-27 07:38:18 -05:00 · 2022-09-27 03:51:58 +00:00
5017 changed files with 99609 additions and 26664 deletions
@@ -0,0 +1,83 @@
+FROM ubuntu
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV EDITOR=vim
+
+RUN apt-get update && apt-get upgrade
+
+RUN apt-get install --yes \
+        ca-certificates \
+        bash-completion \
+        build-essential \
+        curl \
+        cmake \
+        direnv \
+        emacs-nox \
+        gnupg \
+        htop \
+        jq \
+        less \
+        lsb-release \
+        lsof \
+        man-db \
+        nano \
+        neovim \
+        ssl-cert \
+        sudo \
+        unzip \
+        xz-utils \
+        zip
+
+# configure locales to UTF8
+RUN apt-get install locales && locale-gen en_US.UTF-8
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+# configure direnv
+RUN direnv hook bash >> $HOME/.bashrc
+
+# install nix
+RUN sh <(curl -L https://nixos.org/nix/install) --daemon
+
+RUN mkdir -p $HOME/.config/nix $HOME/.config/nixpkgs \
+        && echo 'sandbox = false' >> $HOME/.config/nix/nix.conf \
+        && echo '{ allowUnfree = true; }' >> $HOME/.config/nixpkgs/config.nix \
+        && echo '. $HOME/.nix-profile/etc/profile.d/nix.sh' >> $HOME/.bashrc
+
+
+# install docker and configure daemon to use vfs as GitHub codespaces requires vfs
+# https://github.com/moby/moby/issues/13742#issuecomment-725197223
+RUN mkdir -p /etc/apt/keyrings \
+        && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+        && echo \
+  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null \
+        && apt-get update \
+        && apt-get install --yes docker-ce docker-ce-cli containerd.io docker-compose-plugin \
+        && mkdir -p /etc/docker \
+        && echo '{"cgroup-parent":"/actions_job","storage-driver":"vfs"}' >> /etc/docker/daemon.json
+
+# install golang and language tooling
+ENV GO_VERSION=1.19
+ENV GOPATH=$HOME/go-packages
+ENV GOROOT=$HOME/go
+ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
+RUN curl -fsSL https://dl.google.com/go/go$GO_VERSION.linux-amd64.tar.gz | tar xzs
+RUN echo 'export PATH=$GOPATH/bin:$PATH' >> $HOME/.bashrc
+
+RUN bash -c ". $HOME/.bashrc \
+	go install -v golang.org/x/tools/gopls@latest \
+	&& go install -v mvdan.cc/sh/v3/cmd/shfmt@latest \
+	"
+
+# install nodejs
+RUN bash -c "$(curl -fsSL https://deb.nodesource.com/setup_14.x)" \
+	&& apt-get install -y nodejs
+
+# install zstd
+RUN bash -c "$(curl -fsSL https://raw.githubusercontent.com/horta/zstd.install/main/install)"
+
+# install nfpm
+RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list \
+	&& apt update \
+	&& apt install nfpm
+
@@ -0,0 +1,18 @@
+// For format details, see https://aka.ms/devcontainer.json
+{
+	"name": "Development environments on your infrastructure",
+
+	// Sets the run context to one level up instead of the .devcontainer folder.
+	"context": ".",
+
+	// Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
+	"dockerFile": "Dockerfile",
+
+	// Use 'forwardPorts' to make a list of ports inside the container available locally.
+	// "forwardPorts": [],
+	
+	"postStartCommand": "dockerd",
+
+	// privileged is required by GitHub codespaces - https://github.com/microsoft/vscode-dev-containers/issues/727
+	"runArgs": [ "--cap-add=SYS_PTRACE", "--security-opt", "seccomp=unconfined", "--privileged", "--init" ]	
+}
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = tab
+
+[*.{md,json,yaml,yml,tf,tfvars}]
+indent_style = space
+indent_size = 2
+
+[coderd/database/dump.sql]
+indent_style = space
+indent_size = 4
@@ -3,3 +3,7 @@ coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
 provisionerd/proto/*.go linguist-generated=true
 provisionersdk/proto/*.go linguist-generated=true
+*.tfplan.json linguist-generated=true
+*.tfstate.json linguist-generated=true
+*.tfstate.dot linguist-generated=true
+*.tfplan.dot linguist-generated=true
@@ -1,2 +1,4 @@
 site/ @coder/frontend
-site/src/xServices @presleyp
+docs/ @coder/docs
+README.md @coder/docs
+ADOPTERS.md @coder/docs
@@ -1,37 +0,0 @@
---
-name: Bug report
-about: Report a bug
-title: "Bug: "
-labels: ["bug :bug:", "needs grooming :razor:"]
---
-
-## OS Information
-
- OS:
- Browser (if applicable): 
- Architecture:
- `coder --version`:
-
-## Steps to Reproduce
-
-<!-- 1. -->
-<!-- 2. -->
-<!-- 3. -->
-
-## Expected
-
-<!-- What should happen? -->
-
-## Actual
-
-<!-- What actually happens? -->
-
-## Logs
-
-## Screenshot
-
-<!-- Ideally provide a screenshot, gif, video or screen recording. -->
-
-## Notes
-
-<!-- Anything else you want to share -->
@@ -1,5 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Question?
-    url: https://github.com/coder/coder/discussions/new?category=q-a
-    about: Ask for help on our GitHub Discussions board
@@ -1,12 +0,0 @@
---
-name: Documentation improvement
-about: Suggest a documentation improvement
-title: "Docs: "
-labels: ["documentation :memo:", "needs grooming :razor:"]
---
-
-## What is your suggestion?
-
-## How will this improve the docs?
-
-## Are you interested in submitting a PR for this?
@@ -0,0 +1,9 @@
+<!--- Provide a general summary of the issue in the Title above -->
+
+## Expected Behavior
+
+<!--- Tell us what should happen -->
+
+## Current Behavior
+
+<!--- Tell us what happens instead of the expected behavior -->
@@ -1,14 +0,0 @@
---
-name: Feature request
-about: Suggest an idea to improve coder
-title: "Feat: "
-labels: ["new feature :sparkles:", "needs grooming :razor:"]
---
-
-## What is your suggestion?
-
-## Why do you want this feature?
-
-## Are there any workarounds to get this functionality today?
-
-## Are you interested in submitting a PR for this?
@@ -1,5 +1,7 @@
 codecov:
  require_ci_to_pass: false
+  notify:
+    after_n_builds: 5

 comment: false

@@ -7,19 +9,22 @@ github_checks:
  annotations: false

 coverage:
+  range: 50..75
+  round: down
+  precision: 2
  status:
    patch:
      default:
        informational: yes
    project:
      default:
-        target: 70%
-        informational: yes
+        target: 65%
+        informational: true

 ignore:
  # This is generated code.
  - coderd/database/models.go
-  - coderd/database/query.sql.go
+  - coderd/database/queries.sql.go
  - coderd/database/databasefake
  # These are generated or don't require tests.
  - cmd
@@ -29,6 +34,10 @@ ignore:
  - peerbroker/proto
  - provisionerd/proto
  - provisionersdk/proto
-  - scripts/datadog-cireport
+  - scripts
  - site/.storybook
  - rules.go
+  # Packages used for writing tests.
+  - cli/clitest
+  - coderd/coderdtest
+  - pty/ptytest
@@ -3,9 +3,10 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
+    labels: []
    commit-message:
      prefix: "chore"
    ignore:
@@ -27,27 +28,32 @@ updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
-    labels:
-      - "dependencies"
-      - "go"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+        - version-update:semver-patch

  - package-ecosystem: "npm"
    directory: "/site/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
-    labels:
-      - "dependencies"
-      - "typescript/js"
+    labels: []
    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+        - version-update:semver-patch
      # Ignore major updates to Node.js types, because they need to
      # correspond to the Node.js engine version
      - dependency-name: "@types/node"
@@ -55,16 +61,14 @@ updates:
          - version-update:semver-major

  - package-ecosystem: "terraform"
-    directory: "/examples"
+    directory: "/examples/templates"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
-    labels:
-      - "dependencies"
-      - "terraform"
+    labels: []
    ignore:
      # We likely want to update this ourselves.
      - dependency-name: "coder/coder"
@@ -1,13 +1,3 @@
-<!-- Help reviewers by listing the subtasks in this PR
-
-Here's an example:
-
-This PR adds a new feature to the CLI.
-
-## Subtasks
-
- [x] added a test for feature
-
-Fixes #345
-
+<!--
+Check if your change requires documentation edits before merging: https://coder.com/docs/coder. Make edits in `docs/`.
 -->
@@ -1,14 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 14
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 5
-# Only apply the stale logic to pulls, since we are using issues to manage work
-only: pulls
-# Label to apply when stale.
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no activity occurs in the next 5 days.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
@@ -1,60 +0,0 @@
-# Note: Chromatic is a separate workflow for coder.yaml as suggested by the
-# chromatic docs. Explicitly, Chromatic works best on 'push' instead of other
-# event types (like pull request), keep in mind that it works build-over-build
-# by storing snapshots.
-#
-# SEE: https://www.chromatic.com/docs/ci
-name: chromatic
-
-on:
-  push:
-    branches:
-      - main
-    tags:
-      - "*"
-
-  pull_request:
-
-jobs:
-  deploy:
-    # REMARK: this is only used to build storybook and deploy it to Chromatic.
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          # Required by Chromatic for build-over-build history, otherwise we
-          # only get 1 commit on shallow checkout.
-          fetch-depth: 0
-
-      - name: Install dependencies
-        run: cd site && yarn
-
-      # This step is not meant for mainline because any detected changes to
-      # storybook snapshots will require manual approval/review in order for
-      # the check to pass. This is desired in PRs, but not in mainline.
-      - name: Publish to Chromatic (non-mainline)
-        if: github.ref != 'refs/heads/main'
-        uses: chromaui/action@v1
-        with:
-          buildScriptName: "storybook:build"
-          exitOnceUploaded: true
-          # Chromatic states its fine to make this token public. See:
-          # https://www.chromatic.com/docs/github-actions#forked-repositories
-          projectToken: 695c25b6cb65
-          workingDir: "./site"
-
-      # This is a separate step for mainline only that auto accepts and changes
-      # instead of holding CI up. Since we squash/merge, this is defensive to
-      # avoid the same changeset from requiring review once squashed into
-      # main. Chromatic is supposed to be able to detect that we use squash
-      # commits, but it's good to be defensive in case, otherwise CI remains
-      # infinitely "in progress" in mainline unless we re-review each build.
-      - name: Publish to Chromatic (mainline)
-        if: github.ref == 'refs/heads/main'
-        uses: chromaui/action@v1
-        with:
-          autoAcceptChanges: true
-          buildScriptName: "storybook:build"
-          projectToken: 695c25b6cb65
-          workingDir: "./site"
@@ -30,6 +30,64 @@ concurrency:
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}

 jobs:
+  typos:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: typos-action
+        uses: crate-ci/typos@master
+        with:
+          config: .github/workflows/typos.toml
+      - name: Fix Helper
+        if: ${{ failure() }}
+        run: |
+          echo "::notice:: you can automatically fix typos from your CLI:
+          cargo install typos-cli
+          typos -c .github/workflows/typos.toml -w"
+
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      docs-only: ${{ steps.filter.outputs.docs_count == steps.filter.outputs.all_count }}
+      sh: ${{ steps.filter.outputs.sh }}
+      ts: ${{ steps.filter.outputs.ts }}
+      k8s: ${{ steps.filter.outputs.k8s }}
+    steps:
+      - uses: actions/checkout@v3
+      # For pull requests it's not necessary to checkout the code
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            all:
+              - '**'
+            docs:
+              - 'docs/**'
+              # For testing:
+              # - '.github/**'
+            sh:
+              - "**.sh"
+            ts:
+              - 'site/**'
+            k8s:
+              - 'helm/**'
+              - Dockerfile
+              - scripts/helm.sh
+      - id: debug
+        run: |
+          echo "${{ toJSON(steps.filter )}}"
+
+  # Debug step
+  debug-inputs:
+    needs:
+      - changes
+    runs-on: ubuntu-latest
+    steps:
+      - id: log
+        run: |
+          echo "${{ toJSON(needs) }}"
+
  style-lint-golangci:
    name: style/lint/golangci
    timeout-minutes: 5
@@ -38,11 +96,33 @@ jobs:
      - uses: actions/checkout@v3
      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3.2.0
        with:
-          version: v1.46.0
+          version: v1.48.0
+
+  check-enterprise-imports:
+    name: check/enterprise-imports
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Check imports of enterprise code
+        run: ./scripts/check_enterprise_imports.sh
+
+  style-lint-shellcheck:
+    name: style/lint/shellcheck
+    timeout-minutes: 5
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@1.1.0
+        env:
+          SHELLCHECK_OPTS: --external-sources
+        with:
+          ignore: node_modules

  style-lint-typescript:
    name: "style/lint/typescript"
@@ -70,10 +150,32 @@ jobs:
        run: yarn lint
        working-directory: site

+  style-lint-k8s:
+    name: "style/lint/k8s"
+    timeout-minutes: 5
+    needs: changes
+    if: needs.changes.outputs.k8s == 'true'
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.9.2
+
+      - name: cd helm && make lint
+        run: |
+          cd helm
+          make lint
+
  gen:
    name: "style/gen"
-    timeout-minutes: 5
+    timeout-minutes: 8
    runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.docs-only == 'false'
    steps:
      - uses: actions/checkout@v3

@@ -91,22 +193,55 @@ jobs:
      - name: Install node_modules
        run: ./scripts/yarn_install.sh

-      - name: Install Protoc
-        uses: arduino/setup-protoc@v1
-        with:
-          version: "3.20.0"
      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
-      - run: curl -sSL
-          https://github.com/kyleconroy/sqlc/releases/download/v1.13.0/sqlc_1.13.0_linux_amd64.tar.gz
-          | sudo tar -C /usr/bin -xz sqlc
+          go-version: "~1.19"

-      - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
-      - run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
-      - run: go install golang.org/x/tools/cmd/goimports@latest
-      - run: "make --output-sync -j gen"
-      - run: ./scripts/check_unstaged.sh
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=go-build::$(go env GOCACHE)"
+          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-build }}
+          key: ${{ github.job }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.go-mod }}
+          key: ${{ github.job }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.13.0/sqlc_1.13.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile
+          # or the version in the comments will differ.
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
+
+      - name: make gen
+        run: "make --output-sync -j -B gen"
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh

  style-fmt:
    name: "style/fmt"
@@ -133,8 +268,13 @@ jobs:
      - name: Install node_modules
        run: ./scripts/yarn_install.sh

-      - name: "make fmt"
-        run: "make --output-sync -j fmt"
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
+
+      - name: make fmt
+        run: |
+          export PATH=${PATH}:$(go env GOPATH)/bin
+          make --output-sync -j -B fmt

  test-go:
    name: "test/go"
@@ -151,7 +291,7 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - name: Echo Go Cache Paths
        id: go-cache-paths
@@ -163,7 +303,7 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}

      - name: Go Mod Cache
        uses: actions/cache@v3
@@ -171,8 +311,8 @@ jobs:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

-      - name: Install goreleaser
-        uses: jaxxstorm/action-install-gh-release@v1.6.0
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.7.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -181,46 +321,55 @@ jobs:

      - uses: hashicorp/setup-terraform@v2
        with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
          terraform_wrapper: false

      - name: Test with Mock Database
+        id: test
        shell: bash
-        env:
-          GOCOUNT: ${{ runner.os == 'Windows' && 1 || 2 }}
-          GOMAXPROCS: ${{ runner.os == 'Windows' && 1 || 2 }}
-        run: gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage"
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -timeout=3m -count=$GOCOUNT -short -failfast
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: fake
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
+        run: |
+          # Code coverage is more computationally expensive and also
+          # prevents test caching, so we disable it on alternate operating
+          # systems.
+          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
+            echo ::set-output name=cover::true
+            export COVERAGE_FLAGS='-covermode=atomic -coverprofile="gotests.coverage" -coverpkg=./...'
+          else
+            echo ::set-output name=cover::false
+          fi
+          set -x
+          test_timeout=5m
+          if [[ "${{ matrix.os }}" == windows* ]]; then
+            test_timeout=10m
+          fi
+          gotestsum --junitfile="gotests.xml" --packages="./..." -- -parallel=8 -timeout=$test_timeout -short -failfast $COVERAGE_FLAGS

      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: steps.test.outputs.cover && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./gotests.coverage
          flags: unittest-go-${{ matrix.os }}
-          fail_ci_if_error: true

  test-go-postgres:
    name: "test/go/postgres"
    runs-on: ubuntu-latest
-    timeout-minutes: 20
+    # This timeout must be greater than the timeout set by `go test` in
+    # `make test-postgres` to ensure we receive a trace of running
+    # goroutines. Setting this to the timeout +5m should work quite well
+    # even if some of the preceding steps are slow.
+    timeout-minutes: 25
    steps:
      - uses: actions/checkout@v3

      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - name: Echo Go Cache Paths
        id: go-cache-paths
@@ -232,7 +381,7 @@ jobs:
        uses: actions/cache@v3
        with:
          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}

      - name: Go Mod Cache
        uses: actions/cache@v3
@@ -240,8 +389,8 @@ jobs:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}

-      - name: Install goreleaser
-        uses: jaxxstorm/action-install-gh-release@v1.6.0
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.7.1
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        with:
@@ -250,63 +399,39 @@ jobs:

      - uses: hashicorp/setup-terraform@v2
        with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
          terraform_wrapper: false

-      - name: Start PostgreSQL Database
-        env:
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_USER: postgres
-          POSTGRES_DB: postgres
-          PGDATA: /tmp
-        run: |
-          docker run \
-            -e POSTGRES_PASSWORD=postgres \
-            -e POSTGRES_USER=postgres \
-            -e POSTGRES_DB=postgres \
-            -e PGDATA=/tmp \
-            -p 5432:5432 \
-            -d postgres:11 \
-            -c shared_buffers=1GB \
-            -c max_connections=1000
-          while ! pg_isready -h 127.0.0.1
-          do
-              echo "$(date) - waiting for database to start"
-              sleep 0.5
-          done
-
      - name: Test with PostgreSQL Database
-        run: DB=ci gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage" -timeout=3m
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -count=1 -parallel=2 -race -failfast
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: postgresql
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
+        run: make test-postgres

      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./gotests.coverage
          flags: unittest-go-postgres-${{ matrix.os }}
-          fail_ci_if_error: true

  deploy:
    name: "deploy"
    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+    timeout-minutes: 30
+    needs: changes
+    if: |
+      github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+      && needs.changes.outputs.docs-only == 'false'
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0

      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v0
@@ -319,7 +444,7 @@ jobs:

      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - name: Echo Go Cache Paths
        id: go-cache-paths
@@ -339,10 +464,6 @@ jobs:
          path: ${{ steps.go-cache-paths.outputs.go-mod }}
          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}

-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
-
      - name: Cache Node
        id: cache-node
        uses: actions/cache@v3
@@ -350,35 +471,48 @@ jobs:
          path: |
            **/node_modules
            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          key: js-${{ runner.os }}-release-node-${{ hashFiles('**/yarn.lock') }}
          restore-keys: |
            js-${{ runner.os }}-

-      - name: Build site
-        run: make site/out/index.html
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+      - name: Install nfpm
+        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
+
+      - name: Install zstd
+        run: sudo apt-get install -y zstd

      - name: Build Release
-        uses: goreleaser/goreleaser-action@v2.9.1
-        with:
-          version: latest
-          args: release --snapshot --rm-dist --skip-sign
+        run: |
+          set -euo pipefail
+          go mod download

-      - uses: actions/upload-artifact@v3
-        with:
-          name: coder_linux_amd64.deb
-          path: ./dist/coder_*_linux_amd64.deb
+          version="$(./scripts/version.sh)"
+          make -j \
+            build/coder_"$version"_windows_amd64.zip \
+            build/coder_"$version"_linux_amd64.{tar.gz,deb}

      - name: Install Release
        run: |
          gcloud config set project coder-dogfood
          gcloud config set compute/zone us-central1-a
-          gcloud compute scp ./dist/coder_*_linux_amd64.deb coder:/tmp/coder.deb
+          gcloud compute scp ./build/coder_*_linux_amd64.deb coder:/tmp/coder.deb
          gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
          gcloud compute ssh coder -- sudo systemctl daemon-reload

      - name: Start
        run: gcloud compute ssh coder -- sudo service coder restart

+      - uses: actions/upload-artifact@v3
+        with:
+          name: coder
+          path: |
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.deb
+          retention-days: 7
+
  test-js:
    name: "test/js"
    runs-on: ubuntu-latest
@@ -397,11 +531,6 @@ jobs:
          restore-keys: |
            js-${{ runner.os }}-

-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
      - uses: actions/setup-node@v3
        with:
          node-version: "14"
@@ -413,23 +542,22 @@ jobs:
        working-directory: site

      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: ./site/coverage/lcov.info
          flags: unittest-js
-          fail_ci_if_error: true
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml

  test-e2e:
    name: "test/e2e/${{ matrix.os }}"
+    needs:
+      - changes
+    if: needs.changes.outputs.docs-only == 'false'
    runs-on: ${{ matrix.os }}
    timeout-minutes: 20
    strategy:
@@ -446,28 +574,21 @@ jobs:
          path: |
            **/node_modules
            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
+          key: js-${{ runner.os }}-e2e-${{ hashFiles('**/yarn.lock') }}

-      # Go is required for uploading the test results to datadog
      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.19"

      - uses: hashicorp/setup-terraform@v2
        with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
          terraform_wrapper: false

      - uses: actions/setup-node@v3
        with:
          node-version: "14"

-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
-
      - name: Echo Go Cache Paths
        id: go-cache-paths
        run: |
@@ -488,7 +609,8 @@ jobs:

      - name: Build
        run: |
-          make site/out/index.html
+          sudo npm install -g prettier
+          make -B site/out/index.html

      - run: yarn playwright:install
        working-directory: site
@@ -501,10 +623,55 @@ jobs:
          DEBUG: pw:api
        working-directory: site

-      - name: Upload DataDog Trace
+      - name: Upload Playwright Failed Tests
        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: e2e
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./site/test-results/**/*.webm
+          retention:days: 7
+
+  chromatic:
+    # REMARK: this is only used to build storybook and deploy it to Chromatic.
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: needs.changes.outputs.ts == 'true'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Required by Chromatic for build-over-build history, otherwise we
+          # only get 1 commit on shallow checkout.
+          fetch-depth: 0
+
+      - name: Install dependencies
+        run: cd site && yarn
+
+      # This step is not meant for mainline because any detected changes to
+      # storybook snapshots will require manual approval/review in order for
+      # the check to pass. This is desired in PRs, but not in mainline.
+      - name: Publish to Chromatic (non-mainline)
+        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          buildScriptName: "storybook:build"
+          exitOnceUploaded: true
+          # Chromatic states its fine to make this token public. See:
+          # https://www.chromatic.com/docs/github-actions#forked-repositories
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+
+      # This is a separate step for mainline only that auto accepts and changes
+      # instead of holding CI up. Since we squash/merge, this is defensive to
+      # avoid the same changeset from requiring review once squashed into
+      # main. Chromatic is supposed to be able to detect that we use squash
+      # commits, but it's good to be defensive in case, otherwise CI remains
+      # infinitely "in progress" in mainline unless we re-review each build.
+      - name: Publish to Chromatic (mainline)
+        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          autoAcceptChanges: true
+          buildScriptName: "storybook:build"
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
@@ -0,0 +1,13 @@
+# Dependabot is annoying, but this makes it a bit less so.
+name: Auto Approve Dependabot
+
+on: pull_request_target
+
+jobs:
+  auto-approve:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: hmarr/auto-approve-action@v2
+        if: github.actor == 'dependabot[bot]'
@@ -0,0 +1,51 @@
+name: dogfood
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*"
+    paths:
+      - "dogfood/**"
+  pull_request:
+    paths:
+      - "dogfood/**"
+  workflow_dispatch:
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v5.4
+
+      - name: "Branch name to Docker tag name"
+        id: docker-tag-name
+        run: |
+          tag=${{ steps.branch-name.outputs.current_branch }}
+          # Replace / with --, e.g. user/feature => user--feature.
+          tag=${tag//\//--}
+          echo "::set-output name=tag::${tag}"
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v3
+        with:
+          context: "{{defaultContext}}:dogfood"
+          push: true
+          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
+          cache-from: type=registry,ref=codercom/oss-dogfood:latest
+          cache-to: type=inline
@@ -1,66 +1,58 @@
+# GitHub release workflow.
 name: release
 on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
+    inputs:
+      snapshot:
+        description: Force a dev version to be generated, implies dry_run.
+        type: boolean
+        required: true
+      dry_run:
+        description: Perform a dry-run release.
+        type: boolean
+        required: true
+
+permissions:
+  # Required to publish a release
+  contents: write
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+
+env:
+  CODER_RELEASE: ${{ github.event.inputs.snapshot && 'false' || 'true' }}

 jobs:
-  goreleaser:
-    runs-on: macos-latest
+  release:
+    runs-on: ubuntu-latest
    env:
      # Necessary for Docker manifest
      DOCKER_CLI_EXPERIMENTAL: "enabled"
    steps:
-      # Docker is not included on macos-latest
-      - uses: docker-practice/actions-setup-docker@1.0.10
-
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
-          username: ${{ github.repository_owner }}
+          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
-
-      - name: Install Gon
-        run: |
-          brew tap mitchellh/gon
-          brew install mitchellh/gon/gon
-
-      - name: Import Signing Certificates
-        uses: Apple-Actions/import-codesign-certs@v1
-        with:
-          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
-          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+          go-version: "~1.19"

      - name: Cache Node
        id: cache-node
@@ -73,18 +65,115 @@ jobs:
          restore-keys: |
            js-${{ runner.os }}-

-      - name: Install make
-        run: brew install make
+      - name: Install nfpm
+        run: |
+          set -euo pipefail
+          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.18.1/nfpm_amd64.deb
+          sudo dpkg -i /tmp/nfpm.deb
+      - name: Install zstd
+        run: sudo apt-get install -y zstd

-      - name: Build Site
-        run: make site/out/index.html
+      - name: Install rcodesign
+        run: |
+          set -euo pipefail

-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2.9.1
-        with:
-          version: latest
-          args: release --rm-dist
+          # Install a prebuilt binary of rcodesign for linux amd64. Once the
+          # following PR is merged and released upstream, we can download
+          # directly from GitHub releases instead:
+          #   https://github.com/indygreg/PyOxidizer/pull/635
+          wget -O /tmp/rcodesign https://cdn.discordapp.com/attachments/283356472258199552/1016767245717872700/rcodesign
+          sudo install --mode 755 /tmp/rcodesign /usr/local/bin/rcodesign
+
+      - name: Setup Apple Developer certificate and API key
+        run: |
+          set -euo pipefail
+          touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          echo "$AC_CERTIFICATE_P12_BASE64" | base64 -d > /tmp/apple_cert.p12
+          echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt
+          echo "$AC_APIKEY_P8_BASE64" | base64 -d > /tmp/apple_apikey.p8
+        env:
+          AC_CERTIFICATE_P12_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
+
+      - name: Build binaries
+        run: |
+          set -euo pipefail
+          go mod download
+
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
+            build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \
+            build/coder_helm_"$version".tgz
+        env:
+          CODER_SIGN_DARWIN: "1"
+          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
+          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_FILE: /tmp/apple_apikey.p8
+
+      - name: Delete Apple Developer certificate and API key
+        run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+
+      - name: Build Linux Docker images
+        run: |
+          set -euxo pipefail
+
+          # build Docker images for each architecture
+          version="$(./scripts/version.sh)"
+          make -j build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
+
+          # we can't build multi-arch if the images aren't pushed, so quit now
+          # if dry-running
+          if [[ "$CODER_RELEASE" != *t* ]]; then
+            echo Skipping multi-arch docker builds due to dry-run.
+            exit 0
+          fi
+
+          # build and push multi-arch manifest, this depends on the other images
+          # being pushed so will automatically push them.
+          make -j push/build/coder_"$version"_linux.tag
+
+          # if the current version is equal to the highest (according to semver)
+          # version in the repo, also create a multi-arch image as ":latest" and
+          # push it
+          if [[ "$(git tag | grep '^v' | grep -vE '(rc|dev|-|\+|\/)' | sort -r --version-sort | head -n1)" == "v$(./scripts/version.sh)" ]]; then
+            ./scripts/build_docker_multiarch.sh \
+              --push \
+              --target "$(./scripts/image_tag.sh --version latest)" \
+              $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
+          fi
+
+      - name: ls build
+        run: ls -lh build
+
+      - name: Publish release
+        run: |
+          ./scripts/publish_release.sh \
+            ${{ (github.event.inputs.dry_run || github.event.inputs.snapshot) && '--dry-run' }} \
+            ./build/*.zip \
+            ./build/*.tar.gz \
+            ./build/*.tgz \
+            ./build/*.apk \
+            ./build/*.deb \
+            ./build/*.rpm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AC_USERNAME: ${{ secrets.AC_USERNAME }}
-          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+
+      - name: Upload artifacts to actions (if dry-run or snapshot)
+        if: ${{ github.event.inputs.dry_run || github.event.inputs.snapshot }}
+        uses: actions/upload-artifact@v2
+        with:
+          name: release-artifacts
+          path: |
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.tgz
+            ./build/*.apk
+            ./build/*.deb
+            ./build/*.rpm
+          retention-days: 7
@@ -0,0 +1,35 @@
+name: Stale Issue Cron
+on:
+  schedule:
+    # Every day at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      # v5.1.0 has a weird bug that makes stalebot add then remove its own label
+      # https://github.com/actions/stale/pull/775
+      - uses: actions/stale@v5.0.0
+        with:
+          stale-issue-label: stale
+          stale-pr-label: stale
+          # Pull Requests become stale more quickly due to merge conflicts.
+          # Also, we promote minimizing WIP.
+          days-before-pr-stale: 7
+          days-before-pr-close: 3
+          stale-pr-message: >
+            This Pull Request is becoming stale. In order to minimize WIP, 
+            prevent merge conflicts and keep the tracker readable, I'm going
+            close to this PR in 3 days if there isn't more activity.
+          stale-issue-message: >
+            This issue is becoming stale. In order to keep the tracker readable
+            and actionable, I'm going close to this issue in 7 days if there 
+            isn't more activity.
+          # Upped from 30 since we have a big tracker and was hitting the limit.
+          operations-per-run: 60
+          # Start with the oldest issues, always.
+          ascending: true
@@ -0,0 +1,19 @@
+[default.extend-identifiers]
+alog = "alog"
+Jetbrains = "JetBrains"
+IST = "IST"
+MacOS = "macOS"
+
+[default.extend-words]
+
+[files]
+extend-exclude = [
+    "**.svg",
+    "**.png",
+    "**.lock",
+    "go.sum",
+    "go.mod",
+    # These files contain base64 strings that confuse the detector
+    "**XService**.ts",
+    "**identity.go",
+]
@@ -0,0 +1,18 @@
+name: Welcome
+on:
+  pull_request:
+    types: [opened]
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: wow-actions/welcome@v1
+        with:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          FIRST_PR_REACTIONS: '+1, hooray, rocket, heart'
+          FIRST_PR_COMMENT: |
+            👋 Welcome @{{ author }} to Coder! Yo @coder/docs this is @{{ author }}'s first pull-request here! 
+          FIRST_PR_MERGED: |
+            🎉 Thanks for the contribution @{{ author }}! Yo @coder/docs @{{ author }}'s first contribution has been merged! 👀👀👀
@@ -13,7 +13,10 @@ node_modules
 vendor
 .eslintcache
 yarn-error.log
+gotests.coverage
 .idea
+.gitpod.yml
+.DS_Store

 # Front-end ignore
 .next/
@@ -28,13 +31,18 @@ site/**/*.typegen.ts
 site/build-storybook.log

 # Build
+build/
 dist/
 site/out/

 *.tfstate
+*.tfstate.backup
 *.tfplan
 *.lock.hcl
 .terraform/

 .vscode/*.log
+.vscode/launch.json
 **/*.swp
+.coderv2/*
+**/__debug_bin
@@ -103,7 +103,7 @@ linters-settings:
    settings:
      ruleguard:
        failOn: all
-        rules: rules.go
+        rules: '${configDir}/scripts/rules.go'

  staticcheck:
    # https://staticcheck.io/docs/options#checks
@@ -201,6 +201,8 @@ run:
  concurrency: 4
  skip-dirs:
    - node_modules
+  skip-files:
+    - scripts/rules.go
  timeout: 5m

 # Over time, add more and more linters from
@@ -1,165 +0,0 @@
-archives:
-  - id: coder-linux
-    builds: [coder-linux]
-    format: tar.gz
-    files:
-      - src: docs/README.md
-        dst: README.md
-
-  - id: coder-darwin
-    builds: [coder-darwin]
-    format: zip
-    files:
-      - src: docs/README.md
-        dst: README.md
-
-  - id: coder-windows
-    builds: [coder-windows]
-    format: zip
-    files:
-      - src: docs/README.md
-        dst: README.md
-
-before:
-  hooks:
-    - go mod tidy
-    - rm -f site/out/bin/coder*
-
-builds:
-  - id: coder-slim
-    dir: cmd/coder
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
-    goarch: [amd64, arm, arm64]
-    goarm: ["7"]
-    # Only build arm 7 for Linux
-    ignore:
-      - goos: windows
-        goarm: "7"
-      - goos: darwin
-        goarm: "7"
-    hooks:
-      # The "trimprefix" appends ".exe" on Windows.
-      post: |
-        cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ trimprefix .Name "coder" }}
-
-  - id: coder-linux
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [linux]
-    goarch: [amd64, arm, arm64]
-    goarm: ["7"]
-
-  - id: coder-windows
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [windows]
-    goarch: [amd64, arm64]
-
-  - id: coder-darwin
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin]
-    goarch: [amd64, arm64]
-    hooks:
-      # This signs the binary that will be located inside the zip.
-      # MacOS requires the binary to be signed for notarization.
-      #
-      # If it doesn't successfully sign, the zip sign step will error.
-      post: |
-        sh -c 'codesign -s {{.Env.AC_APPLICATION_IDENTITY}} -f -v --timestamp --options runtime {{.Path}} || true'
-
-env:
-  # Apple identity for signing!
-  - AC_APPLICATION_IDENTITY=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
-
-nfpms:
-  - id: packages
-    vendor: Coder
-    homepage: https://coder.com
-    maintainer: Coder <support@coder.com>
-    description: |
-      Provision development environments with infrastructure with code
-    formats:
-      - apk
-      - deb
-      - rpm
-    suggests:
-      - postgresql
-    builds:
-      - coder-linux
-    bindir: /usr/bin
-    contents:
-      - src: coder.env
-        dst: /etc/coder.d/coder.env
-        type: "config|noreplace"
-      - src: coder.service
-        dst: /usr/lib/systemd/system/coder.service
-
-dockers:
-  - image_templates: ["ghcr.io/coder/coder:{{ .Tag }}-amd64"]
-    id: coder-linux
-    dockerfile: Dockerfile
-    use: buildx
-    build_flag_templates:
-      - --platform=linux/amd64
-      - --label=org.opencontainers.image.title=Coder
-      - --label=org.opencontainers.image.description=A tool for provisioning self-hosted development environments with Terraform.
-      - --label=org.opencontainers.image.url=https://github.com/coder/coder
-      - --label=org.opencontainers.image.source=https://github.com/coder/coder
-      - --label=org.opencontainers.image.version={{ .Version }}
-      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-      - --label=org.opencontainers.image.licenses=AGPL-3.0
-  - image_templates: ["ghcr.io/coder/coder:{{ .Tag }}-arm64"]
-    goarch: arm64
-    dockerfile: Dockerfile
-    use: buildx
-    build_flag_templates:
-      - --platform=linux/arm64/v8
-      - --label=org.opencontainers.image.title=coder
-      - --label=org.opencontainers.image.description=A tool for provisioning self-hosted development environments with Terraform.
-      - --label=org.opencontainers.image.url=https://github.com/coder/coder
-      - --label=org.opencontainers.image.source=https://github.com/coder/coder
-      - --label=org.opencontainers.image.version={{ .Tag }}
-      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-      - --label=org.opencontainers.image.licenses=AGPL-3.0
-  - image_templates: ["ghcr.io/coder/coder:{{ .Tag }}-armv7"]
-    goarch: arm
-    goarm: "7"
-    dockerfile: Dockerfile
-    use: buildx
-    build_flag_templates:
-      - --platform=linux/arm/v7
-      - --label=org.opencontainers.image.title=Coder
-      - --label=org.opencontainers.image.description=A tool for provisioning self-hosted development environments with Terraform.
-      - --label=org.opencontainers.image.url=https://github.com/coder/coder
-      - --label=org.opencontainers.image.source=https://github.com/coder/coder
-      - --label=org.opencontainers.image.version={{ .Tag }}
-      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-      - --label=org.opencontainers.image.licenses=AGPL-3.0
-docker_manifests:
-  - name_template: ghcr.io/coder/coder:{{ .Tag }}
-    image_templates:
-      - ghcr.io/coder/coder:{{ .Tag }}-amd64
-      - ghcr.io/coder/coder:{{ .Tag }}-arm64
-      - ghcr.io/coder/coder:{{ .Tag }}-armv7
-
-release:
-  ids: [coder-linux, coder-darwin, coder-windows, packages]
-
-signs:
-  - ids: [coder-darwin]
-    artifacts: archive
-    cmd: ./scripts/sign_macos.sh
-    args: ["${artifact}"]
-    output: true
-
-snapshot:
-  name_template: "{{ .Version }}-devel+{{ .ShortCommit }}"
@@ -8,6 +8,7 @@
    "zxh404.vscode-proto3",
    "redhat.vscode-yaml",
    "streetsidesoftware.code-spell-checker",
-    "dbaeumer.vscode-eslint"
+    "dbaeumer.vscode-eslint",
+    "EditorConfig.EditorConfig"
  ]
 }
@@ -1,11 +1,23 @@
 {
  "cSpell.words": [
+    "apps",
+    "awsidentity",
+    "bodyclose",
+    "buildinfo",
+    "buildname",
    "circbuf",
    "cliflag",
    "cliui",
+    "codecov",
+    "Codespaces",
    "coderd",
    "coderdtest",
    "codersdk",
+    "cronstrue",
+    "databasefake",
+    "DERP",
+    "derphttp",
+    "derpmap",
    "devel",
    "drpc",
    "drpcconn",
@@ -13,61 +25,130 @@
    "drpcserver",
    "Dsts",
    "fatih",
+    "Formik",
+    "gitsshkey",
    "goarch",
    "gographviz",
    "goleak",
+    "gonet",
    "gossh",
    "gsyslog",
+    "GTTY",
    "hashicorp",
    "hclsyntax",
+    "httpapi",
    "httpmw",
    "idtoken",
    "Iflag",
    "incpatch",
+    "ipnstate",
    "isatty",
    "Jobf",
+    "Keygen",
    "kirsle",
+    "Kubernetes",
    "ldflags",
+    "magicsock",
    "manifoldco",
+    "mapstructure",
    "mattn",
    "mitchellh",
    "moby",
+    "namesgenerator",
+    "namespacing",
+    "netaddr",
+    "netip",
+    "netmap",
+    "netns",
+    "netstack",
+    "nettype",
    "nfpms",
    "nhooyr",
+    "nmcfg",
    "nolint",
    "nosec",
    "ntqry",
    "OIDC",
    "oneof",
+    "opty",
+    "paralleltest",
    "parameterscopeid",
    "pqtype",
+    "prometheusmetrics",
    "promptui",
    "protobuf",
    "provisionerd",
    "provisionersdk",
    "ptty",
+    "ptys",
    "ptytest",
+    "quickstart",
+    "reconfig",
    "retrier",
    "rpty",
    "sdkproto",
+    "sdktrace",
    "Signup",
+    "slogtest",
+    "sourcemapped",
+    "Srcs",
    "stretchr",
+    "STTY",
+    "stuntest",
+    "tailbroker",
+    "tailcfg",
+    "tailexchange",
+    "tailnet",
+    "tailnettest",
+    "Tailscale",
    "TCGETS",
    "tcpip",
    "TCSETS",
+    "templateversions",
+    "testdata",
+    "testid",
+    "testutil",
    "tfexec",
    "tfjson",
+    "tfplan",
    "tfstate",
+    "tios",
+    "tparallel",
    "trimprefix",
+    "tsdial",
+    "tslogger",
+    "tstun",
+    "turnconn",
+    "typegen",
+    "typesafe",
    "unconvert",
    "Untar",
+    "Userspace",
    "VMID",
+    "walkthrough",
    "weblinks",
    "webrtc",
+    "wgcfg",
+    "wgconfig",
+    "wgengine",
+    "wgmonitor",
+    "wgnet",
+    "workspaceagent",
+    "workspaceagents",
+    "workspaceapp",
+    "workspaceapps",
+    "workspacebuilds",
+    "workspacename",
+    "wsconncache",
+    "wsjson",
    "xerrors",
    "xstate",
    "yamux"
  ],
+  "cSpell.ignorePaths": [
+    "site/package.json",
+    ".vscode/settings.json"
+  ],
  "emeraldwalk.runonsave": {
    "commands": [
      {
@@ -76,7 +157,7 @@
      },
      {
        "match": "provisionerd/proto/provisionerd.proto",
-        "cmd": "make provisionerd/proto/provisionerd.pb.go",
+        "cmd": "make provisionerd/proto/provisionerd.pb.go"
      }
    ]
  },
@@ -90,19 +171,20 @@
  "go.lintFlags": ["--fast"],
  "go.lintOnSave": "package",
  "go.coverOnSave": true,
-  // The codersdk is used by coderd another other packages extensively.
-  // To reduce redundancy in tests, it's covered by other packages.
-  "go.testFlags": ["-short", "-coverpkg=./.,github.com/coder/coder/codersdk"],
  "go.coverageDecorator": {
    "type": "gutter",
-    "coveredHighlightColor": "rgba(64,128,128,0.5)",
-    "uncoveredHighlightColor": "rgba(128,64,64,0.25)",
-    "coveredBorderColor": "rgba(64,128,128,0.5)",
-    "uncoveredBorderColor": "rgba(128,64,64,0.25)",
    "coveredGutterStyle": "blockgreen",
    "uncoveredGutterStyle": "blockred"
  },
+  // The codersdk is used by coderd another other packages extensively.
+  // To reduce redundancy in tests, it's covered by other packages.
+  // Since package coverage pairing can't be defined, all packages cover
+  // all other packages.
+  "go.testFlags": [
+    "-short",
+    "-coverpkg=./..."
+  ],
  // We often use a version of TypeScript that's ahead of the version shipped
  // with VS Code.
-  "typescript.tsdk": "./site/node_modules/typescript/lib",
+  "typescript.tsdk": "./site/node_modules/typescript/lib"
 }
@@ -0,0 +1,12 @@
+# Adopters 
+[!["Join us on
+Discord"](https://img.shields.io/badge/join-us%20on%20Discord-gray.svg?longCache=true&logo=discord&colorB=green)](https://coder.com/chat?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=adopters.md) [![Twitter
+Follow](https://img.shields.io/twitter/follow/coderhq?label=%40coderhq&style=social)](https://twitter.com/coderhq)
+
+🦩 _If you're using Coder in your organization, please try to add your company name to this list. It really helps the project to gain momentum and credibility. It's a small contribution back to the project with a big impact. You can do this by by editing this file and contributing your changes via a pull-request on GitHub._
+
+> 👋 _If you are considering using Coder in your organization please introduce yourself via https://coder.com/demo_ 🙇🏻‍♂️
+
+| Organization                                                                | Contact                                                                                                                                                                                                                                                          | Description of Use                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
+| --------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Coder](https://www.coder.com)                                              | [@coderhq](https://twitter.com/coderhq)                                                                                                                                                                                                                     | Coder builds coder with Coder.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    |
@@ -1,6 +1,31 @@
-FROM alpine
+# This is the multi-arch Dockerfile used for Coder. Since it's multi-arch and
+# cross-compiled, it cannot have ANY "RUN" commands. All binaries are built
+# using the go toolchain on the host and then copied into the build context by
+# scripts/build_docker.sh.
+FROM alpine:latest

-# Generated by goreleaser on `goreleaser release`
-ADD coder /opt/coder
+# LABEL doesn't add any real layers so it's fine (and easier) to do it here than
+# in the build script.
+ARG CODER_VERSION
+LABEL \
+	org.opencontainers.image.title="Coder" \
+	org.opencontainers.image.description="A tool for provisioning self-hosted development environments with Terraform." \
+	org.opencontainers.image.url="https://github.com/coder/coder" \
+	org.opencontainers.image.source="https://github.com/coder/coder" \
+	org.opencontainers.image.version="$CODER_VERSION" \
+	org.opencontainers.image.licenses="AGPL-3.0"
+
+# The coder binary is injected by scripts/build_docker.sh.
+COPY --chown=coder:coder --chmod=755 coder /opt/coder
+
+# Create coder group and user. We cannot use `addgroup` and `adduser` because
+# they won't work if we're building the image for a different architecture.
+COPY --chown=root:root --chmod=644 group passwd /etc/
+COPY --chown=coder:coder --chmod=700 empty-dir /home/coder
+
+USER coder:coder
+ENV HOME=/home/coder
+ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt
+WORKDIR /home/coder

 ENTRYPOINT [ "/opt/coder", "server" ]
@@ -0,0 +1,31 @@
+## Acceptance
+
+By using any software and associated documentation files under Coder 
+Technologies Inc.’s ("Coder") directory named "enterprise" ("Enterprise
+Software"), you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide, 
+non-sublicensable, non-transferable license to use, copy, distribute, make 
+available, modify and prepare derivative works of the Enterprise Software, in 
+each case subject to the limitations and conditions below.
+
+## Limitations
+
+You may not move, change, disable, or circumvent the license key functionality 
+in the software, and you may not remove or obscure any functionality in the 
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. 
+
+You agree that Coder and/or its licensors (as applicable) retain all right, 
+title and interest in and to all such modifications and/or patches.
+
+## Additional Terms
+
+This Enterprise Software may only be used in production, if you (and any entity 
+that you represent) have agreed to, and are in compliance with, the Coder’s 
+Terms of Service, available at https://coder.com/legal/terms-of-service, or 
+other agreement governing the use of the Software, as agreed by you and Coder. 
@@ -1,39 +1,356 @@
-.DEFAULT_GOAL := build
+# This is the Coder Makefile. The build directory for most tasks is `build/`.
+#
+# These are the targets you're probably looking for:
+# - clean
+# - build-fat: builds all "fat" binaries for all architectures
+# - build-slim: builds all "slim" binaries (no frontend or slim binaries
+#   embedded) for all architectures
+# - release: simulate a release (mostly, does not push images)
+# - build/coder(-slim)?_${os}_${arch}(.exe)?: build a single fat binary
+# - build/coder_${os}_${arch}.(zip|tar.gz): build a release archive
+# - build/coder_linux_${arch}.(apk|deb|rpm): build a release Linux package
+# - build/coder_${version}_linux_${arch}.tag: build a release Linux Docker image
+# - build/coder_helm.tgz: build a release Helm chart

-INSTALL_DIR=$(shell go env GOPATH)/bin
-GOOS=$(shell go env GOOS)
-GOARCH=$(shell go env GOARCH)
+.DEFAULT_GOAL := build-fat

-bin: $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum
-	@echo "== This builds binaries for command-line usage."
-	@echo "== Use \"make build\" to embed the site."
-	goreleaser build --snapshot --rm-dist --single-target
+# Use a single bash shell for each job, and immediately exit on failure
+SHELL := bash
+.SHELLFLAGS := -ceu
+.ONESHELL:

-build: dist/artifacts.json
-.PHONY: build
+# This doesn't work on directories.
+# See https://stackoverflow.com/questions/25752543/make-delete-on-error-for-directory-targets
+.DELETE_ON_ERROR:

-# Runs migrations to output a dump of the database.
-coderd/database/dump.sql: $(wildcard coderd/database/migrations/*.sql)
-	go run coderd/database/dump/main.go
+# Don't print the commands in the file unless you specify VERBOSE. This is
+# essentially the same as putting "@" at the start of each line.
+ifndef VERBOSE
+.SILENT:
+endif

-# Generates Go code for querying the database.
-coderd/database/querier.go: coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
-	coderd/database/generate.sh
+# Create the output directories if they do not exist.
+$(shell mkdir -p build site/out/bin)

-dev: build
-	./scripts/develop.sh
-.PHONY: dev
+GOOS         := $(shell go env GOOS)
+GOARCH       := $(shell go env GOARCH)
+GOOS_BIN_EXT := $(if $(filter windows, $(GOOS)),.exe,)
+VERSION      := $(shell ./scripts/version.sh)

-dist/artifacts.json: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum
-	goreleaser release --snapshot --rm-dist --skip-sign
+# Use the highest ZSTD compression level in CI.
+ifdef CI
+ZSTDFLAGS := -22 --ultra
+else
+ZSTDFLAGS := -6
+endif
+
+# All ${OS}_${ARCH} combos we build for. Windows binaries have the .exe suffix.
+OS_ARCHES := \
+	linux_amd64 linux_arm64 linux_armv7 \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64.exe windows_arm64.exe
+
+# Archive formats and their corresponding ${OS}_${ARCH} combos.
+ARCHIVE_TAR_GZ := linux_amd64 linux_arm64 linux_armv7
+ARCHIVE_ZIP    := \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64 windows_arm64
+
+# All package formats we build and the ${OS}_${ARCH} combos we build them for.
+PACKAGE_FORMATS   := apk deb rpm
+PACKAGE_OS_ARCHES := linux_amd64 linux_armv7 linux_arm64
+
+# All architectures we build Docker images for (Linux only).
+DOCKER_ARCHES := amd64 arm64 armv7
+
+# Computed variables based on the above.
+CODER_SLIM_BINARIES      := $(addprefix build/coder-slim_$(VERSION)_,$(OS_ARCHES))
+CODER_FAT_BINARIES       := $(addprefix build/coder_$(VERSION)_,$(OS_ARCHES))
+CODER_ALL_BINARIES       := $(CODER_SLIM_BINARIES) $(CODER_FAT_BINARIES)
+CODER_TAR_GZ_ARCHIVES    := $(foreach os_arch, $(ARCHIVE_TAR_GZ), build/coder_$(VERSION)_$(os_arch).tar.gz)
+CODER_ZIP_ARCHIVES       := $(foreach os_arch, $(ARCHIVE_ZIP), build/coder_$(VERSION)_$(os_arch).zip)
+CODER_ALL_ARCHIVES       := $(CODER_TAR_GZ_ARCHIVES) $(CODER_ZIP_ARCHIVES)
+CODER_ALL_PACKAGES       := $(foreach os_arch, $(PACKAGE_OS_ARCHES), $(addprefix build/coder_$(VERSION)_$(os_arch).,$(PACKAGE_FORMATS)))
+CODER_ARCH_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_$(VERSION)_linux_$(arch).tag)
+CODER_ARCH_IMAGES_PUSHED := $(addprefix push/, $(CODER_ARCH_IMAGES))
+CODER_MAIN_IMAGE         := build/coder_$(VERSION)_linux.tag
+
+CODER_SLIM_NOVERSION_BINARIES     := $(addprefix build/coder-slim_,$(OS_ARCHES))
+CODER_FAT_NOVERSION_BINARIES      := $(addprefix build/coder_,$(OS_ARCHES))
+CODER_ALL_NOVERSION_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_linux_$(arch).tag) build/coder_linux.tag
+CODER_ALL_NOVERSION_IMAGES_PUSHED := $(addprefix push/, $(CODER_ALL_NOVERSION_IMAGES))
+
+
+clean:
+	rm -rf build site/out
+	mkdir -p build site/out/bin
+	git restore site/out
+.PHONY: clean
+
+build-slim: $(CODER_SLIM_BINARIES)
+.PHONY: build-slim
+
+build-fat build-full build: $(CODER_FAT_BINARIES)
+.PHONY: build-fat build-full build
+
+release: $(CODER_FAT_BINARIES) $(CODER_ALL_ARCHIVES) $(CODER_ALL_PACKAGES) $(CODER_ARCH_IMAGES) build/coder_helm_$(VERSION).tgz
+.PHONY: release
+
+build/coder-slim_$(VERSION)_checksums.sha1 site/out/bin/coder.sha1: $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		openssl dgst -r -sha1 coder-* | tee coder.sha1
+	popd
+
+	cp "site/out/bin/coder.sha1" "build/coder-slim_$(VERSION)_checksums.sha1"
+
+build/coder-slim_$(VERSION).tar: build/coder-slim_$(VERSION)_checksums.sha1 $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		tar cf "../../../build/$(@F)" coder-*
+	popd
+
+build/coder-slim_$(VERSION).tar.zst site/out/bin/coder.tar.zst: build/coder-slim_$(VERSION).tar
+	zstd $(ZSTDFLAGS) \
+		--force \
+		--long \
+		--no-progress \
+		-o "build/coder-slim_$(VERSION).tar.zst" \
+		"build/coder-slim_$(VERSION).tar"
+
+	cp "build/coder-slim_$(VERSION).tar.zst" "site/out/bin/coder.tar.zst"
+	# delete the uncompressed binaries from the embedded dir
+	rm site/out/bin/coder-*
+
+# Redirect from version-less targets to the versioned ones. There is a similar
+# target for slim binaries below.
+#
+# Called like this:
+#   make build/coder_linux_amd64
+#   make build/coder_windows_amd64.exe
+$(CODER_FAT_NOVERSION_BINARIES): build/coder_%: build/coder_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Same as above, but for slim binaries.
+#
+# Called like this:
+#   make build/coder-slim_linux_amd64
+#   make build/coder-slim_windows_amd64.exe
+$(CODER_SLIM_NOVERSION_BINARIES): build/coder-slim_%: build/coder-slim_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# "fat" binaries always depend on the site and the compressed slim binaries.
+$(CODER_FAT_BINARIES): \
+	site/out/index.html \
+	site/out/bin/coder.sha1 \
+	site/out/bin/coder.tar.zst
+
+# This is a handy block that parses the target to determine whether it's "slim"
+# or "fat", which OS was specified and which architecture was specified.
+#
+# It populates the following variables: mode, os, arch_ext, arch, ext (without
+# dot).
+define get-mode-os-arch-ext =
+	mode="$$([[ "$@" = build/coder-slim* ]] && echo "slim" || echo "fat")"
+	os="$$(echo $@ | cut -d_ -f3)"
+	arch_ext="$$(echo $@ | cut -d_ -f4)"
+	if [[ "$$arch_ext" == *.* ]]; then
+		arch="$$(echo $$arch_ext | cut -d. -f1)"
+		ext="$${arch_ext#*.}"
+	else
+		arch="$$arch_ext"
+		ext=""
+	fi
+endef
+
+# This task handles all builds, for both "fat" and "slim" binaries. It parses
+# the target name to get the metadata for the build, so it must be specified in
+# this format:
+#     build/coder(-slim)?_${version}_${os}_${arch}(.exe)?
+#
+# You should probably use the non-version targets above instead if you're
+# calling this manually.
+$(CODER_ALL_BINARIES): go.mod go.sum \
+	$(shell find . -not -path './vendor/*' -type f -name '*.go') \
+	$(shell find ./examples/templates)
+
+	$(get-mode-os-arch-ext)
+	if [[ "$$os" != "windows" ]] && [[ "$$ext" != "" ]]; then
+		echo "ERROR: Invalid build binary extension" 1>&2
+		exit 1
+	fi
+	if [[ "$$os" == "windows" ]] && [[ "$$ext" != exe ]]; then
+		echo "ERROR: Windows binaries must have an .exe extension." 1>&2
+		exit 1
+	fi
+
+	build_args=( \
+		--os "$$os" \
+		--arch "$$arch" \
+		--version "$(VERSION)" \
+		--output "$@" \
+	)
+	if [ "$$mode" == "slim" ]; then
+		build_args+=(--slim)
+	fi
+
+	./scripts/build_go.sh "$${build_args[@]}"
+
+	if [[ "$$mode" == "slim" ]]; then
+		dot_ext=""
+		if [[ "$$ext" != "" ]]; then
+			dot_ext=".$$ext"
+		fi
+
+		cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
+	fi
+
+# This task builds all archives. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.${format}
+#
+# The following OS/arch/format combinations are supported:
+#     .tar.gz: linux_amd64, linux_arm64, linux_armv7
+#     .zip:    darwin_amd64, darwin_arm64, windows_amd64, windows_arm64
+#
+# This depends on all fat binaries because it's difficult to do dynamic
+# dependencies due to the .exe requirement on Windows. These targets are
+# typically only used during release anyways.
+$(CODER_ALL_ARCHIVES): $(CODER_FAT_BINARIES)
+	$(get-mode-os-arch-ext)
+	bin_ext=""
+	if [[ "$$os" == "windows" ]]; then
+		bin_ext=".exe"
+	fi
+
+	./scripts/archive.sh \
+		--format "$$ext" \
+		--os "$$os" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}$${bin_ext}"
+
+# This task builds all packages. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_linux_${arch}.${format}
+#
+# Supports apk, deb, rpm for all linux targets.
+#
+# This depends on all Linux fat binaries and archives because it's difficult to
+# do dynamic dependencies due to the extensions in the filenames. These targets
+# are typically only used during release anyways.
+#
+# Packages need to run after the archives are built, otherwise they cause tar
+# errors like "file changed as we read it".
+CODER_PACKAGE_DEPS := $(foreach os_arch, $(PACKAGE_OS_ARCHES), build/coder_$(VERSION)_$(os_arch) build/coder_$(VERSION)_$(os_arch).tar.gz)
+$(CODER_ALL_PACKAGES): $(CODER_PACKAGE_DEPS)
+	$(get-mode-os-arch-ext)
+
+	./scripts/package.sh \
+		--arch "$$arch" \
+		--format "$$ext" \
+		--version "$(VERSION)" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+# Redirect from version-less Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES): build/coder_%: build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES)
+
+# Redirect from version-less push Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make push/build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES_PUSHED): push/build/coder_%: push/build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES_PUSHED)
+
+# This task builds all Docker images. It parses the target name to get the
+# metadata for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.tag
+#
+# Supports linux_amd64, linux_arm64, linux_armv7.
+#
+# Images need to run after the archives and packages are built, otherwise they
+# cause errors like "file changed as we read it".
+$(CODER_ARCH_IMAGES): build/coder_$(VERSION)_%.tag: \
+	build/coder_$(VERSION)_% \
+	build/coder_$(VERSION)_%.apk \
+	build/coder_$(VERSION)_%.deb \
+	build/coder_$(VERSION)_%.rpm \
+	build/coder_$(VERSION)_%.tar.gz
+
+	$(get-mode-os-arch-ext)
+
+	image_tag="$$(./scripts/image_tag.sh --arch "$$arch" --version "$(VERSION)")"
+	./scripts/build_docker.sh \
+		--arch "$$arch" \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+	echo "$$image_tag" > "$@"
+
+# Multi-arch Docker image. This requires all architecture-specific images to be
+# built AND pushed.
+$(CODER_MAIN_IMAGE): $(CODER_ARCH_IMAGES_PUSHED)
+	image_tag="$$(./scripts/image_tag.sh --version "$(VERSION)")"
+	./scripts/build_docker_multiarch.sh \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		$(foreach img, $^, "$$(cat "$(img:push/%=%)")")
+
+	echo "$$image_tag" > "$@"
+
+# Push a Docker image.
+$(CODER_ARCH_IMAGES_PUSHED): push/%: %
+	image_tag="$$(cat "$<")"
+	docker push "$$image_tag"
+.PHONY: $(CODER_ARCH_IMAGES_PUSHED)
+
+# Push the multi-arch Docker manifest.
+push/$(CODER_MAIN_IMAGE): $(CODER_MAIN_IMAGE)
+	image_tag="$$(cat "$<")"
+	docker manifest push "$$image_tag"
+.PHONY: push/$(CODER_MAIN_IMAGE)
+
+# Shortcut for Helm chart package.
+build/coder_helm.tgz: build/coder_helm_$(VERSION).tgz
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Helm chart package.
+build/coder_helm_$(VERSION).tgz:
+	./scripts/helm.sh \
+		--version "$(VERSION)" \
+		--output "$@"
+
+site/out/index.html: $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.tsx') $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.ts') site/package.json
+	./scripts/yarn_install.sh
+	cd site
+	yarn typegen
+	yarn build
+
+install: build/coder_$(VERSION)_$(GOOS)_$(GOARCH)$(GOOS_BIN_EXT)
+	install_dir="$$(go env GOPATH)/bin"
+	output_file="$${install_dir}/coder$(GOOS_BIN_EXT)"
+
+	mkdir -p "$$install_dir"
+	cp "$<" "$$output_file"
+.PHONY: install
+
+fmt: fmt/prettier fmt/terraform fmt/shfmt
+.PHONY: fmt

 fmt/prettier:
-	@echo "--- prettier"
+	echo "--- prettier"
+	cd site
 # Avoid writing files in CI to reduce file write activity
 ifdef CI
-	cd site && yarn run format:check
+	yarn run format:check
 else
-	cd site && yarn run format:write
+	yarn run format:write
 endif
 .PHONY: fmt/prettier

@@ -41,36 +358,63 @@ fmt/terraform: $(wildcard *.tf)
 	terraform fmt -recursive
 .PHONY: fmt/terraform

-fmt: fmt/prettier fmt/terraform
-.PHONY: fmt
+fmt/shfmt: $(shell shfmt -f .)
+	echo "--- shfmt"
+# Only do diff check in CI, errors on diff.
+ifdef CI
+	shfmt -d $(shell shfmt -f .)
+else
+	shfmt -w $(shell shfmt -f .)
+endif
+.PHONY: fmt/shfmt

-gen: coderd/database/querier.go peerbroker/proto/peerbroker.pb.go provisionersdk/proto/provisioner.pb.go provisionerd/proto/provisionerd.pb.go site/src/api/typesGenerated.ts
-
-install: build
-	@echo "--- Copying from bin to $(INSTALL_DIR)"
-	cp -r ./dist/coder-$(GOOS)_$(GOOS)_$(GOARCH)*/* $(INSTALL_DIR)
-	@echo "-- CLI available at $(shell ls $(INSTALL_DIR)/coder*)"
-.PHONY: install
-
-lint:
-	golangci-lint run
+lint: lint/shellcheck lint/go
 .PHONY: lint

-peerbroker/proto/peerbroker.pb.go: peerbroker/proto/peerbroker.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./peerbroker/proto/peerbroker.proto
+lint/go:
+	./scripts/check_enterprise_imports.sh
+	golangci-lint run
+.PHONY: lint/go

-provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./provisionerd/proto/provisionerd.proto
+# Use shfmt to determine the shell files, takes editorconfig into consideration.
+lint/shellcheck: $(shell shfmt -f .)
+	echo "--- shellcheck"
+	shellcheck --external-sources $(shell shfmt -f .)
+.PHONY: lint/shellcheck
+
+# all gen targets should be added here and to gen/mark-fresh
+gen: \
+	coderd/database/dump.sql \
+	coderd/database/querier.go \
+	provisionersdk/proto/provisioner.pb.go \
+	provisionerd/proto/provisionerd.pb.go \
+	site/src/api/typesGenerated.ts
+.PHONY: gen
+
+# Mark all generated files as fresh so make thinks they're up-to-date. This is
+# used during releases so we don't run generation scripts.
+gen/mark-fresh:
+	files="coderd/database/dump.sql coderd/database/querier.go provisionersdk/proto/provisioner.pb.go provisionerd/proto/provisionerd.pb.go site/src/api/typesGenerated.ts"
+	for file in $$files; do
+		echo "$$file"
+		if [ ! -f "$$file" ]; then
+			echo "File '$$file' does not exist"
+			exit 1
+		fi
+
+		# touch sets the mtime of the file to the current time
+		touch $$file
+	done
+.PHONY: gen/mark-fresh
+
+# Runs migrations to output a dump of the database schema after migrations are
+# applied.
+coderd/database/dump.sql: coderd/database/gen/dump/main.go $(wildcard coderd/database/migrations/*.sql)
+	go run ./coderd/database/gen/dump/main.go
+
+# Generates Go code for querying the database.
+coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql) coderd/database/gen/enum/main.go
+	./coderd/database/generate.sh

 provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 	protoc \
@@ -80,16 +424,57 @@ provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 		--go-drpc_opt=paths=source_relative \
 		./provisionersdk/proto/provisioner.proto

-site/out/index.html: $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.tsx') $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.ts') site/package.json
-	./scripts/yarn_install.sh
-	cd site && yarn typegen
-	cd site && yarn build
-	# Restores GITKEEP files!
-	git checkout HEAD site/out
+provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
+	protoc \
+		--go_out=. \
+		--go_opt=paths=source_relative \
+		--go-drpc_out=. \
+		--go-drpc_opt=paths=source_relative \
+		./provisionerd/proto/provisionerd.proto

 site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find codersdk -type f -name '*.go')
 	go run scripts/apitypings/main.go > site/src/api/typesGenerated.ts
-	cd site && yarn run format:types
+	cd site
+	yarn run format:types

-test:
+test: test-clean
 	gotestsum -- -v -short ./...
+.PHONY: test
+
+# When updating -timeout for this test, keep in sync with
+# test-go-postgres (.github/workflows/coder.yaml).
+test-postgres: test-clean test-postgres-docker
+	DB=ci DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum --junitfile="gotests.xml" --packages="./..." -- \
+		-covermode=atomic -coverprofile="gotests.coverage" -timeout=20m \
+		-coverpkg=./... \
+		-count=1 -race -failfast
+.PHONY: test-postgres
+
+test-postgres-docker:
+	docker rm -f test-postgres-docker || true
+	docker run \
+		--env POSTGRES_PASSWORD=postgres \
+		--env POSTGRES_USER=postgres \
+		--env POSTGRES_DB=postgres \
+		--env PGDATA=/tmp \
+		--tmpfs /tmp \
+		--publish 5432:5432 \
+		--name test-postgres-docker \
+		--restart no \
+		--detach \
+		postgres:13 \
+		-c shared_buffers=1GB \
+		-c max_connections=1000 \
+		-c fsync=off \
+		-c synchronous_commit=off \
+		-c full_page_writes=off
+	while ! pg_isready -h 127.0.0.1
+	do
+		echo "$(date) - waiting for database to start"
+		sleep 0.5
+	done
+.PHONY: test-postgres-docker
+
+test-clean:
+	go clean -testcache
+.PHONY: test-clean
@@ -0,0 +1,102 @@
+# Coder
+
+[!["Join us on
+Discord"](https://img.shields.io/badge/join-us%20on%20Discord-gray.svg?longCache=true&logo=discord&colorB=green)](https://coder.com/chat?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md)
+[![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
+[![Go Reference](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
+[![Twitter
+Follow](https://img.shields.io/twitter/follow/coderhq?label=%40coderhq&style=social)](https://twitter.com/coderhq)
+
+Coder creates remote development machines so your team can develop from anywhere.
+
+<p align="center">
+  <img src="./docs/images/hero-image.png">
+</p>
+
+**Manage less**
+
+- Ensure your entire team is using the same tools and resources
+  - Rollout critical updates to your developers with one command
+- Automatically shut down expensive cloud resources
+- Keep your source code and data behind your firewall
+
+**Code more**
+
+- Build and test faster
+  - Leveraging cloud CPUs, RAM, network speeds, etc.
+- Access your environment from any place on any client (even an iPad)
+- Onboard instantly then stay up to date continuously
+
+## Getting Started
+
+> **Note**:
+> Coder is in a beta state. [Report issues here](https://github.com/coder/coder/issues/new).
+
+The easiest way to install Coder is to use our [install script](https://github.com/coder/coder/blob/main/install.sh) for Linux and macOS.
+
+To install, run:
+
+```bash
+curl -L https://coder.com/install.sh | sh
+```
+
+You can preview what occurs during the install process:
+
+```bash
+curl -L https://coder.com/install.sh | sh -s -- --dry-run
+```
+
+You can modify the installation process by including flags. Run the help command for reference:
+
+```bash
+curl -L https://coder.com/install.sh | sh -s -- --help
+```
+
+> See [install](docs/install) for additional methods.
+
+Once installed, you can start a production deployment<sup>1</sup> with a single command:
+
+```sh
+# Automatically sets up an external access URL on *.try.coder.app
+coder server --tunnel
+
+# Requires a PostgreSQL instance and external access URL
+coder server --postgres-url <url> --access-url <url>
+```
+
+> <sup>1</sup> The embedded database is great for trying out Coder with small deployments, but do consider using an external database for increased assurance and control.
+
+Use `coder --help` to get a complete list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/coder-oss/latest/quickstart) for a full walkthrough.
+
+## Documentation
+
+Visit our docs [here](https://coder.com/docs/coder-oss).
+
+## Comparison
+
+Please file [an issue](https://github.com/coder/coder/issues/new) if any information is out of date. Also refer to: [What Coder is not](https://coder.com/docs/coder-oss/latest/index#what-coder-is-not).
+
+| Tool                                                        | Type     | Delivery Model     | Cost                          | Environments                                                                                                                                               |
+| :---------------------------------------------------------- | :------- | :----------------- | :---------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| [Coder](https://github.com/coder/coder)                     | Platform | OSS + Self-Managed | Pay your cloud                | All [Terraform](https://www.terraform.io/registry/providers) resources, all clouds, multi-architecture: Linux, Mac, Windows, containers, VMs, amd64, arm64 |
+| [code-server](https://github.com/cdr/code-server)           | Web IDE  | OSS + Self-Managed | Pay your cloud                | Linux, Mac, Windows, containers, VMs, amd64, arm64                                                                                                         |
+| [Coder (Classic)](https://coder.com/docs)                   | Platform | Self-Managed       | Pay your cloud + license fees | Kubernetes Linux Containers                                                                                                                                |
+| [GitHub Codespaces](https://github.com/features/codespaces) | Platform | SaaS               | 2x Azure Compute              | Linux containers                                                                                                                                           |
+
+---
+
+_Last updated: 5/27/22_
+
+## Community and Support
+
+Join our community on [Discord](https://coder.com/chat?utm_source=github.com/coder/coder&utm_medium=github&utm_campaign=readme.md) and [Twitter](https://twitter.com/coderhq)!
+
+[Suggest improvements and report problems](https://github.com/coder/coder/issues/new/choose)
+
+## Contributing
+
+If you're using Coder in your organization, please try to add your company name to the [ADOPTERS.md](./ADOPTERS.md). It really helps the project to gain momentum and credibility. It's a small contribution back to the project with a big impact. 
+
+Read the [contributing docs](https://coder.com/docs/coder-oss/latest/CONTRIBUTING).
+
+Find our list of contributors [here](https://github.com/coder/coder/graphs/contributors).
@@ -4,11 +4,13 @@ import (
 	"context"
 	"crypto/rand"
 	"crypto/rsa"
+	"encoding/binary"
 	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"os"
 	"os/exec"
 	"os/user"
@@ -20,62 +22,75 @@ import (
 	"time"

 	"github.com/armon/circbuf"
+	"github.com/gliderlabs/ssh"
 	"github.com/google/uuid"
-
+	"github.com/pkg/sftp"
 	"go.uber.org/atomic"
+	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+	"tailscale.com/net/speedtest"
+	"tailscale.com/tailcfg"

 	"cdr.dev/slog"
 	"github.com/coder/coder/agent/usershell"
-	"github.com/coder/coder/peer"
-	"github.com/coder/coder/peerbroker"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty"
+	"github.com/coder/coder/tailnet"
 	"github.com/coder/retry"
+)

-	"github.com/pkg/sftp"
+const (
+	ProtocolReconnectingPTY = "reconnecting-pty"
+	ProtocolSSH             = "ssh"
+	ProtocolDial            = "dial"

-	"github.com/gliderlabs/ssh"
-	gossh "golang.org/x/crypto/ssh"
-	"golang.org/x/xerrors"
+	// MagicSessionErrorCode indicates that something went wrong with the session, rather than the
+	// command just returning a nonzero exit code, and is chosen as an arbitrary, high number
+	// unlikely to shadow other exit codes, which are typically 1, 2, 3, etc.
+	MagicSessionErrorCode = 229
 )

 type Options struct {
-	ReconnectingPTYTimeout time.Duration
-	EnvironmentVariables   map[string]string
-	Logger                 slog.Logger
+	CoordinatorDialer           CoordinatorDialer
+	FetchMetadata               FetchMetadata
+	StatsReporter               StatsReporter
+	WorkspaceAgentApps          WorkspaceAgentApps
+	PostWorkspaceAgentAppHealth PostWorkspaceAgentAppHealth
+	ReconnectingPTYTimeout      time.Duration
+	EnvironmentVariables        map[string]string
+	Logger                      slog.Logger
 }

-type Metadata struct {
-	OwnerEmail           string            `json:"owner_email"`
-	OwnerUsername        string            `json:"owner_username"`
-	EnvironmentVariables map[string]string `json:"environment_variables"`
-	StartupScript        string            `json:"startup_script"`
-	Directory            string            `json:"directory"`
-}
+// CoordinatorDialer is a function that constructs a new broker.
+// A dialer must be passed in to allow for reconnects.
+type CoordinatorDialer func(context.Context) (net.Conn, error)

-type Dialer func(ctx context.Context, logger slog.Logger) (Metadata, *peerbroker.Listener, error)
+// FetchMetadata is a function to obtain metadata for the agent.
+type FetchMetadata func(context.Context) (codersdk.WorkspaceAgentMetadata, error)

-func New(dialer Dialer, options *Options) io.Closer {
-	if options == nil {
-		options = &Options{}
-	}
+func New(options Options) io.Closer {
 	if options.ReconnectingPTYTimeout == 0 {
 		options.ReconnectingPTYTimeout = 5 * time.Minute
 	}
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	server := &agent{
-		dialer:                 dialer,
-		reconnectingPTYTimeout: options.ReconnectingPTYTimeout,
-		logger:                 options.Logger,
-		closeCancel:            cancelFunc,
-		closed:                 make(chan struct{}),
-		envVars:                options.EnvironmentVariables,
+		reconnectingPTYTimeout:      options.ReconnectingPTYTimeout,
+		logger:                      options.Logger,
+		closeCancel:                 cancelFunc,
+		closed:                      make(chan struct{}),
+		envVars:                     options.EnvironmentVariables,
+		coordinatorDialer:           options.CoordinatorDialer,
+		fetchMetadata:               options.FetchMetadata,
+		stats:                       &Stats{},
+		statsReporter:               options.StatsReporter,
+		workspaceAgentApps:          options.WorkspaceAgentApps,
+		postWorkspaceAgentAppHealth: options.PostWorkspaceAgentAppHealth,
 	}
 	server.init(ctx)
 	return server
 }

 type agent struct {
-	dialer Dialer
 	logger slog.Logger

 	reconnectingPTYs       sync.Map
@@ -89,18 +104,25 @@ type agent struct {
 	envVars map[string]string
 	// metadata is atomic because values can change after reconnection.
 	metadata      atomic.Value
-	startupScript atomic.Bool
+	fetchMetadata FetchMetadata
 	sshServer     *ssh.Server
+
+	network                     *tailnet.Conn
+	coordinatorDialer           CoordinatorDialer
+	stats                       *Stats
+	statsReporter               StatsReporter
+	workspaceAgentApps          WorkspaceAgentApps
+	postWorkspaceAgentAppHealth PostWorkspaceAgentAppHealth
 }

 func (a *agent) run(ctx context.Context) {
-	var metadata Metadata
-	var peerListener *peerbroker.Listener
+	var metadata codersdk.WorkspaceAgentMetadata
 	var err error
 	// An exponential back-off occurs when the connection is failing to dial.
 	// This is to prevent server spam in case of a coderd outage.
 	for retrier := retry.New(50*time.Millisecond, 10*time.Second); retrier.Wait(ctx); {
-		metadata, peerListener, err = a.dialer(ctx, a.logger)
+		a.logger.Info(ctx, "connecting")
+		metadata, err = a.fetchMetadata(ctx)
 		if err != nil {
 			if errors.Is(err, context.Canceled) {
 				return
@@ -111,7 +133,7 @@ func (a *agent) run(ctx context.Context) {
 			a.logger.Warn(context.Background(), "failed to dial", slog.Error(err))
 			continue
 		}
-		a.logger.Info(context.Background(), "connected")
+		a.logger.Info(context.Background(), "fetched metadata")
 		break
 	}
 	select {
@@ -121,106 +143,214 @@ func (a *agent) run(ctx context.Context) {
 	}
 	a.metadata.Store(metadata)

-	if a.startupScript.CAS(false, true) {
-		// The startup script has not ran yet!
-		go func() {
-			err := a.runStartupScript(ctx, metadata.StartupScript)
-			if errors.Is(err, context.Canceled) {
-				return
-			}
-			if err != nil {
-				a.logger.Warn(ctx, "agent script failed", slog.Error(err))
-			}
-		}()
-	}
-
-	for {
-		conn, err := peerListener.Accept()
-		if err != nil {
-			if a.isClosed() {
-				return
-			}
-			a.logger.Debug(ctx, "peer listener accept exited; restarting connection", slog.Error(err))
-			a.run(ctx)
+	// The startup script has not ran yet!
+	go func() {
+		err := a.runStartupScript(ctx, metadata.StartupScript)
+		if errors.Is(err, context.Canceled) {
 			return
 		}
-		a.closeMutex.Lock()
-		a.connCloseWait.Add(1)
-		a.closeMutex.Unlock()
-		go a.handlePeerConn(ctx, conn)
+		if err != nil {
+			a.logger.Warn(ctx, "agent script failed", slog.Error(err))
+		}
+	}()
+
+	if metadata.DERPMap != nil {
+		go a.runTailnet(ctx, metadata.DERPMap)
+	}
+
+	if a.workspaceAgentApps != nil && a.postWorkspaceAgentAppHealth != nil {
+		go NewWorkspaceAppHealthReporter(a.logger, a.workspaceAgentApps, a.postWorkspaceAgentAppHealth)(ctx)
 	}
 }

-func (*agent) runStartupScript(ctx context.Context, script string) error {
+func (a *agent) runTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) {
+	a.closeMutex.Lock()
+	defer a.closeMutex.Unlock()
+	if a.isClosed() {
+		return
+	}
+	if a.network != nil {
+		a.network.SetDERPMap(derpMap)
+		return
+	}
+	var err error
+	a.network, err = tailnet.NewConn(&tailnet.Options{
+		Addresses: []netip.Prefix{netip.PrefixFrom(codersdk.TailnetIP, 128)},
+		DERPMap:   derpMap,
+		Logger:    a.logger.Named("tailnet"),
+	})
+	if err != nil {
+		a.logger.Critical(ctx, "create tailnet", slog.Error(err))
+		return
+	}
+	a.network.SetForwardTCPCallback(func(conn net.Conn, listenerExists bool) net.Conn {
+		if listenerExists {
+			// If a listener already exists, we would double-wrap the conn.
+			return conn
+		}
+		return a.stats.wrapConn(conn)
+	})
+	go a.runCoordinator(ctx)
+
+	sshListener, err := a.network.Listen("tcp", ":"+strconv.Itoa(codersdk.TailnetSSHPort))
+	if err != nil {
+		a.logger.Critical(ctx, "listen for ssh", slog.Error(err))
+		return
+	}
+	go func() {
+		for {
+			conn, err := sshListener.Accept()
+			if err != nil {
+				return
+			}
+			go a.sshServer.HandleConn(a.stats.wrapConn(conn))
+		}
+	}()
+	reconnectingPTYListener, err := a.network.Listen("tcp", ":"+strconv.Itoa(codersdk.TailnetReconnectingPTYPort))
+	if err != nil {
+		a.logger.Critical(ctx, "listen for reconnecting pty", slog.Error(err))
+		return
+	}
+	go func() {
+		for {
+			conn, err := reconnectingPTYListener.Accept()
+			if err != nil {
+				a.logger.Debug(ctx, "accept pty failed", slog.Error(err))
+				return
+			}
+			conn = a.stats.wrapConn(conn)
+			// This cannot use a JSON decoder, since that can
+			// buffer additional data that is required for the PTY.
+			rawLen := make([]byte, 2)
+			_, err = conn.Read(rawLen)
+			if err != nil {
+				continue
+			}
+			length := binary.LittleEndian.Uint16(rawLen)
+			data := make([]byte, length)
+			_, err = conn.Read(data)
+			if err != nil {
+				continue
+			}
+			var msg codersdk.ReconnectingPTYInit
+			err = json.Unmarshal(data, &msg)
+			if err != nil {
+				continue
+			}
+			go a.handleReconnectingPTY(ctx, msg, conn)
+		}
+	}()
+	speedtestListener, err := a.network.Listen("tcp", ":"+strconv.Itoa(codersdk.TailnetSpeedtestPort))
+	if err != nil {
+		a.logger.Critical(ctx, "listen for speedtest", slog.Error(err))
+		return
+	}
+	go func() {
+		for {
+			conn, err := speedtestListener.Accept()
+			if err != nil {
+				a.logger.Debug(ctx, "speedtest listener failed", slog.Error(err))
+				return
+			}
+			a.closeMutex.Lock()
+			a.connCloseWait.Add(1)
+			a.closeMutex.Unlock()
+			go func() {
+				defer a.connCloseWait.Done()
+				_ = speedtest.ServeConn(conn)
+			}()
+		}
+	}()
+}
+
+// runCoordinator listens for nodes and updates the self-node as it changes.
+func (a *agent) runCoordinator(ctx context.Context) {
+	for {
+		reconnect := a.runCoordinatorWithRetry(ctx)
+		if !reconnect {
+			return
+		}
+	}
+}
+
+func (a *agent) runCoordinatorWithRetry(ctx context.Context) (reconnect bool) {
+	var coordinator net.Conn
+	var err error
+	// An exponential back-off occurs when the connection is failing to dial.
+	// This is to prevent server spam in case of a coderd outage.
+	for retrier := retry.New(50*time.Millisecond, 10*time.Second); retrier.Wait(ctx); {
+		coordinator, err = a.coordinatorDialer(ctx)
+		if err != nil {
+			if errors.Is(err, context.Canceled) {
+				return false
+			}
+			if a.isClosed() {
+				return false
+			}
+			a.logger.Warn(context.Background(), "failed to dial", slog.Error(err))
+			continue
+		}
+		//nolint:revive // Defer is ok because we're exiting this loop.
+		defer coordinator.Close()
+		a.logger.Info(context.Background(), "connected to coordination server")
+		break
+	}
+	select {
+	case <-ctx.Done():
+		return false
+	default:
+	}
+	sendNodes, errChan := tailnet.ServeCoordinator(coordinator, a.network.UpdateNodes)
+	a.network.SetNodeCallback(sendNodes)
+	select {
+	case <-ctx.Done():
+		return false
+	case err := <-errChan:
+		if a.isClosed() {
+			return false
+		}
+		if errors.Is(err, context.Canceled) {
+			return false
+		}
+		a.logger.Debug(ctx, "node broker accept exited; restarting connection", slog.Error(err))
+		return true
+	}
+}
+
+func (a *agent) runStartupScript(ctx context.Context, script string) error {
 	if script == "" {
 		return nil
 	}
-	currentUser, err := user.Current()
-	if err != nil {
-		return xerrors.Errorf("get current user: %w", err)
-	}
-	username := currentUser.Username

-	shell, err := usershell.Get(username)
-	if err != nil {
-		return xerrors.Errorf("get user shell: %w", err)
-	}
-
-	writer, err := os.OpenFile(filepath.Join(os.TempDir(), "coder-startup-script.log"), os.O_CREATE|os.O_RDWR, 0600)
+	writer, err := os.OpenFile(filepath.Join(os.TempDir(), "coder-startup-script.log"), os.O_CREATE|os.O_RDWR, 0o600)
 	if err != nil {
 		return xerrors.Errorf("open startup script log file: %w", err)
 	}
 	defer func() {
 		_ = writer.Close()
 	}()
-	caller := "-c"
-	if runtime.GOOS == "windows" {
-		caller = "/c"
+
+	cmd, err := a.createCommand(ctx, script, nil)
+	if err != nil {
+		return xerrors.Errorf("create command: %w", err)
 	}
-	cmd := exec.CommandContext(ctx, shell, caller, script)
 	cmd.Stdout = writer
 	cmd.Stderr = writer
 	err = cmd.Run()
 	if err != nil {
+		// cmd.Run does not return a context canceled error, it returns "signal: killed".
+		if ctx.Err() != nil {
+			return ctx.Err()
+		}
+
 		return xerrors.Errorf("run: %w", err)
 	}
+
 	return nil
 }

-func (a *agent) handlePeerConn(ctx context.Context, conn *peer.Conn) {
-	go func() {
-		select {
-		case <-a.closed:
-		case <-conn.Closed():
-		}
-		_ = conn.Close()
-		a.connCloseWait.Done()
-	}()
-	for {
-		channel, err := conn.Accept(ctx)
-		if err != nil {
-			if errors.Is(err, peer.ErrClosed) || a.isClosed() {
-				return
-			}
-			a.logger.Debug(ctx, "accept channel from peer connection", slog.Error(err))
-			return
-		}
-
-		switch channel.Protocol() {
-		case "ssh":
-			go a.sshServer.HandleConn(channel.NetConn())
-		case "reconnecting-pty":
-			go a.handleReconnectingPTY(ctx, channel.Label(), channel.NetConn())
-		default:
-			a.logger.Warn(ctx, "unhandled protocol from channel",
-				slog.F("protocol", channel.Protocol()),
-				slog.F("label", channel.Label()),
-			)
-		}
-	}
-}
-
 func (a *agent) init(ctx context.Context) {
+	a.logger.Info(ctx, "generating host key")
 	// Clients' should ignore the host key when connecting.
 	// The agent needs to authenticate with coderd to SSH,
 	// so SSH authentication doesn't improve security.
@@ -244,9 +374,17 @@ func (a *agent) init(ctx context.Context) {
 		},
 		Handler: func(session ssh.Session) {
 			err := a.handleSSHSession(session)
+			var exitError *exec.ExitError
+			if xerrors.As(err, &exitError) {
+				a.logger.Debug(ctx, "ssh session returned", slog.Error(exitError))
+				_ = session.Exit(exitError.ExitCode())
+				return
+			}
 			if err != nil {
 				a.logger.Warn(ctx, "ssh session failed", slog.Error(err))
-				_ = session.Exit(1)
+				// This exit code is designed to be unlikely to be confused for a legit exit code
+				// from the process.
+				_ = session.Exit(MagicSessionErrorCode)
 				return
 			}
 		},
@@ -279,6 +417,8 @@ func (a *agent) init(ctx context.Context) {
 		},
 		SubsystemHandlers: map[string]ssh.SubsystemHandler{
 			"sftp": func(session ssh.Session) {
+				session.DisablePTYEmulation()
+
 				server, err := sftp.NewServer(session)
 				if err != nil {
 					a.logger.Debug(session.Context(), "initialize sftp server", slog.Error(err))
@@ -295,6 +435,21 @@ func (a *agent) init(ctx context.Context) {
 	}

 	go a.run(ctx)
+	if a.statsReporter != nil {
+		cl, err := a.statsReporter(ctx, a.logger, func() *codersdk.AgentStats {
+			return a.stats.Copy()
+		})
+		if err != nil {
+			a.logger.Error(ctx, "report stats", slog.Error(err))
+			return
+		}
+		a.connCloseWait.Add(1)
+		go func() {
+			defer a.connCloseWait.Done()
+			<-a.closed
+			cl.Close()
+		}()
+	}
 }

 // createCommand processes raw command input with OpenSSH-like behavior.
@@ -316,7 +471,7 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 	if rawMetadata == nil {
 		return nil, xerrors.Errorf("no metadata was provided: %w", err)
 	}
-	metadata, valid := rawMetadata.(Metadata)
+	metadata, valid := rawMetadata.(codersdk.WorkspaceAgentMetadata)
 	if !valid {
 		return nil, xerrors.Errorf("metadata is the wrong type: %T", metadata)
 	}
@@ -326,6 +481,11 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 	command := rawCommand
 	if len(command) == 0 {
 		command = shell
+		if runtime.GOOS != "windows" {
+			// On Linux and macOS, we should start a login
+			// shell to consume juicy environment variables!
+			command += " -l"
+		}
 	}

 	// OpenSSH executes all commands with the users current shell.
@@ -345,54 +505,90 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 	if err != nil {
 		return nil, xerrors.Errorf("getting os executable: %w", err)
 	}
+	// Set environment variables reliable detection of being inside a
+	// Coder workspace.
+	cmd.Env = append(cmd.Env, "CODER=true")
+
+	cmd.Env = append(cmd.Env, fmt.Sprintf("USER=%s", username))
 	// Git on Windows resolves with UNIX-style paths.
 	// If using backslashes, it's unable to find the executable.
-	executablePath = strings.ReplaceAll(executablePath, "\\", "/")
-	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_SSH_COMMAND=%s gitssh --`, executablePath))
-	// These prevent the user from having to specify _anything_ to successfully commit.
-	// Both author and committer must be set!
-	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_AUTHOR_EMAIL=%s`, metadata.OwnerEmail))
-	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_COMMITTER_EMAIL=%s`, metadata.OwnerEmail))
-	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_AUTHOR_NAME=%s`, metadata.OwnerUsername))
-	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_COMMITTER_NAME=%s`, metadata.OwnerUsername))
+	unixExecutablePath := strings.ReplaceAll(executablePath, "\\", "/")
+	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_SSH_COMMAND=%s gitssh --`, unixExecutablePath))
+
+	// Set SSH connection environment variables (these are also set by OpenSSH
+	// and thus expected to be present by SSH clients). Since the agent does
+	// networking in-memory, trying to provide accurate values here would be
+	// nonsensical. For now, we hard code these values so that they're present.
+	srcAddr, srcPort := "0.0.0.0", "0"
+	dstAddr, dstPort := "0.0.0.0", "0"
+	cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_CLIENT=%s %s %s", srcAddr, srcPort, dstPort))
+	cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_CONNECTION=%s %s %s %s", srcAddr, srcPort, dstAddr, dstPort))

 	// Load environment variables passed via the agent.
 	// These should override all variables we manually specify.
-	for key, value := range metadata.EnvironmentVariables {
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, value))
+	for envKey, value := range metadata.EnvironmentVariables {
+		// Expanding environment variables allows for customization
+		// of the $PATH, among other variables. Customers can prepend
+		// or append to the $PATH, so allowing expand is required!
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, os.ExpandEnv(value)))
 	}

 	// Agent-level environment variables should take over all!
 	// This is used for setting agent-specific variables like "CODER_AGENT_TOKEN".
-	for key, value := range a.envVars {
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, value))
+	for envKey, value := range a.envVars {
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, value))
 	}

 	return cmd, nil
 }

-func (a *agent) handleSSHSession(session ssh.Session) error {
-	cmd, err := a.createCommand(session.Context(), session.RawCommand(), session.Environ())
+func (a *agent) handleSSHSession(session ssh.Session) (retErr error) {
+	ctx := session.Context()
+	cmd, err := a.createCommand(ctx, session.RawCommand(), session.Environ())
 	if err != nil {
 		return err
 	}

+	if ssh.AgentRequested(session) {
+		l, err := ssh.NewAgentListener()
+		if err != nil {
+			return xerrors.Errorf("new agent listener: %w", err)
+		}
+		defer l.Close()
+		go ssh.ForwardAgentConnections(l, session)
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", "SSH_AUTH_SOCK", l.Addr().String()))
+	}
+
 	sshPty, windowSize, isPty := session.Pty()
 	if isPty {
+		// Disable minimal PTY emulation set by gliderlabs/ssh (NL-to-CRNL).
+		// See https://github.com/coder/coder/issues/3371.
+		session.DisablePTYEmulation()
+
 		cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", sshPty.Term))
-		ptty, process, err := pty.Start(cmd)
+
+		// The pty package sets `SSH_TTY` on supported platforms.
+		ptty, process, err := pty.Start(cmd, pty.WithPTYOption(
+			pty.WithSSHRequest(sshPty),
+			pty.WithLogger(slog.Stdlib(ctx, a.logger, slog.LevelInfo)),
+		))
 		if err != nil {
 			return xerrors.Errorf("start command: %w", err)
 		}
-		err = ptty.Resize(uint16(sshPty.Window.Height), uint16(sshPty.Window.Width))
-		if err != nil {
-			return xerrors.Errorf("resize ptty: %w", err)
-		}
+		defer func() {
+			closeErr := ptty.Close()
+			if closeErr != nil {
+				a.logger.Warn(ctx, "failed to close tty", slog.Error(closeErr))
+				if retErr == nil {
+					retErr = closeErr
+				}
+			}
+		}()
 		go func() {
 			for win := range windowSize {
-				err = ptty.Resize(uint16(win.Height), uint16(win.Width))
-				if err != nil {
-					a.logger.Warn(context.Background(), "failed to resize tty", slog.Error(err))
+				resizeErr := ptty.Resize(uint16(win.Height), uint16(win.Width))
+				if resizeErr != nil {
+					a.logger.Warn(ctx, "failed to resize tty", slog.Error(resizeErr))
 				}
 			}
 		}()
@@ -402,9 +598,14 @@ func (a *agent) handleSSHSession(session ssh.Session) error {
 		go func() {
 			_, _ = io.Copy(session, ptty.Output())
 		}()
-		_, _ = process.Wait()
-		_ = ptty.Close()
-		return nil
+		err = process.Wait()
+		var exitErr *exec.ExitError
+		// ExitErrors just mean the command we run returned a non-zero exit code, which is normal
+		// and not something to be concerned about.  But, if it's something else, we should log it.
+		if err != nil && !xerrors.As(err, &exitErr) {
+			a.logger.Warn(ctx, "wait error", slog.Error(err))
+		}
+		return err
 	}

 	cmd.Stdout = session
@@ -417,6 +618,7 @@ func (a *agent) handleSSHSession(session ssh.Session) error {
 	}
 	go func() {
 		_, _ = io.Copy(stdinPipe, session)
+		_ = stdinPipe.Close()
 	}()
 	err = cmd.Start()
 	if err != nil {
@@ -425,60 +627,36 @@ func (a *agent) handleSSHSession(session ssh.Session) error {
 	return cmd.Wait()
 }

-func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn net.Conn) {
+func (a *agent) handleReconnectingPTY(ctx context.Context, msg codersdk.ReconnectingPTYInit, conn net.Conn) {
 	defer conn.Close()

-	// The ID format is referenced in conn.go.
-	// <uuid>:<height>:<width>
-	idParts := strings.Split(rawID, ":")
-	if len(idParts) != 3 {
-		a.logger.Warn(ctx, "client sent invalid id format", slog.F("raw-id", rawID))
-		return
-	}
-	id := idParts[0]
-	// Enforce a consistent format for IDs.
-	_, err := uuid.Parse(id)
-	if err != nil {
-		a.logger.Warn(ctx, "client sent reconnection token that isn't a uuid", slog.F("id", id), slog.Error(err))
-		return
-	}
-	// Parse the initial terminal dimensions.
-	height, err := strconv.Atoi(idParts[1])
-	if err != nil {
-		a.logger.Warn(ctx, "client sent invalid height", slog.F("id", id), slog.F("height", idParts[1]))
-		return
-	}
-	width, err := strconv.Atoi(idParts[2])
-	if err != nil {
-		a.logger.Warn(ctx, "client sent invalid width", slog.F("id", id), slog.F("width", idParts[2]))
-		return
-	}
-
 	var rpty *reconnectingPTY
-	rawRPTY, ok := a.reconnectingPTYs.Load(id)
+	rawRPTY, ok := a.reconnectingPTYs.Load(msg.ID)
 	if ok {
 		rpty, ok = rawRPTY.(*reconnectingPTY)
 		if !ok {
-			a.logger.Warn(ctx, "found invalid type in reconnecting pty map", slog.F("id", id))
+			a.logger.Error(ctx, "found invalid type in reconnecting pty map", slog.F("id", msg.ID))
+			return
 		}
 	} else {
 		// Empty command will default to the users shell!
-		cmd, err := a.createCommand(ctx, "", nil)
+		cmd, err := a.createCommand(ctx, msg.Command, nil)
 		if err != nil {
-			a.logger.Warn(ctx, "create reconnecting pty command", slog.Error(err))
+			a.logger.Error(ctx, "create reconnecting pty command", slog.Error(err))
 			return
 		}
 		cmd.Env = append(cmd.Env, "TERM=xterm-256color")

-		ptty, process, err := pty.Start(cmd)
+		// Default to buffer 64KiB.
+		circularBuffer, err := circbuf.NewBuffer(64 << 10)
 		if err != nil {
-			a.logger.Warn(ctx, "start reconnecting pty command", slog.F("id", id))
+			a.logger.Error(ctx, "create circular buffer", slog.Error(err))
+			return
 		}

-		// Default to buffer 64KB.
-		circularBuffer, err := circbuf.NewBuffer(64 * 1024)
+		ptty, process, err := pty.Start(cmd)
 		if err != nil {
-			a.logger.Warn(ctx, "create circular buffer", slog.Error(err))
+			a.logger.Error(ctx, "start reconnecting pty command", slog.F("id", msg.ID))
 			return
 		}

@@ -493,7 +671,7 @@ func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn ne
 			timeout:        time.AfterFunc(a.reconnectingPTYTimeout, cancelFunc),
 			circularBuffer: circularBuffer,
 		}
-		a.reconnectingPTYs.Store(id, rpty)
+		a.reconnectingPTYs.Store(msg.ID, rpty)
 		go func() {
 			// CommandContext isn't respected for Windows PTYs right now,
 			// so we need to manually track the lifecycle.
@@ -506,7 +684,7 @@ func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn ne
 		go func() {
 			// If the process dies randomly, we should
 			// close the pty.
-			_, _ = process.Wait()
+			_ = process.Wait()
 			rpty.Close()
 		}()
 		go func() {
@@ -522,7 +700,7 @@ func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn ne
 				_, err = rpty.circularBuffer.Write(part)
 				rpty.circularBufferMutex.Unlock()
 				if err != nil {
-					a.logger.Error(ctx, "reconnecting pty write buffer", slog.Error(err), slog.F("id", id))
+					a.logger.Error(ctx, "reconnecting pty write buffer", slog.Error(err), slog.F("id", msg.ID))
 					break
 				}
 				rpty.activeConnsMutex.Lock()
@@ -536,22 +714,22 @@ func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn ne
 			// ID from memory.
 			_ = process.Kill()
 			rpty.Close()
-			a.reconnectingPTYs.Delete(id)
+			a.reconnectingPTYs.Delete(msg.ID)
 			a.connCloseWait.Done()
 		}()
 	}
 	// Resize the PTY to initial height + width.
-	err = rpty.ptty.Resize(uint16(height), uint16(width))
+	err := rpty.ptty.Resize(msg.Height, msg.Width)
 	if err != nil {
 		// We can continue after this, it's not fatal!
-		a.logger.Error(ctx, "resize reconnecting pty", slog.F("id", id), slog.Error(err))
+		a.logger.Error(ctx, "resize reconnecting pty", slog.F("id", msg.ID), slog.Error(err))
 	}
 	// Write any previously stored data for the TTY.
 	rpty.circularBufferMutex.RLock()
 	_, err = conn.Write(rpty.circularBuffer.Bytes())
 	rpty.circularBufferMutex.RUnlock()
 	if err != nil {
-		a.logger.Warn(ctx, "write reconnecting pty buffer", slog.F("id", id), slog.Error(err))
+		a.logger.Warn(ctx, "write reconnecting pty buffer", slog.F("id", msg.ID), slog.Error(err))
 		return
 	}
 	connectionID := uuid.NewString()
@@ -590,19 +768,19 @@ func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn ne
 		rpty.activeConnsMutex.Unlock()
 	}()
 	decoder := json.NewDecoder(conn)
-	var req ReconnectingPTYRequest
+	var req codersdk.ReconnectingPTYRequest
 	for {
 		err = decoder.Decode(&req)
 		if xerrors.Is(err, io.EOF) {
 			return
 		}
 		if err != nil {
-			a.logger.Warn(ctx, "reconnecting pty buffer read error", slog.F("id", id), slog.Error(err))
+			a.logger.Warn(ctx, "reconnecting pty buffer read error", slog.F("id", msg.ID), slog.Error(err))
 			return
 		}
 		_, err = rpty.ptty.Input().Write([]byte(req.Data))
 		if err != nil {
-			a.logger.Warn(ctx, "write to reconnecting pty", slog.F("id", id), slog.Error(err))
+			a.logger.Warn(ctx, "write to reconnecting pty", slog.F("id", msg.ID), slog.Error(err))
 			return
 		}
 		// Check if a resize needs to happen!
@@ -612,7 +790,7 @@ func (a *agent) handleReconnectingPTY(ctx context.Context, rawID string, conn ne
 		err = rpty.ptty.Resize(req.Height, req.Width)
 		if err != nil {
 			// We can continue after this, it's not fatal!
-			a.logger.Error(ctx, "resize reconnecting pty", slog.F("id", id), slog.Error(err))
+			a.logger.Error(ctx, "resize reconnecting pty", slog.F("id", msg.ID), slog.Error(err))
 		}
 	}
 }
@@ -635,6 +813,9 @@ func (a *agent) Close() error {
 	}
 	close(a.closed)
 	a.closeCancel()
+	if a.network != nil {
+		_ = a.network.Close()
+	}
 	_ = a.sshServer.Close()
 	a.connCloseWait.Wait()
 	return nil
@@ -659,6 +840,55 @@ func (r *reconnectingPTY) Close() {
 		_ = conn.Close()
 	}
 	_ = r.ptty.Close()
+	r.circularBufferMutex.Lock()
 	r.circularBuffer.Reset()
+	r.circularBufferMutex.Unlock()
 	r.timeout.Stop()
 }
+
+// Bicopy copies all of the data between the two connections and will close them
+// after one or both of them are done writing. If the context is canceled, both
+// of the connections will be closed.
+func Bicopy(ctx context.Context, c1, c2 io.ReadWriteCloser) {
+	defer c1.Close()
+	defer c2.Close()
+
+	var wg sync.WaitGroup
+	copyFunc := func(dst io.WriteCloser, src io.Reader) {
+		defer wg.Done()
+		_, _ = io.Copy(dst, src)
+	}
+
+	wg.Add(2)
+	go copyFunc(c1, c2)
+	go copyFunc(c2, c1)
+
+	// Convert waitgroup to a channel so we can also wait on the context.
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		wg.Wait()
+	}()
+
+	select {
+	case <-ctx.Done():
+	case <-done:
+	}
+}
+
+// ExpandRelativeHomePath expands the tilde at the beginning of a path to the
+// current user's home directory and returns a full absolute path.
+func ExpandRelativeHomePath(in string) (string, error) {
+	usr, err := user.Current()
+	if err != nil {
+		return "", xerrors.Errorf("get current user details: %w", err)
+	}
+
+	if in == "~" {
+		in = usr.HomeDir
+	} else if strings.HasPrefix(in, "~/") {
+		in = filepath.Join(usr.HomeDir, in[2:])
+	}
+
+	return filepath.Abs(in)
+}
@@ -1,23 +1,31 @@
 package agent_test

 import (
+	"bufio"
 	"context"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net"
+	"net/netip"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"runtime"
 	"strconv"
 	"strings"
+	"sync"
 	"testing"
 	"time"

+	"golang.org/x/xerrors"
+	"tailscale.com/net/speedtest"
+
+	scp "github.com/bramvdbogaerde/go-scp"
 	"github.com/google/uuid"
-	"github.com/pion/webrtc/v3"
+	"github.com/pion/udp"
 	"github.com/pkg/sftp"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"
 	"golang.org/x/crypto/ssh"
@@ -27,11 +35,11 @@ import (
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"
 	"github.com/coder/coder/agent"
-	"github.com/coder/coder/peer"
-	"github.com/coder/coder/peerbroker"
-	"github.com/coder/coder/peerbroker/proto"
-	"github.com/coder/coder/provisionersdk"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/tailnet"
+	"github.com/coder/coder/tailnet/tailnettest"
+	"github.com/coder/coder/testutil"
 )

 func TestMain(m *testing.M) {
@@ -40,9 +48,55 @@ func TestMain(m *testing.M) {

 func TestAgent(t *testing.T) {
 	t.Parallel()
+	t.Run("Stats", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("SSH", func(t *testing.T) {
+			t.Parallel()
+			conn, stats := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
+
+			sshClient, err := conn.SSHClient()
+			require.NoError(t, err)
+			defer sshClient.Close()
+			session, err := sshClient.NewSession()
+			require.NoError(t, err)
+			defer session.Close()
+
+			assert.EqualValues(t, 1, (<-stats).NumConns)
+			assert.Greater(t, (<-stats).RxBytes, int64(0))
+			assert.Greater(t, (<-stats).TxBytes, int64(0))
+		})
+
+		t.Run("ReconnectingPTY", func(t *testing.T) {
+			t.Parallel()
+
+			conn, stats := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
+
+			ptyConn, err := conn.ReconnectingPTY(uuid.NewString(), 128, 128, "/bin/bash")
+			require.NoError(t, err)
+			defer ptyConn.Close()
+
+			data, err := json.Marshal(codersdk.ReconnectingPTYRequest{
+				Data: "echo test\r\n",
+			})
+			require.NoError(t, err)
+			_, err = ptyConn.Write(data)
+			require.NoError(t, err)
+
+			var s *codersdk.AgentStats
+			require.Eventuallyf(t, func() bool {
+				var ok bool
+				s, ok = (<-stats)
+				return ok && s.NumConns > 0 && s.RxBytes > 0 && s.TxBytes > 0
+			}, testutil.WaitLong, testutil.IntervalFast,
+				"never saw stats: %+v", s,
+			)
+		})
+	})
+
 	t.Run("SessionExec", func(t *testing.T) {
 		t.Parallel()
-		session := setupSSHSession(t, agent.Metadata{})
+		session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{})

 		command := "echo test"
 		if runtime.GOOS == "windows" {
@@ -55,7 +109,7 @@ func TestAgent(t *testing.T) {

 	t.Run("GitSSH", func(t *testing.T) {
 		t.Parallel()
-		session := setupSSHSession(t, agent.Metadata{})
+		session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{})
 		command := "sh -c 'echo $GIT_SSH_COMMAND'"
 		if runtime.GOOS == "windows" {
 			command = "cmd.exe /c echo %GIT_SSH_COMMAND%"
@@ -65,7 +119,7 @@ func TestAgent(t *testing.T) {
 		require.True(t, strings.HasSuffix(strings.TrimSpace(string(output)), "gitssh --"))
 	})

-	t.Run("SessionTTY", func(t *testing.T) {
+	t.Run("SessionTTYShell", func(t *testing.T) {
 		t.Parallel()
 		if runtime.GOOS == "windows" {
 			// This might be our implementation, or ConPTY itself.
@@ -73,7 +127,7 @@ func TestAgent(t *testing.T) {
 			// it seems like it could be either.
 			t.Skip("ConPTY appears to be inconsistent on Windows.")
 		}
-		session := setupSSHSession(t, agent.Metadata{})
+		session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{})
 		command := "bash"
 		if runtime.GOOS == "windows" {
 			command = "cmd.exe"
@@ -99,6 +153,29 @@ func TestAgent(t *testing.T) {
 		require.NoError(t, err)
 	})

+	t.Run("SessionTTYExitCode", func(t *testing.T) {
+		t.Parallel()
+		session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{})
+		command := "areallynotrealcommand"
+		err := session.RequestPty("xterm", 128, 128, ssh.TerminalModes{})
+		require.NoError(t, err)
+		ptty := ptytest.New(t)
+		require.NoError(t, err)
+		session.Stdout = ptty.Output()
+		session.Stderr = ptty.Output()
+		session.Stdin = ptty.Input()
+		err = session.Start(command)
+		require.NoError(t, err)
+		err = session.Wait()
+		exitErr := &ssh.ExitError{}
+		require.True(t, xerrors.As(err, &exitErr))
+		if runtime.GOOS == "windows" {
+			assert.Equal(t, 1, exitErr.ExitStatus())
+		} else {
+			assert.Equal(t, 127, exitErr.ExitStatus())
+		}
+	})
+
 	t.Run("LocalForwarding", func(t *testing.T) {
 		t.Parallel()
 		random, err := net.Listen("tcp", "127.0.0.1:0")
@@ -116,10 +193,12 @@ func TestAgent(t *testing.T) {
 		localPort := tcpAddr.Port
 		done := make(chan struct{})
 		go func() {
+			defer close(done)
 			conn, err := local.Accept()
-			require.NoError(t, err)
+			if !assert.NoError(t, err) {
+				return
+			}
 			_ = conn.Close()
-			close(done)
 		}()

 		err = setupSSHCommand(t, []string{"-L", fmt.Sprintf("%d:127.0.0.1:%d", randomPort, localPort)}, []string{"echo", "test"}).Start()
@@ -133,8 +212,10 @@ func TestAgent(t *testing.T) {

 	t.Run("SFTP", func(t *testing.T) {
 		t.Parallel()
-		sshClient, err := setupAgent(t, agent.Metadata{}, 0).SSHClient()
+		conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
+		sshClient, err := conn.SSHClient()
 		require.NoError(t, err)
+		defer sshClient.Close()
 		client, err := sftp.NewClient(sshClient)
 		require.NoError(t, err)
 		tempFile := filepath.Join(t.TempDir(), "sftp")
@@ -146,11 +227,28 @@ func TestAgent(t *testing.T) {
 		require.NoError(t, err)
 	})

+	t.Run("SCP", func(t *testing.T) {
+		t.Parallel()
+
+		conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
+		sshClient, err := conn.SSHClient()
+		require.NoError(t, err)
+		defer sshClient.Close()
+		scpClient, err := scp.NewClientBySSH(sshClient)
+		require.NoError(t, err)
+		tempFile := filepath.Join(t.TempDir(), "scp")
+		content := "hello world"
+		err = scpClient.CopyFile(context.Background(), strings.NewReader(content), tempFile, "0755")
+		require.NoError(t, err)
+		_, err = os.Stat(tempFile)
+		require.NoError(t, err)
+	})
+
 	t.Run("EnvironmentVariables", func(t *testing.T) {
 		t.Parallel()
 		key := "EXAMPLE"
 		value := "value"
-		session := setupSSHSession(t, agent.Metadata{
+		session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{
 			EnvironmentVariables: map[string]string{
 				key: value,
 			},
@@ -164,13 +262,79 @@ func TestAgent(t *testing.T) {
 		require.Equal(t, value, strings.TrimSpace(string(output)))
 	})

+	t.Run("EnvironmentVariableExpansion", func(t *testing.T) {
+		t.Parallel()
+		key := "EXAMPLE"
+		session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{
+			EnvironmentVariables: map[string]string{
+				key: "$SOMETHINGNOTSET",
+			},
+		})
+		command := "sh -c 'echo $" + key + "'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %" + key + "%"
+		}
+		output, err := session.Output(command)
+		require.NoError(t, err)
+		expect := ""
+		if runtime.GOOS == "windows" {
+			expect = "%EXAMPLE%"
+		}
+		// Output should be empty, because the variable is not set!
+		require.Equal(t, expect, strings.TrimSpace(string(output)))
+	})
+
+	t.Run("Coder env vars", func(t *testing.T) {
+		t.Parallel()
+
+		for _, key := range []string{"CODER"} {
+			key := key
+			t.Run(key, func(t *testing.T) {
+				t.Parallel()
+
+				session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{})
+				command := "sh -c 'echo $" + key + "'"
+				if runtime.GOOS == "windows" {
+					command = "cmd.exe /c echo %" + key + "%"
+				}
+				output, err := session.Output(command)
+				require.NoError(t, err)
+				require.NotEmpty(t, strings.TrimSpace(string(output)))
+			})
+		}
+	})
+
+	t.Run("SSH connection env vars", func(t *testing.T) {
+		t.Parallel()
+
+		// Note: the SSH_TTY environment variable should only be set for TTYs.
+		// For some reason this test produces a TTY locally and a non-TTY in CI
+		// so we don't test for the absence of SSH_TTY.
+		for _, key := range []string{"SSH_CONNECTION", "SSH_CLIENT"} {
+			key := key
+			t.Run(key, func(t *testing.T) {
+				t.Parallel()
+
+				session := setupSSHSession(t, codersdk.WorkspaceAgentMetadata{})
+				command := "sh -c 'echo $" + key + "'"
+				if runtime.GOOS == "windows" {
+					command = "cmd.exe /c echo %" + key + "%"
+				}
+				output, err := session.Output(command)
+				require.NoError(t, err)
+				require.NotEmpty(t, strings.TrimSpace(string(output)))
+			})
+		}
+	})
+
 	t.Run("StartupScript", func(t *testing.T) {
 		t.Parallel()
-		tempPath := filepath.Join(os.TempDir(), "content.txt")
+		tempPath := filepath.Join(t.TempDir(), "content.txt")
 		content := "somethingnice"
-		setupAgent(t, agent.Metadata{
-			StartupScript: "echo " + content + " > " + tempPath,
+		setupAgent(t, codersdk.WorkspaceAgentMetadata{
+			StartupScript: fmt.Sprintf("echo %s > %s", content, tempPath),
 		}, 0)
+
 		var gotContent string
 		require.Eventually(t, func() bool {
 			content, err := os.ReadFile(tempPath)
@@ -183,11 +347,13 @@ func TestAgent(t *testing.T) {
 			if runtime.GOOS == "windows" {
 				// Windows uses UTF16! 🪟🪟🪟
 				content, _, err = transform.Bytes(unicode.UTF16(unicode.LittleEndian, unicode.UseBOM).NewDecoder(), content)
-				require.NoError(t, err)
+				if !assert.NoError(t, err) {
+					return false
+				}
 			}
 			gotContent = string(content)
 			return true
-		}, 15*time.Second, 100*time.Millisecond)
+		}, testutil.WaitMedium, testutil.IntervalMedium)
 		require.Equal(t, content, strings.TrimSpace(gotContent))
 	})

@@ -199,61 +365,165 @@ func TestAgent(t *testing.T) {
 			// it seems like it could be either.
 			t.Skip("ConPTY appears to be inconsistent on Windows.")
 		}
-		conn := setupAgent(t, agent.Metadata{}, 0)
-		id := uuid.NewString()
-		netConn, err := conn.ReconnectingPTY(id, 100, 100)
-		require.NoError(t, err)

-		data, err := json.Marshal(agent.ReconnectingPTYRequest{
+		conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
+		id := uuid.NewString()
+		netConn, err := conn.ReconnectingPTY(id, 100, 100, "/bin/bash")
+		require.NoError(t, err)
+		bufRead := bufio.NewReader(netConn)
+
+		// Brief pause to reduce the likelihood that we send keystrokes while
+		// the shell is simultaneously sending a prompt.
+		time.Sleep(100 * time.Millisecond)
+
+		data, err := json.Marshal(codersdk.ReconnectingPTYRequest{
 			Data: "echo test\r\n",
 		})
 		require.NoError(t, err)
 		_, err = netConn.Write(data)
 		require.NoError(t, err)

-		findEcho := func() {
+		expectLine := func(matcher func(string) bool) {
 			for {
-				read, err := netConn.Read(data)
+				line, err := bufRead.ReadString('\n')
 				require.NoError(t, err)
-				if strings.Contains(string(data[:read]), "test") {
+				if matcher(line) {
 					break
 				}
 			}
 		}

+		matchEchoCommand := func(line string) bool {
+			return strings.Contains(line, "echo test")
+		}
+		matchEchoOutput := func(line string) bool {
+			return strings.Contains(line, "test") && !strings.Contains(line, "echo")
+		}
+
 		// Once for typing the command...
-		findEcho()
+		expectLine(matchEchoCommand)
 		// And another time for the actual output.
-		findEcho()
+		expectLine(matchEchoOutput)

 		_ = netConn.Close()
-		netConn, err = conn.ReconnectingPTY(id, 100, 100)
+		netConn, err = conn.ReconnectingPTY(id, 100, 100, "/bin/bash")
 		require.NoError(t, err)
+		bufRead = bufio.NewReader(netConn)

 		// Same output again!
-		findEcho()
-		findEcho()
+		expectLine(matchEchoCommand)
+		expectLine(matchEchoOutput)
+	})
+
+	t.Run("Dial", func(t *testing.T) {
+		t.Parallel()
+
+		cases := []struct {
+			name  string
+			setup func(t *testing.T) net.Listener
+		}{
+			{
+				name: "TCP",
+				setup: func(t *testing.T) net.Listener {
+					l, err := net.Listen("tcp", "127.0.0.1:0")
+					require.NoError(t, err, "create TCP listener")
+					return l
+				},
+			},
+			{
+				name: "UDP",
+				setup: func(t *testing.T) net.Listener {
+					addr := net.UDPAddr{
+						IP:   net.ParseIP("127.0.0.1"),
+						Port: 0,
+					}
+					l, err := udp.Listen("udp", &addr)
+					require.NoError(t, err, "create UDP listener")
+					return l
+				},
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+
+				// Setup listener
+				l := c.setup(t)
+				defer l.Close()
+				go func() {
+					for {
+						c, err := l.Accept()
+						if err != nil {
+							return
+						}
+
+						go testAccept(t, c)
+					}
+				}()
+
+				conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
+				require.Eventually(t, func() bool {
+					_, err := conn.Ping()
+					return err == nil
+				}, testutil.WaitMedium, testutil.IntervalFast)
+				conn1, err := conn.DialContext(context.Background(), l.Addr().Network(), l.Addr().String())
+				require.NoError(t, err)
+				defer conn1.Close()
+				conn2, err := conn.DialContext(context.Background(), l.Addr().Network(), l.Addr().String())
+				require.NoError(t, err)
+				defer conn2.Close()
+				testDial(t, conn2)
+				testDial(t, conn1)
+				time.Sleep(150 * time.Millisecond)
+			})
+		}
+	})
+
+	t.Run("Speedtest", func(t *testing.T) {
+		t.Parallel()
+		if testing.Short() {
+			t.Skip("The minimum duration for a speedtest is hardcoded in Tailscale to 5s!")
+		}
+		derpMap := tailnettest.RunDERPAndSTUN(t)
+		conn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{
+			DERPMap: derpMap,
+		}, 0)
+		defer conn.Close()
+		res, err := conn.Speedtest(speedtest.Upload, 250*time.Millisecond)
+		require.NoError(t, err)
+		t.Logf("%.2f MBits/s", res[len(res)-1].MBitsPerSecond())
 	})
 }

 func setupSSHCommand(t *testing.T, beforeArgs []string, afterArgs []string) *exec.Cmd {
-	agentConn := setupAgent(t, agent.Metadata{}, 0)
+	agentConn, _ := setupAgent(t, codersdk.WorkspaceAgentMetadata{}, 0)
 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
+	waitGroup := sync.WaitGroup{}
 	go func() {
+		defer listener.Close()
 		for {
 			conn, err := listener.Accept()
 			if err != nil {
 				return
 			}
 			ssh, err := agentConn.SSH()
-			require.NoError(t, err)
-			go io.Copy(conn, ssh)
-			go io.Copy(ssh, conn)
+			if err != nil {
+				_ = conn.Close()
+				return
+			}
+			waitGroup.Add(1)
+			go func() {
+				agent.Bicopy(context.Background(), conn, ssh)
+				waitGroup.Done()
+			}()
 		}
 	}()
 	t.Cleanup(func() {
 		_ = listener.Close()
+		waitGroup.Wait()
 	})
 	tcpAddr, valid := listener.Addr().(*net.TCPAddr)
 	require.True(t, valid)
@@ -265,41 +535,139 @@ func setupSSHCommand(t *testing.T, beforeArgs []string, afterArgs []string) *exe
 	return exec.Command("ssh", args...)
 }

-func setupSSHSession(t *testing.T, options agent.Metadata) *ssh.Session {
-	sshClient, err := setupAgent(t, options, 0).SSHClient()
+func setupSSHSession(t *testing.T, options codersdk.WorkspaceAgentMetadata) *ssh.Session {
+	conn, _ := setupAgent(t, options, 0)
+	sshClient, err := conn.SSHClient()
 	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = sshClient.Close()
+	})
 	session, err := sshClient.NewSession()
 	require.NoError(t, err)
 	return session
 }

-func setupAgent(t *testing.T, metadata agent.Metadata, ptyTimeout time.Duration) *agent.Conn {
-	client, server := provisionersdk.TransportPipe()
-	closer := agent.New(func(ctx context.Context, logger slog.Logger) (agent.Metadata, *peerbroker.Listener, error) {
-		listener, err := peerbroker.Listen(server, nil)
-		return metadata, listener, err
-	}, &agent.Options{
+type closeFunc func() error
+
+func (c closeFunc) Close() error {
+	return c()
+}
+
+func setupAgent(t *testing.T, metadata codersdk.WorkspaceAgentMetadata, ptyTimeout time.Duration) (
+	*codersdk.AgentConn,
+	<-chan *codersdk.AgentStats,
+) {
+	if metadata.DERPMap == nil {
+		metadata.DERPMap = tailnettest.RunDERPAndSTUN(t)
+	}
+	coordinator := tailnet.NewCoordinator()
+	agentID := uuid.New()
+	statsCh := make(chan *codersdk.AgentStats)
+	closer := agent.New(agent.Options{
+		FetchMetadata: func(ctx context.Context) (codersdk.WorkspaceAgentMetadata, error) {
+			return metadata, nil
+		},
+		CoordinatorDialer: func(ctx context.Context) (net.Conn, error) {
+			clientConn, serverConn := net.Pipe()
+			closed := make(chan struct{})
+			t.Cleanup(func() {
+				_ = serverConn.Close()
+				_ = clientConn.Close()
+				<-closed
+			})
+			go func() {
+				_ = coordinator.ServeAgent(serverConn, agentID)
+				close(closed)
+			}()
+			return clientConn, nil
+		},
 		Logger:                 slogtest.Make(t, nil).Leveled(slog.LevelDebug),
 		ReconnectingPTYTimeout: ptyTimeout,
+		StatsReporter: func(ctx context.Context, log slog.Logger, statsFn func() *codersdk.AgentStats) (io.Closer, error) {
+			doneCh := make(chan struct{})
+			ctx, cancel := context.WithCancel(ctx)
+
+			go func() {
+				defer close(doneCh)
+
+				t := time.NewTicker(time.Millisecond * 100)
+				defer t.Stop()
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-t.C:
+					}
+					select {
+					case statsCh <- statsFn():
+					case <-ctx.Done():
+						return
+					default:
+						// We don't want to send old stats.
+						continue
+					}
+				}
+			}()
+			return closeFunc(func() error {
+				cancel()
+				<-doneCh
+				close(statsCh)
+				return nil
+			}), nil
+		},
 	})
 	t.Cleanup(func() {
-		_ = client.Close()
-		_ = server.Close()
 		_ = closer.Close()
 	})
-	api := proto.NewDRPCPeerBrokerClient(provisionersdk.Conn(client))
-	stream, err := api.NegotiateConnection(context.Background())
-	require.NoError(t, err)
-	conn, err := peerbroker.Dial(stream, []webrtc.ICEServer{}, &peer.ConnOptions{
-		Logger: slogtest.Make(t, nil),
+	conn, err := tailnet.NewConn(&tailnet.Options{
+		Addresses: []netip.Prefix{netip.PrefixFrom(tailnet.IP(), 128)},
+		DERPMap:   metadata.DERPMap,
+		Logger:    slogtest.Make(t, nil).Named("client").Leveled(slog.LevelDebug),
 	})
 	require.NoError(t, err)
+	clientConn, serverConn := net.Pipe()
 	t.Cleanup(func() {
+		_ = clientConn.Close()
+		_ = serverConn.Close()
 		_ = conn.Close()
 	})
-
-	return &agent.Conn{
-		Negotiator: api,
-		Conn:       conn,
-	}
+	go coordinator.ServeClient(serverConn, uuid.New(), agentID)
+	sendNode, _ := tailnet.ServeCoordinator(clientConn, func(node []*tailnet.Node) error {
+		return conn.UpdateNodes(node)
+	})
+	conn.SetNodeCallback(sendNode)
+	return &codersdk.AgentConn{
+		Conn: conn,
+	}, statsCh
+}
+
+var dialTestPayload = []byte("dean-was-here123")
+
+func testDial(t *testing.T, c net.Conn) {
+	t.Helper()
+
+	assertWritePayload(t, c, dialTestPayload)
+	assertReadPayload(t, c, dialTestPayload)
+}
+
+func testAccept(t *testing.T, c net.Conn) {
+	t.Helper()
+	defer c.Close()
+
+	assertReadPayload(t, c, dialTestPayload)
+	assertWritePayload(t, c, dialTestPayload)
+}
+
+func assertReadPayload(t *testing.T, r io.Reader, payload []byte) {
+	b := make([]byte, len(payload)+16)
+	n, err := r.Read(b)
+	assert.NoError(t, err, "read payload")
+	assert.Equal(t, len(payload), n, "read payload length does not match")
+	assert.Equal(t, payload, b[:n])
+}
+
+func assertWritePayload(t *testing.T, w io.Writer, payload []byte) {
+	n, err := w.Write(payload)
+	assert.NoError(t, err, "write payload")
+	assert.Equal(t, len(payload), n, "payload length does not match")
 }
@@ -0,0 +1,184 @@
+package agent
+
+import (
+	"context"
+	"net/http"
+	"sync"
+	"time"
+
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/retry"
+)
+
+// WorkspaceAgentApps fetches the workspace apps.
+type WorkspaceAgentApps func(context.Context) ([]codersdk.WorkspaceApp, error)
+
+// PostWorkspaceAgentAppHealth updates the workspace app health.
+type PostWorkspaceAgentAppHealth func(context.Context, codersdk.PostWorkspaceAppHealthsRequest) error
+
+// WorkspaceAppHealthReporter is a function that checks and reports the health of the workspace apps until the passed context is canceled.
+type WorkspaceAppHealthReporter func(ctx context.Context)
+
+// NewWorkspaceAppHealthReporter creates a WorkspaceAppHealthReporter that reports app health to coderd.
+func NewWorkspaceAppHealthReporter(logger slog.Logger, workspaceAgentApps WorkspaceAgentApps, postWorkspaceAgentAppHealth PostWorkspaceAgentAppHealth) WorkspaceAppHealthReporter {
+	runHealthcheckLoop := func(ctx context.Context) error {
+		apps, err := workspaceAgentApps(ctx)
+		if err != nil {
+			if xerrors.Is(err, context.Canceled) {
+				return nil
+			}
+			return xerrors.Errorf("getting workspace apps: %w", err)
+		}
+
+		// no need to run this loop if no apps for this workspace.
+		if len(apps) == 0 {
+			return nil
+		}
+
+		hasHealthchecksEnabled := false
+		health := make(map[string]codersdk.WorkspaceAppHealth, 0)
+		for _, app := range apps {
+			health[app.Name] = app.Health
+			if !hasHealthchecksEnabled && app.Health != codersdk.WorkspaceAppHealthDisabled {
+				hasHealthchecksEnabled = true
+			}
+		}
+
+		// no need to run this loop if no health checks are configured.
+		if !hasHealthchecksEnabled {
+			return nil
+		}
+
+		// run a ticker for each app health check.
+		var mu sync.RWMutex
+		failures := make(map[string]int, 0)
+		for _, nextApp := range apps {
+			if !shouldStartTicker(nextApp) {
+				continue
+			}
+			app := nextApp
+			t := time.NewTicker(time.Duration(app.Healthcheck.Interval) * time.Second)
+			go func() {
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-t.C:
+					}
+					// we set the http timeout to the healthcheck interval to prevent getting too backed up.
+					client := &http.Client{
+						Timeout: time.Duration(app.Healthcheck.Interval) * time.Second,
+					}
+					err := func() error {
+						req, err := http.NewRequestWithContext(ctx, http.MethodGet, app.Healthcheck.URL, nil)
+						if err != nil {
+							return err
+						}
+						res, err := client.Do(req)
+						if err != nil {
+							return err
+						}
+						// successful healthcheck is a non-5XX status code
+						res.Body.Close()
+						if res.StatusCode >= http.StatusInternalServerError {
+							return xerrors.Errorf("error status code: %d", res.StatusCode)
+						}
+
+						return nil
+					}()
+					if err != nil {
+						mu.Lock()
+						if failures[app.Name] < int(app.Healthcheck.Threshold) {
+							// increment the failure count and keep status the same.
+							// we will change it when we hit the threshold.
+							failures[app.Name]++
+						} else {
+							// set to unhealthy if we hit the failure threshold.
+							// we stop incrementing at the threshold to prevent the failure value from increasing forever.
+							health[app.Name] = codersdk.WorkspaceAppHealthUnhealthy
+						}
+						mu.Unlock()
+					} else {
+						mu.Lock()
+						// we only need one successful health check to be considered healthy.
+						health[app.Name] = codersdk.WorkspaceAppHealthHealthy
+						failures[app.Name] = 0
+						mu.Unlock()
+					}
+
+					t.Reset(time.Duration(app.Healthcheck.Interval) * time.Second)
+				}
+			}()
+		}
+
+		mu.Lock()
+		lastHealth := copyHealth(health)
+		mu.Unlock()
+		reportTicker := time.NewTicker(time.Second)
+		// every second we check if the health values of the apps have changed
+		// and if there is a change we will report the new values.
+		for {
+			select {
+			case <-ctx.Done():
+				return nil
+			case <-reportTicker.C:
+				mu.RLock()
+				changed := healthChanged(lastHealth, health)
+				mu.RUnlock()
+				if !changed {
+					continue
+				}
+
+				mu.Lock()
+				lastHealth = copyHealth(health)
+				mu.Unlock()
+				err := postWorkspaceAgentAppHealth(ctx, codersdk.PostWorkspaceAppHealthsRequest{
+					Healths: lastHealth,
+				})
+				if err != nil {
+					logger.Error(ctx, "failed to report workspace app stat", slog.Error(err))
+				}
+			}
+		}
+	}
+
+	return func(ctx context.Context) {
+		for r := retry.New(time.Second, 30*time.Second); r.Wait(ctx); {
+			err := runHealthcheckLoop(ctx)
+			if err == nil || xerrors.Is(err, context.Canceled) || xerrors.Is(err, context.DeadlineExceeded) {
+				return
+			}
+			logger.Error(ctx, "failed running workspace app reporter", slog.Error(err))
+		}
+	}
+}
+
+func shouldStartTicker(app codersdk.WorkspaceApp) bool {
+	return app.Healthcheck.URL != "" && app.Healthcheck.Interval > 0 && app.Healthcheck.Threshold > 0
+}
+
+func healthChanged(old map[string]codersdk.WorkspaceAppHealth, new map[string]codersdk.WorkspaceAppHealth) bool {
+	for name, newValue := range new {
+		oldValue, found := old[name]
+		if !found {
+			return true
+		}
+		if newValue != oldValue {
+			return true
+		}
+	}
+
+	return false
+}
+
+func copyHealth(h1 map[string]codersdk.WorkspaceAppHealth) map[string]codersdk.WorkspaceAppHealth {
+	h2 := make(map[string]codersdk.WorkspaceAppHealth, 0)
+	for k, v := range h1 {
+		h2[k] = v
+	}
+
+	return h2
+}
@@ -0,0 +1,209 @@
+package agent_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/testutil"
+)
+
+func TestAppHealth(t *testing.T) {
+	t.Parallel()
+	t.Run("Healthy", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		apps := []codersdk.WorkspaceApp{
+			{
+				Name:        "app1",
+				Healthcheck: codersdk.Healthcheck{},
+				Health:      codersdk.WorkspaceAppHealthDisabled,
+			},
+			{
+				Name: "app2",
+				Healthcheck: codersdk.Healthcheck{
+					// URL: We don't set the URL for this test because the setup will
+					// create a httptest server for us and set it for us.
+					Interval:  1,
+					Threshold: 1,
+				},
+				Health: codersdk.WorkspaceAppHealthInitializing,
+			},
+		}
+		handlers := []http.Handler{
+			nil,
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				httpapi.Write(r.Context(), w, http.StatusOK, nil)
+			}),
+		}
+		getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+		defer closeFn()
+		apps, err := getApps(ctx)
+		require.NoError(t, err)
+		require.EqualValues(t, codersdk.WorkspaceAppHealthDisabled, apps[0].Health)
+		require.Eventually(t, func() bool {
+			apps, err := getApps(ctx)
+			if err != nil {
+				return false
+			}
+
+			return apps[1].Health == codersdk.WorkspaceAppHealthHealthy
+		}, testutil.WaitLong, testutil.IntervalSlow)
+	})
+
+	t.Run("500", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		apps := []codersdk.WorkspaceApp{
+			{
+				Name: "app2",
+				Healthcheck: codersdk.Healthcheck{
+					// URL: We don't set the URL for this test because the setup will
+					// create a httptest server for us and set it for us.
+					Interval:  1,
+					Threshold: 1,
+				},
+				Health: codersdk.WorkspaceAppHealthInitializing,
+			},
+		}
+		handlers := []http.Handler{
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				httpapi.Write(r.Context(), w, http.StatusInternalServerError, nil)
+			}),
+		}
+		getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+		defer closeFn()
+		require.Eventually(t, func() bool {
+			apps, err := getApps(ctx)
+			if err != nil {
+				return false
+			}
+
+			return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+		}, testutil.WaitLong, testutil.IntervalSlow)
+	})
+
+	t.Run("Timeout", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		apps := []codersdk.WorkspaceApp{
+			{
+				Name: "app2",
+				Healthcheck: codersdk.Healthcheck{
+					// URL: We don't set the URL for this test because the setup will
+					// create a httptest server for us and set it for us.
+					Interval:  1,
+					Threshold: 1,
+				},
+				Health: codersdk.WorkspaceAppHealthInitializing,
+			},
+		}
+		handlers := []http.Handler{
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				// sleep longer than the interval to cause the health check to time out
+				time.Sleep(2 * time.Second)
+				httpapi.Write(r.Context(), w, http.StatusOK, nil)
+			}),
+		}
+		getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+		defer closeFn()
+		require.Eventually(t, func() bool {
+			apps, err := getApps(ctx)
+			if err != nil {
+				return false
+			}
+
+			return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+		}, testutil.WaitLong, testutil.IntervalSlow)
+	})
+
+	t.Run("NotSpamming", func(t *testing.T) {
+		t.Parallel()
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+		apps := []codersdk.WorkspaceApp{
+			{
+				Name: "app2",
+				Healthcheck: codersdk.Healthcheck{
+					// URL: We don't set the URL for this test because the setup will
+					// create a httptest server for us and set it for us.
+					Interval:  1,
+					Threshold: 1,
+				},
+				Health: codersdk.WorkspaceAppHealthInitializing,
+			},
+		}
+
+		var counter = new(int32)
+		handlers := []http.Handler{
+			http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				atomic.AddInt32(counter, 1)
+			}),
+		}
+		_, closeFn := setupAppReporter(ctx, t, apps, handlers)
+		defer closeFn()
+		// Ensure we haven't made more than 2 (expected 1 + 1 for buffer) requests in the last second.
+		// if there is a bug where we are spamming the healthcheck route this will catch it.
+		time.Sleep(time.Second)
+		require.LessOrEqual(t, *counter, int32(2))
+	})
+}
+
+func setupAppReporter(ctx context.Context, t *testing.T, apps []codersdk.WorkspaceApp, handlers []http.Handler) (agent.WorkspaceAgentApps, func()) {
+	closers := []func(){}
+	for i, handler := range handlers {
+		if handler == nil {
+			continue
+		}
+		ts := httptest.NewServer(handler)
+		app := apps[i]
+		app.Healthcheck.URL = ts.URL
+		apps[i] = app
+		closers = append(closers, ts.Close)
+	}
+
+	var mu sync.Mutex
+	workspaceAgentApps := func(context.Context) ([]codersdk.WorkspaceApp, error) {
+		mu.Lock()
+		defer mu.Unlock()
+		var newApps []codersdk.WorkspaceApp
+		return append(newApps, apps...), nil
+	}
+	postWorkspaceAgentAppHealth := func(_ context.Context, req codersdk.PostWorkspaceAppHealthsRequest) error {
+		mu.Lock()
+		for name, health := range req.Healths {
+			for i, app := range apps {
+				if app.Name != name {
+					continue
+				}
+				app.Health = health
+				apps[i] = app
+			}
+		}
+		mu.Unlock()
+
+		return nil
+	}
+
+	go agent.NewWorkspaceAppHealthReporter(slogtest.Make(t, nil).Leveled(slog.LevelDebug), workspaceAgentApps, postWorkspaceAgentAppHealth)(ctx)
+
+	return workspaceAgentApps, func() {
+		for _, closeFn := range closers {
+			closeFn()
+		}
+	}
+}
@@ -1,77 +0,0 @@
-package agent
-
-import (
-	"context"
-	"fmt"
-	"net"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/peer"
-	"github.com/coder/coder/peerbroker/proto"
-)
-
-// ReconnectingPTYRequest is sent from the client to the server
-// to pipe data to a PTY.
-type ReconnectingPTYRequest struct {
-	Data   string `json:"data"`
-	Height uint16 `json:"height"`
-	Width  uint16 `json:"width"`
-}
-
-// Conn wraps a peer connection with helper functions to
-// communicate with the agent.
-type Conn struct {
-	// Negotiator is responsible for exchanging messages.
-	Negotiator proto.DRPCPeerBrokerClient
-
-	*peer.Conn
-}
-
-// ReconnectingPTY returns a connection serving a TTY that can
-// be reconnected to via ID.
-func (c *Conn) ReconnectingPTY(id string, height, width uint16) (net.Conn, error) {
-	channel, err := c.Dial(context.Background(), fmt.Sprintf("%s:%d:%d", id, height, width), &peer.ChannelOptions{
-		Protocol: "reconnecting-pty",
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("pty: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSH dials the built-in SSH server.
-func (c *Conn) SSH() (net.Conn, error) {
-	channel, err := c.Dial(context.Background(), "ssh", &peer.ChannelOptions{
-		Protocol: "ssh",
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("dial: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSHClient calls SSH to create a client that uses a weak cipher
-// for high throughput.
-func (c *Conn) SSHClient() (*ssh.Client, error) {
-	netConn, err := c.SSH()
-	if err != nil {
-		return nil, xerrors.Errorf("ssh: %w", err)
-	}
-	sshConn, channels, requests, err := ssh.NewClientConn(netConn, "localhost:22", &ssh.ClientConfig{
-		// SSH host validation isn't helpful, because obtaining a peer
-		// connection already signifies user-intent to dial a workspace.
-		// #nosec
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("ssh conn: %w", err)
-	}
-	return ssh.NewClient(sshConn, channels, requests), nil
-}
-
-func (c *Conn) Close() error {
-	_ = c.Negotiator.DRPCConn().Close()
-	return c.Conn.Close()
-}
@@ -0,0 +1,4 @@
+// Package reaper contains logic for reaping subprocesses. It is
+// specifically used in the agent to avoid the accumulation of
+// zombie processes.
+package reaper
@@ -0,0 +1,28 @@
+package reaper
+
+import "github.com/hashicorp/go-reap"
+
+type Option func(o *options)
+
+// WithExecArgs specifies the exec arguments for the fork exec call.
+// By default the same arguments as the parent are used as dictated by
+// os.Args. Since ForkReap calls a fork-exec it is the responsibility of
+// the caller to avoid fork-bombing oneself.
+func WithExecArgs(args ...string) Option {
+	return func(o *options) {
+		o.ExecArgs = args
+	}
+}
+
+// WithPIDCallback sets the channel that reaped child process PIDs are pushed
+// onto.
+func WithPIDCallback(ch reap.PidCh) Option {
+	return func(o *options) {
+		o.PIDs = ch
+	}
+}
+
+type options struct {
+	ExecArgs []string
+	PIDs     reap.PidCh
+}
@@ -0,0 +1,12 @@
+//go:build !linux
+
+package reaper
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return false
+}
+
+func ForkReap(_ ...Option) error {
+	return nil
+}
@@ -0,0 +1,66 @@
+//go:build linux
+
+package reaper_test
+
+import (
+	"os"
+	"os/exec"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-reap"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/testutil"
+)
+
+func TestReap(t *testing.T) {
+	t.Parallel()
+
+	// Don't run the reaper test in CI. It does weird
+	// things like forkexecing which may have unintended
+	// consequences in CI.
+	if _, ok := os.LookupEnv("CI"); ok {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	// OK checks that's the reaper is successfully reaping
+	// exited processes and passing the PIDs through the shared
+	// channel.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+		pids := make(reap.PidCh, 1)
+		err := reaper.ForkReap(
+			reaper.WithPIDCallback(pids),
+			// Provide some argument that immediately exits.
+			reaper.WithExecArgs("/bin/sh", "-c", "exit 0"),
+		)
+		require.NoError(t, err)
+
+		cmd := exec.Command("tail", "-f", "/dev/null")
+		err = cmd.Start()
+		require.NoError(t, err)
+
+		cmd2 := exec.Command("tail", "-f", "/dev/null")
+		err = cmd2.Start()
+		require.NoError(t, err)
+
+		err = cmd.Process.Kill()
+		require.NoError(t, err)
+
+		err = cmd2.Process.Kill()
+		require.NoError(t, err)
+
+		expectedPIDs := []int{cmd.Process.Pid, cmd2.Process.Pid}
+
+		for i := 0; i < len(expectedPIDs); i++ {
+			select {
+			case <-time.After(testutil.WaitShort):
+				t.Fatalf("Timed out waiting for process")
+			case pid := <-pids:
+				require.Contains(t, expectedPIDs, pid)
+			}
+		}
+	})
+}
@@ -0,0 +1,63 @@
+//go:build linux
+
+package reaper
+
+import (
+	"os"
+	"syscall"
+
+	"github.com/hashicorp/go-reap"
+	"golang.org/x/xerrors"
+)
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return os.Getpid() == 1
+}
+
+// ForkReap spawns a goroutine that reaps children. In order to avoid
+// complications with spawning `exec.Commands` in the same process that
+// is reaping, we forkexec a child process. This prevents a race between
+// the reaper and an exec.Command waiting for its process to complete.
+// The provided 'pids' channel may be nil if the caller does not care about the
+// reaped children PIDs.
+func ForkReap(opt ...Option) error {
+	opts := &options{
+		ExecArgs: os.Args,
+	}
+
+	for _, o := range opt {
+		o(opts)
+	}
+
+	go reap.ReapChildren(opts.PIDs, nil, nil, nil)
+
+	pwd, err := os.Getwd()
+	if err != nil {
+		return xerrors.Errorf("get wd: %w", err)
+	}
+
+	pattrs := &syscall.ProcAttr{
+		Dir: pwd,
+		Env: os.Environ(),
+		Sys: &syscall.SysProcAttr{
+			Setsid: true,
+		},
+		Files: []uintptr{
+			uintptr(syscall.Stdin),
+			uintptr(syscall.Stdout),
+			uintptr(syscall.Stderr),
+		},
+	}
+
+	//#nosec G204
+	pid, _ := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+
+	var wstatus syscall.WaitStatus
+	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	for xerrors.Is(err, syscall.EINTR) {
+		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	}
+
+	return nil
+}
@@ -0,0 +1,68 @@
+package agent
+
+import (
+	"context"
+	"io"
+	"net"
+	"sync/atomic"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/codersdk"
+)
+
+// statsConn wraps a net.Conn with statistics.
+type statsConn struct {
+	*Stats
+	net.Conn `json:"-"`
+}
+
+var _ net.Conn = new(statsConn)
+
+func (c *statsConn) Read(b []byte) (n int, err error) {
+	n, err = c.Conn.Read(b)
+	atomic.AddInt64(&c.RxBytes, int64(n))
+	return n, err
+}
+
+func (c *statsConn) Write(b []byte) (n int, err error) {
+	n, err = c.Conn.Write(b)
+	atomic.AddInt64(&c.TxBytes, int64(n))
+	return n, err
+}
+
+var _ net.Conn = new(statsConn)
+
+// Stats records the Agent's network connection statistics for use in
+// user-facing metrics and debugging.
+// Each member value must be written and read with atomic.
+type Stats struct {
+	NumConns int64 `json:"num_comms"`
+	RxBytes  int64 `json:"rx_bytes"`
+	TxBytes  int64 `json:"tx_bytes"`
+}
+
+func (s *Stats) Copy() *codersdk.AgentStats {
+	return &codersdk.AgentStats{
+		NumConns: atomic.LoadInt64(&s.NumConns),
+		RxBytes:  atomic.LoadInt64(&s.RxBytes),
+		TxBytes:  atomic.LoadInt64(&s.TxBytes),
+	}
+}
+
+// wrapConn returns a new connection that records statistics.
+func (s *Stats) wrapConn(conn net.Conn) net.Conn {
+	atomic.AddInt64(&s.NumConns, 1)
+	cs := &statsConn{
+		Stats: s,
+		Conn:  conn,
+	}
+
+	return cs
+}
+
+// StatsReporter periodically accept and records agent stats.
+type StatsReporter func(
+	ctx context.Context,
+	log slog.Logger,
+	stats func() *codersdk.AgentStats,
+) (io.Closer, error)
@@ -3,6 +3,6 @@ package usershell
 import "os"

 // Get returns the $SHELL environment variable.
-func Get(username string) (string, error) {
+func Get(_ string) (string, error) {
 	return os.Getenv("SHELL"), nil
 }
@@ -3,6 +3,7 @@ package buildinfo
 import (
 	"fmt"
 	"runtime/debug"
+	"strings"
 	"sync"
 	"time"

@@ -24,6 +25,11 @@ var (
 	tag string
 )

+const (
+	// develPrefix is prefixed to developer versions of the application.
+	develPrefix = "v0.0.0-devel"
+)
+
 // Version returns the semantic version of the build.
 // Use golang.org/x/mod/semver to compare versions.
 func Version() string {
@@ -35,7 +41,7 @@ func Version() string {
 		if tag == "" {
 			// This occurs when the tag hasn't been injected,
 			// like when using "go run".
-			version = "v0.0.0-devel" + revision
+			version = develPrefix + revision
 			return
 		}
 		version = "v" + tag
@@ -48,6 +54,20 @@ func Version() string {
 	return version
 }

+// VersionsMatch compares the two versions. It assumes the versions match if
+// the major and the minor versions are equivalent. Patch versions are
+// disregarded. If it detects that either version is a developer build it
+// returns true.
+func VersionsMatch(v1, v2 string) bool {
+	// Developer versions are disregarded...hopefully they know what they are
+	// doing.
+	if strings.HasPrefix(v1, develPrefix) || strings.HasPrefix(v2, develPrefix) {
+		return true
+	}
+
+	return semver.MajorMinor(v1) == semver.MajorMinor(v2)
+}
+
 // ExternalURL returns a URL referencing the current Coder version.
 // For production builds, this will link directly to a release.
 // For development builds, this will link to a commit.
@@ -1,6 +1,7 @@
 package buildinfo_test

 import (
+	"fmt"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -29,4 +30,70 @@ func TestBuildInfo(t *testing.T) {
 		_, valid := buildinfo.Time()
 		require.False(t, valid)
 	})
+
+	t.Run("VersionsMatch", func(t *testing.T) {
+		t.Parallel()
+
+		type testcase struct {
+			name        string
+			v1          string
+			v2          string
+			expectMatch bool
+		}
+
+		cases := []testcase{
+			{
+				name:        "OK",
+				v1:          "v1.2.3",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Test that we return true if a developer version is detected.
+			// Developers do not need to be warned of mismatched versions.
+			{
+				name:        "DevelIgnored",
+				v1:          "v0.0.0-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Our CI instance uses a "-devel" prerelease
+			// flag. This is not the same as a developer WIP build.
+			{
+				name:        "DevelPreleaseNotIgnored",
+				v1:          "v1.1.1-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: false,
+			},
+			{
+				name:        "MajorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v0.1.2",
+				expectMatch: false,
+			},
+			{
+				name:        "MinorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v1.3.2",
+				expectMatch: false,
+			},
+			// Different patches are ok, breaking changes are not allowed
+			// in patches.
+			{
+				name:        "PatchMismatch",
+				v1:          "v1.2.3+hash.whocares",
+				v2:          "v1.2.4+somestuff.hm.ok",
+				expectMatch: true,
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+				require.Equal(t, c.expectMatch, buildinfo.VersionsMatch(c.v1, c.v2),
+					fmt.Sprintf("expected match=%v for version %s and %s", c.expectMatch, c.v1, c.v2),
+				)
+			})
+		}
+	})
 }
@@ -2,30 +2,36 @@ package cli

 import (
 	"context"
+	"fmt"
 	"net/http"
+	_ "net/http/pprof" //nolint: gosec
 	"net/url"
 	"os"
 	"path/filepath"
+	"runtime"
 	"time"

 	"cloud.google.com/go/compute/metadata"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
+	"gopkg.in/natefinch/lumberjack.v2"

 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
-
 	"github.com/coder/coder/agent"
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/buildinfo"
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/retry"
-
-	"gopkg.in/natefinch/lumberjack.v2"
 )

 func workspaceAgent() *cobra.Command {
 	var (
-		auth string
+		auth         string
+		pprofEnabled bool
+		pprofAddress string
+		noReap       bool
 	)
 	cmd := &cobra.Command{
 		Use: "agent",
@@ -47,8 +53,44 @@ func workspaceAgent() *cobra.Command {
 			}
 			defer logWriter.Close()
 			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
+
+			isLinux := runtime.GOOS == "linux"
+
+			// Spawn a reaper so that we don't accumulate a ton
+			// of zombie processes.
+			if reaper.IsInitProcess() && !noReap && isLinux {
+				logger.Info(cmd.Context(), "spawning reaper process")
+				// Do not start a reaper on the child process. It's important
+				// to do this else we fork bomb ourselves.
+				args := append(os.Args, "--no-reap")
+				err := reaper.ForkReap(reaper.WithExecArgs(args...))
+				if err != nil {
+					logger.Error(cmd.Context(), "failed to reap", slog.Error(err))
+					return xerrors.Errorf("fork reap: %w", err)
+				}
+
+				logger.Info(cmd.Context(), "reaper process exiting")
+				return nil
+			}
+
+			version := buildinfo.Version()
+			logger.Info(cmd.Context(), "starting agent",
+				slog.F("url", coderURL),
+				slog.F("auth", auth),
+				slog.F("version", version),
+			)
 			client := codersdk.New(coderURL)

+			if pprofEnabled {
+				srvClose := serveHandler(cmd.Context(), logger, nil, pprofAddress, "pprof")
+				defer srvClose()
+			} else {
+				// If pprof wasn't enabled at startup, allow a
+				// `kill -USR1 $agent_pid` to start it (on Unix).
+				srvClose := agentStartPPROFOnUSR1(cmd.Context(), logger, pprofAddress)
+				defer srvClose()
+			}
+
 			// exchangeToken returns a session token.
 			// This is abstracted to allow for the same looping condition
 			// regardless of instance identity auth type.
@@ -102,6 +144,7 @@ func workspaceAgent() *cobra.Command {
 			}

 			if exchangeToken != nil {
+				logger.Info(cmd.Context(), "exchanging identity token")
 				// Agent's can start before resources are returned from the provisioner
 				// daemon. If there are many resources being provisioned, this time
 				// could be significant. This is arbitrarily set at an hour to prevent
@@ -125,13 +168,39 @@ func workspaceAgent() *cobra.Command {
 				}
 			}

-			closer := agent.New(client.ListenWorkspaceAgent, &agent.Options{
-				Logger: logger,
+			ctx, cancelFunc := context.WithTimeout(cmd.Context(), time.Hour)
+			defer cancelFunc()
+			for retry.New(100*time.Millisecond, 5*time.Second).Wait(ctx) {
+				err := client.PostWorkspaceAgentVersion(cmd.Context(), version)
+				if err != nil {
+					logger.Warn(cmd.Context(), "post agent version: %w", slog.Error(err), slog.F("version", version))
+					continue
+				}
+				logger.Info(ctx, "updated agent version", slog.F("version", version))
+				break
+			}
+
+			executablePath, err := os.Executable()
+			if err != nil {
+				return xerrors.Errorf("getting os executable: %w", err)
+			}
+			err = os.Setenv("PATH", fmt.Sprintf("%s%c%s", os.Getenv("PATH"), filepath.ListSeparator, filepath.Dir(executablePath)))
+			if err != nil {
+				return xerrors.Errorf("add executable to $PATH: %w", err)
+			}
+
+			closer := agent.New(agent.Options{
+				FetchMetadata: client.WorkspaceAgentMetadata,
+				Logger:        logger,
 				EnvironmentVariables: map[string]string{
 					// Override the "CODER_AGENT_TOKEN" variable in all
 					// shells so "gitssh" works!
 					"CODER_AGENT_TOKEN": client.SessionToken,
 				},
+				CoordinatorDialer:           client.ListenWorkspaceAgentTailnet,
+				StatsReporter:               client.AgentReportStats,
+				WorkspaceAgentApps:          client.WorkspaceAgentApps,
+				PostWorkspaceAgentAppHealth: client.PostWorkspaceAgentAppHealth,
 			})
 			<-cmd.Context().Done()
 			return closer.Close()
@@ -139,5 +208,8 @@ func workspaceAgent() *cobra.Command {
 	}

 	cliflag.StringVarP(cmd.Flags(), &auth, "auth", "", "CODER_AGENT_AUTH", "token", "Specify the authentication type to use for the agent")
+	cliflag.BoolVarP(cmd.Flags(), &pprofEnabled, "pprof-enable", "", "CODER_AGENT_PPROF_ENABLE", false, "Enable serving pprof metrics on the address defined by --pprof-address.")
+	cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
+	cliflag.StringVarP(cmd.Flags(), &pprofAddress, "pprof-address", "", "CODER_AGENT_PPROF_ADDRESS", "127.0.0.1:6060", "The address to serve pprof.")
 	return cmd
 }
@@ -4,12 +4,16 @@ import (
 	"context"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"cdr.dev/slog"
+
 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/testutil"
 )

 func TestWorkspaceAgent(t *testing.T) {
@@ -19,10 +23,10 @@ func TestWorkspaceAgent(t *testing.T) {
 		instanceID := "instanceidentifier"
 		certificates, metadataClient := coderdtest.NewAzureInstanceIdentity(t, instanceID)
 		client := coderdtest.New(t, &coderdtest.Options{
-			AzureCertificates: certificates,
+			AzureCertificates:        certificates,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
 			Provision: []*proto.Provision_Response{{
@@ -49,23 +53,29 @@ func TestWorkspaceAgent(t *testing.T) {
 		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
+		errC := make(chan error)
 		go func() {
-			// A linting error occurs for weakly typing the context value here,
-			// but it seems reasonable for a one-off test.
-			// nolint
-			ctx = context.WithValue(ctx, "azure-client", metadataClient)
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "azure-client", metadataClient)
+			errC <- cmd.ExecuteContext(ctx)
 		}()
 		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
 		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
 		require.NoError(t, err)
-		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
+		dialer, err := client.DialWorkspaceAgentTailnet(ctx, slog.Logger{}, resources[0].Agents[0].ID)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
+		require.Eventually(t, func() bool {
+			_, err := dialer.Ping()
+			return err == nil
+		}, testutil.WaitMedium, testutil.IntervalFast)
 		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
 	})

 	t.Run("AWS", func(t *testing.T) {
@@ -73,10 +83,10 @@ func TestWorkspaceAgent(t *testing.T) {
 		instanceID := "instanceidentifier"
 		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
 		client := coderdtest.New(t, &coderdtest.Options{
-			AWSCertificates: certificates,
+			AWSCertificates:          certificates,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
 			Provision: []*proto.Provision_Response{{
@@ -103,23 +113,29 @@ func TestWorkspaceAgent(t *testing.T) {
 		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
+		errC := make(chan error)
 		go func() {
-			// A linting error occurs for weakly typing the context value here,
-			// but it seems reasonable for a one-off test.
-			// nolint
-			ctx = context.WithValue(ctx, "aws-client", metadataClient)
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "aws-client", metadataClient)
+			errC <- cmd.ExecuteContext(ctx)
 		}()
 		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
 		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
 		require.NoError(t, err)
-		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
+		dialer, err := client.DialWorkspaceAgentTailnet(ctx, slog.Logger{}, resources[0].Agents[0].ID)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
+		require.Eventually(t, func() bool {
+			_, err := dialer.Ping()
+			return err == nil
+		}, testutil.WaitMedium, testutil.IntervalFast)
 		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
 	})

 	t.Run("GoogleCloud", func(t *testing.T) {
@@ -127,10 +143,10 @@ func TestWorkspaceAgent(t *testing.T) {
 		instanceID := "instanceidentifier"
 		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
 		client := coderdtest.New(t, &coderdtest.Options{
-			GoogleTokenValidator: validator,
+			GoogleTokenValidator:     validator,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
 			Provision: []*proto.Provision_Response{{
@@ -157,22 +173,28 @@ func TestWorkspaceAgent(t *testing.T) {
 		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
+		errC := make(chan error)
 		go func() {
-			// A linting error occurs for weakly typing the context value here,
-			// but it seems reasonable for a one-off test.
-			// nolint
-			ctx = context.WithValue(ctx, "gcp-client", metadata)
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
+			// A linting error occurs for weakly typing the context value here.
+			//nolint // The above seems reasonable for a one-off test.
+			ctx := context.WithValue(ctx, "gcp-client", metadata)
+			errC <- cmd.ExecuteContext(ctx)
 		}()
 		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
 		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
 		require.NoError(t, err)
-		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
+		dialer, err := client.DialWorkspaceAgentTailnet(ctx, slog.Logger{}, resources[0].Agents[0].ID)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
+		require.Eventually(t, func() bool {
+			_, err := dialer.Ping()
+			return err == nil
+		}, testutil.WaitMedium, testutil.IntervalFast)
 		cancelFunc()
+		err = <-errC
+		require.NoError(t, err)
 	})
 }
@@ -0,0 +1,38 @@
+//go:build !windows
+
+package cli
+
+import (
+	"context"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"cdr.dev/slog"
+)
+
+func agentStartPPROFOnUSR1(ctx context.Context, logger slog.Logger, pprofAddress string) (srvClose func()) {
+	ctx, cancel := context.WithCancel(ctx)
+
+	usr1 := make(chan os.Signal, 1)
+	signal.Notify(usr1, syscall.SIGUSR1)
+	go func() {
+		defer close(usr1)
+		defer signal.Stop(usr1)
+
+		select {
+		case <-usr1:
+			signal.Stop(usr1)
+			srvClose := serveHandler(ctx, logger, nil, pprofAddress, "pprof")
+			defer srvClose()
+		case <-ctx.Done():
+			return
+		}
+		<-ctx.Done() // Prevent defer close until done.
+	}()
+
+	return func() {
+		cancel()
+		<-usr1 // Wait until usr1 is closed, ensures srvClose was run.
+	}
+}
@@ -0,0 +1,12 @@
+package cli
+
+import (
+	"context"
+
+	"cdr.dev/slog"
+)
+
+// agentStartPPROFOnUSR1 is no-op on Windows (no SIGUSR1 signal).
+func agentStartPPROFOnUSR1(ctx context.Context, logger slog.Logger, pprofAddress string) (srvClose func()) {
+	return func() {}
+}
@@ -1,167 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/coder/coder/coderd/autobuild/schedule"
-	"github.com/coder/coder/codersdk"
-)
-
-const autostartDescriptionLong = `To have your workspace build automatically at a regular time you can enable autostart.
-When enabling autostart, provide the minute, hour, and day(s) of week.
-The default schedule is at 09:00 in your local timezone (TZ env, UTC by default).
-`
-
-func autostart() *cobra.Command {
-	autostartCmd := &cobra.Command{
-		Annotations: workspaceCommand,
-		Use:         "autostart enable <workspace>",
-		Short:       "schedule a workspace to automatically start at a regular time",
-		Long:        autostartDescriptionLong,
-		Example:     "coder autostart enable my-workspace --minute 30 --hour 9 --days 1-5 --tz Europe/Dublin",
-	}
-
-	autostartCmd.AddCommand(autostartShow())
-	autostartCmd.AddCommand(autostartEnable())
-	autostartCmd.AddCommand(autostartDisable())
-
-	return autostartCmd
-}
-
-func autostartShow() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:  "show <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			if workspace.AutostartSchedule == "" {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "not enabled\n")
-				return nil
-			}
-
-			validSchedule, err := schedule.Weekly(workspace.AutostartSchedule)
-			if err != nil {
-				// This should never happen.
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "invalid autostart schedule %q for workspace %s: %s\n", workspace.AutostartSchedule, workspace.Name, err.Error())
-				return nil
-			}
-
-			next := validSchedule.Next(time.Now())
-			loc, _ := time.LoadLocation(validSchedule.Timezone())
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
-				"schedule: %s\ntimezone: %s\nnext:     %s\n",
-				validSchedule.Cron(),
-				validSchedule.Timezone(),
-				next.In(loc),
-			)
-
-			return nil
-		},
-	}
-	return cmd
-}
-
-func autostartEnable() *cobra.Command {
-	// yes some of these are technically numbers but the cron library will do that work
-	var autostartMinute string
-	var autostartHour string
-	var autostartDayOfWeek string
-	var autostartTimezone string
-	cmd := &cobra.Command{
-		Use:  "enable <workspace_name> <schedule>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			spec := fmt.Sprintf("CRON_TZ=%s %s %s * * %s", autostartTimezone, autostartMinute, autostartHour, autostartDayOfWeek)
-			validSchedule, err := schedule.Weekly(spec)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostart(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
-				Schedule: validSchedule.String(),
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will automatically start at %s.\n\n", workspace.Name, validSchedule.Next(time.Now()))
-
-			return nil
-		},
-	}
-
-	cmd.Flags().StringVar(&autostartMinute, "minute", "0", "autostart minute")
-	cmd.Flags().StringVar(&autostartHour, "hour", "9", "autostart hour")
-	cmd.Flags().StringVar(&autostartDayOfWeek, "days", "1-5", "autostart day(s) of week")
-	tzEnv := os.Getenv("TZ")
-	if tzEnv == "" {
-		tzEnv = "UTC"
-	}
-	cmd.Flags().StringVar(&autostartTimezone, "tz", tzEnv, "autostart timezone")
-	return cmd
-}
-
-func autostartDisable() *cobra.Command {
-	return &cobra.Command{
-		Use:  "disable <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostart(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
-				Schedule: "",
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will no longer automatically start.\n\n", workspace.Name)
-
-			return nil
-		},
-	}
-}
@@ -1,165 +0,0 @@
-package cli_test
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/codersdk"
-)
-
-func TestAutostart(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ShowOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			cmdArgs   = []string{"autostart", "show", workspace.Name}
-			sched     = "CRON_TZ=Europe/Dublin 30 17 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		err := client.UpdateWorkspaceAutostart(ctx, workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
-			Schedule: sched,
-		})
-		require.NoError(t, err)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		// CRON_TZ gets stripped
-		require.Contains(t, stdoutBuf.String(), "schedule: 30 17 * * 1-5")
-	})
-
-	t.Run("EnableDisableOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			tz        = "Europe/Dublin"
-			cmdArgs   = []string{"autostart", "enable", workspace.Name, "--minute", "30", "--hour", "9", "--days", "1-5", "--tz", tz}
-			sched     = "CRON_TZ=Europe/Dublin 30 9 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will automatically start at", "unexpected output")
-
-		// Ensure autostart schedule updated
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, sched, updated.AutostartSchedule, "expected autostart schedule to be set")
-
-		// Disable schedule
-		cmd, root = clitest.New(t, "autostart", "disable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will no longer automatically start", "unexpected output")
-
-		// Ensure autostart schedule updated
-		updated, err = client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Empty(t, updated.AutostartSchedule, "expected autostart schedule to not be set")
-	})
-
-	t.Run("Enable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostart", "enable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 403: forbidden", "unexpected error")
-	})
-
-	t.Run("Disable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostart", "disable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 403: forbidden", "unexpected error")
-	})
-
-	t.Run("Enable_DefaultSchedule", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-		)
-
-		// check current TZ env var
-		currTz := os.Getenv("TZ")
-		if currTz == "" {
-			currTz = "UTC"
-		}
-		expectedSchedule := fmt.Sprintf("CRON_TZ=%s 0 9 * * 1-5", currTz)
-		cmd, root := clitest.New(t, "autostart", "enable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-
-		// Ensure nothing happened
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, expectedSchedule, updated.AutostartSchedule, "expected default autostart schedule")
-	})
-}
@@ -1,167 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/coder/coder/coderd/autobuild/schedule"
-	"github.com/coder/coder/codersdk"
-)
-
-const autostopDescriptionLong = `To have your workspace stop automatically at a regular time you can enable autostop.
-When enabling autostop, provide the minute, hour, and day(s) of week.
-The default autostop schedule is at 18:00 in your local timezone (TZ env, UTC by default).
-`
-
-func autostop() *cobra.Command {
-	autostopCmd := &cobra.Command{
-		Annotations: workspaceCommand,
-		Use:         "autostop enable <workspace>",
-		Short:       "schedule a workspace to automatically stop at a regular time",
-		Long:        autostopDescriptionLong,
-		Example:     "coder autostop enable my-workspace --minute 0 --hour 18 --days 1-5 -tz Europe/Dublin",
-	}
-
-	autostopCmd.AddCommand(autostopShow())
-	autostopCmd.AddCommand(autostopEnable())
-	autostopCmd.AddCommand(autostopDisable())
-
-	return autostopCmd
-}
-
-func autostopShow() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:  "show <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			if workspace.AutostopSchedule == "" {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "not enabled\n")
-				return nil
-			}
-
-			validSchedule, err := schedule.Weekly(workspace.AutostopSchedule)
-			if err != nil {
-				// This should never happen.
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "invalid autostop schedule %q for workspace %s: %s\n", workspace.AutostopSchedule, workspace.Name, err.Error())
-				return nil
-			}
-
-			next := validSchedule.Next(time.Now())
-			loc, _ := time.LoadLocation(validSchedule.Timezone())
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
-				"schedule: %s\ntimezone: %s\nnext:     %s\n",
-				validSchedule.Cron(),
-				validSchedule.Timezone(),
-				next.In(loc),
-			)
-
-			return nil
-		},
-	}
-	return cmd
-}
-
-func autostopEnable() *cobra.Command {
-	// yes some of these are technically numbers but the cron library will do that work
-	var autostopMinute string
-	var autostopHour string
-	var autostopDayOfWeek string
-	var autostopTimezone string
-	cmd := &cobra.Command{
-		Use:  "enable <workspace_name> <schedule>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			spec := fmt.Sprintf("CRON_TZ=%s %s %s * * %s", autostopTimezone, autostopMinute, autostopHour, autostopDayOfWeek)
-			validSchedule, err := schedule.Weekly(spec)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostop(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostopRequest{
-				Schedule: validSchedule.String(),
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will automatically stop at %s.\n\n", workspace.Name, validSchedule.Next(time.Now()))
-
-			return nil
-		},
-	}
-
-	cmd.Flags().StringVar(&autostopMinute, "minute", "0", "autostop minute")
-	cmd.Flags().StringVar(&autostopHour, "hour", "18", "autostop hour")
-	cmd.Flags().StringVar(&autostopDayOfWeek, "days", "1-5", "autostop day(s) of week")
-	tzEnv := os.Getenv("TZ")
-	if tzEnv == "" {
-		tzEnv = "UTC"
-	}
-	cmd.Flags().StringVar(&autostopTimezone, "tz", tzEnv, "autostop timezone")
-	return cmd
-}
-
-func autostopDisable() *cobra.Command {
-	return &cobra.Command{
-		Use:  "disable <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostop(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostopRequest{
-				Schedule: "",
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will no longer automatically stop.\n\n", workspace.Name)
-
-			return nil
-		},
-	}
-}
@@ -1,165 +0,0 @@
-package cli_test
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/codersdk"
-)
-
-func TestAutostop(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ShowOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			cmdArgs   = []string{"autostop", "show", workspace.Name}
-			sched     = "CRON_TZ=Europe/Dublin 30 17 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		err := client.UpdateWorkspaceAutostop(ctx, workspace.ID, codersdk.UpdateWorkspaceAutostopRequest{
-			Schedule: sched,
-		})
-		require.NoError(t, err)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		// CRON_TZ gets stripped
-		require.Contains(t, stdoutBuf.String(), "schedule: 30 17 * * 1-5")
-	})
-
-	t.Run("EnableDisableOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			cmdArgs   = []string{"autostop", "enable", workspace.Name, "--minute", "30", "--hour", "17", "--days", "1-5", "--tz", "Europe/Dublin"}
-			sched     = "CRON_TZ=Europe/Dublin 30 17 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will automatically stop at", "unexpected output")
-
-		// Ensure autostop schedule updated
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, sched, updated.AutostopSchedule, "expected autostop schedule to be set")
-
-		// Disable schedule
-		cmd, root = clitest.New(t, "autostop", "disable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will no longer automatically stop", "unexpected output")
-
-		// Ensure autostop schedule updated
-		updated, err = client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Empty(t, updated.AutostopSchedule, "expected autostop schedule to not be set")
-	})
-
-	t.Run("Enable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostop", "enable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 403: forbidden", "unexpected error")
-	})
-
-	t.Run("Disable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostop", "disable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 403: forbidden", "unexpected error")
-	})
-
-	t.Run("Enable_DefaultSchedule", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-		)
-
-		// check current TZ env var
-		currTz := os.Getenv("TZ")
-		if currTz == "" {
-			currTz = "UTC"
-		}
-		expectedSchedule := fmt.Sprintf("CRON_TZ=%s 0 18 * * 1-5", currTz)
-
-		cmd, root := clitest.New(t, "autostop", "enable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-
-		// Ensure nothing happened
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, expectedSchedule, updated.AutostopSchedule, "expected default autostop schedule")
-	})
-}
@@ -6,8 +6,7 @@
 //
 // Will produce the following usage docs:
 //
-//   -a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
-//
+//	-a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
 package cliflag

 import (
@@ -15,10 +14,37 @@ import (
 	"os"
 	"strconv"
 	"strings"
+	"time"

+	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+
+	"github.com/coder/coder/cli/cliui"
 )

+// IsSetBool returns the value of the boolean flag if it is set.
+// It returns false if the flag isn't set or if any error occurs attempting
+// to parse the value of the flag.
+func IsSetBool(cmd *cobra.Command, name string) bool {
+	val, ok := IsSet(cmd, name)
+	if !ok {
+		return false
+	}
+
+	b, err := strconv.ParseBool(val)
+	return err == nil && b
+}
+
+// IsSet returns the string value of the flag and whether it was set.
+func IsSet(cmd *cobra.Command, name string) (string, bool) {
+	flag := cmd.Flag(name)
+	if flag == nil {
+		return "", false
+	}
+
+	return flag.Value.String(), flag.Changed
+}
+
 // String sets a string flag on the given flag set.
 func String(flagset *pflag.FlagSet, name, shorthand, env, def, usage string) {
 	v, ok := os.LookupEnv(env)
@@ -37,6 +63,18 @@ func StringVarP(flagset *pflag.FlagSet, p *string, name string, shorthand string
 	flagset.StringVarP(p, name, shorthand, v, fmtUsage(usage, env))
 }

+func StringArray(flagset *pflag.FlagSet, name, shorthand, env string, def []string, usage string) {
+	v, ok := os.LookupEnv(env)
+	if !ok || v == "" {
+		if v == "" {
+			def = []string{}
+		} else {
+			def = strings.Split(v, ",")
+		}
+	}
+	flagset.StringArrayP(name, shorthand, def, fmtUsage(usage, env))
+}
+
 func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shorthand string, env string, def []string, usage string) {
 	val, ok := os.LookupEnv(env)
 	if ok {
@@ -46,7 +84,7 @@ func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shortha
 			def = strings.Split(val, ",")
 		}
 	}
-	flagset.StringArrayVarP(ptr, name, shorthand, def, usage)
+	flagset.StringArrayVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
 }

 // Uint8VarP sets a uint8 flag on the given flag set.
@@ -66,6 +104,39 @@ func Uint8VarP(flagset *pflag.FlagSet, ptr *uint8, name string, shorthand string
 	flagset.Uint8VarP(ptr, name, shorthand, uint8(vi64), fmtUsage(usage, env))
 }

+// IntVarP sets a uint8 flag on the given flag set.
+func IntVarP(flagset *pflag.FlagSet, ptr *int, name string, shorthand string, env string, def int, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.IntVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	vi64, err := strconv.ParseUint(val, 10, 8)
+	if err != nil {
+		flagset.IntVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.IntVarP(ptr, name, shorthand, int(vi64), fmtUsage(usage, env))
+}
+
+func Bool(flagset *pflag.FlagSet, name, shorthand, env string, def bool, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	valb, err := strconv.ParseBool(val)
+	if err != nil {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.BoolP(name, shorthand, valb, fmtUsage(usage, env))
+}
+
 // BoolVarP sets a bool flag on the given flag set.
 func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string, env string, def bool, usage string) {
 	val, ok := os.LookupEnv(env)
@@ -83,10 +154,32 @@ func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string,
 	flagset.BoolVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
 }

-func fmtUsage(u string, env string) string {
-	if env == "" {
-		return fmt.Sprintf("%s.", u)
+// DurationVarP sets a time.Duration flag on the given flag set.
+func DurationVarP(flagset *pflag.FlagSet, ptr *time.Duration, name string, shorthand string, env string, def time.Duration, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.DurationVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
 	}

-	return fmt.Sprintf("%s - consumes $%s.", u, env)
+	valb, err := time.ParseDuration(val)
+	if err != nil {
+		flagset.DurationVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.DurationVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
+}
+
+func fmtUsage(u string, env string) string {
+	if env != "" {
+		// Avoid double dotting.
+		dot := "."
+		if strings.HasSuffix(u, ".") {
+			dot = ""
+		}
+		u = fmt.Sprintf("%s%s\n"+cliui.Styles.Placeholder.Render("Consumes $%s"), u, dot, env)
+	}
+
+	return u
 }
@@ -4,6 +4,7 @@ import (
 	"fmt"
 	"strconv"
 	"testing"
+	"time"

 	"github.com/spf13/pflag"
 	"github.com/stretchr/testify/require"
@@ -13,6 +14,7 @@ import (
 )

 // Testcliflag cannot run in parallel because it uses t.Setenv.
+//
 //nolint:paralleltest
 func TestCliflag(t *testing.T) {
 	t.Run("StringDefault", func(t *testing.T) {
@@ -23,7 +25,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("StringEnvVar", func(t *testing.T) {
@@ -47,7 +49,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("StringVarPEnvVar", func(t *testing.T) {
@@ -73,7 +75,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.NotContains(t, flagset.FlagUsages(), " - consumes")
+		require.NotContains(t, flagset.FlagUsages(), "Consumes")
 	})

 	t.Run("StringArrayDefault", func(t *testing.T) {
@@ -106,7 +108,7 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, []string{}, got)
 	})

-	t.Run("IntDefault", func(t *testing.T) {
+	t.Run("UInt8Default", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		def, _ := cryptorand.Int63n(10)
@@ -116,10 +118,10 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, uint8(def), got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

-	t.Run("IntEnvVar", func(t *testing.T) {
+	t.Run("UInt8EnvVar", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.Int63n(10)
@@ -132,7 +134,7 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, uint8(envValue), got)
 	})

-	t.Run("IntFailParse", func(t *testing.T) {
+	t.Run("UInt8FailParse", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.String(10)
@@ -145,6 +147,45 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, uint8(def), got)
 	})

+	t.Run("IntDefault", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, int(def), usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(def), got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("IntEnvVar", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Int63n(10)
+		t.Setenv(env, strconv.FormatUint(uint64(envValue), 10))
+		def, _ := cryptorand.Int()
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(envValue), got)
+	})
+
+	t.Run("IntFailParse", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, int(def), usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(def), got)
+	})
+
 	t.Run("BoolDefault", func(t *testing.T) {
 		var ptr bool
 		flagset, name, shorthand, env, usage := randomFlag()
@@ -155,7 +196,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("BoolEnvVar", func(t *testing.T) {
@@ -183,6 +224,45 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 	})
+
+	t.Run("DurationDefault", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("DurationEnvVar", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Duration()
+		t.Setenv(env, envValue.String())
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, envValue, got)
+	})
+
+	t.Run("DurationFailParse", func(t *testing.T) {
+		var ptr time.Duration
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Duration()
+
+		cliflag.DurationVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetDuration(name)
+		require.NoError(t, err)
+		require.Equal(t, def, got)
+	})
 }

 func randomFlag() (*pflag.FlagSet, string, string, string, string) {
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"errors"
 	"io"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"testing"
@@ -21,10 +22,22 @@ import (
 // New creates a CLI instance with a configuration pointed to a
 // temporary testing directory.
 func New(t *testing.T, args ...string) (*cobra.Command, config.Root) {
-	cmd := cli.Root()
+	return NewWithSubcommands(t, cli.AGPL(), args...)
+}
+
+func NewWithSubcommands(
+	t *testing.T, subcommands []*cobra.Command, args ...string,
+) (*cobra.Command, config.Root) {
+	cmd := cli.Root(subcommands)
 	dir := t.TempDir()
 	root := config.Root(dir)
 	cmd.SetArgs(append([]string{"--global-config", dir}, args...))
+
+	// We could consider using writers
+	// that log via t.Log here instead.
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
 	return cmd, root
 }

@@ -40,6 +53,9 @@ func SetupConfig(t *testing.T, client *codersdk.Client, root config.Root) {
 // new temporary testing directory.
 func CreateTemplateVersionSource(t *testing.T, responses *echo.Responses) string {
 	directory := t.TempDir()
+	f, err := ioutil.TempFile(directory, "*.tf")
+	require.NoError(t, err)
+	f.Close()
 	data, err := echo.Tar(responses)
 	require.NoError(t, err)
 	extractTar(t, data, directory)
@@ -3,7 +3,6 @@ package clitest_test
 import (
 	"testing"

-	"github.com/stretchr/testify/require"
 	"go.uber.org/goleak"

 	"github.com/coder/coder/cli/clitest"
@@ -25,8 +24,7 @@ func TestCli(t *testing.T) {
 	cmd.SetIn(pty.Input())
 	cmd.SetOut(pty.Output())
 	go func() {
-		err := cmd.Execute()
-		require.NoError(t, err)
+		_ = cmd.Execute()
 	}()
 	pty.ExpectMatch("coder")
 }
@@ -79,7 +79,7 @@ func Agent(ctx context.Context, writer io.Writer, opts AgentOptions) error {
 		defer resourceMutex.Unlock()
 		message := "Don't panic, your workspace is booting up!"
 		if agent.Status == codersdk.WorkspaceAgentDisconnected {
-			message = "The workspace agent lost connection! Wait for it to reconnect or run: " + Styles.Code.Render("coder rebuild "+opts.WorkspaceName)
+			message = "The workspace agent lost connection! Wait for it to reconnect or restart your workspace."
 		}
 		// This saves the cursor position, then defers clearing from the cursor
 		// position to the end of the screen.
@@ -6,7 +6,7 @@ import (
 	"time"

 	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"
 	"go.uber.org/atomic"

 	"github.com/coder/coder/cli/cliui"
@@ -43,7 +43,7 @@ func TestAgent(t *testing.T) {
 	go func() {
 		defer close(done)
 		err := cmd.Execute()
-		require.NoError(t, err)
+		assert.NoError(t, err)
 	}()
 	ptty.ExpectMatch("lost connection")
 	disconnected.Store(true)
@@ -26,6 +26,7 @@ var Styles = struct {
 	Checkmark,
 	Code,
 	Crossmark,
+	DateTimeStamp,
 	Error,
 	Field,
 	Keyword,
@@ -33,7 +34,7 @@ var Styles = struct {
 	Placeholder,
 	Prompt,
 	FocusedPrompt,
-	Fuschia,
+	Fuchsia,
 	Logo,
 	Warn,
 	Wrap lipgloss.Style
@@ -42,15 +43,16 @@ var Styles = struct {
 	Checkmark:     defaultStyles.Checkmark,
 	Code:          defaultStyles.Code,
 	Crossmark:     defaultStyles.Error.Copy().SetString("✘"),
+	DateTimeStamp: defaultStyles.LabelDim,
 	Error:         defaultStyles.Error,
 	Field:         defaultStyles.Code.Copy().Foreground(lipgloss.AdaptiveColor{Light: "#000000", Dark: "#FFFFFF"}),
 	Keyword:       defaultStyles.Keyword,
 	Paragraph:     defaultStyles.Paragraph,
-	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.Color("240")),
+	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#585858", Dark: "#4d46b3"}),
 	Prompt:        defaultStyles.Prompt.Foreground(lipgloss.AdaptiveColor{Light: "#9B9B9B", Dark: "#5C5C5C"}),
 	FocusedPrompt: defaultStyles.FocusedPrompt.Foreground(lipgloss.Color("#651fff")),
-	Fuschia:       defaultStyles.SelectedMenuItem.Copy(),
+	Fuchsia:       defaultStyles.SelectedMenuItem.Copy(),
 	Logo:          defaultStyles.Logo.SetString("Coder"),
 	Warn:          lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#04B575", Dark: "#ECFD65"}),
-	Wrap:          defaultStyles.Wrap,
+	Wrap:          lipgloss.NewStyle().Width(80),
 }
@@ -10,7 +10,7 @@ import (
 	"github.com/coder/coder/codersdk"
 )

-func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.TemplateVersionParameterSchema) (string, error) {
+func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ParameterSchema) (string, error) {
 	_, _ = fmt.Fprintln(cmd.OutOrStdout(), Styles.Bold.Render("var."+parameterSchema.Name))
 	if parameterSchema.Description != "" {
 		_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+strings.TrimSpace(strings.Join(strings.Split(parameterSchema.Description, "\n"), "\n  "))+"\n")
@@ -30,6 +30,7 @@ func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.TemplateVersio
 		_, _ = fmt.Fprint(cmd.OutOrStdout(), "\033[1A")
 		value, err = Select(cmd, SelectOptions{
 			Options:    options,
+			Default:    parameterSchema.DefaultSourceValue,
 			HideSearch: true,
 		})
 		if err == nil {
@@ -37,9 +38,25 @@ func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.TemplateVersio
 			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+Styles.Prompt.String()+Styles.Field.Render(value))
 		}
 	} else {
+		text := "Enter a value"
+		if parameterSchema.DefaultSourceValue != "" {
+			text += fmt.Sprintf(" (default: %q)", parameterSchema.DefaultSourceValue)
+		}
+		text += ":"
+
 		value, err = Prompt(cmd, PromptOptions{
-			Text: Styles.Bold.Render("Enter a value:"),
+			Text: Styles.Bold.Render(text),
 		})
+		value = strings.TrimSpace(value)
 	}
-	return value, err
+	if err != nil {
+		return "", err
+	}
+
+	// If they didn't specify anything, use the default value if set.
+	if len(options) == 0 && value == "" {
+		value = parameterSchema.DefaultSourceValue
+	}
+
+	return value, nil
 }
@@ -24,18 +24,45 @@ type PromptOptions struct {
 	Validate  func(string) error
 }

+const skipPromptFlag = "yes"
+
+func AllowSkipPrompt(cmd *cobra.Command) {
+	cmd.Flags().BoolP(skipPromptFlag, "y", false, "Bypass prompts")
+}
+
+const (
+	ConfirmYes = "yes"
+	ConfirmNo  = "no"
+)
+
 // Prompt asks the user for input.
 func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
+	// If the cmd has a "yes" flag for skipping confirm prompts, honor it.
+	// If it's not a "Confirm" prompt, then don't skip. As the default value of
+	// "yes" makes no sense.
+	if opts.IsConfirm && cmd.Flags().Lookup(skipPromptFlag) != nil {
+		if skip, _ := cmd.Flags().GetBool(skipPromptFlag); skip {
+			return ConfirmYes, nil
+		}
+	}
+
 	_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.FocusedPrompt.String()+opts.Text+" ")
 	if opts.IsConfirm {
-		opts.Default = "yes"
-		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+Styles.Bold.Render("yes")+Styles.Placeholder.Render("/no) ")))
+		if len(opts.Default) == 0 {
+			opts.Default = ConfirmYes
+		}
+		renderedYes := Styles.Placeholder.Render(ConfirmYes)
+		renderedNo := Styles.Placeholder.Render(ConfirmNo)
+		if opts.Default == ConfirmYes {
+			renderedYes = Styles.Bold.Render(ConfirmYes)
+		} else {
+			renderedNo = Styles.Bold.Render(ConfirmNo)
+		}
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+renderedYes+Styles.Placeholder.Render("/"+renderedNo+Styles.Placeholder.Render(") "))))
 	} else if opts.Default != "" {
 		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+opts.Default+") "))
 	}
 	interrupt := make(chan os.Signal, 1)
-	signal.Notify(interrupt, os.Interrupt)
-	defer signal.Stop(interrupt)

 	errCh := make(chan error, 1)
 	lineCh := make(chan string)
@@ -45,8 +72,12 @@ func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {

 		inFile, isInputFile := cmd.InOrStdin().(*os.File)
 		if opts.Secret && isInputFile && isatty.IsTerminal(inFile.Fd()) {
+			// we don't install a signal handler here because speakeasy has its own
 			line, err = speakeasy.Ask("")
 		} else {
+			signal.Notify(interrupt, os.Interrupt)
+			defer signal.Stop(interrupt)
+
 			reader := bufio.NewReader(cmd.InOrStdin())
 			line, err = reader.ReadString('\n')

@@ -1,14 +1,21 @@
 package cliui_test

 import (
+	"bytes"
 	"context"
+	"io"
+	"os"
+	"os/exec"
 	"testing"

 	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/pty"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestPrompt(t *testing.T) {
@@ -20,8 +27,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			msgChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -37,8 +44,8 @@ func TestPrompt(t *testing.T) {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text:      "Example",
 				IsConfirm: true,
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -46,6 +53,47 @@ func TestPrompt(t *testing.T) {
 		require.Equal(t, "yes", <-doneChan)
 	})

+	t.Run("Skip", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		var buf bytes.Buffer
+
+		// Copy all data written out to a buffer. When we close the ptty, we can
+		// no longer read from the ptty.Output(), but we can read what was
+		// written to the buffer.
+		dataRead, doneReading := context.WithTimeout(context.Background(), testutil.WaitShort)
+		go func() {
+			// This will throw an error sometimes. The underlying ptty
+			// has its own cleanup routines in t.Cleanup. Instead of
+			// trying to control the close perfectly, just let the ptty
+			// double close. This error isn't important, we just
+			// want to know the ptty is done sending output.
+			_, _ = io.Copy(&buf, ptty.Output())
+			doneReading()
+		}()
+
+		doneChan := make(chan string)
+		go func() {
+			resp, err := newPrompt(ptty, cliui.PromptOptions{
+				Text:      "ShouldNotSeeThis",
+				IsConfirm: true,
+			}, func(cmd *cobra.Command) {
+				cliui.AllowSkipPrompt(cmd)
+				cmd.SetArgs([]string{"-y"})
+			})
+			assert.NoError(t, err)
+			doneChan <- resp
+		}()
+
+		require.Equal(t, "yes", <-doneChan)
+		// Close the reader to end the io.Copy
+		require.NoError(t, ptty.Close(), "close eof reader")
+		// Wait for the IO copy to finish
+		<-dataRead.Done()
+		// Timeout error means the output was hanging
+		require.ErrorIs(t, dataRead.Err(), context.Canceled, "should be canceled")
+		require.Len(t, buf.Bytes(), 0, "expect no output")
+	})
 	t.Run("JSON", func(t *testing.T) {
 		t.Parallel()
 		ptty := ptytest.New(t)
@@ -53,8 +101,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -69,8 +117,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -85,8 +133,8 @@ func TestPrompt(t *testing.T) {
 		go func() {
 			resp, err := newPrompt(ptty, cliui.PromptOptions{
 				Text: "Example",
-			})
-			require.NoError(t, err)
+			}, nil)
+			assert.NoError(t, err)
 			doneChan <- resp
 		}()
 		ptty.ExpectMatch("Example")
@@ -97,7 +145,7 @@ func TestPrompt(t *testing.T) {
 	})
 }

-func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions) (string, error) {
+func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions, cmdOpt func(cmd *cobra.Command)) (string, error) {
 	value := ""
 	cmd := &cobra.Command{
 		RunE: func(cmd *cobra.Command, args []string) error {
@@ -106,7 +154,67 @@ func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions) (string, error) {
 			return err
 		},
 	}
-	cmd.SetOutput(ptty.Output())
+	// Optionally modify the cmd
+	if cmdOpt != nil {
+		cmdOpt(cmd)
+	}
+	cmd.SetOut(ptty.Output())
+	cmd.SetErr(ptty.Output())
 	cmd.SetIn(ptty.Input())
 	return value, cmd.ExecuteContext(context.Background())
 }
+
+func TestPasswordTerminalState(t *testing.T) {
+	if os.Getenv("TEST_SUBPROCESS") == "1" {
+		passwordHelper()
+		return
+	}
+	t.Parallel()
+
+	ptty := ptytest.New(t)
+	ptyWithFlags, ok := ptty.PTY.(pty.WithFlags)
+	if !ok {
+		t.Skip("unable to check PTY local echo on this platform")
+	}
+
+	cmd := exec.Command(os.Args[0], "-test.run=TestPasswordTerminalState") //nolint:gosec
+	cmd.Env = append(os.Environ(), "TEST_SUBPROCESS=1")
+	// connect the child process's stdio to the PTY directly, not via a pipe
+	cmd.Stdin = ptty.Input().Reader
+	cmd.Stdout = ptty.Output().Writer
+	cmd.Stderr = ptty.Output().Writer
+	err := cmd.Start()
+	require.NoError(t, err)
+	process := cmd.Process
+	defer process.Kill()
+
+	ptty.ExpectMatch("Password: ")
+
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && !echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is on while reading password")
+
+	err = process.Signal(os.Interrupt)
+	require.NoError(t, err)
+	_, err = process.Wait()
+	require.NoError(t, err)
+
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is off after reading password")
+}
+
+// nolint:unused
+func passwordHelper() {
+	cmd := &cobra.Command{
+		Run: func(cmd *cobra.Command, args []string) {
+			cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:   "Password:",
+				Secret: true,
+			})
+		},
+	}
+	cmd.ExecuteContext(context.Background())
+}
@@ -1,6 +1,7 @@
 package cliui

 import (
+	"bytes"
 	"context"
 	"fmt"
 	"io"
@@ -12,7 +13,6 @@ import (
 	"github.com/google/uuid"
 	"golang.org/x/xerrors"

-	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/codersdk"
 )

@@ -22,7 +22,7 @@ func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Clie
 			build, err := client.WorkspaceBuild(ctx, build)
 			return build.Job, err
 		},
-		Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
 			return client.WorkspaceBuildLogsAfter(ctx, build, before)
 		},
 	})
@@ -31,11 +31,14 @@ func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Clie
 type ProvisionerJobOptions struct {
 	Fetch  func() (codersdk.ProvisionerJob, error)
 	Cancel func() error
-	Logs   func() (<-chan codersdk.ProvisionerJobLog, error)
+	Logs   func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error)

 	FetchInterval time.Duration
 	// Verbose determines whether debug and trace logs will be shown.
 	Verbose bool
+	// Silent determines whether log output will be shown unless there is an
+	// error.
+	Silent bool
 }

 // ProvisionerJob renders a provisioner job with interactive cancellation.
@@ -129,17 +132,36 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp
 	// The initial stage needs to print after the signal handler has been registered.
 	printStage()

-	logs, err := opts.Logs()
+	logs, closer, err := opts.Logs()
 	if err != nil {
 		return xerrors.Errorf("logs: %w", err)
 	}
+	defer closer.Close()
+
+	var (
+		// logOutput is where log output is written
+		logOutput = writer
+		// logBuffer is where logs are buffered if opts.Silent is true
+		logBuffer = &bytes.Buffer{}
+	)
+	if opts.Silent {
+		logOutput = logBuffer
+	}
+	flushLogBuffer := func() {
+		if opts.Silent {
+			_, _ = io.Copy(writer, logBuffer)
+		}
+	}

 	ticker := time.NewTicker(opts.FetchInterval)
+	defer ticker.Stop()
 	for {
 		select {
 		case err = <-errChan:
+			flushLogBuffer()
 			return err
 		case <-ctx.Done():
+			flushLogBuffer()
 			return ctx.Err()
 		case <-ticker.C:
 			updateJob()
@@ -161,30 +183,35 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp
 				}
 				err = xerrors.New(job.Error)
 				jobMutex.Unlock()
+				flushLogBuffer()
 				return err
 			}
+
 			output := ""
 			switch log.Level {
-			case database.LogLevelTrace, database.LogLevelDebug:
+			case codersdk.LogLevelTrace, codersdk.LogLevelDebug:
 				if !opts.Verbose {
 					continue
 				}
 				output = Styles.Placeholder.Render(log.Output)
-			case database.LogLevelError:
+			case codersdk.LogLevelError:
 				output = defaultStyles.Error.Render(log.Output)
-			case database.LogLevelWarn:
+			case codersdk.LogLevelWarn:
 				output = Styles.Warn.Render(log.Output)
-			case database.LogLevelInfo:
+			case codersdk.LogLevelInfo:
 				output = log.Output
 			}
+
 			jobMutex.Lock()
 			if log.Stage != currentStage && log.Stage != "" {
 				updateStage(log.Stage, log.CreatedAt)
 				jobMutex.Unlock()
 				continue
 			}
-			_, _ = fmt.Fprintf(writer, "%s %s\n", Styles.Placeholder.Render(" "), output)
-			didLogBetweenStage = true
+			_, _ = fmt.Fprintf(logOutput, "%s %s\n", Styles.Placeholder.Render(" "), output)
+			if !opts.Silent {
+				didLogBetweenStage = true
+			}
 			jobMutex.Unlock()
 		}
 	}
@@ -2,6 +2,7 @@ package cliui_test

 import (
 	"context"
+	"io"
 	"os"
 	"runtime"
 	"sync"
@@ -9,7 +10,7 @@ import (
 	"time"

 	"github.com/spf13/cobra"
-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"

 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/database"
@@ -90,9 +91,9 @@ func TestProvisionerJob(t *testing.T) {
 		go func() {
 			<-test.Next
 			currentProcess, err := os.FindProcess(os.Getpid())
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			err = currentProcess.Signal(os.Interrupt)
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			<-test.Next
 			test.JobMutex.Lock()
 			test.Job.Status = codersdk.ProvisionerJobCanceled
@@ -136,8 +137,10 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 				Cancel: func() error {
 					return nil
 				},
-				Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
-					return logs, nil
+				Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+					return logs, closeFunc(func() error {
+						return nil
+					}), nil
 				},
 			})
 		},
@@ -150,7 +153,7 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 		defer close(done)
 		err := cmd.ExecuteContext(context.Background())
 		if err != nil {
-			require.ErrorIs(t, err, cliui.Canceled)
+			assert.ErrorIs(t, err, cliui.Canceled)
 		}
 	}()
 	t.Cleanup(func() {
@@ -164,3 +167,9 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 		PTY:      ptty,
 	}
 }
+
+type closeFunc func() error
+
+func (c closeFunc) Close() error {
+	return c()
+}
@@ -7,8 +7,10 @@ import (
 	"strconv"

 	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/mod/semver"

 	"github.com/coder/coder/coderd/database"
+
 	"github.com/coder/coder/codersdk"
 )

@@ -17,18 +19,19 @@ type WorkspaceResourcesOptions struct {
 	HideAgentState bool
 	HideAccess     bool
 	Title          string
+	ServerVersion  string
 }

 // WorkspaceResources displays the connection status and tree-view of provided resources.
 // ┌────────────────────────────────────────────────────────────────────────────┐
 // │ RESOURCE                     STATUS               ACCESS                   │
 // ├────────────────────────────────────────────────────────────────────────────┤
-// │ google_compute_disk.root     persistent                                    │
+// │ google_compute_disk.root                                                   │
 // ├────────────────────────────────────────────────────────────────────────────┤
-// │ google_compute_instance.dev  ephemeral                                     │
+// │ google_compute_instance.dev                                                │
 // │ └─ dev (linux, amd64)        ⦾ connecting [10s]    coder ssh dev.dev       │
 // ├────────────────────────────────────────────────────────────────────────────┤
-// │ kubernetes_pod.dev           ephemeral                                     │
+// │ kubernetes_pod.dev                                                         │
 // │ ├─ go (linux, amd64)         ⦿ connected           coder ssh dev.go        │
 // │ └─ postgres (linux, amd64)   ⦾ disconnected [4s]   coder ssh dev.postgres  │
 // └────────────────────────────────────────────────────────────────────────────┘
@@ -38,26 +41,17 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 		return resources[i].Type < resources[j].Type
 	})

-	// Address on stop indexes whether a resource still exists when in the stopped transition.
-	addressOnStop := map[string]codersdk.WorkspaceResource{}
-	for _, resource := range resources {
-		if resource.Transition != database.WorkspaceTransitionStop {
-			continue
-		}
-		addressOnStop[resource.Type+"."+resource.Name] = resource
-	}
-	// Displayed stores whether a resource has already been shown.
-	// Resources can be stored with numerous states, which we
-	// process prior to display.
-	displayed := map[string]struct{}{}
-
 	tableWriter := table.NewWriter()
 	if options.Title != "" {
 		tableWriter.SetTitle(options.Title)
 	}
 	tableWriter.SetStyle(table.StyleLight)
 	tableWriter.Style().Options.SeparateColumns = false
-	row := table.Row{"Resource", "Status"}
+	row := table.Row{"Resource"}
+	if !options.HideAgentState {
+		row = append(row, "Status")
+		row = append(row, "Version")
+	}
 	if !options.HideAccess {
 		row = append(row, "Access")
 	}
@@ -76,50 +70,20 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 			continue
 		}
 		resourceAddress := resource.Type + "." + resource.Name
-		if _, shown := displayed[resourceAddress]; shown {
-			// The same resource can have multiple transitions.
-			continue
-		}
-		displayed[resourceAddress] = struct{}{}

 		// Sort agents by name for consistent output.
 		sort.Slice(resource.Agents, func(i, j int) bool {
 			return resource.Agents[i].Name < resource.Agents[j].Name
 		})
-		_, existsOnStop := addressOnStop[resourceAddress]
-		resourceState := "ephemeral"
-		if existsOnStop {
-			resourceState = "persistent"
-		}
+
 		// Display a line for the resource.
 		tableWriter.AppendRow(table.Row{
 			Styles.Bold.Render(resourceAddress),
-			Styles.Placeholder.Render(resourceState),
+			"",
 			"",
 		})
 		// Display all agents associated with the resource.
 		for index, agent := range resource.Agents {
-			sshCommand := "coder ssh " + options.WorkspaceName
-			if totalAgents > 1 {
-				sshCommand += "." + agent.Name
-			}
-			sshCommand = Styles.Code.Render(sshCommand)
-			var agentStatus string
-			if !options.HideAgentState {
-				switch agent.Status {
-				case codersdk.WorkspaceAgentConnecting:
-					since := database.Now().Sub(agent.CreatedAt)
-					agentStatus = Styles.Warn.Render("⦾ connecting") + " " +
-						Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
-				case codersdk.WorkspaceAgentDisconnected:
-					since := database.Now().Sub(*agent.DisconnectedAt)
-					agentStatus = Styles.Error.Render("⦾ disconnected") + " " +
-						Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
-				case codersdk.WorkspaceAgentConnected:
-					agentStatus = Styles.Keyword.Render("⦿ connected")
-				}
-			}
-
 			pipe := "├"
 			if index == len(resource.Agents)-1 {
 				pipe = "└"
@@ -127,9 +91,22 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 			row := table.Row{
 				// These tree from a resource!
 				fmt.Sprintf("%s─ %s (%s, %s)", pipe, agent.Name, agent.OperatingSystem, agent.Architecture),
-				agentStatus,
+			}
+			if !options.HideAgentState {
+				var agentStatus string
+				var agentVersion string
+				if !options.HideAgentState {
+					agentStatus = renderAgentStatus(agent)
+					agentVersion = renderAgentVersion(agent.Version, options.ServerVersion)
+				}
+				row = append(row, agentStatus, agentVersion)
 			}
 			if !options.HideAccess {
+				sshCommand := "coder ssh " + options.WorkspaceName
+				if totalAgents > 1 {
+					sshCommand += "." + agent.Name
+				}
+				sshCommand = Styles.Code.Render(sshCommand)
 				row = append(row, sshCommand)
 			}
 			tableWriter.AppendRow(row)
@@ -139,3 +116,34 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 	_, err := fmt.Fprintln(writer, tableWriter.Render())
 	return err
 }
+
+func renderAgentStatus(agent codersdk.WorkspaceAgent) string {
+	switch agent.Status {
+	case codersdk.WorkspaceAgentConnecting:
+		since := database.Now().Sub(agent.CreatedAt)
+		return Styles.Warn.Render("⦾ connecting") + " " +
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+	case codersdk.WorkspaceAgentDisconnected:
+		since := database.Now().Sub(*agent.DisconnectedAt)
+		return Styles.Error.Render("⦾ disconnected") + " " +
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+	case codersdk.WorkspaceAgentConnected:
+		return Styles.Keyword.Render("⦿ connected")
+	default:
+		return Styles.Warn.Render("○ unknown")
+	}
+}
+
+func renderAgentVersion(agentVersion, serverVersion string) string {
+	if agentVersion == "" {
+		agentVersion = "(unknown)"
+	}
+	if !semver.IsValid(serverVersion) || !semver.IsValid(agentVersion) {
+		return Styles.Placeholder.Render(agentVersion)
+	}
+	outdated := semver.Compare(agentVersion, serverVersion) < 0
+	if outdated {
+		return Styles.Warn.Render(agentVersion + " (outdated)")
+	}
+	return Styles.Keyword.Render(agentVersion)
+}
@@ -0,0 +1,50 @@
+package cliui
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRenderAgentVersion(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name          string
+		agentVersion  string
+		serverVersion string
+		expected      string
+	}{
+		{
+			name:          "OK",
+			agentVersion:  "v1.2.3",
+			serverVersion: "v1.2.3",
+			expected:      "v1.2.3",
+		},
+		{
+			name:          "Outdated",
+			agentVersion:  "v1.2.3",
+			serverVersion: "v1.2.4",
+			expected:      "v1.2.3 (outdated)",
+		},
+		{
+			name:          "AgentUnknown",
+			agentVersion:  "",
+			serverVersion: "v1.2.4",
+			expected:      "(unknown)",
+		},
+		{
+			name:          "ServerUnknown",
+			agentVersion:  "v1.2.3",
+			serverVersion: "",
+			expected:      "v1.2.3",
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			actual := renderAgentVersion(testCase.agentVersion, testCase.serverVersion)
+			assert.Equal(t, testCase.expected, actual)
+		})
+	}
+}
@@ -4,7 +4,7 @@ import (
 	"testing"
 	"time"

-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"

 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/database"
@@ -22,7 +22,7 @@ func TestWorkspaceResources(t *testing.T) {
 			err := cliui.WorkspaceResources(ptty.Output(), []codersdk.WorkspaceResource{{
 				Type:       "google_compute_instance",
 				Name:       "dev",
-				Transition: database.WorkspaceTransitionStart,
+				Transition: codersdk.WorkspaceTransitionStart,
 				Agents: []codersdk.WorkspaceAgent{{
 					Name:            "dev",
 					Status:          codersdk.WorkspaceAgentConnected,
@@ -32,7 +32,7 @@ func TestWorkspaceResources(t *testing.T) {
 			}}, cliui.WorkspaceResourcesOptions{
 				WorkspaceName: "example",
 			})
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			close(done)
 		}()
 		ptty.ExpectMatch("coder ssh example")
@@ -46,15 +46,15 @@ func TestWorkspaceResources(t *testing.T) {
 		done := make(chan struct{})
 		go func() {
 			err := cliui.WorkspaceResources(ptty.Output(), []codersdk.WorkspaceResource{{
-				Transition: database.WorkspaceTransitionStart,
+				Transition: codersdk.WorkspaceTransitionStart,
 				Type:       "google_compute_disk",
 				Name:       "root",
 			}, {
-				Transition: database.WorkspaceTransitionStop,
+				Transition: codersdk.WorkspaceTransitionStop,
 				Type:       "google_compute_disk",
 				Name:       "root",
 			}, {
-				Transition: database.WorkspaceTransitionStart,
+				Transition: codersdk.WorkspaceTransitionStart,
 				Type:       "google_compute_instance",
 				Name:       "dev",
 				Agents: []codersdk.WorkspaceAgent{{
@@ -65,7 +65,7 @@ func TestWorkspaceResources(t *testing.T) {
 					Architecture:    "amd64",
 				}},
 			}, {
-				Transition: database.WorkspaceTransitionStart,
+				Transition: codersdk.WorkspaceTransitionStart,
 				Type:       "kubernetes_pod",
 				Name:       "dev",
 				Agents: []codersdk.WorkspaceAgent{{
@@ -85,7 +85,7 @@ func TestWorkspaceResources(t *testing.T) {
 				HideAgentState: false,
 				HideAccess:     false,
 			})
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			close(done)
 		}()
 		ptty.ExpectMatch("google_compute_disk.root")
@@ -35,7 +35,9 @@ func init() {
 }

 type SelectOptions struct {
-	Options    []string
+	Options []string
+	// Default will be highlighted first if it's a valid option.
+	Default    string
 	Size       int
 	HideSearch bool
 }
@@ -50,9 +52,16 @@ func Select(cmd *cobra.Command, opts SelectOptions) (string, error) {
 	if flag.Lookup("test.v") != nil {
 		return opts.Options[0], nil
 	}
+
+	var defaultOption interface{}
+	if opts.Default != "" {
+		defaultOption = opts.Default
+	}
+
 	var value string
 	err := survey.AskOne(&survey.Select{
 		Options:  opts.Options,
+		Default:  defaultOption,
 		PageSize: opts.Size,
 	}, &value, survey.WithIcons(func(is *survey.IconSet) {
 		is.Help.Text = "Type to search"
@@ -5,6 +5,7 @@ import (
 	"testing"

 	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/cliui"
@@ -21,7 +22,7 @@ func TestSelect(t *testing.T) {
 			resp, err := newSelect(ptty, cliui.SelectOptions{
 				Options: []string{"First", "Second"},
 			})
-			require.NoError(t, err)
+			assert.NoError(t, err)
 			msgChan <- resp
 		}()
 		require.Equal(t, "First", <-msgChan)
@@ -1,9 +1,14 @@
 package cliui

 import (
+	"fmt"
+	"reflect"
 	"strings"
+	"time"

+	"github.com/fatih/structtag"
 	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/xerrors"
 )

 // Table creates a new table with standardized styles.
@@ -41,3 +46,262 @@ func FilterTableColumns(header table.Row, columns []string) []table.ColumnConfig
 	}
 	return columnConfigs
 }
+
+// DisplayTable renders a table as a string. The input argument must be a slice
+// of structs. At least one field in the struct must have a `table:""` tag
+// containing the name of the column in the outputted table.
+//
+// Nested structs are processed if the field has the `table:"$NAME,recursive"`
+// tag and their fields will be named as `$PARENT_NAME $NAME`. If the tag is
+// malformed or a field is marked as recursive but does not contain a struct or
+// a pointer to a struct, this function will return an error (even with an empty
+// input slice).
+//
+// If sort is empty, the input order will be used. If filterColumns is empty or
+// nil, all available columns are included.
+func DisplayTable(out any, sort string, filterColumns []string) (string, error) {
+	v := reflect.Indirect(reflect.ValueOf(out))
+
+	if v.Kind() != reflect.Slice {
+		return "", xerrors.Errorf("DisplayTable called with a non-slice type")
+	}
+
+	// Get the list of table column headers.
+	headersRaw, err := typeToTableHeaders(v.Type().Elem())
+	if err != nil {
+		return "", xerrors.Errorf("get table headers recursively for type %q: %w", v.Type().Elem().String(), err)
+	}
+	if len(headersRaw) == 0 {
+		return "", xerrors.New(`no table headers found on the input type, make sure there is at least one "table" struct tag`)
+	}
+	headers := make(table.Row, len(headersRaw))
+	for i, header := range headersRaw {
+		headers[i] = header
+	}
+
+	// Verify that the given sort column and filter columns are valid.
+	if sort != "" || len(filterColumns) != 0 {
+		headersMap := make(map[string]string, len(headersRaw))
+		for _, header := range headersRaw {
+			headersMap[strings.ToLower(header)] = header
+		}
+
+		if sort != "" {
+			sort = strings.ToLower(strings.ReplaceAll(sort, "_", " "))
+			h, ok := headersMap[sort]
+			if !ok {
+				return "", xerrors.Errorf(`specified sort column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			sort = h
+		}
+
+		for i, column := range filterColumns {
+			column := strings.ToLower(strings.ReplaceAll(column, "_", " "))
+			h, ok := headersMap[column]
+			if !ok {
+				return "", xerrors.Errorf(`specified filter column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			filterColumns[i] = h
+		}
+	}
+
+	// Verify that the given sort column is valid.
+	if sort != "" {
+		sort = strings.ReplaceAll(sort, "_", " ")
+		found := false
+		for _, header := range headersRaw {
+			if strings.EqualFold(sort, header) {
+				found = true
+				sort = header
+				break
+			}
+		}
+		if !found {
+			return "", xerrors.Errorf("specified sort column %q not found in table headers, available columns are %q", sort, strings.Join(headersRaw, `", "`))
+		}
+	}
+
+	// Setup the table formatter.
+	tw := Table()
+	tw.AppendHeader(headers)
+	tw.SetColumnConfigs(FilterTableColumns(headers, filterColumns))
+	if sort != "" {
+		tw.SortBy([]table.SortBy{{
+			Name: sort,
+		}})
+	}
+
+	// Write each struct to the table.
+	for i := 0; i < v.Len(); i++ {
+		// Format the row as a slice.
+		rowMap, err := valueToTableMap(v.Index(i))
+		if err != nil {
+			return "", xerrors.Errorf("get table row map %v: %w", i, err)
+		}
+
+		rowSlice := make([]any, len(headers))
+		for i, h := range headersRaw {
+			v, ok := rowMap[h]
+			if !ok {
+				v = nil
+			}
+
+			// Special type formatting.
+			switch val := v.(type) {
+			case time.Time:
+				v = val.Format(time.Stamp)
+			case *time.Time:
+				if val != nil {
+					v = val.Format(time.Stamp)
+				}
+			case fmt.Stringer:
+				if val != nil {
+					v = val.String()
+				}
+			}
+
+			rowSlice[i] = v
+		}
+
+		tw.AppendRow(table.Row(rowSlice))
+	}
+
+	return tw.Render(), nil
+}
+
+// parseTableStructTag returns the name of the field according to the `table`
+// struct tag. If the table tag does not exist or is "-", an empty string is
+// returned. If the table tag is malformed, an error is returned.
+//
+// The returned name is transformed from "snake_case" to "normal text".
+func parseTableStructTag(field reflect.StructField) (name string, recurse bool, err error) {
+	tags, err := structtag.Parse(string(field.Tag))
+	if err != nil {
+		return "", false, xerrors.Errorf("parse struct field tag %q: %w", string(field.Tag), err)
+	}
+
+	tag, err := tags.Get("table")
+	if err != nil || tag.Name == "-" {
+		// tags.Get only returns an error if the tag is not found.
+		return "", false, nil
+	}
+
+	recursive := false
+	for _, opt := range tag.Options {
+		if opt == "recursive" {
+			recursive = true
+			continue
+		}
+
+		return "", false, xerrors.Errorf("unknown option %q in struct field tag", opt)
+	}
+
+	return strings.ReplaceAll(tag.Name, "_", " "), recursive, nil
+}
+
+func isStructOrStructPointer(t reflect.Type) bool {
+	return t.Kind() == reflect.Struct || (t.Kind() == reflect.Pointer && t.Elem().Kind() == reflect.Struct)
+}
+
+// typeToTableHeaders converts a type to a slice of column names. If the given
+// type is invalid (not a struct or a pointer to a struct, has invalid table
+// tags, etc.), an error is returned.
+func typeToTableHeaders(t reflect.Type) ([]string, error) {
+	if !isStructOrStructPointer(t) {
+		return nil, xerrors.Errorf("typeToTableHeaders called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if t.Kind() == reflect.Pointer {
+		t = t.Elem()
+	}
+
+	headers := []string{}
+	for i := 0; i < t.NumField(); i++ {
+		field := t.Field(i)
+		name, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %q: %w", field.Name, t.String(), err)
+		}
+		if name == "" {
+			continue
+		}
+
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, t.String())
+			}
+
+			childNames, err := typeToTableHeaders(fieldType)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field header names for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for _, childName := range childNames {
+				headers = append(headers, fmt.Sprintf("%s %s", name, childName))
+			}
+			continue
+		}
+
+		headers = append(headers, name)
+	}
+
+	return headers, nil
+}
+
+// valueToTableMap converts a struct to a map of column name to value. If the
+// given type is invalid (not a struct or a pointer to a struct, has invalid
+// table tags, etc.), an error is returned.
+func valueToTableMap(val reflect.Value) (map[string]any, error) {
+	if !isStructOrStructPointer(val.Type()) {
+		return nil, xerrors.Errorf("valueToTableMap called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if val.Kind() == reflect.Pointer {
+		if val.IsNil() {
+			// No data for this struct, so return an empty map. All values will
+			// be rendered as nil in the resulting table.
+			return map[string]any{}, nil
+		}
+
+		val = val.Elem()
+	}
+
+	row := map[string]any{}
+	for i := 0; i < val.NumField(); i++ {
+		field := val.Type().Field(i)
+		fieldVal := val.Field(i)
+		name, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %T: %w", field.Name, val, err)
+		}
+		if name == "" {
+			continue
+		}
+
+		// Recurse if it's a struct.
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, fieldType.String())
+			}
+
+			// valueToTableMap does nothing on pointers so we don't need to
+			// filter here.
+			childMap, err := valueToTableMap(fieldVal)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field values for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for childName, childValue := range childMap {
+				row[fmt.Sprintf("%s %s", name, childName)] = childValue
+			}
+			continue
+		}
+
+		// Otherwise, we just use the field value.
+		row[name] = val.Field(i).Interface()
+	}
+
+	return row, nil
+}
@@ -0,0 +1,352 @@
+package cliui_test
+
+import (
+	"fmt"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+type stringWrapper struct {
+	str string
+}
+
+var _ fmt.Stringer = stringWrapper{}
+
+func (s stringWrapper) String() string {
+	return s.str
+}
+
+type tableTest1 struct {
+	Name        string      `table:"name"`
+	NotIncluded string      // no table tag
+	Age         int         `table:"age"`
+	Roles       []string    `table:"roles"`
+	Sub1        tableTest2  `table:"sub_1,recursive"`
+	Sub2        *tableTest2 `table:"sub_2,recursive"`
+	Sub3        tableTest3  `table:"sub 3,recursive"`
+	Sub4        tableTest2  `table:"sub 4"` // not recursive
+
+	// Types with special formatting.
+	Time    time.Time  `table:"time"`
+	TimePtr *time.Time `table:"time_ptr"`
+}
+
+type tableTest2 struct {
+	Name        stringWrapper `table:"name"`
+	Age         int           `table:"age"`
+	NotIncluded string        `table:"-"`
+}
+
+type tableTest3 struct {
+	NotIncluded string     // no table tag
+	Sub         tableTest2 `table:"inner,recursive"`
+}
+
+func Test_DisplayTable(t *testing.T) {
+	t.Parallel()
+
+	someTime := time.Date(2022, 8, 2, 15, 49, 10, 0, time.Local)
+	in := []tableTest1{
+		{
+			Name:  "foo",
+			Age:   10,
+			Roles: []string{"a", "b", "c"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "foo1"},
+				Age:  11,
+			},
+			Sub2: &tableTest2{
+				Name: stringWrapper{str: "foo2"},
+				Age:  12,
+			},
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "foo3"},
+					Age:  13,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "foo4"},
+				Age:  14,
+			},
+			Time:    someTime,
+			TimePtr: &someTime,
+		},
+		{
+			Name:  "bar",
+			Age:   20,
+			Roles: []string{"a"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "bar1"},
+				Age:  21,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "bar3"},
+					Age:  23,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "bar4"},
+				Age:  24,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+		{
+			Name:  "baz",
+			Age:   30,
+			Roles: nil,
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "baz1"},
+				Age:  31,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "baz3"},
+					Age:  33,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "baz4"},
+				Age:  34,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+	}
+
+	// This test tests skipping fields without table tags, recursion, pointer
+	// dereferencing, and nil pointer skipping.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME             TIME PTR
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  Aug  2 15:49:10  Aug  2 15:49:10
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  Aug  2 15:49:10  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  Aug  2 15:49:10  <nil>
+		`
+
+		// Test with non-pointer values.
+		out, err := cliui.DisplayTable(in, "", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+
+		// Test with pointer values.
+		inPtr := make([]*tableTest1, len(in))
+		for i, v := range in {
+			v := v
+			inPtr[i] = &v
+		}
+		out, err = cliui.DisplayTable(inPtr, "", nil)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Sort", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME             TIME PTR
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  Aug  2 15:49:10  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  Aug  2 15:49:10  <nil>
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  Aug  2 15:49:10  Aug  2 15:49:10
+		`
+
+		out, err := cliui.DisplayTable(in, "name", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Filter", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  SUB 1 NAME  SUB 3 INNER NAME  TIME
+foo   foo1        foo3              Aug  2 15:49:10
+bar   bar1        bar3              Aug  2 15:49:10
+baz   baz1        baz3              Aug  2 15:49:10
+		`
+
+		out, err := cliui.DisplayTable(in, "", []string{"name", "sub_1_name", "sub_3 inner name", "time"})
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	// This test ensures that safeties against invalid use of `table` tags
+	// causes errors (even without data).
+	t.Run("Errors", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("NotSlice", func(t *testing.T) {
+			t.Parallel()
+
+			var in string
+			_, err := cliui.DisplayTable(in, "", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadSortColumn", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "bad_column_does_not_exist", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadFilterColumns", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "", []string{"name", "bad_column_does_not_exist"})
+			require.Error(t, err)
+		})
+
+		t.Run("Interfaces", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []any
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []any{tableTest1{}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NotStruct", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []string
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []string{"foo", "bar", "baz"}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NoTableTags", func(t *testing.T) {
+			t.Parallel()
+
+			type noTableTagsTest struct {
+				Field string `json:"field"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noTableTagsTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noTableTagsTest{{Field: "hi"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/NoName", func(t *testing.T) {
+			t.Parallel()
+
+			type noNameTest struct {
+				Field string `table:""`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noNameTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noNameTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/BadSyntax", func(t *testing.T) {
+			t.Parallel()
+
+			type invalidSyntaxTest struct {
+				Field string `table:"asda,asdjada"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []invalidSyntaxTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []invalidSyntaxTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+	})
+}
+
+// compareTables normalizes the incoming table lines
+func compareTables(t *testing.T, expected, out string) {
+	t.Helper()
+
+	expectedLines := strings.Split(strings.TrimSpace(expected), "\n")
+	gotLines := strings.Split(strings.TrimSpace(out), "\n")
+	assert.Equal(t, len(expectedLines), len(gotLines), "expected line count does not match generated line count")
+
+	// Map the expected and got lines to normalize them.
+	expectedNormalized := make([]string, len(expectedLines))
+	gotNormalized := make([]string, len(gotLines))
+	normalizeLine := func(s string) string {
+		return strings.Join(strings.Fields(strings.TrimSpace(s)), " ")
+	}
+	for i, s := range expectedLines {
+		expectedNormalized[i] = normalizeLine(s)
+	}
+	for i, s := range gotLines {
+		gotNormalized[i] = normalizeLine(s)
+	}
+
+	require.Equal(t, expectedNormalized, gotNormalized, "expected lines to match generated lines")
+}
@@ -21,6 +21,22 @@ func (r Root) Organization() File {
 	return File(filepath.Join(string(r), "organization"))
 }

+func (r Root) DotfilesURL() File {
+	return File(filepath.Join(string(r), "dotfilesurl"))
+}
+
+func (r Root) PostgresPath() string {
+	return filepath.Join(string(r), "postgres")
+}
+
+func (r Root) PostgresPassword() File {
+	return File(filepath.Join(r.PostgresPath(), "password"))
+}
+
+func (r Root) PostgresPort() File {
+	return File(filepath.Join(r.PostgresPath(), "port"))
+}
+
 // File provides convenience methods for interacting with *os.File.
 type File string

@@ -1,157 +1,548 @@
 package cli

 import (
+	"bufio"
+	"bytes"
+	"context"
+	"errors"
 	"fmt"
+	"io"
+	"io/fs"
 	"os"
 	"path/filepath"
 	"runtime"
+	"sort"
 	"strings"
-	"sync"

 	"github.com/cli/safeexec"
+	"github.com/pkg/diff"
+	"github.com/pkg/diff/write"
 	"github.com/spf13/cobra"
+	"golang.org/x/exp/slices"
 	"golang.org/x/sync/errgroup"
 	"golang.org/x/xerrors"

 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
-	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/codersdk"
 )

-const sshStartToken = "# ------------START-CODER-----------"
-const sshStartMessage = `# This was generated by "coder config-ssh".
+const (
+	sshDefaultConfigFileName = "~/.ssh/config"
+	sshStartToken            = "# ------------START-CODER-----------"
+	sshEndToken              = "# ------------END-CODER------------"
+	sshConfigSectionHeader   = "# This section is managed by coder. DO NOT EDIT."
+	sshConfigDocsHeader      = `
 #
-# To remove this blob, run:
-#
-#    coder config-ssh --remove
-#
-# You should not hand-edit this section, unless you are deleting it.`
-const sshEndToken = "# ------------END-CODER------------"
+# You should not hand-edit this section unless you are removing it, all
+# changes will be lost when running "coder config-ssh".
+`
+	sshConfigOptionsHeader = `#
+# Last config-ssh options:
+`
+)
+
+// sshConfigOptions represents options that can be stored and read
+// from the coder config in ~/.ssh/coder.
+type sshConfigOptions struct {
+	sshOptions []string
+}
+
+func (o sshConfigOptions) equal(other sshConfigOptions) bool {
+	// Compare without side-effects or regard to order.
+	opt1 := slices.Clone(o.sshOptions)
+	sort.Strings(opt1)
+	opt2 := slices.Clone(other.sshOptions)
+	sort.Strings(opt2)
+	return slices.Equal(opt1, opt2)
+}
+
+func (o sshConfigOptions) asList() (list []string) {
+	for _, opt := range o.sshOptions {
+		list = append(list, fmt.Sprintf("ssh-option: %s", opt))
+	}
+	return list
+}
+
+type sshWorkspaceConfig struct {
+	Name  string
+	Hosts []string
+}
+
+func sshFetchWorkspaceConfigs(ctx context.Context, client *codersdk.Client) ([]sshWorkspaceConfig, error) {
+	workspaces, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
+		Owner: codersdk.Me,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	var errGroup errgroup.Group
+	workspaceConfigs := make([]sshWorkspaceConfig, len(workspaces))
+	for i, workspace := range workspaces {
+		i := i
+		workspace := workspace
+		errGroup.Go(func() error {
+			resources, err := client.TemplateVersionResources(ctx, workspace.LatestBuild.TemplateVersionID)
+			if err != nil {
+				return err
+			}
+
+			wc := sshWorkspaceConfig{Name: workspace.Name}
+			var agents []codersdk.WorkspaceAgent
+			for _, resource := range resources {
+				if resource.Transition != codersdk.WorkspaceTransitionStart {
+					continue
+				}
+				agents = append(agents, resource.Agents...)
+			}
+
+			// handle both WORKSPACE and WORKSPACE.AGENT syntax
+			if len(agents) == 1 {
+				wc.Hosts = append(wc.Hosts, workspace.Name)
+			}
+			for _, agent := range agents {
+				hostname := workspace.Name + "." + agent.Name
+				wc.Hosts = append(wc.Hosts, hostname)
+			}
+
+			workspaceConfigs[i] = wc
+
+			return nil
+		})
+	}
+	err = errGroup.Wait()
+	if err != nil {
+		return nil, err
+	}
+
+	return workspaceConfigs, nil
+}
+
+func sshPrepareWorkspaceConfigs(ctx context.Context, client *codersdk.Client) (receive func() ([]sshWorkspaceConfig, error)) {
+	wcC := make(chan []sshWorkspaceConfig, 1)
+	errC := make(chan error, 1)
+	go func() {
+		wc, err := sshFetchWorkspaceConfigs(ctx, client)
+		wcC <- wc
+		errC <- err
+	}()
+	return func() ([]sshWorkspaceConfig, error) {
+		return <-wcC, <-errC
+	}
+}

 func configSSH() *cobra.Command {
 	var (
 		sshConfigFile    string
-		sshOptions       []string
+		sshConfigOpts    sshConfigOptions
+		usePreviousOpts  bool
+		dryRun           bool
 		skipProxyCommand bool
 	)
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "config-ssh",
-		Short:       "Populate your SSH config with Host entries for all of your workspaces",
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+		Short:       "Add an SSH Host entry for your workspaces \"ssh coder.workspace\"",
+		Example: formatExamples(
+			example{
+				Description: "You can use -o (or --ssh-option) so set SSH options to be used for all your workspaces",
+				Command:     "coder config-ssh -o ForwardAgent=yes",
+			},
+			example{
+				Description: "You can use --dry-run (or -n) to see the changes that would be made",
+				Command:     "coder config-ssh --dry-run",
+			},
+		),
+		Args: cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-			if strings.HasPrefix(sshConfigFile, "~/") {
-				dirname, _ := os.UserHomeDir()
-				sshConfigFile = filepath.Join(dirname, sshConfigFile[2:])
-			}
-			// Doesn't matter if this fails, because we write the file anyways.
-			sshConfigContentRaw, _ := os.ReadFile(sshConfigFile)
-			sshConfigContent := string(sshConfigContentRaw)
-			startIndex := strings.Index(sshConfigContent, sshStartToken)
-			endIndex := strings.Index(sshConfigContent, sshEndToken)
-			if startIndex != -1 && endIndex != -1 {
-				sshConfigContent = sshConfigContent[:startIndex-1] + sshConfigContent[endIndex+len(sshEndToken):]
-			}

-			workspaces, err := client.WorkspacesByOwner(cmd.Context(), organization.ID, codersdk.Me)
-			if err != nil {
-				return err
-			}
-			if len(workspaces) == 0 {
-				return xerrors.New("You don't have any workspaces!")
-			}
+			recvWorkspaceConfigs := sshPrepareWorkspaceConfigs(cmd.Context(), client)

-			binaryFile, err := currentBinPath(cmd)
+			out := cmd.OutOrStdout()
+			if dryRun {
+				// Print everything except diff to stderr so
+				// that it's possible to capture the diff.
+				out = cmd.OutOrStderr()
+			}
+			coderBinary, err := currentBinPath(out)
 			if err != nil {
 				return err
 			}
+			escapedCoderBinary, err := sshConfigExecEscape(coderBinary)
+			if err != nil {
+				return xerrors.Errorf("escape coder binary for ssh failed: %w", err)
+			}

 			root := createConfig(cmd)
-			sshConfigContent += "\n" + sshStartToken + "\n" + sshStartMessage + "\n\n"
-			sshConfigContentMutex := sync.Mutex{}
-			var errGroup errgroup.Group
-			for _, workspace := range workspaces {
-				workspace := workspace
-				errGroup.Go(func() error {
-					resources, err := client.TemplateVersionResources(cmd.Context(), workspace.LatestBuild.TemplateVersionID)
-					if err != nil {
-						return err
-					}
-					for _, resource := range resources {
-						if resource.Transition != database.WorkspaceTransitionStart {
-							continue
-						}
-						for _, agent := range resource.Agents {
-							sshConfigContentMutex.Lock()
-							hostname := workspace.Name
-							if len(resource.Agents) > 1 {
-								hostname += "." + agent.Name
-							}
-							configOptions := []string{
-								"Host coder." + hostname,
-							}
-							for _, option := range sshOptions {
-								configOptions = append(configOptions, "\t"+option)
-							}
-							configOptions = append(configOptions,
-								"\tHostName coder."+hostname,
-								"\tConnectTimeout=0",
-								"\tStrictHostKeyChecking=no",
-								// Without this, the "REMOTE HOST IDENTITY CHANGED"
-								// message will appear.
-								"\tUserKnownHostsFile=/dev/null",
-								// This disables the "Warning: Permanently added 'hostname' (RSA) to the list of known hosts."
-								// message from appearing on every SSH. This happens because we ignore the known hosts.
-								"\tLogLevel ERROR",
-							)
-							if !skipProxyCommand {
-								configOptions = append(configOptions, fmt.Sprintf("\tProxyCommand %q --global-config %q ssh --stdio %s", binaryFile, root, hostname))
-							}
-							sshConfigContent += strings.Join(configOptions, "\n") + "\n"
-							sshConfigContentMutex.Unlock()
-						}
-					}
-					return nil
+			escapedGlobalConfig, err := sshConfigExecEscape(string(root))
+			if err != nil {
+				return xerrors.Errorf("escape global config for ssh failed: %w", err)
+			}
+
+			homedir, err := os.UserHomeDir()
+			if err != nil {
+				return xerrors.Errorf("user home dir failed: %w", err)
+			}
+
+			if strings.HasPrefix(sshConfigFile, "~/") {
+				sshConfigFile = filepath.Join(homedir, sshConfigFile[2:])
+			}
+
+			// Only allow not-exist errors to avoid trashing
+			// the users SSH config.
+			configRaw, err := os.ReadFile(sshConfigFile)
+			if err != nil && !errors.Is(err, fs.ErrNotExist) {
+				return xerrors.Errorf("read ssh config failed: %w", err)
+			}
+
+			// Keep track of changes we are making.
+			var changes []string
+
+			// Parse the previous configuration only if config-ssh
+			// has been run previously.
+			var lastConfig *sshConfigOptions
+			if section, ok := sshConfigGetCoderSection(configRaw); ok {
+				c := sshConfigParseLastOptions(bytes.NewReader(section))
+				lastConfig = &c
+			}
+
+			// Avoid prompting in diff mode (unexpected behavior)
+			// or when a previous config does not exist.
+			if usePreviousOpts && lastConfig != nil {
+				sshConfigOpts = *lastConfig
+			} else if lastConfig != nil && !sshConfigOpts.equal(*lastConfig) {
+				newOpts := sshConfigOpts.asList()
+				newOptsMsg := "\n\n  New options: none"
+				if len(newOpts) > 0 {
+					newOptsMsg = fmt.Sprintf("\n\n  New options:\n    * %s", strings.Join(newOpts, "\n    * "))
+				}
+				oldOpts := lastConfig.asList()
+				oldOptsMsg := "\n\n  Previous options: none"
+				if len(oldOpts) > 0 {
+					oldOptsMsg = fmt.Sprintf("\n\n  Previous options:\n    * %s", strings.Join(oldOpts, "\n    * "))
+				}
+
+				line, err := cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("New options differ from previous options:%s%s\n\n  Use new options?", newOptsMsg, oldOptsMsg),
+					IsConfirm: true,
 				})
+				if err != nil {
+					if line == "" && xerrors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					// Selecting "no" will use the last config.
+					sshConfigOpts = *lastConfig
+				} else {
+					changes = append(changes, "Use new SSH options")
+				}
+				// Only print when prompts are shown.
+				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
+					_, _ = fmt.Fprint(out, "\n")
+				}
 			}
-			err = errGroup.Wait()
+
+			configModified := configRaw
+
+			buf := &bytes.Buffer{}
+			before, after := sshConfigSplitOnCoderSection(configModified)
+			// Write the first half of the users config file to buf.
+			_, _ = buf.Write(before)
+
+			// Write comment and store the provided options as part
+			// of the config for future (re)use.
+			newline := len(before) > 0
+			sshConfigWriteSectionHeader(buf, newline, sshConfigOpts)
+
+			workspaceConfigs, err := recvWorkspaceConfigs()
 			if err != nil {
-				return err
+				return xerrors.Errorf("fetch workspace configs failed: %w", err)
 			}
-			sshConfigContent += "\n" + sshEndToken
-			err = os.MkdirAll(filepath.Dir(sshConfigFile), os.ModePerm)
-			if err != nil {
-				return err
+			// Ensure stable sorting of output.
+			slices.SortFunc(workspaceConfigs, func(a, b sshWorkspaceConfig) bool {
+				return a.Name < b.Name
+			})
+			for _, wc := range workspaceConfigs {
+				sort.Strings(wc.Hosts)
+				// Write agent configuration.
+				for _, hostname := range wc.Hosts {
+					configOptions := []string{
+						"Host coder." + hostname,
+					}
+					for _, option := range sshConfigOpts.sshOptions {
+						configOptions = append(configOptions, "\t"+option)
+					}
+					configOptions = append(configOptions,
+						"\tHostName coder."+hostname,
+						"\tConnectTimeout=0",
+						"\tStrictHostKeyChecking=no",
+						// Without this, the "REMOTE HOST IDENTITY CHANGED"
+						// message will appear.
+						"\tUserKnownHostsFile=/dev/null",
+						// This disables the "Warning: Permanently added 'hostname' (RSA) to the list of known hosts."
+						// message from appearing on every SSH. This happens because we ignore the known hosts.
+						"\tLogLevel ERROR",
+					)
+					if !skipProxyCommand {
+						configOptions = append(
+							configOptions,
+							fmt.Sprintf(
+								"\tProxyCommand %s --global-config %s ssh --stdio %s",
+								escapedCoderBinary, escapedGlobalConfig, hostname,
+							),
+						)
+					}
+
+					_, _ = buf.WriteString(strings.Join(configOptions, "\n"))
+					_ = buf.WriteByte('\n')
+				}
 			}
-			err = os.WriteFile(sshConfigFile, []byte(sshConfigContent), os.ModePerm)
-			if err != nil {
-				return err
+
+			sshConfigWriteSectionEnd(buf)
+
+			// Write the remainder of the users config file to buf.
+			_, _ = buf.Write(after)
+
+			if !bytes.Equal(configModified, buf.Bytes()) {
+				changes = append(changes, fmt.Sprintf("Update the coder section in %s", sshConfigFile))
+				configModified = buf.Bytes()
+			}
+
+			if len(changes) == 0 {
+				_, _ = fmt.Fprintf(out, "No changes to make.\n")
+				return nil
+			}
+
+			if dryRun {
+				_, _ = fmt.Fprintf(out, "Dry run, the following changes would be made to your SSH configuration:\n\n  * %s\n\n", strings.Join(changes, "\n  * "))
+
+				color := isTTYOut(cmd)
+				diff, err := diffBytes(sshConfigFile, configRaw, configModified, color)
+				if err != nil {
+					return xerrors.Errorf("diff failed: %w", err)
+				}
+				if len(diff) > 0 {
+					// Write diff to stdout.
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s", diff)
+				}
+
+				return nil
+			}
+
+			if len(changes) > 0 {
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("The following changes will be made to your SSH configuration:\n\n    * %s\n\n  Continue?", strings.Join(changes, "\n    * ")),
+					IsConfirm: true,
+				})
+				if err != nil {
+					return nil
+				}
+				// Only print when prompts are shown.
+				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
+					_, _ = fmt.Fprint(out, "\n")
+				}
+			}
+
+			if !bytes.Equal(configRaw, configModified) {
+				err = writeWithTempFileAndMove(sshConfigFile, bytes.NewReader(configModified))
+				if err != nil {
+					return xerrors.Errorf("write ssh config failed: %w", err)
+				}
+			}
+
+			if len(workspaceConfigs) > 0 {
+				_, _ = fmt.Fprintln(out, "You should now be able to ssh into your workspace.")
+				_, _ = fmt.Fprintf(out, "For example, try running:\n\n\t$ ssh coder.%s\n", workspaceConfigs[0].Name)
+			} else {
+				_, _ = fmt.Fprint(out, "You don't have any workspaces yet, try creating one with:\n\n\t$ coder create <workspace>\n")
 			}
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "An auto-generated ssh config was written to %q\n", sshConfigFile)
-			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "You should now be able to ssh into your workspace")
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "For example, try running\n\n\t$ ssh coder.%s\n\n", workspaces[0].Name)
 			return nil
 		},
 	}
-	cliflag.StringVarP(cmd.Flags(), &sshConfigFile, "ssh-config-file", "", "CODER_SSH_CONFIG_FILE", "~/.ssh/config", "Specifies the path to an SSH config.")
-	cmd.Flags().StringArrayVarP(&sshOptions, "ssh-option", "o", []string{}, "Specifies additional SSH options to embed in each host stanza.")
+	cliflag.StringVarP(cmd.Flags(), &sshConfigFile, "ssh-config-file", "", "CODER_SSH_CONFIG_FILE", sshDefaultConfigFileName, "Specifies the path to an SSH config.")
+	cmd.Flags().StringArrayVarP(&sshConfigOpts.sshOptions, "ssh-option", "o", []string{}, "Specifies additional SSH options to embed in each host stanza.")
+	cmd.Flags().BoolVarP(&dryRun, "dry-run", "n", false, "Perform a trial run with no changes made, showing a diff at the end.")
 	cmd.Flags().BoolVarP(&skipProxyCommand, "skip-proxy-command", "", false, "Specifies whether the ProxyCommand option should be skipped. Useful for testing.")
 	_ = cmd.Flags().MarkHidden("skip-proxy-command")
+	cliflag.BoolVarP(cmd.Flags(), &usePreviousOpts, "use-previous-options", "", "CODER_SSH_USE_PREVIOUS_OPTIONS", false, "Specifies whether or not to keep options from previous run of config-ssh.")
+	cliui.AllowSkipPrompt(cmd)

 	return cmd
 }

+//nolint:revive
+func sshConfigWriteSectionHeader(w io.Writer, addNewline bool, o sshConfigOptions) {
+	nl := "\n"
+	if !addNewline {
+		nl = ""
+	}
+	_, _ = fmt.Fprint(w, nl+sshStartToken+"\n")
+	_, _ = fmt.Fprint(w, sshConfigSectionHeader)
+	_, _ = fmt.Fprint(w, sshConfigDocsHeader)
+	if len(o.sshOptions) > 0 {
+		_, _ = fmt.Fprint(w, sshConfigOptionsHeader)
+		for _, opt := range o.sshOptions {
+			_, _ = fmt.Fprintf(w, "# :%s=%s\n", "ssh-option", opt)
+		}
+	}
+	_, _ = fmt.Fprint(w, "#\n")
+}
+
+func sshConfigWriteSectionEnd(w io.Writer) {
+	_, _ = fmt.Fprint(w, sshEndToken+"\n")
+}
+
+func sshConfigParseLastOptions(r io.Reader) (o sshConfigOptions) {
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		if strings.HasPrefix(line, "# :") {
+			line = strings.TrimPrefix(line, "# :")
+			parts := strings.SplitN(line, "=", 2)
+			switch parts[0] {
+			case "ssh-option":
+				o.sshOptions = append(o.sshOptions, parts[1])
+			default:
+				// Unknown option, ignore.
+			}
+		}
+	}
+	if err := s.Err(); err != nil {
+		panic(err)
+	}
+
+	return o
+}
+
+func sshConfigGetCoderSection(data []byte) (section []byte, ok bool) {
+	startIndex := bytes.Index(data, []byte(sshStartToken))
+	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex != -1 && endIndex != -1 {
+		return data[startIndex : endIndex+len(sshEndToken)], true
+	}
+	return nil, false
+}
+
+// sshConfigSplitOnCoderSection splits the SSH config into two sections,
+// before contains the lines before sshStartToken and after contains the
+// lines after sshEndToken.
+func sshConfigSplitOnCoderSection(data []byte) (before, after []byte) {
+	startIndex := bytes.Index(data, []byte(sshStartToken))
+	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex != -1 && endIndex != -1 {
+		// We use -1 and +1 here to also include the preceding
+		// and trailing newline, where applicable.
+		start := startIndex
+		if start > 0 {
+			start--
+		}
+		end := endIndex + len(sshEndToken)
+		if end < len(data) {
+			end++
+		}
+		return data[:start], data[end:]
+	}
+
+	return data, nil
+}
+
+// writeWithTempFileAndMove writes to a temporary file in the same
+// directory as path and renames the temp file to the file provided in
+// path. This ensure we avoid trashing the file we are writing due to
+// unforeseen circumstance like filesystem full, command killed, etc.
+func writeWithTempFileAndMove(path string, r io.Reader) (err error) {
+	dir := filepath.Dir(path)
+	name := filepath.Base(path)
+
+	// Ensure that e.g. the ~/.ssh directory exists.
+	if err = os.MkdirAll(dir, 0o700); err != nil {
+		return xerrors.Errorf("create directory: %w", err)
+	}
+
+	// Create a tempfile in the same directory for ensuring write
+	// operation does not fail.
+	f, err := os.CreateTemp(dir, fmt.Sprintf(".%s.", name))
+	if err != nil {
+		return xerrors.Errorf("create temp file failed: %w", err)
+	}
+	defer func() {
+		if err != nil {
+			_ = os.Remove(f.Name()) // Cleanup in case a step failed.
+		}
+	}()
+
+	_, err = io.Copy(f, r)
+	if err != nil {
+		_ = f.Close()
+		return xerrors.Errorf("write temp file failed: %w", err)
+	}
+
+	err = f.Close()
+	if err != nil {
+		return xerrors.Errorf("close temp file failed: %w", err)
+	}
+
+	err = os.Rename(f.Name(), path)
+	if err != nil {
+		return xerrors.Errorf("rename temp file failed: %w", err)
+	}
+
+	return nil
+}
+
+// sshConfigExecEscape quotes the string if it contains spaces, as per
+// `man 5 ssh_config`. However, OpenSSH uses exec in the users shell to
+// run the command, and as such the formatting/escape requirements
+// cannot simply be covered by `fmt.Sprintf("%q", path)`.
+//
+// Always escaping the path with `fmt.Sprintf("%q", path)` usually works
+// on most platforms, but double quotes sometimes break on Windows 10
+// (see #2853). This function takes a best-effort approach to improving
+// compatibility and covering edge cases.
+//
+// Given the following ProxyCommand:
+//
+//	ProxyCommand "/path/with space/coder" ssh --stdio work
+//
+// This is ~what OpenSSH would execute:
+//
+//	/bin/bash -c '"/path/with space/to/coder" ssh --stdio workspace'
+//
+// However, since it's actually an arg in C, the contents inside the
+// single quotes are interpreted as is, e.g. if there was a '\t', it
+// would be the literal string '\t', not a tab.
+//
+// See:
+//   - https://github.com/coder/coder/issues/2853
+//   - https://github.com/openssh/openssh-portable/blob/V_9_0_P1/sshconnect.c#L158-L167
+//   - https://github.com/PowerShell/openssh-portable/blob/v8.1.0.0/sshconnect.c#L231-L293
+//   - https://github.com/PowerShell/openssh-portable/blob/v8.1.0.0/contrib/win32/win32compat/w32fd.c#L1075-L1100
+func sshConfigExecEscape(path string) (string, error) {
+	// This is unlikely to ever happen, but newlines are allowed on
+	// certain filesystems, but cannot be used inside ssh config.
+	if strings.ContainsAny(path, "\n") {
+		return "", xerrors.Errorf("invalid path: %s", path)
+	}
+	// In the unlikely even that a path contains quotes, they must be
+	// escaped so that they are not interpreted as shell quotes.
+	if strings.Contains(path, "\"") {
+		path = strings.ReplaceAll(path, "\"", "\\\"")
+	}
+	// A space or a tab requires quoting, but tabs must not be escaped
+	// (\t) since OpenSSH interprets it as a literal \t, not a tab.
+	if strings.ContainsAny(path, " \t") {
+		path = fmt.Sprintf("\"%s\"", path) //nolint:gocritic // We don't want %q here.
+	}
+	return path, nil
+}
+
 // currentBinPath returns the path to the coder binary suitable for use in ssh
 // ProxyCommand.
-func currentBinPath(cmd *cobra.Command) (string, error) {
+func currentBinPath(w io.Writer) (string, error) {
 	exePath, err := os.Executable()
 	if err != nil {
 		return "", xerrors.Errorf("get executable path: %w", err)
@@ -167,11 +558,12 @@ func currentBinPath(cmd *cobra.Command) (string, error) {
 	// correctly. Check if the current executable is in $PATH, and warn the user
 	// if it isn't.
 	if err != nil && runtime.GOOS == "windows" {
-		cliui.Warn(cmd.OutOrStdout(),
+		cliui.Warn(w,
 			"The current executable is not in $PATH.",
 			"This may lead to problems connecting to your workspace via SSH.",
 			fmt.Sprintf("Please move %q to a location in your $PATH (such as System32) and run `%s config-ssh` again.", binName, binName),
 		)
+		_, _ = fmt.Fprint(w, "\n")
 		// Return the exePath so SSH at least works outside of Msys2.
 		return exePath, nil
 	}
@@ -179,13 +571,39 @@ func currentBinPath(cmd *cobra.Command) (string, error) {
 	// Warn the user if the current executable is not the same as the one in
 	// $PATH.
 	if filepath.Clean(pathPath) != filepath.Clean(exePath) {
-		cliui.Warn(cmd.OutOrStdout(),
+		cliui.Warn(w,
 			"The current executable path does not match the executable path found in $PATH.",
 			"This may cause issues connecting to your workspace via SSH.",
 			fmt.Sprintf("\tCurrent executable path: %q", exePath),
 			fmt.Sprintf("\tExecutable path in $PATH: %q", pathPath),
 		)
+		_, _ = fmt.Fprint(w, "\n")
 	}

-	return binName, nil
+	return exePath, nil
+}
+
+// diffBytes takes two byte slices and diffs them as if they were in a
+// file named name.
+// nolint: revive // Color is an option, not a control coupling.
+func diffBytes(name string, b1, b2 []byte, color bool) ([]byte, error) {
+	var buf bytes.Buffer
+	var opts []write.Option
+	if color {
+		opts = append(opts, write.TerminalColor())
+	}
+	err := diff.Text(name, name, b1, b2, &buf, opts...)
+	if err != nil {
+		return nil, err
+	}
+	b := buf.Bytes()
+	// Check if diff only output two lines, if yes, there's no diff.
+	//
+	// Example:
+	// 	--- /home/user/.ssh/config
+	// 	+++ /home/user/.ssh/config
+	if bytes.Count(b, []byte{'\n'}) == 2 {
+		b = nil
+	}
+	return b, nil
 }
@@ -0,0 +1,62 @@
+package cli
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+// This test tries to mimic the behavior of OpenSSH
+// when executing e.g. a ProxyCommand.
+func Test_sshConfigExecEscape(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		path    string
+		wantErr bool
+		windows bool
+	}{
+		{"no spaces", "simple", false, true},
+		{"spaces", "path with spaces", false, true},
+		{"quotes", "path with \"quotes\"", false, false},
+		{"backslashes", "path with \\backslashes", false, false},
+		{"tabs", "path with \ttabs", false, false},
+		{"newline fails", "path with \nnewline", true, false},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			if runtime.GOOS == "windows" {
+				t.Skip("Windows doesn't typically execute via /bin/sh or cmd.exe, so this test is not applicable.")
+			}
+
+			dir := filepath.Join(t.TempDir(), tt.path)
+			err := os.MkdirAll(dir, 0o755)
+			require.NoError(t, err)
+			bin := filepath.Join(dir, "coder")
+			contents := []byte("#!/bin/sh\necho yay\n")
+			err = os.WriteFile(bin, contents, 0o755) //nolint:gosec
+			require.NoError(t, err)
+
+			escaped, err := sshConfigExecEscape(bin)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			b, err := exec.Command("/bin/sh", "-c", escaped).CombinedOutput() //nolint:gosec
+			require.NoError(t, err)
+			got := strings.TrimSpace(string(b))
+			require.Equal(t, "yay", got)
+		})
+	}
+}
@@ -1,18 +1,25 @@
 package cli_test

 import (
+	"bufio"
+	"bytes"
 	"context"
+	"fmt"
 	"io"
 	"net"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"testing"

 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/slogtest"

 	"github.com/coder/coder/agent"
@@ -24,12 +31,40 @@ import (
 	"github.com/coder/coder/pty/ptytest"
 )

+func sshConfigFileName(t *testing.T) (sshConfig string) {
+	t.Helper()
+	tmpdir := t.TempDir()
+	dotssh := filepath.Join(tmpdir, ".ssh")
+	err := os.Mkdir(dotssh, 0o700)
+	require.NoError(t, err)
+	n := filepath.Join(dotssh, "config")
+	return n
+}
+
+func sshConfigFileCreate(t *testing.T, name string, data io.Reader) {
+	t.Helper()
+	t.Logf("Writing %s", name)
+	f, err := os.Create(name)
+	require.NoError(t, err)
+	n, err := io.Copy(f, data)
+	t.Logf("Wrote %d", n)
+	require.NoError(t, err)
+	err = f.Close()
+	require.NoError(t, err)
+}
+
+func sshConfigFileRead(t *testing.T, name string) string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+	return string(b)
+}
+
 func TestConfigSSH(t *testing.T) {
 	t.Parallel()

-	client := coderdtest.New(t, nil)
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 	user := coderdtest.CreateFirstUser(t, client)
-	coderdtest.NewProvisionerDaemon(t, client)
 	authToken := uuid.NewString()
 	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 		Parse: echo.ParseComplete,
@@ -71,47 +106,56 @@ func TestConfigSSH(t *testing.T) {
 	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
 	agentClient := codersdk.New(client.URL)
 	agentClient.SessionToken = authToken
-	agentCloser := agent.New(agentClient.ListenWorkspaceAgent, &agent.Options{
-		Logger: slogtest.Make(t, nil),
+	agentCloser := agent.New(agent.Options{
+		FetchMetadata:     agentClient.WorkspaceAgentMetadata,
+		CoordinatorDialer: agentClient.ListenWorkspaceAgentTailnet,
+		Logger:            slogtest.Make(t, nil).Named("agent"),
 	})
-	t.Cleanup(func() {
+	defer func() {
 		_ = agentCloser.Close()
-	})
-	tempFile, err := os.CreateTemp(t.TempDir(), "")
-	require.NoError(t, err)
-	_ = tempFile.Close()
+	}()
 	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-	agentConn, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
+	agentConn, err := client.DialWorkspaceAgentTailnet(context.Background(), slog.Logger{}, resources[0].Agents[0].ID)
 	require.NoError(t, err)
 	defer agentConn.Close()

 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
-	t.Cleanup(func() {
+	defer func() {
 		_ = listener.Close()
-	})
+	}()
+	copyDone := make(chan struct{})
 	go func() {
+		defer close(copyDone)
+		var wg sync.WaitGroup
 		for {
 			conn, err := listener.Accept()
 			if err != nil {
-				return
+				break
 			}
 			ssh, err := agentConn.SSH()
-			require.NoError(t, err)
-			go io.Copy(conn, ssh)
-			go io.Copy(ssh, conn)
+			assert.NoError(t, err)
+			wg.Add(2)
+			go func() {
+				defer wg.Done()
+				_, _ = io.Copy(conn, ssh)
+			}()
+			go func() {
+				defer wg.Done()
+				_, _ = io.Copy(ssh, conn)
+			}()
 		}
+		wg.Wait()
 	}()
-	t.Cleanup(func() {
-		_ = listener.Close()
-	})
+
+	sshConfigFile := sshConfigFileName(t)

 	tcpAddr, valid := listener.Addr().(*net.TCPAddr)
 	require.True(t, valid)
 	cmd, root := clitest.New(t, "config-ssh",
 		"--ssh-option", "HostName "+tcpAddr.IP.String(),
 		"--ssh-option", "Port "+strconv.Itoa(tcpAddr.Port),
-		"--ssh-config-file", tempFile.Name(),
+		"--ssh-config-file", sshConfigFile,
 		"--skip-proxy-command")
 	clitest.SetupConfig(t, client, root)
 	doneChan := make(chan struct{})
@@ -121,15 +165,571 @@ func TestConfigSSH(t *testing.T) {
 	go func() {
 		defer close(doneChan)
 		err := cmd.Execute()
-		require.NoError(t, err)
+		assert.NoError(t, err)
 	}()
+
+	matches := []struct {
+		match, write string
+	}{
+		{match: "Continue?", write: "yes"},
+	}
+	for _, m := range matches {
+		pty.ExpectMatch(m.match)
+		pty.WriteLine(m.write)
+	}
+
 	<-doneChan

-	t.Log(tempFile.Name())
+	home := filepath.Dir(filepath.Dir(sshConfigFile))
 	// #nosec
-	sshCmd := exec.Command("ssh", "-F", tempFile.Name(), "coder."+workspace.Name, "echo", "test")
-	sshCmd.Stderr = os.Stderr
+	sshCmd := exec.Command("ssh", "-F", sshConfigFile, "coder."+workspace.Name, "echo", "test")
+	pty = ptytest.New(t)
+	// Set HOME because coder config is included from ~/.ssh/coder.
+	sshCmd.Env = append(sshCmd.Env, fmt.Sprintf("HOME=%s", home))
+	sshCmd.Stderr = pty.Output()
 	data, err := sshCmd.Output()
 	require.NoError(t, err)
 	require.Equal(t, "test", strings.TrimSpace(string(data)))
+
+	_ = listener.Close()
+	<-copyDone
+}
+
+func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
+	t.Parallel()
+
+	headerStart := strings.Join([]string{
+		"# ------------START-CODER-----------",
+		"# This section is managed by coder. DO NOT EDIT.",
+		"#",
+		"# You should not hand-edit this section unless you are removing it, all",
+		"# changes will be lost when running \"coder config-ssh\".",
+		"#",
+	}, "\n")
+	headerEnd := "# ------------END-CODER------------"
+	baseHeader := strings.Join([]string{
+		headerStart,
+		headerEnd,
+	}, "\n")
+
+	type writeConfig struct {
+		ssh string
+	}
+	type wantConfig struct {
+		ssh string
+	}
+	type match struct {
+		match, write string
+	}
+	tests := []struct {
+		name        string
+		args        []string
+		matches     []match
+		writeConfig writeConfig
+		wantConfig  wantConfig
+		wantErr     bool
+	}{
+		{
+			name: "Config file is created",
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+		},
+		{
+			name: "Section is written after user content",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Section is not moved on re-run",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+		},
+		{
+			name: "Section is not moved on re-run with new options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					baseHeader,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					"Host myhost",
+					"	HostName myhost",
+					"",
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+					"Host otherhost",
+					"	HostName otherhost",
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--ssh-option", "ForwardAgent=yes",
+			},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Adds newline at EOF",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Do not prompt for new options on first run",
+			writeConfig: writeConfig{
+				ssh: "",
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+			matches: []match{
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Prompt for new options when there are no previous options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "Prompt for new options when there are previous options",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "yes"},
+			},
+		},
+		{
+			name: "No prompt on no changes",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=yes"},
+		},
+		{
+			name: "No changes when continue = no",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--ssh-option", "ForwardAgent=no"},
+			matches: []match{
+				{match: "Use new options?", write: "yes"},
+				{match: "Continue?", write: "no"},
+			},
+		},
+		{
+			name: "Do not prompt when using --yes",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					// Last options overwritten.
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			args: []string{"--yes"},
+		},
+		{
+			name: "Do not prompt for new options when prev opts flag is set",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					headerStart,
+					"# Last config-ssh options:",
+					"# :ssh-option=ForwardAgent=yes",
+					"#",
+					headerEnd,
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--use-previous-options",
+				"--yes",
+			},
+		},
+		{
+			name: "Do not overwrite config when using --dry-run",
+			writeConfig: writeConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			wantConfig: wantConfig{
+				ssh: strings.Join([]string{
+					baseHeader,
+					"",
+				}, "\n"),
+			},
+			args: []string{
+				"--ssh-option", "ForwardAgent=yes",
+				"--dry-run",
+				"--yes",
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+				user      = coderdtest.CreateFirstUser(t, client)
+				version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+				_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+				project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+				workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
+				_         = coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+			)
+
+			// Prepare ssh config files.
+			sshConfigName := sshConfigFileName(t)
+			if tt.writeConfig.ssh != "" {
+				sshConfigFileCreate(t, sshConfigName, strings.NewReader(tt.writeConfig.ssh))
+			}
+
+			args := []string{
+				"config-ssh",
+				"--ssh-config-file", sshConfigName,
+			}
+			args = append(args, tt.args...)
+			cmd, root := clitest.New(t, args...)
+			clitest.SetupConfig(t, client, root)
+
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			done := tGo(t, func() {
+				err := cmd.Execute()
+				if !tt.wantErr {
+					assert.NoError(t, err)
+				} else {
+					assert.Error(t, err)
+				}
+			})
+
+			for _, m := range tt.matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-done
+
+			if tt.wantConfig.ssh != "" {
+				got := sshConfigFileRead(t, sshConfigName)
+				assert.Equal(t, tt.wantConfig.ssh, got)
+			}
+		})
+	}
+}
+
+func TestConfigSSH_Hostnames(t *testing.T) {
+	t.Parallel()
+
+	type resourceSpec struct {
+		name   string
+		agents []string
+	}
+	tests := []struct {
+		name      string
+		resources []resourceSpec
+		expected  []string
+	}{
+		{
+			name: "one resource with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "one resource with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1", "agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+		{
+			name: "two resources with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar"},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "two resources with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar", agents: []string{"agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var resources []*proto.Resource
+			for _, resourceSpec := range tt.resources {
+				resource := &proto.Resource{
+					Name: resourceSpec.name,
+					Type: "aws_instance",
+				}
+				for _, agentName := range resourceSpec.agents {
+					resource.Agents = append(resource.Agents, &proto.Agent{
+						Id:   uuid.NewString(),
+						Name: agentName,
+					})
+				}
+				resources = append(resources, resource)
+			}
+
+			provisionResponse := []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: resources,
+					},
+				},
+			}}
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			// authToken := uuid.NewString()
+			version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+				Parse:           echo.ParseComplete,
+				ProvisionDryRun: provisionResponse,
+				Provision:       provisionResponse,
+			})
+			coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+			template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+			workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+			coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+			sshConfigFile := sshConfigFileName(t)
+
+			cmd, root := clitest.New(t, "config-ssh", "--ssh-config-file", sshConfigFile)
+			clitest.SetupConfig(t, client, root)
+			doneChan := make(chan struct{})
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			go func() {
+				defer close(doneChan)
+				err := cmd.Execute()
+				assert.NoError(t, err)
+			}()
+
+			matches := []struct {
+				match, write string
+			}{
+				{match: "Continue?", write: "yes"},
+			}
+			for _, m := range matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-doneChan
+
+			var expectedHosts []string
+			for _, hostnamePattern := range tt.expected {
+				hostname := strings.ReplaceAll(hostnamePattern, "@", workspace.Name)
+				expectedHosts = append(expectedHosts, hostname)
+			}
+
+			hosts := sshConfigFileParseHosts(t, sshConfigFile)
+			require.ElementsMatch(t, expectedHosts, hosts)
+		})
+	}
+}
+
+// sshConfigFileParseHosts reads a file in the format of .ssh/config and extracts
+// the hostnames that are listed in "Host" directives.
+func sshConfigFileParseHosts(t *testing.T, name string) []string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+
+	var result []string
+	lineScanner := bufio.NewScanner(bytes.NewBuffer(b))
+	for lineScanner.Scan() {
+		line := lineScanner.Text()
+		line = strings.TrimSpace(line)
+
+		tokenScanner := bufio.NewScanner(bytes.NewBufferString(line))
+		tokenScanner.Split(bufio.ScanWords)
+		ok := tokenScanner.Scan()
+		if ok && tokenScanner.Text() == "Host" {
+			for tokenScanner.Scan() {
+				result = append(result, tokenScanner.Text())
+			}
+		}
+	}
+
+	return result
 }
@@ -0,0 +1,6 @@
+package cli
+
+const (
+	timeFormat = "3:04PM MST"
+	dateFormat = "Jan 2, 2006"
+)
@@ -2,6 +2,7 @@ package cli

 import (
 	"fmt"
+	"io"
 	"time"

 	"github.com/spf13/cobra"
@@ -10,21 +11,24 @@ import (

 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
-	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/util/ptr"
 	"github.com/coder/coder/codersdk"
 )

 func create() *cobra.Command {
 	var (
-		workspaceName string
+		parameterFile string
 		templateName  string
+		startAt       string
+		stopAfter     time.Duration
+		workspaceName string
 	)
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "create [name]",
-		Short:       "Create a workspace from a template",
+		Short:       "Create a workspace",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
@@ -42,7 +46,7 @@ func create() *cobra.Command {
 				workspaceName, err = cliui.Prompt(cmd, cliui.PromptOptions{
 					Text: "Specify a name for your workspace:",
 					Validate: func(workspaceName string) error {
-						_, err = client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, workspaceName)
+						_, err = client.WorkspaceByOwnerAndName(cmd.Context(), codersdk.Me, workspaceName, codersdk.WorkspaceOptions{})
 						if err == nil {
 							return xerrors.Errorf("A workspace already exists named %q!", workspaceName)
 						}
@@ -54,7 +58,7 @@ func create() *cobra.Command {
 				}
 			}

-			_, err = client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, workspaceName)
+			_, err = client.WorkspaceByOwnerAndName(cmd.Context(), codersdk.Me, workspaceName, codersdk.WorkspaceOptions{})
 			if err == nil {
 				return xerrors.Errorf("A workspace already exists named %q!", workspaceName)
 			}
@@ -69,7 +73,7 @@ func create() *cobra.Command {
 				}

 				slices.SortFunc(templates, func(a, b codersdk.Template) bool {
-					return a.WorkspaceOwnerCount > b.WorkspaceOwnerCount
+					return a.ActiveUserCount > b.ActiveUserCount
 				})

 				templateNames := make([]string, 0, len(templates))
@@ -78,13 +82,13 @@ func create() *cobra.Command {
 				for _, template := range templates {
 					templateName := template.Name

-					if template.WorkspaceOwnerCount > 0 {
-						developerText := "developer"
-						if template.WorkspaceOwnerCount != 1 {
-							developerText = "developers"
-						}
-
-						templateName += cliui.Styles.Placeholder.Render(fmt.Sprintf(" (used by %d %s)", template.WorkspaceOwnerCount, developerText))
+					if template.ActiveUserCount > 0 {
+						templateName += cliui.Styles.Placeholder.Render(
+							fmt.Sprintf(
+								" (used by %s)",
+								formatActiveDevelopers(template.ActiveUserCount),
+							),
+						)
 					}

 					templateNames = append(templateNames, templateName)
@@ -108,47 +112,20 @@ func create() *cobra.Command {
 				}
 			}

-			templateVersion, err := client.TemplateVersion(cmd.Context(), template.ActiveVersionID)
-			if err != nil {
-				return err
-			}
-			parameterSchemas, err := client.TemplateVersionSchema(cmd.Context(), templateVersion.ID)
-			if err != nil {
-				return err
-			}
-
-			printed := false
-			parameters := make([]codersdk.CreateParameterRequest, 0)
-			for _, parameterSchema := range parameterSchemas {
-				if !parameterSchema.AllowOverrideSource {
-					continue
-				}
-				if !printed {
-					_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("This template has customizable parameters. Values can be changed after create, but may have unintended side effects (like data loss).")+"\r\n")
-					printed = true
-				}
-				value, err := cliui.ParameterSchema(cmd, parameterSchema)
+			var schedSpec *string
+			if startAt != "" {
+				sched, err := parseCLISchedule(startAt)
 				if err != nil {
 					return err
 				}
-				parameters = append(parameters, codersdk.CreateParameterRequest{
-					Name:              parameterSchema.Name,
-					SourceValue:       value,
-					SourceScheme:      database.ParameterSourceSchemeData,
-					DestinationScheme: parameterSchema.DefaultDestinationScheme,
-				})
+				schedSpec = ptr.Ref(sched.String())
 			}
-			_, _ = fmt.Fprintln(cmd.OutOrStdout())

-			resources, err := client.TemplateVersionResources(cmd.Context(), templateVersion.ID)
-			if err != nil {
-				return err
-			}
-			err = cliui.WorkspaceResources(cmd.OutOrStdout(), resources, cliui.WorkspaceResourcesOptions{
-				WorkspaceName: workspaceName,
-				// Since agent's haven't connected yet, hiding this makes more sense.
-				HideAgentState: true,
-				Title:          "Workspace Preview",
+			parameters, err := prepWorkspaceBuild(cmd, client, prepWorkspaceBuildArgs{
+				Template:         template,
+				ExistingParams:   []codersdk.Parameter{},
+				ParameterFile:    parameterFile,
+				NewWorkspaceName: workspaceName,
 			})
 			if err != nil {
 				return err
@@ -162,38 +139,147 @@ func create() *cobra.Command {
 				return err
 			}

-			before := time.Now()
-			workspace, err := client.CreateWorkspace(cmd.Context(), organization.ID, codersdk.CreateWorkspaceRequest{
-				TemplateID:      template.ID,
-				Name:            workspaceName,
-				ParameterValues: parameters,
+			after := time.Now()
+			workspace, err := client.CreateWorkspace(cmd.Context(), organization.ID, codersdk.Me, codersdk.CreateWorkspaceRequest{
+				TemplateID:        template.ID,
+				Name:              workspaceName,
+				AutostartSchedule: schedSpec,
+				TTLMillis:         ptr.Ref(stopAfter.Milliseconds()),
+				ParameterValues:   parameters,
 			})
 			if err != nil {
 				return err
 			}

-			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, workspace.LatestBuild.ID, before)
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, workspace.LatestBuild.ID, after)
 			if err != nil {
 				return err
 			}

-			resources, err = client.WorkspaceResourcesByBuild(cmd.Context(), workspace.LatestBuild.ID)
-			if err != nil {
-				return err
-			}
-
-			err = cliui.WorkspaceResources(cmd.OutOrStdout(), resources, cliui.WorkspaceResourcesOptions{
-				WorkspaceName: workspaceName,
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "The %s workspace has been created!\n", cliui.Styles.Keyword.Render(workspace.Name))
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been created at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
 			return nil
 		},
 	}

+	cliui.AllowSkipPrompt(cmd)
 	cliflag.StringVarP(cmd.Flags(), &templateName, "template", "t", "CODER_TEMPLATE_NAME", "", "Specify a template name.")
+	cliflag.StringVarP(cmd.Flags(), &parameterFile, "parameter-file", "", "CODER_PARAMETER_FILE", "", "Specify a file path with parameter values.")
+	cliflag.StringVarP(cmd.Flags(), &startAt, "start-at", "", "CODER_WORKSPACE_START_AT", "", "Specify the workspace autostart schedule. Check `coder schedule start --help` for the syntax.")
+	cliflag.DurationVarP(cmd.Flags(), &stopAfter, "stop-after", "", "CODER_WORKSPACE_STOP_AFTER", 8*time.Hour, "Specify a duration after which the workspace should shut down (e.g. 8h).")
 	return cmd
 }
+
+type prepWorkspaceBuildArgs struct {
+	Template         codersdk.Template
+	ExistingParams   []codersdk.Parameter
+	ParameterFile    string
+	NewWorkspaceName string
+}
+
+// prepWorkspaceBuild will ensure a workspace build will succeed on the latest template version.
+// Any missing params will be prompted to the user.
+func prepWorkspaceBuild(cmd *cobra.Command, client *codersdk.Client, args prepWorkspaceBuildArgs) ([]codersdk.CreateParameterRequest, error) {
+	ctx := cmd.Context()
+	templateVersion, err := client.TemplateVersion(ctx, args.Template.ActiveVersionID)
+	if err != nil {
+		return nil, err
+	}
+	parameterSchemas, err := client.TemplateVersionSchema(ctx, templateVersion.ID)
+	if err != nil {
+		return nil, err
+	}
+
+	// parameterMapFromFile can be nil if parameter file is not specified
+	var parameterMapFromFile map[string]string
+	useParamFile := false
+	if args.ParameterFile != "" {
+		useParamFile = true
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("Attempting to read the variables from the parameter file.")+"\r\n")
+		parameterMapFromFile, err = createParameterMapFromFile(args.ParameterFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+	disclaimerPrinted := false
+	parameters := make([]codersdk.CreateParameterRequest, 0)
+PromptParamLoop:
+	for _, parameterSchema := range parameterSchemas {
+		if !parameterSchema.AllowOverrideSource {
+			continue
+		}
+		if !disclaimerPrinted {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("This template has customizable parameters. Values can be changed after create, but may have unintended side effects (like data loss).")+"\r\n")
+			disclaimerPrinted = true
+		}
+
+		// Param file is all or nothing
+		if !useParamFile {
+			for _, e := range args.ExistingParams {
+				if e.Name == parameterSchema.Name {
+					// If the param already exists, we do not need to prompt it again.
+					// The workspace scope will reuse params for each build.
+					continue PromptParamLoop
+				}
+			}
+		}
+
+		parameterValue, err := getParameterValueFromMapOrInput(cmd, parameterMapFromFile, parameterSchema)
+		if err != nil {
+			return nil, err
+		}
+
+		parameters = append(parameters, codersdk.CreateParameterRequest{
+			Name:              parameterSchema.Name,
+			SourceValue:       parameterValue,
+			SourceScheme:      codersdk.ParameterSourceSchemeData,
+			DestinationScheme: parameterSchema.DefaultDestinationScheme,
+		})
+	}
+	_, _ = fmt.Fprintln(cmd.OutOrStdout())
+
+	// Run a dry-run with the given parameters to check correctness
+	after := time.Now()
+	dryRun, err := client.CreateTemplateVersionDryRun(cmd.Context(), templateVersion.ID, codersdk.CreateTemplateVersionDryRunRequest{
+		WorkspaceName:   args.NewWorkspaceName,
+		ParameterValues: parameters,
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("begin workspace dry-run: %w", err)
+	}
+	_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Planning workspace...")
+	err = cliui.ProvisionerJob(cmd.Context(), cmd.OutOrStdout(), cliui.ProvisionerJobOptions{
+		Fetch: func() (codersdk.ProvisionerJob, error) {
+			return client.TemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
+		},
+		Cancel: func() error {
+			return client.CancelTemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
+		},
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+			return client.TemplateVersionDryRunLogsAfter(cmd.Context(), templateVersion.ID, dryRun.ID, after)
+		},
+		// Don't show log output for the dry-run unless there's an error.
+		Silent: true,
+	})
+	if err != nil {
+		// TODO (Dean): reprompt for parameter values if we deem it to
+		// be a validation error
+		return nil, xerrors.Errorf("dry-run workspace: %w", err)
+	}
+
+	resources, err := client.TemplateVersionDryRunResources(cmd.Context(), templateVersion.ID, dryRun.ID)
+	if err != nil {
+		return nil, xerrors.Errorf("get workspace dry-run resources: %w", err)
+	}
+
+	err = cliui.WorkspaceResources(cmd.OutOrStdout(), resources, cliui.WorkspaceResourcesOptions{
+		WorkspaceName: args.NewWorkspaceName,
+		// Since agents haven't connected yet, hiding this makes more sense.
+		HideAgentState: true,
+		Title:          "Workspace Preview",
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	return parameters, nil
+}
@@ -1,87 +1,112 @@
 package cli_test

 import (
+	"context"
+	"fmt"
+	"os"
 	"testing"
+	"time"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestCreate(t *testing.T) {
 	t.Parallel()
 	t.Run("Create", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, nil)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           echo.ParseComplete,
+			Provision:       provisionCompleteWithAgent,
+			ProvisionDryRun: provisionCompleteWithAgent,
+		})
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		args := []string{
+			"create",
+			"my-workspace",
+			"--template", template.Name,
+			"--start-at", "9:30AM Mon-Fri US/Central",
+			"--stop-after", "8h",
+		}
+		cmd, root := clitest.New(t, args...)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		matches := []struct {
+			match string
+			write string
+		}{
+			{match: "compute.main"},
+			{match: "smith (linux, i386)"},
+			{match: "Confirm create", write: "yes"},
+		}
+		for _, m := range matches {
+			pty.ExpectMatch(m.match)
+			if len(m.write) > 0 {
+				pty.WriteLine(m.write)
+			}
+		}
+		<-doneChan
+
+		ws, err := client.WorkspaceByOwnerAndName(context.Background(), "testuser", "my-workspace", codersdk.WorkspaceOptions{})
+		if assert.NoError(t, err, "expected workspace to be created") {
+			assert.Equal(t, ws.TemplateName, template.Name)
+			if assert.NotNil(t, ws.AutostartSchedule) {
+				assert.Equal(t, *ws.AutostartSchedule, "CRON_TZ=US/Central 30 9 * * Mon-Fri")
+			}
+			if assert.NotNil(t, ws.TTLMillis) {
+				assert.Equal(t, *ws.TTLMillis, 8*time.Hour.Milliseconds())
+			}
+		}
+	})
+
+	t.Run("CreateFromListWithSkip", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "my-workspace", "-y")
+
+		member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		clitest.SetupConfig(t, member, root)
+		cmdCtx, done := context.WithTimeout(context.Background(), testutil.WaitLong)
+		go func() {
+			defer done()
+			err := cmd.ExecuteContext(cmdCtx)
+			assert.NoError(t, err)
+		}()
+		// No pty interaction needed since we use the -y skip prompt flag
+		<-cmdCtx.Done()
+		require.ErrorIs(t, cmdCtx.Err(), context.Canceled)
+	})
+
+	t.Run("FromNothing", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name)
-		clitest.SetupConfig(t, client, root)
-		doneChan := make(chan struct{})
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		go func() {
-			defer close(doneChan)
-			err := cmd.Execute()
-			require.NoError(t, err)
-		}()
-		matches := []string{
-			"Confirm create", "yes",
-		}
-		for i := 0; i < len(matches); i += 2 {
-			match := matches[i]
-			value := matches[i+1]
-			pty.ExpectMatch(match)
-			pty.WriteLine(value)
-		}
-		<-doneChan
-	})
-	t.Run("CreateFromList", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		cmd, root := clitest.New(t, "create", "my-workspace")
-		clitest.SetupConfig(t, client, root)
-		doneChan := make(chan struct{})
-		pty := ptytest.New(t)
-		cmd.SetIn(pty.Input())
-		cmd.SetOut(pty.Output())
-		go func() {
-			defer close(doneChan)
-			err := cmd.Execute()
-			require.NoError(t, err)
-		}()
-		matches := []string{
-			"Confirm create", "yes",
-		}
-		for i := 0; i < len(matches); i += 2 {
-			match := matches[i]
-			value := matches[i+1]
-			pty.ExpectMatch(match)
-			pty.WriteLine(value)
-		}
-		<-doneChan
-	})
-	t.Run("FromNothing", func(t *testing.T) {
-		t.Parallel()
-		client := coderdtest.New(t, nil)
-		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 		cmd, root := clitest.New(t, "create", "")
 		clitest.SetupConfig(t, client, root)
 		doneChan := make(chan struct{})
@@ -91,7 +116,7 @@ func TestCreate(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := cmd.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()
 		matches := []string{
 			"Specify a name", "my-workspace",
@@ -104,37 +129,116 @@ func TestCreate(t *testing.T) {
 			pty.WriteLine(value)
 		}
 		<-doneChan
+
+		ws, err := client.WorkspaceByOwnerAndName(cmd.Context(), "testuser", "my-workspace", codersdk.WorkspaceOptions{})
+		if assert.NoError(t, err, "expected workspace to be created") {
+			assert.Equal(t, ws.TemplateName, template.Name)
+			assert.Nil(t, ws.AutostartSchedule, "expected workspace autostart schedule to be nil")
+		}
 	})
+
 	t.Run("WithParameter", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, nil)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
+
+		defaultValue := "something"
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse: []*proto.Parse_Response{{
-				Type: &proto.Parse_Response_Complete{
-					Complete: &proto.Parse_Complete{
-						ParameterSchemas: []*proto.ParameterSchema{{
-							AllowOverrideSource: true,
-							Name:                "region",
-							Description:         "description",
-							DefaultSource: &proto.ParameterSource{
-								Scheme: proto.ParameterSource_DATA,
-								Value:  "something",
-							},
-							DefaultDestination: &proto.ParameterDestination{
-								Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
-							},
-						}},
-					},
-				},
-			}},
+			Parse:           createTestParseResponseWithDefault(defaultValue),
+			Provision:       echo.ProvisionComplete,
+			ProvisionDryRun: echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Specify a name", "my-workspace",
+			fmt.Sprintf("Enter a value (default: %q):", defaultValue), "bingo",
+			"Enter a value:", "boingo",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("WithParameterFileContainingTheValue", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           createTestParseResponseWithDefault(defaultValue),
+			Provision:       echo.ProvisionComplete,
+			ProvisionDryRun: echo.ProvisionComplete,
+		})
+
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region: \"bingo\"\nusername: \"boingo\"")
+		cmd, root := clitest.New(t, "create", "", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Specify a name", "my-workspace",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("WithParameterFileNotContainingTheValue", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+
+		defaultValue := "something"
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:           createTestParseResponseWithDefault(defaultValue),
 			Provision:       echo.ProvisionComplete,
 			ProvisionDryRun: echo.ProvisionComplete,
 		})
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		cmd, root := clitest.New(t, "create", "")
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("zone: \"bananas\"")
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name, "--parameter-file", parameterFile.Name())
 		clitest.SetupConfig(t, client, root)
 		doneChan := make(chan struct{})
 		pty := ptytest.New(t)
@@ -143,19 +247,88 @@ func TestCreate(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := cmd.Execute()
-			require.NoError(t, err)
+			assert.EqualError(t, err, "Parameter value absent in parameter file for \"region\"!")
 		}()
-		matches := []string{
-			"Specify a name", "my-workspace",
-			"Enter a value", "bananas",
-			"Confirm create?", "yes",
-		}
-		for i := 0; i < len(matches); i += 2 {
-			match := matches[i]
-			value := matches[i+1]
-			pty.ExpectMatch(match)
-			pty.WriteLine(value)
-		}
 		<-doneChan
 	})
+
+	t.Run("FailedDryRun", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: []*proto.Parse_Response{{
+				Type: &proto.Parse_Response_Complete{
+					Complete: &proto.Parse_Complete{
+						ParameterSchemas: echo.ParameterSuccess,
+					},
+				},
+			}},
+			ProvisionDryRun: []*proto.Provision_Response{
+				{
+					Type: &proto.Provision_Response_Complete{
+						Complete: &proto.Provision_Complete{},
+					},
+				},
+			},
+		})
+
+		tempDir := t.TempDir()
+		parameterFile, err := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		require.NoError(t, err)
+		defer parameterFile.Close()
+		_, _ = parameterFile.WriteString(fmt.Sprintf("%s: %q", echo.ParameterExecKey, echo.ParameterError("fail")))
+
+		// The template import job should end up failed, but we need it to be
+		// succeeded so the dry-run can begin.
+		version = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		require.Equal(t, codersdk.ProvisionerJobSucceeded, version.Job.Status, "job is not failed")
+
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		cmd, root := clitest.New(t, "create", "test", "--parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+
+		err = cmd.Execute()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "dry-run workspace")
+	})
+}
+
+func createTestParseResponseWithDefault(defaultValue string) []*proto.Parse_Response {
+	return []*proto.Parse_Response{{
+		Type: &proto.Parse_Response_Complete{
+			Complete: &proto.Parse_Complete{
+				ParameterSchemas: []*proto.ParameterSchema{
+					{
+						AllowOverrideSource: true,
+						Name:                "region",
+						Description:         "description 1",
+						DefaultSource: &proto.ParameterSource{
+							Scheme: proto.ParameterSource_DATA,
+							Value:  defaultValue,
+						},
+						DefaultDestination: &proto.ParameterDestination{
+							Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
+						},
+					},
+					{
+						AllowOverrideSource: true,
+						Name:                "username",
+						Description:         "description 2",
+						DefaultSource: &proto.ParameterSource{
+							Scheme: proto.ParameterSource_DATA,
+							// No default value
+							Value: "",
+						},
+						DefaultDestination: &proto.ParameterDestination{
+							Scheme: proto.ParameterDestination_PROVISIONER_VARIABLE,
+						},
+					},
+				},
+			},
+		},
+	}}
 }
@@ -1,44 +1,75 @@
 package cli

 import (
+	"fmt"
 	"time"

 	"github.com/spf13/cobra"

 	"github.com/coder/coder/cli/cliui"
-	"github.com/coder/coder/coderd/database"
 	"github.com/coder/coder/codersdk"
 )

 // nolint
-func delete() *cobra.Command {
-	return &cobra.Command{
+func deleteWorkspace() *cobra.Command {
+	var orphan bool
+	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "delete <workspace>",
 		Short:       "Delete a workspace",
 		Aliases:     []string{"rm"},
 		Args:        cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-			before := time.Now()
-			build, err := client.CreateWorkspaceBuild(cmd.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
-				Transition: database.WorkspaceTransitionDelete,
+			_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Confirm delete workspace?",
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
 			})
 			if err != nil {
 				return err
 			}
-			return cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, build.ID, before)
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+			workspace, err := namedWorkspace(cmd, client, args[0])
+			if err != nil {
+				return err
+			}
+
+			var state []byte
+
+			if orphan {
+				cliui.Warn(
+					cmd.ErrOrStderr(),
+					"Orphaning workspace requires template edit permission",
+				)
+			}
+
+			before := time.Now()
+			build, err := client.CreateWorkspaceBuild(cmd.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
+				Transition:       codersdk.WorkspaceTransitionDelete,
+				ProvisionerState: state,
+				Orphan:           orphan,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, build.ID, before)
+			if err != nil {
+				return err
+			}
+
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been deleted at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
+			return nil
 		},
 	}
+	cmd.Flags().BoolVar(&orphan, "orphan", false,
+		`Delete a workspace without deleting its resources. This can delete a
+workspace in a broken state, but may also lead to unaccounted cloud resources.`,
+	)
+	cliui.AllowSkipPrompt(cmd)
+	return cmd
 }
@@ -0,0 +1,125 @@
+package cli_test
+
+import (
+	"context"
+	"io"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestDelete(t *testing.T) {
+	t.Parallel()
+	t.Run("WithParameter", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "delete", workspace.Name, "-y")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+	})
+
+	t.Run("Orphan", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "delete", workspace.Name, "-y", "--orphan")
+
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+	})
+
+	t.Run("DifferentUser", func(t *testing.T) {
+		t.Parallel()
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		adminUser := coderdtest.CreateFirstUser(t, adminClient)
+		orgID := adminUser.OrganizationID
+		client := coderdtest.CreateAnotherUser(t, adminClient, orgID)
+		user, err := client.User(context.Background(), codersdk.Me)
+		require.NoError(t, err)
+
+		version := coderdtest.CreateTemplateVersion(t, adminClient, orgID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, adminClient, version.ID)
+		template := coderdtest.CreateTemplate(t, adminClient, orgID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, orgID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, root := clitest.New(t, "delete", user.Username+"/"+workspace.Name, "-y")
+		clitest.SetupConfig(t, adminClient, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+
+		pty.ExpectMatch("Cleaning Up")
+		<-doneChan
+
+		workspace, err = client.Workspace(context.Background(), workspace.ID)
+		require.ErrorContains(t, err, "was deleted")
+	})
+
+	t.Run("InvalidWorkspaceIdentifier", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		cmd, root := clitest.New(t, "delete", "a/b/c", "-y")
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.ErrorContains(t, err, "invalid workspace name: \"a/b/c\"")
+		}()
+		<-doneChan
+	})
+}
@@ -0,0 +1,282 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"io/fs"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/cli/cliui"
+)
+
+func dotfiles() *cobra.Command {
+	var symlinkDir string
+	cmd := &cobra.Command{
+		Use:   "dotfiles [git_repo_url]",
+		Args:  cobra.ExactArgs(1),
+		Short: "Checkout and install a dotfiles repository from a Git URL",
+		Example: formatExamples(
+			example{
+				Description: "Check out and install a dotfiles repository without prompts",
+				Command:     "coder dotfiles --yes git@github.com:example/dotfiles.git",
+			},
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var (
+				dotfilesRepoDir = "dotfiles"
+				gitRepo         = args[0]
+				cfg             = createConfig(cmd)
+				cfgDir          = string(cfg)
+				dotfilesDir     = filepath.Join(cfgDir, dotfilesRepoDir)
+				// This follows the same pattern outlined by others in the market:
+				// https://github.com/coder/coder/pull/1696#issue-1245742312
+				installScriptSet = []string{
+					"install.sh",
+					"install",
+					"bootstrap.sh",
+					"bootstrap",
+					"script/bootstrap",
+					"setup.sh",
+					"setup",
+					"script/setup",
+				}
+			)
+
+			_, _ = fmt.Fprint(cmd.OutOrStdout(), "Checking if dotfiles repository already exists...\n")
+			dotfilesExists, err := dirExists(dotfilesDir)
+			if err != nil {
+				return xerrors.Errorf("checking dir %s: %w", dotfilesDir, err)
+			}
+
+			moved := false
+			if dotfilesExists {
+				du, err := cfg.DotfilesURL().Read()
+				if err != nil && !errors.Is(err, os.ErrNotExist) {
+					return xerrors.Errorf("reading dotfiles url config: %w", err)
+				}
+				// if the git url has changed we create a backup and clone fresh
+				if gitRepo != du {
+					backupDir := fmt.Sprintf("%s_backup_%s", dotfilesDir, time.Now().Format(time.RFC3339))
+					_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      fmt.Sprintf("The dotfiles URL has changed from %q to %q.\n  Coder will backup the existing repo to %s.\n\n  Continue?", du, gitRepo, backupDir),
+						IsConfirm: true,
+					})
+					if err != nil {
+						return err
+					}
+
+					err = os.Rename(dotfilesDir, backupDir)
+					if err != nil {
+						return xerrors.Errorf("renaming dir %s: %w", dotfilesDir, err)
+					}
+					_, _ = fmt.Fprint(cmd.OutOrStdout(), "Done backup up dotfiles.\n")
+					dotfilesExists = false
+					moved = true
+				}
+			}
+
+			var (
+				gitCmdDir   string
+				subcommands []string
+				promptText  string
+			)
+			if dotfilesExists {
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Found dotfiles repository at %s\n", dotfilesDir)
+				gitCmdDir = dotfilesDir
+				subcommands = []string{"pull", "--ff-only"}
+				promptText = fmt.Sprintf("Pulling latest from %s into directory %s.\n  Continue?", gitRepo, dotfilesDir)
+			} else {
+				if !moved {
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Did not find dotfiles repository at %s\n", dotfilesDir)
+				}
+				gitCmdDir = cfgDir
+				subcommands = []string{"clone", args[0], dotfilesRepoDir}
+				promptText = fmt.Sprintf("Cloning %s into directory %s.\n\n  Continue?", gitRepo, dotfilesDir)
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      promptText,
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			// ensure command dir exists
+			err = os.MkdirAll(gitCmdDir, 0750)
+			if err != nil {
+				return xerrors.Errorf("ensuring dir at %s: %w", gitCmdDir, err)
+			}
+
+			// check if git ssh command already exists so we can just wrap it
+			gitsshCmd := os.Getenv("GIT_SSH_COMMAND")
+			if gitsshCmd == "" {
+				gitsshCmd = "ssh"
+			}
+
+			// clone or pull repo
+			c := exec.CommandContext(cmd.Context(), "git", subcommands...)
+			c.Dir = gitCmdDir
+			c.Env = append(os.Environ(), fmt.Sprintf(`GIT_SSH_COMMAND=%s -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no`, gitsshCmd))
+			c.Stdout = cmd.OutOrStdout()
+			c.Stderr = cmd.ErrOrStderr()
+			err = c.Run()
+			if err != nil {
+				if !dotfilesExists {
+					return err
+				}
+				// if the repo exists we soft fail the update operation and try to continue
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Error.Render("Failed to update repo, continuing..."))
+			}
+
+			// save git repo url so we can detect changes next time
+			err = cfg.DotfilesURL().Write(gitRepo)
+			if err != nil {
+				return xerrors.Errorf("writing dotfiles url config: %w", err)
+			}
+
+			files, err := os.ReadDir(dotfilesDir)
+			if err != nil {
+				return xerrors.Errorf("reading files in dir %s: %w", dotfilesDir, err)
+			}
+
+			var dotfiles []string
+			for _, f := range files {
+				// make sure we do not copy `.git*` files
+				if strings.HasPrefix(f.Name(), ".") && !strings.HasPrefix(f.Name(), ".git") {
+					dotfiles = append(dotfiles, f.Name())
+				}
+			}
+
+			script := findScript(installScriptSet, files)
+			if script != "" {
+				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+					Text:      fmt.Sprintf("Running install script %s.\n\n  Continue?", script),
+					IsConfirm: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Running %s...\n", script)
+				// it is safe to use a variable command here because it's from
+				// a filtered list of pre-approved install scripts
+				// nolint:gosec
+				scriptCmd := exec.CommandContext(cmd.Context(), filepath.Join(dotfilesDir, script))
+				scriptCmd.Dir = dotfilesDir
+				scriptCmd.Stdout = cmd.OutOrStdout()
+				scriptCmd.Stderr = cmd.ErrOrStderr()
+				err = scriptCmd.Run()
+				if err != nil {
+					return xerrors.Errorf("running %s: %w", script, err)
+				}
+
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Dotfiles installation complete.")
+				return nil
+			}
+
+			if len(dotfiles) == 0 {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "No install scripts or dotfiles found, nothing to do.")
+				return nil
+			}
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "No install scripts found, symlinking dotfiles to home directory.\n\n  Continue?",
+				IsConfirm: true,
+			})
+			if err != nil {
+				return err
+			}
+
+			if symlinkDir == "" {
+				symlinkDir, err = os.UserHomeDir()
+				if err != nil {
+					return xerrors.Errorf("getting user home: %w", err)
+				}
+			}
+
+			for _, df := range dotfiles {
+				from := filepath.Join(dotfilesDir, df)
+				to := filepath.Join(symlinkDir, df)
+				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Symlinking %s to %s...\n", from, to)
+
+				isRegular, err := isRegular(to)
+				if err != nil {
+					return xerrors.Errorf("checking symlink for %s: %w", to, err)
+				}
+				// move conflicting non-symlink files to file.ext.bak
+				if isRegular {
+					backup := fmt.Sprintf("%s.bak", to)
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Moving %s to %s...\n", to, backup)
+					err = os.Rename(to, backup)
+					if err != nil {
+						return xerrors.Errorf("renaming dir %s: %w", to, err)
+					}
+				}
+
+				err = os.Symlink(from, to)
+				if err != nil {
+					return xerrors.Errorf("symlinking %s to %s: %w", from, to, err)
+				}
+			}
+
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "Dotfiles installation complete.")
+			return nil
+		},
+	}
+	cliui.AllowSkipPrompt(cmd)
+	cliflag.StringVarP(cmd.Flags(), &symlinkDir, "symlink-dir", "", "CODER_SYMLINK_DIR", "", "Specifies the directory for the dotfiles symlink destinations. If empty will use $HOME.")
+
+	return cmd
+}
+
+// dirExists checks if the path exists and is a directory.
+func dirExists(name string) (bool, error) {
+	fi, err := os.Stat(name)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+
+		return false, xerrors.Errorf("stat dir: %w", err)
+	}
+	if !fi.IsDir() {
+		return false, xerrors.New("exists but not a directory")
+	}
+
+	return true, nil
+}
+
+// findScript will find the first file that matches the script set.
+func findScript(scriptSet []string, files []fs.DirEntry) string {
+	for _, i := range scriptSet {
+		for _, f := range files {
+			if f.Name() == i {
+				return f.Name()
+			}
+		}
+	}
+
+	return ""
+}
+
+// isRegular detects if the file exists and is not a symlink.
+func isRegular(to string) (bool, error) {
+	fi, err := os.Lstat(to)
+	if err != nil {
+		if errors.Is(err, os.ErrNotExist) {
+			return false, nil
+		}
+		return false, xerrors.Errorf("lstat %s: %w", to, err)
+	}
+
+	return fi.Mode().IsRegular(), nil
+}
@@ -0,0 +1,141 @@
+package cli_test
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/cryptorand"
+)
+
+// nolint:paralleltest
+func TestDotfiles(t *testing.T) {
+	t.Run("MissingArg", func(t *testing.T) {
+		cmd, _ := clitest.New(t, "dotfiles")
+		err := cmd.Execute()
+		require.Error(t, err)
+	})
+	t.Run("NoInstallScript", func(t *testing.T) {
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", ".bashrc")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add .bashrc"`)
+		c.Dir = testRepo
+		out, err := c.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow")
+	})
+	t.Run("InstallScript", func(t *testing.T) {
+		if runtime.GOOS == "windows" {
+			t.Skip("install scripts on windows require sh and aren't very practical")
+		}
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, "install.sh"), []byte("#!/bin/bash\necho wow > "+filepath.Join(string(root), ".bashrc")), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", "install.sh")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add install.sh"`)
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow\n")
+	})
+	t.Run("SymlinkBackup", func(t *testing.T) {
+		_, root := clitest.New(t)
+		testRepo := testGitRepo(t, root)
+
+		// nolint:gosec
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		require.NoError(t, err)
+
+		// add a conflicting file at destination
+		// nolint:gosec
+		err = os.WriteFile(filepath.Join(string(root), ".bashrc"), []byte("backup"), 0750)
+		require.NoError(t, err)
+
+		c := exec.Command("git", "add", ".bashrc")
+		c.Dir = testRepo
+		err = c.Run()
+		require.NoError(t, err)
+
+		c = exec.Command("git", "commit", "-m", `"add .bashrc"`)
+		c.Dir = testRepo
+		out, err := c.CombinedOutput()
+		require.NoError(t, err, string(out))
+
+		cmd, _ := clitest.New(t, "dotfiles", "--global-config", string(root), "--symlink-dir", string(root), "-y", testRepo)
+		err = cmd.Execute()
+		require.NoError(t, err)
+
+		b, err := os.ReadFile(filepath.Join(string(root), ".bashrc"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "wow")
+
+		// check for backup file
+		b, err = os.ReadFile(filepath.Join(string(root), ".bashrc.bak"))
+		require.NoError(t, err)
+		require.Equal(t, string(b), "backup")
+	})
+}
+
+func testGitRepo(t *testing.T, root config.Root) string {
+	r, err := cryptorand.String(8)
+	require.NoError(t, err)
+	dir := filepath.Join(string(root), fmt.Sprintf("test-repo-%s", r))
+	err = os.MkdirAll(dir, 0750)
+	require.NoError(t, err)
+
+	c := exec.Command("git", "init")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	c = exec.Command("git", "config", "user.email", "ci@coder.com")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	c = exec.Command("git", "config", "user.name", "C I")
+	c.Dir = dir
+	err = c.Run()
+	require.NoError(t, err)
+
+	return dir
+}
@@ -1,9 +1,15 @@
 package cli

 import (
+	"bufio"
+	"bytes"
+	"context"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
+	"os/signal"
+	"path/filepath"
 	"strings"

 	"github.com/spf13/cobra"
@@ -13,16 +19,30 @@ import (
 )

 func gitssh() *cobra.Command {
-	return &cobra.Command{
+	cmd := &cobra.Command{
 		Use:    "gitssh",
 		Hidden: true,
 		Short:  `Wraps the "ssh" command and uses the coder gitssh key for authentication`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			env := os.Environ()
+
+			// Catch interrupt signals to ensure the temporary private
+			// key file is cleaned up on most cases.
+			ctx, stop := signal.NotifyContext(ctx, interruptSignals...)
+			defer stop()
+
+			// Early check so errors are reported immediately.
+			identityFiles, err := parseIdentityFilesForHost(ctx, args, env)
+			if err != nil {
+				return err
+			}
+
 			client, err := createAgentClient(cmd)
 			if err != nil {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
-			key, err := client.AgentGitSSHKey(cmd.Context())
+			key, err := client.AgentGitSSHKey(ctx)
 			if err != nil {
 				return xerrors.Errorf("get agent git ssh token: %w", err)
 			}
@@ -44,8 +64,23 @@ func gitssh() *cobra.Command {
 				return xerrors.Errorf("close temp gitsshkey file: %w", err)
 			}

-			args = append([]string{"-i", privateKeyFile.Name()}, args...)
-			c := exec.CommandContext(cmd.Context(), "ssh", args...)
+			// Append our key, giving precedence to user keys. Note that
+			// OpenSSH server are typically configured with MaxAuthTries
+			// set to the default value of 6. This means that only the 6
+			// first keys can be tried. However, we will assume that if
+			// a user has configured 6+ keys for a host, they know what
+			// they're doing. This behavior is critical if a server has
+			// been configured with MaxAuthTries set to 1.
+			identityFiles = append(identityFiles, privateKeyFile.Name())
+
+			var identityArgs []string
+			for _, id := range identityFiles {
+				identityArgs = append(identityArgs, "-i", id)
+			}
+
+			args = append(identityArgs, args...)
+			c := exec.CommandContext(ctx, "ssh", args...)
+			c.Env = append(c.Env, env...)
 			c.Stderr = cmd.ErrOrStderr()
 			c.Stdout = cmd.OutOrStdout()
 			c.Stdin = cmd.InOrStdin()
@@ -69,4 +104,86 @@ func gitssh() *cobra.Command {
 			return nil
 		},
 	}
+
+	return cmd
+}
+
+// fallbackIdentityFiles is the list of identity files SSH tries when
+// none have been defined for a host.
+var fallbackIdentityFiles = strings.Join([]string{
+	"identityfile ~/.ssh/id_rsa",
+	"identityfile ~/.ssh/id_dsa",
+	"identityfile ~/.ssh/id_ecdsa",
+	"identityfile ~/.ssh/id_ecdsa_sk",
+	"identityfile ~/.ssh/id_ed25519",
+	"identityfile ~/.ssh/id_ed25519_sk",
+	"identityfile ~/.ssh/id_xmss",
+}, "\n")
+
+// parseIdentityFilesForHost uses ssh -G to discern what SSH keys have
+// been enabled for the host (via the users SSH config) and returns a
+// list of existing identity files.
+//
+// We do this because when no keys are defined for a host, SSH uses
+// fallback keys (see above). However, by passing `-i` to attach our
+// private key, we're effectively disabling the fallback keys.
+//
+// Example invocation:
+//
+//	ssh -G -o SendEnv=GIT_PROTOCOL git@github.com git-upload-pack 'coder/coder'
+//
+// The extra arguments work without issue and lets us run the command
+// as-is without stripping out the excess (git-upload-pack 'coder/coder').
+func parseIdentityFilesForHost(ctx context.Context, args, env []string) (identityFiles []string, error error) {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return nil, xerrors.Errorf("get user home dir failed: %w", err)
+	}
+
+	var outBuf bytes.Buffer
+	var r io.Reader = &outBuf
+
+	args = append([]string{"-G"}, args...)
+	cmd := exec.CommandContext(ctx, "ssh", args...)
+	cmd.Env = append(cmd.Env, env...)
+	cmd.Stdout = &outBuf
+	cmd.Stderr = io.Discard
+	err = cmd.Run()
+	if err != nil {
+		// If ssh -G failed, the SSH version is likely too old, fallback
+		// to using the default identity files.
+		r = strings.NewReader(fallbackIdentityFiles)
+	}
+
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		if strings.HasPrefix(line, "identityfile ") {
+			id := strings.TrimPrefix(line, "identityfile ")
+			if strings.HasPrefix(id, "~/") {
+				id = home + id[1:]
+			}
+			// OpenSSH on Windows is weird, it supports using (and does
+			// use) mixed \ and / in paths.
+			//
+			// Example: C:\Users\ZeroCool/.ssh/known_hosts
+			//
+			// To check the file existence in Go, though, we want to use
+			// proper Windows paths.
+			// OpenSSH is amazing, this will work on Windows too:
+			// C:\Users\ZeroCool/.ssh/id_rsa
+			id = filepath.FromSlash(id)
+
+			// Only include the identity file if it exists.
+			if _, err := os.Stat(id); err == nil {
+				identityFiles = append(identityFiles, id)
+			}
+		}
+	}
+	if err := s.Err(); err != nil {
+		// This should never happen, the check is for completeness.
+		return nil, xerrors.Errorf("scan ssh output: %w", err)
+	}
+
+	return identityFiles, nil
 }
@@ -2,8 +2,16 @@ package cli_test

 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net"
+	"os"
+	"path/filepath"
+	"strings"
 	"sync/atomic"
 	"testing"

@@ -17,92 +25,236 @@ import (
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

+func prepareTestGitSSH(ctx context.Context, t *testing.T) (*codersdk.Client, string, gossh.PublicKey) {
+	t.Helper()
+
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	user := coderdtest.CreateFirstUser(t, client)
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer t.Cleanup(cancel) // Defer so that cancel is the first cleanup.
+
+	// get user public key
+	keypair, err := client.GitSSHKey(ctx, codersdk.Me)
+	require.NoError(t, err)
+	//nolint:dogsled
+	pubkey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(keypair.PublicKey))
+	require.NoError(t, err)
+
+	// setup template
+	agentToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse:           echo.ParseComplete,
+		ProvisionDryRun: echo.ProvisionComplete,
+		Provision: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "somename",
+						Type: "someinstance",
+						Agents: []*proto.Agent{{
+							Auth: &proto.Agent_Token{
+								Token: agentToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	// start workspace agent
+	cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String())
+	agentClient := client
+	clitest.SetupConfig(t, agentClient, root)
+
+	errC := make(chan error, 1)
+	go func() {
+		errC <- cmd.ExecuteContext(ctx)
+	}()
+	t.Cleanup(func() { require.NoError(t, <-errC) })
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+	return agentClient, agentToken, pubkey
+}
+
+func serveSSHForGitSSH(t *testing.T, handler func(ssh.Session), pubkeys ...gossh.PublicKey) *net.TCPAddr {
+	t.Helper()
+
+	// start ssh server
+	l, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = l.Close() })
+
+	serveOpts := []ssh.Option{
+		ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+			for _, pubkey := range pubkeys {
+				if ssh.KeysEqual(pubkey, key) {
+					return true
+				}
+			}
+			return false
+		}),
+	}
+	errC := make(chan error, 1)
+	go func() {
+		// as long as we get a successful session we don't care if the server errors
+		errC <- ssh.Serve(l, handler, serveOpts...)
+	}()
+	t.Cleanup(func() {
+		_ = l.Close() // Ensure server shutdown.
+		<-errC
+	})
+
+	// start ssh session
+	addr, ok := l.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+
+	return addr
+}
+
+func writePrivateKeyToFile(t *testing.T, name string, key *ecdsa.PrivateKey) {
+	t.Helper()
+
+	b, err := x509.MarshalPKCS8PrivateKey(key)
+	require.NoError(t, err)
+	b = pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: b,
+	})
+
+	err = os.WriteFile(name, b, 0o600)
+	require.NoError(t, err)
+}
+
 func TestGitSSH(t *testing.T) {
 	t.Parallel()
 	t.Run("Dial", func(t *testing.T) {
-		client := coderdtest.New(t, nil)
-		user := coderdtest.CreateFirstUser(t, client)
+		t.Parallel()

-		// get user public key
-		keypair, err := client.GitSSHKey(context.Background(), codersdk.Me)
-		require.NoError(t, err)
-		publicKey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(keypair.PublicKey))
-		require.NoError(t, err)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()

-		// setup provisioner
-		agentToken := uuid.NewString()
-		coderdtest.NewProvisionerDaemon(t, client)
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:           echo.ParseComplete,
-			ProvisionDryRun: echo.ProvisionComplete,
-			Provision: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
-						Resources: []*proto.Resource{{
-							Name: "somename",
-							Type: "someinstance",
-							Agents: []*proto.Agent{{
-								Auth: &proto.Agent_Token{
-									Token: agentToken,
-								},
-							}},
-						}},
-					},
-				},
-			}},
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		// start workspace agent
-		cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String())
-		agentClient := client
-		clitest.SetupConfig(t, agentClient, root)
-		ctx, cancelFunc := context.WithCancel(context.Background())
-		defer cancelFunc()
-		go func() {
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
-		}()
-
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(context.Background(), workspace.LatestBuild.ID)
-		require.NoError(t, err)
-		dialer, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
-		require.NoError(t, err)
-		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
-
-		// start ssh server
-		l, err := net.Listen("tcp", "localhost:0")
-		require.NoError(t, err)
-		defer l.Close()
-		publicKeyOption := ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
-			return ssh.KeysEqual(publicKey, key)
-		})
+		client, token, pubkey := prepareTestGitSSH(ctx, t)
 		var inc int64
-		go func() {
-			// as long as we get a successful session we don't care if the server errors
-			_ = ssh.Serve(l, func(s ssh.Session) {
-				atomic.AddInt64(&inc, 1)
-				t.Log("got authenticated session")
-				err := s.Exit(0)
-				require.NoError(t, err)
-			}, publicKeyOption)
-		}()
+		errC := make(chan error, 1)
+		addr := serveSSHForGitSSH(t, func(s ssh.Session) {
+			atomic.AddInt64(&inc, 1)
+			t.Log("got authenticated session")
+			select {
+			case errC <- s.Exit(0):
+			default:
+				t.Error("error channel is full")
+			}
+		}, pubkey)

-		// start ssh session
-		addr, ok := l.Addr().(*net.TCPAddr)
-		require.True(t, ok)
 		// set to agent config dir
-		cmd, _ = clitest.New(t, "gitssh", "--agent-url", agentClient.URL.String(), "--agent-token", agentToken, "--", fmt.Sprintf("-p%d", addr.Port), "-o", "StrictHostKeyChecking=no", "127.0.0.1")
-		err = cmd.ExecuteContext(context.Background())
+		cmd, _ := clitest.New(t,
+			"gitssh",
+			"--agent-url", client.URL.String(),
+			"--agent-token", token,
+			"--",
+			fmt.Sprintf("-p%d", addr.Port),
+			"-o", "StrictHostKeyChecking=no",
+			"-o", "IdentitiesOnly=yes",
+			"127.0.0.1",
+		)
+		err := cmd.ExecuteContext(ctx)
 		require.NoError(t, err)
 		require.EqualValues(t, 1, inc)
+
+		err = <-errC
+		require.NoError(t, err, "error in agent execute")
+	})
+
+	t.Run("Local SSH Keys", func(t *testing.T) {
+		t.Parallel()
+
+		home := t.TempDir()
+		sshdir := filepath.Join(home, ".ssh")
+		err := os.MkdirAll(sshdir, 0o700)
+		require.NoError(t, err)
+
+		idFile := filepath.Join(sshdir, "id_ed25519")
+		privkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		require.NoError(t, err)
+		localPubkey, err := gossh.NewPublicKey(&privkey.PublicKey)
+		require.NoError(t, err)
+		writePrivateKeyToFile(t, idFile, privkey)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		client, token, coderPubkey := prepareTestGitSSH(ctx, t)
+
+		authkey := make(chan gossh.PublicKey, 1)
+		addr := serveSSHForGitSSH(t, func(s ssh.Session) {
+			t.Logf("authenticated with: %s", gossh.MarshalAuthorizedKey(s.PublicKey()))
+			select {
+			case authkey <- s.PublicKey():
+			default:
+				t.Error("authkey channel is full")
+			}
+		}, localPubkey, coderPubkey)
+
+		// Create a new config which sets an identity file.
+		config := filepath.Join(sshdir, "config")
+		knownHosts := filepath.Join(sshdir, "known_hosts")
+		err = os.WriteFile(config, []byte(strings.Join([]string{
+			"Host mytest",
+			"  HostName 127.0.0.1",
+			fmt.Sprintf("  Port %d", addr.Port),
+			"  StrictHostKeyChecking no",
+			"  UserKnownHostsFile=" + knownHosts,
+			"  IdentitiesOnly yes",
+			"  IdentityFile=" + idFile,
+		}, "\n")), 0o600)
+		require.NoError(t, err)
+
+		pty := ptytest.New(t)
+		cmdArgs := []string{
+			"gitssh",
+			"--agent-url", client.URL.String(),
+			"--agent-token", token,
+			"--",
+			"-F", config,
+			"mytest",
+		}
+		// Test authentication via local private key.
+		cmd, _ := clitest.New(t, cmdArgs...)
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		err = cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		select {
+		case key := <-authkey:
+			require.Equal(t, localPubkey, key)
+		case <-ctx.Done():
+			t.Fatal("timeout waiting for auth")
+		}
+
+		// Delete the local private key.
+		err = os.Remove(idFile)
+		require.NoError(t, err)
+
+		// With the local file deleted, the coder key should be used.
+		cmd, _ = clitest.New(t, cmdArgs...)
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		err = cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		select {
+		case key := <-authkey:
+			require.Equal(t, coderPubkey, key)
+		case <-ctx.Done():
+			t.Fatal("timeout waiting for auth")
+		}
 	})
 }
@@ -2,42 +2,93 @@ package cli

 import (
 	"fmt"
-	"strings"
 	"time"

 	"github.com/google/uuid"
-	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/spf13/cobra"

 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/autobuild/schedule"
-	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/util/ptr"
 	"github.com/coder/coder/codersdk"
 )

+type workspaceListRow struct {
+	Workspace  string `table:"workspace"`
+	Template   string `table:"template"`
+	Status     string `table:"status"`
+	LastBuilt  string `table:"last built"`
+	Outdated   bool   `table:"outdated"`
+	StartsAt   string `table:"starts at"`
+	StopsAfter string `table:"stops after"`
+}
+
+func workspaceListRowFromWorkspace(now time.Time, usersByID map[uuid.UUID]codersdk.User, workspace codersdk.Workspace) workspaceListRow {
+	status := codersdk.WorkspaceDisplayStatus(workspace.LatestBuild.Job.Status, workspace.LatestBuild.Transition)
+
+	lastBuilt := now.UTC().Sub(workspace.LatestBuild.Job.CreatedAt).Truncate(time.Second)
+	autostartDisplay := "-"
+	if !ptr.NilOrEmpty(workspace.AutostartSchedule) {
+		if sched, err := schedule.Weekly(*workspace.AutostartSchedule); err == nil {
+			autostartDisplay = fmt.Sprintf("%s %s (%s)", sched.Time(), sched.DaysOfWeek(), sched.Location())
+		}
+	}
+
+	autostopDisplay := "-"
+	if !ptr.NilOrZero(workspace.TTLMillis) {
+		dur := time.Duration(*workspace.TTLMillis) * time.Millisecond
+		autostopDisplay = durationDisplay(dur)
+		if !workspace.LatestBuild.Deadline.IsZero() && workspace.LatestBuild.Deadline.Time.After(now) && status == "Running" {
+			remaining := time.Until(workspace.LatestBuild.Deadline.Time)
+			autostopDisplay = fmt.Sprintf("%s (%s)", autostopDisplay, relative(remaining))
+		}
+	}
+
+	user := usersByID[workspace.OwnerID]
+	return workspaceListRow{
+		Workspace:  user.Username + "/" + workspace.Name,
+		Template:   workspace.TemplateName,
+		Status:     status,
+		LastBuilt:  durationDisplay(lastBuilt),
+		Outdated:   workspace.Outdated,
+		StartsAt:   autostartDisplay,
+		StopsAfter: autostopDisplay,
+	}
+}
+
 func list() *cobra.Command {
 	var (
-		columns []string
+		all          bool
+		columns      []string
+		defaultQuery = "owner:me"
+		searchQuery  string
 	)
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "list",
-		Short:       "List all workspaces",
+		Short:       "List workspaces",
 		Aliases:     []string{"ls"},
+		Args:        cobra.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
-			workspaces, err := client.WorkspacesByUser(cmd.Context(), codersdk.Me)
+			filter := codersdk.WorkspaceFilter{
+				FilterQuery: searchQuery,
+			}
+			if all && searchQuery == defaultQuery {
+				filter.FilterQuery = ""
+			}
+			workspaces, err := client.Workspaces(cmd.Context(), filter)
 			if err != nil {
 				return err
 			}
 			if len(workspaces) == 0 {
-				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Prompt.String()+"No workspaces found! Create one:")
-				_, _ = fmt.Fprintln(cmd.OutOrStdout())
-				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+cliui.Styles.Code.Render("coder create <name>"))
-				_, _ = fmt.Fprintln(cmd.OutOrStdout())
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"No workspaces found! Create one:")
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "  "+cliui.Styles.Code.Render("coder create <name>"))
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
 				return nil
 			}
 			users, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
@@ -49,96 +100,25 @@ func list() *cobra.Command {
 				usersByID[user.ID] = user
 			}

-			tableWriter := cliui.Table()
-			header := table.Row{"workspace", "template", "status", "last built", "outdated", "autostart", "autostop"}
-			tableWriter.AppendHeader(header)
-			tableWriter.SortBy([]table.SortBy{{
-				Name: "workspace",
-			}})
-			tableWriter.SetColumnConfigs(cliui.FilterTableColumns(header, columns))
-
-			for _, workspace := range workspaces {
-				status := ""
-				inProgress := false
-				if workspace.LatestBuild.Job.Status == codersdk.ProvisionerJobRunning ||
-					workspace.LatestBuild.Job.Status == codersdk.ProvisionerJobCanceling {
-					inProgress = true
-				}
-
-				switch workspace.LatestBuild.Transition {
-				case database.WorkspaceTransitionStart:
-					status = "Running"
-					if inProgress {
-						status = "Starting"
-					}
-				case database.WorkspaceTransitionStop:
-					status = "Stopped"
-					if inProgress {
-						status = "Stopping"
-					}
-				case database.WorkspaceTransitionDelete:
-					status = "Deleted"
-					if inProgress {
-						status = "Deleting"
-					}
-				}
-				if workspace.LatestBuild.Job.Status == codersdk.ProvisionerJobFailed {
-					status = "Failed"
-				}
-
-				duration := time.Now().UTC().Sub(workspace.LatestBuild.Job.CreatedAt).Truncate(time.Second)
-				if duration > time.Hour {
-					duration = duration.Truncate(time.Hour)
-				}
-				if duration > time.Minute {
-					duration = duration.Truncate(time.Minute)
-				}
-				days := 0
-				for duration.Hours() > 24 {
-					days++
-					duration -= 24 * time.Hour
-				}
-				durationDisplay := duration.String()
-				if days > 0 {
-					durationDisplay = fmt.Sprintf("%dd%s", days, durationDisplay)
-				}
-				if strings.HasSuffix(durationDisplay, "m0s") {
-					durationDisplay = durationDisplay[:len(durationDisplay)-2]
-				}
-				if strings.HasSuffix(durationDisplay, "h0m") {
-					durationDisplay = durationDisplay[:len(durationDisplay)-2]
-				}
-
-				autostartDisplay := "-"
-				if workspace.AutostartSchedule != "" {
-					if sched, err := schedule.Weekly(workspace.AutostartSchedule); err == nil {
-						autostartDisplay = sched.Cron()
-					}
-				}
-
-				autostopDisplay := "-"
-				if workspace.AutostopSchedule != "" {
-					if sched, err := schedule.Weekly(workspace.AutostopSchedule); err == nil {
-						autostopDisplay = sched.Cron()
-					}
-				}
-
-				user := usersByID[workspace.OwnerID]
-				tableWriter.AppendRow(table.Row{
-					user.Username + "/" + workspace.Name,
-					workspace.TemplateName,
-					status,
-					durationDisplay,
-					workspace.Outdated,
-					autostartDisplay,
-					autostopDisplay,
-				})
+			now := time.Now()
+			displayWorkspaces := make([]workspaceListRow, len(workspaces))
+			for i, workspace := range workspaces {
+				displayWorkspaces[i] = workspaceListRowFromWorkspace(now, usersByID, workspace)
 			}
-			_, err = fmt.Fprintln(cmd.OutOrStdout(), tableWriter.Render())
+
+			out, err := cliui.DisplayTable(displayWorkspaces, "workspace", columns)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
 			return err
 		},
 	}
+	cmd.Flags().BoolVarP(&all, "all", "a", false,
+		"Specifies whether all workspaces will be listed or not.")
 	cmd.Flags().StringArrayVarP(&columns, "column", "c", nil,
 		"Specify a column to filter in the table.")
+	cmd.Flags().StringVar(&searchQuery, "search", defaultQuery, "Search for a workspace with a query.")
 	return cmd
 }
@@ -1,22 +1,23 @@
 package cli_test

 import (
+	"context"
 	"testing"

-	"github.com/stretchr/testify/require"
+	"github.com/stretchr/testify/assert"

 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestList(t *testing.T) {
 	t.Parallel()
 	t.Run("Single", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, nil)
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
@@ -24,17 +25,21 @@ func TestList(t *testing.T) {
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
 		cmd, root := clitest.New(t, "ls")
 		clitest.SetupConfig(t, client, root)
-		doneChan := make(chan struct{})
 		pty := ptytest.New(t)
 		cmd.SetIn(pty.Input())
 		cmd.SetOut(pty.Output())
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+		done := make(chan any)
 		go func() {
-			defer close(doneChan)
-			err := cmd.Execute()
-			require.NoError(t, err)
+			errC := cmd.ExecuteContext(ctx)
+			assert.NoError(t, errC)
+			close(done)
 		}()
 		pty.ExpectMatch(workspace.Name)
-		pty.ExpectMatch("Running")
-		<-doneChan
+		pty.ExpectMatch("Started")
+		cancelFunc()
+		<-done
 	})
 }
@@ -8,6 +8,7 @@ import (
 	"os"
 	"os/exec"
 	"os/user"
+	"path"
 	"runtime"
 	"strings"

@@ -16,6 +17,7 @@ import (
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"

+	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/codersdk"
 )
@@ -36,9 +38,14 @@ func init() {
 }

 func login() *cobra.Command {
-	return &cobra.Command{
+	var (
+		email    string
+		username string
+		password string
+	)
+	cmd := &cobra.Command{
 		Use:   "login <url>",
-		Short: "Authenticate with a Coder deployment",
+		Short: "Authenticate with Coder deployment",
 		Args:  cobra.ExactArgs(1),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			rawURL := args[0]
@@ -59,77 +66,100 @@ func login() *cobra.Command {
 				serverURL.Scheme = "https"
 			}

-			client := codersdk.New(serverURL)
+			client, err := createUnauthenticatedClient(cmd, serverURL)
+			if err != nil {
+				return err
+			}
+
+			// Try to check the version of the server prior to logging in.
+			// It may be useful to warn the user if they are trying to login
+			// on a very old client.
+			err = checkVersions(cmd, client)
+			if err != nil {
+				// Checking versions isn't a fatal error so we print a warning
+				// and proceed.
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Warn.Render(err.Error()))
+			}
+
 			hasInitialUser, err := client.HasFirstUser(cmd.Context())
 			if err != nil {
-				return xerrors.Errorf("has initial user: %w", err)
+				return xerrors.Errorf("Failed to check server %q for first user, is the URL correct and is coder accessible from your browser? Error - has initial user: %w", serverURL.String(), err)
 			}
 			if !hasInitialUser {
-				if !isTTY(cmd) {
-					return xerrors.New("the initial user cannot be created in non-interactive mode. use the API")
-				}
 				_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"Your Coder deployment hasn't been set up!\n")

-				_, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:      "Would you like to create the first user?",
-					Default:   "yes",
-					IsConfirm: true,
-				})
-				if errors.Is(err, cliui.Canceled) {
-					return nil
-				}
-				if err != nil {
-					return err
-				}
-				currentUser, err := user.Current()
-				if err != nil {
-					return xerrors.Errorf("get current user: %w", err)
-				}
-				username, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:    "What " + cliui.Styles.Field.Render("username") + " would you like?",
-					Default: currentUser.Username,
-				})
-				if errors.Is(err, cliui.Canceled) {
-					return nil
-				}
-				if err != nil {
-					return xerrors.Errorf("pick username prompt: %w", err)
-				}
-
-				email, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text: "What's your " + cliui.Styles.Field.Render("email") + "?",
-					Validate: func(s string) error {
-						err := validator.New().Var(s, "email")
-						if err != nil {
-							return xerrors.New("That's not a valid email address!")
-						}
-						return err
-					},
-				})
-				if err != nil {
-					return xerrors.Errorf("specify email prompt: %w", err)
-				}
-
-				password, err := cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
-					Secret:   true,
-					Validate: cliui.ValidateNotEmpty,
-				})
-				if err != nil {
-					return xerrors.Errorf("specify password prompt: %w", err)
-				}
-				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
-					Secret: true,
-					Validate: func(s string) error {
-						if s != password {
-							return xerrors.Errorf("Passwords do not match")
-						}
+				if username == "" {
+					if !isTTY(cmd) {
+						return xerrors.New("the initial user cannot be created in non-interactive mode. use the API")
+					}
+					_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:      "Would you like to create the first user?",
+						Default:   cliui.ConfirmYes,
+						IsConfirm: true,
+					})
+					if errors.Is(err, cliui.Canceled) {
 						return nil
-					},
-				})
-				if err != nil {
-					return xerrors.Errorf("confirm password prompt: %w", err)
+					}
+					if err != nil {
+						return err
+					}
+					currentUser, err := user.Current()
+					if err != nil {
+						return xerrors.Errorf("get current user: %w", err)
+					}
+					username, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text:    "What " + cliui.Styles.Field.Render("username") + " would you like?",
+						Default: currentUser.Username,
+					})
+					if errors.Is(err, cliui.Canceled) {
+						return nil
+					}
+					if err != nil {
+						return xerrors.Errorf("pick username prompt: %w", err)
+					}
+				}
+
+				if email == "" {
+					email, err = cliui.Prompt(cmd, cliui.PromptOptions{
+						Text: "What's your " + cliui.Styles.Field.Render("email") + "?",
+						Validate: func(s string) error {
+							err := validator.New().Var(s, "email")
+							if err != nil {
+								return xerrors.New("That's not a valid email address!")
+							}
+							return err
+						},
+					})
+					if err != nil {
+						return xerrors.Errorf("specify email prompt: %w", err)
+					}
+				}
+
+				if password == "" {
+					var matching bool
+
+					for !matching {
+						password, err = cliui.Prompt(cmd, cliui.PromptOptions{
+							Text:     "Enter a " + cliui.Styles.Field.Render("password") + ":",
+							Secret:   true,
+							Validate: cliui.ValidateNotEmpty,
+						})
+						if err != nil {
+							return xerrors.Errorf("specify password prompt: %w", err)
+						}
+						confirm, err := cliui.Prompt(cmd, cliui.PromptOptions{
+							Text:   "Confirm " + cliui.Styles.Field.Render("password") + ":",
+							Secret: true,
+						})
+						if err != nil {
+							return xerrors.Errorf("confirm password prompt: %w", err)
+						}
+
+						matching = confirm == password
+						if !matching {
+							_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Error.Render("Passwords do not match"))
+						}
+					}
 				}

 				_, err = client.CreateFirstUser(cmd.Context(), codersdk.CreateFirstUserRequest{
@@ -164,14 +194,16 @@ func login() *cobra.Command {
 					cliui.Styles.Paragraph.Render(fmt.Sprintf("Welcome to Coder, %s! You're authenticated.", cliui.Styles.Keyword.Render(username)))+"\n")

 				_, _ = fmt.Fprintf(cmd.OutOrStdout(),
-					cliui.Styles.Paragraph.Render("Get started by creating a template: "+cliui.Styles.Code.Render("coder templates create"))+"\n")
+					cliui.Styles.Paragraph.Render("Get started by creating a template: "+cliui.Styles.Code.Render("coder templates init"))+"\n")
 				return nil
 			}

 			sessionToken, _ := cmd.Flags().GetString(varToken)
 			if sessionToken == "" {
 				authURL := *serverURL
-				authURL.Path = serverURL.Path + "/cli-auth"
+				// Don't use filepath.Join, we don't want to use the os separator
+				// for a url.
+				authURL.Path = path.Join(serverURL.Path, "/cli-auth")
 				if err := openURL(cmd, authURL.String()); err != nil {
 					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "Open the following in your browser:\n\n\t%s\n\n", authURL.String())
 				} else {
@@ -216,6 +248,10 @@ func login() *cobra.Command {
 			return nil
 		},
 	}
+	cliflag.StringVarP(cmd.Flags(), &email, "email", "e", "CODER_EMAIL", "", "Specifies an email address to authenticate with.")
+	cliflag.StringVarP(cmd.Flags(), &username, "username", "u", "CODER_USERNAME", "", "Specifies a username to authenticate with.")
+	cliflag.StringVarP(cmd.Flags(), &password, "password", "p", "CODER_PASSWORD", "", "Specifies a password to authenticate with.")
+	return cmd
 }

 // isWSL determines if coder-cli is running within Windows Subsystem for Linux
@@ -2,11 +2,14 @@ package cli_test

 import (
 	"context"
+	"fmt"
 	"testing"

+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/pty/ptytest"
 )
@@ -21,6 +24,15 @@ func TestLogin(t *testing.T) {
 		require.Error(t, err)
 	})

+	t.Run("InitialUserBadLoginURL", func(t *testing.T) {
+		t.Parallel()
+		badLoginURL := "https://fcca2077f06e68aaf9"
+		root, _ := clitest.New(t, "login", badLoginURL)
+		err := root.Execute()
+		errMsg := fmt.Sprintf("Failed to check server %q for first user, is the URL correct and is coder accessible from your browser?", badLoginURL)
+		require.ErrorContains(t, err, errMsg)
+	})
+
 	t.Run("InitialUserTTY", func(t *testing.T) {
 		t.Parallel()
 		client := coderdtest.New(t, nil)
@@ -35,7 +47,7 @@ func TestLogin(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := root.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()

 		matches := []string{
@@ -55,6 +67,26 @@ func TestLogin(t *testing.T) {
 		<-doneChan
 	})

+	t.Run("InitialUserFlags", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, nil)
+		// The --force-tty flag is required on Windows, because the `isatty` library does not
+		// accurately detect Windows ptys when they are not attached to a process:
+		// https://github.com/mattn/go-isatty/issues/59
+		doneChan := make(chan struct{})
+		root, _ := clitest.New(t, "login", client.URL.String(), "--username", "testuser", "--email", "user@coder.com", "--password", "password")
+		pty := ptytest.New(t)
+		root.SetIn(pty.Input())
+		root.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := root.Execute()
+			assert.NoError(t, err)
+		}()
+		pty.ExpectMatch("Welcome to Coder")
+		<-doneChan
+	})
+
 	t.Run("InitialUserTTYConfirmPasswordFailAndReprompt", func(t *testing.T) {
 		t.Parallel()
 		ctx, cancel := context.WithCancel(context.Background())
@@ -71,7 +103,7 @@ func TestLogin(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := root.ExecuteContext(ctx)
-			require.ErrorIs(t, err, context.Canceled)
+			assert.NoError(t, err)
 		}()

 		matches := []string{
@@ -87,9 +119,15 @@ func TestLogin(t *testing.T) {
 			pty.ExpectMatch(match)
 			pty.WriteLine(value)
 		}
+
+		// Validate that we reprompt for matching passwords.
 		pty.ExpectMatch("Passwords do not match")
-		pty.ExpectMatch("password") // Re-prompt password.
-		cancel()
+		pty.ExpectMatch("Enter a " + cliui.Styles.Field.Render("password"))
+
+		pty.WriteLine("pass")
+		pty.ExpectMatch("Confirm")
+		pty.WriteLine("pass")
+		pty.ExpectMatch("Welcome to Coder")
 		<-doneChan
 	})

@@ -106,7 +144,7 @@ func TestLogin(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := root.Execute()
-			require.NoError(t, err)
+			assert.NoError(t, err)
 		}()

 		pty.ExpectMatch("Paste your token here:")
@@ -131,7 +169,7 @@ func TestLogin(t *testing.T) {
 			defer close(doneChan)
 			err := root.ExecuteContext(ctx)
 			// An error is expected in this case, since the login wasn't successful:
-			require.Error(t, err)
+			assert.Error(t, err)
 		}()

 		pty.ExpectMatch("Paste your token here:")
@@ -0,0 +1,77 @@
+package cli
+
+import (
+	"fmt"
+	"os"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+func logout() *cobra.Command {
+	cmd := &cobra.Command{
+		Use:   "logout",
+		Short: "Unauthenticate your local session",
+		RunE: func(cmd *cobra.Command, args []string) error {
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			var errors []error
+
+			config := createConfig(cmd)
+
+			_, err = cliui.Prompt(cmd, cliui.PromptOptions{
+				Text:      "Are you sure you want to log out?",
+				IsConfirm: true,
+				Default:   cliui.ConfirmYes,
+			})
+			if err != nil {
+				return err
+			}
+
+			err = client.Logout(cmd.Context())
+			if err != nil {
+				errors = append(errors, xerrors.Errorf("logout api: %w", err))
+			}
+
+			err = config.URL().Delete()
+			// Only throw error if the URL configuration file is present,
+			// otherwise the user is already logged out, and we proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove URL file: %w", err))
+			}
+
+			err = config.Session().Delete()
+			// Only throw error if the session configuration file is present,
+			// otherwise the user is already logged out, and we proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove session file: %w", err))
+			}
+
+			err = config.Organization().Delete()
+			// If the organization configuration file is absent, we still proceed
+			if err != nil && !os.IsNotExist(err) {
+				errors = append(errors, xerrors.Errorf("remove organization file: %w", err))
+			}
+
+			if len(errors) > 0 {
+				var errorStringBuilder strings.Builder
+				for _, err := range errors {
+					_, _ = fmt.Fprint(&errorStringBuilder, "\t"+err.Error()+"\n")
+				}
+				errorString := strings.TrimRight(errorStringBuilder.String(), "\n")
+				return xerrors.New("Failed to log out.\n" + errorString)
+			}
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), caret+"You are no longer logged in. You can log in using 'coder login <url>'.\n")
+			return nil
+		},
+	}
+
+	cliui.AllowSkipPrompt(cmd)
+	return cmd
+}
@@ -0,0 +1,217 @@
+package cli_test
+
+import (
+	"fmt"
+	"os"
+	"regexp"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestLogout(t *testing.T) {
+	t.Parallel()
+	t.Run("Logout", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.NoError(t, err)
+			assert.NoFileExists(t, string(config.URL()))
+			assert.NoFileExists(t, string(config.Session()))
+		}()
+
+		pty.ExpectMatch("Are you sure you want to log out?")
+		pty.WriteLine("yes")
+		pty.ExpectMatch("You are no longer logged in. You can log in using 'coder login <url>'.")
+		<-logoutChan
+	})
+	t.Run("SkipPrompt", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config), "-y")
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.NoError(t, err)
+			assert.NoFileExists(t, string(config.URL()))
+			assert.NoFileExists(t, string(config.Session()))
+		}()
+
+		pty.ExpectMatch("You are no longer logged in. You can log in using 'coder login <url>'.")
+		<-logoutChan
+	})
+	t.Run("NoURLFile", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		err := os.Remove(string(config.URL()))
+		require.NoError(t, err)
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.EqualError(t, err, "You are not logged in. Try logging in using 'coder login <url>'.")
+		}()
+
+		<-logoutChan
+	})
+	t.Run("NoSessionFile", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		err := os.Remove(string(config.Session()))
+		require.NoError(t, err)
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err = logout.Execute()
+			assert.EqualError(t, err, "You are not logged in. Try logging in using 'coder login <url>'.")
+		}()
+
+		<-logoutChan
+	})
+	t.Run("CannotDeleteFiles", func(t *testing.T) {
+		t.Parallel()
+
+		pty := ptytest.New(t)
+		config := login(t, pty)
+
+		// Ensure session files exist.
+		require.FileExists(t, string(config.URL()))
+		require.FileExists(t, string(config.Session()))
+
+		var (
+			err         error
+			urlFile     *os.File
+			sessionFile *os.File
+		)
+		if runtime.GOOS == "windows" {
+			// Opening the files so Windows does not allow deleting them.
+			urlFile, err = os.Open(string(config.URL()))
+			require.NoError(t, err)
+			sessionFile, err = os.Open(string(config.Session()))
+			require.NoError(t, err)
+		} else {
+			// Changing the permissions to throw error during deletion.
+			err = os.Chmod(string(config), 0500)
+			require.NoError(t, err)
+		}
+		defer func() {
+			if runtime.GOOS == "windows" {
+				// Closing the opened files for cleanup.
+				err = urlFile.Close()
+				assert.NoError(t, err)
+				err = sessionFile.Close()
+				assert.NoError(t, err)
+			} else {
+				// Setting the permissions back for cleanup.
+				err = os.Chmod(string(config), 0o700)
+				assert.NoError(t, err)
+			}
+		}()
+
+		logoutChan := make(chan struct{})
+		logout, _ := clitest.New(t, "logout", "--global-config", string(config))
+
+		logout.SetIn(pty.Input())
+		logout.SetOut(pty.Output())
+
+		go func() {
+			defer close(logoutChan)
+			err := logout.Execute()
+			assert.NotNil(t, err)
+			var errorMessage string
+			if runtime.GOOS == "windows" {
+				errorMessage = "The process cannot access the file because it is being used by another process."
+			} else {
+				errorMessage = "permission denied"
+			}
+			errRegex := regexp.MustCompile(fmt.Sprintf("Failed to log out.\n\tremove URL file: .+: %s\n\tremove session file: .+: %s", errorMessage, errorMessage))
+			assert.Regexp(t, errRegex, err.Error())
+		}()
+
+		pty.ExpectMatch("Are you sure you want to log out?")
+		pty.WriteLine("yes")
+		<-logoutChan
+	})
+}
+
+func login(t *testing.T, pty *ptytest.PTY) config.Root {
+	t.Helper()
+
+	client := coderdtest.New(t, nil)
+	coderdtest.CreateFirstUser(t, client)
+
+	doneChan := make(chan struct{})
+	root, cfg := clitest.New(t, "login", "--force-tty", client.URL.String(), "--no-open")
+	root.SetIn(pty.Input())
+	root.SetOut(pty.Output())
+	go func() {
+		defer close(doneChan)
+		err := root.Execute()
+		assert.NoError(t, err)
+	}()
+
+	pty.ExpectMatch("Paste your token here:")
+	pty.WriteLine(client.SessionToken)
+	pty.ExpectMatch("Welcome to Coder")
+	<-doneChan
+
+	return cfg
+}
@@ -0,0 +1,57 @@
+package cli
+
+import (
+	"os"
+
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+
+	"github.com/spf13/cobra"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+// Reads a YAML file and populates a string -> string map.
+// Throws an error if the file name is empty.
+func createParameterMapFromFile(parameterFile string) (map[string]string, error) {
+	if parameterFile != "" {
+		parameterMap := make(map[string]string)
+
+		parameterFileContents, err := os.ReadFile(parameterFile)
+
+		if err != nil {
+			return nil, err
+		}
+
+		err = yaml.Unmarshal(parameterFileContents, &parameterMap)
+
+		if err != nil {
+			return nil, err
+		}
+
+		return parameterMap, nil
+	}
+
+	return nil, xerrors.Errorf("Parameter file name is not specified")
+}
+
+// Returns a parameter value from a given map, if the map exists, else takes input from the user.
+// Throws an error if the map exists but does not include a value for the parameter.
+func getParameterValueFromMapOrInput(cmd *cobra.Command, parameterMap map[string]string, parameterSchema codersdk.ParameterSchema) (string, error) {
+	var parameterValue string
+	if parameterMap != nil {
+		var ok bool
+		parameterValue, ok = parameterMap[parameterSchema.Name]
+		if !ok {
+			return "", xerrors.Errorf("Parameter value absent in parameter file for %q!", parameterSchema.Name)
+		}
+	} else {
+		var err error
+		parameterValue, err = cliui.ParameterSchema(cmd, parameterSchema)
+		if err != nil {
+			return "", err
+		}
+	}
+	return parameterValue, nil
+}
@@ -0,0 +1,79 @@
+package cli
+
+import (
+	"os"
+	"runtime"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestCreateParameterMapFromFile(t *testing.T) {
+	t.Parallel()
+	t.Run("CreateParameterMapFromFile", func(t *testing.T) {
+		t.Parallel()
+		tempDir := t.TempDir()
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region: \"bananas\"\ndisk: \"20\"\n")
+
+		parameterMapFromFile, err := createParameterMapFromFile(parameterFile.Name())
+
+		expectedMap := map[string]string{
+			"region": "bananas",
+			"disk":   "20",
+		}
+
+		assert.Equal(t, expectedMap, parameterMapFromFile)
+		assert.Nil(t, err)
+
+		removeTmpDirUntilSuccess(t, tempDir)
+	})
+	t.Run("WithEmptyFilename", func(t *testing.T) {
+		t.Parallel()
+
+		parameterMapFromFile, err := createParameterMapFromFile("")
+
+		assert.Nil(t, parameterMapFromFile)
+		assert.EqualError(t, err, "Parameter file name is not specified")
+	})
+	t.Run("WithInvalidFilename", func(t *testing.T) {
+		t.Parallel()
+
+		parameterMapFromFile, err := createParameterMapFromFile("invalidFile.yaml")
+
+		assert.Nil(t, parameterMapFromFile)
+
+		// On Unix based systems, it is: `open invalidFile.yaml: no such file or directory`
+		// On Windows, it is `open invalidFile.yaml: The system cannot find the file specified.`
+		if runtime.GOOS == "windows" {
+			assert.EqualError(t, err, "open invalidFile.yaml: The system cannot find the file specified.")
+		} else {
+			assert.EqualError(t, err, "open invalidFile.yaml: no such file or directory")
+		}
+	})
+	t.Run("WithInvalidYAML", func(t *testing.T) {
+		t.Parallel()
+		tempDir := t.TempDir()
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString("region = \"bananas\"\ndisk = \"20\"\n")
+
+		parameterMapFromFile, err := createParameterMapFromFile(parameterFile.Name())
+
+		assert.Nil(t, parameterMapFromFile)
+		assert.EqualError(t, err, "yaml: unmarshal errors:\n  line 1: cannot unmarshal !!str `region ...` into map[string]string")
+
+		removeTmpDirUntilSuccess(t, tempDir)
+	})
+}
+
+// Need this for Windows because of a known issue with Go:
+// https://github.com/golang/go/issues/52986
+func removeTmpDirUntilSuccess(t *testing.T, tempDir string) {
+	t.Helper()
+	t.Cleanup(func() {
+		err := os.RemoveAll(tempDir)
+		for err != nil {
+			err = os.RemoveAll(tempDir)
+		}
+	})
+}
@@ -0,0 +1,28 @@
+package cli
+
+import (
+	"github.com/spf13/cobra"
+)
+
+func parameters() *cobra.Command {
+	cmd := &cobra.Command{
+		Short: "List parameters for a given scope",
+		Example: formatExamples(
+			example{
+				Command: "coder parameters list workspace my-workspace",
+			},
+		),
+		Use: "parameters",
+		// Currently hidden as this shows parameter values, not parameter
+		// schemes. Until we have a good way to distinguish the two, it's better
+		// not to add confusion or lock ourselves into a certain api.
+		// This cmd is still valuable debugging tool for devs to avoid
+		// constructing curl requests.
+		Hidden:  true,
+		Aliases: []string{"params"},
+	}
+	cmd.AddCommand(
+		parameterList(),
+	)
+	return cmd
+}
@@ -0,0 +1,86 @@
+package cli
+
+import (
+	"fmt"
+
+	"github.com/google/uuid"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+func parameterList() *cobra.Command {
+	var (
+		columns []string
+	)
+	cmd := &cobra.Command{
+		Use:     "list",
+		Aliases: []string{"ls"},
+		Args:    cobra.ExactArgs(2),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			scope, name := args[0], args[1]
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			organization, err := currentOrganization(cmd, client)
+			if err != nil {
+				return xerrors.Errorf("get current organization: %w", err)
+			}
+
+			var scopeID uuid.UUID
+			switch codersdk.ParameterScope(scope) {
+			case codersdk.ParameterWorkspace:
+				workspace, err := namedWorkspace(cmd, client, name)
+				if err != nil {
+					return err
+				}
+				scopeID = workspace.ID
+			case codersdk.ParameterTemplate:
+				template, err := client.TemplateByName(cmd.Context(), organization.ID, name)
+				if err != nil {
+					return xerrors.Errorf("get workspace template: %w", err)
+				}
+				scopeID = template.ID
+			case codersdk.ParameterImportJob, "template_version":
+				scope = string(codersdk.ParameterImportJob)
+				scopeID, err = uuid.Parse(name)
+				if err != nil {
+					return xerrors.Errorf("%q must be a uuid for this scope type", name)
+				}
+
+				// Could be a template_version id or a job id. Check for the
+				// version id.
+				tv, err := client.TemplateVersion(cmd.Context(), scopeID)
+				if err == nil {
+					scopeID = tv.Job.ID
+				}
+
+			default:
+				return xerrors.Errorf("%q is an unsupported scope, use %v", scope, []codersdk.ParameterScope{
+					codersdk.ParameterWorkspace, codersdk.ParameterTemplate, codersdk.ParameterImportJob,
+				})
+			}
+
+			params, err := client.Parameters(cmd.Context(), codersdk.ParameterScope(scope), scopeID)
+			if err != nil {
+				return xerrors.Errorf("fetch params: %w", err)
+			}
+
+			out, err := cliui.DisplayTable(params, "name", columns)
+			if err != nil {
+				return xerrors.Errorf("render table: %w", err)
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
+			return err
+		},
+	}
+	cmd.Flags().StringArrayVarP(&columns, "column", "c", []string{"name", "scope", "destination scheme"},
+		"Specify a column to filter in the table.")
+	return cmd
+}
@@ -0,0 +1,318 @@
+package cli
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"strconv"
+	"strings"
+	"sync"
+	"syscall"
+	"time"
+
+	"github.com/pion/udp"
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+)
+
+func portForward() *cobra.Command {
+	var (
+		tcpForwards []string // <port>:<port>
+		udpForwards []string // <port>:<port>
+	)
+	cmd := &cobra.Command{
+		Use:     "port-forward <workspace>",
+		Short:   "Forward ports from machine to a workspace",
+		Aliases: []string{"tunnel"},
+		Args:    cobra.ExactArgs(1),
+		Example: formatExamples(
+			example{
+				Description: "Port forward a single TCP port from 1234 in the workspace to port 5678 on your local machine",
+				Command:     "coder port-forward <workspace> --tcp 5678:1234",
+			},
+			example{
+				Description: "Port forward a single UDP port from port 9000 to port 9000 on your local machine",
+				Command:     "coder port-forward <workspace> --udp 9000",
+			},
+			example{
+				Description: "Port forward multiple TCP ports and a UDP port",
+				Command:     "coder port-forward <workspace> --tcp 8080:8080 --tcp 9000:3000 --udp 5353:53",
+			},
+		),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx, cancel := context.WithCancel(cmd.Context())
+			defer cancel()
+
+			specs, err := parsePortForwards(tcpForwards, udpForwards)
+			if err != nil {
+				return xerrors.Errorf("parse port-forward specs: %w", err)
+			}
+			if len(specs) == 0 {
+				err = cmd.Help()
+				if err != nil {
+					return xerrors.Errorf("generate help output: %w", err)
+				}
+				return xerrors.New("no port-forwards requested")
+			}
+
+			client, err := CreateClient(cmd)
+			if err != nil {
+				return err
+			}
+
+			workspace, workspaceAgent, err := getWorkspaceAndAgent(ctx, cmd, client, codersdk.Me, args[0], false)
+			if err != nil {
+				return err
+			}
+			if workspace.LatestBuild.Transition != codersdk.WorkspaceTransitionStart {
+				return xerrors.New("workspace must be in start transition to port-forward")
+			}
+			if workspace.LatestBuild.Job.CompletedAt == nil {
+				err = cliui.WorkspaceBuild(ctx, cmd.ErrOrStderr(), client, workspace.LatestBuild.ID, workspace.CreatedAt)
+				if err != nil {
+					return err
+				}
+			}
+
+			err = cliui.Agent(ctx, cmd.ErrOrStderr(), cliui.AgentOptions{
+				WorkspaceName: workspace.Name,
+				Fetch: func(ctx context.Context) (codersdk.WorkspaceAgent, error) {
+					return client.WorkspaceAgent(ctx, workspaceAgent.ID)
+				},
+			})
+			if err != nil {
+				return xerrors.Errorf("await agent: %w", err)
+			}
+
+			conn, err := client.DialWorkspaceAgentTailnet(ctx, slog.Logger{}, workspaceAgent.ID)
+			if err != nil {
+				return err
+			}
+			defer conn.Close()
+
+			// Start all listeners.
+			var (
+				wg                = new(sync.WaitGroup)
+				listeners         = make([]net.Listener, len(specs))
+				closeAllListeners = func() {
+					for _, l := range listeners {
+						if l == nil {
+							continue
+						}
+						_ = l.Close()
+					}
+				}
+			)
+			defer closeAllListeners()
+
+			for i, spec := range specs {
+				l, err := listenAndPortForward(ctx, cmd, conn, wg, spec)
+				if err != nil {
+					return err
+				}
+				listeners[i] = l
+			}
+
+			// Wait for the context to be canceled or for a signal and close
+			// all listeners.
+			var closeErr error
+			wg.Add(1)
+			go func() {
+				defer wg.Done()
+
+				sigs := make(chan os.Signal, 1)
+				signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)
+
+				select {
+				case <-ctx.Done():
+					closeErr = ctx.Err()
+				case <-sigs:
+					_, _ = fmt.Fprintln(cmd.OutOrStderr(), "Received signal, closing all listeners and active connections")
+					closeErr = xerrors.New("signal received")
+				}
+
+				cancel()
+				closeAllListeners()
+			}()
+
+			ticker := time.NewTicker(250 * time.Millisecond)
+			defer ticker.Stop()
+			for {
+				select {
+				case <-ctx.Done():
+					return ctx.Err()
+				case <-ticker.C:
+				}
+
+				_, err = conn.Ping()
+				if err != nil {
+					continue
+				}
+				break
+			}
+			ticker.Stop()
+			_, _ = fmt.Fprintln(cmd.OutOrStderr(), "Ready!")
+			wg.Wait()
+			return closeErr
+		},
+	}
+
+	cmd.Flags().StringArrayVarP(&tcpForwards, "tcp", "p", []string{}, "Forward a TCP port from the workspace to the local machine")
+	cmd.Flags().StringArrayVar(&udpForwards, "udp", []string{}, "Forward a UDP port from the workspace to the local machine. The UDP connection has TCP-like semantics to support stateful UDP protocols")
+	return cmd
+}
+
+func listenAndPortForward(ctx context.Context, cmd *cobra.Command, conn *codersdk.AgentConn, wg *sync.WaitGroup, spec portForwardSpec) (net.Listener, error) {
+	_, _ = fmt.Fprintf(cmd.OutOrStderr(), "Forwarding '%v://%v' locally to '%v://%v' in the workspace\n", spec.listenNetwork, spec.listenAddress, spec.dialNetwork, spec.dialAddress)
+
+	var (
+		l   net.Listener
+		err error
+	)
+	switch spec.listenNetwork {
+	case "tcp":
+		l, err = net.Listen(spec.listenNetwork, spec.listenAddress)
+	case "udp":
+		var host, port string
+		host, port, err = net.SplitHostPort(spec.listenAddress)
+		if err != nil {
+			return nil, xerrors.Errorf("split %q: %w", spec.listenAddress, err)
+		}
+
+		var portInt int
+		portInt, err = strconv.Atoi(port)
+		if err != nil {
+			return nil, xerrors.Errorf("parse port %v from %q as int: %w", port, spec.listenAddress, err)
+		}
+
+		l, err = udp.Listen(spec.listenNetwork, &net.UDPAddr{
+			IP:   net.ParseIP(host),
+			Port: portInt,
+		})
+	default:
+		return nil, xerrors.Errorf("unknown listen network %q", spec.listenNetwork)
+	}
+	if err != nil {
+		return nil, xerrors.Errorf("listen '%v://%v': %w", spec.listenNetwork, spec.listenAddress, err)
+	}
+
+	wg.Add(1)
+	go func(spec portForwardSpec) {
+		defer wg.Done()
+		for {
+			netConn, err := l.Accept()
+			if err != nil {
+				_, _ = fmt.Fprintf(cmd.OutOrStderr(), "Error accepting connection from '%v://%v': %+v\n", spec.listenNetwork, spec.listenAddress, err)
+				_, _ = fmt.Fprintln(cmd.OutOrStderr(), "Killing listener")
+				return
+			}
+
+			go func(netConn net.Conn) {
+				defer netConn.Close()
+				remoteConn, err := conn.DialContext(ctx, spec.dialNetwork, spec.dialAddress)
+				if err != nil {
+					_, _ = fmt.Fprintf(cmd.OutOrStderr(), "Failed to dial '%v://%v' in workspace: %s\n", spec.dialNetwork, spec.dialAddress, err)
+					return
+				}
+				defer remoteConn.Close()
+
+				agent.Bicopy(ctx, netConn, remoteConn)
+			}(netConn)
+		}
+	}(spec)
+
+	return l, nil
+}
+
+type portForwardSpec struct {
+	listenNetwork string // tcp, udp
+	listenAddress string // <ip>:<port> or path
+
+	dialNetwork string // tcp, udp
+	dialAddress string // <ip>:<port> or path
+}
+
+func parsePortForwards(tcpSpecs, udpSpecs []string) ([]portForwardSpec, error) {
+	specs := []portForwardSpec{}
+
+	for _, spec := range tcpSpecs {
+		local, remote, err := parsePortPort(spec)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to parse TCP port-forward specification %q: %w", spec, err)
+		}
+
+		specs = append(specs, portForwardSpec{
+			listenNetwork: "tcp",
+			listenAddress: fmt.Sprintf("127.0.0.1:%v", local),
+			dialNetwork:   "tcp",
+			dialAddress:   fmt.Sprintf("127.0.0.1:%v", remote),
+		})
+	}
+
+	for _, spec := range udpSpecs {
+		local, remote, err := parsePortPort(spec)
+		if err != nil {
+			return nil, xerrors.Errorf("failed to parse UDP port-forward specification %q: %w", spec, err)
+		}
+
+		specs = append(specs, portForwardSpec{
+			listenNetwork: "udp",
+			listenAddress: fmt.Sprintf("127.0.0.1:%v", local),
+			dialNetwork:   "udp",
+			dialAddress:   fmt.Sprintf("127.0.0.1:%v", remote),
+		})
+	}
+
+	// Check for duplicate entries.
+	locals := map[string]struct{}{}
+	for _, spec := range specs {
+		localStr := fmt.Sprintf("%v:%v", spec.listenNetwork, spec.listenAddress)
+		if _, ok := locals[localStr]; ok {
+			return nil, xerrors.Errorf("local %v %v is specified twice", spec.listenNetwork, spec.listenAddress)
+		}
+		locals[localStr] = struct{}{}
+	}
+
+	return specs, nil
+}
+
+func parsePort(in string) (uint16, error) {
+	port, err := strconv.ParseUint(strings.TrimSpace(in), 10, 16)
+	if err != nil {
+		return 0, xerrors.Errorf("parse port %q: %w", in, err)
+	}
+	if port == 0 {
+		return 0, xerrors.New("port cannot be 0")
+	}
+
+	return uint16(port), nil
+}
+
+func parsePortPort(in string) (local uint16, remote uint16, err error) {
+	parts := strings.Split(in, ":")
+	if len(parts) > 2 {
+		return 0, 0, xerrors.Errorf("invalid port specification %q", in)
+	}
+	if len(parts) == 1 {
+		// Duplicate the single part
+		parts = append(parts, parts[0])
+	}
+
+	local, err = parsePort(parts[0])
+	if err != nil {
+		return 0, 0, xerrors.Errorf("parse local port from %q: %w", in, err)
+	}
+	remote, err = parsePort(parts[1])
+	if err != nil {
+		return 0, 0, xerrors.Errorf("parse remote port from %q: %w", in, err)
+	}
+
+	return local, remote, nil
+}
@@ -0,0 +1,422 @@
+package cli_test
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net"
+	"sync"
+	"testing"
+
+	"github.com/google/uuid"
+	"github.com/pion/udp"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/provisioner/echo"
+	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestPortForward(t *testing.T) {
+	t.Parallel()
+	t.Skip("These tests flake... a lot. It seems related to the Tailscale change, but all other tests pass...")
+
+	t.Run("None", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, nil)
+		_ = coderdtest.CreateFirstUser(t, client)
+
+		cmd, root := clitest.New(t, "port-forward", "blah")
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+
+		err := cmd.Execute()
+		require.Error(t, err)
+		require.ErrorContains(t, err, "no port-forwards")
+
+		// Check that the help was printed.
+		pty.ExpectMatch("port-forward <workspace>")
+	})
+
+	cases := []struct {
+		name    string
+		network string
+		// The flag to pass to `coder port-forward X` to port-forward this type
+		// of connection. Has two format args (both strings), the first is the
+		// local address and the second is the remote address.
+		flag string
+		// setupRemote creates a "remote" listener to emulate a service in the
+		// workspace.
+		setupRemote func(t *testing.T) net.Listener
+		// setupLocal returns an available port that the
+		// port-forward command will listen on "locally". Returns the address
+		// you pass to net.Dial, and the port/path you pass to `coder
+		// port-forward`.
+		setupLocal func(t *testing.T) (string, string)
+	}{
+		{
+			name:    "TCP",
+			network: "tcp",
+			flag:    "--tcp=%v:%v",
+			setupRemote: func(t *testing.T) net.Listener {
+				l, err := net.Listen("tcp", "127.0.0.1:0")
+				require.NoError(t, err, "create TCP listener")
+				return l
+			},
+			setupLocal: func(t *testing.T) (string, string) {
+				l, err := net.Listen("tcp", "127.0.0.1:0")
+				require.NoError(t, err, "create TCP listener to generate random port")
+				defer l.Close()
+
+				_, port, err := net.SplitHostPort(l.Addr().String())
+				require.NoErrorf(t, err, "split TCP address %q", l.Addr().String())
+				return l.Addr().String(), port
+			},
+		},
+		{
+			name:    "UDP",
+			network: "udp",
+			flag:    "--udp=%v:%v",
+			setupRemote: func(t *testing.T) net.Listener {
+				addr := net.UDPAddr{
+					IP:   net.ParseIP("127.0.0.1"),
+					Port: 0,
+				}
+				l, err := udp.Listen("udp", &addr)
+				require.NoError(t, err, "create UDP listener")
+				return l
+			},
+			setupLocal: func(t *testing.T) (string, string) {
+				addr := net.UDPAddr{
+					IP:   net.ParseIP("127.0.0.1"),
+					Port: 0,
+				}
+				l, err := udp.Listen("udp", &addr)
+				require.NoError(t, err, "create UDP listener to generate random port")
+				defer l.Close()
+
+				_, port, err := net.SplitHostPort(l.Addr().String())
+				require.NoErrorf(t, err, "split UDP address %q", l.Addr().String())
+				return l.Addr().String(), port
+			},
+		},
+	}
+
+	// Setup agent once to be shared between test-cases (avoid expensive
+	// non-parallel setup).
+	var (
+		client       = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user         = coderdtest.CreateFirstUser(t, client)
+		_, workspace = runAgent(t, client, user.UserID)
+	)
+
+	for _, c := range cases { //nolint:paralleltest // the `c := c` confuses the linter
+		c := c
+		// Delay parallel tests here because setupLocal reserves
+		// a free open port which is not guaranteed to be free
+		// between the listener closing and port-forward ready.
+		t.Run(c.name, func(t *testing.T) {
+			t.Run("OnePort", func(t *testing.T) {
+				p1 := setupTestListener(t, c.setupRemote(t))
+
+				// Create a flag that forwards from local to listener 1.
+				localAddress, localFlag := c.setupLocal(t)
+				flag := fmt.Sprintf(c.flag, localFlag, p1)
+
+				// Launch port-forward in a goroutine so we can start dialing
+				// the "local" listener.
+				cmd, root := clitest.New(t, "-v", "port-forward", workspace.Name, flag)
+				clitest.SetupConfig(t, client, root)
+				pty := ptytest.New(t)
+				cmd.SetIn(pty.Input())
+				cmd.SetOut(pty.Output())
+				cmd.SetErr(pty.Output())
+				ctx, cancel := context.WithCancel(context.Background())
+				defer cancel()
+				errC := make(chan error)
+				go func() {
+					errC <- cmd.ExecuteContext(ctx)
+				}()
+				pty.ExpectMatch("Ready!")
+
+				t.Parallel() // Port is reserved, enable parallel execution.
+
+				// Open two connections simultaneously and test them out of
+				// sync.
+				d := net.Dialer{Timeout: testutil.WaitShort}
+				c1, err := d.DialContext(ctx, c.network, localAddress)
+				require.NoError(t, err, "open connection 1 to 'local' listener")
+				defer c1.Close()
+				c2, err := d.DialContext(ctx, c.network, localAddress)
+				require.NoError(t, err, "open connection 2 to 'local' listener")
+				defer c2.Close()
+				testDial(t, c2)
+				testDial(t, c1)
+
+				cancel()
+				err = <-errC
+				require.ErrorIs(t, err, context.Canceled)
+			})
+
+			//nolint:paralleltest
+			t.Run("TwoPorts", func(t *testing.T) {
+				var (
+					p1 = setupTestListener(t, c.setupRemote(t))
+					p2 = setupTestListener(t, c.setupRemote(t))
+				)
+
+				// Create a flags for listener 1 and listener 2.
+				localAddress1, localFlag1 := c.setupLocal(t)
+				localAddress2, localFlag2 := c.setupLocal(t)
+				flag1 := fmt.Sprintf(c.flag, localFlag1, p1)
+				flag2 := fmt.Sprintf(c.flag, localFlag2, p2)
+
+				// Launch port-forward in a goroutine so we can start dialing
+				// the "local" listeners.
+				cmd, root := clitest.New(t, "-v", "port-forward", workspace.Name, flag1, flag2)
+				clitest.SetupConfig(t, client, root)
+				pty := ptytest.New(t)
+				cmd.SetIn(pty.Input())
+				cmd.SetOut(pty.Output())
+				cmd.SetErr(pty.Output())
+				ctx, cancel := context.WithCancel(context.Background())
+				defer cancel()
+				errC := make(chan error)
+				go func() {
+					errC <- cmd.ExecuteContext(ctx)
+				}()
+				pty.ExpectMatch("Ready!")
+
+				t.Parallel() // Port is reserved, enable parallel execution.
+
+				// Open a connection to both listener 1 and 2 simultaneously and
+				// then test them out of order.
+				d := net.Dialer{Timeout: testutil.WaitShort}
+				c1, err := d.DialContext(ctx, c.network, localAddress1)
+				require.NoError(t, err, "open connection 1 to 'local' listener 1")
+				defer c1.Close()
+				c2, err := d.DialContext(ctx, c.network, localAddress2)
+				require.NoError(t, err, "open connection 2 to 'local' listener 2")
+				defer c2.Close()
+				testDial(t, c2)
+				testDial(t, c1)
+
+				cancel()
+				err = <-errC
+				require.ErrorIs(t, err, context.Canceled)
+			})
+		})
+	}
+
+	// Test doing TCP and UDP at the same time.
+	//nolint:paralleltest
+	t.Run("All", func(t *testing.T) {
+		var (
+			dials = []addr{}
+			flags = []string{}
+		)
+
+		// Start listeners and populate arrays with the cases.
+		for _, c := range cases {
+			p := setupTestListener(t, c.setupRemote(t))
+
+			localAddress, localFlag := c.setupLocal(t)
+			dials = append(dials, addr{
+				network: c.network,
+				addr:    localAddress,
+			})
+			flags = append(flags, fmt.Sprintf(c.flag, localFlag, p))
+		}
+
+		// Launch port-forward in a goroutine so we can start dialing
+		// the "local" listeners.
+		cmd, root := clitest.New(t, append([]string{"-v", "port-forward", workspace.Name}, flags...)...)
+		clitest.SetupConfig(t, client, root)
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		ctx, cancel := context.WithCancel(context.Background())
+		defer cancel()
+		errC := make(chan error)
+		go func() {
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		pty.ExpectMatch("Ready!")
+
+		t.Parallel() // Port is reserved, enable parallel execution.
+
+		// Open connections to all items in the "dial" array.
+		var (
+			d     = net.Dialer{Timeout: testutil.WaitShort}
+			conns = make([]net.Conn, len(dials))
+		)
+		for i, a := range dials {
+			c, err := d.DialContext(ctx, a.network, a.addr)
+			require.NoErrorf(t, err, "open connection %v to 'local' listener %v", i+1, i+1)
+			t.Cleanup(func() {
+				_ = c.Close()
+			})
+			conns[i] = c
+		}
+
+		// Test each connection in reverse order.
+		for i := len(conns) - 1; i >= 0; i-- {
+			testDial(t, conns[i])
+		}
+
+		cancel()
+		err := <-errC
+		require.ErrorIs(t, err, context.Canceled)
+	})
+}
+
+// runAgent creates a fake workspace and starts an agent locally for that
+// workspace. The agent will be cleaned up on test completion.
+// nolint:unused
+func runAgent(t *testing.T, client *codersdk.Client, userID uuid.UUID) ([]codersdk.WorkspaceResource, codersdk.Workspace) {
+	ctx := context.Background()
+	user, err := client.User(ctx, userID.String())
+	require.NoError(t, err, "specified user does not exist")
+	require.Greater(t, len(user.OrganizationIDs), 0, "user has no organizations")
+	orgID := user.OrganizationIDs[0]
+
+	// Setup template
+	agentToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, orgID, &echo.Responses{
+		Parse:           echo.ParseComplete,
+		ProvisionDryRun: echo.ProvisionComplete,
+		Provision: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "somename",
+						Type: "someinstance",
+						Agents: []*proto.Agent{{
+							Auth: &proto.Agent_Token{
+								Token: agentToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+
+	// Create template and workspace
+	template := coderdtest.CreateTemplate(t, client, orgID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, orgID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	// Start workspace agent in a goroutine
+	cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String())
+	clitest.SetupConfig(t, client, root)
+	pty := ptytest.New(t)
+	cmd.SetIn(pty.Input())
+	cmd.SetOut(pty.Output())
+	cmd.SetErr(pty.Output())
+	errC := make(chan error)
+	agentCtx, agentCancel := context.WithCancel(ctx)
+	t.Cleanup(func() {
+		agentCancel()
+		err := <-errC
+		require.NoError(t, err)
+	})
+	go func() {
+		errC <- cmd.ExecuteContext(agentCtx)
+	}()
+
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+	resources, err := client.WorkspaceResourcesByBuild(context.Background(), workspace.LatestBuild.ID)
+	require.NoError(t, err)
+
+	return resources, workspace
+}
+
+// setupTestListener starts accepting connections and echoing a single packet.
+// Returns the listener and the listen port.
+func setupTestListener(t *testing.T, l net.Listener) string {
+	t.Helper()
+
+	// Wait for listener to completely exit before releasing.
+	done := make(chan struct{})
+	t.Cleanup(func() {
+		_ = l.Close()
+		<-done
+	})
+	go func() {
+		defer close(done)
+		// Guard against testAccept running require after test completion.
+		var wg sync.WaitGroup
+		defer wg.Wait()
+
+		for {
+			c, err := l.Accept()
+			if err != nil {
+				_ = l.Close()
+				return
+			}
+
+			wg.Add(1)
+			go func() {
+				testAccept(t, c)
+				wg.Done()
+			}()
+		}
+	}()
+
+	addr := l.Addr().String()
+	_, port, err := net.SplitHostPort(addr)
+	require.NoErrorf(t, err, "split non-Unix listen path %q", addr)
+	addr = port
+
+	return addr
+}
+
+var dialTestPayload = []byte("dean-was-here123")
+
+func testDial(t *testing.T, c net.Conn) {
+	t.Helper()
+
+	assertWritePayload(t, c, dialTestPayload)
+	assertReadPayload(t, c, dialTestPayload)
+}
+
+func testAccept(t *testing.T, c net.Conn) {
+	t.Helper()
+	defer c.Close()
+
+	assertReadPayload(t, c, dialTestPayload)
+	assertWritePayload(t, c, dialTestPayload)
+}
+
+func assertReadPayload(t *testing.T, r io.Reader, payload []byte) {
+	t.Helper()
+	b := make([]byte, len(payload)+16)
+	n, err := r.Read(b)
+	assert.NoError(t, err, "read payload")
+	assert.Equal(t, len(payload), n, "read payload length does not match")
+	assert.Equal(t, payload, b[:n])
+}
+
+func assertWritePayload(t *testing.T, w io.Writer, payload []byte) {
+	t.Helper()
+	n, err := w.Write(payload)
+	assert.NoError(t, err, "write payload")
+	assert.Equal(t, len(payload), n, "payload length does not match")
+}
+
+type addr struct {
+	network string
+	addr    string
+}
@@ -11,16 +11,39 @@ import (
 )

 func publickey() *cobra.Command {
-	return &cobra.Command{
+	var (
+		reset bool
+	)
+
+	cmd := &cobra.Command{
 		Use:     "publickey",
 		Aliases: []string{"pubkey"},
-		Short:   "Output your public key for Git operations",
+		Short:   "Output your Coder public key used for Git operations",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return xerrors.Errorf("create codersdk client: %w", err)
 			}

+			if reset {
+				// Confirm prompt if using --reset. We don't want to accidentally
+				// reset our public key.
+				_, err := cliui.Prompt(cmd, cliui.PromptOptions{
+					Text: "Confirm regenerate a new sshkey for your workspaces? This will require updating the key " +
+						"on any services it is registered with. This action cannot be reverted.",
+					IsConfirm: true,
+				})
+				if err != nil {
+					return err
+				}
+
+				// Reset the public key, let the retrieve re-read it.
+				_, err = client.RegenerateGitSSHKey(cmd.Context(), codersdk.Me)
+				if err != nil {
+					return err
+				}
+			}
+
 			key, err := client.GitSSHKey(cmd.Context(), codersdk.Me)
 			if err != nil {
 				return xerrors.Errorf("create codersdk client: %w", err)
@@ -40,4 +63,8 @@ func publickey() *cobra.Command {
 			return nil
 		},
 	}
+	cmd.Flags().BoolVar(&reset, "reset", false, "Regenerate your public key. This will require updating the key on any services it's registered with.")
+	cliui.AllowSkipPrompt(cmd)
+
+	return cmd
 }
@@ -13,6 +13,7 @@ import (
 func TestPublicKey(t *testing.T) {
 	t.Parallel()
 	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
 		client := coderdtest.New(t, nil)
 		_ = coderdtest.CreateFirstUser(t, client)
 		cmd, root := clitest.New(t, "publickey")
--- a/Show More
+++ b/Show More