docs: explain Template inheritance with Terraform modules (#8328 )

* docs: explain Template inheritance with Terraform modules * make fmt & title renaming --------- Co-authored-by: Eric <ericpaulsen@coder.com>
chore: pin terraform to 1.5.2 (#8322 )
2023-07-05 15:06:16 -04:00 · 2023-07-05 12:59:58 -05:00 · 2023-07-05 17:24:21 +00:00 · 2023-07-05 17:20:12 +00:00 · 2023-07-05 13:11:08 -04:00 · 2023-07-05 13:06:09 -04:00
6433 changed files with 356768 additions and 73449 deletions
@@ -0,0 +1,83 @@
+FROM ubuntu
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV EDITOR=vim
+
+RUN apt-get update && apt-get upgrade --yes
+
+RUN apt-get install --yes \
+	ca-certificates \
+	bash-completion \
+	build-essential \
+	curl \
+	cmake \
+	direnv \
+	emacs-nox \
+	gnupg \
+	htop \
+	jq \
+	less \
+	lsb-release \
+	lsof \
+	man-db \
+	nano \
+	neovim \
+	ssl-cert \
+	sudo \
+	unzip \
+	xz-utils \
+	zip
+
+# configure locales to UTF8
+RUN apt-get install locales && locale-gen en_US.UTF-8
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+# configure direnv
+RUN direnv hook bash >> $HOME/.bashrc
+
+# install nix
+RUN sh <(curl -L https://nixos.org/nix/install) --daemon
+
+RUN mkdir -p $HOME/.config/nix $HOME/.config/nixpkgs \
+	&& echo 'sandbox = false' >> $HOME/.config/nix/nix.conf \
+	&& echo '{ allowUnfree = true; }' >> $HOME/.config/nixpkgs/config.nix \
+	&& echo '. $HOME/.nix-profile/etc/profile.d/nix.sh' >> $HOME/.bashrc
+
+
+# install docker and configure daemon to use vfs as GitHub codespaces requires vfs
+# https://github.com/moby/moby/issues/13742#issuecomment-725197223
+RUN mkdir -p /etc/apt/keyrings \
+	&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+	&& echo \
+	"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+	$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null \
+	&& apt-get update \
+	&& apt-get install --yes docker-ce docker-ce-cli containerd.io docker-compose-plugin \
+	&& mkdir -p /etc/docker \
+	&& echo '{"cgroup-parent":"/actions_job","storage-driver":"vfs"}' >> /etc/docker/daemon.json
+
+# install golang and language tooling
+ENV GO_VERSION=1.20
+ENV GOPATH=$HOME/go-packages
+ENV GOROOT=$HOME/go
+ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
+RUN curl -fsSL https://dl.google.com/go/go$GO_VERSION.linux-amd64.tar.gz | tar xzs
+RUN echo 'export PATH=$GOPATH/bin:$PATH' >> $HOME/.bashrc
+
+RUN bash -c ". $HOME/.bashrc \
+	go install -v golang.org/x/tools/gopls@latest \
+	&& go install -v mvdan.cc/sh/v3/cmd/shfmt@latest \
+	&& go install -v github.com/mikefarah/yq/v4@v4.30.6 \
+	"
+
+# install nodejs
+RUN bash -c "$(curl -fsSL https://deb.nodesource.com/setup_14.x)" \
+	&& apt-get install -y nodejs
+
+# install zstd
+RUN bash -c "$(curl -fsSL https://raw.githubusercontent.com/horta/zstd.install/main/install)"
+
+# install nfpm
+RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list \
+	&& apt update \
+	&& apt install nfpm
@@ -0,0 +1,24 @@
+// For format details, see https://aka.ms/devcontainer.json
+{
+  "name": "Development environments on your infrastructure",
+
+  // Sets the run context to one level up instead of the .devcontainer folder.
+  "context": ".",
+
+  // Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
+  "dockerFile": "Dockerfile",
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+
+  "postStartCommand": "dockerd",
+
+  // privileged is required by GitHub codespaces - https://github.com/microsoft/vscode-dev-containers/issues/727
+  "runArgs": [
+    "--cap-add=SYS_PTRACE",
+    "--security-opt",
+    "seccomp=unconfined",
+    "--privileged",
+    "--init"
+  ]
+}
@@ -0,0 +1,16 @@
+root = true
+
+[*]
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+indent_style = tab
+
+[*.{md,json,yaml,yml,tf,tfvars,nix}]
+indent_style = space
+indent_size = 2
+
+[coderd/database/dump.sql]
+indent_style = space
+indent_size = 4
@@ -1,5 +1,11 @@
 # Generated files
+coderd/apidoc/docs.go linguist-generated=true
+coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
 provisionerd/proto/*.go linguist-generated=true
 provisionersdk/proto/*.go linguist-generated=true
+*.tfplan.json linguist-generated=true
+*.tfstate.json linguist-generated=true
+*.tfstate.dot linguist-generated=true
+*.tfplan.dot linguist-generated=true
@@ -1,2 +0,0 @@
-site/ @coder/frontend
-site/src/xServices @presleyp
@@ -1,37 +0,0 @@
---
-name: Bug report
-about: Report a bug
-title: "Bug: "
-labels: ["bug :bug:", "needs grooming :razor:"]
---
-
-## OS Information
-
- OS:
- Browser (if applicable): 
- Architecture:
- `coder --version`:
-
-## Steps to Reproduce
-
-<!-- 1. -->
-<!-- 2. -->
-<!-- 3. -->
-
-## Expected
-
-<!-- What should happen? -->
-
-## Actual
-
-<!-- What actually happens? -->
-
-## Logs
-
-## Screenshot
-
-<!-- Ideally provide a screenshot, gif, video or screen recording. -->
-
-## Notes
-
-<!-- Anything else you want to share -->
@@ -1,5 +0,0 @@
-blank_issues_enabled: true
-contact_links:
-  - name: Question?
-    url: https://github.com/coder/coder/discussions/new?category=q-a
-    about: Ask for help on our GitHub Discussions board
@@ -1,12 +0,0 @@
---
-name: Documentation improvement
-about: Suggest a documentation improvement
-title: "Docs: "
-labels: ["documentation :memo:", "needs grooming :razor:"]
---
-
-## What is your suggestion?
-
-## How will this improve the docs?
-
-## Are you interested in submitting a PR for this?
@@ -1,14 +0,0 @@
---
-name: Feature request
-about: Suggest an idea to improve coder
-title: "Feat: "
-labels: ["new feature :sparkles:", "needs grooming :razor:"]
---
-
-## What is your suggestion?
-
-## Why do you want this feature?
-
-## Are there any workarounds to get this functionality today?
-
-## Are you interested in submitting a PR for this?
@@ -0,0 +1,68 @@
+name: "Setup Go"
+description: |
+  Sets up the Go environment for tests, builds, etc.
+inputs:
+  version:
+    description: "The Go version to use."
+    default: "1.20.5"
+runs:
+  using: "composite"
+  steps:
+    - name: Cache go toolchain
+      uses: buildjet/cache@v3
+      with:
+        path: |
+          ${{ runner.tool_cache }}/go/${{ inputs.version }}
+        key: gotoolchain-${{ runner.os }}-${{ inputs.version }}
+        restore-keys: |
+          gotoolchain-${{ runner.os }}-
+
+    - uses: buildjet/setup-go@v4
+      with:
+        # We do our own caching for implementation clarity.
+        cache: false
+        go-version: ${{ inputs.version }}
+
+    - name: Get cache dirs
+      shell: bash
+      run: |
+        set -x
+        echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_ENV
+        echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_ENV
+
+    # We split up GOMODCACHE from GOCACHE because the latter must be invalidated
+    # on code change, but the former can be kept.
+    - name: Cache $GOMODCACHE
+      uses: buildjet/cache@v3
+      with:
+        path: |
+          ${{ env.GOMODCACHE }}
+        key: gomodcache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-${{ github.job }}
+        restore-keys: |
+          gomodcache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}-
+          gomodcache-${{ runner.os }}-
+
+    - name: Cache $GOCACHE
+      uses: buildjet/cache@v3
+      with:
+        path: |
+          ${{ env.GOCACHE }}
+        # Job name must be included in the key for effective
+        # test cache reuse.
+        # The key format is intentionally different than GOMODCACHE, because any
+        # time a Go file changes we invalidate this cache, whereas GOMODCACHE
+        # is only invalidated when go.sum changes.
+        key: gocache-${{ runner.os }}-${{ github.job }}-${{ hashFiles('**/*.go', 'go.**') }}
+        restore-keys: |
+          gocache-${{ runner.os }}-${{ github.job }}-
+          gocache-${{ runner.os }}-
+
+    - name: Install gotestsum
+      shell: bash
+      run: go install gotest.tools/gotestsum@latest
+
+    # It isn't necessary that we ever do this, but it helps
+    # separate the "setup" from the "run" times.
+    - name: go mod download
+      shell: bash
+      run: go mod download -x
@@ -0,0 +1,15 @@
+name: "Setup Node"
+description: |
+  Sets up the node environment for tests, builds, etc.
+runs:
+  using: "composite"
+  steps:
+    - uses: buildjet/setup-node@v3
+      with:
+        node-version: 16.16.0
+        # See https://github.com/actions/setup-node#caching-global-packages-data
+        cache: "yarn"
+        cache-dependency-path: "site/yarn.lock"
+    - name: Install node_modules
+      shell: bash
+      run: ./scripts/yarn_install.sh
@@ -0,0 +1,11 @@
+name: "Setup Terraform"
+description: |
+  Sets up Terraform for tests, builds, etc.
+runs:
+  using: "composite"
+  steps:
+    - name: Install Terraform
+      uses: hashicorp/setup-terraform@v2
+      with:
+        terraform_version: 1.5.2
+        terraform_wrapper: false
@@ -0,0 +1,27 @@
+name: Upload tests to datadog
+if: always()
+inputs:
+  api-key:
+    description: "Datadog API key"
+    required: true
+runs:
+  using: "composite"
+  steps:
+    - shell: bash
+      run: |
+        owner=${{ github.repository_owner	 }}
+        echo "owner: $owner"
+        if [[  $owner != "coder" ]]; then
+          echo "Not a pull request from the main repo, skipping..."
+          exit 0
+        fi
+        if [[ -z "${{ inputs.api-key }}" ]]; then
+          # This can happen for dependabot.
+          echo "No API key provided, skipping..."
+          exit 0
+        fi
+        npm install -g @datadog/datadog-ci@2.10.0
+        datadog-ci junit upload --service coder ./gotests.xml \
+          --tags os:${{runner.os}} --tags runner_name:${{runner.name}}
+      env:
+        DATADOG_API_KEY: ${{ inputs.api-key }}
@@ -1,5 +1,7 @@
 codecov:
  require_ci_to_pass: false
+  notify:
+    after_n_builds: 5

 comment: false

@@ -7,19 +9,22 @@ github_checks:
  annotations: false

 coverage:
+  range: 50..75
+  round: down
+  precision: 2
  status:
    patch:
      default:
        informational: yes
    project:
      default:
-        target: 70%
-        informational: yes
+        target: 65%
+        informational: true

 ignore:
  # This is generated code.
  - coderd/database/models.go
-  - coderd/database/query.sql.go
+  - coderd/database/queries.sql.go
  - coderd/database/databasefake
  # These are generated or don't require tests.
  - cmd
@@ -29,6 +34,10 @@ ignore:
  - peerbroker/proto
  - provisionerd/proto
  - provisionersdk/proto
-  - scripts/datadog-cireport
+  - scripts
  - site/.storybook
  - rules.go
+  # Packages used for writing tests.
+  - cli/clitest
+  - coderd/coderdtest
+  - pty/ptytest
@@ -6,6 +6,7 @@ updates:
      interval: "weekly"
      time: "06:00"
      timezone: "America/Chicago"
+    labels: []
    commit-message:
      prefix: "chore"
    ignore:
@@ -32,22 +33,44 @@ updates:
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
-    labels:
-      - "dependencies"
-      - "go"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch

-  - package-ecosystem: "npm"
-    directory: "/site/"
+  # Update our Dockerfile.
+  - package-ecosystem: "docker"
+    directory: "/scripts/"
    schedule:
      interval: "weekly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
-    labels:
-      - "dependencies"
-      - "typescript/js"
+    labels: []
    ignore:
+      # We need to coordinate terraform updates with the version hardcoded in
+      # our Go code.
+      - dependency-name: "terraform"
+
+  - package-ecosystem: "npm"
+    directory: "/site/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    reviewers:
+      - "coder/ts"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
      # Ignore major updates to Node.js types, because they need to
      # correspond to the Node.js engine version
      - dependency-name: "@types/node"
@@ -55,16 +78,37 @@ updates:
          - version-update:semver-major

  - package-ecosystem: "terraform"
-    directory: "/examples"
+    directory: "/examples/templates"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # We likely want to update this ourselves.
+      - dependency-name: "coder/coder"
+
+  # Update dogfood.
+  - package-ecosystem: "docker"
+    directory: "/dogfood/"
    schedule:
      interval: "weekly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
-    labels:
-      - "dependencies"
-      - "terraform"
+    labels: []
+
+  - package-ecosystem: "terraform"
+    directory: "/dogfood/"
+    schedule:
+      interval: "weekly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
    ignore:
-      # We likely want to update this ourselves.
      - dependency-name: "coder/coder"
@@ -1,13 +0,0 @@
-<!-- Help reviewers by listing the subtasks in this PR
-
-Here's an example:
-
-This PR adds a new feature to the CLI.
-
-## Subtasks
-
- [x] added a test for feature
-
-Fixes #345
-
-->
@@ -1,56 +0,0 @@
-###############################################################################
-# This file configures "Semantic Pull Requests", which is documented here:
-# https://github.com/zeke/semantic-pull-requests
-#
-# This action/spec implements the "Conventional Commits" RFC which is
-# available here:
-# https://www.notion.so/coderhq/Conventional-commits-1d51287f58b64026bb29393f277734ed
-###############################################################################
-
-# We have no valid scopes right now.
-# A scope should be added when commits aren't aligning with associated change anymore.
-scopes:
-
-# We only check that the PR title is semantic. The PR title is automatically
-# applied to the "Squash & Merge" flow as the suggested commit message, so this
-# should suffice unless someone drastically alters the message in that flow.
-titleOnly: true
-
-# Types are the 'tag' types in a commit or PR title. For example, in
-#
-# chore: fix thing
-#
-# 'chore' is the type.
-types:
-  # A build of any kind.
-  - build
-
-  # Any code task that operates outside of CI, docs, or the product. Examples
-  # include configurations, linters etc.
-  - chore
-
-  # Any work performed on CI.
-  - ci
-  
-  - example
-
-  # Work that directly implements or supports the implementation of a feature.
-  - feat
-
-  # A fix for either a released or unrelesed bug.
-  - fix
-
-  # A fix for a released bug (regression fix) that is intended for patch-release
-  # purposes.
-  - hotfix
-
-  # A refactor changes code structure without any behavioral change.
-  - refactor
-
-  # A git revert for any style of commit.
-  - revert
-
-  # Adding tests of any kind. Should be separate from feature or fix
-  # implementations. For example, if a commit adds a fix + test, it's a fix
-  # commit. If a commit is simply bumping coverage, it's a test commit.
-  - test
@@ -1,14 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 14
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 5
-# Only apply the stale logic to pulls, since we are using issues to manage work
-only: pulls
-# Label to apply when stale.
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no activity occurs in the next 5 days.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
@@ -1,60 +0,0 @@
-# Note: Chromatic is a separate workflow for coder.yaml as suggested by the
-# chromatic docs. Explicitly, Chromatic works best on 'push' instead of other
-# event types (like pull request), keep in mind that it works build-over-build
-# by storing snapshots.
-#
-# SEE: https://www.chromatic.com/docs/ci
-name: chromatic
-
-on:
-  push:
-    branches:
-      - main
-    tags:
-      - "*"
-
-  pull_request:
-
-jobs:
-  deploy:
-    # REMARK: this is only used to build storybook and deploy it to Chromatic.
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          # Required by Chromatic for build-over-build history, otherwise we
-          # only get 1 commit on shallow checkout.
-          fetch-depth: 0
-
-      - name: Install dependencies
-        run: cd site && yarn
-
-      # This step is not meant for mainline because any detected changes to
-      # storybook snapshots will require manual approval/review in order for
-      # the check to pass. This is desired in PRs, but not in mainline.
-      - name: Publish to Chromatic (non-mainline)
-        if: github.ref != 'refs/heads/main'
-        uses: chromaui/action@v1
-        with:
-          buildScriptName: "storybook:build"
-          exitOnceUploaded: true
-          # Chromatic states its fine to make this token public. See:
-          # https://www.chromatic.com/docs/github-actions#forked-repositories
-          projectToken: 695c25b6cb65
-          workingDir: "./site"
-
-      # This is a separate step for mainline only that auto accepts and changes
-      # instead of holding CI up. Since we squash/merge, this is defensive to
-      # avoid the same changeset from requiring review once squashed into
-      # main. Chromatic is supposed to be able to detect that we use squash
-      # commits, but it's good to be defensive in case, otherwise CI remains
-      # infinitely "in progress" in mainline unless we re-review each build.
-      - name: Publish to Chromatic (mainline)
-        if: github.ref == 'refs/heads/main'
-        uses: chromaui/action@v1
-        with:
-          autoAcceptChanges: true
-          buildScriptName: "storybook:build"
-          projectToken: 695c25b6cb65
-          workingDir: "./site"
@@ -0,0 +1,576 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      docs-only: ${{ steps.filter.outputs.docs_count == steps.filter.outputs.all_count }}
+      go: ${{ steps.filter.outputs.go }}
+      ts: ${{ steps.filter.outputs.ts }}
+      k8s: ${{ steps.filter.outputs.k8s }}
+      ci: ${{ steps.filter.outputs.ci }}
+    steps:
+      - uses: actions/checkout@v3
+      # For pull requests it's not necessary to checkout the code
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            all:
+              - "**"
+            docs:
+              - "docs/**"
+              - "README.md"
+              - "examples/templates/**"
+              - "examples/web-server/**"
+              - "examples/monitoring/**"
+              - "examples/lima/**"
+            go:
+              - "**.sql"
+              - "**.go"
+              - "**.golden"
+              - "go.mod"
+              - "go.sum"
+              # Other non-Go files that may affect Go code:
+              - "**.rego"
+              - "**.sh"
+              - "**.tpl"
+              - "**.gotmpl"
+              - "**.gotpl"
+              - "Makefile"
+              - "site/static/error.html"
+              # Main repo directories for completeness in case other files are
+              # touched:
+              - "agent/**"
+              - "cli/**"
+              - "cmd/**"
+              - "coderd/**"
+              - "enterprise/**"
+              - "examples/*"
+              - "provisioner/**"
+              - "provisionerd/**"
+              - "provisionersdk/**"
+              - "pty/**"
+              - "scaletest/**"
+              - "tailnet/**"
+              - "testutil/**"
+            ts:
+              - "site/**"
+              - "Makefile"
+            k8s:
+              - "helm/**"
+              - "scripts/Dockerfile"
+              - "scripts/Dockerfile.base"
+              - "scripts/helm.sh"
+            ci:
+              - ".github/actions/**"
+              - ".github/workflows/ci.yaml"
+      - id: debug
+        run: |
+          echo "${{ toJSON(steps.filter )}}"
+
+  lint:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-go
+
+      - uses: ./.github/actions/setup-node
+
+      - name: Get golangci-lint cache dir
+        run: |
+          go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.2
+          dir=$(golangci-lint cache status | awk '/Dir/ { print $2 }')
+          echo "LINT_CACHE_DIR=$dir" >> $GITHUB_ENV
+
+      - name: golangci-lint cache
+        uses: buildjet/cache@v3
+        with:
+          path: |
+            ${{ env.LINT_CACHE_DIR }}
+          key: golangci-lint-${{ runner.os }}-${{ hashFiles('**/*.go') }}
+          restore-keys: |
+            golangci-lint-${{ runner.os }}-
+
+      # Check for any typos
+      - name: Check for typos
+        uses: crate-ci/typos@v1.14.12
+        with:
+          config: .github/workflows/typos.toml
+
+      - name: Fix the typos
+        if: ${{ failure() }}
+        run: |
+          echo "::notice:: you can automatically fix typos from your CLI:
+          cargo install typos-cli
+          typos -c .github/workflows/typos.toml -w"
+
+      # Needed for helm chart linting
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.9.2
+
+      - name: make lint
+        run: |
+          make --output-sync=line -j lint
+
+  gen:
+    timeout-minutes: 8
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.docs-only == 'false' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-node
+      - uses: ./.github/actions/setup-go
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.18.0/sqlc_1.18.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+
+      - name: go install tools
+        run: |
+          go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
+          go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
+          go install golang.org/x/tools/cmd/goimports@latest
+          go install github.com/mikefarah/yq/v4@v4.30.6
+          go install github.com/golang/mock/mockgen@v1.6.0
+
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile or the
+          # version in the comments will differ. This is also defined in
+          # security.yaml
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
+
+      - name: make gen
+        run: "make --output-sync -j -B gen"
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh
+
+  fmt:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      - uses: buildjet/setup-node@v3
+        with:
+          node-version: 16.16.0
+
+      - uses: buildjet/setup-go@v4
+        with:
+          # This doesn't need caching. It's super fast anyways!
+          cache: false
+          go-version: 1.20.5
+
+      - name: Install prettier
+        # We only need prettier for fmt, so do not install all dependencies.
+        # There is no way to install a single package with yarn, so we have to
+        # make a new package.json with only prettier listed as a dependency.
+        # Then running `yarn` will only install prettier.
+        run: |
+          cd site
+          mv package.json package.json.bak
+          jq '{dependencies: {prettier: .devDependencies.prettier}}' < package.json.bak > package.json
+          yarn --frozen-lockfile
+          mv package.json.bak package.json
+
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
+
+      - name: make fmt
+        run: |
+          export PATH=${PATH}:$(go env GOPATH)/bin
+          make --output-sync -j -B fmt
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh
+
+  test-go:
+    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'buildjet-4vcpu-ubuntu-2204' || matrix.os == 'macos-latest' && github.repository_owner == 'coder' && 'macos-latest-xl' || matrix.os == 'windows-2019' && github.repository_owner == 'coder' && 'windows-latest-8-cores' || matrix.os }}
+    needs: changes
+    if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-2019
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-go
+      - uses: ./.github/actions/setup-tf
+
+      - name: Test with Mock Database
+        id: test
+        shell: bash
+        run: |
+          # Code coverage is more computationally expensive and also
+          # prevents test caching, so we disable it on alternate operating
+          # systems.
+          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
+            echo "cover=true" >> $GITHUB_OUTPUT
+            export COVERAGE_FLAGS='-covermode=atomic -coverprofile="gotests.coverage" -coverpkg=./...'
+          else
+            echo "cover=false" >> $GITHUB_OUTPUT
+          fi
+
+          # By default Go will use the number of logical CPUs, which
+          # is a fine default.
+          PARALLEL_FLAG=""
+
+          export TS_DEBUG_DISCO=true
+          gotestsum --junitfile="gotests.xml" --jsonfile="gotests.json" \
+            --packages="./..." -- $PARALLEL_FLAG -short -failfast $COVERAGE_FLAGS
+
+      - name: Print test stats
+        if: success() || failure()
+        run: |
+          # Artifacts are not available after rerunning a job,
+          # so we need to print the test stats to the log.
+          go run ./scripts/ci-report/main.go gotests.json | tee gotests_stats.json
+
+      - uses: ./.github/actions/upload-datadog
+        if: success() || failure()
+        with:
+          api-key: ${{ secrets.DATADOG_API_KEY }}
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: steps.test.outputs.cover && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./gotests.coverage
+          flags: unittest-go-${{ matrix.os }}
+
+  test-go-pg:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    # This timeout must be greater than the timeout set by `go test` in
+    # `make test-postgres` to ensure we receive a trace of running
+    # goroutines. Setting this to the timeout +5m should work quite well
+    # even if some of the preceding steps are slow.
+    timeout-minutes: 25
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-go
+      - uses: ./.github/actions/setup-tf
+
+      - name: Test with PostgreSQL Database
+        run: |
+          export TS_DEBUG_DISCO=true
+          make test-postgres
+
+      - name: Print test stats
+        if: success() || failure()
+        run: |
+          # Artifacts are not available after rerunning a job,
+          # so we need to print the test stats to the log.
+          go run ./scripts/ci-report/main.go gotests.json | tee gotests_stats.json
+
+      - uses: ./.github/actions/upload-datadog
+        if: success() || failure()
+        with:
+          api-key: ${{ secrets.DATADOG_API_KEY }}
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./gotests.coverage
+          flags: unittest-go-postgres-linux
+
+  test-go-race:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    timeout-minutes: 25
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-go
+      - uses: ./.github/actions/setup-tf
+
+      - name: Run Tests
+        run: |
+          gotestsum --junitfile="gotests.xml" -- -race ./...
+
+      - uses: ./.github/actions/upload-datadog
+        if: always()
+        with:
+          api-key: ${{ secrets.DATADOG_API_KEY }}
+
+  deploy:
+    name: "deploy"
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    timeout-minutes: 30
+    needs: changes
+    if: |
+      github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+      && needs.changes.outputs.docs-only == 'false'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
+          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+
+      - uses: ./.github/actions/setup-go
+      - uses: ./.github/actions/setup-node
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+      - name: Install nfpm
+        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
+
+      - name: Install zstd
+        run: sudo apt-get install -y zstd
+
+      - name: Build Release
+        run: |
+          set -euo pipefail
+          go mod download
+
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_windows_amd64.zip \
+            build/coder_"$version"_linux_amd64.{tar.gz,deb}
+
+      - name: Install Release
+        run: |
+          set -euo pipefail
+
+          regions=(
+            # gcp-region-id instance-name systemd-service-name
+            "us-central1-a coder coder"
+            "australia-southeast1-b coder-sydney coder-workspace-proxy"
+            "europe-west3-c coder-europe coder-workspace-proxy"
+            "southamerica-east1-b coder-brazil coder-workspace-proxy"
+          )
+
+          deb_pkg="./build/coder_$(./scripts/version.sh)_linux_amd64.deb"
+          if [ ! -f "$deb_pkg" ]; then
+            echo "deb package not found: $deb_pkg"
+            ls -l ./build
+            exit 1
+          fi
+
+          gcloud config set project coder-dogfood
+          for region in "${regions[@]}"; do
+            echo "::group::$region"
+            set -- $region
+
+            set -x
+            gcloud config set compute/zone "$1"
+            gcloud compute scp "$deb_pkg" "${2}:/tmp/coder.deb"
+            gcloud compute ssh "$2" -- /bin/sh -c "set -eux; sudo dpkg -i --force-confdef /tmp/coder.deb; sudo systemctl daemon-reload; sudo service '$3' restart"
+            set +x
+
+            echo "::endgroup::"
+          done
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: coder
+          path: |
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.deb
+          retention-days: 7
+
+  test-js:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-node
+
+      - run: yarn test:ci --max-workers $(nproc)
+        working-directory: site
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./site/coverage/lcov.info
+          flags: unittest-js
+
+  test-e2e:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.go == 'true' || needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-node
+      - uses: ./.github/actions/setup-go
+      - uses: ./.github/actions/setup-tf
+
+      - name: Build
+        run: |
+          sudo npm install -g prettier
+          make -B site/out/index.html
+
+      - run: yarn playwright:install
+        working-directory: site
+
+      - run: yarn playwright:test
+        env:
+          DEBUG: pw:api
+        working-directory: site
+
+      - name: Upload Playwright Failed Tests
+        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./site/test-results/**/*.webm
+          retention-days: 7
+
+  chromatic:
+    # REMARK: this is only used to build storybook and deploy it to Chromatic.
+    runs-on: ubuntu-latest
+    needs: changes
+    if: needs.changes.outputs.ts == 'true' || needs.changes.outputs.ci == 'true' || github.ref == 'refs/heads/main'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Required by Chromatic for build-over-build history, otherwise we
+          # only get 1 commit on shallow checkout.
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-node
+
+      # This step is not meant for mainline because any detected changes to
+      # storybook snapshots will require manual approval/review in order for
+      # the check to pass. This is desired in PRs, but not in mainline.
+      - name: Publish to Chromatic (non-mainline)
+        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        env:
+          NODE_OPTIONS: "--max_old_space_size=4096"
+          STORYBOOK: true
+        with:
+          buildScriptName: "storybook:build"
+          exitOnceUploaded: true
+          # Chromatic states its fine to make this token public. See:
+          # https://www.chromatic.com/docs/github-actions#forked-repositories
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+
+      # This is a separate step for mainline only that auto accepts and changes
+      # instead of holding CI up. Since we squash/merge, this is defensive to
+      # avoid the same changeset from requiring review once squashed into
+      # main. Chromatic is supposed to be able to detect that we use squash
+      # commits, but it's good to be defensive in case, otherwise CI remains
+      # infinitely "in progress" in mainline unless we re-review each build.
+      - name: Publish to Chromatic (mainline)
+        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        env:
+          NODE_OPTIONS: "--max_old_space_size=4096"
+          STORYBOOK: true
+        with:
+          autoAcceptChanges: true
+          buildScriptName: "storybook:build"
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+
+  required:
+    runs-on: ubuntu-latest
+    needs: [fmt, lint, gen, test-go, test-go-pg, test-go-race, test-js]
+    # Allow this job to run even if the needed jobs fail, are skipped or
+    # cancelled.
+    if: always()
+    steps:
+      - name: Ensure required checks
+        run: |
+          echo "Checking required checks"
+          echo "- fmt: ${{ needs.fmt.result }}"
+          echo "- lint: ${{ needs.lint.result }}"
+          echo "- gen: ${{ needs.gen.result }}"
+          echo "- test-go: ${{ needs.test-go.result }}"
+          echo "- test-go-pg: ${{ needs.test-go-pg.result }}"
+          echo "- test-go-race: ${{ needs.test-go-race.result }}"
+          echo "- test-js: ${{ needs.test-js.result }}"
+          echo
+
+          # We allow skipped jobs to pass, but not failed or cancelled jobs.
+          if [[ "${{ contains(needs.*.result, 'failure') }}" == "true" || "${{ contains(needs.*.result, 'cancelled') }}" == "true" ]]; then
+            echo "One of the required checks has failed or has been cancelled"
+            exit 1
+          fi
+
+          echo "Required checks have passed"
@@ -1,510 +0,0 @@
-name: coder
-
-on:
-  push:
-    branches:
-      - main
-    tags:
-      - "*"
-
-  pull_request:
-
-  workflow_dispatch:
-
-permissions:
-  actions: none
-  checks: none
-  contents: read
-  deployments: none
-  issues: none
-  packages: none
-  pull-requests: none
-  repository-projects: none
-  security-events: none
-  statuses: none
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-jobs:
-  style-lint-golangci:
-    name: style/lint/golangci
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.2.0
-        with:
-          version: v1.46.0
-
-  style-lint-typescript:
-    name: "style/lint/typescript"
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - name: "yarn lint"
-        run: yarn lint
-        working-directory: site
-
-  gen:
-    name: "style/gen"
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - name: Install Protoc
-        uses: arduino/setup-protoc@v1
-        with:
-          version: "3.20.0"
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-      - run: curl -sSL
-          https://github.com/kyleconroy/sqlc/releases/download/v1.13.0/sqlc_1.13.0_linux_amd64.tar.gz
-          | sudo tar -C /usr/bin -xz sqlc
-
-      - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
-      - run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
-      - run: go install golang.org/x/tools/cmd/goimports@latest
-      - run: "make --output-sync -j gen"
-      - run: ./scripts/check_unstaged.sh
-
-  style-fmt:
-    name: "style/fmt"
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: true
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - name: "make fmt"
-        run: "make --output-sync -j fmt"
-
-  test-go:
-    name: "test/go"
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 20
-    strategy:
-      matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-2022
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Install goreleaser
-        uses: jaxxstorm/action-install-gh-release@v1.6.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          repo: gotestyourself/gotestsum
-          tag: v1.7.0
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.2
-          terraform_wrapper: false
-
-      - name: Test with Mock Database
-        shell: bash
-        env:
-          GOCOUNT: ${{ runner.os == 'Windows' && 1 || 2 }}
-          GOMAXPROCS: ${{ runner.os == 'Windows' && 1 || 2 }}
-        run: gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage"
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -timeout=3m -count=$GOCOUNT -short -failfast
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: fake
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
-
-      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./gotests.coverage
-          flags: unittest-go-${{ matrix.os }}
-          fail_ci_if_error: true
-
-  test-go-postgres:
-    name: "test/go/postgres"
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Install goreleaser
-        uses: jaxxstorm/action-install-gh-release@v1.6.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          repo: gotestyourself/gotestsum
-          tag: v1.7.0
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.2
-          terraform_wrapper: false
-
-      - name: Start PostgreSQL Database
-        env:
-          POSTGRES_PASSWORD: postgres
-          POSTGRES_USER: postgres
-          POSTGRES_DB: postgres
-          PGDATA: /tmp
-        run: |
-          docker run \
-            -e POSTGRES_PASSWORD=postgres \
-            -e POSTGRES_USER=postgres \
-            -e POSTGRES_DB=postgres \
-            -e PGDATA=/tmp \
-            -p 5432:5432 \
-            -d postgres:11 \
-            -c shared_buffers=1GB \
-            -c max_connections=1000
-          while ! pg_isready -h 127.0.0.1
-          do
-              echo "$(date) - waiting for database to start"
-              sleep 0.5
-          done
-
-      - name: Test with PostgreSQL Database
-        run: DB=ci gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage" -timeout=3m
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -count=1 -parallel=2 -race -failfast
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: postgresql
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
-
-      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./gotests.coverage
-          flags: unittest-go-postgres-${{ matrix.os }}
-          fail_ci_if_error: true
-
-  deploy:
-    name: "deploy"
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v0
-        with:
-          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
-          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com
-
-      - name: Set up Google Cloud SDK
-        uses: google-github-actions/setup-gcloud@v0
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Build site
-        run: make site/out/index.html
-
-      - name: Build Release
-        uses: goreleaser/goreleaser-action@v2.9.1
-        with:
-          version: latest
-          args: release --snapshot --rm-dist --skip-sign
-
-      - uses: actions/upload-artifact@v3
-        with:
-          name: coder_linux_amd64.deb
-          path: ./dist/coder_*_linux_amd64.deb
-
-      - name: Install Release
-        run: |
-          gcloud config set project coder-dogfood
-          gcloud config set compute/zone us-central1-a
-          gcloud compute scp ./dist/coder_*_linux_amd64.deb coder:/tmp/coder.deb
-          gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
-          gcloud compute ssh coder -- sudo systemctl daemon-reload
-
-      - name: Start
-        run: gcloud compute ssh coder -- sudo service coder restart
-
-  test-js:
-    name: "test/js"
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - uses: actions/setup-node@v3
-        with:
-          node-version: "14"
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - run: yarn test:coverage
-        working-directory: site
-
-      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./site/coverage/lcov.info
-          flags: unittest-js
-          fail_ci_if_error: true
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
-
-  test-e2e:
-    name: "test/e2e/${{ matrix.os }}"
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 20
-    strategy:
-      matrix:
-        os:
-          - ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.2
-          terraform_wrapper: false
-
-      - uses: actions/setup-node@v3
-        with:
-          node-version: "14"
-
-      - uses: goreleaser/goreleaser-action@v2
-        with:
-          install-only: true
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Build
-        run: |
-          make site/out/index.html
-
-      - run: yarn playwright:install
-        working-directory: site
-
-      - run: yarn playwright:install-deps
-        working-directory: site
-
-      - run: yarn playwright:test
-        env:
-          DEBUG: pw:api
-        working-directory: site
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: e2e
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
@@ -0,0 +1,156 @@
+name: contrib
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types:
+      - opened
+      - closed
+      - synchronize
+      - labeled
+      - unlabeled
+      - opened
+      - reopened
+      - edited
+
+# Only run one instance per PR to ensure in-order execution.
+concurrency: pr-${{ github.ref }}
+
+jobs:
+  # Dependabot is annoying, but this makes it a bit less so.
+  auto-approve-dependabot:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target'
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: hmarr/auto-approve-action@v3
+        if: github.actor == 'dependabot[bot]'
+
+  cla:
+    runs-on: ubuntu-latest
+    steps:
+      - name: cla
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # the below token should have repo scope and must be manually added by you in the repository's secret
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCOMMUNITY_GITHUB_TOKEN }}
+        with:
+          remote-organization-name: "coder"
+          remote-repository-name: "cla"
+          path-to-signatures: "v2022-09-04/signatures.json"
+          path-to-document: "https://github.com/coder/cla/blob/main/README.md"
+          # branch should not be protected
+          branch: "main"
+          allowlist: dependabot*
+
+  release-labels:
+    runs-on: ubuntu-latest
+    # Skip tagging for draft PRs.
+    if: ${{ github.event_name == 'pull_request_target' && success() && !github.event.pull_request.draft }}
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          # This script ensures PR title and labels are in sync:
+          #
+          # When release/breaking label is:
+          # - Added, rename PR title to include ! (e.g. feat!:)
+          # - Removed, rename PR title to strip ! (e.g. feat:)
+          #
+          # When title is:
+          # - Renamed (+!), add the release/breaking label
+          # - Renamed (-!), remove the release/breaking label
+          script: |
+            const releaseLabels = {
+              breaking: "release/breaking",
+            }
+
+            const { action, changes, label, pull_request } = context.payload
+            const { title } = pull_request
+            const labels = pull_request.labels.map((label) => label.name)
+            const isBreakingTitle = isBreaking(title)
+
+            // Debug information.
+            console.log("Action: %s", action)
+            console.log("Title: %s", title)
+            console.log("Labels: %s", labels.join(", "))
+
+            const params = {
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            }
+
+            if (action === "opened" || action === "reopened") {
+              if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
+                console.log('Add "%s" label', releaseLabels.breaking)
+                await github.rest.issues.addLabels({
+                  ...params,
+                  labels: [releaseLabels.breaking],
+                })
+              }
+            }
+
+            if (action === "edited" && changes.title) {
+              if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
+                console.log('Add "%s" label', releaseLabels.breaking)
+                await github.rest.issues.addLabels({
+                  ...params,
+                  labels: [releaseLabels.breaking],
+                })
+              }
+
+              if (!isBreakingTitle && labels.includes(releaseLabels.breaking)) {
+                const wasBreakingTitle = isBreaking(changes.title.from)
+                if (wasBreakingTitle) {
+                  console.log('Remove "%s" label', releaseLabels.breaking)
+                  await github.rest.issues.removeLabel({
+                    ...params,
+                    name: releaseLabels.breaking,
+                  })
+                } else {
+                  console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
+                  await github.rest.issues.update({
+                    ...params,
+                    title: toBreaking(title),
+                  })
+                }
+              }
+            }
+
+            if (action === "labeled") {
+              if (label.name === releaseLabels.breaking && !isBreakingTitle) {
+                console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
+                await github.rest.issues.update({
+                  ...params,
+                  title: toBreaking(title),
+                })
+              }
+            }
+
+            if (action === "unlabeled") {
+              if (label.name === releaseLabels.breaking && isBreakingTitle) {
+                console.log('Rename title from "%s" to "%s"', title, fromBreaking(title))
+                await github.rest.issues.update({
+                  ...params,
+                  title: fromBreaking(title),
+                })
+              }
+            }
+
+            function isBreaking(t) {
+              return t.split(" ")[0].endsWith("!:")
+            }
+
+            function toBreaking(t) {
+              const parts = t.split(" ")
+              return [parts[0].replace(/:$/, "!:"), ...parts.slice(1)].join(" ")
+            }
+
+            function fromBreaking(t) {
+              const parts = t.split(" ")
+              return [parts[0].replace(/!:$/, ":"), ...parts.slice(1)].join(" ")
+            }
@@ -0,0 +1,90 @@
+name: docker-base
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - scripts/Dockerfile.base
+      - scripts/Dockerfile
+
+  schedule:
+    # Run every week at 09:43 on Monday, Wednesday and Friday. We build this
+    # frequently to ensure that packages are up-to-date.
+    - cron: "43 9 * * 1,3,5"
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for depot.dev authentication.
+  id-token: write
+
+# Avoid running multiple jobs for the same commit.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-docker-base
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'coder'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Docker login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create empty base-build-context directory
+        run: mkdir base-build-context
+
+      - name: Install depot.dev CLI
+        uses: depot/setup-action@v1
+
+      # This uses OIDC authentication, so no auth variables are required.
+      - name: Build base Docker image via depot.dev
+        uses: depot/build-push-action@v1
+        with:
+          project: wl5hnrrkns
+          context: base-build-context
+          file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          pull: true
+          no-cache: true
+          push: true
+          tags: |
+            ghcr.io/coder/coder-base:latest
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
@@ -0,0 +1,76 @@
+name: dogfood
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "dogfood/**"
+      - ".github/workflows/dogfood.yaml"
+  # Uncomment these lines when testing with CI.
+  # pull_request:
+  #   paths:
+  #     - "dogfood/**"
+  #     - ".github/workflows/dogfood.yaml"
+  workflow_dispatch:
+
+jobs:
+  deploy_image:
+    runs-on: buildjet-4vcpu-ubuntu-2204
+    steps:
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v6.5
+
+      - name: "Branch name to Docker tag name"
+        id: docker-tag-name
+        run: |
+          tag=${{ steps.branch-name.outputs.current_branch }}
+          # Replace / with --, e.g. user/feature => user--feature.
+          tag=${tag//\//--}
+          echo "tag=${tag}" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: "{{defaultContext}}:dogfood"
+          push: true
+          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
+          cache-from: type=registry,ref=codercom/oss-dogfood:latest
+          cache-to: type=inline
+  deploy_template:
+    needs: deploy_image
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Get short commit SHA
+        id: vars
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      - name: "Get latest Coder binary from the server"
+        run: |
+          curl -fsSL "https://dev.coder.com/bin/coder-linux-amd64" -o "./coder"
+          chmod +x "./coder"
+      - name: "Push template"
+        run: |
+          ./coder templates push $CODER_TEMPLATE_NAME --directory $CODER_TEMPLATE_DIR --yes --name=$CODER_TEMPLATE_VERSION
+        env:
+          # Consumed by Coder CLI
+          CODER_URL: https://dev.coder.com
+          CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }}
+          # Template source & details
+          CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
+          CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
+          CODER_TEMPLATE_DIR: ./dogfood
@@ -0,0 +1,23 @@
+{
+  "ignorePatterns": [
+    {
+      "pattern": "://localhost"
+    },
+    {
+      "pattern": "://.*.?example\\.com"
+    },
+    {
+      "pattern": "developer.github.com"
+    },
+    {
+      "pattern": "docs.github.com"
+    },
+    {
+      "pattern": "support.google.com"
+    },
+    {
+      "pattern": "tailscale.com"
+    }
+  ],
+  "aliveStatusCodes": [200, 0]
+}
@@ -0,0 +1,51 @@
+# The nightly-gauntlet runs tests that are either too flaky or too slow to block
+# every PR.
+name: nightly-gauntlet
+on:
+  schedule:
+    # Every day at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+jobs:
+  go-race:
+    # While GitHub's toaster runners are likelier to flake, we want consistency
+    # between this environment and the regular test environment for DataDog
+    # statistics and to only show real workflow threats.
+    runs-on: "buildjet-8vcpu-ubuntu-2204"
+    # This runner costs 0.016 USD per minute,
+    # so 0.016 * 240 = 3.84 USD per run.
+    timeout-minutes: 240
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-go
+      - uses: ./.github/actions/setup-tf
+
+      - name: Run Tests
+        run: |
+          # -race is likeliest to catch flaky tests
+          # due to correctness detection and its performance
+          # impact.
+          gotestsum --junitfile="gotests.xml" -- -timeout=240m -count=10 -race ./...
+
+      - uses: ./.github/actions/upload-datadog
+        if: always()
+        with:
+          api-key: ${{ secrets.DATADOG_API_KEY }}
+
+  go-timing:
+    # We run these tests with p=1 so we don't need a lot of compute.
+    runs-on: "buildjet-2vcpu-ubuntu-2204"
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: ./.github/actions/setup-go
+      - name: Run Tests
+        run: |
+          gotestsum --junitfile="gotests.xml" -- --tags="timing" -p=1 -run='_Timing/' ./...
+
+      - uses: ./.github/actions/upload-datadog
+        if: always()
+        with:
+          api-key: ${{ secrets.DATADOG_API_KEY }}
@@ -0,0 +1,16 @@
+# Filtering pull requests is much easier when we can reliably guarantee
+# that the "Assignee" field is populated.
+name: PR Auto Assign
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  assign-author:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: toshimaru/auto-author-assign@v1.6.2
@@ -0,0 +1,50 @@
+name: Cleanup PR
+on:
+  pull_request:
+    types: [closed]
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number"
+        required: true
+
+permissions:
+  packages: write
+
+jobs:
+  cleanup:
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Get PR number
+        id: pr_number
+        run: |
+          if [ -n "${{ github.event.pull_request.number }}" ]; then
+            echo "PR_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_OUTPUT
+          else
+            echo "PR_NUMBER=${{ github.event.inputs.pr_number }}" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Delete image
+        continue-on-error: true
+        uses: bots-house/ghcr-delete-image-action@v1.1.0
+        with:
+          owner: coder
+          name: coder-preview
+          token: ${{ secrets.GITHUB_TOKEN }}
+          tag: pr${{ steps.pr_number.outputs.PR_NUMBER }}
+
+      - name: Set up kubeconfig
+        run: |
+          set -euxo pipefail
+          mkdir -p ~/.kube
+          echo "${{ secrets.DELIVERYBOT_KUBECONFIG }}" > ~/.kube/config
+          export KUBECONFIG=~/.kube/config
+
+      - name: Delete helm release
+        run: |
+          set -euxo pipefail
+          helm delete --namespace "pr${{ steps.pr_number.outputs.PR_NUMBER }}" "pr${{ steps.pr_number.outputs.PR_NUMBER }}" || echo "helm release not found"
+
+      - name: "Remove PR namespace"
+        run: |
+          kubectl delete namespace "pr${{ steps.pr_number.outputs.PR_NUMBER }}" || echo "namespace not found"
@@ -0,0 +1,207 @@
+# This action will trigger when a PR is commentted containing /review-pr by a member of the org.
+name: Deploy PR
+on:
+  issue_comment:
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: "PR number"
+        required: true
+
+env:
+  REPO: ghcr.io/coder/coder-preview
+
+permissions:
+  contents: read
+  packages: write
+  pull-requests: write
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  pr_commented:
+    if: github.event_name == 'issue_comment' && contains(github.event.comment.body, '/deploy-pr') && github.event.comment.author_association == 'MEMBER' || github.event_name == 'workflow_dispatch'
+    outputs:
+      PR_NUMBER: ${{ steps.pr_number.outputs.PR_NUMBER }}
+      PR_TITLE: ${{ steps.pr_number.outputs.PR_TITLE }}
+      PR_URL: ${{ steps.pr_number.outputs.PR_URL }}
+      COMMENT_ID: ${{ steps.comment_id.outputs.comment-id }}
+      CODER_BASE_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_BASE_IMAGE_TAG }}
+      CODER_IMAGE_TAG: ${{ steps.set_tags.outputs.CODER_IMAGE_TAG }}
+
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Get PR number and title
+        id: pr_number
+        run: |
+          set -euxo pipefail
+          if [[ ${{ github.event_name }} == "workflow_dispatch" ]]; then
+            PR_NUMBER=${{ github.event.inputs.pr_number }}
+            PR_TITLE=$(curl -sSL -H "Authorization: token ${{ secrets.GITHUB_TOKEN }}" "https://api.github.com/repos/coder/coder/pulls/$PR_NUMBER" | jq -r '.title')
+          else
+            PR_NUMBER=${{ github.event.issue.number }}
+            PR_TITLE='${{ github.event.issue.title }}'
+          fi
+          echo "PR_URL=https://github.com/coder/coder/pull/$PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "PR_NUMBER=$PR_NUMBER" >> $GITHUB_OUTPUT
+          echo "PR_TITLE=$PR_TITLE" >> $GITHUB_OUTPUT
+
+      - name: Set required tags
+        id: set_tags
+        run: |
+          set -euxo pipefail
+          echo "CODER_BASE_IMAGE_TAG=$CODER_BASE_IMAGE_TAG" >> $GITHUB_OUTPUT
+          echo "CODER_IMAGE_TAG=$CODER_IMAGE_TAG" >> $GITHUB_OUTPUT
+        env:
+          CODER_BASE_IMAGE_TAG: ghcr.io/coder/coder-preview-base:pr${{ steps.pr_number.outputs.PR_NUMBER }}
+          CODER_IMAGE_TAG: ghcr.io/coder/coder-preview:pr${{ steps.pr_number.outputs.PR_NUMBER }}
+
+      - name: Find Deploy Comment
+        if: github.event_name == 'issue_comment'
+        uses: peter-evans/find-comment@v2
+        id: fco
+        with:
+          issue-number: ${{ steps.pr_number.outputs.PR_NUMBER }}
+          comment-author: "github-actions[bot]"
+          body-includes: /deploy-pr
+
+      - name: React with Rocket
+        if: github.event_name == 'issue_comment'
+        id: comment_ido
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ steps.fco.outputs.comment-id }}
+          reactions: rocket
+
+      - name: Find Comment
+        uses: peter-evans/find-comment@v2
+        id: fc
+        with:
+          issue-number: ${{ steps.pr_number.outputs.PR_NUMBER }}
+          comment-author: "github-actions[bot]"
+          body-includes: This deployment will be deleted when the PR is closed
+
+      - name: Comment on PR
+        id: comment_id
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          comment-id: ${{ steps.fc.outputs.comment-id }}
+          issue-number: ${{ steps.pr_number.outputs.PR_NUMBER }}
+          edit-mode: replace
+          body: |
+            :rocket: Deploying PR ${{ steps.pr_number.outputs.PR_NUMBER }} ...
+            :warning: This deployment will be deleted when the PR is closed.
+
+  build:
+    needs: pr_commented
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    env:
+      DOCKER_CLI_EXPERIMENTAL: "enabled"
+      CODER_IMAGE_TAG: ${{ needs.pr_commented.outputs.coder_image_tag }}
+      PR_NUMBER: ${{ needs.pr_commented.outputs.pr_number }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-go
+
+      - uses: ./.github/actions/setup-node
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.18.0/sqlc_1.18.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+
+      - name: GHCR Login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push Linux amd64 Docker image
+        run: |
+          set -euxo pipefail
+          go mod download
+          make gen/mark-fresh
+          export DOCKER_IMAGE_NO_PREREQUISITES=true
+          version="$(./scripts/version.sh)"
+          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
+          make -j build/coder_linux_amd64
+          ./scripts/build_docker.sh \
+            --arch amd64 \
+            --target ${{ env.CODER_IMAGE_TAG }} \
+            --version $version \
+            --push \
+            build/coder_linux_amd64
+
+  deploy:
+    needs: [build, pr_commented]
+    if: needs.build.result == 'success'
+    runs-on: "ubuntu-latest"
+    env:
+      CODER_IMAGE_TAG: ${{ needs.pr_commented.outputs.CODER_IMAGE_TAG }}
+      PR_NUMBER: ${{ needs.pr_commented.outputs.PR_NUMBER }}
+      PR_TITLE: ${{ needs.pr_commented.outputs.PR_TITLE }}
+      PR_URL: ${{ needs.pr_commented.outputs.PR_URL }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: "Set up kubeconfig"
+        run: |
+          set -euxo pipefail
+          mkdir -p ~/.kube
+          echo "${{ secrets.DELIVERYBOT_KUBECONFIG }}" > ~/.kube/config
+          export KUBECONFIG=~/.kube/config
+
+      - name: "Create PR namespace"
+        run: |
+          set -euxo pipefail
+          # try to delete the namespace, but don't fail if it doesn't exist
+          kubectl delete namespace "pr${{ env.PR_NUMBER }}" || true
+          kubectl create namespace "pr${{ env.PR_NUMBER }}"
+
+      - name: "Install Helm chart"
+        run: |
+          helm upgrade --install pr${{ env.PR_NUMBER }}  ./helm \
+          --namespace "pr${{ env.PR_NUMBER }}" \
+          --set coder.image.repo=${{ env.REPO }} \
+          --set coder.image.tag=pr${{ env.PR_NUMBER }} \
+          --set coder.service.type=ClusterIP \
+          --set coder.env[0].name=CODER_ACCESS_URL \
+          --set coder.env[0].value="" \
+          --force
+
+      - name: "Get deployment URL"
+        id: deployment_url
+        run: |
+          set -euo pipefail
+          kubectl rollout status deployment/coder --namespace "pr${{ env.PR_NUMBER }}"
+          POD_NAME=$(kubectl get pods -n "pr${{ env.PR_NUMBER }}" | awk 'NR==2{print $1}')
+          CODER_ACCESS_URL=$(kubectl logs $POD_NAME -n "pr${{ env.PR_NUMBER }}" | grep "Web UI:" | awk -F ':' '{print $2":"$3}' | awk '{$1=$1};1')
+          echo "::add-mask::$CODER_ACCESS_URL"
+          echo "CODER_ACCESS_URL=$CODER_ACCESS_URL" >> $GITHUB_OUTPUT
+
+      - name: Send Slack notification
+        run: |
+          curl -s -o /dev/null -X POST -H 'Content-type: application/json' \
+          -d '{
+            "pr_number": "'"${{ env.PR_NUMBER }}"'",
+            "pr_url": "'"${{ env.PR_URL }}"'",
+            "pr_title": "'"${{ env.PR_TITLE }}"'",
+            "pr_access_url": "'"${{ steps.deployment_url.outputs.CODER_ACCESS_URL }}"'" }' ${{ secrets.PR_DEPLOYMENTS_SLACK_WEBHOOK }}
+          echo "Slack notification sent"
+
+      - name: Comment on PR
+        uses: peter-evans/create-or-update-comment@v3
+        with:
+          issue-number: ${{ env.PR_NUMBER }}
+          edit-mode: replace
+          comment-id: ${{ needs.pr_commented.outputs.COMMENT_ID }}
+          body: |
+            :heavy_check_mark: Deployed PR ${{ env.PR_NUMBER }} successfully.
+            :rocket: Access the deployment link [here](https://codercom.slack.com/archives/C05DNE982E8).
+            :warning: This deployment will be deleted when the PR is closed.
+          reactions: "+1"
@@ -1,70 +1,104 @@
-name: release
+# GitHub release workflow.
+name: Release
 on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
+    inputs:
+      dry_run:
+        description: Perform a dry-run release (devel). Note that ref must be an annotated tag when run without dry-run.
+        type: boolean
+        required: true
+        default: false
+
+permissions:
+  # Required to publish a release
+  contents: write
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+  id-token: write
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}
+
+env:
+  # Use `inputs` (vs `github.event.inputs`) to ensure that booleans are actual
+  # booleans, not strings.
+  # https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/
+  CODER_RELEASE: ${{ !inputs.dry_run }}
+  CODER_DRY_RUN: ${{ inputs.dry_run }}
+  # For some reason, setup-go won't actually pick up a new patch version if
+  # it has an old one cached. We need to manually specify the versions so we
+  # can get the latest release. Never use "~1.xx" here!
+  CODER_GO_VERSION: "1.20.5"

 jobs:
-  goreleaser:
-    runs-on: macos-latest
+  release:
+    name: Build and publish
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
    env:
      # Necessary for Docker manifest
      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    outputs:
+      version: ${{ steps.version.outputs.version }}
    steps:
-      # Docker is not included on macos-latest
-      - uses: docker-practice/actions-setup-docker@1.0.10
-
      - uses: actions/checkout@v3
        with:
          fetch-depth: 0

-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      - name: Print version
+        id: version
+        run: |
+          set -euo pipefail
+          version="$(./scripts/version.sh)"
+          echo "version=$version" >> $GITHUB_OUTPUT
+          # Speed up future version.sh calls.
+          echo "CODER_FORCE_VERSION=$version" >> $GITHUB_ENV
+          echo "$version"
+
+      - name: Create release notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # We always have to set this since there might be commits on
+          # main that didn't have a PR.
+          CODER_IGNORE_MISSING_COMMIT_METADATA: "1"
+        run: |
+          set -euo pipefail
+          ref=HEAD
+          old_version="$(git describe --abbrev=0 "$ref^1")"
+          version="$(./scripts/version.sh)"
+
+          # Generate notes.
+          release_notes_file="$(mktemp -t release_notes.XXXXXX)"
+          ./scripts/release/generate_release_notes.sh --old-version "$old_version" --new-version "$version" --ref "$ref" >> "$release_notes_file"
+          echo CODER_RELEASE_NOTES_FILE="$release_notes_file" >> $GITHUB_ENV
+
+      - name: Show release notes
+        run: |
+          set -euo pipefail
+          cat "$CODER_RELEASE_NOTES_FILE"

      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
-          username: ${{ github.repository_owner }}
+          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Install Gon
-        run: |
-          brew tap mitchellh/gon
-          brew install mitchellh/gon/gon
-
-      - name: Import Signing Certificates
-        uses: Apple-Actions/import-codesign-certs@v1
-        with:
-          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
-          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+      - uses: ./.github/actions/setup-go

      - name: Cache Node
        id: cache-node
-        uses: actions/cache@v3
+        uses: buildjet/cache@v3
        with:
          path: |
            **/node_modules
@@ -73,18 +107,307 @@ jobs:
          restore-keys: |
            js-${{ runner.os }}-

-      - name: Install make
-        run: brew install make
+      - name: Install nsis and zstd
+        run: sudo apt-get install -y nsis zstd

-      - name: Build Site
-        run: make site/out/index.html
+      - name: Install nfpm
+        run: |
+          set -euo pipefail
+          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.18.1/nfpm_amd64.deb
+          sudo dpkg -i /tmp/nfpm.deb
+          rm /tmp/nfpm.deb

-      - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@v2.9.1
+      - name: Install rcodesign
+        run: |
+          set -euo pipefail
+          wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-x86_64-unknown-linux-musl.tar.gz
+          sudo tar -xzf /tmp/rcodesign.tar.gz \
+            -C /usr/bin \
+            --strip-components=1 \
+            apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
+          rm /tmp/rcodesign.tar.gz
+
+      - name: Setup Apple Developer certificate and API key
+        run: |
+          set -euo pipefail
+          touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          echo "$AC_CERTIFICATE_P12_BASE64" | base64 -d > /tmp/apple_cert.p12
+          echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt
+          echo "$AC_APIKEY_P8_BASE64" | base64 -d > /tmp/apple_apikey.p8
+        env:
+          AC_CERTIFICATE_P12_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}
+
+      - name: Build binaries
+        run: |
+          set -euo pipefail
+          go mod download
+
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
+            build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \
+            build/coder_"$version"_windows_amd64_installer.exe \
+            build/coder_helm_"$version".tgz
+        env:
+          CODER_SIGN_DARWIN: "1"
+          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
+          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_FILE: /tmp/apple_apikey.p8
+
+      - name: Delete Apple Developer certificate and API key
+        run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+
+      - name: Determine base image tag
+        id: image-base-tag
+        run: |
+          set -euo pipefail
+          if [[ "${CODER_RELEASE:-}" != *t* ]] || [[ "${CODER_DRY_RUN:-}" == *t* ]]; then
+            # Empty value means use the default and avoid building a fresh one.
+            echo "tag=" >> $GITHUB_OUTPUT
+          else
+            echo "tag=$(CODER_IMAGE_BASE=ghcr.io/coder/coder-base ./scripts/image_tag.sh)" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create empty base-build-context directory
+        if: steps.image-base-tag.outputs.tag != ''
+        run: mkdir base-build-context
+
+      - name: Install depot.dev CLI
+        if: steps.image-base-tag.outputs.tag != ''
+        uses: depot/setup-action@v1
+
+      # This uses OIDC authentication, so no auth variables are required.
+      - name: Build base Docker image via depot.dev
+        if: steps.image-base-tag.outputs.tag != ''
+        uses: depot/build-push-action@v1
        with:
-          version: latest
-          args: release --rm-dist
+          project: wl5hnrrkns
+          context: base-build-context
+          file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          pull: true
+          no-cache: true
+          push: true
+          tags: |
+            ${{ steps.image-base-tag.outputs.tag }}
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw "${{ steps.image-base-tag.outputs.tag }}") || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
+
+      - name: Build Linux Docker images
+        run: |
+          set -euxo pipefail
+
+          # build Docker images for each architecture
+          version="$(./scripts/version.sh)"
+          make -j build/coder_"$version"_linux_{amd64,arm64,armv7}.tag
+
+          # we can't build multi-arch if the images aren't pushed, so quit now
+          # if dry-running
+          if [[ "$CODER_RELEASE" != *t* ]]; then
+            echo Skipping multi-arch docker builds due to dry-run.
+            exit 0
+          fi
+
+          # build and push multi-arch manifest, this depends on the other images
+          # being pushed so will automatically push them.
+          make -j push/build/coder_"$version"_linux.tag
+
+          # if the current version is equal to the highest (according to semver)
+          # version in the repo, also create a multi-arch image as ":latest" and
+          # push it
+          if [[ "$(git tag | grep '^v' | grep -vE '(rc|dev|-|\+|\/)' | sort -r --version-sort | head -n1)" == "v$(./scripts/version.sh)" ]]; then
+            ./scripts/build_docker_multiarch.sh \
+              --push \
+              --target "$(./scripts/image_tag.sh --version latest)" \
+              $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
+          fi
+        env:
+          CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}
+
+      - name: ls build
+        run: ls -lh build
+
+      - name: Publish release
+        run: |
+          set -euo pipefail
+
+          publish_args=()
+          if [[ $CODER_DRY_RUN == *t* ]]; then
+            publish_args+=(--dry-run)
+          fi
+          declare -p publish_args
+
+          ./scripts/release/publish.sh \
+            "${publish_args[@]}" \
+            --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
+            ./build/*_installer.exe \
+            ./build/*.zip \
+            ./build/*.tar.gz \
+            ./build/*.tgz \
+            ./build/*.apk \
+            ./build/*.deb \
+            ./build/*.rpm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          AC_USERNAME: ${{ secrets.AC_USERNAME }}
-          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
+          CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Setup GCloud SDK
+        uses: "google-github-actions/setup-gcloud@v1"
+
+      - name: Publish Helm Chart
+        if: ${{ !inputs.dry_run }}
+        run: |
+          set -euo pipefail
+          version="$(./scripts/version.sh)"
+          mkdir -p build/helm
+          cp "build/coder_helm_${version}.tgz" build/helm
+          gsutil cp gs://helm.coder.com/v2/index.yaml build/helm/index.yaml
+          helm repo index build/helm --url https://helm.coder.com/v2 --merge build/helm/index.yaml
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/coder_helm_${version}.tgz gs://helm.coder.com/v2
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/index.yaml gs://helm.coder.com/v2
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp helm/artifacthub-repo.yml gs://helm.coder.com/v2
+
+      - name: Upload artifacts to actions (if dry-run)
+        if: ${{ inputs.dry_run }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: release-artifacts
+          path: |
+            ./build/*_installer.exe
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.tgz
+            ./build/*.apk
+            ./build/*.deb
+            ./build/*.rpm
+          retention-days: 7
+
+      - name: Start Packer builds
+        if: ${{ !inputs.dry_run }}
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
+          repository: coder/packages
+          event-type: coder-release
+          client-payload: '{"coder_version": "${{ steps.version.outputs.version }}"}'
+
+  publish-winget:
+    name: Publish to winget-pkgs
+    runs-on: windows-latest
+    needs: release
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      - name: Install wingetcreate
+        run: |
+          Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
+
+      - name: Submit updated manifest to winget-pkgs
+        run: |
+          # The package version is the same as the tag minus the leading "v".
+          # The version in this output already has the leading "v" removed but
+          # we do it again to be safe.
+          $version = "${{ needs.release.outputs.version }}".Trim('v')
+
+          $release_assets = gh release view --repo coder/coder "v${version}" --json assets | `
+            ConvertFrom-Json
+          # Get the installer URL from the release assets.
+          $installer_url = $release_assets.assets | `
+            Where-Object name -Match ".*_windows_amd64_installer.exe$" | `
+            Select -ExpandProperty url
+
+          echo "Installer URL: ${installer_url}"
+          echo "Package version: ${version}"
+
+          # Bail if dry-run.
+          if ($env:CODER_DRY_RUN -match "t") {
+            echo "Skipping submission due to dry-run."
+            exit 0
+          }
+
+          # The URL "|X64" suffix forces the architecture as it cannot be
+          # sniffed properly from the URL. wingetcreate checks both the URL and
+          # binary magic bytes for the architecture and they need to both match,
+          # but they only check for `x64`, `win64` and `_64` in the URL. Our URL
+          # contains `amd64` which doesn't match sadly.
+          #
+          # wingetcreate will still do the binary magic bytes check, so if we
+          # accidentally change the architecture of the installer, it will fail
+          # submission.
+          .\wingetcreate.exe update Coder.Coder `
+            --submit `
+            --version "${version}" `
+            --urls "${installer_url}|X64" `
+            --token "$env:WINGET_GH_TOKEN"
+
+        env:
+          # For gh CLI:
+          GH_TOKEN: ${{ github.token }}
+          # For wingetcreate. We need a real token since we're pushing a commit
+          # to GitHub and then making a PR in a different repo.
+          WINGET_GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
+
+      - name: Comment on PR
+        if: ${{ !inputs.dry_run }}
+        run: |
+          # Find the PR that wingetcreate just made.
+          $version = "${{ needs.release.outputs.version }}".Trim('v')
+          $pr_list = gh pr list --repo microsoft/winget-pkgs --search "author:cdrci Coder.Coder version ${version}" --limit 1 --json number | `
+            ConvertFrom-Json
+          $pr_number = $pr_list[0].number
+
+          gh pr comment --repo microsoft/winget-pkgs "${pr_number}" --body "🤖 cc: @deansheather @matifali"
+
+        env:
+          # For gh CLI. We need a real token since we're commenting on a PR in a
+          # different repo.
+          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
@@ -0,0 +1,167 @@
+name: "security"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+on:
+  workflow_dispatch:
+
+  schedule:
+    # Run every 6 hours Monday-Friday!
+    - cron: "0 0/6 * * 1-5"
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-security
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+env:
+  CODER_GO_VERSION: "1.20.5"
+
+jobs:
+  codeql:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: go, javascript
+
+      - uses: ./.github/actions/setup-go
+
+      # Workaround to prevent CodeQL from building the dashboard.
+      - name: Remove Makefile
+        run: |
+          rm Makefile
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+
+      - name: Send Slack notification on failure
+        if: ${{ failure() }}
+        run: |
+          msg="❌ CodeQL Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl \
+            -qfsSL \
+            -X POST \
+            -H "Content-Type: application/json" \
+            --data "{\"content\": \"$msg\"}" \
+            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
+
+  trivy:
+    runs-on: ${{ github.repository_owner == 'coder' && 'buildjet-8vcpu-ubuntu-2204' || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: ./.github/actions/setup-go
+
+      - name: Cache Node
+        id: cache-node
+        uses: buildjet/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.18.0/sqlc_1.18.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+      - name: Install yq
+        run: go run github.com/mikefarah/yq/v4@v4.30.6
+      - name: Install mockgen
+        run: go install github.com/golang/mock/mockgen@v1.6.0
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.30
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.33
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile or the
+          # version in the comments will differ. This is also defined in
+          # ci.yaml.
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
+
+      - name: Build Coder linux amd64 Docker image
+        id: build
+        run: |
+          set -euo pipefail
+
+          version="$(./scripts/version.sh)"
+          image_job="build/coder_${version}_linux_amd64.tag"
+
+          # This environment variable force make to not build packages and
+          # archives (which the Docker image depends on due to technical reasons
+          # related to concurrent FS writes).
+          export DOCKER_IMAGE_NO_PREREQUISITES=true
+          # This environment variables forces scripts/build_docker.sh to build
+          # the base image tag locally instead of using the cached version from
+          # the registry.
+          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
+
+          make -j "$image_job"
+          echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
+
+      - name: Run Prisma Cloud image scan
+        uses: PaloAltoNetworks/prisma-cloud-scan@v1
+        with:
+          pcc_console_url: ${{ secrets.PRISMA_CLOUD_URL }}
+          pcc_user: ${{ secrets.PRISMA_CLOUD_ACCESS_KEY }}
+          pcc_pass: ${{ secrets.PRISMA_CLOUD_SECRET_KEY }}
+          image_name: ${{ steps.build.outputs.image }}
+
+      - name: Scan image
+        id: sysdig-scan
+        uses: sysdiglabs/scan-action@v3
+        with:
+          image-tag: ${{ steps.build.outputs.image }}
+          sysdig-secure-token: ${{ secrets.SYSDIG_API_TOKEN }}
+          input-type: docker-daemon
+          sysdig-secure-url: https://app.us4.sysdig.com
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif
+          category: "Trivy"
+
+      - name: Upload Trivy scan results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy
+          path: trivy-results.sarif
+          retention-days: 7
+
+      - name: Send Slack notification on failure
+        if: ${{ failure() }}
+        run: |
+          msg="❌ Trivy Failed\n\nhttps://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          curl \
+            -qfsSL \
+            -X POST \
+            -H "Content-Type: application/json" \
+            --data "{\"content\": \"$msg\"}" \
+            "${{ secrets.SLACK_SECURITY_FAILURE_WEBHOOK_URL }}"
@@ -0,0 +1,66 @@
+name: Stale Issue, Banch and Old Workflows Cleanup
+on:
+  schedule:
+    # Every day at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+jobs:
+  issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+      actions: write
+    steps:
+      - uses: actions/stale@v8.0.0
+        with:
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
+          days-before-stale: 90
+          # Pull Requests become stale more quickly due to merge conflicts.
+          # Also, we promote minimizing WIP.
+          days-before-pr-stale: 7
+          days-before-pr-close: 3
+          # We rarely take action in response to the message, so avoid
+          # cluttering the issue and just close the oldies.
+          stale-pr-message: ""
+          stale-issue-message: ""
+          # Upped from 30 since we have a big tracker and was hitting the limit.
+          operations-per-run: 60
+          # Start with the oldest issues, always.
+          ascending: true
+  branches:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Run delete-old-branches-action
+        uses: beatlabs/delete-old-branches-action@v0.0.10
+        with:
+          repo_token: ${{ github.token }}
+          date: "6 months ago"
+          dry_run: false
+          delete_tags: false
+          # extra_protected_branch_regex: ^(foo|bar)$
+          exclude_open_pr_branches: true
+  del_runs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete PR Cleanup workflow runs
+        uses: Mattraks/delete-workflow-runs@v2
+        with:
+          token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          retain_days: 1
+          keep_minimum_runs: 1
+          delete_workflow_pattern: pr-cleanup.yaml
+
+      - name: Delete PR Deploy workflow skipped runs
+        uses: Mattraks/delete-workflow-runs@v2
+        with:
+          token: ${{ github.token }}
+          repository: ${{ github.repository }}
+          retain_days: 0
+          keep_minimum_runs: 0
+          delete_run_by_conclusion_pattern: skipped
+          delete_workflow_pattern: pr-deploy.yaml
@@ -0,0 +1,28 @@
+[default.extend-identifiers]
+alog = "alog"
+Jetbrains = "JetBrains"
+IST = "IST"
+MacOS = "macOS"
+AKS = "AKS"
+
+[default.extend-words]
+AKS = "AKS"
+# do as sudo replacement
+doas = "doas"
+darcula = "darcula"
+Hashi = "Hashi"
+trialer = "trialer"
+encrypter = "encrypter"
+
+[files]
+extend-exclude = [
+    "**.svg",
+    "**.png",
+    "**.lock",
+    "go.sum",
+    "go.mod",
+    # These files contain base64 strings that confuse the detector
+    "**XService**.ts",
+    "**identity.go",
+    "scripts/ci-report/testdata/**",
+]
@@ -0,0 +1,32 @@
+name: weekly-docs
+# runs every monday at 9 am
+on:
+  schedule:
+    - cron: "0 9 * * 1"
+  workflow_dispatch: # allows to run manually for testing
+
+jobs:
+  check-docs:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@master
+
+      - name: Check Markdown links
+        uses: gaurav-nelson/github-action-markdown-link-check@v1
+        id: markdown-link-check
+        # checks all markdown files from /docs including all subfolders
+        with:
+          use-quiet-mode: "yes"
+          use-verbose-mode: "yes"
+          config-file: ".github/workflows/mlc_config.json"
+          folder-path: "docs/"
+          file-path: "./README.md"
+
+      - name: Send Slack notification
+        if: failure()
+        run: |
+          curl -X POST -H 'Content-type: application/json' -d '{"msg":"Broken links found in the documentation. Please check the logs at ${{ env.LOGS_URL }}"}' ${{ secrets.DOCS_LINK_SLACK_WEBHOOK }}
+          echo "Sent Slack notification"
+        env:
+          LOGS_URL: https://github.com/coder/coder/actions/runs/${{ github.run_id }}
@@ -1,40 +1,63 @@
-###############################################################################
-#                                 NOTICE                                      #
-# If you change this file, kindly copy-pasta your change into .prettierignore #
-# and .eslintignore as well. See the following discussions to understand why  #
-# we have to resort to this duplication (at least for now):                   #
-#                                                                             #
-# https://github.com/prettier/prettier/issues/8048                            #
-# https://github.com/prettier/prettier/issues/8506                            #
-# https://github.com/prettier/prettier/issues/8679                            #
-###############################################################################
-
-node_modules
-vendor
+# Common ignore patterns, these rules applies in both root and subdirectories.
+.DS_Store
 .eslintcache
-yarn-error.log
+.gitpod.yml
 .idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotests_stats.json
+gotests.json
+node_modules/
+vendor/
+yarn-error.log

-# Front-end ignore
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
 .next/
-site/.eslintcache
-site/.next/
-site/node_modules/
-site/storybook-static/
-site/test-results/
-site/yarn-error.log
-coverage/
 site/**/*.typegen.ts
 site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/states/*.json
+site/e2e/.auth.json
+site/playwright-report/*
+site/.swc
+site/dist/
+
+# Make target for updating golden files (any dir).
+.gen-golden

 # Build
-dist/
+/build/
+/dist/
 site/out/

+# Bundle analysis
+site/stats/
+
 *.tfstate
+*.tfstate.backup
 *.tfplan
 *.lock.hcl
 .terraform/

-.vscode/*.log
-**/*.swp
+**/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
+*.test
+
+# Loadtesting
+./scaletest/terraform/.terraform
+./scaletest/terraform/.terraform.lock.hcl
+scaletest/terraform/secrets.tfvars
+.terraform.tfstate.*
@@ -54,7 +54,6 @@ linters-settings:
      # - importShadow
      - indexAlloc
      - initClause
-      - ioutilDeprecated
      - mapKey
      - methodExprCall
      # - nestingReduce
@@ -103,7 +102,7 @@ linters-settings:
    settings:
      ruleguard:
        failOn: all
-        rules: rules.go
+        rules: "${configDir}/scripts/rules.go"

  staticcheck:
    # https://staticcheck.io/docs/options#checks
@@ -123,6 +122,8 @@ linters-settings:

  misspell:
    locale: US
+    ignore-words:
+      - trialer

  nestif:
    min-complexity: 4 # Min complexity of if statements (def 5, goal 4)
@@ -192,16 +193,18 @@ issues:
      linters:
        # We use assertions rather than explicitly checking errors in tests
        - errcheck
+        - forcetypeassert

  fix: true
  max-issues-per-linter: 0
  max-same-issues: 0

 run:
-  concurrency: 4
  skip-dirs:
    - node_modules
-  timeout: 5m
+  skip-files:
+    - scripts/rules.go
+  timeout: 10m

 # Over time, add more and more linters from
 # https://golangci-lint.run/usage/linters/ as the code improves.
@@ -211,7 +214,6 @@ linters:
    - asciicheck
    - bidichk
    - bodyclose
-    - deadcode
    - dogsled
    - errcheck
    - errname
@@ -233,10 +235,15 @@ linters:
    - noctx
    - paralleltest
    - revive
-    - rowserrcheck
-    - sqlclosecheck
+
+    # These don't work until the following issue is solved.
+    # https://github.com/golangci/golangci-lint/issues/2649
+    # - rowserrcheck
+    # - sqlclosecheck
+    # - structcheck
+    # - wastedassign
+
    - staticcheck
-    - structcheck
    - tenv
    # In Go, it's possible for a package to test it's internal functionality
    # without testing any exported functions. This is enabled to promote
@@ -250,5 +257,3 @@ linters:
    - typecheck
    - unconvert
    - unused
-    - varcheck
-    - wastedassign
@@ -1,165 +0,0 @@
-archives:
-  - id: coder-linux
-    builds: [coder-linux]
-    format: tar
-    files:
-      - src: docs/README.md
-        dst: README.md
-
-  - id: coder-darwin
-    builds: [coder-darwin]
-    format: zip
-    files:
-      - src: docs/README.md
-        dst: README.md
-
-  - id: coder-windows
-    builds: [coder-windows]
-    format: zip
-    files:
-      - src: docs/README.md
-        dst: README.md
-
-before:
-  hooks:
-    - go mod tidy
-    - rm -f site/out/bin/coder*
-
-builds:
-  - id: coder-slim
-    dir: cmd/coder
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin, linux, windows]
-    goarch: [amd64, arm, arm64]
-    goarm: ["7"]
-    # Only build arm 7 for Linux
-    ignore:
-      - goos: windows
-        goarm: "7"
-      - goos: darwin
-        goarm: "7"
-    hooks:
-      # The "trimprefix" appends ".exe" on Windows.
-      post: |
-        cp {{.Path}} site/out/bin/coder-{{ .Os }}-{{ .Arch }}{{ if .Arm }}v{{ .Arm }}{{ end }}{{ trimprefix .Name "coder" }}
-
-  - id: coder-linux
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [linux]
-    goarch: [amd64, arm, arm64]
-    goarm: ["7"]
-
-  - id: coder-windows
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [windows]
-    goarch: [amd64, arm64]
-
-  - id: coder-darwin
-    dir: cmd/coder
-    flags: [-tags=embed]
-    ldflags: ["-s -w -X github.com/coder/coder/buildinfo.tag={{ .Version }}"]
-    env: [CGO_ENABLED=0]
-    goos: [darwin]
-    goarch: [amd64, arm64]
-    hooks:
-      # This signs the binary that will be located inside the zip.
-      # MacOS requires the binary to be signed for notarization.
-      #
-      # If it doesn't successfully sign, the zip sign step will error.
-      post: |
-        sh -c 'codesign -s {{.Env.AC_APPLICATION_IDENTITY}} -f -v --timestamp --options runtime {{.Path}} || true'
-
-env:
-  # Apple identity for signing!
-  - AC_APPLICATION_IDENTITY=BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
-
-nfpms:
-  - id: packages
-    vendor: Coder
-    homepage: https://coder.com
-    maintainer: Coder <support@coder.com>
-    description: |
-      Provision development environments with infrastructure with code
-    formats:
-      - apk
-      - deb
-      - rpm
-    suggests:
-      - postgresql
-    builds:
-      - coder-linux
-    bindir: /usr/bin
-    contents:
-      - src: coder.env
-        dst: /etc/coder.d/coder.env
-        type: "config|noreplace"
-      - src: coder.service
-        dst: /usr/lib/systemd/system/coder.service
-
-dockers:
-  - image_templates: ["ghcr.io/coder/coder:{{ .Tag }}-amd64"]
-    id: coder-linux
-    dockerfile: Dockerfile
-    use: buildx
-    build_flag_templates:
-      - --platform=linux/amd64
-      - --label=org.opencontainers.image.title=Coder
-      - --label=org.opencontainers.image.description=A tool for provisioning self-hosted development environments with Terraform.
-      - --label=org.opencontainers.image.url=https://github.com/coder/coder
-      - --label=org.opencontainers.image.source=https://github.com/coder/coder
-      - --label=org.opencontainers.image.version={{ .Version }}
-      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-      - --label=org.opencontainers.image.licenses=AGPL-3.0
-  - image_templates: ["ghcr.io/coder/coder:{{ .Tag }}-arm64"]
-    goarch: arm64
-    dockerfile: Dockerfile
-    use: buildx
-    build_flag_templates:
-      - --platform=linux/arm64/v8
-      - --label=org.opencontainers.image.title=coder
-      - --label=org.opencontainers.image.description=A tool for provisioning self-hosted development environments with Terraform.
-      - --label=org.opencontainers.image.url=https://github.com/coder/coder
-      - --label=org.opencontainers.image.source=https://github.com/coder/coder
-      - --label=org.opencontainers.image.version={{ .Tag }}
-      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-      - --label=org.opencontainers.image.licenses=AGPL-3.0
-  - image_templates: ["ghcr.io/coder/coder:{{ .Tag }}-armv7"]
-    goarch: arm
-    goarm: "7"
-    dockerfile: Dockerfile
-    use: buildx
-    build_flag_templates:
-      - --platform=linux/arm/v7
-      - --label=org.opencontainers.image.title=Coder
-      - --label=org.opencontainers.image.description=A tool for provisioning self-hosted development environments with Terraform.
-      - --label=org.opencontainers.image.url=https://github.com/coder/coder
-      - --label=org.opencontainers.image.source=https://github.com/coder/coder
-      - --label=org.opencontainers.image.version={{ .Tag }}
-      - --label=org.opencontainers.image.revision={{ .FullCommit }}
-      - --label=org.opencontainers.image.licenses=AGPL-3.0
-docker_manifests:
-  - name_template: ghcr.io/coder/coder:{{ .Tag }}
-    image_templates:
-      - ghcr.io/coder/coder:{{ .Tag }}-amd64
-      - ghcr.io/coder/coder:{{ .Tag }}-arm64
-      - ghcr.io/coder/coder:{{ .Tag }}-armv7
-
-release:
-  ids: [coder-linux, coder-darwin, coder-windows, packages]
-
-signs:
-  - ids: [coder-darwin]
-    artifacts: archive
-    cmd: ./scripts/sign_macos.sh
-    args: ["${artifact}"]
-    output: true
-
-snapshot:
-  name_template: "{{ .Version }}-devel+{{ .ShortCommit }}"
@@ -0,0 +1,80 @@
+# Code generated by Makefile (.gitignore .prettierignore.include). DO NOT EDIT.
+
+# .gitignore:
+# Common ignore patterns, these rules applies in both root and subdirectories.
+.DS_Store
+.eslintcache
+.gitpod.yml
+.idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotests_stats.json
+gotests.json
+node_modules/
+vendor/
+yarn-error.log
+
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
+.next/
+site/**/*.typegen.ts
+site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/states/*.json
+site/e2e/.auth.json
+site/playwright-report/*
+site/.swc
+site/dist/
+
+# Make target for updating golden files (any dir).
+.gen-golden
+
+# Build
+/build/
+/dist/
+site/out/
+
+# Bundle analysis
+site/stats/
+
+*.tfstate
+*.tfstate.backup
+*.tfplan
+*.lock.hcl
+.terraform/
+
+**/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
+*.test
+
+# Loadtesting
+./scaletest/terraform/.terraform
+./scaletest/terraform/.terraform.lock.hcl
+scaletest/terraform/secrets.tfvars
+.terraform.tfstate.*
+# .prettierignore.include:
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
+
+# Generated files shouldn't be formatted.
+site/e2e/provisionerGenerated.ts
@@ -0,0 +1,13 @@
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
+
+# Generated files shouldn't be formatted.
+site/e2e/provisionerGenerated.ts
@@ -0,0 +1,16 @@
+# This config file is used in conjunction with `.editorconfig` to specify
+# formatting for prettier-supported files. See `.editorconfig` and
+# `site/.editorconfig`for whitespace formatting options.
+printWidth: 80
+semi: false
+trailingComma: all
+overrides:
+  - files:
+      - README.md
+    options:
+      proseWrap: preserve
+  - files:
+      - "site/**/*.yaml"
+      - "site/**/*.yml"
+    options:
+      proseWrap: always
@@ -0,0 +1,8 @@
+// Replace all NullTime with string
+replace github.com/coder/coder/codersdk.NullTime string
+// Prevent swaggo from rendering enums for time.Duration
+replace time.Duration int64
+// Do not expose "echo" provider
+replace github.com/coder/coder/codersdk.ProvisionerType string
+// Do not render netip.Addr
+replace netip.Addr string
@@ -1,5 +1,6 @@
 {
  "recommendations": [
+    "github.vscode-codeql",
    "golang.go",
    "hashicorp.terraform",
    "esbenp.prettier-vscode",
@@ -8,6 +9,7 @@
    "zxh404.vscode-proto3",
    "redhat.vscode-yaml",
    "streetsidesoftware.code-spell-checker",
-    "dbaeumer.vscode-eslint"
+    "dbaeumer.vscode-eslint",
+    "EditorConfig.EditorConfig"
  ]
 }
@@ -1,78 +1,187 @@
 {
  "cSpell.words": [
+    "afero",
+    "agentsdk",
+    "apps",
+    "ASKPASS",
+    "authcheck",
+    "autostop",
+    "awsidentity",
+    "bodyclose",
+    "buildinfo",
+    "buildname",
    "circbuf",
    "cliflag",
    "cliui",
+    "codecov",
    "coderd",
+    "coderdenttest",
    "coderdtest",
    "codersdk",
+    "cronstrue",
+    "databasefake",
+    "dbfake",
+    "dbgen",
+    "dbtype",
+    "DERP",
+    "derphttp",
+    "derpmap",
    "devel",
+    "devtunnel",
+    "dflags",
    "drpc",
    "drpcconn",
    "drpcmux",
    "drpcserver",
    "Dsts",
+    "embeddedpostgres",
+    "enablements",
+    "enterprisemeta",
+    "errgroup",
+    "eventsourcemock",
+    "Failf",
    "fatih",
+    "Formik",
+    "gitauth",
+    "gitsshkey",
    "goarch",
    "gographviz",
    "goleak",
+    "gonet",
    "gossh",
    "gsyslog",
+    "GTTY",
    "hashicorp",
    "hclsyntax",
+    "httpapi",
    "httpmw",
    "idtoken",
    "Iflag",
    "incpatch",
+    "ipnstate",
    "isatty",
    "Jobf",
+    "Keygen",
    "kirsle",
+    "Kubernetes",
    "ldflags",
+    "magicsock",
    "manifoldco",
+    "mapstructure",
    "mattn",
    "mitchellh",
    "moby",
+    "namesgenerator",
+    "namespacing",
+    "netaddr",
+    "netip",
+    "netmap",
+    "netns",
+    "netstack",
+    "nettype",
    "nfpms",
    "nhooyr",
+    "nmcfg",
    "nolint",
    "nosec",
    "ntqry",
    "OIDC",
    "oneof",
+    "opty",
+    "paralleltest",
    "parameterscopeid",
    "pqtype",
-    "promptui",
+    "prometheusmetrics",
+    "promhttp",
    "protobuf",
    "provisionerd",
+    "provisionerdserver",
    "provisionersdk",
    "ptty",
+    "ptys",
    "ptytest",
+    "quickstart",
+    "reconfig",
+    "replicasync",
    "retrier",
    "rpty",
+    "SCIM",
    "sdkproto",
+    "sdktrace",
    "Signup",
+    "slogtest",
+    "sourcemapped",
+    "Srcs",
+    "stdbuf",
    "stretchr",
+    "STTY",
+    "stuntest",
+    "tanstack",
+    "tailbroker",
+    "tailcfg",
+    "tailexchange",
+    "tailnet",
+    "tailnettest",
+    "Tailscale",
+    "tbody",
    "TCGETS",
    "tcpip",
    "TCSETS",
+    "templateversions",
+    "testdata",
+    "testid",
+    "testutil",
    "tfexec",
    "tfjson",
+    "tfplan",
    "tfstate",
+    "thead",
+    "tios",
+    "tmpdir",
+    "tokenconfig",
+    "tparallel",
+    "trialer",
    "trimprefix",
+    "tsdial",
+    "tslogger",
+    "tstun",
+    "turnconn",
+    "typegen",
+    "typesafe",
    "unconvert",
    "Untar",
+    "Userspace",
    "VMID",
+    "walkthrough",
    "weblinks",
    "webrtc",
+    "wgcfg",
+    "wgconfig",
+    "wgengine",
+    "wgmonitor",
+    "wgnet",
+    "workspaceagent",
+    "workspaceagents",
+    "workspaceapp",
+    "workspaceapps",
+    "workspacebuilds",
+    "workspacename",
+    "wsconncache",
+    "wsjson",
    "xerrors",
    "xstate",
    "yamux"
  ],
+  "cSpell.ignorePaths": ["site/package.json", ".vscode/settings.json"],
  "emeraldwalk.runonsave": {
    "commands": [
      {
        "match": "database/queries/*.sql",
        "cmd": "make gen"
+      },
+      {
+        "match": "provisionerd/proto/provisionerd.proto",
+        "cmd": "make provisionerd/proto/provisionerd.pb.go"
      }
    ]
  },
@@ -80,25 +189,27 @@
  "files.exclude": {
    "**/node_modules": true
  },
+  "search.exclude": {
+    "scripts/metricsdocgen/metrics": true,
+    "docs/api/*.md": true
+  },
  // Ensure files always have a newline.
  "files.insertFinalNewline": true,
  "go.lintTool": "golangci-lint",
  "go.lintFlags": ["--fast"],
  "go.lintOnSave": "package",
  "go.coverOnSave": true,
-  // The codersdk is used by coderd another other packages extensively.
-  // To reduce redundancy in tests, it's covered by other packages.
-  "go.testFlags": ["-short", "-coverpkg=./.,github.com/coder/coder/codersdk"],
  "go.coverageDecorator": {
    "type": "gutter",
-    "coveredHighlightColor": "rgba(64,128,128,0.5)",
-    "uncoveredHighlightColor": "rgba(128,64,64,0.25)",
-    "coveredBorderColor": "rgba(64,128,128,0.5)",
-    "uncoveredBorderColor": "rgba(128,64,64,0.25)",
    "coveredGutterStyle": "blockgreen",
    "uncoveredGutterStyle": "blockred"
  },
+  // The codersdk is used by coderd another other packages extensively.
+  // To reduce redundancy in tests, it's covered by other packages.
+  // Since package coverage pairing can't be defined, all packages cover
+  // all other packages.
+  "go.testFlags": ["-short", "-coverpkg=./..."],
  // We often use a version of TypeScript that's ahead of the version shipped
  // with VS Code.
-  "typescript.tsdk": "./site/node_modules/typescript/lib",
+  "typescript.tsdk": "./site/node_modules/typescript/lib"
 }
@@ -1,6 +0,0 @@
-FROM alpine
-
-# Generated by goreleaser on `goreleaser release`
-ADD coder /opt/coder
-
-ENTRYPOINT [ "/opt/coder", "server" ]
@@ -0,0 +1,31 @@
+## Acceptance
+
+By using any software and associated documentation files under Coder 
+Technologies Inc.’s ("Coder") directory named "enterprise" ("Enterprise
+Software"), you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide, 
+non-sublicensable, non-transferable license to use, copy, distribute, make 
+available, modify and prepare derivative works of the Enterprise Software, in 
+each case subject to the limitations and conditions below.
+
+## Limitations
+
+You may not move, change, disable, or circumvent the license key functionality 
+in the software, and you may not remove or obscure any functionality in the 
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. 
+
+You agree that Coder and/or its licensors (as applicable) retain all right, 
+title and interest in and to all such modifications and/or patches.
+
+## Additional Terms
+
+This Enterprise Software may only be used in production, if you (and any entity 
+that you represent) have agreed to, and are in compliance with, the Coder’s 
+Terms of Service, available at https://coder.com/legal/terms-of-service, or 
+other agreement governing the use of the Software, as agreed by you and Coder. 
@@ -1,35 +1,390 @@
-.DEFAULT_GOAL := build
+# This is the Coder Makefile. The build directory for most tasks is `build/`.
+#
+# These are the targets you're probably looking for:
+# - clean
+# - build-fat: builds all "fat" binaries for all architectures
+# - build-slim: builds all "slim" binaries (no frontend or slim binaries
+#   embedded) for all architectures
+# - release: simulate a release (mostly, does not push images)
+# - build/coder(-slim)?_${os}_${arch}(.exe)?: build a single fat binary
+# - build/coder_${os}_${arch}.(zip|tar.gz): build a release archive
+# - build/coder_linux_${arch}.(apk|deb|rpm): build a release Linux package
+# - build/coder_${version}_linux_${arch}.tag: build a release Linux Docker image
+# - build/coder_helm.tgz: build a release Helm chart

-INSTALL_DIR=$(shell go env GOPATH)/bin
-GOOS=$(shell go env GOOS)
-GOARCH=$(shell go env GOARCH)
+.DEFAULT_GOAL := build-fat

-bin: $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum
-	@echo "== This builds binaries for command-line usage."
-	@echo "== Use \"make build\" to embed the site."
-	goreleaser build --snapshot --rm-dist --single-target
+# Use a single bash shell for each job, and immediately exit on failure
+SHELL := bash
+.SHELLFLAGS := -ceu
+.ONESHELL:

-build: dist/artifacts.json
-.PHONY: build
+# This doesn't work on directories.
+# See https://stackoverflow.com/questions/25752543/make-delete-on-error-for-directory-targets
+.DELETE_ON_ERROR:

-# Runs migrations to output a dump of the database.
-coderd/database/dump.sql: $(wildcard coderd/database/migrations/*.sql)
-	go run coderd/database/dump/main.go
+# Don't print the commands in the file unless you specify VERBOSE. This is
+# essentially the same as putting "@" at the start of each line.
+ifndef VERBOSE
+.SILENT:
+endif

-# Generates Go code for querying the database.
-coderd/database/querier.go: coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
-	coderd/database/generate.sh
+# Create the output directories if they do not exist.
+$(shell mkdir -p build site/out/bin)

-dist/artifacts.json: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum
-	goreleaser release --snapshot --rm-dist --skip-sign
+GOOS         := $(shell go env GOOS)
+GOARCH       := $(shell go env GOARCH)
+GOOS_BIN_EXT := $(if $(filter windows, $(GOOS)),.exe,)
+VERSION      := $(shell ./scripts/version.sh)
+
+# Use the highest ZSTD compression level in CI.
+ifdef CI
+ZSTDFLAGS := -22 --ultra
+else
+ZSTDFLAGS := -6
+endif
+
+# Common paths to exclude from find commands, this rule is written so
+# that it can be it can be used in a chain of AND statements (meaning
+# you can simply write `find . $(FIND_EXCLUSIONS) -name thing-i-want`).
+# Note, all find statements should be written with `.` or `./path` as
+# the search path so that these exclusions match.
+FIND_EXCLUSIONS= \
+	-not \( \( -path '*/.git/*' -o -path './build/*' -o -path './vendor/*' -o -path './.coderv2/*' -o -path '*/node_modules/*' -o -path './site/out/*' -o -path './coderd/apidoc/*' \) -prune \)
+# Source files used for make targets, evaluated on use.
+GO_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.go')
+# All the shell files in the repo, excluding ignored files.
+SHELL_SRC_FILES := $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.sh')
+
+# All ${OS}_${ARCH} combos we build for. Windows binaries have the .exe suffix.
+OS_ARCHES := \
+	linux_amd64 linux_arm64 linux_armv7 \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64.exe windows_arm64.exe
+
+# Archive formats and their corresponding ${OS}_${ARCH} combos.
+ARCHIVE_TAR_GZ := linux_amd64 linux_arm64 linux_armv7
+ARCHIVE_ZIP    := \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64 windows_arm64
+
+# All package formats we build and the ${OS}_${ARCH} combos we build them for.
+PACKAGE_FORMATS   := apk deb rpm
+PACKAGE_OS_ARCHES := linux_amd64 linux_armv7 linux_arm64
+
+# All architectures we build Docker images for (Linux only).
+DOCKER_ARCHES := amd64 arm64 armv7
+
+# Computed variables based on the above.
+CODER_SLIM_BINARIES      := $(addprefix build/coder-slim_$(VERSION)_,$(OS_ARCHES))
+CODER_FAT_BINARIES       := $(addprefix build/coder_$(VERSION)_,$(OS_ARCHES))
+CODER_ALL_BINARIES       := $(CODER_SLIM_BINARIES) $(CODER_FAT_BINARIES)
+CODER_TAR_GZ_ARCHIVES    := $(foreach os_arch, $(ARCHIVE_TAR_GZ), build/coder_$(VERSION)_$(os_arch).tar.gz)
+CODER_ZIP_ARCHIVES       := $(foreach os_arch, $(ARCHIVE_ZIP), build/coder_$(VERSION)_$(os_arch).zip)
+CODER_ALL_ARCHIVES       := $(CODER_TAR_GZ_ARCHIVES) $(CODER_ZIP_ARCHIVES)
+CODER_ALL_PACKAGES       := $(foreach os_arch, $(PACKAGE_OS_ARCHES), $(addprefix build/coder_$(VERSION)_$(os_arch).,$(PACKAGE_FORMATS)))
+CODER_ARCH_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_$(VERSION)_linux_$(arch).tag)
+CODER_ARCH_IMAGES_PUSHED := $(addprefix push/, $(CODER_ARCH_IMAGES))
+CODER_MAIN_IMAGE         := build/coder_$(VERSION)_linux.tag
+
+CODER_SLIM_NOVERSION_BINARIES     := $(addprefix build/coder-slim_,$(OS_ARCHES))
+CODER_FAT_NOVERSION_BINARIES      := $(addprefix build/coder_,$(OS_ARCHES))
+CODER_ALL_NOVERSION_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_linux_$(arch).tag) build/coder_linux.tag
+CODER_ALL_NOVERSION_IMAGES_PUSHED := $(addprefix push/, $(CODER_ALL_NOVERSION_IMAGES))
+
+# If callers are only building Docker images and not the packages and archives,
+# we can skip those prerequisites as they are not actually required and only
+# specified to avoid concurrent write failures.
+ifdef DOCKER_IMAGE_NO_PREREQUISITES
+CODER_ARCH_IMAGE_PREREQUISITES :=
+else
+CODER_ARCH_IMAGE_PREREQUISITES := \
+	build/coder_$(VERSION)_%.apk \
+	build/coder_$(VERSION)_%.deb \
+	build/coder_$(VERSION)_%.rpm \
+	build/coder_$(VERSION)_%.tar.gz
+endif
+
+
+clean:
+	rm -rf build site/out
+	mkdir -p build site/out/bin
+	git restore site/out
+.PHONY: clean
+
+build-slim: $(CODER_SLIM_BINARIES)
+.PHONY: build-slim
+
+build-fat build-full build: $(CODER_FAT_BINARIES)
+.PHONY: build-fat build-full build
+
+release: $(CODER_FAT_BINARIES) $(CODER_ALL_ARCHIVES) $(CODER_ALL_PACKAGES) $(CODER_ARCH_IMAGES) build/coder_helm_$(VERSION).tgz
+.PHONY: release
+
+build/coder-slim_$(VERSION)_checksums.sha1: site/out/bin/coder.sha1
+	cp "$<" "$@"
+
+site/out/bin/coder.sha1: $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		openssl dgst -r -sha1 coder-* | tee coder.sha1
+	popd
+
+build/coder-slim_$(VERSION).tar: build/coder-slim_$(VERSION)_checksums.sha1 $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		tar cf "../../../build/$(@F)" coder-*
+	popd
+
+	# delete the uncompressed binaries from the embedded dir
+	rm -f site/out/bin/coder-*
+
+site/out/bin/coder.tar.zst: build/coder-slim_$(VERSION).tar.zst
+	cp "$<" "$@"
+
+build/coder-slim_$(VERSION).tar.zst: build/coder-slim_$(VERSION).tar
+	zstd $(ZSTDFLAGS) \
+		--force \
+		--long \
+		--no-progress \
+		-o "build/coder-slim_$(VERSION).tar.zst" \
+		"build/coder-slim_$(VERSION).tar"
+
+# Redirect from version-less targets to the versioned ones. There is a similar
+# target for slim binaries below.
+#
+# Called like this:
+#   make build/coder_linux_amd64
+#   make build/coder_windows_amd64.exe
+$(CODER_FAT_NOVERSION_BINARIES): build/coder_%: build/coder_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Same as above, but for slim binaries.
+#
+# Called like this:
+#   make build/coder-slim_linux_amd64
+#   make build/coder-slim_windows_amd64.exe
+$(CODER_SLIM_NOVERSION_BINARIES): build/coder-slim_%: build/coder-slim_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# "fat" binaries always depend on the site and the compressed slim binaries.
+$(CODER_FAT_BINARIES): \
+	site/out/index.html \
+	site/out/bin/coder.sha1 \
+	site/out/bin/coder.tar.zst
+
+# This is a handy block that parses the target to determine whether it's "slim"
+# or "fat", which OS was specified and which architecture was specified.
+#
+# It populates the following variables: mode, os, arch_ext, arch, ext (without
+# dot).
+define get-mode-os-arch-ext =
+	mode="$$([[ "$@" = build/coder-slim* ]] && echo "slim" || echo "fat")"
+	os="$$(echo $@ | cut -d_ -f3)"
+	arch_ext="$$(echo $@ | cut -d_ -f4)"
+	if [[ "$$arch_ext" == *.* ]]; then
+		arch="$$(echo $$arch_ext | cut -d. -f1)"
+		ext="$${arch_ext#*.}"
+	else
+		arch="$$arch_ext"
+		ext=""
+	fi
+endef
+
+# This task handles all builds, for both "fat" and "slim" binaries. It parses
+# the target name to get the metadata for the build, so it must be specified in
+# this format:
+#     build/coder(-slim)?_${version}_${os}_${arch}(.exe)?
+#
+# You should probably use the non-version targets above instead if you're
+# calling this manually.
+$(CODER_ALL_BINARIES): go.mod go.sum \
+	$(GO_SRC_FILES) \
+	$(shell find ./examples/templates)
+
+	$(get-mode-os-arch-ext)
+	if [[ "$$os" != "windows" ]] && [[ "$$ext" != "" ]]; then
+		echo "ERROR: Invalid build binary extension" 1>&2
+		exit 1
+	fi
+	if [[ "$$os" == "windows" ]] && [[ "$$ext" != exe ]]; then
+		echo "ERROR: Windows binaries must have an .exe extension." 1>&2
+		exit 1
+	fi
+
+	build_args=( \
+		--os "$$os" \
+		--arch "$$arch" \
+		--version "$(VERSION)" \
+		--output "$@" \
+	)
+	if [ "$$mode" == "slim" ]; then
+		build_args+=(--slim)
+	fi
+
+	./scripts/build_go.sh "$${build_args[@]}"
+
+	if [[ "$$mode" == "slim" ]]; then
+		dot_ext=""
+		if [[ "$$ext" != "" ]]; then
+			dot_ext=".$$ext"
+		fi
+
+		cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
+	fi
+
+# This task builds all archives. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.${format}
+#
+# The following OS/arch/format combinations are supported:
+#     .tar.gz: linux_amd64, linux_arm64, linux_armv7
+#     .zip:    darwin_amd64, darwin_arm64, windows_amd64, windows_arm64
+#
+# This depends on all fat binaries because it's difficult to do dynamic
+# dependencies due to the .exe requirement on Windows. These targets are
+# typically only used during release anyways.
+$(CODER_ALL_ARCHIVES): $(CODER_FAT_BINARIES)
+	$(get-mode-os-arch-ext)
+	bin_ext=""
+	if [[ "$$os" == "windows" ]]; then
+		bin_ext=".exe"
+	fi
+
+	./scripts/archive.sh \
+		--format "$$ext" \
+		--os "$$os" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}$${bin_ext}"
+
+# This task builds all packages. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_linux_${arch}.${format}
+#
+# Supports apk, deb, rpm for all linux targets.
+#
+# This depends on all Linux fat binaries and archives because it's difficult to
+# do dynamic dependencies due to the extensions in the filenames. These targets
+# are typically only used during release anyways.
+#
+# Packages need to run after the archives are built, otherwise they cause tar
+# errors like "file changed as we read it".
+CODER_PACKAGE_DEPS := $(foreach os_arch, $(PACKAGE_OS_ARCHES), build/coder_$(VERSION)_$(os_arch) build/coder_$(VERSION)_$(os_arch).tar.gz)
+$(CODER_ALL_PACKAGES): $(CODER_PACKAGE_DEPS)
+	$(get-mode-os-arch-ext)
+
+	./scripts/package.sh \
+		--arch "$$arch" \
+		--format "$$ext" \
+		--version "$(VERSION)" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+# This task builds a Windows amd64 installer. Depends on makensis.
+build/coder_$(VERSION)_windows_amd64_installer.exe: build/coder_$(VERSION)_windows_amd64.exe
+	./scripts/build_windows_installer.sh \
+		--version "$(VERSION)" \
+		--output "$@" \
+		"$<"
+
+# Redirect from version-less Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES): build/coder_%: build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES)
+
+# Redirect from version-less push Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make push/build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES_PUSHED): push/build/coder_%: push/build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES_PUSHED)
+
+# This task builds all Docker images. It parses the target name to get the
+# metadata for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.tag
+#
+# Supports linux_amd64, linux_arm64, linux_armv7.
+#
+# Images need to run after the archives and packages are built, otherwise they
+# cause errors like "file changed as we read it".
+$(CODER_ARCH_IMAGES): build/coder_$(VERSION)_%.tag: build/coder_$(VERSION)_% $(CODER_ARCH_IMAGE_PREREQUISITES)
+	$(get-mode-os-arch-ext)
+
+	image_tag="$$(./scripts/image_tag.sh --arch "$$arch" --version "$(VERSION)")"
+	./scripts/build_docker.sh \
+		--arch "$$arch" \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+	echo "$$image_tag" > "$@"
+
+# Multi-arch Docker image. This requires all architecture-specific images to be
+# built AND pushed.
+$(CODER_MAIN_IMAGE): $(CODER_ARCH_IMAGES_PUSHED)
+	image_tag="$$(./scripts/image_tag.sh --version "$(VERSION)")"
+	./scripts/build_docker_multiarch.sh \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		$(foreach img, $^, "$$(cat "$(img:push/%=%)")")
+
+	echo "$$image_tag" > "$@"
+
+# Push a Docker image.
+$(CODER_ARCH_IMAGES_PUSHED): push/%: %
+	image_tag="$$(cat "$<")"
+	docker push "$$image_tag"
+.PHONY: $(CODER_ARCH_IMAGES_PUSHED)
+
+# Push the multi-arch Docker manifest.
+push/$(CODER_MAIN_IMAGE): $(CODER_MAIN_IMAGE)
+	image_tag="$$(cat "$<")"
+	docker manifest push "$$image_tag"
+.PHONY: push/$(CODER_MAIN_IMAGE)
+
+# Shortcut for Helm chart package.
+build/coder_helm.tgz: build/coder_helm_$(VERSION).tgz
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Helm chart package.
+build/coder_helm_$(VERSION).tgz:
+	./scripts/helm.sh \
+		--version "$(VERSION)" \
+		--output "$@"
+
+site/out/index.html: site/package.json $(shell find ./site $(FIND_EXCLUSIONS) -type f \( -name '*.ts' -o -name '*.tsx' \))
+	./scripts/yarn_install.sh
+	cd site
+	yarn build
+
+install: build/coder_$(VERSION)_$(GOOS)_$(GOARCH)$(GOOS_BIN_EXT)
+	install_dir="$$(go env GOPATH)/bin"
+	output_file="$${install_dir}/coder$(GOOS_BIN_EXT)"
+
+	mkdir -p "$$install_dir"
+	cp "$<" "$$output_file"
+.PHONY: install
+
+fmt: fmt/prettier fmt/terraform fmt/shfmt fmt/go
+.PHONY: fmt
+
+fmt/go:
+	# VS Code users should check out
+	# https://github.com/mvdan/gofumpt#visual-studio-code
+	go run mvdan.cc/gofumpt@v0.4.0 -w -l .
+.PHONY: fmt/go

 fmt/prettier:
-	@echo "--- prettier"
+	echo "--- prettier"
+	cd site
 # Avoid writing files in CI to reduce file write activity
 ifdef CI
-	cd site && yarn run format:check
+	yarn run format:check
 else
-	cd site && yarn run format:write
+	yarn run format:write
 endif
 .PHONY: fmt/prettier

@@ -37,36 +392,106 @@ fmt/terraform: $(wildcard *.tf)
 	terraform fmt -recursive
 .PHONY: fmt/terraform

-fmt: fmt/prettier fmt/terraform
-.PHONY: fmt
+fmt/shfmt: $(SHELL_SRC_FILES)
+	echo "--- shfmt"
+# Only do diff check in CI, errors on diff.
+ifdef CI
+	shfmt -d $(SHELL_SRC_FILES)
+else
+	shfmt -w $(SHELL_SRC_FILES)
+endif
+.PHONY: fmt/shfmt

-gen: coderd/database/querier.go peerbroker/proto/peerbroker.pb.go provisionersdk/proto/provisioner.pb.go provisionerd/proto/provisionerd.pb.go site/src/api/typesGenerated.ts
-
-install: build
-	@echo "--- Copying from bin to $(INSTALL_DIR)"
-	cp -r ./dist/coder-$(GOOS)_$(GOOS)_$(GOARCH)*/* $(INSTALL_DIR)
-	@echo "-- CLI available at $(shell ls $(INSTALL_DIR)/coder*)"
-.PHONY: install
-
-lint:
-	golangci-lint run
+lint: lint/shellcheck lint/go lint/ts lint/helm
 .PHONY: lint

-peerbroker/proto/peerbroker.pb.go: peerbroker/proto/peerbroker.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./peerbroker/proto/peerbroker.proto
+lint/ts:
+	cd site
+	yarn && yarn lint
+.PHONY: lint/ts

-provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./provisionerd/proto/provisionerd.proto
+lint/go:
+	./scripts/check_enterprise_imports.sh
+	go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.53.2
+	golangci-lint run
+.PHONY: lint/go
+
+# Use shfmt to determine the shell files, takes editorconfig into consideration.
+lint/shellcheck: $(SHELL_SRC_FILES)
+	echo "--- shellcheck"
+	shellcheck --external-sources $(SHELL_SRC_FILES)
+.PHONY: lint/shellcheck
+
+lint/helm:
+	cd helm
+	make lint
+.PHONY: lint/helm
+
+# all gen targets should be added here and to gen/mark-fresh
+gen: \
+	coderd/database/dump.sql \
+	coderd/database/querier.go \
+	coderd/database/dbmock/dbmock.go \
+	provisionersdk/proto/provisioner.pb.go \
+	provisionerd/proto/provisionerd.pb.go \
+	site/src/api/typesGenerated.ts \
+	coderd/rbac/object_gen.go \
+	docs/admin/prometheus.md \
+	docs/cli.md \
+	docs/admin/audit-logs.md \
+	coderd/apidoc/swagger.json \
+	.prettierignore.include \
+	.prettierignore \
+	site/.prettierrc.yaml \
+	site/.prettierignore \
+	site/.eslintignore
+.PHONY: gen
+
+# Mark all generated files as fresh so make thinks they're up-to-date. This is
+# used during releases so we don't run generation scripts.
+gen/mark-fresh:
+	files="\
+		coderd/database/dump.sql \
+		coderd/database/querier.go \
+		coderd/database/dbmock/dbmock.go \
+		provisionersdk/proto/provisioner.pb.go \
+		provisionerd/proto/provisionerd.pb.go \
+		site/src/api/typesGenerated.ts \
+		coderd/rbac/object_gen.go \
+		docs/admin/prometheus.md \
+		docs/cli.md \
+		docs/admin/audit-logs.md \
+		coderd/apidoc/swagger.json \
+		.prettierignore.include \
+		.prettierignore \
+		site/.prettierrc.yaml \
+		site/.prettierignore \
+		site/.eslintignore \
+	"
+	for file in $$files; do
+		echo "$$file"
+		if [ ! -f "$$file" ]; then
+			echo "File '$$file' does not exist"
+			exit 1
+		fi
+
+		# touch sets the mtime of the file to the current time
+		touch $$file
+	done
+.PHONY: gen/mark-fresh
+
+# Runs migrations to output a dump of the database schema after migrations are
+# applied.
+coderd/database/dump.sql: coderd/database/gen/dump/main.go $(wildcard coderd/database/migrations/*.sql)
+	go run ./coderd/database/gen/dump/main.go
+
+# Generates Go code for querying the database.
+coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
+	./coderd/database/generate.sh
+
+
+coderd/database/dbmock/dbmock.go: coderd/database/db.go coderd/database/querier.go
+	go generate ./coderd/database/dbmock/

 provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 	protoc \
@@ -76,16 +501,166 @@ provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 		--go-drpc_opt=paths=source_relative \
 		./provisionersdk/proto/provisioner.proto

-site/out/index.html: $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.tsx') $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.ts') site/package.json
-	./scripts/yarn_install.sh
-	cd site && yarn typegen
-	cd site && yarn build
-	# Restores GITKEEP files!
-	git checkout HEAD site/out
+provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
+	protoc \
+		--go_out=. \
+		--go_opt=paths=source_relative \
+		--go-drpc_out=. \
+		--go-drpc_opt=paths=source_relative \
+		./provisionerd/proto/provisionerd.proto

-site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find codersdk -type f -name '*.go')
+site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
 	go run scripts/apitypings/main.go > site/src/api/typesGenerated.ts
-	cd site && yarn run format:types
+	cd site
+	yarn run format:types

-test:
-	gotestsum -- -v -short ./...
+coderd/rbac/object_gen.go: scripts/rbacgen/main.go coderd/rbac/object.go
+	go run scripts/rbacgen/main.go ./coderd/rbac > coderd/rbac/object_gen.go
+
+docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+	go run scripts/metricsdocgen/main.go
+	cd site
+	yarn run format:write:only ../docs/admin/prometheus.md
+
+docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES)
+	BASE_PATH="." go run ./scripts/clidocgen
+	cd site
+	yarn run format:write:only ../docs/cli.md ../docs/cli/*.md ../docs/manifest.json
+
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go coderd/rbac/object_gen.go
+	go run scripts/auditdocgen/main.go
+	cd site
+	yarn run format:write:only ../docs/admin/audit-logs.md
+
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) $(wildcard enterprise/wsproxy/wsproxysdk/*.go) coderd/database/querier.go .swaggo docs/manifest.json coderd/rbac/object_gen.go
+	./scripts/apidocgen/generate.sh
+	yarn run --cwd=site format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
+
+update-golden-files: cli/testdata/.gen-golden helm/tests/testdata/.gen-golden scripts/ci-report/testdata/.gen-golden enterprise/cli/testdata/.gen-golden
+.PHONY: update-golden-files
+
+cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) $(wildcard cli/*.tpl) $(GO_SRC_FILES)
+	go test ./cli -run="Test(CommandHelp|ServerYAML)" -update
+	touch "$@"
+
+enterprise/cli/testdata/.gen-golden: $(wildcard enterprise/cli/testdata/*.golden) $(wildcard cli/*.tpl) $(GO_SRC_FILES)
+	go test ./enterprise/cli -run="TestEnterpriseCommandHelp" -update
+	touch "$@"
+
+helm/tests/testdata/.gen-golden: $(wildcard helm/tests/testdata/*.yaml) $(wildcard helm/tests/testdata/*.golden) $(GO_SRC_FILES)
+	go test ./helm/tests -run=TestUpdateGoldenFiles -update
+	touch "$@"
+
+scripts/ci-report/testdata/.gen-golden: $(wildcard scripts/ci-report/testdata/*) $(wildcard scripts/ci-report/*.go)
+	go test ./scripts/ci-report -run=TestOutputMatchesGoldenFile -update
+	touch "$@"
+
+# Generate a prettierrc for the site package that uses relative paths for
+# overrides. This allows us to share the same prettier config between the
+# site and the root of the repo.
+site/.prettierrc.yaml: .prettierrc.yaml
+	. ./scripts/lib.sh
+	dependencies yq
+
+	echo "# Code generated by Makefile (../$<). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+
+	# Replace all listed override files with relative paths inside site/.
+	# - ./ -> ../
+	# - ./site -> ./
+	yq \
+		'.overrides[].files |= map(. | sub("^./"; "") | sub("^"; "../") | sub("../site/"; "./"))' \
+		"$<" >> "$@"
+
+# Combine .gitignore with .prettierignore.include to generate .prettierignore.
+.prettierignore: .gitignore .prettierignore.include
+	echo "# Code generated by Makefile ($^). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+	for f in $^; do
+		echo "# $${f}:" >> "$@"
+		cat "$$f" >> "$@"
+	done
+
+# Generate ignore files based on gitignore into the site directory. We turn all
+# rules into relative paths for the `site/` directory (where applicable),
+# following the pattern format defined by git:
+# https://git-scm.com/docs/gitignore#_pattern_format
+#
+# This is done for compatibility reasons, see:
+# https://github.com/prettier/prettier/issues/8048
+# https://github.com/prettier/prettier/issues/8506
+# https://github.com/prettier/prettier/issues/8679
+site/.eslintignore site/.prettierignore: .prettierignore Makefile
+	rm -f "$@"
+	touch "$@"
+	# Skip generated by header, inherit `.prettierignore` header as-is.
+	while read -r rule; do
+		# Remove leading ! if present to simplify rule, added back at the end.
+		tmp="$${rule#!}"
+		ignore="$${rule%"$$tmp"}"
+		rule="$$tmp"
+		case "$$rule" in
+			# Comments or empty lines (include).
+			\#*|'') ;;
+			# Generic rules (include).
+			\*\**) ;;
+			# Site prefixed rules (include).
+			site/*) rule="$${rule#site/}";;
+			./site/*) rule="$${rule#./site/}";;
+			# Rules that are non-generic and don't start with site (rewrite).
+			/*) rule=.."$$rule";;
+			*/?*) rule=../"$$rule";;
+			*) ;;
+		esac
+		echo "$${ignore}$${rule}" >> "$@"
+	done < "$<"
+
+test: test-clean
+	gotestsum --format standard-quiet -- -v -short ./...
+.PHONY: test
+
+# When updating -timeout for this test, keep in sync with
+# test-go-postgres (.github/workflows/coder.yaml).
+# Do add coverage flags so that test caching works.
+test-postgres: test-clean test-postgres-docker
+	# The postgres test is prone to failure, so we limit parallelism for
+	# more consistent execution.
+	DB=ci DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum \
+		--junitfile="gotests.xml" \
+		--jsonfile="gotests.json" \
+		--packages="./..." -- \
+		-timeout=20m \
+		-failfast
+.PHONY: test-postgres
+
+test-postgres-docker:
+	docker rm -f test-postgres-docker || true
+	docker run \
+		--env POSTGRES_PASSWORD=postgres \
+		--env POSTGRES_USER=postgres \
+		--env POSTGRES_DB=postgres \
+		--env PGDATA=/tmp \
+		--tmpfs /tmp \
+		--publish 5432:5432 \
+		--name test-postgres-docker \
+		--restart no \
+		--detach \
+		gcr.io/coder-dev-1/postgres:13 \
+		-c shared_buffers=1GB \
+		-c work_mem=1GB \
+		-c effective_cache_size=1GB \
+		-c max_connections=1000 \
+		-c fsync=off \
+		-c synchronous_commit=off \
+		-c full_page_writes=off \
+		-c log_statement=all
+	while ! pg_isready -h 127.0.0.1
+	do
+		echo "$(date) - waiting for database to start"
+		sleep 0.5
+	done
+.PHONY: test-postgres-docker
+
+test-clean:
+	go clean -testcache
+.PHONY: test-clean
@@ -0,0 +1,125 @@
+<div align="center">
+  <a href="https://coder.com#gh-light-mode-only">
+    <img src="./docs/images/logo-black.png" style="width: 128px">
+  </a>
+  <a href="https://coder.com#gh-dark-mode-only">
+    <img src="./docs/images/logo-white.png" style="width: 128px">
+  </a>
+
+  <h1>
+  Self-Hosted Remote Development Environments
+  </h1>
+
+  <a href="https://coder.com#gh-light-mode-only">
+    <img src="./docs/images/banner-black.png" style="width: 650px">
+  </a>
+  <a href="https://coder.com#gh-dark-mode-only">
+    <img src="./docs/images/banner-white.png" style="width: 650px">
+  </a>
+
+  <br>
+  <br>
+
+[Quickstart](#quickstart) | [Docs](https://coder.com/docs) | [Why Coder](https://coder.com/why) | [Enterprise](https://coder.com/docs/v2/latest/enterprise)
+
+[![discord](https://img.shields.io/discord/747933592273027093?label=discord)](https://discord.gg/coder)
+[![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
+[![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases/latest)
+[![godoc](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
+[![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder)](https://goreportcard.com/report/github.com/coder/coder)
+[![license](https://img.shields.io/github/license/coder/coder)](./LICENSE)
+
+</div>
+
+[Coder](https://coder.com) enables organizations to set up development environments in the cloud. Environments are defined with Terraform, connected through a secure high-speed Wireguard® tunnel, and are automatically shut down when not in use to save on costs. Coder gives engineering teams the flexibility to use the cloud for workloads that are most beneficial to them.
+
+- Define development environments in Terraform
+  - EC2 VMs, Kubernetes Pods, Docker Containers, etc.
+- Automatically shutdown idle resources to save on costs
+- Onboard developers in seconds instead of days
+
+<p align="center">
+  <img src="./docs/images/hero-image.png">
+</p>
+
+## Quickstart
+
+The most convenient way to try Coder is to install it on your local machine and experiment with provisioning development environments using Docker (works on Linux, macOS, and Windows).
+
+```
+# First, install Coder
+curl -L https://coder.com/install.sh | sh
+
+# Start the Coder server (caches data in ~/.cache/coder)
+coder server
+
+# Navigate to http://localhost:3000 to create your initial user
+# Create a Docker template, and provision a workspace
+```
+
+## Install
+
+The easiest way to install Coder is to use our
+[install script](https://github.com/coder/coder/blob/main/install.sh) for Linux
+and macOS. For Windows, use the latest `..._installer.exe` file from GitHub
+Releases.
+
+```bash
+curl -L https://coder.com/install.sh | sh
+```
+
+You can run the install script with `--dry-run` to see the commands that will be used to install without executing them. You can modify the installation process by including flags. Run the install script with `--help` for reference.
+
+> See [install](docs/install) for additional methods.
+
+Once installed, you can start a production deployment<sup>1</sup> with a single command:
+
+```console
+# Automatically sets up an external access URL on *.try.coder.app
+coder server
+
+# Requires a PostgreSQL instance (version 13 or higher) and external access URL
+coder server --postgres-url <url> --access-url <url>
+```
+
+> <sup>1</sup> For production deployments, set up an external PostgreSQL instance for reliability.
+
+Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/install) for a full walkthrough.
+
+## Documentation
+
+Browse our docs [here](https://coder.com/docs/v2) or visit a specific section below:
+
+- [**Templates**](https://coder.com/docs/v2/latest/templates): Templates are written in Terraform and describe the infrastructure for workspaces
+- [**Workspaces**](https://coder.com/docs/v2/latest/workspaces): Workspaces contain the IDEs, dependencies, and configuration information needed for software development
+- [**IDEs**](https://coder.com/docs/v2/latest/ides): Connect your existing editor to a workspace
+- [**Administration**](https://coder.com/docs/v2/latest/admin): Learn how to operate Coder
+- [**Enterprise**](https://coder.com/docs/v2/latest/enterprise): Learn about our paid features built for large teams
+
+## Community and Support
+
+Feel free to [open an issue](https://github.com/coder/coder/issues/new) if you have questions, run into bugs, or have a feature request.
+
+[Join our Discord](https://discord.gg/coder) to provide feedback on in-progress features, and chat with the community using Coder!
+
+## Contributing
+
+Contributions are welcome! Read the [contributing docs](https://coder.com/docs/v2/latest/CONTRIBUTING) to get started.
+
+Find our list of contributors [here](https://github.com/coder/coder/graphs/contributors).
+
+## Related
+
+We are always working on new integrations. Feel free to open an issue to request an integration. Contributions are welcome in any official or community repositories.
+
+### Official
+
+- [**VS Code Extension**](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote): Open any Coder workspace in VS Code with a single click
+- [**JetBrains Gateway Extension**](https://plugins.jetbrains.com/plugin/19620-coder): Open any Coder workspace in JetBrains Gateway with a single click
+- [**Self-Hosted VS Code Extension Marketplace**](https://github.com/coder/code-marketplace): A private extension marketplace that works in restricted or airgapped networks integrating with [code-server](https://github.com/coder/code-server).
+
+### Community
+
+- [**Provision Coder with Terraform**](https://github.com/ElliotG/coder-oss-tf): Provision Coder on Google GKE, Azure AKS, AWS EKS, DigitalOcean DOKS, IBMCloud K8s, OVHCloud K8s, and Scaleway K8s Kapsule with Terraform
+- [**Coder GitHub Action**](https://github.com/marketplace/actions/update-coder-template): A GitHub Action that updates Coder templates
+- [**Various Templates**](./examples/templates/community-templates.md): Hetzner Cloud, Docker in Docker, and other templates the community has built.
@@ -0,0 +1,73 @@
+# Coder Security
+
+Coder welcomes feedback from security researchers and the general public
+to help improve our security. If you believe you have discovered a vulnerability,
+privacy issue, exposed data, or other security issues in any of our assets, we
+want to hear from you. This policy outlines steps for reporting vulnerabilities
+to us, what we expect, what you can expect from us.
+
+You can see the pretty version [here](https://coder.com/security/policy)
+
+# Why Coder's security matters
+
+If an attacker could fully compromise a Coder installation, they could spin
+up expensive workstations, steal valuable credentials, or steal proprietary
+source code. We take this risk very seriously and employ routine pen testing,
+vulnerability scanning, and code reviews. We also welcome the contributions
+from the community that helped make this product possible.
+
+# Where should I report security issues?
+
+Please report security issues to security@coder.com, providing
+all relevant information. The more details you provide, the easier it will be
+for us to triage and fix the issue.
+
+# Out of Scope
+
+Our primary concern is around an abuse of the Coder application that allows
+an attacker to gain access to another users workspace, or spin up unwanted
+workspaces.
+
+- DOS/DDOS attacks affecting availability --> While we do support rate limiting
+  of requests, we primarily leave this to the owner of the Coder installation. Our
+  rationale is that a DOS attack only affecting availability is not a valuable
+  target for attackers.
+- Abuse of a compromised user credential --> If a user credential is compromised
+  outside of the Coder ecosystem, then we consider it beyond the scope of our application.
+  However, if an unprivileged user could escalate their permissions or gain access
+  to another workspace, that is a cause for concern.
+- Vulnerabilities in third party systems --> Vulnerabilities discovered in
+  out-of-scope systems should be reported to the appropriate vendor or applicable authority.
+
+# Our Commitments
+
+When working with us, according to this policy, you can expect us to:
+
+- Respond to your report promptly, and work with you to understand and validate your report;
+- Strive to keep you informed about the progress of a vulnerability as it is processed;
+- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
+- Extend Safe Harbor for your vulnerability research that is related to this policy.
+
+# Our Expectations
+
+In participating in our vulnerability disclosure program in good faith, we ask that you:
+
+- Play by the rules, including following this policy and any other relevant agreements.
+  If there is any inconsistency between this policy and any other applicable terms, the
+  terms of this policy will prevail;
+- Report any vulnerability you’ve discovered promptly;
+- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or
+  harming user experience;
+- Use only the Official Channels to discuss vulnerability information with us;
+- Provide us a reasonable amount of time (at least 90 days from the initial report) to
+  resolve the issue before you disclose it publicly;
+- Perform testing only on in-scope systems, and respect systems and activities which
+  are out-of-scope;
+- If a vulnerability provides unintended access to data: Limit the amount of data you
+  access to the minimum required for effectively demonstrating a Proof of Concept; and
+  cease testing and submit a report immediately if you encounter any user data during testing,
+  such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI),
+  credit card data, or proprietary information;
+- You should only interact with test accounts you own or with explicit permission from
+- the account holder; and
+- Do not engage in extortion.
@@ -0,0 +1,848 @@
+package agentssh
+
+import (
+	"bufio"
+	"context"
+	"crypto/rand"
+	"crypto/rsa"
+	"errors"
+	"fmt"
+	"io"
+	"net"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/gliderlabs/ssh"
+	"github.com/pkg/sftp"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/spf13/afero"
+	"go.uber.org/atomic"
+	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+
+	"github.com/coder/coder/agent/usershell"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/coder/pty"
+)
+
+const (
+	// MagicSessionErrorCode indicates that something went wrong with the session, rather than the
+	// command just returning a nonzero exit code, and is chosen as an arbitrary, high number
+	// unlikely to shadow other exit codes, which are typically 1, 2, 3, etc.
+	MagicSessionErrorCode = 229
+
+	// MagicSessionTypeEnvironmentVariable is used to track the purpose behind an SSH connection.
+	// This is stripped from any commands being executed, and is counted towards connection stats.
+	MagicSessionTypeEnvironmentVariable = "CODER_SSH_SESSION_TYPE"
+	// MagicSessionTypeVSCode is set in the SSH config by the VS Code extension to identify itself.
+	MagicSessionTypeVSCode = "vscode"
+	// MagicSessionTypeJetBrains is set in the SSH config by the JetBrains extension to identify itself.
+	MagicSessionTypeJetBrains = "jetbrains"
+)
+
+type Server struct {
+	mu        sync.RWMutex // Protects following.
+	fs        afero.Fs
+	listeners map[net.Listener]struct{}
+	conns     map[net.Conn]struct{}
+	sessions  map[ssh.Session]struct{}
+	closing   chan struct{}
+	// Wait for goroutines to exit, waited without
+	// a lock on mu but protected by closing.
+	wg sync.WaitGroup
+
+	logger       slog.Logger
+	srv          *ssh.Server
+	x11SocketDir string
+
+	Env           map[string]string
+	AgentToken    func() string
+	Manifest      *atomic.Pointer[agentsdk.Manifest]
+	ServiceBanner *atomic.Pointer[codersdk.ServiceBannerConfig]
+
+	connCountVSCode     atomic.Int64
+	connCountJetBrains  atomic.Int64
+	connCountSSHSession atomic.Int64
+
+	metrics *sshServerMetrics
+}
+
+func NewServer(ctx context.Context, logger slog.Logger, prometheusRegistry *prometheus.Registry, fs afero.Fs, maxTimeout time.Duration, x11SocketDir string) (*Server, error) {
+	// Clients' should ignore the host key when connecting.
+	// The agent needs to authenticate with coderd to SSH,
+	// so SSH authentication doesn't improve security.
+	randomHostKey, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, err
+	}
+	randomSigner, err := gossh.NewSignerFromKey(randomHostKey)
+	if err != nil {
+		return nil, err
+	}
+	if x11SocketDir == "" {
+		x11SocketDir = filepath.Join(os.TempDir(), ".X11-unix")
+	}
+
+	forwardHandler := &ssh.ForwardedTCPHandler{}
+	unixForwardHandler := &forwardedUnixHandler{log: logger}
+
+	metrics := newSSHServerMetrics(prometheusRegistry)
+	s := &Server{
+		listeners:    make(map[net.Listener]struct{}),
+		fs:           fs,
+		conns:        make(map[net.Conn]struct{}),
+		sessions:     make(map[ssh.Session]struct{}),
+		logger:       logger,
+		x11SocketDir: x11SocketDir,
+
+		metrics: metrics,
+	}
+
+	srv := &ssh.Server{
+		ChannelHandlers: map[string]ssh.ChannelHandler{
+			"direct-tcpip":                   ssh.DirectTCPIPHandler,
+			"direct-streamlocal@openssh.com": directStreamLocalHandler,
+			"session":                        ssh.DefaultSessionHandler,
+		},
+		ConnectionFailedCallback: func(conn net.Conn, err error) {
+			s.logger.Warn(ctx, "ssh connection failed",
+				slog.F("remote_addr", conn.RemoteAddr()),
+				slog.F("local_addr", conn.LocalAddr()),
+				slog.Error(err))
+			metrics.failedConnectionsTotal.Add(1)
+		},
+		ConnectionCompleteCallback: func(conn *gossh.ServerConn, err error) {
+			s.logger.Info(ctx, "ssh connection complete",
+				slog.F("remote_addr", conn.RemoteAddr()),
+				slog.F("local_addr", conn.LocalAddr()),
+				slog.Error(err))
+		},
+		Handler:     s.sessionHandler,
+		HostSigners: []ssh.Signer{randomSigner},
+		LocalPortForwardingCallback: func(ctx ssh.Context, destinationHost string, destinationPort uint32) bool {
+			// Allow local port forwarding all!
+			s.logger.Debug(ctx, "local port forward",
+				slog.F("destination_host", destinationHost),
+				slog.F("destination_port", destinationPort))
+			return true
+		},
+		PtyCallback: func(ctx ssh.Context, pty ssh.Pty) bool {
+			return true
+		},
+		ReversePortForwardingCallback: func(ctx ssh.Context, bindHost string, bindPort uint32) bool {
+			// Allow reverse port forwarding all!
+			s.logger.Debug(ctx, "local port forward",
+				slog.F("bind_host", bindHost),
+				slog.F("bind_port", bindPort))
+			return true
+		},
+		RequestHandlers: map[string]ssh.RequestHandler{
+			"tcpip-forward":                          forwardHandler.HandleSSHRequest,
+			"cancel-tcpip-forward":                   forwardHandler.HandleSSHRequest,
+			"streamlocal-forward@openssh.com":        unixForwardHandler.HandleSSHRequest,
+			"cancel-streamlocal-forward@openssh.com": unixForwardHandler.HandleSSHRequest,
+		},
+		X11Callback: s.x11Callback,
+		ServerConfigCallback: func(ctx ssh.Context) *gossh.ServerConfig {
+			return &gossh.ServerConfig{
+				NoClientAuth: true,
+			}
+		},
+		SubsystemHandlers: map[string]ssh.SubsystemHandler{
+			"sftp": s.sessionHandler,
+		},
+	}
+
+	// The MaxTimeout functionality has been substituted with the introduction of the KeepAlive feature.
+	// In cases where very short timeouts are set, the SSH server will automatically switch to the connection timeout for both read and write operations.
+	if maxTimeout >= 3*time.Second {
+		srv.ClientAliveCountMax = 3
+		srv.ClientAliveInterval = maxTimeout / time.Duration(srv.ClientAliveCountMax)
+		srv.MaxTimeout = 0
+	} else {
+		srv.MaxTimeout = maxTimeout
+	}
+
+	s.srv = srv
+	return s, nil
+}
+
+type ConnStats struct {
+	Sessions  int64
+	VSCode    int64
+	JetBrains int64
+}
+
+func (s *Server) ConnStats() ConnStats {
+	return ConnStats{
+		Sessions:  s.connCountSSHSession.Load(),
+		VSCode:    s.connCountVSCode.Load(),
+		JetBrains: s.connCountJetBrains.Load(),
+	}
+}
+
+func (s *Server) sessionHandler(session ssh.Session) {
+	logger := s.logger.With(slog.F("remote_addr", session.RemoteAddr()), slog.F("local_addr", session.LocalAddr()))
+	logger.Info(session.Context(), "handling ssh session")
+	ctx := session.Context()
+	if !s.trackSession(session, true) {
+		// See (*Server).Close() for why we call Close instead of Exit.
+		_ = session.Close()
+		logger.Info(ctx, "unable to accept new session, server is closing")
+		return
+	}
+	defer s.trackSession(session, false)
+
+	extraEnv := make([]string, 0)
+	x11, hasX11 := session.X11()
+	if hasX11 {
+		handled := s.x11Handler(session.Context(), x11)
+		if !handled {
+			_ = session.Exit(1)
+			logger.Error(ctx, "x11 handler failed")
+			return
+		}
+		extraEnv = append(extraEnv, fmt.Sprintf("DISPLAY=:%d.0", x11.ScreenNumber))
+	}
+
+	switch ss := session.Subsystem(); ss {
+	case "":
+	case "sftp":
+		s.sftpHandler(session)
+		return
+	default:
+		logger.Warn(ctx, "unsupported subsystem", slog.F("subsystem", ss))
+		_ = session.Exit(1)
+		return
+	}
+
+	err := s.sessionStart(session, extraEnv)
+	var exitError *exec.ExitError
+	if xerrors.As(err, &exitError) {
+		logger.Info(ctx, "ssh session returned", slog.Error(exitError))
+		_ = session.Exit(exitError.ExitCode())
+		return
+	}
+	if err != nil {
+		logger.Warn(ctx, "ssh session failed", slog.Error(err))
+		// This exit code is designed to be unlikely to be confused for a legit exit code
+		// from the process.
+		_ = session.Exit(MagicSessionErrorCode)
+		return
+	}
+	logger.Info(ctx, "normal ssh session exit")
+	_ = session.Exit(0)
+}
+
+func (s *Server) sessionStart(session ssh.Session, extraEnv []string) (retErr error) {
+	ctx := session.Context()
+	env := append(session.Environ(), extraEnv...)
+	var magicType string
+	for index, kv := range env {
+		if !strings.HasPrefix(kv, MagicSessionTypeEnvironmentVariable) {
+			continue
+		}
+		magicType = strings.TrimPrefix(kv, MagicSessionTypeEnvironmentVariable+"=")
+		env = append(env[:index], env[index+1:]...)
+	}
+	switch magicType {
+	case MagicSessionTypeVSCode:
+		s.connCountVSCode.Add(1)
+		defer s.connCountVSCode.Add(-1)
+	case MagicSessionTypeJetBrains:
+		s.connCountJetBrains.Add(1)
+		defer s.connCountJetBrains.Add(-1)
+	case "":
+		s.connCountSSHSession.Add(1)
+		defer s.connCountSSHSession.Add(-1)
+	default:
+		s.logger.Warn(ctx, "invalid magic ssh session type specified", slog.F("type", magicType))
+	}
+
+	magicTypeLabel := magicTypeMetricLabel(magicType)
+	sshPty, windowSize, isPty := session.Pty()
+
+	cmd, err := s.CreateCommand(ctx, session.RawCommand(), env)
+	if err != nil {
+		ptyLabel := "no"
+		if isPty {
+			ptyLabel = "yes"
+		}
+		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, ptyLabel, "create_command").Add(1)
+		return err
+	}
+
+	if ssh.AgentRequested(session) {
+		l, err := ssh.NewAgentListener()
+		if err != nil {
+			ptyLabel := "no"
+			if isPty {
+				ptyLabel = "yes"
+			}
+
+			s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, ptyLabel, "listener").Add(1)
+			return xerrors.Errorf("new agent listener: %w", err)
+		}
+		defer l.Close()
+		go ssh.ForwardAgentConnections(l, session)
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", "SSH_AUTH_SOCK", l.Addr().String()))
+	}
+
+	if isPty {
+		return s.startPTYSession(session, magicTypeLabel, cmd, sshPty, windowSize)
+	}
+	return s.startNonPTYSession(session, magicTypeLabel, cmd.AsExec())
+}
+
+func (s *Server) startNonPTYSession(session ssh.Session, magicTypeLabel string, cmd *exec.Cmd) error {
+	s.metrics.sessionsTotal.WithLabelValues(magicTypeLabel, "no").Add(1)
+
+	cmd.Stdout = session
+	cmd.Stderr = session.Stderr()
+	// This blocks forever until stdin is received if we don't
+	// use StdinPipe. It's unknown what causes this.
+	stdinPipe, err := cmd.StdinPipe()
+	if err != nil {
+		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "no", "stdin_pipe").Add(1)
+		return xerrors.Errorf("create stdin pipe: %w", err)
+	}
+	go func() {
+		_, err := io.Copy(stdinPipe, session)
+		if err != nil {
+			s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "no", "stdin_io_copy").Add(1)
+		}
+		_ = stdinPipe.Close()
+	}()
+	err = cmd.Start()
+	if err != nil {
+		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "no", "start_command").Add(1)
+		return xerrors.Errorf("start: %w", err)
+	}
+	return cmd.Wait()
+}
+
+// ptySession is the interface to the ssh.Session that startPTYSession uses
+// we use an interface here so that we can fake it in tests.
+type ptySession interface {
+	io.ReadWriter
+	Context() ssh.Context
+	DisablePTYEmulation()
+	RawCommand() string
+}
+
+func (s *Server) startPTYSession(session ptySession, magicTypeLabel string, cmd *pty.Cmd, sshPty ssh.Pty, windowSize <-chan ssh.Window) (retErr error) {
+	s.metrics.sessionsTotal.WithLabelValues(magicTypeLabel, "yes").Add(1)
+
+	ctx := session.Context()
+	// Disable minimal PTY emulation set by gliderlabs/ssh (NL-to-CRNL).
+	// See https://github.com/coder/coder/issues/3371.
+	session.DisablePTYEmulation()
+
+	if isLoginShell(session.RawCommand()) {
+		serviceBanner := s.ServiceBanner.Load()
+		if serviceBanner != nil {
+			err := showServiceBanner(session, serviceBanner)
+			if err != nil {
+				s.logger.Error(ctx, "agent failed to show service banner", slog.Error(err))
+				s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "service_banner").Add(1)
+			}
+		}
+	}
+
+	if !isQuietLogin(session.RawCommand()) {
+		manifest := s.Manifest.Load()
+		if manifest != nil {
+			err := showMOTD(session, manifest.MOTDFile)
+			if err != nil {
+				s.logger.Error(ctx, "agent failed to show MOTD", slog.Error(err))
+				s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "motd").Add(1)
+			}
+		} else {
+			s.logger.Warn(ctx, "metadata lookup failed, unable to show MOTD")
+		}
+	}
+
+	cmd.Env = append(cmd.Env, fmt.Sprintf("TERM=%s", sshPty.Term))
+
+	// The pty package sets `SSH_TTY` on supported platforms.
+	ptty, process, err := pty.Start(cmd, pty.WithPTYOption(
+		pty.WithSSHRequest(sshPty),
+		pty.WithLogger(slog.Stdlib(ctx, s.logger, slog.LevelInfo)),
+	))
+	if err != nil {
+		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "start_command").Add(1)
+		return xerrors.Errorf("start command: %w", err)
+	}
+	defer func() {
+		closeErr := ptty.Close()
+		if closeErr != nil {
+			s.logger.Warn(ctx, "failed to close tty", slog.Error(closeErr))
+			s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "close").Add(1)
+			if retErr == nil {
+				retErr = closeErr
+			}
+		}
+	}()
+	go func() {
+		for win := range windowSize {
+			resizeErr := ptty.Resize(uint16(win.Height), uint16(win.Width))
+			// If the pty is closed, then command has exited, no need to log.
+			if resizeErr != nil && !errors.Is(resizeErr, pty.ErrClosed) {
+				s.logger.Warn(ctx, "failed to resize tty", slog.Error(resizeErr))
+				s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "resize").Add(1)
+			}
+		}
+	}()
+
+	go func() {
+		_, err := io.Copy(ptty.InputWriter(), session)
+		if err != nil {
+			s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "input_io_copy").Add(1)
+		}
+	}()
+
+	// We need to wait for the command output to finish copying.  It's safe to
+	// just do this copy on the main handler goroutine because one of two things
+	// will happen:
+	//
+	// 1. The command completes & closes the TTY, which then triggers an error
+	//    after we've Read() all the buffered data from the PTY.
+	// 2. The client hangs up, which cancels the command's Context, and go will
+	//    kill the command's process.  This then has the same effect as (1).
+	n, err := io.Copy(session, ptty.OutputReader())
+	s.logger.Debug(ctx, "copy output done", slog.F("bytes", n), slog.Error(err))
+	if err != nil {
+		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "output_io_copy").Add(1)
+		return xerrors.Errorf("copy error: %w", err)
+	}
+	// We've gotten all the output, but we need to wait for the process to
+	// complete so that we can get the exit code.  This returns
+	// immediately if the TTY was closed as part of the command exiting.
+	err = process.Wait()
+	var exitErr *exec.ExitError
+	// ExitErrors just mean the command we run returned a non-zero exit code, which is normal
+	// and not something to be concerned about.  But, if it's something else, we should log it.
+	if err != nil && !xerrors.As(err, &exitErr) {
+		s.logger.Warn(ctx, "process wait exited with error", slog.Error(err))
+		s.metrics.sessionErrors.WithLabelValues(magicTypeLabel, "yes", "wait").Add(1)
+	}
+	if err != nil {
+		return xerrors.Errorf("process wait: %w", err)
+	}
+	return nil
+}
+
+func (s *Server) sftpHandler(session ssh.Session) {
+	s.metrics.sftpConnectionsTotal.Add(1)
+
+	ctx := session.Context()
+
+	// Typically sftp sessions don't request a TTY, but if they do,
+	// we must ensure the gliderlabs/ssh CRLF emulation is disabled.
+	// Otherwise sftp will be broken. This can happen if a user sets
+	// `RequestTTY force` in their SSH config.
+	session.DisablePTYEmulation()
+
+	var opts []sftp.ServerOption
+	// Change current working directory to the users home
+	// directory so that SFTP connections land there.
+	homedir, err := userHomeDir()
+	if err != nil {
+		s.logger.Warn(ctx, "get sftp working directory failed, unable to get home dir", slog.Error(err))
+	} else {
+		opts = append(opts, sftp.WithServerWorkingDirectory(homedir))
+	}
+
+	server, err := sftp.NewServer(session, opts...)
+	if err != nil {
+		s.logger.Debug(ctx, "initialize sftp server", slog.Error(err))
+		return
+	}
+	defer server.Close()
+
+	err = server.Serve()
+	if errors.Is(err, io.EOF) {
+		// Unless we call `session.Exit(0)` here, the client won't
+		// receive `exit-status` because `(*sftp.Server).Close()`
+		// calls `Close()` on the underlying connection (session),
+		// which actually calls `channel.Close()` because it isn't
+		// wrapped. This causes sftp clients to receive a non-zero
+		// exit code. Typically sftp clients don't echo this exit
+		// code but `scp` on macOS does (when using the default
+		// SFTP backend).
+		_ = session.Exit(0)
+		return
+	}
+	s.logger.Warn(ctx, "sftp server closed with error", slog.Error(err))
+	s.metrics.sftpServerErrors.Add(1)
+	_ = session.Exit(1)
+}
+
+// CreateCommand processes raw command input with OpenSSH-like behavior.
+// If the script provided is empty, it will default to the users shell.
+// This injects environment variables specified by the user at launch too.
+func (s *Server) CreateCommand(ctx context.Context, script string, env []string) (*pty.Cmd, error) {
+	currentUser, err := user.Current()
+	if err != nil {
+		return nil, xerrors.Errorf("get current user: %w", err)
+	}
+	username := currentUser.Username
+
+	shell, err := usershell.Get(username)
+	if err != nil {
+		return nil, xerrors.Errorf("get user shell: %w", err)
+	}
+
+	manifest := s.Manifest.Load()
+	if manifest == nil {
+		return nil, xerrors.Errorf("no metadata was provided")
+	}
+
+	// OpenSSH executes all commands with the users current shell.
+	// We replicate that behavior for IDE support.
+	caller := "-c"
+	if runtime.GOOS == "windows" {
+		caller = "/c"
+	}
+	args := []string{caller, script}
+
+	// gliderlabs/ssh returns a command slice of zero
+	// when a shell is requested.
+	if len(script) == 0 {
+		args = []string{}
+		if runtime.GOOS != "windows" {
+			// On Linux and macOS, we should start a login
+			// shell to consume juicy environment variables!
+			args = append(args, "-l")
+		}
+	}
+
+	cmd := pty.CommandContext(ctx, shell, args...)
+	cmd.Dir = manifest.Directory
+
+	// If the metadata directory doesn't exist, we run the command
+	// in the users home directory.
+	_, err = os.Stat(cmd.Dir)
+	if cmd.Dir == "" || err != nil {
+		// Default to user home if a directory is not set.
+		homedir, err := userHomeDir()
+		if err != nil {
+			return nil, xerrors.Errorf("get home dir: %w", err)
+		}
+		cmd.Dir = homedir
+	}
+	cmd.Env = append(os.Environ(), env...)
+	executablePath, err := os.Executable()
+	if err != nil {
+		return nil, xerrors.Errorf("getting os executable: %w", err)
+	}
+	// Set environment variables reliable detection of being inside a
+	// Coder workspace.
+	cmd.Env = append(cmd.Env, "CODER=true")
+	cmd.Env = append(cmd.Env, fmt.Sprintf("USER=%s", username))
+	// Git on Windows resolves with UNIX-style paths.
+	// If using backslashes, it's unable to find the executable.
+	unixExecutablePath := strings.ReplaceAll(executablePath, "\\", "/")
+	cmd.Env = append(cmd.Env, fmt.Sprintf(`GIT_SSH_COMMAND=%s gitssh --`, unixExecutablePath))
+
+	// Specific Coder subcommands require the agent token exposed!
+	cmd.Env = append(cmd.Env, fmt.Sprintf("CODER_AGENT_TOKEN=%s", s.AgentToken()))
+
+	// Set SSH connection environment variables (these are also set by OpenSSH
+	// and thus expected to be present by SSH clients). Since the agent does
+	// networking in-memory, trying to provide accurate values here would be
+	// nonsensical. For now, we hard code these values so that they're present.
+	srcAddr, srcPort := "0.0.0.0", "0"
+	dstAddr, dstPort := "0.0.0.0", "0"
+	cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_CLIENT=%s %s %s", srcAddr, srcPort, dstPort))
+	cmd.Env = append(cmd.Env, fmt.Sprintf("SSH_CONNECTION=%s %s %s %s", srcAddr, srcPort, dstAddr, dstPort))
+
+	// This adds the ports dialog to code-server that enables
+	// proxying a port dynamically.
+	cmd.Env = append(cmd.Env, fmt.Sprintf("VSCODE_PROXY_URI=%s", manifest.VSCodePortProxyURI))
+
+	// Hide Coder message on code-server's "Getting Started" page
+	cmd.Env = append(cmd.Env, "CS_DISABLE_GETTING_STARTED_OVERRIDE=true")
+
+	// Load environment variables passed via the agent.
+	// These should override all variables we manually specify.
+	for envKey, value := range manifest.EnvironmentVariables {
+		// Expanding environment variables allows for customization
+		// of the $PATH, among other variables. Customers can prepend
+		// or append to the $PATH, so allowing expand is required!
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, os.ExpandEnv(value)))
+	}
+
+	// Agent-level environment variables should take over all!
+	// This is used for setting agent-specific variables like "CODER_AGENT_TOKEN".
+	for envKey, value := range s.Env {
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, value))
+	}
+
+	return cmd, nil
+}
+
+func (s *Server) Serve(l net.Listener) (retErr error) {
+	s.logger.Info(context.Background(), "started serving listener", slog.F("listen_addr", l.Addr()))
+	defer func() {
+		s.logger.Info(context.Background(), "stopped serving listener",
+			slog.F("listen_addr", l.Addr()), slog.Error(retErr))
+	}()
+	defer l.Close()
+
+	s.trackListener(l, true)
+	defer s.trackListener(l, false)
+	for {
+		conn, err := l.Accept()
+		if err != nil {
+			return err
+		}
+		go s.handleConn(l, conn)
+	}
+}
+
+func (s *Server) handleConn(l net.Listener, c net.Conn) {
+	logger := s.logger.With(
+		slog.F("remote_addr", c.RemoteAddr()),
+		slog.F("local_addr", c.LocalAddr()),
+		slog.F("listen_addr", l.Addr()))
+	defer c.Close()
+
+	if !s.trackConn(l, c, true) {
+		// Server is closed or we no longer want
+		// connections from this listener.
+		logger.Info(context.Background(), "received connection after server closed")
+		return
+	}
+	defer s.trackConn(l, c, false)
+	logger.Info(context.Background(), "started serving connection")
+	// note: srv.ConnectionCompleteCallback logs completion of the connection
+	s.srv.HandleConn(c)
+}
+
+// trackListener registers the listener with the server. If the server is
+// closing, the function will block until the server is closed.
+//
+//nolint:revive
+func (s *Server) trackListener(l net.Listener, add bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if add {
+		for s.closing != nil {
+			closing := s.closing
+			// Wait until close is complete before
+			// serving a new listener.
+			s.mu.Unlock()
+			<-closing
+			s.mu.Lock()
+		}
+		s.wg.Add(1)
+		s.listeners[l] = struct{}{}
+		return
+	}
+	s.wg.Done()
+	delete(s.listeners, l)
+}
+
+// trackConn registers the connection with the server. If the server is
+// closed or the listener is closed, the connection is not registered
+// and should be closed.
+//
+//nolint:revive
+func (s *Server) trackConn(l net.Listener, c net.Conn, add bool) (ok bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if add {
+		found := false
+		for ll := range s.listeners {
+			if l == ll {
+				found = true
+				break
+			}
+		}
+		if s.closing != nil || !found {
+			// Server or listener closed.
+			return false
+		}
+		s.wg.Add(1)
+		s.conns[c] = struct{}{}
+		return true
+	}
+	s.wg.Done()
+	delete(s.conns, c)
+	return true
+}
+
+// trackSession registers the session with the server. If the server is
+// closing, the session is not registered and should be closed.
+//
+//nolint:revive
+func (s *Server) trackSession(ss ssh.Session, add bool) (ok bool) {
+	s.mu.Lock()
+	defer s.mu.Unlock()
+	if add {
+		if s.closing != nil {
+			// Server closed.
+			return false
+		}
+		s.wg.Add(1)
+		s.sessions[ss] = struct{}{}
+		return true
+	}
+	s.wg.Done()
+	delete(s.sessions, ss)
+	return true
+}
+
+// Close the server and all active connections. Server can be re-used
+// after Close is done.
+func (s *Server) Close() error {
+	s.mu.Lock()
+
+	// Guard against multiple calls to Close and
+	// accepting new connections during close.
+	if s.closing != nil {
+		s.mu.Unlock()
+		return xerrors.New("server is closing")
+	}
+	s.closing = make(chan struct{})
+
+	// Close all active sessions to gracefully
+	// terminate client connections.
+	for ss := range s.sessions {
+		// We call Close on the underlying channel here because we don't
+		// want to send an exit status to the client (via Exit()).
+		// Typically OpenSSH clients will return 255 as the exit status.
+		_ = ss.Close()
+	}
+
+	// Close all active listeners and connections.
+	for l := range s.listeners {
+		_ = l.Close()
+	}
+	for c := range s.conns {
+		_ = c.Close()
+	}
+
+	// Close the underlying SSH server.
+	err := s.srv.Close()
+
+	s.mu.Unlock()
+	s.wg.Wait() // Wait for all goroutines to exit.
+
+	s.mu.Lock()
+	close(s.closing)
+	s.closing = nil
+	s.mu.Unlock()
+
+	return err
+}
+
+// Shutdown gracefully closes all active SSH connections and stops
+// accepting new connections.
+//
+// Shutdown is not implemented.
+func (*Server) Shutdown(_ context.Context) error {
+	// TODO(mafredri): Implement shutdown, SIGHUP running commands, etc.
+	return nil
+}
+
+func isLoginShell(rawCommand string) bool {
+	return len(rawCommand) == 0
+}
+
+// isQuietLogin checks if the SSH server should perform a quiet login or not.
+//
+// https://github.com/openssh/openssh-portable/blob/25bd659cc72268f2858c5415740c442ee950049f/session.c#L816
+func isQuietLogin(rawCommand string) bool {
+	// We are always quiet unless this is a login shell.
+	if !isLoginShell(rawCommand) {
+		return true
+	}
+
+	// Best effort, if we can't get the home directory,
+	// we can't lookup .hushlogin.
+	homedir, err := userHomeDir()
+	if err != nil {
+		return false
+	}
+
+	_, err = os.Stat(filepath.Join(homedir, ".hushlogin"))
+	return err == nil
+}
+
+// showServiceBanner will write the service banner if enabled and not blank
+// along with a blank line for spacing.
+func showServiceBanner(session io.Writer, banner *codersdk.ServiceBannerConfig) error {
+	if banner.Enabled && banner.Message != "" {
+		// The banner supports Markdown so we might want to parse it but Markdown is
+		// still fairly readable in its raw form.
+		message := strings.TrimSpace(banner.Message) + "\n\n"
+		return writeWithCarriageReturn(strings.NewReader(message), session)
+	}
+	return nil
+}
+
+// showMOTD will output the message of the day from
+// the given filename to dest, if the file exists.
+//
+// https://github.com/openssh/openssh-portable/blob/25bd659cc72268f2858c5415740c442ee950049f/session.c#L784
+func showMOTD(dest io.Writer, filename string) error {
+	if filename == "" {
+		return nil
+	}
+
+	f, err := os.Open(filename)
+	if err != nil {
+		if xerrors.Is(err, os.ErrNotExist) {
+			// This is not an error, there simply isn't a MOTD to show.
+			return nil
+		}
+		return xerrors.Errorf("open MOTD: %w", err)
+	}
+	defer f.Close()
+
+	return writeWithCarriageReturn(f, dest)
+}
+
+// writeWithCarriageReturn writes each line with a carriage return to ensure
+// that each line starts at the beginning of the terminal.
+func writeWithCarriageReturn(src io.Reader, dest io.Writer) error {
+	s := bufio.NewScanner(src)
+	for s.Scan() {
+		_, err := fmt.Fprint(dest, s.Text()+"\r\n")
+		if err != nil {
+			return xerrors.Errorf("write line: %w", err)
+		}
+	}
+	if err := s.Err(); err != nil {
+		return xerrors.Errorf("read line: %w", err)
+	}
+	return nil
+}
+
+// userHomeDir returns the home directory of the current user, giving
+// priority to the $HOME environment variable.
+func userHomeDir() (string, error) {
+	// First we check the environment.
+	homedir, err := os.UserHomeDir()
+	if err == nil {
+		return homedir, nil
+	}
+
+	// As a fallback, we try the user information.
+	u, err := user.Current()
+	if err != nil {
+		return "", xerrors.Errorf("current user: %w", err)
+	}
+	return u.HomeDir, nil
+}
@@ -0,0 +1,197 @@
+//go:build !windows
+
+package agentssh
+
+import (
+	"bufio"
+	"context"
+	"io"
+	"net"
+	"testing"
+
+	gliderssh "github.com/gliderlabs/ssh"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/pty"
+	"github.com/coder/coder/testutil"
+
+	"cdr.dev/slog/sloggers/slogtest"
+)
+
+const longScript = `
+echo "started"
+sleep 30
+echo "done"
+`
+
+// Test_sessionStart_orphan tests running a command that takes a long time to
+// exit normally, and terminate the SSH session context early to verify that we
+// return quickly and don't leave the command running as an "orphan" with no
+// active SSH session.
+func Test_sessionStart_orphan(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
+	defer cancel()
+	logger := slogtest.Make(t, nil)
+	s, err := NewServer(ctx, logger, prometheus.NewRegistry(), afero.NewMemMapFs(), 0, "")
+	require.NoError(t, err)
+	defer s.Close()
+
+	// Here we're going to call the handler directly with a faked SSH session
+	// that just uses io.Pipes instead of a network socket.  There is a large
+	// variation in the time between closing the socket from the client side and
+	// the SSH server canceling the session Context, which would lead to a flaky
+	// test if we did it that way.  So instead, we directly cancel the context
+	// in this test.
+	sessionCtx, sessionCancel := context.WithCancel(ctx)
+	toClient, fromClient, sess := newTestSession(sessionCtx)
+	ptyInfo := gliderssh.Pty{}
+	windowSize := make(chan gliderssh.Window)
+	close(windowSize)
+	// the command gets the session context so that Go will terminate it when
+	// the session expires.
+	cmd := pty.CommandContext(sessionCtx, "sh", "-c", longScript)
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+
+		// we don't really care what the error is here.  In the larger scenario,
+		// the client has disconnected, so we can't return any error information
+		// to them.
+		_ = s.startPTYSession(sess, "ssh", cmd, ptyInfo, windowSize)
+	}()
+
+	readDone := make(chan struct{})
+	go func() {
+		defer close(readDone)
+		s := bufio.NewScanner(toClient)
+		assert.True(t, s.Scan())
+		txt := s.Text()
+		assert.Equal(t, "started", txt, "output corrupted")
+	}()
+
+	waitForChan(ctx, t, readDone, "read timeout")
+	// process is started, and should be sleeping for ~30 seconds
+
+	sessionCancel()
+
+	// now, we wait for the handler to complete.  If it does so before the
+	// main test timeout, we consider this a pass.  If not, it indicates
+	// that the server isn't properly shutting down sessions when they are
+	// disconnected client side, which could lead to processes hanging around
+	// indefinitely.
+	waitForChan(ctx, t, done, "handler timeout")
+
+	err = fromClient.Close()
+	require.NoError(t, err)
+}
+
+func waitForChan(ctx context.Context, t *testing.T, c <-chan struct{}, msg string) {
+	t.Helper()
+	select {
+	case <-c:
+		// OK!
+	case <-ctx.Done():
+		t.Fatal(msg)
+	}
+}
+
+type testSession struct {
+	ctx testSSHContext
+
+	// c2p is the client -> pty buffer
+	toPty *io.PipeReader
+	// p2c is the pty -> client buffer
+	fromPty *io.PipeWriter
+}
+
+type testSSHContext struct {
+	context.Context
+}
+
+func newTestSession(ctx context.Context) (toClient *io.PipeReader, fromClient *io.PipeWriter, s ptySession) {
+	toClient, fromPty := io.Pipe()
+	toPty, fromClient := io.Pipe()
+
+	return toClient, fromClient, &testSession{
+		ctx:     testSSHContext{ctx},
+		toPty:   toPty,
+		fromPty: fromPty,
+	}
+}
+
+func (s *testSession) Context() gliderssh.Context {
+	return s.ctx
+}
+
+func (*testSession) DisablePTYEmulation() {}
+
+// RawCommand returns "quiet logon" so that the PTY handler doesn't attempt to
+// write the message of the day, which will interfere with our tests.  It writes
+// the message of the day if it's a shell login (zero length RawCommand()).
+func (*testSession) RawCommand() string { return "quiet logon" }
+
+func (s *testSession) Read(p []byte) (n int, err error) {
+	return s.toPty.Read(p)
+}
+
+func (s *testSession) Write(p []byte) (n int, err error) {
+	return s.fromPty.Write(p)
+}
+
+func (testSSHContext) Lock() {
+	panic("not implemented")
+}
+
+func (testSSHContext) Unlock() {
+	panic("not implemented")
+}
+
+// User returns the username used when establishing the SSH connection.
+func (testSSHContext) User() string {
+	panic("not implemented")
+}
+
+// SessionID returns the session hash.
+func (testSSHContext) SessionID() string {
+	panic("not implemented")
+}
+
+// ClientVersion returns the version reported by the client.
+func (testSSHContext) ClientVersion() string {
+	panic("not implemented")
+}
+
+// ServerVersion returns the version reported by the server.
+func (testSSHContext) ServerVersion() string {
+	panic("not implemented")
+}
+
+// RemoteAddr returns the remote address for this connection.
+func (testSSHContext) RemoteAddr() net.Addr {
+	panic("not implemented")
+}
+
+// LocalAddr returns the local address for this connection.
+func (testSSHContext) LocalAddr() net.Addr {
+	panic("not implemented")
+}
+
+// Permissions returns the Permissions object used for this connection.
+func (testSSHContext) Permissions() *gliderssh.Permissions {
+	panic("not implemented")
+}
+
+// SetValue allows you to easily write new values into the underlying context.
+func (testSSHContext) SetValue(_, _ interface{}) {
+	panic("not implemented")
+}
+
+func (testSSHContext) KeepAlive() *gliderssh.SessionKeepAlive {
+	panic("not implemented")
+}
@@ -0,0 +1,144 @@
+// Package agentssh_test provides tests for basic functinoality of the agentssh
+// package, more test coverage can be found in the `agent` and `cli` package(s).
+package agentssh_test
+
+import (
+	"bytes"
+	"context"
+	"net"
+	"strings"
+	"sync"
+	"testing"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/atomic"
+	"go.uber.org/goleak"
+	"golang.org/x/crypto/ssh"
+
+	"cdr.dev/slog/sloggers/slogtest"
+
+	"github.com/coder/coder/agent/agentssh"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+func TestMain(m *testing.M) {
+	goleak.VerifyTestMain(m)
+}
+
+func TestNewServer_ServeClient(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	logger := slogtest.Make(t, nil)
+	s, err := agentssh.NewServer(ctx, logger, prometheus.NewRegistry(), afero.NewMemMapFs(), 0, "")
+	require.NoError(t, err)
+	defer s.Close()
+
+	// The assumption is that these are set before serving SSH connections.
+	s.AgentToken = func() string { return "" }
+	s.Manifest = atomic.NewPointer(&agentsdk.Manifest{})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		err := s.Serve(ln)
+		assert.Error(t, err) // Server is closed.
+	}()
+
+	c := sshClient(t, ln.Addr().String())
+
+	var b bytes.Buffer
+	sess, err := c.NewSession()
+	sess.Stdout = &b
+	require.NoError(t, err)
+	err = sess.Start("echo hello")
+	require.NoError(t, err)
+
+	err = sess.Wait()
+	require.NoError(t, err)
+
+	require.Equal(t, "hello", strings.TrimSpace(b.String()))
+
+	err = s.Close()
+	require.NoError(t, err)
+	<-done
+}
+
+func TestNewServer_CloseActiveConnections(t *testing.T) {
+	t.Parallel()
+
+	ctx := context.Background()
+	logger := slogtest.Make(t, &slogtest.Options{IgnoreErrors: true})
+	s, err := agentssh.NewServer(ctx, logger, prometheus.NewRegistry(), afero.NewMemMapFs(), 0, "")
+	require.NoError(t, err)
+	defer s.Close()
+
+	// The assumption is that these are set before serving SSH connections.
+	s.AgentToken = func() string { return "" }
+	s.Manifest = atomic.NewPointer(&agentsdk.Manifest{})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	var wg sync.WaitGroup
+	wg.Add(2)
+	go func() {
+		defer wg.Done()
+		err := s.Serve(ln)
+		assert.Error(t, err) // Server is closed.
+	}()
+
+	pty := ptytest.New(t)
+
+	doClose := make(chan struct{})
+	go func() {
+		defer wg.Done()
+		c := sshClient(t, ln.Addr().String())
+		sess, err := c.NewSession()
+		sess.Stdin = pty.Input()
+		sess.Stdout = pty.Output()
+		sess.Stderr = pty.Output()
+
+		assert.NoError(t, err)
+		err = sess.Start("")
+		assert.NoError(t, err)
+
+		close(doClose)
+		err = sess.Wait()
+		assert.Error(t, err)
+	}()
+
+	<-doClose
+	err = s.Close()
+	require.NoError(t, err)
+
+	wg.Wait()
+}
+
+func sshClient(t *testing.T, addr string) *ssh.Client {
+	conn, err := net.Dial("tcp", addr)
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = conn.Close()
+	})
+
+	sshConn, channels, requests, err := ssh.NewClientConn(conn, "localhost:22", &ssh.ClientConfig{
+		HostKeyCallback: ssh.InsecureIgnoreHostKey(), //nolint:gosec // This is a test.
+	})
+	require.NoError(t, err)
+	t.Cleanup(func() {
+		_ = sshConn.Close()
+	})
+	c := ssh.NewClient(sshConn, channels, requests)
+	t.Cleanup(func() {
+		_ = c.Close()
+	})
+	return c
+}
@@ -0,0 +1,47 @@
+package agentssh
+
+import (
+	"context"
+	"io"
+	"sync"
+)
+
+// Bicopy copies all of the data between the two connections and will close them
+// after one or both of them are done writing. If the context is canceled, both
+// of the connections will be closed.
+func Bicopy(ctx context.Context, c1, c2 io.ReadWriteCloser) {
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+
+	defer func() {
+		_ = c1.Close()
+		_ = c2.Close()
+	}()
+
+	var wg sync.WaitGroup
+	copyFunc := func(dst io.WriteCloser, src io.Reader) {
+		defer func() {
+			wg.Done()
+			// If one side of the copy fails, ensure the other one exits as
+			// well.
+			cancel()
+		}()
+		_, _ = io.Copy(dst, src)
+	}
+
+	wg.Add(2)
+	go copyFunc(c1, c2)
+	go copyFunc(c2, c1)
+
+	// Convert waitgroup to a channel so we can also wait on the context.
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		wg.Wait()
+	}()
+
+	select {
+	case <-ctx.Done():
+	case <-done:
+	}
+}
@@ -0,0 +1,203 @@
+package agentssh
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/gliderlabs/ssh"
+	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+)
+
+// streamLocalForwardPayload describes the extra data sent in a
+// streamlocal-forward@openssh.com containing the socket path to bind to.
+type streamLocalForwardPayload struct {
+	SocketPath string
+}
+
+// forwardedStreamLocalPayload describes the data sent as the payload in the new
+// channel request when a Unix connection is accepted by the listener.
+type forwardedStreamLocalPayload struct {
+	SocketPath string
+	Reserved   uint32
+}
+
+// forwardedUnixHandler is a clone of ssh.ForwardedTCPHandler that does
+// streamlocal forwarding (aka. unix forwarding) instead of TCP forwarding.
+type forwardedUnixHandler struct {
+	sync.Mutex
+	log      slog.Logger
+	forwards map[string]net.Listener
+}
+
+func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server, req *gossh.Request) (bool, []byte) {
+	h.Lock()
+	if h.forwards == nil {
+		h.forwards = make(map[string]net.Listener)
+	}
+	h.Unlock()
+	conn, ok := ctx.Value(ssh.ContextKeyConn).(*gossh.ServerConn)
+	if !ok {
+		h.log.Warn(ctx, "SSH unix forward request from client with no gossh connection")
+		return false, nil
+	}
+
+	switch req.Type {
+	case "streamlocal-forward@openssh.com":
+		var reqPayload streamLocalForwardPayload
+		err := gossh.Unmarshal(req.Payload, &reqPayload)
+		if err != nil {
+			h.log.Warn(ctx, "parse streamlocal-forward@openssh.com request payload from client", slog.Error(err))
+			return false, nil
+		}
+
+		addr := reqPayload.SocketPath
+		h.Lock()
+		_, ok := h.forwards[addr]
+		h.Unlock()
+		if ok {
+			h.log.Warn(ctx, "SSH unix forward request for socket path that is already being forwarded (maybe to another client?)",
+				slog.F("socket_path", addr),
+			)
+			return false, nil
+		}
+
+		// Create socket parent dir if not exists.
+		parentDir := filepath.Dir(addr)
+		err = os.MkdirAll(parentDir, 0o700)
+		if err != nil {
+			h.log.Warn(ctx, "create parent dir for SSH unix forward request",
+				slog.F("parent_dir", parentDir),
+				slog.F("socket_path", addr),
+				slog.Error(err),
+			)
+			return false, nil
+		}
+
+		ln, err := net.Listen("unix", addr)
+		if err != nil {
+			h.log.Warn(ctx, "listen on Unix socket for SSH unix forward request",
+				slog.F("socket_path", addr),
+				slog.Error(err),
+			)
+			return false, nil
+		}
+
+		// The listener needs to successfully start before it can be added to
+		// the map, so we don't have to worry about checking for an existing
+		// listener.
+		//
+		// This is also what the upstream TCP version of this code does.
+		h.Lock()
+		h.forwards[addr] = ln
+		h.Unlock()
+
+		ctx, cancel := context.WithCancel(ctx)
+		go func() {
+			<-ctx.Done()
+			_ = ln.Close()
+		}()
+		go func() {
+			defer cancel()
+
+			for {
+				c, err := ln.Accept()
+				if err != nil {
+					if !xerrors.Is(err, net.ErrClosed) {
+						h.log.Warn(ctx, "accept on local Unix socket for SSH unix forward request",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+					}
+					// closed below
+					break
+				}
+				payload := gossh.Marshal(&forwardedStreamLocalPayload{
+					SocketPath: addr,
+				})
+
+				go func() {
+					ch, reqs, err := conn.OpenChannel("forwarded-streamlocal@openssh.com", payload)
+					if err != nil {
+						h.log.Warn(ctx, "open SSH channel to forward Unix connection to client",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+						_ = c.Close()
+						return
+					}
+					go gossh.DiscardRequests(reqs)
+					Bicopy(ctx, ch, c)
+				}()
+			}
+
+			h.Lock()
+			ln2, ok := h.forwards[addr]
+			if ok && ln2 == ln {
+				delete(h.forwards, addr)
+			}
+			h.Unlock()
+			_ = ln.Close()
+		}()
+
+		return true, nil
+
+	case "cancel-streamlocal-forward@openssh.com":
+		var reqPayload streamLocalForwardPayload
+		err := gossh.Unmarshal(req.Payload, &reqPayload)
+		if err != nil {
+			h.log.Warn(ctx, "parse cancel-streamlocal-forward@openssh.com request payload from client", slog.Error(err))
+			return false, nil
+		}
+		h.Lock()
+		ln, ok := h.forwards[reqPayload.SocketPath]
+		h.Unlock()
+		if ok {
+			_ = ln.Close()
+		}
+		return true, nil
+
+	default:
+		return false, nil
+	}
+}
+
+// directStreamLocalPayload describes the extra data sent in a
+// direct-streamlocal@openssh.com channel request containing the socket path.
+type directStreamLocalPayload struct {
+	SocketPath string
+
+	Reserved1 string
+	Reserved2 uint32
+}
+
+func directStreamLocalHandler(_ *ssh.Server, _ *gossh.ServerConn, newChan gossh.NewChannel, ctx ssh.Context) {
+	var reqPayload directStreamLocalPayload
+	err := gossh.Unmarshal(newChan.ExtraData(), &reqPayload)
+	if err != nil {
+		_ = newChan.Reject(gossh.ConnectionFailed, "could not parse direct-streamlocal@openssh.com channel payload")
+		return
+	}
+
+	var dialer net.Dialer
+	dconn, err := dialer.DialContext(ctx, "unix", reqPayload.SocketPath)
+	if err != nil {
+		_ = newChan.Reject(gossh.ConnectionFailed, fmt.Sprintf("dial unix socket %q: %+v", reqPayload.SocketPath, err.Error()))
+		return
+	}
+
+	ch, reqs, err := newChan.Accept()
+	if err != nil {
+		_ = dconn.Close()
+		return
+	}
+	go gossh.DiscardRequests(reqs)
+
+	Bicopy(ctx, ch, dconn)
+}
@@ -0,0 +1,82 @@
+package agentssh
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+type sshServerMetrics struct {
+	failedConnectionsTotal prometheus.Counter
+	sftpConnectionsTotal   prometheus.Counter
+	sftpServerErrors       prometheus.Counter
+	x11HandlerErrors       *prometheus.CounterVec
+	sessionsTotal          *prometheus.CounterVec
+	sessionErrors          *prometheus.CounterVec
+}
+
+func newSSHServerMetrics(registerer prometheus.Registerer) *sshServerMetrics {
+	failedConnectionsTotal := prometheus.NewCounter(prometheus.CounterOpts{
+		Namespace: "agent", Subsystem: "ssh_server", Name: "failed_connections_total",
+	})
+	registerer.MustRegister(failedConnectionsTotal)
+
+	sftpConnectionsTotal := prometheus.NewCounter(prometheus.CounterOpts{
+		Namespace: "agent", Subsystem: "ssh_server", Name: "sftp_connections_total",
+	})
+	registerer.MustRegister(sftpConnectionsTotal)
+
+	sftpServerErrors := prometheus.NewCounter(prometheus.CounterOpts{
+		Namespace: "agent", Subsystem: "ssh_server", Name: "sftp_server_errors_total",
+	})
+	registerer.MustRegister(sftpServerErrors)
+
+	x11HandlerErrors := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: "agent",
+			Subsystem: "x11_handler",
+			Name:      "errors_total",
+		},
+		[]string{"error_type"},
+	)
+	registerer.MustRegister(x11HandlerErrors)
+
+	sessionsTotal := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: "agent",
+			Subsystem: "sessions",
+			Name:      "total",
+		},
+		[]string{"magic_type", "pty"},
+	)
+	registerer.MustRegister(sessionsTotal)
+
+	sessionErrors := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: "agent",
+			Subsystem: "sessions",
+			Name:      "errors_total",
+		},
+		[]string{"magic_type", "pty", "error_type"},
+	)
+	registerer.MustRegister(sessionErrors)
+
+	return &sshServerMetrics{
+		failedConnectionsTotal: failedConnectionsTotal,
+		sftpConnectionsTotal:   sftpConnectionsTotal,
+		sftpServerErrors:       sftpServerErrors,
+		x11HandlerErrors:       x11HandlerErrors,
+		sessionsTotal:          sessionsTotal,
+		sessionErrors:          sessionErrors,
+	}
+}
+
+func magicTypeMetricLabel(magicType string) string {
+	switch magicType {
+	case MagicSessionTypeVSCode:
+	case MagicSessionTypeJetBrains:
+	case "":
+		magicType = "ssh"
+	default:
+		magicType = "unknown"
+	}
+	return magicType
+}
@@ -0,0 +1,200 @@
+package agentssh
+
+import (
+	"context"
+	"encoding/binary"
+	"encoding/hex"
+	"errors"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"strconv"
+	"time"
+
+	"github.com/gliderlabs/ssh"
+	"github.com/gofrs/flock"
+	"github.com/spf13/afero"
+	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+)
+
+// x11Callback is called when the client requests X11 forwarding.
+// It adds an Xauthority entry to the Xauthority file.
+func (s *Server) x11Callback(ctx ssh.Context, x11 ssh.X11) bool {
+	hostname, err := os.Hostname()
+	if err != nil {
+		s.logger.Warn(ctx, "failed to get hostname", slog.Error(err))
+		s.metrics.x11HandlerErrors.WithLabelValues("hostname").Add(1)
+		return false
+	}
+
+	err = s.fs.MkdirAll(s.x11SocketDir, 0o700)
+	if err != nil {
+		s.logger.Warn(ctx, "failed to make the x11 socket dir", slog.F("dir", s.x11SocketDir), slog.Error(err))
+		s.metrics.x11HandlerErrors.WithLabelValues("socker_dir").Add(1)
+		return false
+	}
+
+	err = addXauthEntry(ctx, s.fs, hostname, strconv.Itoa(int(x11.ScreenNumber)), x11.AuthProtocol, x11.AuthCookie)
+	if err != nil {
+		s.logger.Warn(ctx, "failed to add Xauthority entry", slog.Error(err))
+		s.metrics.x11HandlerErrors.WithLabelValues("xauthority").Add(1)
+		return false
+	}
+	return true
+}
+
+// x11Handler is called when a session has requested X11 forwarding.
+// It listens for X11 connections and forwards them to the client.
+func (s *Server) x11Handler(ctx ssh.Context, x11 ssh.X11) bool {
+	serverConn, valid := ctx.Value(ssh.ContextKeyConn).(*gossh.ServerConn)
+	if !valid {
+		s.logger.Warn(ctx, "failed to get server connection")
+		return false
+	}
+	// We want to overwrite the socket so that subsequent connections will succeed.
+	socketPath := filepath.Join(s.x11SocketDir, fmt.Sprintf("X%d", x11.ScreenNumber))
+	err := os.Remove(socketPath)
+	if err != nil && !errors.Is(err, os.ErrNotExist) {
+		s.logger.Warn(ctx, "failed to remove existing X11 socket", slog.Error(err))
+		return false
+	}
+	listener, err := net.Listen("unix", socketPath)
+	if err != nil {
+		s.logger.Warn(ctx, "failed to listen for X11", slog.Error(err))
+		return false
+	}
+	s.trackListener(listener, true)
+
+	go func() {
+		defer listener.Close()
+		defer s.trackListener(listener, false)
+		handledFirstConnection := false
+
+		for {
+			conn, err := listener.Accept()
+			if err != nil {
+				if errors.Is(err, net.ErrClosed) {
+					return
+				}
+				s.logger.Warn(ctx, "failed to accept X11 connection", slog.Error(err))
+				return
+			}
+			if x11.SingleConnection && handledFirstConnection {
+				s.logger.Warn(ctx, "X11 connection rejected because single connection is enabled")
+				_ = conn.Close()
+				continue
+			}
+			handledFirstConnection = true
+
+			unixConn, ok := conn.(*net.UnixConn)
+			if !ok {
+				s.logger.Warn(ctx, fmt.Sprintf("failed to cast connection to UnixConn. got: %T", conn))
+				return
+			}
+			unixAddr, ok := unixConn.LocalAddr().(*net.UnixAddr)
+			if !ok {
+				s.logger.Warn(ctx, fmt.Sprintf("failed to cast local address to UnixAddr. got: %T", unixConn.LocalAddr()))
+				return
+			}
+
+			channel, reqs, err := serverConn.OpenChannel("x11", gossh.Marshal(struct {
+				OriginatorAddress string
+				OriginatorPort    uint32
+			}{
+				OriginatorAddress: unixAddr.Name,
+				OriginatorPort:    0,
+			}))
+			if err != nil {
+				s.logger.Warn(ctx, "failed to open X11 channel", slog.Error(err))
+				return
+			}
+			go gossh.DiscardRequests(reqs)
+			go Bicopy(ctx, conn, channel)
+		}
+	}()
+	return true
+}
+
+// addXauthEntry adds an Xauthority entry to the Xauthority file.
+// The Xauthority file is located at ~/.Xauthority.
+func addXauthEntry(ctx context.Context, fs afero.Fs, host string, display string, authProtocol string, authCookie string) error {
+	// Get the Xauthority file path
+	homeDir, err := os.UserHomeDir()
+	if err != nil {
+		return xerrors.Errorf("failed to get user home directory: %w", err)
+	}
+
+	xauthPath := filepath.Join(homeDir, ".Xauthority")
+
+	lock := flock.New(xauthPath)
+	defer lock.Close()
+	ok, err := lock.TryLockContext(ctx, 100*time.Millisecond)
+	if !ok {
+		return xerrors.Errorf("failed to lock Xauthority file: %w", err)
+	}
+	if err != nil {
+		return xerrors.Errorf("failed to lock Xauthority file: %w", err)
+	}
+
+	// Open or create the Xauthority file
+	file, err := fs.OpenFile(xauthPath, os.O_RDWR|os.O_CREATE|os.O_APPEND, 0o600)
+	if err != nil {
+		return xerrors.Errorf("failed to open Xauthority file: %w", err)
+	}
+	defer file.Close()
+
+	// Convert the authCookie from hex string to byte slice
+	authCookieBytes, err := hex.DecodeString(authCookie)
+	if err != nil {
+		return xerrors.Errorf("failed to decode auth cookie: %w", err)
+	}
+
+	// Write Xauthority entry
+	family := uint16(0x0100) // FamilyLocal
+	err = binary.Write(file, binary.BigEndian, family)
+	if err != nil {
+		return xerrors.Errorf("failed to write family: %w", err)
+	}
+
+	err = binary.Write(file, binary.BigEndian, uint16(len(host)))
+	if err != nil {
+		return xerrors.Errorf("failed to write host length: %w", err)
+	}
+	_, err = file.WriteString(host)
+	if err != nil {
+		return xerrors.Errorf("failed to write host: %w", err)
+	}
+
+	err = binary.Write(file, binary.BigEndian, uint16(len(display)))
+	if err != nil {
+		return xerrors.Errorf("failed to write display length: %w", err)
+	}
+	_, err = file.WriteString(display)
+	if err != nil {
+		return xerrors.Errorf("failed to write display: %w", err)
+	}
+
+	err = binary.Write(file, binary.BigEndian, uint16(len(authProtocol)))
+	if err != nil {
+		return xerrors.Errorf("failed to write auth protocol length: %w", err)
+	}
+	_, err = file.WriteString(authProtocol)
+	if err != nil {
+		return xerrors.Errorf("failed to write auth protocol: %w", err)
+	}
+
+	err = binary.Write(file, binary.BigEndian, uint16(len(authCookieBytes)))
+	if err != nil {
+		return xerrors.Errorf("failed to write auth cookie length: %w", err)
+	}
+	_, err = file.Write(authCookieBytes)
+	if err != nil {
+		return xerrors.Errorf("failed to write auth cookie: %w", err)
+	}
+
+	return nil
+}
@@ -0,0 +1,100 @@
+package agentssh_test
+
+import (
+	"context"
+	"encoding/hex"
+	"net"
+	"os"
+	"path/filepath"
+	"runtime"
+	"testing"
+
+	"github.com/gliderlabs/ssh"
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"go.uber.org/atomic"
+	gossh "golang.org/x/crypto/ssh"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent/agentssh"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/coder/testutil"
+)
+
+func TestServer_X11(t *testing.T) {
+	t.Parallel()
+	if runtime.GOOS != "linux" {
+		t.Skip("X11 forwarding is only supported on Linux")
+	}
+
+	ctx := context.Background()
+	logger := slogtest.Make(t, nil).Leveled(slog.LevelDebug)
+	fs := afero.NewOsFs()
+	dir := t.TempDir()
+	s, err := agentssh.NewServer(ctx, logger, prometheus.NewRegistry(), fs, 0, dir)
+	require.NoError(t, err)
+	defer s.Close()
+
+	// The assumption is that these are set before serving SSH connections.
+	s.AgentToken = func() string { return "" }
+	s.Manifest = atomic.NewPointer(&agentsdk.Manifest{})
+
+	ln, err := net.Listen("tcp", "127.0.0.1:0")
+	require.NoError(t, err)
+
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		err := s.Serve(ln)
+		assert.Error(t, err) // Server is closed.
+	}()
+
+	c := sshClient(t, ln.Addr().String())
+
+	sess, err := c.NewSession()
+	require.NoError(t, err)
+
+	reply, err := sess.SendRequest("x11-req", true, gossh.Marshal(ssh.X11{
+		AuthProtocol: "MIT-MAGIC-COOKIE-1",
+		AuthCookie:   hex.EncodeToString([]byte("cookie")),
+		ScreenNumber: 0,
+	}))
+	require.NoError(t, err)
+	assert.True(t, reply)
+
+	err = sess.Shell()
+	require.NoError(t, err)
+
+	x11Chans := c.HandleChannelOpen("x11")
+	payload := "hello world"
+	require.Eventually(t, func() bool {
+		conn, err := net.Dial("unix", filepath.Join(dir, "X0"))
+		if err == nil {
+			_, err = conn.Write([]byte(payload))
+			assert.NoError(t, err)
+			_ = conn.Close()
+		}
+		return err == nil
+	}, testutil.WaitShort, testutil.IntervalFast)
+
+	x11 := <-x11Chans
+	ch, reqs, err := x11.Accept()
+	require.NoError(t, err)
+	go gossh.DiscardRequests(reqs)
+	got := make([]byte, len(payload))
+	_, err = ch.Read(got)
+	require.NoError(t, err)
+	assert.Equal(t, payload, string(got))
+	_ = ch.Close()
+	_ = s.Close()
+	<-done
+
+	// Ensure the Xauthority file was written!
+	home, err := os.UserHomeDir()
+	require.NoError(t, err)
+	_, err = fs.Stat(filepath.Join(home, ".Xauthority"))
+	require.NoError(t, err)
+}
@@ -0,0 +1,57 @@
+package agent
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/go-chi/chi"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+)
+
+func (a *agent) apiHandler() http.Handler {
+	r := chi.NewRouter()
+	r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+		httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.Response{
+			Message: "Hello from the agent!",
+		})
+	})
+
+	// Make a copy to ensure the map is not modified after the handler is
+	// created.
+	cpy := make(map[int]string)
+	for k, b := range a.ignorePorts {
+		cpy[k] = b
+	}
+
+	lp := &listeningPortsHandler{ignorePorts: cpy}
+	r.Get("/api/v0/listening-ports", lp.handler)
+
+	return r
+}
+
+type listeningPortsHandler struct {
+	mut         sync.Mutex
+	ports       []codersdk.WorkspaceAgentListeningPort
+	mtime       time.Time
+	ignorePorts map[int]string
+}
+
+// handler returns a list of listening ports. This is tested by coderd's
+// TestWorkspaceAgentListeningPorts test.
+func (lp *listeningPortsHandler) handler(rw http.ResponseWriter, r *http.Request) {
+	ports, err := lp.getListeningPorts()
+	if err != nil {
+		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Could not scan for listening ports.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.WorkspaceAgentListeningPortsResponse{
+		Ports: ports,
+	})
+}
@@ -0,0 +1,182 @@
+package agent
+
+import (
+	"context"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/retry"
+)
+
+// WorkspaceAgentApps fetches the workspace apps.
+type WorkspaceAgentApps func(context.Context) ([]codersdk.WorkspaceApp, error)
+
+// PostWorkspaceAgentAppHealth updates the workspace app health.
+type PostWorkspaceAgentAppHealth func(context.Context, agentsdk.PostAppHealthsRequest) error
+
+// WorkspaceAppHealthReporter is a function that checks and reports the health of the workspace apps until the passed context is canceled.
+type WorkspaceAppHealthReporter func(ctx context.Context)
+
+// NewWorkspaceAppHealthReporter creates a WorkspaceAppHealthReporter that reports app health to coderd.
+func NewWorkspaceAppHealthReporter(logger slog.Logger, apps []codersdk.WorkspaceApp, postWorkspaceAgentAppHealth PostWorkspaceAgentAppHealth) WorkspaceAppHealthReporter {
+	runHealthcheckLoop := func(ctx context.Context) error {
+		// no need to run this loop if no apps for this workspace.
+		if len(apps) == 0 {
+			return nil
+		}
+
+		hasHealthchecksEnabled := false
+		health := make(map[uuid.UUID]codersdk.WorkspaceAppHealth, 0)
+		for _, app := range apps {
+			if app.Health == codersdk.WorkspaceAppHealthDisabled {
+				continue
+			}
+			health[app.ID] = app.Health
+			hasHealthchecksEnabled = true
+		}
+
+		// no need to run this loop if no health checks are configured.
+		if !hasHealthchecksEnabled {
+			return nil
+		}
+
+		// run a ticker for each app health check.
+		var mu sync.RWMutex
+		failures := make(map[uuid.UUID]int, 0)
+		for _, nextApp := range apps {
+			if !shouldStartTicker(nextApp) {
+				continue
+			}
+			app := nextApp
+			go func() {
+				t := time.NewTicker(time.Duration(app.Healthcheck.Interval) * time.Second)
+				defer t.Stop()
+
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-t.C:
+					}
+					// we set the http timeout to the healthcheck interval to prevent getting too backed up.
+					client := &http.Client{
+						Timeout: time.Duration(app.Healthcheck.Interval) * time.Second,
+					}
+					err := func() error {
+						req, err := http.NewRequestWithContext(ctx, http.MethodGet, app.Healthcheck.URL, nil)
+						if err != nil {
+							return err
+						}
+						res, err := client.Do(req)
+						if err != nil {
+							return err
+						}
+						// successful healthcheck is a non-5XX status code
+						_ = res.Body.Close()
+						if res.StatusCode >= http.StatusInternalServerError {
+							return xerrors.Errorf("error status code: %d", res.StatusCode)
+						}
+
+						return nil
+					}()
+					if err != nil {
+						mu.Lock()
+						if failures[app.ID] < int(app.Healthcheck.Threshold) {
+							// increment the failure count and keep status the same.
+							// we will change it when we hit the threshold.
+							failures[app.ID]++
+						} else {
+							// set to unhealthy if we hit the failure threshold.
+							// we stop incrementing at the threshold to prevent the failure value from increasing forever.
+							health[app.ID] = codersdk.WorkspaceAppHealthUnhealthy
+						}
+						mu.Unlock()
+					} else {
+						mu.Lock()
+						// we only need one successful health check to be considered healthy.
+						health[app.ID] = codersdk.WorkspaceAppHealthHealthy
+						failures[app.ID] = 0
+						mu.Unlock()
+					}
+
+					t.Reset(time.Duration(app.Healthcheck.Interval) * time.Second)
+				}
+			}()
+		}
+
+		mu.Lock()
+		lastHealth := copyHealth(health)
+		mu.Unlock()
+		reportTicker := time.NewTicker(time.Second)
+		defer reportTicker.Stop()
+		// every second we check if the health values of the apps have changed
+		// and if there is a change we will report the new values.
+		for {
+			select {
+			case <-ctx.Done():
+				return nil
+			case <-reportTicker.C:
+				mu.RLock()
+				changed := healthChanged(lastHealth, health)
+				mu.RUnlock()
+				if !changed {
+					continue
+				}
+
+				mu.Lock()
+				lastHealth = copyHealth(health)
+				mu.Unlock()
+				err := postWorkspaceAgentAppHealth(ctx, agentsdk.PostAppHealthsRequest{
+					Healths: lastHealth,
+				})
+				if err != nil {
+					logger.Error(ctx, "failed to report workspace app stat", slog.Error(err))
+				}
+			}
+		}
+	}
+
+	return func(ctx context.Context) {
+		for r := retry.New(time.Second, 30*time.Second); r.Wait(ctx); {
+			err := runHealthcheckLoop(ctx)
+			if err == nil || xerrors.Is(err, context.Canceled) || xerrors.Is(err, context.DeadlineExceeded) {
+				return
+			}
+			logger.Error(ctx, "failed running workspace app reporter", slog.Error(err))
+		}
+	}
+}
+
+func shouldStartTicker(app codersdk.WorkspaceApp) bool {
+	return app.Healthcheck.URL != "" && app.Healthcheck.Interval > 0 && app.Healthcheck.Threshold > 0
+}
+
+func healthChanged(old map[uuid.UUID]codersdk.WorkspaceAppHealth, new map[uuid.UUID]codersdk.WorkspaceAppHealth) bool {
+	for name, newValue := range new {
+		oldValue, found := old[name]
+		if !found {
+			return true
+		}
+		if newValue != oldValue {
+			return true
+		}
+	}
+
+	return false
+}
+
+func copyHealth(h1 map[uuid.UUID]codersdk.WorkspaceAppHealth) map[uuid.UUID]codersdk.WorkspaceAppHealth {
+	h2 := make(map[uuid.UUID]codersdk.WorkspaceAppHealth, 0)
+	for k, v := range h1 {
+		h2[k] = v
+	}
+
+	return h2
+}
@@ -0,0 +1,207 @@
+package agent_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/coder/testutil"
+)
+
+func TestAppHealth_Healthy(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug:        "app1",
+			Healthcheck: codersdk.Healthcheck{},
+			Health:      codersdk.WorkspaceAppHealthDisabled,
+		},
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		nil,
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(r.Context(), w, http.StatusOK, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	apps, err := getApps(ctx)
+	require.NoError(t, err)
+	require.EqualValues(t, codersdk.WorkspaceAppHealthDisabled, apps[0].Health)
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[1].Health == codersdk.WorkspaceAppHealthHealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_500(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(r.Context(), w, http.StatusInternalServerError, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_Timeout(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// sleep longer than the interval to cause the health check to time out
+			time.Sleep(2 * time.Second)
+			httpapi.Write(r.Context(), w, http.StatusOK, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_NotSpamming(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+
+	counter := new(int32)
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			atomic.AddInt32(counter, 1)
+		}),
+	}
+	_, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	// Ensure we haven't made more than 2 (expected 1 + 1 for buffer) requests in the last second.
+	// if there is a bug where we are spamming the healthcheck route this will catch it.
+	time.Sleep(time.Second)
+	require.LessOrEqual(t, atomic.LoadInt32(counter), int32(2))
+}
+
+func setupAppReporter(ctx context.Context, t *testing.T, apps []codersdk.WorkspaceApp, handlers []http.Handler) (agent.WorkspaceAgentApps, func()) {
+	closers := []func(){}
+	for i, handler := range handlers {
+		if handler == nil {
+			continue
+		}
+		ts := httptest.NewServer(handler)
+		app := apps[i]
+		app.Healthcheck.URL = ts.URL
+		apps[i] = app
+		closers = append(closers, ts.Close)
+	}
+
+	var mu sync.Mutex
+	workspaceAgentApps := func(context.Context) ([]codersdk.WorkspaceApp, error) {
+		mu.Lock()
+		defer mu.Unlock()
+		var newApps []codersdk.WorkspaceApp
+		return append(newApps, apps...), nil
+	}
+	postWorkspaceAgentAppHealth := func(_ context.Context, req agentsdk.PostAppHealthsRequest) error {
+		mu.Lock()
+		for id, health := range req.Healths {
+			for i, app := range apps {
+				if app.ID != id {
+					continue
+				}
+				app.Health = health
+				apps[i] = app
+			}
+		}
+		mu.Unlock()
+
+		return nil
+	}
+
+	go agent.NewWorkspaceAppHealthReporter(slogtest.Make(t, nil).Leveled(slog.LevelDebug), apps, postWorkspaceAgentAppHealth)(ctx)
+
+	return workspaceAgentApps, func() {
+		for _, closeFn := range closers {
+			closeFn()
+		}
+	}
+}
@@ -1,77 +0,0 @@
-package agent
-
-import (
-	"context"
-	"fmt"
-	"net"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/peer"
-	"github.com/coder/coder/peerbroker/proto"
-)
-
-// ReconnectingPTYRequest is sent from the client to the server
-// to pipe data to a PTY.
-type ReconnectingPTYRequest struct {
-	Data   string `json:"data"`
-	Height uint16 `json:"height"`
-	Width  uint16 `json:"width"`
-}
-
-// Conn wraps a peer connection with helper functions to
-// communicate with the agent.
-type Conn struct {
-	// Negotiator is responsible for exchanging messages.
-	Negotiator proto.DRPCPeerBrokerClient
-
-	*peer.Conn
-}
-
-// ReconnectingPTY returns a connection serving a TTY that can
-// be reconnected to via ID.
-func (c *Conn) ReconnectingPTY(id string, height, width uint16) (net.Conn, error) {
-	channel, err := c.Dial(context.Background(), fmt.Sprintf("%s:%d:%d", id, height, width), &peer.ChannelOptions{
-		Protocol: "reconnecting-pty",
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("pty: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSH dials the built-in SSH server.
-func (c *Conn) SSH() (net.Conn, error) {
-	channel, err := c.Dial(context.Background(), "ssh", &peer.ChannelOptions{
-		Protocol: "ssh",
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("dial: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSHClient calls SSH to create a client that uses a weak cipher
-// for high throughput.
-func (c *Conn) SSHClient() (*ssh.Client, error) {
-	netConn, err := c.SSH()
-	if err != nil {
-		return nil, xerrors.Errorf("ssh: %w", err)
-	}
-	sshConn, channels, requests, err := ssh.NewClientConn(netConn, "localhost:22", &ssh.ClientConfig{
-		// SSH host validation isn't helpful, because obtaining a peer
-		// connection already signifies user-intent to dial a workspace.
-		// #nosec
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("ssh conn: %w", err)
-	}
-	return ssh.NewClient(sshConn, channels, requests), nil
-}
-
-func (c *Conn) Close() error {
-	_ = c.Negotiator.DRPCConn().Close()
-	return c.Conn.Close()
-}
@@ -0,0 +1,130 @@
+package agent
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/prometheus/client_golang/prometheus"
+	prompb "github.com/prometheus/client_model/go"
+	"tailscale.com/util/clientmetric"
+
+	"cdr.dev/slog"
+
+	"github.com/coder/coder/codersdk/agentsdk"
+)
+
+type agentMetrics struct {
+	connectionsTotal      prometheus.Counter
+	reconnectingPTYErrors *prometheus.CounterVec
+}
+
+func newAgentMetrics(registerer prometheus.Registerer) *agentMetrics {
+	connectionsTotal := prometheus.NewCounter(prometheus.CounterOpts{
+		Namespace: "agent", Subsystem: "reconnecting_pty", Name: "connections_total",
+	})
+	registerer.MustRegister(connectionsTotal)
+
+	reconnectingPTYErrors := prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Namespace: "agent",
+			Subsystem: "reconnecting_pty",
+			Name:      "errors_total",
+		},
+		[]string{"error_type"},
+	)
+	registerer.MustRegister(reconnectingPTYErrors)
+
+	return &agentMetrics{
+		connectionsTotal:      connectionsTotal,
+		reconnectingPTYErrors: reconnectingPTYErrors,
+	}
+}
+
+func (a *agent) collectMetrics(ctx context.Context) []agentsdk.AgentMetric {
+	var collected []agentsdk.AgentMetric
+
+	// Tailscale internal metrics
+	metrics := clientmetric.Metrics()
+	for _, m := range metrics {
+		if isIgnoredMetric(m.Name()) {
+			continue
+		}
+
+		collected = append(collected, agentsdk.AgentMetric{
+			Name:  m.Name(),
+			Type:  asMetricType(m.Type()),
+			Value: float64(m.Value()),
+		})
+	}
+
+	metricFamilies, err := a.prometheusRegistry.Gather()
+	if err != nil {
+		a.logger.Error(ctx, "can't gather agent metrics", slog.Error(err))
+		return collected
+	}
+
+	for _, metricFamily := range metricFamilies {
+		for _, metric := range metricFamily.GetMetric() {
+			labels := toAgentMetricLabels(metric.Label)
+
+			if metric.Counter != nil {
+				collected = append(collected, agentsdk.AgentMetric{
+					Name:   metricFamily.GetName(),
+					Type:   agentsdk.AgentMetricTypeCounter,
+					Value:  metric.Counter.GetValue(),
+					Labels: labels,
+				})
+			} else if metric.Gauge != nil {
+				collected = append(collected, agentsdk.AgentMetric{
+					Name:   metricFamily.GetName(),
+					Type:   agentsdk.AgentMetricTypeGauge,
+					Value:  metric.Gauge.GetValue(),
+					Labels: labels,
+				})
+			} else {
+				a.logger.Error(ctx, "unsupported metric type", slog.F("type", metricFamily.Type.String()))
+			}
+		}
+	}
+	return collected
+}
+
+func toAgentMetricLabels(metricLabels []*prompb.LabelPair) []agentsdk.AgentMetricLabel {
+	if len(metricLabels) == 0 {
+		return nil
+	}
+
+	labels := make([]agentsdk.AgentMetricLabel, 0, len(metricLabels))
+	for _, metricLabel := range metricLabels {
+		labels = append(labels, agentsdk.AgentMetricLabel{
+			Name:  metricLabel.GetName(),
+			Value: metricLabel.GetValue(),
+		})
+	}
+	return labels
+}
+
+// isIgnoredMetric checks if the metric should be ignored, as Coder agent doesn't use related features.
+// Expected metric families: magicsock_*, derp_*, tstun_*, netcheck_*, portmap_*, etc.
+func isIgnoredMetric(metricName string) bool {
+	if strings.HasPrefix(metricName, "dns_") ||
+		strings.HasPrefix(metricName, "controlclient_") ||
+		strings.HasPrefix(metricName, "peerapi_") ||
+		strings.HasPrefix(metricName, "profiles_") ||
+		strings.HasPrefix(metricName, "tstun_") {
+		return true
+	}
+	return false
+}
+
+func asMetricType(typ clientmetric.Type) agentsdk.AgentMetricType {
+	switch typ {
+	case clientmetric.TypeGauge:
+		return agentsdk.AgentMetricTypeGauge
+	case clientmetric.TypeCounter:
+		return agentsdk.AgentMetricTypeCounter
+	default:
+		panic(fmt.Sprintf("unknown metric type: %d", typ))
+	}
+}
@@ -0,0 +1,69 @@
+//go:build linux || (windows && amd64)
+
+package agent
+
+import (
+	"time"
+
+	"github.com/cakturk/go-netstat/netstat"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
+)
+
+func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
+	lp.mut.Lock()
+	defer lp.mut.Unlock()
+
+	if time.Since(lp.mtime) < time.Second {
+		// copy
+		ports := make([]codersdk.WorkspaceAgentListeningPort, len(lp.ports))
+		copy(ports, lp.ports)
+		return ports, nil
+	}
+
+	tabs, err := netstat.TCPSocks(func(s *netstat.SockTabEntry) bool {
+		return s.State == netstat.Listen
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("scan listening ports: %w", err)
+	}
+
+	seen := make(map[uint16]struct{}, len(tabs))
+	ports := []codersdk.WorkspaceAgentListeningPort{}
+	for _, tab := range tabs {
+		if tab.LocalAddr == nil || tab.LocalAddr.Port < codersdk.WorkspaceAgentMinimumListeningPort {
+			continue
+		}
+
+		// Ignore ports that we've been told to ignore.
+		if _, ok := lp.ignorePorts[int(tab.LocalAddr.Port)]; ok {
+			continue
+		}
+
+		// Don't include ports that we've already seen. This can happen on
+		// Windows, and maybe on Linux if you're using a shared listener socket.
+		if _, ok := seen[tab.LocalAddr.Port]; ok {
+			continue
+		}
+		seen[tab.LocalAddr.Port] = struct{}{}
+
+		procName := ""
+		if tab.Process != nil {
+			procName = tab.Process.Name
+		}
+		ports = append(ports, codersdk.WorkspaceAgentListeningPort{
+			ProcessName: procName,
+			Network:     "tcp",
+			Port:        tab.LocalAddr.Port,
+		})
+	}
+
+	lp.ports = ports
+	lp.mtime = time.Now()
+
+	// copy
+	ports = make([]codersdk.WorkspaceAgentListeningPort, len(lp.ports))
+	copy(ports, lp.ports)
+	return ports, nil
+}
@@ -0,0 +1,12 @@
+//go:build !linux && !(windows && amd64)
+
+package agent
+
+import "github.com/coder/coder/codersdk"
+
+func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
+	// Can't scan for ports on non-linux or non-windows_amd64 systems at the
+	// moment. The UI will not show any "no ports found" message to the user, so
+	// the user won't suspect a thing.
+	return []codersdk.WorkspaceAgentListeningPort{}, nil
+}
@@ -0,0 +1,4 @@
+// Package reaper contains logic for reaping subprocesses. It is
+// specifically used in the agent to avoid the accumulation of
+// zombie processes.
+package reaper
@@ -0,0 +1,41 @@
+package reaper
+
+import (
+	"os"
+
+	"github.com/hashicorp/go-reap"
+)
+
+type Option func(o *options)
+
+// WithExecArgs specifies the exec arguments for the fork exec call.
+// By default the same arguments as the parent are used as dictated by
+// os.Args. Since ForkReap calls a fork-exec it is the responsibility of
+// the caller to avoid fork-bombing oneself.
+func WithExecArgs(args ...string) Option {
+	return func(o *options) {
+		o.ExecArgs = args
+	}
+}
+
+// WithPIDCallback sets the channel that reaped child process PIDs are pushed
+// onto.
+func WithPIDCallback(ch reap.PidCh) Option {
+	return func(o *options) {
+		o.PIDs = ch
+	}
+}
+
+// WithCatchSignals sets the signals that are caught and forwarded to the
+// child process. By default no signals are forwarded.
+func WithCatchSignals(sigs ...os.Signal) Option {
+	return func(o *options) {
+		o.CatchSignals = sigs
+	}
+}
+
+type options struct {
+	ExecArgs     []string
+	PIDs         reap.PidCh
+	CatchSignals []os.Signal
+}
@@ -0,0 +1,12 @@
+//go:build !linux
+
+package reaper
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return false
+}
+
+func ForkReap(_ ...Option) error {
+	return nil
+}
@@ -0,0 +1,102 @@
+//go:build linux
+
+package reaper_test
+
+import (
+	"fmt"
+	"os"
+	"os/exec"
+	"os/signal"
+	"syscall"
+	"testing"
+	"time"
+
+	"github.com/hashicorp/go-reap"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/testutil"
+)
+
+// TestReap checks that's the reaper is successfully reaping
+// exited processes and passing the PIDs through the shared
+// channel.
+//
+//nolint:paralleltest
+func TestReap(t *testing.T) {
+	// Don't run the reaper test in CI. It does weird
+	// things like forkexecing which may have unintended
+	// consequences in CI.
+	if testutil.InCI() {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	pids := make(reap.PidCh, 1)
+	err := reaper.ForkReap(
+		reaper.WithPIDCallback(pids),
+		// Provide some argument that immediately exits.
+		reaper.WithExecArgs("/bin/sh", "-c", "exit 0"),
+	)
+	require.NoError(t, err)
+
+	cmd := exec.Command("tail", "-f", "/dev/null")
+	err = cmd.Start()
+	require.NoError(t, err)
+
+	cmd2 := exec.Command("tail", "-f", "/dev/null")
+	err = cmd2.Start()
+	require.NoError(t, err)
+
+	err = cmd.Process.Kill()
+	require.NoError(t, err)
+
+	err = cmd2.Process.Kill()
+	require.NoError(t, err)
+
+	expectedPIDs := []int{cmd.Process.Pid, cmd2.Process.Pid}
+
+	for i := 0; i < len(expectedPIDs); i++ {
+		select {
+		case <-time.After(testutil.WaitShort):
+			t.Fatalf("Timed out waiting for process")
+		case pid := <-pids:
+			require.Contains(t, expectedPIDs, pid)
+		}
+	}
+}
+
+//nolint:paralleltest // Signal handling.
+func TestReapInterrupt(t *testing.T) {
+	// Don't run the reaper test in CI. It does weird
+	// things like forkexecing which may have unintended
+	// consequences in CI.
+	if testutil.InCI() {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	errC := make(chan error, 1)
+	pids := make(reap.PidCh, 1)
+
+	// Use signals to notify when the child process is ready for the
+	//  next step of our test.
+	usrSig := make(chan os.Signal, 1)
+	signal.Notify(usrSig, syscall.SIGUSR1, syscall.SIGUSR2)
+	defer signal.Stop(usrSig)
+
+	go func() {
+		errC <- reaper.ForkReap(
+			reaper.WithPIDCallback(pids),
+			reaper.WithCatchSignals(os.Interrupt),
+			// Signal propagation does not extend to children of children, so
+			// we create a little bash script to ensure sleep is interrupted.
+			reaper.WithExecArgs("/bin/sh", "-c", fmt.Sprintf("pid=0; trap 'kill -USR2 %d; kill -TERM $pid' INT; sleep 10 &\npid=$!; kill -USR1 %d; wait", os.Getpid(), os.Getpid())),
+		)
+	}()
+
+	require.Equal(t, <-usrSig, syscall.SIGUSR1)
+	err := syscall.Kill(os.Getpid(), syscall.SIGINT)
+	require.NoError(t, err)
+	require.Equal(t, <-usrSig, syscall.SIGUSR2)
+
+	require.NoError(t, <-errC)
+}
@@ -0,0 +1,86 @@
+//go:build linux
+
+package reaper
+
+import (
+	"os"
+	"os/signal"
+	"syscall"
+
+	"github.com/hashicorp/go-reap"
+	"golang.org/x/xerrors"
+)
+
+// IsInitProcess returns true if the current process's PID is 1.
+func IsInitProcess() bool {
+	return os.Getpid() == 1
+}
+
+func catchSignals(pid int, sigs []os.Signal) {
+	if len(sigs) == 0 {
+		return
+	}
+
+	sc := make(chan os.Signal, 1)
+	signal.Notify(sc, sigs...)
+	defer signal.Stop(sc)
+
+	for {
+		s := <-sc
+		sig, ok := s.(syscall.Signal)
+		if ok {
+			_ = syscall.Kill(pid, sig)
+		}
+	}
+}
+
+// ForkReap spawns a goroutine that reaps children. In order to avoid
+// complications with spawning `exec.Commands` in the same process that
+// is reaping, we forkexec a child process. This prevents a race between
+// the reaper and an exec.Command waiting for its process to complete.
+// The provided 'pids' channel may be nil if the caller does not care about the
+// reaped children PIDs.
+func ForkReap(opt ...Option) error {
+	opts := &options{
+		ExecArgs: os.Args,
+	}
+
+	for _, o := range opt {
+		o(opts)
+	}
+
+	go reap.ReapChildren(opts.PIDs, nil, nil, nil)
+
+	pwd, err := os.Getwd()
+	if err != nil {
+		return xerrors.Errorf("get wd: %w", err)
+	}
+
+	pattrs := &syscall.ProcAttr{
+		Dir: pwd,
+		Env: os.Environ(),
+		Sys: &syscall.SysProcAttr{
+			Setsid: true,
+		},
+		Files: []uintptr{
+			uintptr(syscall.Stdin),
+			uintptr(syscall.Stdout),
+			uintptr(syscall.Stderr),
+		},
+	}
+
+	//#nosec G204
+	pid, err := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+	if err != nil {
+		return xerrors.Errorf("fork exec: %w", err)
+	}
+
+	go catchSignals(pid, opts.CatchSignals)
+
+	var wstatus syscall.WaitStatus
+	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	for xerrors.Is(err, syscall.EINTR) {
+		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
+	}
+	return err
+}
@@ -3,6 +3,6 @@ package usershell
 import "os"

 // Get returns the $SHELL environment variable.
-func Get(username string) (string, error) {
+func Get(_ string) (string, error) {
 	return os.Getenv("SHELL"), nil
 }
@@ -4,7 +4,11 @@ import "os/exec"

 // Get returns the command prompt binary name.
 func Get(username string) (string, error) {
-	_, err := exec.LookPath("powershell.exe")
+	_, err := exec.LookPath("pwsh.exe")
+	if err == nil {
+		return "pwsh.exe", nil
+	}
+	_, err = exec.LookPath("powershell.exe")
 	if err == nil {
 		return "powershell.exe", nil
 	}
@@ -3,6 +3,7 @@ package buildinfo
 import (
 	"fmt"
 	"runtime/debug"
+	"strings"
 	"sync"
 	"time"

@@ -20,8 +21,17 @@ var (
 	version     string
 	readVersion sync.Once

-	// Injected with ldflags at build!
-	tag string
+	// Updated by buildinfo_slim.go on start.
+	slim bool
+
+	// Injected with ldflags at build, see scripts/build_go.sh
+	tag  string
+	agpl string // either "true" or "false", ldflags does not support bools
+)
+
+const (
+	// develPrefix is prefixed to developer versions of the application.
+	develPrefix = "v0.0.0-devel"
 )

 // Version returns the semantic version of the build.
@@ -35,7 +45,7 @@ func Version() string {
 		if tag == "" {
 			// This occurs when the tag hasn't been injected,
 			// like when using "go run".
-			version = "v0.0.0-devel" + revision
+			version = develPrefix + revision
 			return
 		}
 		version = "v" + tag
@@ -48,6 +58,35 @@ func Version() string {
 	return version
 }

+// VersionsMatch compares the two versions. It assumes the versions match if
+// the major and the minor versions are equivalent. Patch versions are
+// disregarded. If it detects that either version is a developer build it
+// returns true.
+func VersionsMatch(v1, v2 string) bool {
+	// Developer versions are disregarded...hopefully they know what they are
+	// doing.
+	if strings.HasPrefix(v1, develPrefix) || strings.HasPrefix(v2, develPrefix) {
+		return true
+	}
+
+	return semver.MajorMinor(v1) == semver.MajorMinor(v2)
+}
+
+// IsDev returns true if this is a development build.
+func IsDev() bool {
+	return strings.HasPrefix(Version(), develPrefix)
+}
+
+// IsSlim returns true if this is a slim build.
+func IsSlim() bool {
+	return slim
+}
+
+// IsAGPL returns true if this is an AGPL build.
+func IsAGPL() bool {
+	return strings.Contains(agpl, "t")
+}
+
 // ExternalURL returns a URL referencing the current Coder version.
 // For production builds, this will link directly to a release.
 // For development builds, this will link to a commit.
@@ -0,0 +1,7 @@
+//go:build slim
+
+package buildinfo
+
+func init() {
+	slim = true
+}
@@ -1,6 +1,7 @@
 package buildinfo_test

 import (
+	"fmt"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -29,4 +30,70 @@ func TestBuildInfo(t *testing.T) {
 		_, valid := buildinfo.Time()
 		require.False(t, valid)
 	})
+
+	t.Run("VersionsMatch", func(t *testing.T) {
+		t.Parallel()
+
+		type testcase struct {
+			name        string
+			v1          string
+			v2          string
+			expectMatch bool
+		}
+
+		cases := []testcase{
+			{
+				name:        "OK",
+				v1:          "v1.2.3",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Test that we return true if a developer version is detected.
+			// Developers do not need to be warned of mismatched versions.
+			{
+				name:        "DevelIgnored",
+				v1:          "v0.0.0-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Our CI instance uses a "-devel" prerelease
+			// flag. This is not the same as a developer WIP build.
+			{
+				name:        "DevelPreleaseNotIgnored",
+				v1:          "v1.1.1-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: false,
+			},
+			{
+				name:        "MajorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v0.1.2",
+				expectMatch: false,
+			},
+			{
+				name:        "MinorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v1.3.2",
+				expectMatch: false,
+			},
+			// Different patches are ok, breaking changes are not allowed
+			// in patches.
+			{
+				name:        "PatchMismatch",
+				v1:          "v1.2.3+hash.whocares",
+				v2:          "v1.2.4+somestuff.hm.ok",
+				expectMatch: true,
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+				require.Equal(t, c.expectMatch, buildinfo.VersionsMatch(c.v1, c.v2),
+					fmt.Sprintf("expected match=%v for version %s and %s", c.expectMatch, c.v1, c.v2),
+				)
+			})
+		}
+	})
 }
@@ -2,142 +2,483 @@ package cli

 import (
 	"context"
+	"fmt"
+	"io"
 	"net/http"
+	"net/http/pprof"
 	"net/url"
 	"os"
+	"os/signal"
 	"path/filepath"
+	"runtime"
+	"strconv"
+	"sync"
 	"time"

 	"cloud.google.com/go/compute/metadata"
-	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
+	"gopkg.in/natefinch/lumberjack.v2"
+	"tailscale.com/util/clientmetric"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/common/expfmt"

 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
-
+	"cdr.dev/slog/sloggers/slogjson"
+	"cdr.dev/slog/sloggers/slogstackdriver"
 	"github.com/coder/coder/agent"
-	"github.com/coder/coder/cli/cliflag"
+	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/cli/clibase"
 	"github.com/coder/coder/codersdk"
-	"github.com/coder/retry"
-
-	"gopkg.in/natefinch/lumberjack.v2"
+	"github.com/coder/coder/codersdk/agentsdk"
 )

-func workspaceAgent() *cobra.Command {
+func (r *RootCmd) workspaceAgent() *clibase.Cmd {
 	var (
-		auth string
+		auth                string
+		logDir              string
+		pprofAddress        string
+		noReap              bool
+		sshMaxTimeout       time.Duration
+		tailnetListenPort   int64
+		prometheusAddress   string
+		debugAddress        string
+		slogHumanPath       string
+		slogJSONPath        string
+		slogStackdriverPath string
 	)
-	cmd := &cobra.Command{
-		Use: "agent",
+	cmd := &clibase.Cmd{
+		Use:   "agent",
+		Short: `Starts the Coder workspace agent.`,
 		// This command isn't useful to manually execute.
 		Hidden: true,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			rawURL, err := cmd.Flags().GetString(varAgentURL)
-			if err != nil {
-				return xerrors.Errorf("CODER_AGENT_URL must be set: %w", err)
-			}
-			coderURL, err := url.Parse(rawURL)
-			if err != nil {
-				return xerrors.Errorf("parse %q: %w", rawURL, err)
+		Handler: func(inv *clibase.Invocation) error {
+			ctx, cancel := context.WithCancel(inv.Context())
+			defer cancel()
+
+			var (
+				ignorePorts = map[int]string{}
+				isLinux     = runtime.GOOS == "linux"
+
+				sinks      = []slog.Sink{}
+				logClosers = []func() error{}
+			)
+			defer func() {
+				for _, closer := range logClosers {
+					_ = closer()
+				}
+			}()
+
+			addSinkIfProvided := func(sinkFn func(io.Writer) slog.Sink, loc string) error {
+				switch loc {
+				case "":
+					// Do nothing.
+
+				case "/dev/stderr":
+					sinks = append(sinks, sinkFn(inv.Stderr))
+
+				case "/dev/stdout":
+					sinks = append(sinks, sinkFn(inv.Stdout))
+
+				default:
+					fi, err := os.OpenFile(loc, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o644)
+					if err != nil {
+						return xerrors.Errorf("open log file %q: %w", loc, err)
+					}
+					sinks = append(sinks, sinkFn(fi))
+					logClosers = append(logClosers, fi.Close)
+				}
+				return nil
 			}

-			logWriter := &lumberjack.Logger{
-				Filename: filepath.Join(os.TempDir(), "coder-agent.log"),
-				MaxSize:  5, // MB
+			if err := addSinkIfProvided(sloghuman.Sink, slogHumanPath); err != nil {
+				return xerrors.Errorf("add human sink: %w", err)
 			}
+			if err := addSinkIfProvided(slogjson.Sink, slogJSONPath); err != nil {
+				return xerrors.Errorf("add json sink: %w", err)
+			}
+			if err := addSinkIfProvided(slogstackdriver.Sink, slogStackdriverPath); err != nil {
+				return xerrors.Errorf("add stackdriver sink: %w", err)
+			}
+
+			// Spawn a reaper so that we don't accumulate a ton
+			// of zombie processes.
+			if reaper.IsInitProcess() && !noReap && isLinux {
+				logWriter := &lumberjackWriteCloseFixer{w: &lumberjack.Logger{
+					Filename: filepath.Join(logDir, "coder-agent-init.log"),
+					MaxSize:  5, // MB
+					// Without this, rotated logs will never be deleted.
+					MaxBackups: 1,
+				}}
+				defer logWriter.Close()
+
+				sinks = append(sinks, sloghuman.Sink(logWriter))
+				logger := slog.Make(sinks...).Leveled(slog.LevelDebug)
+
+				logger.Info(ctx, "spawning reaper process")
+				// Do not start a reaper on the child process. It's important
+				// to do this else we fork bomb ourselves.
+				args := append(os.Args, "--no-reap")
+				err := reaper.ForkReap(
+					reaper.WithExecArgs(args...),
+					reaper.WithCatchSignals(InterruptSignals...),
+				)
+				if err != nil {
+					logger.Error(ctx, "agent process reaper unable to fork", slog.Error(err))
+					return xerrors.Errorf("fork reap: %w", err)
+				}
+
+				logger.Info(ctx, "reaper process exiting")
+				return nil
+			}
+
+			// Handle interrupt signals to allow for graceful shutdown,
+			// note that calling stopNotify disables the signal handler
+			// and the next interrupt will terminate the program (you
+			// probably want cancel instead).
+			//
+			// Note that we don't want to handle these signals in the
+			// process that runs as PID 1, that's why we do this after
+			// the reaper forked.
+			ctx, stopNotify := signal.NotifyContext(ctx, InterruptSignals...)
+			defer stopNotify()
+
+			// DumpHandler does signal handling, so we call it after the
+			// reaper.
+			go DumpHandler(ctx)
+
+			logWriter := &lumberjackWriteCloseFixer{w: &lumberjack.Logger{
+				Filename: filepath.Join(logDir, "coder-agent.log"),
+				MaxSize:  5, // MB
+				// Without this, rotated logs will never be deleted.
+				MaxBackups: 1,
+			}}
 			defer logWriter.Close()
-			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
-			client := codersdk.New(coderURL)
+
+			sinks = append(sinks, sloghuman.Sink(logWriter))
+			logger := slog.Make(sinks...).Leveled(slog.LevelDebug)
+
+			version := buildinfo.Version()
+			logger.Info(ctx, "agent is starting now",
+				slog.F("url", r.agentURL),
+				slog.F("auth", auth),
+				slog.F("version", version),
+			)
+			client := agentsdk.New(r.agentURL)
+			client.SDK.Logger = logger
+			// Set a reasonable timeout so requests can't hang forever!
+			// The timeout needs to be reasonably long, because requests
+			// with large payloads can take a bit. e.g. startup scripts
+			// may take a while to insert.
+			client.SDK.HTTPClient.Timeout = 30 * time.Second
+
+			// Enable pprof handler
+			// This prevents the pprof import from being accidentally deleted.
+			_ = pprof.Handler
+			pprofSrvClose := ServeHandler(ctx, logger, nil, pprofAddress, "pprof")
+			defer pprofSrvClose()
+			if port, err := extractPort(pprofAddress); err == nil {
+				ignorePorts[port] = "pprof"
+			}
+
+			if port, err := extractPort(prometheusAddress); err == nil {
+				ignorePorts[port] = "prometheus"
+			}
+
+			if port, err := extractPort(debugAddress); err == nil {
+				ignorePorts[port] = "debug"
+			}

 			// exchangeToken returns a session token.
 			// This is abstracted to allow for the same looping condition
 			// regardless of instance identity auth type.
-			var exchangeToken func(context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error)
+			var exchangeToken func(context.Context) (agentsdk.AuthenticateResponse, error)
 			switch auth {
 			case "token":
-				token, err := cmd.Flags().GetString(varAgentToken)
+				token, err := inv.ParsedFlags().GetString(varAgentToken)
 				if err != nil {
 					return xerrors.Errorf("CODER_AGENT_TOKEN must be set for token auth: %w", err)
 				}
-				client.SessionToken = token
+				client.SetSessionToken(token)
 			case "google-instance-identity":
 				// This is *only* done for testing to mock client authentication.
 				// This will never be set in a production scenario.
 				var gcpClient *metadata.Client
-				gcpClientRaw := cmd.Context().Value("gcp-client")
+				gcpClientRaw := ctx.Value("gcp-client")
 				if gcpClientRaw != nil {
 					gcpClient, _ = gcpClientRaw.(*metadata.Client)
 				}
-				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
-					return client.AuthWorkspaceGoogleInstanceIdentity(ctx, "", gcpClient)
+				exchangeToken = func(ctx context.Context) (agentsdk.AuthenticateResponse, error) {
+					return client.AuthGoogleInstanceIdentity(ctx, "", gcpClient)
 				}
 			case "aws-instance-identity":
 				// This is *only* done for testing to mock client authentication.
 				// This will never be set in a production scenario.
 				var awsClient *http.Client
-				awsClientRaw := cmd.Context().Value("aws-client")
+				awsClientRaw := ctx.Value("aws-client")
 				if awsClientRaw != nil {
 					awsClient, _ = awsClientRaw.(*http.Client)
 					if awsClient != nil {
-						client.HTTPClient = awsClient
+						client.SDK.HTTPClient = awsClient
 					}
 				}
-				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
-					return client.AuthWorkspaceAWSInstanceIdentity(ctx)
+				exchangeToken = func(ctx context.Context) (agentsdk.AuthenticateResponse, error) {
+					return client.AuthAWSInstanceIdentity(ctx)
 				}
 			case "azure-instance-identity":
 				// This is *only* done for testing to mock client authentication.
 				// This will never be set in a production scenario.
 				var azureClient *http.Client
-				azureClientRaw := cmd.Context().Value("azure-client")
+				azureClientRaw := ctx.Value("azure-client")
 				if azureClientRaw != nil {
 					azureClient, _ = azureClientRaw.(*http.Client)
 					if azureClient != nil {
-						client.HTTPClient = azureClient
+						client.SDK.HTTPClient = azureClient
 					}
 				}
-				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
-					return client.AuthWorkspaceAzureInstanceIdentity(ctx)
+				exchangeToken = func(ctx context.Context) (agentsdk.AuthenticateResponse, error) {
+					return client.AuthAzureInstanceIdentity(ctx)
 				}
 			}

-			if exchangeToken != nil {
-				// Agent's can start before resources are returned from the provisioner
-				// daemon. If there are many resources being provisioned, this time
-				// could be significant. This is arbitrarily set at an hour to prevent
-				// tons of idle agents from pinging coderd.
-				ctx, cancelFunc := context.WithTimeout(cmd.Context(), time.Hour)
-				defer cancelFunc()
-				for retry.New(100*time.Millisecond, 5*time.Second).Wait(ctx) {
-					var response codersdk.WorkspaceAgentAuthenticateResponse
+			executablePath, err := os.Executable()
+			if err != nil {
+				return xerrors.Errorf("getting os executable: %w", err)
+			}
+			err = os.Setenv("PATH", fmt.Sprintf("%s%c%s", os.Getenv("PATH"), filepath.ListSeparator, filepath.Dir(executablePath)))
+			if err != nil {
+				return xerrors.Errorf("add executable to $PATH: %w", err)
+			}

-					response, err = exchangeToken(ctx)
+			prometheusRegistry := prometheus.NewRegistry()
+			subsystem := inv.Environ.Get(agent.EnvAgentSubsystem)
+			agnt := agent.New(agent.Options{
+				Client:            client,
+				Logger:            logger,
+				LogDir:            logDir,
+				TailnetListenPort: uint16(tailnetListenPort),
+				ExchangeToken: func(ctx context.Context) (string, error) {
+					if exchangeToken == nil {
+						return client.SDK.SessionToken(), nil
+					}
+					resp, err := exchangeToken(ctx)
 					if err != nil {
-						logger.Warn(ctx, "authenticate workspace", slog.F("method", auth), slog.Error(err))
-						continue
+						return "", err
 					}
-					client.SessionToken = response.SessionToken
-					logger.Info(ctx, "authenticated", slog.F("method", auth))
-					break
-				}
-				if err != nil {
-					return xerrors.Errorf("agent failed to authenticate in time: %w", err)
-				}
-			}
-
-			closer := agent.New(client.ListenWorkspaceAgent, &agent.Options{
-				Logger: logger,
-				EnvironmentVariables: map[string]string{
-					// Override the "CODER_AGENT_TOKEN" variable in all
-					// shells so "gitssh" works!
-					"CODER_AGENT_TOKEN": client.SessionToken,
+					client.SetSessionToken(resp.SessionToken)
+					return resp.SessionToken, nil
 				},
+				EnvironmentVariables: map[string]string{
+					"GIT_ASKPASS": executablePath,
+				},
+				IgnorePorts:   ignorePorts,
+				SSHMaxTimeout: sshMaxTimeout,
+				Subsystem:     codersdk.AgentSubsystem(subsystem),
+
+				PrometheusRegistry: prometheusRegistry,
 			})
-			<-cmd.Context().Done()
-			return closer.Close()
+
+			prometheusSrvClose := ServeHandler(ctx, logger, prometheusMetricsHandler(prometheusRegistry, logger), prometheusAddress, "prometheus")
+			defer prometheusSrvClose()
+
+			debugSrvClose := ServeHandler(ctx, logger, agnt.HTTPDebug(), debugAddress, "debug")
+			defer debugSrvClose()
+
+			<-ctx.Done()
+			return agnt.Close()
+		},
+	}
+
+	cmd.Options = clibase.OptionSet{
+		{
+			Flag:        "auth",
+			Default:     "token",
+			Description: "Specify the authentication type to use for the agent.",
+			Env:         "CODER_AGENT_AUTH",
+			Value:       clibase.StringOf(&auth),
+		},
+		{
+			Flag:        "log-dir",
+			Default:     os.TempDir(),
+			Description: "Specify the location for the agent log files.",
+			Env:         "CODER_AGENT_LOG_DIR",
+			Value:       clibase.StringOf(&logDir),
+		},
+		{
+			Flag:        "pprof-address",
+			Default:     "127.0.0.1:6060",
+			Env:         "CODER_AGENT_PPROF_ADDRESS",
+			Value:       clibase.StringOf(&pprofAddress),
+			Description: "The address to serve pprof.",
+		},
+		{
+			Flag: "no-reap",
+
+			Env:         "",
+			Description: "Do not start a process reaper.",
+			Value:       clibase.BoolOf(&noReap),
+		},
+		{
+			Flag: "ssh-max-timeout",
+			// tcpip.KeepaliveIdleOption = 72h + 1min (forwardTCPSockOpts() in tailnet/conn.go)
+			Default:     "72h",
+			Env:         "CODER_AGENT_SSH_MAX_TIMEOUT",
+			Description: "Specify the max timeout for a SSH connection, it is advisable to set it to a minimum of 60s, but no more than 72h.",
+			Value:       clibase.DurationOf(&sshMaxTimeout),
+		},
+		{
+			Flag:        "tailnet-listen-port",
+			Default:     "0",
+			Env:         "CODER_AGENT_TAILNET_LISTEN_PORT",
+			Description: "Specify a static port for Tailscale to use for listening.",
+			Value:       clibase.Int64Of(&tailnetListenPort),
+		},
+		{
+			Flag:        "prometheus-address",
+			Default:     "127.0.0.1:2112",
+			Env:         "CODER_AGENT_PROMETHEUS_ADDRESS",
+			Value:       clibase.StringOf(&prometheusAddress),
+			Description: "The bind address to serve Prometheus metrics.",
+		},
+		{
+			Flag:        "debug-address",
+			Default:     "127.0.0.1:2113",
+			Env:         "CODER_AGENT_DEBUG_ADDRESS",
+			Value:       clibase.StringOf(&debugAddress),
+			Description: "The bind address to serve a debug HTTP server.",
+		},
+		{
+			Name:        "Human Log Location",
+			Description: "Output human-readable logs to a given file.",
+			Flag:        "log-human",
+			Env:         "CODER_AGENT_LOGGING_HUMAN",
+			Default:     "/dev/stderr",
+			Value:       clibase.StringOf(&slogHumanPath),
+		},
+		{
+			Name:        "JSON Log Location",
+			Description: "Output JSON logs to a given file.",
+			Flag:        "log-json",
+			Env:         "CODER_AGENT_LOGGING_JSON",
+			Default:     "",
+			Value:       clibase.StringOf(&slogJSONPath),
+		},
+		{
+			Name:        "Stackdriver Log Location",
+			Description: "Output Stackdriver compatible logs to a given file.",
+			Flag:        "log-stackdriver",
+			Env:         "CODER_AGENT_LOGGING_STACKDRIVER",
+			Default:     "",
+			Value:       clibase.StringOf(&slogStackdriverPath),
 		},
 	}

-	cliflag.StringVarP(cmd.Flags(), &auth, "auth", "", "CODER_AGENT_AUTH", "token", "Specify the authentication type to use for the agent")
 	return cmd
 }
+
+func ServeHandler(ctx context.Context, logger slog.Logger, handler http.Handler, addr, name string) (closeFunc func()) {
+	logger.Debug(ctx, "http server listening", slog.F("addr", addr), slog.F("name", name))
+
+	// ReadHeaderTimeout is purposefully not enabled. It caused some issues with
+	// websockets over the dev tunnel.
+	// See: https://github.com/coder/coder/pull/3730
+	//nolint:gosec
+	srv := &http.Server{
+		Addr:    addr,
+		Handler: handler,
+	}
+	go func() {
+		err := srv.ListenAndServe()
+		if err != nil && !xerrors.Is(err, http.ErrServerClosed) {
+			logger.Error(ctx, "http server listen", slog.F("name", name), slog.Error(err))
+		}
+	}()
+
+	return func() {
+		_ = srv.Close()
+	}
+}
+
+// lumberjackWriteCloseFixer is a wrapper around an io.WriteCloser that
+// prevents writes after Close. This is necessary because lumberjack
+// re-opens the file on Write.
+type lumberjackWriteCloseFixer struct {
+	w      io.WriteCloser
+	mu     sync.Mutex // Protects following.
+	closed bool
+}
+
+func (c *lumberjackWriteCloseFixer) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.closed = true
+	return c.w.Close()
+}
+
+func (c *lumberjackWriteCloseFixer) Write(p []byte) (int, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.closed {
+		return 0, io.ErrClosedPipe
+	}
+	return c.w.Write(p)
+}
+
+// extractPort handles different url strings.
+// - localhost:6060
+// - http://localhost:6060
+func extractPort(u string) (int, error) {
+	port, firstError := urlPort(u)
+	if firstError == nil {
+		return port, nil
+	}
+
+	// Try with a scheme
+	port, err := urlPort("http://" + u)
+	if err == nil {
+		return port, nil
+	}
+	return -1, xerrors.Errorf("invalid url %q: %w", u, firstError)
+}
+
+// urlPort extracts the port from a valid URL.
+func urlPort(u string) (int, error) {
+	parsed, err := url.Parse(u)
+	if err != nil {
+		return -1, xerrors.Errorf("invalid url %q: %w", u, err)
+	}
+	if parsed.Port() != "" {
+		port, err := strconv.ParseUint(parsed.Port(), 10, 16)
+		if err == nil && port > 0 && port < 1<<16 {
+			return int(port), nil
+		}
+	}
+	return -1, xerrors.Errorf("invalid port: %s", u)
+}
+
+func prometheusMetricsHandler(prometheusRegistry *prometheus.Registry, logger slog.Logger) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/plain")
+
+		// Based on: https://github.com/tailscale/tailscale/blob/280255acae604796a1113861f5a84e6fa2dc6121/ipn/localapi/localapi.go#L489
+		clientmetric.WritePrometheusExpositionFormat(w)
+
+		metricFamilies, err := prometheusRegistry.Gather()
+		if err != nil {
+			logger.Error(context.Background(), "Prometheus handler can't gather metric families", slog.Error(err))
+			return
+		}
+
+		for _, metricFamily := range metricFamilies {
+			_, err = expfmt.MetricFamilyToText(w, metricFamily)
+			if err != nil {
+				logger.Error(context.Background(), "expfmt.MetricFamilyToText failed", slog.Error(err))
+				return
+			}
+		}
+	})
+}
@@ -0,0 +1,69 @@
+package cli
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_extractPort(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name      string
+		urlString string
+		want      int
+		wantErr   bool
+	}{
+		{
+			name:      "Empty",
+			urlString: "",
+			wantErr:   true,
+		},
+		{
+			name:      "NoScheme",
+			urlString: "localhost:6060",
+			want:      6060,
+		},
+		{
+			name:      "WithScheme",
+			urlString: "http://localhost:6060",
+			want:      6060,
+		},
+		{
+			name:      "NoPort",
+			urlString: "http://localhost",
+			wantErr:   true,
+		},
+		{
+			name:      "NoPortNoScheme",
+			urlString: "localhost",
+			wantErr:   true,
+		},
+		{
+			name:      "OnlyPort",
+			urlString: "6060",
+			wantErr:   true,
+		},
+		{
+			name:      "127.0.0.1",
+			urlString: "127.0.0.1:2113",
+			want:      2113,
+			wantErr:   false,
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			got, err := extractPort(tt.urlString)
+			if tt.wantErr {
+				require.Error(t, err, fmt.Sprintf("extractPort(%v)", tt.urlString))
+			} else {
+				require.NoError(t, err, fmt.Sprintf("extractPort(%v)", tt.urlString))
+				require.Equal(t, tt.want, got, fmt.Sprintf("extractPort(%v)", tt.urlString))
+			}
+		})
+	}
+}
@@ -2,30 +2,79 @@ package cli_test

 import (
 	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
 	"testing"

+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

+	"github.com/coder/coder/agent"
 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
 )

 func TestWorkspaceAgent(t *testing.T) {
 	t.Parallel()
+
+	t.Run("LogDirectory", func(t *testing.T) {
+		t.Parallel()
+
+		authToken := uuid.NewString()
+		client := coderdtest.New(t, &coderdtest.Options{
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		logDir := t.TempDir()
+		inv, _ := clitest.New(t,
+			"agent",
+			"--auth", "token",
+			"--agent-token", authToken,
+			"--agent-url", client.URL.String(),
+			"--log-dir", logDir,
+		)
+
+		pty := ptytest.New(t).Attach(inv)
+
+		clitest.Start(t, inv)
+		ctx := inv.Context()
+		pty.ExpectMatchContext(ctx, "agent is starting now")
+
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+
+		info, err := os.Stat(filepath.Join(logDir, "coder-agent.log"))
+		require.NoError(t, err)
+		require.Greater(t, info.Size(), int64(0))
+	})
+
 	t.Run("Azure", func(t *testing.T) {
 		t.Parallel()
 		instanceID := "instanceidentifier"
 		certificates, metadataClient := coderdtest.NewAzureInstanceIdentity(t, instanceID)
 		client := coderdtest.New(t, &coderdtest.Options{
-			AzureCertificates: certificates,
+			AzureCertificates:        certificates,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			Provision: []*proto.Provision_Response{{
+			ProvisionApply: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{
 						Resources: []*proto.Resource{{
@@ -46,26 +95,24 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)

-		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
-		ctx, cancelFunc := context.WithCancel(context.Background())
-		defer cancelFunc()
-		go func() {
-			// A linting error occurs for weakly typing the context value here,
-			// but it seems reasonable for a one-off test.
-			// nolint
-			ctx = context.WithValue(ctx, "azure-client", metadataClient)
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
-		}()
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		inv, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
+		inv = inv.WithContext(
+			//nolint:revive,staticcheck
+			context.WithValue(inv.Context(), "azure-client", metadataClient),
+		)
+		ctx := inv.Context()
+		clitest.Start(t, inv)
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
 		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, workspace.LatestBuild.Resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
 		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
-		cancelFunc()
+		require.True(t, dialer.AwaitReachable(ctx))
 	})

 	t.Run("AWS", func(t *testing.T) {
@@ -73,13 +120,13 @@ func TestWorkspaceAgent(t *testing.T) {
 		instanceID := "instanceidentifier"
 		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
 		client := coderdtest.New(t, &coderdtest.Options{
-			AWSCertificates: certificates,
+			AWSCertificates:          certificates,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			Provision: []*proto.Provision_Response{{
+			ProvisionApply: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{
 						Resources: []*proto.Resource{{
@@ -100,40 +147,38 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)

-		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
-		ctx, cancelFunc := context.WithCancel(context.Background())
-		defer cancelFunc()
-		go func() {
-			// A linting error occurs for weakly typing the context value here,
-			// but it seems reasonable for a one-off test.
-			// nolint
-			ctx = context.WithValue(ctx, "aws-client", metadataClient)
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
-		}()
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		inv, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
+		inv = inv.WithContext(
+			//nolint:revive,staticcheck
+			context.WithValue(inv.Context(), "aws-client", metadataClient),
+		)
+		clitest.Start(t, inv)
+		ctx := inv.Context()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
 		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
 		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
-		cancelFunc()
+		require.True(t, dialer.AwaitReachable(ctx))
 	})

 	t.Run("GoogleCloud", func(t *testing.T) {
 		t.Parallel()
 		instanceID := "instanceidentifier"
-		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
+		validator, metadataClient := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
 		client := coderdtest.New(t, &coderdtest.Options{
-			GoogleTokenValidator: validator,
+			GoogleTokenValidator:     validator,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
-		coderdtest.NewProvisionerDaemon(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			Provision: []*proto.Provision_Response{{
+			ProvisionApply: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{
 						Resources: []*proto.Resource{{
@@ -154,25 +199,82 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)

-		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
-		ctx, cancelFunc := context.WithCancel(context.Background())
-		defer cancelFunc()
-		go func() {
-			// A linting error occurs for weakly typing the context value here,
-			// but it seems reasonable for a one-off test.
-			// nolint
-			ctx = context.WithValue(ctx, "gcp-client", metadata)
-			err := cmd.ExecuteContext(ctx)
-			require.NoError(t, err)
-		}()
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		inv, cfg := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
+		ptytest.New(t).Attach(inv)
+		clitest.SetupConfig(t, client, cfg)
+		clitest.Start(t,
+			inv.WithContext(
+				//nolint:revive,staticcheck
+				context.WithValue(inv.Context(), "gcp-client", metadataClient),
+			),
+		)
+
+		ctx := inv.Context()
+
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
 		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
 		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
+		require.True(t, dialer.AwaitReachable(ctx))
+		sshClient, err := dialer.SSHClient(ctx)
 		require.NoError(t, err)
-		cancelFunc()
+		defer sshClient.Close()
+		session, err := sshClient.NewSession()
+		require.NoError(t, err)
+		defer session.Close()
+		key := "CODER_AGENT_TOKEN"
+		command := "sh -c 'echo $" + key + "'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %" + key + "%"
+		}
+		token, err := session.CombinedOutput(command)
+		require.NoError(t, err)
+		_, err = uuid.Parse(strings.TrimSpace(string(token)))
+		require.NoError(t, err)
+	})
+
+	t.Run("PostStartup", func(t *testing.T) {
+		t.Parallel()
+
+		authToken := uuid.NewString()
+		client := coderdtest.New(t, &coderdtest.Options{
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse:          echo.ParseComplete,
+			ProvisionApply: echo.ProvisionApplyWithAgent(authToken),
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		logDir := t.TempDir()
+		inv, _ := clitest.New(t,
+			"agent",
+			"--auth", "token",
+			"--agent-token", authToken,
+			"--agent-url", client.URL.String(),
+			"--log-dir", logDir,
+		)
+		// Set the subsystem for the agent.
+		inv.Environ.Set(agent.EnvAgentSubsystem, string(codersdk.AgentSubsystemEnvbox))
+
+		pty := ptytest.New(t).Attach(inv)
+
+		clitest.Start(t, inv)
+		pty.ExpectMatchContext(inv.Context(), "agent is starting now")
+
+		resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		require.Len(t, resources, 1)
+		require.Len(t, resources[0].Agents, 1)
+		require.Equal(t, codersdk.AgentSubsystemEnvbox, resources[0].Agents[0].Subsystem)
 	})
 }
@@ -1,167 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/coder/coder/coderd/autobuild/schedule"
-	"github.com/coder/coder/codersdk"
-)
-
-const autostartDescriptionLong = `To have your workspace build automatically at a regular time you can enable autostart.
-When enabling autostart, provide the minute, hour, and day(s) of week.
-The default schedule is at 09:00 in your local timezone (TZ env, UTC by default).
-`
-
-func autostart() *cobra.Command {
-	autostartCmd := &cobra.Command{
-		Annotations: workspaceCommand,
-		Use:         "autostart enable <workspace>",
-		Short:       "schedule a workspace to automatically start at a regular time",
-		Long:        autostartDescriptionLong,
-		Example:     "coder autostart enable my-workspace --minute 30 --hour 9 --days 1-5 --tz Europe/Dublin",
-	}
-
-	autostartCmd.AddCommand(autostartShow())
-	autostartCmd.AddCommand(autostartEnable())
-	autostartCmd.AddCommand(autostartDisable())
-
-	return autostartCmd
-}
-
-func autostartShow() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:  "show <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			if workspace.AutostartSchedule == "" {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "not enabled\n")
-				return nil
-			}
-
-			validSchedule, err := schedule.Weekly(workspace.AutostartSchedule)
-			if err != nil {
-				// This should never happen.
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "invalid autostart schedule %q for workspace %s: %s\n", workspace.AutostartSchedule, workspace.Name, err.Error())
-				return nil
-			}
-
-			next := validSchedule.Next(time.Now())
-			loc, _ := time.LoadLocation(validSchedule.Timezone())
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
-				"schedule: %s\ntimezone: %s\nnext:     %s\n",
-				validSchedule.Cron(),
-				validSchedule.Timezone(),
-				next.In(loc),
-			)
-
-			return nil
-		},
-	}
-	return cmd
-}
-
-func autostartEnable() *cobra.Command {
-	// yes some of these are technically numbers but the cron library will do that work
-	var autostartMinute string
-	var autostartHour string
-	var autostartDayOfWeek string
-	var autostartTimezone string
-	cmd := &cobra.Command{
-		Use:  "enable <workspace_name> <schedule>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			spec := fmt.Sprintf("CRON_TZ=%s %s %s * * %s", autostartTimezone, autostartMinute, autostartHour, autostartDayOfWeek)
-			validSchedule, err := schedule.Weekly(spec)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostart(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
-				Schedule: validSchedule.String(),
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will automatically start at %s.\n\n", workspace.Name, validSchedule.Next(time.Now()))
-
-			return nil
-		},
-	}
-
-	cmd.Flags().StringVar(&autostartMinute, "minute", "0", "autostart minute")
-	cmd.Flags().StringVar(&autostartHour, "hour", "9", "autostart hour")
-	cmd.Flags().StringVar(&autostartDayOfWeek, "days", "1-5", "autostart day(s) of week")
-	tzEnv := os.Getenv("TZ")
-	if tzEnv == "" {
-		tzEnv = "UTC"
-	}
-	cmd.Flags().StringVar(&autostartTimezone, "tz", tzEnv, "autostart timezone")
-	return cmd
-}
-
-func autostartDisable() *cobra.Command {
-	return &cobra.Command{
-		Use:  "disable <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostart(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
-				Schedule: "",
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will no longer automatically start.\n\n", workspace.Name)
-
-			return nil
-		},
-	}
-}
@@ -1,165 +0,0 @@
-package cli_test
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/codersdk"
-)
-
-func TestAutostart(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ShowOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			cmdArgs   = []string{"autostart", "show", workspace.Name}
-			sched     = "CRON_TZ=Europe/Dublin 30 17 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		err := client.UpdateWorkspaceAutostart(ctx, workspace.ID, codersdk.UpdateWorkspaceAutostartRequest{
-			Schedule: sched,
-		})
-		require.NoError(t, err)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		// CRON_TZ gets stripped
-		require.Contains(t, stdoutBuf.String(), "schedule: 30 17 * * 1-5")
-	})
-
-	t.Run("EnableDisableOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			tz        = "Europe/Dublin"
-			cmdArgs   = []string{"autostart", "enable", workspace.Name, "--minute", "30", "--hour", "9", "--days", "1-5", "--tz", tz}
-			sched     = "CRON_TZ=Europe/Dublin 30 9 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will automatically start at", "unexpected output")
-
-		// Ensure autostart schedule updated
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, sched, updated.AutostartSchedule, "expected autostart schedule to be set")
-
-		// Disable schedule
-		cmd, root = clitest.New(t, "autostart", "disable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will no longer automatically start", "unexpected output")
-
-		// Ensure autostart schedule updated
-		updated, err = client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Empty(t, updated.AutostartSchedule, "expected autostart schedule to not be set")
-	})
-
-	t.Run("Enable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostart", "enable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 404: no workspace found by name", "unexpected error")
-	})
-
-	t.Run("Disable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostart", "disable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 404: no workspace found by name", "unexpected error")
-	})
-
-	t.Run("Enable_DefaultSchedule", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-		)
-
-		// check current TZ env var
-		currTz := os.Getenv("TZ")
-		if currTz == "" {
-			currTz = "UTC"
-		}
-		expectedSchedule := fmt.Sprintf("CRON_TZ=%s 0 9 * * 1-5", currTz)
-		cmd, root := clitest.New(t, "autostart", "enable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-
-		// Ensure nothing happened
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, expectedSchedule, updated.AutostartSchedule, "expected default autostart schedule")
-	})
-}
@@ -1,167 +0,0 @@
-package cli
-
-import (
-	"fmt"
-	"os"
-	"time"
-
-	"github.com/spf13/cobra"
-
-	"github.com/coder/coder/coderd/autobuild/schedule"
-	"github.com/coder/coder/codersdk"
-)
-
-const autostopDescriptionLong = `To have your workspace stop automatically at a regular time you can enable autostop.
-When enabling autostop, provide the minute, hour, and day(s) of week.
-The default autostop schedule is at 18:00 in your local timezone (TZ env, UTC by default).
-`
-
-func autostop() *cobra.Command {
-	autostopCmd := &cobra.Command{
-		Annotations: workspaceCommand,
-		Use:         "autostop enable <workspace>",
-		Short:       "schedule a workspace to automatically stop at a regular time",
-		Long:        autostopDescriptionLong,
-		Example:     "coder autostop enable my-workspace --minute 0 --hour 18 --days 1-5 -tz Europe/Dublin",
-	}
-
-	autostopCmd.AddCommand(autostopShow())
-	autostopCmd.AddCommand(autostopEnable())
-	autostopCmd.AddCommand(autostopDisable())
-
-	return autostopCmd
-}
-
-func autostopShow() *cobra.Command {
-	cmd := &cobra.Command{
-		Use:  "show <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			if workspace.AutostopSchedule == "" {
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "not enabled\n")
-				return nil
-			}
-
-			validSchedule, err := schedule.Weekly(workspace.AutostopSchedule)
-			if err != nil {
-				// This should never happen.
-				_, _ = fmt.Fprintf(cmd.OutOrStdout(), "invalid autostop schedule %q for workspace %s: %s\n", workspace.AutostopSchedule, workspace.Name, err.Error())
-				return nil
-			}
-
-			next := validSchedule.Next(time.Now())
-			loc, _ := time.LoadLocation(validSchedule.Timezone())
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(),
-				"schedule: %s\ntimezone: %s\nnext:     %s\n",
-				validSchedule.Cron(),
-				validSchedule.Timezone(),
-				next.In(loc),
-			)
-
-			return nil
-		},
-	}
-	return cmd
-}
-
-func autostopEnable() *cobra.Command {
-	// yes some of these are technically numbers but the cron library will do that work
-	var autostopMinute string
-	var autostopHour string
-	var autostopDayOfWeek string
-	var autostopTimezone string
-	cmd := &cobra.Command{
-		Use:  "enable <workspace_name> <schedule>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			spec := fmt.Sprintf("CRON_TZ=%s %s %s * * %s", autostopTimezone, autostopMinute, autostopHour, autostopDayOfWeek)
-			validSchedule, err := schedule.Weekly(spec)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostop(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostopRequest{
-				Schedule: validSchedule.String(),
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will automatically stop at %s.\n\n", workspace.Name, validSchedule.Next(time.Now()))
-
-			return nil
-		},
-	}
-
-	cmd.Flags().StringVar(&autostopMinute, "minute", "0", "autostop minute")
-	cmd.Flags().StringVar(&autostopHour, "hour", "18", "autostop hour")
-	cmd.Flags().StringVar(&autostopDayOfWeek, "days", "1-5", "autostop day(s) of week")
-	tzEnv := os.Getenv("TZ")
-	if tzEnv == "" {
-		tzEnv = "UTC"
-	}
-	cmd.Flags().StringVar(&autostopTimezone, "tz", tzEnv, "autostop timezone")
-	return cmd
-}
-
-func autostopDisable() *cobra.Command {
-	return &cobra.Command{
-		Use:  "disable <workspace_name>",
-		Args: cobra.ExactArgs(1),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
-			if err != nil {
-				return err
-			}
-			organization, err := currentOrganization(cmd, client)
-			if err != nil {
-				return err
-			}
-
-			workspace, err := client.WorkspaceByOwnerAndName(cmd.Context(), organization.ID, codersdk.Me, args[0])
-			if err != nil {
-				return err
-			}
-
-			err = client.UpdateWorkspaceAutostop(cmd.Context(), workspace.ID, codersdk.UpdateWorkspaceAutostopRequest{
-				Schedule: "",
-			})
-			if err != nil {
-				return err
-			}
-
-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace will no longer automatically stop.\n\n", workspace.Name)
-
-			return nil
-		},
-	}
-}
@@ -1,165 +0,0 @@
-package cli_test
-
-import (
-	"bytes"
-	"context"
-	"fmt"
-	"os"
-	"testing"
-
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/clitest"
-	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/codersdk"
-)
-
-func TestAutostop(t *testing.T) {
-	t.Parallel()
-
-	t.Run("ShowOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			cmdArgs   = []string{"autostop", "show", workspace.Name}
-			sched     = "CRON_TZ=Europe/Dublin 30 17 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		err := client.UpdateWorkspaceAutostop(ctx, workspace.ID, codersdk.UpdateWorkspaceAutostopRequest{
-			Schedule: sched,
-		})
-		require.NoError(t, err)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		// CRON_TZ gets stripped
-		require.Contains(t, stdoutBuf.String(), "schedule: 30 17 * * 1-5")
-	})
-
-	t.Run("EnableDisableOK", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-			cmdArgs   = []string{"autostop", "enable", workspace.Name, "--minute", "30", "--hour", "17", "--days", "1-5", "--tz", "Europe/Dublin"}
-			sched     = "CRON_TZ=Europe/Dublin 30 17 * * 1-5"
-			stdoutBuf = &bytes.Buffer{}
-		)
-
-		cmd, root := clitest.New(t, cmdArgs...)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will automatically stop at", "unexpected output")
-
-		// Ensure autostop schedule updated
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, sched, updated.AutostopSchedule, "expected autostop schedule to be set")
-
-		// Disable schedule
-		cmd, root = clitest.New(t, "autostop", "disable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-		cmd.SetOut(stdoutBuf)
-
-		err = cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-		require.Contains(t, stdoutBuf.String(), "will no longer automatically stop", "unexpected output")
-
-		// Ensure autostop schedule updated
-		updated, err = client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Empty(t, updated.AutostopSchedule, "expected autostop schedule to not be set")
-	})
-
-	t.Run("Enable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostop", "enable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 404: no workspace found by name", "unexpected error")
-	})
-
-	t.Run("Disable_NotFound", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			client  = coderdtest.New(t, nil)
-			_       = coderdtest.NewProvisionerDaemon(t, client)
-			user    = coderdtest.CreateFirstUser(t, client)
-			version = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_       = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		)
-
-		cmd, root := clitest.New(t, "autostop", "disable", "doesnotexist")
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.ErrorContains(t, err, "status code 404: no workspace found by name", "unexpected error")
-	})
-
-	t.Run("Enable_DefaultSchedule", func(t *testing.T) {
-		t.Parallel()
-
-		var (
-			ctx       = context.Background()
-			client    = coderdtest.New(t, nil)
-			_         = coderdtest.NewProvisionerDaemon(t, client)
-			user      = coderdtest.CreateFirstUser(t, client)
-			version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
-			_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-			project   = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-			workspace = coderdtest.CreateWorkspace(t, client, user.OrganizationID, project.ID)
-		)
-
-		// check current TZ env var
-		currTz := os.Getenv("TZ")
-		if currTz == "" {
-			currTz = "UTC"
-		}
-		expectedSchedule := fmt.Sprintf("CRON_TZ=%s 0 18 * * 1-5", currTz)
-
-		cmd, root := clitest.New(t, "autostop", "enable", workspace.Name)
-		clitest.SetupConfig(t, client, root)
-
-		err := cmd.Execute()
-		require.NoError(t, err, "unexpected error")
-
-		// Ensure nothing happened
-		updated, err := client.Workspace(ctx, workspace.ID)
-		require.NoError(t, err, "fetch updated workspace")
-		require.Equal(t, expectedSchedule, updated.AutostopSchedule, "expected default autostop schedule")
-	})
-}
@@ -0,0 +1,80 @@
+// Package clibase offers an all-in-one solution for a highly configurable CLI
+// application. Within Coder, we use it for all of our subcommands, which
+// demands more functionality than cobra/viber offers.
+//
+// The Command interface is loosely based on the chi middleware pattern and
+// http.Handler/HandlerFunc.
+package clibase
+
+import (
+	"strings"
+
+	"golang.org/x/exp/maps"
+)
+
+// Group describes a hierarchy of groups that an option or command belongs to.
+type Group struct {
+	Parent      *Group `json:"parent,omitempty"`
+	Name        string `json:"name,omitempty"`
+	YAML        string `json:"yaml,omitempty"`
+	Description string `json:"description,omitempty"`
+}
+
+// Ancestry returns the group and all of its parents, in order.
+func (g *Group) Ancestry() []Group {
+	if g == nil {
+		return nil
+	}
+
+	groups := []Group{*g}
+	for p := g.Parent; p != nil; p = p.Parent {
+		// Prepend to the slice so that the order is correct.
+		groups = append([]Group{*p}, groups...)
+	}
+	return groups
+}
+
+func (g *Group) FullName() string {
+	var names []string
+	for _, g := range g.Ancestry() {
+		names = append(names, g.Name)
+	}
+	return strings.Join(names, " / ")
+}
+
+// Annotations is an arbitrary key-mapping used to extend the Option and Command types.
+// Its methods won't panic if the map is nil.
+type Annotations map[string]string
+
+// Mark sets a value on the annotations map, creating one
+// if it doesn't exist. Mark does not mutate the original and
+// returns a copy. It is suitable for chaining.
+func (a Annotations) Mark(key string, value string) Annotations {
+	var aa Annotations
+	if a != nil {
+		aa = maps.Clone(a)
+	} else {
+		aa = make(Annotations)
+	}
+	aa[key] = value
+	return aa
+}
+
+// IsSet returns true if the key is set in the annotations map.
+func (a Annotations) IsSet(key string) bool {
+	if a == nil {
+		return false
+	}
+	_, ok := a[key]
+	return ok
+}
+
+// Get retrieves a key from the map, returning false if the key is not found
+// or the map is nil.
+func (a Annotations) Get(key string) (string, bool) {
+	if a == nil {
+		return "", false
+	}
+	v, ok := a[key]
+	return v, ok
+}
@@ -0,0 +1,567 @@
+package clibase
+
+import (
+	"context"
+	"errors"
+	"flag"
+	"fmt"
+	"io"
+	"os"
+	"strings"
+	"unicode"
+
+	"github.com/spf13/pflag"
+	"golang.org/x/exp/slices"
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+)
+
+// Cmd describes an executable command.
+type Cmd struct {
+	// Parent is the direct parent of the command.
+	Parent *Cmd
+	// Children is a list of direct descendants.
+	Children []*Cmd
+	// Use is provided in form "command [flags] [args...]".
+	Use string
+
+	// Aliases is a list of alternative names for the command.
+	Aliases []string
+
+	// Short is a one-line description of the command.
+	Short string
+
+	// Hidden determines whether the command should be hidden from help.
+	Hidden bool
+
+	// RawArgs determines whether the command should receive unparsed arguments.
+	// No flags are parsed when set, and the command is responsible for parsing
+	// its own flags.
+	RawArgs bool
+
+	// Long is a detailed description of the command,
+	// presented on its help page. It may contain examples.
+	Long        string
+	Options     OptionSet
+	Annotations Annotations
+
+	// Middleware is called before the Handler.
+	// Use Chain() to combine multiple middlewares.
+	Middleware  MiddlewareFunc
+	Handler     HandlerFunc
+	HelpHandler HandlerFunc
+}
+
+// AddSubcommands adds the given subcommands, setting their
+// Parent field automatically.
+func (c *Cmd) AddSubcommands(cmds ...*Cmd) {
+	for _, cmd := range cmds {
+		cmd.Parent = c
+		c.Children = append(c.Children, cmd)
+	}
+}
+
+// Walk calls fn for the command and all its children.
+func (c *Cmd) Walk(fn func(*Cmd)) {
+	fn(c)
+	for _, child := range c.Children {
+		child.Parent = c
+		child.Walk(fn)
+	}
+}
+
+// PrepareAll performs initialization and linting on the command and all its children.
+func (c *Cmd) PrepareAll() error {
+	if c.Use == "" {
+		return xerrors.New("command must have a Use field so that it has a name")
+	}
+	var merr error
+
+	for i := range c.Options {
+		opt := &c.Options[i]
+		if opt.Name == "" {
+			switch {
+			case opt.Flag != "":
+				opt.Name = opt.Flag
+			case opt.Env != "":
+				opt.Name = opt.Env
+			case opt.YAML != "":
+				opt.Name = opt.YAML
+			default:
+				merr = errors.Join(merr, xerrors.Errorf("option must have a Name, Flag, Env or YAML field"))
+			}
+		}
+		if opt.Description != "" {
+			// Enforce that description uses sentence form.
+			if unicode.IsLower(rune(opt.Description[0])) {
+				merr = errors.Join(merr, xerrors.Errorf("option %q description should start with a capital letter", opt.Name))
+			}
+			if !strings.HasSuffix(opt.Description, ".") {
+				merr = errors.Join(merr, xerrors.Errorf("option %q description should end with a period", opt.Name))
+			}
+		}
+	}
+
+	slices.SortFunc(c.Options, func(a, b Option) bool {
+		return a.Name < b.Name
+	})
+	slices.SortFunc(c.Children, func(a, b *Cmd) bool {
+		return a.Name() < b.Name()
+	})
+	for _, child := range c.Children {
+		child.Parent = c
+		err := child.PrepareAll()
+		if err != nil {
+			merr = errors.Join(merr, xerrors.Errorf("command %v: %w", child.Name(), err))
+		}
+	}
+	return merr
+}
+
+// Name returns the first word in the Use string.
+func (c *Cmd) Name() string {
+	return strings.Split(c.Use, " ")[0]
+}
+
+// FullName returns the full invocation name of the command,
+// as seen on the command line.
+func (c *Cmd) FullName() string {
+	var names []string
+	if c.Parent != nil {
+		names = append(names, c.Parent.FullName())
+	}
+	names = append(names, c.Name())
+	return strings.Join(names, " ")
+}
+
+// FullName returns usage of the command, preceded
+// by the usage of its parents.
+func (c *Cmd) FullUsage() string {
+	var uses []string
+	if c.Parent != nil {
+		uses = append(uses, c.Parent.FullName())
+	}
+	uses = append(uses, c.Use)
+	return strings.Join(uses, " ")
+}
+
+// FullOptions returns the options of the command and its parents.
+func (c *Cmd) FullOptions() OptionSet {
+	var opts OptionSet
+	if c.Parent != nil {
+		opts = append(opts, c.Parent.FullOptions()...)
+	}
+	opts = append(opts, c.Options...)
+	return opts
+}
+
+// Invoke creates a new invocation of the command, with
+// stdio discarded.
+//
+// The returned invocation is not live until Run() is called.
+func (c *Cmd) Invoke(args ...string) *Invocation {
+	return &Invocation{
+		Command: c,
+		Args:    args,
+		Stdout:  io.Discard,
+		Stderr:  io.Discard,
+		Stdin:   strings.NewReader(""),
+	}
+}
+
+// Invocation represents an instance of a command being executed.
+type Invocation struct {
+	ctx         context.Context
+	Command     *Cmd
+	parsedFlags *pflag.FlagSet
+	Args        []string
+	// Environ is a list of environment variables. Use EnvsWithPrefix to parse
+	// os.Environ.
+	Environ Environ
+	Stdout  io.Writer
+	Stderr  io.Writer
+	Stdin   io.Reader
+}
+
+// WithOS returns the invocation as a main package, filling in the invocation's unset
+// fields with OS defaults.
+func (inv *Invocation) WithOS() *Invocation {
+	return inv.with(func(i *Invocation) {
+		i.Stdout = os.Stdout
+		i.Stderr = os.Stderr
+		i.Stdin = os.Stdin
+		i.Args = os.Args[1:]
+		i.Environ = ParseEnviron(os.Environ(), "")
+	})
+}
+
+func (inv *Invocation) Context() context.Context {
+	if inv.ctx == nil {
+		return context.Background()
+	}
+	return inv.ctx
+}
+
+func (inv *Invocation) ParsedFlags() *pflag.FlagSet {
+	if inv.parsedFlags == nil {
+		panic("flags not parsed, has Run() been called?")
+	}
+	return inv.parsedFlags
+}
+
+type runState struct {
+	allArgs      []string
+	commandDepth int
+
+	flagParseErr error
+}
+
+func copyFlagSetWithout(fs *pflag.FlagSet, without string) *pflag.FlagSet {
+	fs2 := pflag.NewFlagSet("", pflag.ContinueOnError)
+	fs2.Usage = func() {}
+	fs.VisitAll(func(f *pflag.Flag) {
+		if f.Name == without {
+			return
+		}
+		fs2.AddFlag(f)
+	})
+	return fs2
+}
+
+// run recursively executes the command and its children.
+// allArgs is wired through the stack so that global flags can be accepted
+// anywhere in the command invocation.
+func (inv *Invocation) run(state *runState) error {
+	err := inv.Command.Options.ParseEnv(inv.Environ)
+	if err != nil {
+		return xerrors.Errorf("parsing env: %w", err)
+	}
+
+	// Now the fun part, argument parsing!
+
+	children := make(map[string]*Cmd)
+	for _, child := range inv.Command.Children {
+		child.Parent = inv.Command
+		for _, name := range append(child.Aliases, child.Name()) {
+			if _, ok := children[name]; ok {
+				return xerrors.Errorf("duplicate command name: %s", name)
+			}
+			children[name] = child
+		}
+	}
+
+	if inv.parsedFlags == nil {
+		inv.parsedFlags = pflag.NewFlagSet(inv.Command.Name(), pflag.ContinueOnError)
+		// We handle Usage ourselves.
+		inv.parsedFlags.Usage = func() {}
+	}
+
+	// If we find a duplicate flag, we want the deeper command's flag to override
+	// the shallow one. Unfortunately, pflag has no way to remove a flag, so we
+	// have to create a copy of the flagset without a value.
+	inv.Command.Options.FlagSet().VisitAll(func(f *pflag.Flag) {
+		if inv.parsedFlags.Lookup(f.Name) != nil {
+			inv.parsedFlags = copyFlagSetWithout(inv.parsedFlags, f.Name)
+		}
+		inv.parsedFlags.AddFlag(f)
+	})
+
+	var parsedArgs []string
+
+	if !inv.Command.RawArgs {
+		// Flag parsing will fail on intermediate commands in the command tree,
+		// so we check the error after looking for a child command.
+		state.flagParseErr = inv.parsedFlags.Parse(state.allArgs)
+		parsedArgs = inv.parsedFlags.Args()
+	}
+
+	// Set value sources for flags.
+	for i, opt := range inv.Command.Options {
+		if fl := inv.parsedFlags.Lookup(opt.Flag); fl != nil && fl.Changed {
+			inv.Command.Options[i].ValueSource = ValueSourceFlag
+		}
+	}
+
+	// Read YAML configs, if any.
+	for _, opt := range inv.Command.Options {
+		path, ok := opt.Value.(*YAMLConfigPath)
+		if !ok || path.String() == "" {
+			continue
+		}
+
+		byt, err := os.ReadFile(path.String())
+		if err != nil {
+			return xerrors.Errorf("reading yaml: %w", err)
+		}
+
+		var n yaml.Node
+		err = yaml.Unmarshal(byt, &n)
+		if err != nil {
+			return xerrors.Errorf("decoding yaml: %w", err)
+		}
+
+		err = inv.Command.Options.UnmarshalYAML(&n)
+		if err != nil {
+			return xerrors.Errorf("applying yaml: %w", err)
+		}
+	}
+
+	err = inv.Command.Options.SetDefaults()
+	if err != nil {
+		return xerrors.Errorf("setting defaults: %w", err)
+	}
+
+	// Run child command if found (next child only)
+	// We must do subcommand detection after flag parsing so we don't mistake flag
+	// values for subcommand names.
+	if len(parsedArgs) > state.commandDepth {
+		nextArg := parsedArgs[state.commandDepth]
+		if child, ok := children[nextArg]; ok {
+			child.Parent = inv.Command
+			inv.Command = child
+			state.commandDepth++
+			return inv.run(state)
+		}
+	}
+
+	// Flag parse errors are irrelevant for raw args commands.
+	if !inv.Command.RawArgs && state.flagParseErr != nil && !errors.Is(state.flagParseErr, pflag.ErrHelp) {
+		return xerrors.Errorf(
+			"parsing flags (%v) for %q: %w",
+			state.allArgs,
+			inv.Command.FullName(), state.flagParseErr,
+		)
+	}
+
+	if inv.Command.RawArgs {
+		// If we're at the root command, then the name is omitted
+		// from the arguments, so we can just use the entire slice.
+		if state.commandDepth == 0 {
+			inv.Args = state.allArgs
+		} else {
+			argPos, err := findArg(inv.Command.Name(), state.allArgs, inv.parsedFlags)
+			if err != nil {
+				panic(err)
+			}
+			inv.Args = state.allArgs[argPos+1:]
+		}
+	} else {
+		// In non-raw-arg mode, we want to skip over flags.
+		inv.Args = parsedArgs[state.commandDepth:]
+	}
+
+	mw := inv.Command.Middleware
+	if mw == nil {
+		mw = Chain()
+	}
+
+	ctx := inv.ctx
+	if ctx == nil {
+		ctx = context.Background()
+	}
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer cancel()
+	inv = inv.WithContext(ctx)
+
+	if inv.Command.Handler == nil || errors.Is(state.flagParseErr, pflag.ErrHelp) {
+		if inv.Command.HelpHandler == nil {
+			return xerrors.Errorf("no handler or help for command %s", inv.Command.FullName())
+		}
+		return inv.Command.HelpHandler(inv)
+	}
+
+	err = mw(inv.Command.Handler)(inv)
+	if err != nil {
+		return &RunCommandError{
+			Cmd: inv.Command,
+			Err: err,
+		}
+	}
+	return nil
+}
+
+type RunCommandError struct {
+	Cmd *Cmd
+	Err error
+}
+
+func (e *RunCommandError) Unwrap() error {
+	return e.Err
+}
+
+func (e *RunCommandError) Error() string {
+	return fmt.Sprintf("running command %q: %+v", e.Cmd.FullName(), e.Err)
+}
+
+// findArg returns the index of the first occurrence of arg in args, skipping
+// over all flags.
+func findArg(want string, args []string, fs *pflag.FlagSet) (int, error) {
+	for i := 0; i < len(args); i++ {
+		arg := args[i]
+		if !strings.HasPrefix(arg, "-") {
+			if arg == want {
+				return i, nil
+			}
+			continue
+		}
+
+		// This is a flag!
+		if strings.Contains(arg, "=") {
+			// The flag contains the value in the same arg, just skip.
+			continue
+		}
+
+		// We need to check if NoOptValue is set, then we should not wait
+		// for the next arg to be the value.
+		f := fs.Lookup(strings.TrimLeft(arg, "-"))
+		if f == nil {
+			return -1, xerrors.Errorf("unknown flag: %s", arg)
+		}
+		if f.NoOptDefVal != "" {
+			continue
+		}
+
+		if i == len(args)-1 {
+			return -1, xerrors.Errorf("flag %s requires a value", arg)
+		}
+
+		// Skip the value.
+		i++
+	}
+
+	return -1, xerrors.Errorf("arg %s not found", want)
+}
+
+// Run executes the command.
+// If two command share a flag name, the first command wins.
+//
+//nolint:revive
+func (inv *Invocation) Run() (err error) {
+	defer func() {
+		// Pflag is panicky, so additional context is helpful in tests.
+		if flag.Lookup("test.v") == nil {
+			return
+		}
+		if r := recover(); r != nil {
+			err = xerrors.Errorf("panic recovered for %s: %v", inv.Command.FullName(), r)
+			panic(err)
+		}
+	}()
+	// We close Stdin to prevent deadlocks, e.g. when the command
+	// has ended but an io.Copy is still reading from Stdin.
+	defer func() {
+		if inv.Stdin == nil {
+			return
+		}
+		rc, ok := inv.Stdin.(io.ReadCloser)
+		if !ok {
+			return
+		}
+		e := rc.Close()
+		err = errors.Join(err, e)
+	}()
+	err = inv.run(&runState{
+		allArgs: inv.Args,
+	})
+	return err
+}
+
+// WithContext returns a copy of the Invocation with the given context.
+func (inv *Invocation) WithContext(ctx context.Context) *Invocation {
+	return inv.with(func(i *Invocation) {
+		i.ctx = ctx
+	})
+}
+
+// with returns a copy of the Invocation with the given function applied.
+func (inv *Invocation) with(fn func(*Invocation)) *Invocation {
+	i2 := *inv
+	fn(&i2)
+	return &i2
+}
+
+// MiddlewareFunc returns the next handler in the chain,
+// or nil if there are no more.
+type MiddlewareFunc func(next HandlerFunc) HandlerFunc
+
+func chain(ms ...MiddlewareFunc) MiddlewareFunc {
+	return MiddlewareFunc(func(next HandlerFunc) HandlerFunc {
+		if len(ms) > 0 {
+			return chain(ms[1:]...)(ms[0](next))
+		}
+		return next
+	})
+}
+
+// Chain returns a Handler that first calls middleware in order.
+//
+//nolint:revive
+func Chain(ms ...MiddlewareFunc) MiddlewareFunc {
+	// We need to reverse the array to provide top-to-bottom execution
+	// order when defining a command.
+	reversed := make([]MiddlewareFunc, len(ms))
+	for i := range ms {
+		reversed[len(ms)-1-i] = ms[i]
+	}
+	return chain(reversed...)
+}
+
+func RequireNArgs(want int) MiddlewareFunc {
+	return RequireRangeArgs(want, want)
+}
+
+// RequireRangeArgs returns a Middleware that requires the number of arguments
+// to be between start and end (inclusive). If end is -1, then the number of
+// arguments must be at least start.
+func RequireRangeArgs(start, end int) MiddlewareFunc {
+	if start < 0 {
+		panic("start must be >= 0")
+	}
+	return func(next HandlerFunc) HandlerFunc {
+		return func(i *Invocation) error {
+			got := len(i.Args)
+			switch {
+			case start == end && got != start:
+				switch start {
+				case 0:
+					if len(i.Command.Children) > 0 {
+						return xerrors.Errorf("unrecognized subcommand %q", i.Args[0])
+					}
+					return xerrors.Errorf("wanted no args but got %v %v", got, i.Args)
+				default:
+					return xerrors.Errorf(
+						"wanted %v args but got %v %v",
+						start,
+						got,
+						i.Args,
+					)
+				}
+			case start > 0 && end == -1:
+				switch {
+				case got < start:
+					return xerrors.Errorf(
+						"wanted at least %v args but got %v",
+						start,
+						got,
+					)
+				default:
+					return next(i)
+				}
+			case start > end:
+				panic("start must be <= end")
+			case got < start || got > end:
+				return xerrors.Errorf(
+					"wanted between %v and %v args but got %v",
+					start, end,
+					got,
+				)
+			default:
+				return next(i)
+			}
+		}
+	}
+}
+
+// HandlerFunc handles an Invocation of a command.
+type HandlerFunc func(i *Invocation) error
@@ -0,0 +1,635 @@
+package clibase_test
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"os"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/clibase"
+)
+
+// ioBufs is the standard input, output, and error for a command.
+type ioBufs struct {
+	Stdin  bytes.Buffer
+	Stdout bytes.Buffer
+	Stderr bytes.Buffer
+}
+
+// fakeIO sets Stdin, Stdout, and Stderr to buffers.
+func fakeIO(i *clibase.Invocation) *ioBufs {
+	var b ioBufs
+	i.Stdout = &b.Stdout
+	i.Stderr = &b.Stderr
+	i.Stdin = &b.Stdin
+	return &b
+}
+
+func TestCommand(t *testing.T) {
+	t.Parallel()
+
+	cmd := func() *clibase.Cmd {
+		var (
+			verbose bool
+			lower   bool
+			prefix  string
+		)
+		return &clibase.Cmd{
+			Use: "root [subcommand]",
+			Options: clibase.OptionSet{
+				clibase.Option{
+					Name:  "verbose",
+					Flag:  "verbose",
+					Value: clibase.BoolOf(&verbose),
+				},
+				clibase.Option{
+					Name:  "prefix",
+					Flag:  "prefix",
+					Value: clibase.StringOf(&prefix),
+				},
+			},
+			Children: []*clibase.Cmd{
+				{
+					Use:   "toupper [word]",
+					Short: "Converts a word to upper case",
+					Middleware: clibase.Chain(
+						clibase.RequireNArgs(1),
+					),
+					Aliases: []string{"up"},
+					Options: clibase.OptionSet{
+						clibase.Option{
+							Name:  "lower",
+							Flag:  "lower",
+							Value: clibase.BoolOf(&lower),
+						},
+					},
+					Handler: (func(i *clibase.Invocation) error {
+						i.Stdout.Write([]byte(prefix))
+						w := i.Args[0]
+						if lower {
+							w = strings.ToLower(w)
+						} else {
+							w = strings.ToUpper(w)
+						}
+						_, _ = i.Stdout.Write(
+							[]byte(
+								w,
+							),
+						)
+						if verbose {
+							i.Stdout.Write([]byte("!!!"))
+						}
+						return nil
+					}),
+				},
+			},
+		}
+	}
+
+	t.Run("SimpleOK", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke("toupper", "hello")
+		io := fakeIO(i)
+		i.Run()
+		require.Equal(t, "HELLO", io.Stdout.String())
+	})
+
+	t.Run("Alias", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"up", "hello",
+		)
+		io := fakeIO(i)
+		i.Run()
+		require.Equal(t, "HELLO", io.Stdout.String())
+	})
+
+	t.Run("NoSubcommand", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"na",
+		)
+		io := fakeIO(i)
+		err := i.Run()
+		require.Empty(t, io.Stdout.String())
+		require.Error(t, err)
+	})
+
+	t.Run("BadArgs", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"toupper",
+		)
+		io := fakeIO(i)
+		err := i.Run()
+		require.Empty(t, io.Stdout.String())
+		require.Error(t, err)
+	})
+
+	t.Run("UnknownFlags", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"toupper", "--unknown",
+		)
+		io := fakeIO(i)
+		err := i.Run()
+		require.Empty(t, io.Stdout.String())
+		require.Error(t, err)
+	})
+
+	t.Run("Verbose", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"--verbose", "toupper", "hello",
+		)
+		io := fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t, "HELLO!!!", io.Stdout.String())
+	})
+
+	t.Run("Verbose=", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"--verbose=true", "toupper", "hello",
+		)
+		io := fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t, "HELLO!!!", io.Stdout.String())
+	})
+
+	t.Run("PrefixSpace", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"--prefix", "conv: ", "toupper", "hello",
+		)
+		io := fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t, "conv: HELLO", io.Stdout.String())
+	})
+
+	t.Run("GlobalFlagsAnywhere", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"toupper", "--prefix", "conv: ", "hello", "--verbose",
+		)
+		io := fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t, "conv: HELLO!!!", io.Stdout.String())
+	})
+
+	t.Run("LowerVerbose", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"toupper", "--verbose", "hello", "--lower",
+		)
+		io := fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t, "hello!!!", io.Stdout.String())
+	})
+
+	t.Run("ParsedFlags", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"toupper", "--verbose", "hello", "--lower",
+		)
+		_ = fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t,
+			"true",
+			i.ParsedFlags().Lookup("verbose").Value.String(),
+		)
+	})
+
+	t.Run("NoDeepChild", func(t *testing.T) {
+		t.Parallel()
+		i := cmd().Invoke(
+			"root", "level", "level", "toupper", "--verbose", "hello", "--lower",
+		)
+		fio := fakeIO(i)
+		require.Error(t, i.Run(), fio.Stdout.String())
+	})
+}
+
+func TestCommand_DeepNest(t *testing.T) {
+	t.Parallel()
+	cmd := &clibase.Cmd{
+		Use: "1",
+		Children: []*clibase.Cmd{
+			{
+				Use: "2",
+				Children: []*clibase.Cmd{
+					{
+						Use: "3",
+						Handler: func(i *clibase.Invocation) error {
+							i.Stdout.Write([]byte("3"))
+							return nil
+						},
+					},
+				},
+			},
+		},
+	}
+	inv := cmd.Invoke("2", "3")
+	stdio := fakeIO(inv)
+	err := inv.Run()
+	require.NoError(t, err)
+	require.Equal(t, "3", stdio.Stdout.String())
+}
+
+func TestCommand_FlagOverride(t *testing.T) {
+	t.Parallel()
+	var flag string
+
+	cmd := &clibase.Cmd{
+		Use: "1",
+		Options: clibase.OptionSet{
+			{
+				Name:  "flag",
+				Flag:  "f",
+				Value: clibase.DiscardValue,
+			},
+		},
+		Children: []*clibase.Cmd{
+			{
+				Use: "2",
+				Options: clibase.OptionSet{
+					{
+						Name:  "flag",
+						Flag:  "f",
+						Value: clibase.StringOf(&flag),
+					},
+				},
+				Handler: func(i *clibase.Invocation) error {
+					return nil
+				},
+			},
+		},
+	}
+
+	err := cmd.Invoke("2", "--f", "mhmm").Run()
+	require.NoError(t, err)
+
+	require.Equal(t, "mhmm", flag)
+}
+
+func TestCommand_MiddlewareOrder(t *testing.T) {
+	t.Parallel()
+
+	mw := func(letter string) clibase.MiddlewareFunc {
+		return func(next clibase.HandlerFunc) clibase.HandlerFunc {
+			return (func(i *clibase.Invocation) error {
+				_, _ = i.Stdout.Write([]byte(letter))
+				return next(i)
+			})
+		}
+	}
+
+	cmd := &clibase.Cmd{
+		Use:   "toupper [word]",
+		Short: "Converts a word to upper case",
+		Middleware: clibase.Chain(
+			mw("A"),
+			mw("B"),
+			mw("C"),
+		),
+		Handler: (func(i *clibase.Invocation) error {
+			return nil
+		}),
+	}
+
+	i := cmd.Invoke(
+		"hello", "world",
+	)
+	io := fakeIO(i)
+	require.NoError(t, i.Run())
+	require.Equal(t, "ABC", io.Stdout.String())
+}
+
+func TestCommand_RawArgs(t *testing.T) {
+	t.Parallel()
+
+	cmd := func() *clibase.Cmd {
+		return &clibase.Cmd{
+			Use: "root",
+			Options: clibase.OptionSet{
+				{
+					Name:  "password",
+					Flag:  "password",
+					Value: clibase.StringOf(new(string)),
+				},
+			},
+			Children: []*clibase.Cmd{
+				{
+					Use:     "sushi <args...>",
+					Short:   "Throws back raw output",
+					RawArgs: true,
+					Handler: (func(i *clibase.Invocation) error {
+						if v := i.ParsedFlags().Lookup("password").Value.String(); v != "codershack" {
+							return xerrors.Errorf("password %q is wrong!", v)
+						}
+						i.Stdout.Write([]byte(strings.Join(i.Args, " ")))
+						return nil
+					}),
+				},
+			},
+		}
+	}
+
+	t.Run("OK", func(t *testing.T) {
+		// Flag parsed before the raw arg command should still work.
+		t.Parallel()
+
+		i := cmd().Invoke(
+			"--password", "codershack", "sushi", "hello", "--verbose", "world",
+		)
+		io := fakeIO(i)
+		require.NoError(t, i.Run())
+		require.Equal(t, "hello --verbose world", io.Stdout.String())
+	})
+
+	t.Run("BadFlag", func(t *testing.T) {
+		// Verbose before the raw arg command should fail.
+		t.Parallel()
+
+		i := cmd().Invoke(
+			"--password", "codershack", "--verbose", "sushi", "hello", "world",
+		)
+		io := fakeIO(i)
+		require.Error(t, i.Run())
+		require.Empty(t, io.Stdout.String())
+	})
+
+	t.Run("NoPassword", func(t *testing.T) {
+		// Flag parsed before the raw arg command should still work.
+		t.Parallel()
+		i := cmd().Invoke(
+			"sushi", "hello", "--verbose", "world",
+		)
+		_ = fakeIO(i)
+		require.Error(t, i.Run())
+	})
+}
+
+func TestCommand_RootRaw(t *testing.T) {
+	t.Parallel()
+	cmd := &clibase.Cmd{
+		RawArgs: true,
+		Handler: func(i *clibase.Invocation) error {
+			i.Stdout.Write([]byte(strings.Join(i.Args, " ")))
+			return nil
+		},
+	}
+
+	inv := cmd.Invoke("hello", "--verbose", "--friendly")
+	stdio := fakeIO(inv)
+	err := inv.Run()
+	require.NoError(t, err)
+
+	require.Equal(t, "hello --verbose --friendly", stdio.Stdout.String())
+}
+
+func TestCommand_HyphenHyphen(t *testing.T) {
+	t.Parallel()
+	cmd := &clibase.Cmd{
+		Handler: (func(i *clibase.Invocation) error {
+			i.Stdout.Write([]byte(strings.Join(i.Args, " ")))
+			return nil
+		}),
+	}
+
+	inv := cmd.Invoke("--", "--verbose", "--friendly")
+	stdio := fakeIO(inv)
+	err := inv.Run()
+	require.NoError(t, err)
+
+	require.Equal(t, "--verbose --friendly", stdio.Stdout.String())
+}
+
+func TestCommand_ContextCancels(t *testing.T) {
+	t.Parallel()
+
+	var gotCtx context.Context
+
+	cmd := &clibase.Cmd{
+		Handler: (func(i *clibase.Invocation) error {
+			gotCtx = i.Context()
+			if err := gotCtx.Err(); err != nil {
+				return xerrors.Errorf("unexpected context error: %w", i.Context().Err())
+			}
+			return nil
+		}),
+	}
+
+	err := cmd.Invoke().Run()
+	require.NoError(t, err)
+
+	require.Error(t, gotCtx.Err())
+}
+
+func TestCommand_Help(t *testing.T) {
+	t.Parallel()
+
+	cmd := func() *clibase.Cmd {
+		return &clibase.Cmd{
+			Use: "root",
+			HelpHandler: (func(i *clibase.Invocation) error {
+				i.Stdout.Write([]byte("abdracadabra"))
+				return nil
+			}),
+			Handler: (func(i *clibase.Invocation) error {
+				return xerrors.New("should not be called")
+			}),
+		}
+	}
+
+	t.Run("NoHandler", func(t *testing.T) {
+		t.Parallel()
+
+		c := cmd()
+		c.HelpHandler = nil
+		err := c.Invoke("--help").Run()
+		require.Error(t, err)
+	})
+
+	t.Run("Long", func(t *testing.T) {
+		t.Parallel()
+
+		inv := cmd().Invoke("--help")
+		stdio := fakeIO(inv)
+		err := inv.Run()
+		require.NoError(t, err)
+
+		require.Contains(t, stdio.Stdout.String(), "abdracadabra")
+	})
+
+	t.Run("Short", func(t *testing.T) {
+		t.Parallel()
+
+		inv := cmd().Invoke("-h")
+		stdio := fakeIO(inv)
+		err := inv.Run()
+		require.NoError(t, err)
+
+		require.Contains(t, stdio.Stdout.String(), "abdracadabra")
+	})
+}
+
+func TestCommand_SliceFlags(t *testing.T) {
+	t.Parallel()
+
+	cmd := func(want ...string) *clibase.Cmd {
+		var got []string
+		return &clibase.Cmd{
+			Use: "root",
+			Options: clibase.OptionSet{
+				{
+					Name:    "arr",
+					Flag:    "arr",
+					Default: "bad,bad,bad",
+					Value:   clibase.StringArrayOf(&got),
+				},
+			},
+			Handler: (func(i *clibase.Invocation) error {
+				require.Equal(t, want, got)
+				return nil
+			}),
+		}
+	}
+
+	err := cmd("good", "good", "good").Invoke("--arr", "good", "--arr", "good", "--arr", "good").Run()
+	require.NoError(t, err)
+
+	err = cmd("bad", "bad", "bad").Invoke().Run()
+	require.NoError(t, err)
+}
+
+func TestCommand_EmptySlice(t *testing.T) {
+	t.Parallel()
+
+	cmd := func(want ...string) *clibase.Cmd {
+		var got []string
+		return &clibase.Cmd{
+			Use: "root",
+			Options: clibase.OptionSet{
+				{
+					Name:    "arr",
+					Flag:    "arr",
+					Default: "def,def,def",
+					Env:     "ARR",
+					Value:   clibase.StringArrayOf(&got),
+				},
+			},
+			Handler: (func(i *clibase.Invocation) error {
+				require.Equal(t, want, got)
+				return nil
+			}),
+		}
+	}
+
+	// Base-case, uses default.
+	err := cmd("def", "def", "def").Invoke().Run()
+	require.NoError(t, err)
+
+	// Empty-env uses default, too.
+	inv := cmd("def", "def", "def").Invoke()
+	inv.Environ.Set("ARR", "")
+	require.NoError(t, err)
+
+	// Reset to nothing at all via flag.
+	inv = cmd().Invoke("--arr", "")
+	inv.Environ.Set("ARR", "cant see")
+	err = inv.Run()
+	require.NoError(t, err)
+
+	// Reset to a specific value with flag.
+	inv = cmd("great").Invoke("--arr", "great")
+	inv.Environ.Set("ARR", "")
+	err = inv.Run()
+	require.NoError(t, err)
+}
+
+func TestCommand_DefaultsOverride(t *testing.T) {
+	t.Parallel()
+
+	test := func(name string, want string, fn func(t *testing.T, inv *clibase.Invocation)) {
+		t.Run(name, func(t *testing.T) {
+			t.Parallel()
+
+			var (
+				got    string
+				config clibase.YAMLConfigPath
+			)
+			cmd := &clibase.Cmd{
+				Options: clibase.OptionSet{
+					{
+						Name:    "url",
+						Flag:    "url",
+						Default: "def.com",
+						Env:     "URL",
+						Value:   clibase.StringOf(&got),
+						YAML:    "url",
+					},
+					{
+						Name:    "config",
+						Flag:    "config",
+						Default: "",
+						Value:   &config,
+					},
+				},
+				Handler: (func(i *clibase.Invocation) error {
+					_, _ = fmt.Fprintf(i.Stdout, "%s", got)
+					return nil
+				}),
+			}
+
+			inv := cmd.Invoke()
+			stdio := fakeIO(inv)
+			fn(t, inv)
+			err := inv.Run()
+			require.NoError(t, err)
+			require.Equal(t, want, stdio.Stdout.String())
+		})
+	}
+
+	test("DefaultOverNothing", "def.com", func(t *testing.T, inv *clibase.Invocation) {})
+
+	test("FlagOverDefault", "good.com", func(t *testing.T, inv *clibase.Invocation) {
+		inv.Args = []string{"--url", "good.com"}
+	})
+
+	test("EnvOverDefault", "good.com", func(t *testing.T, inv *clibase.Invocation) {
+		inv.Environ.Set("URL", "good.com")
+	})
+
+	test("FlagOverEnv", "good.com", func(t *testing.T, inv *clibase.Invocation) {
+		inv.Environ.Set("URL", "bad.com")
+		inv.Args = []string{"--url", "good.com"}
+	})
+
+	test("FlagOverYAML", "good.com", func(t *testing.T, inv *clibase.Invocation) {
+		fi, err := os.CreateTemp(t.TempDir(), "config.yaml")
+		require.NoError(t, err)
+		defer fi.Close()
+
+		_, err = fi.WriteString("url: bad.com")
+		require.NoError(t, err)
+
+		inv.Args = []string{"--config", fi.Name(), "--url", "good.com"}
+	})
+
+	test("YAMLOverDefault", "good.com", func(t *testing.T, inv *clibase.Invocation) {
+		fi, err := os.CreateTemp(t.TempDir(), "config.yaml")
+		require.NoError(t, err)
+		defer fi.Close()
+
+		_, err = fi.WriteString("url: good.com")
+		require.NoError(t, err)
+
+		inv.Args = []string{"--config", fi.Name()}
+	})
+}
@@ -0,0 +1,76 @@
+package clibase
+
+import "strings"
+
+// name returns the name of the environment variable.
+func envName(line string) string {
+	return strings.ToUpper(
+		strings.SplitN(line, "=", 2)[0],
+	)
+}
+
+// value returns the value of the environment variable.
+func envValue(line string) string {
+	tokens := strings.SplitN(line, "=", 2)
+	if len(tokens) < 2 {
+		return ""
+	}
+	return tokens[1]
+}
+
+// Var represents a single environment variable of form
+// NAME=VALUE.
+type EnvVar struct {
+	Name  string
+	Value string
+}
+
+type Environ []EnvVar
+
+func (e Environ) ToOS() []string {
+	var env []string
+	for _, v := range e {
+		env = append(env, v.Name+"="+v.Value)
+	}
+	return env
+}
+
+func (e Environ) Lookup(name string) (string, bool) {
+	for _, v := range e {
+		if v.Name == name {
+			return v.Value, true
+		}
+	}
+	return "", false
+}
+
+func (e Environ) Get(name string) string {
+	v, _ := e.Lookup(name)
+	return v
+}
+
+func (e *Environ) Set(name, value string) {
+	for i, v := range *e {
+		if v.Name == name {
+			(*e)[i].Value = value
+			return
+		}
+	}
+	*e = append(*e, EnvVar{Name: name, Value: value})
+}
+
+// ParseEnviron returns all environment variables starting with
+// prefix without said prefix.
+func ParseEnviron(environ []string, prefix string) Environ {
+	var filtered []EnvVar
+	for _, line := range environ {
+		name := envName(line)
+		if strings.HasPrefix(name, prefix) {
+			filtered = append(filtered, EnvVar{
+				Name:  strings.TrimPrefix(name, prefix),
+				Value: envValue(line),
+			})
+		}
+	}
+	return filtered
+}
@@ -0,0 +1,44 @@
+package clibase_test
+
+import (
+	"reflect"
+	"testing"
+
+	"github.com/coder/coder/cli/clibase"
+)
+
+func TestFilterNamePrefix(t *testing.T) {
+	t.Parallel()
+	type args struct {
+		environ []string
+		prefix  string
+	}
+	tests := []struct {
+		name string
+		args args
+		want clibase.Environ
+	}{
+		{"empty", args{[]string{}, "SHIRE"}, nil},
+		{
+			"ONE",
+			args{
+				[]string{
+					"SHIRE_BRANDYBUCK=hmm",
+				},
+				"SHIRE_",
+			},
+			[]clibase.EnvVar{
+				{Name: "BRANDYBUCK", Value: "hmm"},
+			},
+		},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			if got := clibase.ParseEnviron(tt.args.environ, tt.args.prefix); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("FilterNamePrefix() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
@@ -0,0 +1,231 @@
+package clibase
+
+import (
+	"os"
+	"strings"
+
+	"github.com/hashicorp/go-multierror"
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+)
+
+type ValueSource string
+
+const (
+	ValueSourceNone    ValueSource = ""
+	ValueSourceFlag    ValueSource = "flag"
+	ValueSourceEnv     ValueSource = "env"
+	ValueSourceYAML    ValueSource = "yaml"
+	ValueSourceDefault ValueSource = "default"
+)
+
+// Option is a configuration option for a CLI application.
+type Option struct {
+	Name        string `json:"name,omitempty"`
+	Description string `json:"description,omitempty"`
+
+	// Flag is the long name of the flag used to configure this option. If unset,
+	// flag configuring is disabled.
+	Flag string `json:"flag,omitempty"`
+	// FlagShorthand is the one-character shorthand for the flag. If unset, no
+	// shorthand is used.
+	FlagShorthand string `json:"flag_shorthand,omitempty"`
+
+	// Env is the environment variable used to configure this option. If unset,
+	// environment configuring is disabled.
+	Env string `json:"env,omitempty"`
+
+	// YAML is the YAML key used to configure this option. If unset, YAML
+	// configuring is disabled.
+	YAML string `json:"yaml,omitempty"`
+
+	// Default is parsed into Value if set.
+	Default string `json:"default,omitempty"`
+	// Value includes the types listed in values.go.
+	Value pflag.Value `json:"value,omitempty"`
+
+	// Annotations enable extensions to clibase higher up in the stack. It's useful for
+	// help formatting and documentation generation.
+	Annotations Annotations `json:"annotations,omitempty"`
+
+	// Group is a group hierarchy that helps organize this option in help, configs
+	// and other documentation.
+	Group *Group `json:"group,omitempty"`
+
+	// UseInstead is a list of options that should be used instead of this one.
+	// The field is used to generate a deprecation warning.
+	UseInstead []Option `json:"use_instead,omitempty"`
+
+	Hidden bool `json:"hidden,omitempty"`
+
+	ValueSource ValueSource `json:"value_source,omitempty"`
+}
+
+func (o Option) YAMLPath() string {
+	if o.YAML == "" {
+		return ""
+	}
+	var gs []string
+	for _, g := range o.Group.Ancestry() {
+		gs = append(gs, g.YAML)
+	}
+	return strings.Join(append(gs, o.YAML), ".")
+}
+
+// OptionSet is a group of options that can be applied to a command.
+type OptionSet []Option
+
+// Add adds the given Options to the OptionSet.
+func (s *OptionSet) Add(opts ...Option) {
+	*s = append(*s, opts...)
+}
+
+// Filter will only return options that match the given filter. (return true)
+func (s OptionSet) Filter(filter func(opt Option) bool) OptionSet {
+	cpy := make(OptionSet, 0)
+	for _, opt := range s {
+		if filter(opt) {
+			cpy = append(cpy, opt)
+		}
+	}
+	return cpy
+}
+
+// FlagSet returns a pflag.FlagSet for the OptionSet.
+func (s *OptionSet) FlagSet() *pflag.FlagSet {
+	if s == nil {
+		return &pflag.FlagSet{}
+	}
+
+	fs := pflag.NewFlagSet("", pflag.ContinueOnError)
+	for _, opt := range *s {
+		if opt.Flag == "" {
+			continue
+		}
+		var noOptDefValue string
+		{
+			no, ok := opt.Value.(NoOptDefValuer)
+			if ok {
+				noOptDefValue = no.NoOptDefValue()
+			}
+		}
+
+		val := opt.Value
+		if val == nil {
+			val = DiscardValue
+		}
+
+		fs.AddFlag(&pflag.Flag{
+			Name:        opt.Flag,
+			Shorthand:   opt.FlagShorthand,
+			Usage:       opt.Description,
+			Value:       val,
+			DefValue:    "",
+			Changed:     false,
+			Deprecated:  "",
+			NoOptDefVal: noOptDefValue,
+			Hidden:      opt.Hidden,
+		})
+	}
+	fs.Usage = func() {
+		_, _ = os.Stderr.WriteString("Override (*FlagSet).Usage() to print help text.\n")
+	}
+	return fs
+}
+
+// ParseEnv parses the given environment variables into the OptionSet.
+// Use EnvsWithPrefix to filter out prefixes.
+func (s *OptionSet) ParseEnv(vs []EnvVar) error {
+	if s == nil {
+		return nil
+	}
+
+	var merr *multierror.Error
+
+	// We parse environment variables first instead of using a nested loop to
+	// avoid N*M complexity when there are a lot of options and environment
+	// variables.
+	envs := make(map[string]string)
+	for _, v := range vs {
+		envs[v.Name] = v.Value
+	}
+
+	for i, opt := range *s {
+		if opt.Env == "" {
+			continue
+		}
+
+		envVal, ok := envs[opt.Env]
+		// Currently, empty values are treated as if the environment variable is
+		// unset. This behavior is technically not correct as there is now no
+		// way for a user to change a Default value to an empty string from
+		// the environment. Unfortunately, we have old configuration files
+		// that rely on the faulty behavior.
+		//
+		// TODO: We should remove this hack in May 2023, when deployments
+		// have had months to migrate to the new behavior.
+		if !ok || envVal == "" {
+			continue
+		}
+
+		(*s)[i].ValueSource = ValueSourceEnv
+		if err := opt.Value.Set(envVal); err != nil {
+			merr = multierror.Append(
+				merr, xerrors.Errorf("parse %q: %w", opt.Name, err),
+			)
+		}
+	}
+
+	return merr.ErrorOrNil()
+}
+
+// SetDefaults sets the default values for each Option, skipping values
+// that already have a value source.
+func (s *OptionSet) SetDefaults() error {
+	if s == nil {
+		return nil
+	}
+
+	var merr *multierror.Error
+
+	for i, opt := range *s {
+		// Skip values that may have already been set by the user.
+		if opt.ValueSource != ValueSourceNone {
+			continue
+		}
+
+		if opt.Default == "" {
+			continue
+		}
+
+		if opt.Value == nil {
+			merr = multierror.Append(
+				merr,
+				xerrors.Errorf(
+					"parse %q: no Value field set\nFull opt: %+v",
+					opt.Name, opt,
+				),
+			)
+			continue
+		}
+		(*s)[i].ValueSource = ValueSourceDefault
+		if err := opt.Value.Set(opt.Default); err != nil {
+			merr = multierror.Append(
+				merr, xerrors.Errorf("parse %q: %w", opt.Name, err),
+			)
+		}
+	}
+	return merr.ErrorOrNil()
+}
+
+// ByName returns the Option with the given name, or nil if no such option
+// exists.
+func (s *OptionSet) ByName(name string) *Option {
+	for i := range *s {
+		opt := &(*s)[i]
+		if opt.Name == name {
+			return opt
+		}
+	}
+	return nil
+}
@@ -0,0 +1,169 @@
+package clibase_test
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clibase"
+)
+
+func TestOptionSet_ParseFlags(t *testing.T) {
+	t.Parallel()
+
+	t.Run("SimpleString", func(t *testing.T) {
+		t.Parallel()
+
+		var workspaceName clibase.String
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:          "Workspace Name",
+				Value:         &workspaceName,
+				Flag:          "workspace-name",
+				FlagShorthand: "n",
+			},
+		}
+
+		var err error
+		err = os.FlagSet().Parse([]string{"--workspace-name", "foo"})
+		require.NoError(t, err)
+		require.EqualValues(t, "foo", workspaceName)
+
+		err = os.FlagSet().Parse([]string{"-n", "f"})
+		require.NoError(t, err)
+		require.EqualValues(t, "f", workspaceName)
+	})
+
+	t.Run("StringArray", func(t *testing.T) {
+		t.Parallel()
+
+		var names clibase.StringArray
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:          "name",
+				Value:         &names,
+				Flag:          "name",
+				FlagShorthand: "n",
+			},
+		}
+
+		err := os.SetDefaults()
+		require.NoError(t, err)
+
+		err = os.FlagSet().Parse([]string{"--name", "foo", "--name", "bar"})
+		require.NoError(t, err)
+		require.EqualValues(t, []string{"foo", "bar"}, names)
+	})
+
+	t.Run("ExtraFlags", func(t *testing.T) {
+		t.Parallel()
+
+		var workspaceName clibase.String
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:  "Workspace Name",
+				Value: &workspaceName,
+			},
+		}
+
+		err := os.FlagSet().Parse([]string{"--some-unknown", "foo"})
+		require.Error(t, err)
+	})
+}
+
+func TestOptionSet_ParseEnv(t *testing.T) {
+	t.Parallel()
+
+	t.Run("SimpleString", func(t *testing.T) {
+		t.Parallel()
+
+		var workspaceName clibase.String
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:  "Workspace Name",
+				Value: &workspaceName,
+				Env:   "WORKSPACE_NAME",
+			},
+		}
+
+		err := os.ParseEnv([]clibase.EnvVar{
+			{Name: "WORKSPACE_NAME", Value: "foo"},
+		})
+		require.NoError(t, err)
+		require.EqualValues(t, "foo", workspaceName)
+	})
+
+	t.Run("EmptyValue", func(t *testing.T) {
+		t.Parallel()
+
+		var workspaceName clibase.String
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:    "Workspace Name",
+				Value:   &workspaceName,
+				Default: "defname",
+				Env:     "WORKSPACE_NAME",
+			},
+		}
+
+		err := os.SetDefaults()
+		require.NoError(t, err)
+
+		err = os.ParseEnv(clibase.ParseEnviron([]string{"CODER_WORKSPACE_NAME="}, "CODER_"))
+		require.NoError(t, err)
+		require.EqualValues(t, "defname", workspaceName)
+	})
+
+	t.Run("StringSlice", func(t *testing.T) {
+		t.Parallel()
+
+		var actual clibase.StringArray
+		expected := []string{"foo", "bar", "baz"}
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:  "name",
+				Value: &actual,
+				Env:   "NAMES",
+			},
+		}
+
+		err := os.SetDefaults()
+		require.NoError(t, err)
+
+		err = os.ParseEnv([]clibase.EnvVar{
+			{Name: "NAMES", Value: "foo,bar,baz"},
+		})
+		require.NoError(t, err)
+		require.EqualValues(t, expected, actual)
+	})
+
+	t.Run("StructMapStringString", func(t *testing.T) {
+		t.Parallel()
+
+		var actual clibase.Struct[map[string]string]
+		expected := map[string]string{"foo": "bar", "baz": "zap"}
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:  "labels",
+				Value: &actual,
+				Env:   "LABELS",
+			},
+		}
+
+		err := os.SetDefaults()
+		require.NoError(t, err)
+
+		err = os.ParseEnv([]clibase.EnvVar{
+			{Name: "LABELS", Value: `{"foo":"bar","baz":"zap"}`},
+		})
+		require.NoError(t, err)
+		require.EqualValues(t, expected, actual.Value)
+	})
+}
@@ -0,0 +1,444 @@
+package clibase
+
+import (
+	"encoding/csv"
+	"encoding/json"
+	"fmt"
+	"net"
+	"net/url"
+	"reflect"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/spf13/pflag"
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+)
+
+// NoOptDefValuer describes behavior when no
+// option is passed into the flag.
+//
+// This is useful for boolean or otherwise binary flags.
+type NoOptDefValuer interface {
+	NoOptDefValue() string
+}
+
+// values.go contains a standard set of value types that can be used as
+// Option Values.
+
+type Int64 int64
+
+func Int64Of(i *int64) *Int64 {
+	return (*Int64)(i)
+}
+
+func (i *Int64) Set(s string) error {
+	ii, err := strconv.ParseInt(s, 10, 64)
+	*i = Int64(ii)
+	return err
+}
+
+func (i Int64) Value() int64 {
+	return int64(i)
+}
+
+func (i Int64) String() string {
+	return strconv.Itoa(int(i))
+}
+
+func (Int64) Type() string {
+	return "int"
+}
+
+type Bool bool
+
+func BoolOf(b *bool) *Bool {
+	return (*Bool)(b)
+}
+
+func (b *Bool) Set(s string) error {
+	if s == "" {
+		*b = Bool(false)
+		return nil
+	}
+	bb, err := strconv.ParseBool(s)
+	*b = Bool(bb)
+	return err
+}
+
+func (*Bool) NoOptDefValue() string {
+	return "true"
+}
+
+func (b Bool) String() string {
+	return strconv.FormatBool(bool(b))
+}
+
+func (b Bool) Value() bool {
+	return bool(b)
+}
+
+func (Bool) Type() string {
+	return "bool"
+}
+
+type String string
+
+func StringOf(s *string) *String {
+	return (*String)(s)
+}
+
+func (*String) NoOptDefValue() string {
+	return ""
+}
+
+func (s *String) Set(v string) error {
+	*s = String(v)
+	return nil
+}
+
+func (s String) String() string {
+	return string(s)
+}
+
+func (s String) Value() string {
+	return string(s)
+}
+
+func (String) Type() string {
+	return "string"
+}
+
+var _ pflag.SliceValue = &StringArray{}
+
+// StringArray is a slice of strings that implements pflag.Value and pflag.SliceValue.
+type StringArray []string
+
+func StringArrayOf(ss *[]string) *StringArray {
+	return (*StringArray)(ss)
+}
+
+func (s *StringArray) Append(v string) error {
+	*s = append(*s, v)
+	return nil
+}
+
+func (s *StringArray) Replace(vals []string) error {
+	*s = vals
+	return nil
+}
+
+func (s *StringArray) GetSlice() []string {
+	return *s
+}
+
+func readAsCSV(v string) ([]string, error) {
+	return csv.NewReader(strings.NewReader(v)).Read()
+}
+
+func writeAsCSV(vals []string) string {
+	var sb strings.Builder
+	err := csv.NewWriter(&sb).Write(vals)
+	if err != nil {
+		return fmt.Sprintf("error: %s", err)
+	}
+	return sb.String()
+}
+
+func (s *StringArray) Set(v string) error {
+	if v == "" {
+		*s = nil
+		return nil
+	}
+	ss, err := readAsCSV(v)
+	if err != nil {
+		return err
+	}
+	*s = append(*s, ss...)
+	return nil
+}
+
+func (s StringArray) String() string {
+	return writeAsCSV([]string(s))
+}
+
+func (s StringArray) Value() []string {
+	return []string(s)
+}
+
+func (StringArray) Type() string {
+	return "string-array"
+}
+
+type Duration time.Duration
+
+func DurationOf(d *time.Duration) *Duration {
+	return (*Duration)(d)
+}
+
+func (d *Duration) Set(v string) error {
+	dd, err := time.ParseDuration(v)
+	*d = Duration(dd)
+	return err
+}
+
+func (d *Duration) Value() time.Duration {
+	return time.Duration(*d)
+}
+
+func (d *Duration) String() string {
+	return time.Duration(*d).String()
+}
+
+func (Duration) Type() string {
+	return "duration"
+}
+
+func (d *Duration) MarshalYAML() (interface{}, error) {
+	return yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Value: d.String(),
+	}, nil
+}
+
+func (d *Duration) UnmarshalYAML(n *yaml.Node) error {
+	return d.Set(n.Value)
+}
+
+type URL url.URL
+
+func URLOf(u *url.URL) *URL {
+	return (*URL)(u)
+}
+
+func (u *URL) Set(v string) error {
+	uu, err := url.Parse(v)
+	if err != nil {
+		return err
+	}
+	*u = URL(*uu)
+	return nil
+}
+
+func (u *URL) String() string {
+	uu := url.URL(*u)
+	return uu.String()
+}
+
+func (u *URL) MarshalYAML() (interface{}, error) {
+	return yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Value: u.String(),
+	}, nil
+}
+
+func (u *URL) UnmarshalYAML(n *yaml.Node) error {
+	return u.Set(n.Value)
+}
+
+func (u *URL) MarshalJSON() ([]byte, error) {
+	return json.Marshal(u.String())
+}
+
+func (u *URL) UnmarshalJSON(b []byte) error {
+	var s string
+	err := json.Unmarshal(b, &s)
+	if err != nil {
+		return err
+	}
+	return u.Set(s)
+}
+
+func (*URL) Type() string {
+	return "url"
+}
+
+func (u *URL) Value() *url.URL {
+	return (*url.URL)(u)
+}
+
+// HostPort is a host:port pair.
+type HostPort struct {
+	Host string
+	Port string
+}
+
+func (hp *HostPort) Set(v string) error {
+	if v == "" {
+		return xerrors.Errorf("must not be empty")
+	}
+	var err error
+	hp.Host, hp.Port, err = net.SplitHostPort(v)
+	return err
+}
+
+func (hp *HostPort) String() string {
+	if hp.Host == "" && hp.Port == "" {
+		return ""
+	}
+	// Warning: net.JoinHostPort must be used over concatenation to support
+	// IPv6 addresses.
+	return net.JoinHostPort(hp.Host, hp.Port)
+}
+
+func (hp *HostPort) MarshalJSON() ([]byte, error) {
+	return json.Marshal(hp.String())
+}
+
+func (hp *HostPort) UnmarshalJSON(b []byte) error {
+	var s string
+	err := json.Unmarshal(b, &s)
+	if err != nil {
+		return err
+	}
+	if s == "" {
+		hp.Host = ""
+		hp.Port = ""
+		return nil
+	}
+	return hp.Set(s)
+}
+
+func (hp *HostPort) MarshalYAML() (interface{}, error) {
+	return yaml.Node{
+		Kind:  yaml.ScalarNode,
+		Value: hp.String(),
+	}, nil
+}
+
+func (hp *HostPort) UnmarshalYAML(n *yaml.Node) error {
+	return hp.Set(n.Value)
+}
+
+func (*HostPort) Type() string {
+	return "host:port"
+}
+
+var (
+	_ yaml.Marshaler   = new(Struct[struct{}])
+	_ yaml.Unmarshaler = new(Struct[struct{}])
+)
+
+// Struct is a special value type that encodes an arbitrary struct.
+// It implements the flag.Value interface, but in general these values should
+// only be accepted via config for ergonomics.
+//
+// The string encoding type is YAML.
+type Struct[T any] struct {
+	Value T
+}
+
+func (s *Struct[T]) Set(v string) error {
+	return yaml.Unmarshal([]byte(v), &s.Value)
+}
+
+func (s *Struct[T]) String() string {
+	byt, err := yaml.Marshal(s.Value)
+	if err != nil {
+		return "decode failed: " + err.Error()
+	}
+	return string(byt)
+}
+
+func (s *Struct[T]) MarshalYAML() (interface{}, error) {
+	var n yaml.Node
+	err := n.Encode(s.Value)
+	if err != nil {
+		return nil, err
+	}
+	return n, nil
+}
+
+func (s *Struct[T]) UnmarshalYAML(n *yaml.Node) error {
+	// HACK: for compatibility with flags, we use nil slices instead of empty
+	// slices. In most cases, nil slices and empty slices are treated
+	// the same, so this behavior may be removed at some point.
+	if typ := reflect.TypeOf(s.Value); typ.Kind() == reflect.Slice && len(n.Content) == 0 {
+		reflect.ValueOf(&s.Value).Elem().Set(reflect.Zero(typ))
+		return nil
+	}
+	return n.Decode(&s.Value)
+}
+
+func (s *Struct[T]) Type() string {
+	return fmt.Sprintf("struct[%T]", s.Value)
+}
+
+func (s *Struct[T]) MarshalJSON() ([]byte, error) {
+	return json.Marshal(s.Value)
+}
+
+func (s *Struct[T]) UnmarshalJSON(b []byte) error {
+	return json.Unmarshal(b, &s.Value)
+}
+
+// DiscardValue does nothing but implements the pflag.Value interface.
+// It's useful in cases where you want to accept an option, but access the
+// underlying value directly instead of through the Option methods.
+var DiscardValue discardValue
+
+type discardValue struct{}
+
+func (discardValue) Set(string) error {
+	return nil
+}
+
+func (discardValue) String() string {
+	return ""
+}
+
+func (discardValue) Type() string {
+	return "discard"
+}
+
+var _ pflag.Value = (*Enum)(nil)
+
+type Enum struct {
+	Choices []string
+	Value   *string
+}
+
+func EnumOf(v *string, choices ...string) *Enum {
+	return &Enum{
+		Choices: choices,
+		Value:   v,
+	}
+}
+
+func (e *Enum) Set(v string) error {
+	for _, c := range e.Choices {
+		if v == c {
+			*e.Value = v
+			return nil
+		}
+	}
+	return xerrors.Errorf("invalid choice: %s, should be one of %v", v, e.Choices)
+}
+
+func (e *Enum) Type() string {
+	return fmt.Sprintf("enum[%v]", strings.Join(e.Choices, "|"))
+}
+
+func (e *Enum) String() string {
+	return *e.Value
+}
+
+var _ pflag.Value = (*YAMLConfigPath)(nil)
+
+// YAMLConfigPath is a special value type that encodes a path to a YAML
+// configuration file where options are read from.
+type YAMLConfigPath string
+
+func (p *YAMLConfigPath) Set(v string) error {
+	*p = YAMLConfigPath(v)
+	return nil
+}
+
+func (p *YAMLConfigPath) String() string {
+	return string(*p)
+}
+
+func (*YAMLConfigPath) Type() string {
+	return "yaml-config-path"
+}
@@ -0,0 +1,295 @@
+package clibase
+
+import (
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/mitchellh/go-wordwrap"
+	"golang.org/x/xerrors"
+	"gopkg.in/yaml.v3"
+)
+
+var (
+	_ yaml.Marshaler   = new(OptionSet)
+	_ yaml.Unmarshaler = new(OptionSet)
+)
+
+// deepMapNode returns the mapping node at the given path,
+// creating it if it doesn't exist.
+func deepMapNode(n *yaml.Node, path []string, headComment string) *yaml.Node {
+	if len(path) == 0 {
+		return n
+	}
+
+	// Name is every two nodes.
+	for i := 0; i < len(n.Content)-1; i += 2 {
+		if n.Content[i].Value == path[0] {
+			// Found matching name, recurse.
+			return deepMapNode(n.Content[i+1], path[1:], headComment)
+		}
+	}
+
+	// Not found, create it.
+	nameNode := yaml.Node{
+		Kind:        yaml.ScalarNode,
+		Value:       path[0],
+		HeadComment: headComment,
+	}
+	valueNode := yaml.Node{
+		Kind: yaml.MappingNode,
+	}
+	n.Content = append(n.Content, &nameNode)
+	n.Content = append(n.Content, &valueNode)
+	return deepMapNode(&valueNode, path[1:], headComment)
+}
+
+// MarshalYAML converts the option set to a YAML node, that can be
+// converted into bytes via yaml.Marshal.
+//
+// The node is returned to enable post-processing higher up in
+// the stack.
+//
+// It is isomorphic with FromYAML.
+func (s *OptionSet) MarshalYAML() (any, error) {
+	root := yaml.Node{
+		Kind: yaml.MappingNode,
+	}
+
+	for _, opt := range *s {
+		if opt.YAML == "" {
+			continue
+		}
+
+		defValue := opt.Default
+		if defValue == "" {
+			defValue = "<unset>"
+		}
+		comment := wordwrap.WrapString(
+			fmt.Sprintf("%s\n(default: %s, type: %s)", opt.Description, defValue, opt.Value.Type()),
+			80,
+		)
+		nameNode := yaml.Node{
+			Kind:        yaml.ScalarNode,
+			Value:       opt.YAML,
+			HeadComment: comment,
+		}
+		var valueNode yaml.Node
+		if opt.Value == nil {
+			valueNode = yaml.Node{
+				Kind:  yaml.ScalarNode,
+				Value: "null",
+			}
+		} else if m, ok := opt.Value.(yaml.Marshaler); ok {
+			v, err := m.MarshalYAML()
+			if err != nil {
+				return nil, xerrors.Errorf(
+					"marshal %q: %w", opt.Name, err,
+				)
+			}
+			valueNode, ok = v.(yaml.Node)
+			if !ok {
+				return nil, xerrors.Errorf(
+					"marshal %q: unexpected underlying type %T",
+					opt.Name, v,
+				)
+			}
+		} else {
+			// The all-other types case.
+			//
+			// A bit of a hack, we marshal and then unmarshal to get
+			// the underlying node.
+			byt, err := yaml.Marshal(opt.Value)
+			if err != nil {
+				return nil, xerrors.Errorf(
+					"marshal %q: %w", opt.Name, err,
+				)
+			}
+
+			var docNode yaml.Node
+			err = yaml.Unmarshal(byt, &docNode)
+			if err != nil {
+				return nil, xerrors.Errorf(
+					"unmarshal %q: %w", opt.Name, err,
+				)
+			}
+			if len(docNode.Content) != 1 {
+				return nil, xerrors.Errorf(
+					"unmarshal %q: expected one node, got %d",
+					opt.Name, len(docNode.Content),
+				)
+			}
+
+			valueNode = *docNode.Content[0]
+		}
+		var group []string
+		for _, g := range opt.Group.Ancestry() {
+			if g.YAML == "" {
+				return nil, xerrors.Errorf(
+					"group yaml name is empty for %q, groups: %+v",
+					opt.Name,
+					opt.Group,
+				)
+			}
+			group = append(group, g.YAML)
+		}
+		var groupDesc string
+		if opt.Group != nil {
+			groupDesc = wordwrap.WrapString(opt.Group.Description, 80)
+		}
+		parentValueNode := deepMapNode(
+			&root, group,
+			groupDesc,
+		)
+		parentValueNode.Content = append(
+			parentValueNode.Content,
+			&nameNode,
+			&valueNode,
+		)
+	}
+	return &root, nil
+}
+
+// mapYAMLNodes converts parent into a map with keys of form "group.subgroup.option"
+// and values as the corresponding YAML nodes.
+func mapYAMLNodes(parent *yaml.Node) (map[string]*yaml.Node, error) {
+	if parent.Kind != yaml.MappingNode {
+		return nil, xerrors.Errorf("expected mapping node, got type %v", parent.Kind)
+	}
+	if len(parent.Content)%2 != 0 {
+		return nil, xerrors.Errorf("expected an even number of k/v pairs, got %d", len(parent.Content))
+	}
+	var (
+		key  string
+		m    = make(map[string]*yaml.Node, len(parent.Content)/2)
+		merr error
+	)
+	for i, child := range parent.Content {
+		if i%2 == 0 {
+			if child.Kind != yaml.ScalarNode {
+				// We immediately because the rest of the code is bound to fail
+				// if we don't know to expect a key or a value.
+				return nil, xerrors.Errorf("expected scalar node for key, got type %v", child.Kind)
+			}
+			key = child.Value
+			continue
+		}
+
+		// We don't know if this is a grouped simple option or complex option,
+		// so we store both "key" and "group.key". Since we're storing pointers,
+		// the additional memory is of little concern.
+		m[key] = child
+		if child.Kind != yaml.MappingNode {
+			continue
+		}
+
+		sub, err := mapYAMLNodes(child)
+		if err != nil {
+			merr = errors.Join(merr, xerrors.Errorf("mapping node %q: %w", key, err))
+			continue
+		}
+		for k, v := range sub {
+			m[key+"."+k] = v
+		}
+	}
+
+	return m, nil
+}
+
+func (o *Option) setFromYAMLNode(n *yaml.Node) error {
+	o.ValueSource = ValueSourceYAML
+	if um, ok := o.Value.(yaml.Unmarshaler); ok {
+		return um.UnmarshalYAML(n)
+	}
+
+	switch n.Kind {
+	case yaml.ScalarNode:
+		return o.Value.Set(n.Value)
+	case yaml.SequenceNode:
+		// We treat empty values as nil for consistency with other option
+		// mechanisms.
+		if len(n.Content) == 0 {
+			o.Value = nil
+			return nil
+		}
+		return n.Decode(o.Value)
+	case yaml.MappingNode:
+		return xerrors.Errorf("mapping nodes must implement yaml.Unmarshaler")
+	default:
+		return xerrors.Errorf("unexpected node kind %v", n.Kind)
+	}
+}
+
+// UnmarshalYAML converts the given YAML node into the option set.
+// It is isomorphic with ToYAML.
+func (s *OptionSet) UnmarshalYAML(rootNode *yaml.Node) error {
+	// The rootNode will be a DocumentNode if it's read from a file. We do
+	// not support multiple documents in a single file.
+	if rootNode.Kind == yaml.DocumentNode {
+		if len(rootNode.Content) != 1 {
+			return xerrors.Errorf("expected one node in document, got %d", len(rootNode.Content))
+		}
+		rootNode = rootNode.Content[0]
+	}
+
+	yamlNodes, err := mapYAMLNodes(rootNode)
+	if err != nil {
+		return xerrors.Errorf("mapping nodes: %w", err)
+	}
+
+	matchedNodes := make(map[string]*yaml.Node, len(yamlNodes))
+
+	var merr error
+	for i := range *s {
+		opt := &(*s)[i]
+		if opt.YAML == "" {
+			continue
+		}
+		var group []string
+		for _, g := range opt.Group.Ancestry() {
+			if g.YAML == "" {
+				return xerrors.Errorf(
+					"group yaml name is empty for %q, groups: %+v",
+					opt.Name,
+					opt.Group,
+				)
+			}
+			group = append(group, g.YAML)
+			delete(yamlNodes, strings.Join(group, "."))
+		}
+
+		key := strings.Join(append(group, opt.YAML), ".")
+		node, ok := yamlNodes[key]
+		if !ok {
+			continue
+		}
+
+		matchedNodes[key] = node
+		if opt.ValueSource != ValueSourceNone {
+			continue
+		}
+		if err := opt.setFromYAMLNode(node); err != nil {
+			merr = errors.Join(merr, xerrors.Errorf("setting %q: %w", opt.YAML, err))
+		}
+	}
+
+	// Remove all matched nodes and their descendants from yamlNodes so we
+	// can accurately report unknown options.
+	for k := range yamlNodes {
+		var key string
+		for _, part := range strings.Split(k, ".") {
+			if key != "" {
+				key += "."
+			}
+			key += part
+			if _, ok := matchedNodes[key]; ok {
+				delete(yamlNodes, k)
+			}
+		}
+	}
+	for k := range yamlNodes {
+		merr = errors.Join(merr, xerrors.Errorf("unknown option %q", k))
+	}
+
+	return merr
+}
@@ -0,0 +1,202 @@
+package clibase_test
+
+import (
+	"testing"
+
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/require"
+	"golang.org/x/exp/slices"
+	"gopkg.in/yaml.v3"
+
+	"github.com/coder/coder/cli/clibase"
+)
+
+func TestOptionSet_YAML(t *testing.T) {
+	t.Parallel()
+
+	t.Run("RequireKey", func(t *testing.T) {
+		t.Parallel()
+		var workspaceName clibase.String
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:    "Workspace Name",
+				Value:   &workspaceName,
+				Default: "billie",
+			},
+		}
+
+		node, err := os.MarshalYAML()
+		require.NoError(t, err)
+		require.Len(t, node.(*yaml.Node).Content, 0)
+	})
+
+	t.Run("SimpleString", func(t *testing.T) {
+		t.Parallel()
+
+		var workspaceName clibase.String
+
+		os := clibase.OptionSet{
+			clibase.Option{
+				Name:        "Workspace Name",
+				Value:       &workspaceName,
+				Default:     "billie",
+				Description: "The workspace's name.",
+				Group:       &clibase.Group{YAML: "names"},
+				YAML:        "workspaceName",
+			},
+		}
+
+		err := os.SetDefaults()
+		require.NoError(t, err)
+
+		n, err := os.MarshalYAML()
+		require.NoError(t, err)
+		// Visually inspect for now.
+		byt, err := yaml.Marshal(n)
+		require.NoError(t, err)
+		t.Logf("Raw YAML:\n%s", string(byt))
+	})
+}
+
+func TestOptionSet_YAMLUnknownOptions(t *testing.T) {
+	t.Parallel()
+	os := clibase.OptionSet{
+		{
+			Name:        "Workspace Name",
+			Default:     "billie",
+			Description: "The workspace's name.",
+			YAML:        "workspaceName",
+			Value:       new(clibase.String),
+		},
+	}
+
+	const yamlDoc = `something: else`
+	err := yaml.Unmarshal([]byte(yamlDoc), &os)
+	require.Error(t, err)
+	require.Empty(t, os[0].Value.String())
+
+	os[0].YAML = "something"
+
+	err = yaml.Unmarshal([]byte(yamlDoc), &os)
+	require.NoError(t, err)
+
+	require.Equal(t, "else", os[0].Value.String())
+}
+
+// TestOptionSet_YAMLIsomorphism tests that the YAML representations of an
+// OptionSet converts to the same OptionSet when read back in.
+func TestOptionSet_YAMLIsomorphism(t *testing.T) {
+	t.Parallel()
+	// This is used to form a generic.
+	//nolint:unused
+	type kid struct {
+		Name string `yaml:"name"`
+		Age  int    `yaml:"age"`
+	}
+
+	for _, tc := range []struct {
+		name      string
+		os        clibase.OptionSet
+		zeroValue func() pflag.Value
+	}{
+		{
+			name: "SimpleString",
+			os: clibase.OptionSet{
+				{
+					Name:        "Workspace Name",
+					Default:     "billie",
+					Description: "The workspace's name.",
+					Group:       &clibase.Group{YAML: "names"},
+					YAML:        "workspaceName",
+				},
+			},
+			zeroValue: func() pflag.Value {
+				return clibase.StringOf(new(string))
+			},
+		},
+		{
+			name: "Array",
+			os: clibase.OptionSet{
+				{
+					YAML:    "names",
+					Default: "jill,jack,joan",
+				},
+			},
+			zeroValue: func() pflag.Value {
+				return clibase.StringArrayOf(&[]string{})
+			},
+		},
+		{
+			name: "ComplexObject",
+			os: clibase.OptionSet{
+				{
+					YAML: "kids",
+					Default: `- name: jill
+  age: 12
+- name: jack
+  age: 13`,
+				},
+			},
+			zeroValue: func() pflag.Value {
+				return &clibase.Struct[[]kid]{}
+			},
+		},
+		{
+			name: "DeepGroup",
+			os: clibase.OptionSet{
+				{
+					YAML:    "names",
+					Default: "jill,jack,joan",
+					Group:   &clibase.Group{YAML: "kids", Parent: &clibase.Group{YAML: "family"}},
+				},
+			},
+			zeroValue: func() pflag.Value {
+				return clibase.StringArrayOf(&[]string{})
+			},
+		},
+	} {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+
+			// Set initial values.
+			for i := range tc.os {
+				tc.os[i].Value = tc.zeroValue()
+			}
+			err := tc.os.SetDefaults()
+			require.NoError(t, err)
+
+			y, err := tc.os.MarshalYAML()
+			require.NoError(t, err)
+
+			toByt, err := yaml.Marshal(y)
+			require.NoError(t, err)
+
+			t.Logf("Raw YAML:\n%s", string(toByt))
+
+			var y2 yaml.Node
+			err = yaml.Unmarshal(toByt, &y2)
+			require.NoError(t, err)
+
+			os2 := slices.Clone(tc.os)
+			for i := range os2 {
+				os2[i].Value = tc.zeroValue()
+				os2[i].ValueSource = clibase.ValueSourceNone
+			}
+
+			// os2 values should be zeroed whereas tc.os should be
+			// set to defaults.
+			// This check makes sure we aren't mixing pointers.
+			require.NotEqual(t, tc.os, os2)
+			err = os2.UnmarshalYAML(&y2)
+			require.NoError(t, err)
+
+			want := tc.os
+			for i := range want {
+				want[i].ValueSource = clibase.ValueSourceYAML
+			}
+
+			require.Equal(t, tc.os, os2)
+		})
+	}
+}
@@ -1,88 +0,0 @@
-// Package cliflag extends flagset with environment variable defaults.
-//
-// Usage:
-//
-// cliflag.String(root.Flags(), &address, "address", "a", "CODER_ADDRESS", "127.0.0.1:3000", "The address to serve the API and dashboard")
-//
-// Will produce the following usage docs:
-//
-//   -a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
-//
-package cliflag
-
-import (
-	"fmt"
-	"os"
-	"strconv"
-	"strings"
-
-	"github.com/spf13/pflag"
-)
-
-// String sets a string flag on the given flag set.
-func String(flagset *pflag.FlagSet, name, shorthand, env, def, usage string) {
-	v, ok := os.LookupEnv(env)
-	if !ok || v == "" {
-		v = def
-	}
-	flagset.StringP(name, shorthand, v, fmtUsage(usage, env))
-}
-
-// StringVarP sets a string flag on the given flag set.
-func StringVarP(flagset *pflag.FlagSet, p *string, name string, shorthand string, env string, def string, usage string) {
-	v, ok := os.LookupEnv(env)
-	if !ok || v == "" {
-		v = def
-	}
-	flagset.StringVarP(p, name, shorthand, v, fmtUsage(usage, env))
-}
-
-func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shorthand string, env string, def []string, usage string) {
-	val, ok := os.LookupEnv(env)
-	if ok {
-		def = strings.Split(val, ",")
-	}
-	flagset.StringArrayVarP(ptr, name, shorthand, def, usage)
-}
-
-// Uint8VarP sets a uint8 flag on the given flag set.
-func Uint8VarP(flagset *pflag.FlagSet, ptr *uint8, name string, shorthand string, env string, def uint8, usage string) {
-	val, ok := os.LookupEnv(env)
-	if !ok || val == "" {
-		flagset.Uint8VarP(ptr, name, shorthand, def, fmtUsage(usage, env))
-		return
-	}
-
-	vi64, err := strconv.ParseUint(val, 10, 8)
-	if err != nil {
-		flagset.Uint8VarP(ptr, name, shorthand, def, fmtUsage(usage, env))
-		return
-	}
-
-	flagset.Uint8VarP(ptr, name, shorthand, uint8(vi64), fmtUsage(usage, env))
-}
-
-// BoolVarP sets a bool flag on the given flag set.
-func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string, env string, def bool, usage string) {
-	val, ok := os.LookupEnv(env)
-	if !ok || val == "" {
-		flagset.BoolVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
-		return
-	}
-
-	valb, err := strconv.ParseBool(val)
-	if err != nil {
-		flagset.BoolVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
-		return
-	}
-
-	flagset.BoolVarP(ptr, name, shorthand, valb, fmtUsage(usage, env))
-}
-
-func fmtUsage(u string, env string) string {
-	if env == "" {
-		return fmt.Sprintf("%s.", u)
-	}
-
-	return fmt.Sprintf("%s - consumes $%s.", u, env)
-}
@@ -1,187 +0,0 @@
-package cliflag_test
-
-import (
-	"fmt"
-	"strconv"
-	"testing"
-
-	"github.com/spf13/pflag"
-	"github.com/stretchr/testify/require"
-
-	"github.com/coder/coder/cli/cliflag"
-	"github.com/coder/coder/cryptorand"
-)
-
-// Testcliflag cannot run in parallel because it uses t.Setenv.
-//nolint:paralleltest
-func TestCliflag(t *testing.T) {
-	t.Run("StringDefault", func(t *testing.T) {
-		flagset, name, shorthand, env, usage := randomFlag()
-		def, _ := cryptorand.String(10)
-		cliflag.String(flagset, name, shorthand, env, def, usage)
-		got, err := flagset.GetString(name)
-		require.NoError(t, err)
-		require.Equal(t, def, got)
-		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
-	})
-
-	t.Run("StringEnvVar", func(t *testing.T) {
-		flagset, name, shorthand, env, usage := randomFlag()
-		envValue, _ := cryptorand.String(10)
-		t.Setenv(env, envValue)
-		def, _ := cryptorand.String(10)
-		cliflag.String(flagset, name, shorthand, env, def, usage)
-		got, err := flagset.GetString(name)
-		require.NoError(t, err)
-		require.Equal(t, envValue, got)
-	})
-
-	t.Run("StringVarPDefault", func(t *testing.T) {
-		var ptr string
-		flagset, name, shorthand, env, usage := randomFlag()
-		def, _ := cryptorand.String(10)
-
-		cliflag.StringVarP(flagset, &ptr, name, shorthand, env, def, usage)
-		got, err := flagset.GetString(name)
-		require.NoError(t, err)
-		require.Equal(t, def, got)
-		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
-	})
-
-	t.Run("StringVarPEnvVar", func(t *testing.T) {
-		var ptr string
-		flagset, name, shorthand, env, usage := randomFlag()
-		envValue, _ := cryptorand.String(10)
-		t.Setenv(env, envValue)
-		def, _ := cryptorand.String(10)
-
-		cliflag.StringVarP(flagset, &ptr, name, shorthand, env, def, usage)
-		got, err := flagset.GetString(name)
-		require.NoError(t, err)
-		require.Equal(t, envValue, got)
-	})
-
-	t.Run("EmptyEnvVar", func(t *testing.T) {
-		var ptr string
-		flagset, name, shorthand, _, usage := randomFlag()
-		def, _ := cryptorand.String(10)
-
-		cliflag.StringVarP(flagset, &ptr, name, shorthand, "", def, usage)
-		got, err := flagset.GetString(name)
-		require.NoError(t, err)
-		require.Equal(t, def, got)
-		require.Contains(t, flagset.FlagUsages(), usage)
-		require.NotContains(t, flagset.FlagUsages(), " - consumes")
-	})
-
-	t.Run("StringArrayDefault", func(t *testing.T) {
-		var ptr []string
-		flagset, name, shorthand, env, usage := randomFlag()
-		def := []string{"hello"}
-		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, def, usage)
-		got, err := flagset.GetStringArray(name)
-		require.NoError(t, err)
-		require.Equal(t, def, got)
-	})
-
-	t.Run("StringArrayEnvVar", func(t *testing.T) {
-		var ptr []string
-		flagset, name, shorthand, env, usage := randomFlag()
-		t.Setenv(env, "wow,test")
-		cliflag.StringArrayVarP(flagset, &ptr, name, shorthand, env, nil, usage)
-		got, err := flagset.GetStringArray(name)
-		require.NoError(t, err)
-		require.Equal(t, []string{"wow", "test"}, got)
-	})
-
-	t.Run("IntDefault", func(t *testing.T) {
-		var ptr uint8
-		flagset, name, shorthand, env, usage := randomFlag()
-		def, _ := cryptorand.Int63n(10)
-
-		cliflag.Uint8VarP(flagset, &ptr, name, shorthand, env, uint8(def), usage)
-		got, err := flagset.GetUint8(name)
-		require.NoError(t, err)
-		require.Equal(t, uint8(def), got)
-		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
-	})
-
-	t.Run("IntEnvVar", func(t *testing.T) {
-		var ptr uint8
-		flagset, name, shorthand, env, usage := randomFlag()
-		envValue, _ := cryptorand.Int63n(10)
-		t.Setenv(env, strconv.FormatUint(uint64(envValue), 10))
-		def, _ := cryptorand.Int()
-
-		cliflag.Uint8VarP(flagset, &ptr, name, shorthand, env, uint8(def), usage)
-		got, err := flagset.GetUint8(name)
-		require.NoError(t, err)
-		require.Equal(t, uint8(envValue), got)
-	})
-
-	t.Run("IntFailParse", func(t *testing.T) {
-		var ptr uint8
-		flagset, name, shorthand, env, usage := randomFlag()
-		envValue, _ := cryptorand.String(10)
-		t.Setenv(env, envValue)
-		def, _ := cryptorand.Int63n(10)
-
-		cliflag.Uint8VarP(flagset, &ptr, name, shorthand, env, uint8(def), usage)
-		got, err := flagset.GetUint8(name)
-		require.NoError(t, err)
-		require.Equal(t, uint8(def), got)
-	})
-
-	t.Run("BoolDefault", func(t *testing.T) {
-		var ptr bool
-		flagset, name, shorthand, env, usage := randomFlag()
-		def, _ := cryptorand.Bool()
-
-		cliflag.BoolVarP(flagset, &ptr, name, shorthand, env, def, usage)
-		got, err := flagset.GetBool(name)
-		require.NoError(t, err)
-		require.Equal(t, def, got)
-		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
-	})
-
-	t.Run("BoolEnvVar", func(t *testing.T) {
-		var ptr bool
-		flagset, name, shorthand, env, usage := randomFlag()
-		envValue, _ := cryptorand.Bool()
-		t.Setenv(env, strconv.FormatBool(envValue))
-		def, _ := cryptorand.Bool()
-
-		cliflag.BoolVarP(flagset, &ptr, name, shorthand, env, def, usage)
-		got, err := flagset.GetBool(name)
-		require.NoError(t, err)
-		require.Equal(t, envValue, got)
-	})
-
-	t.Run("BoolFailParse", func(t *testing.T) {
-		var ptr bool
-		flagset, name, shorthand, env, usage := randomFlag()
-		envValue, _ := cryptorand.String(10)
-		t.Setenv(env, envValue)
-		def, _ := cryptorand.Bool()
-
-		cliflag.BoolVarP(flagset, &ptr, name, shorthand, env, def, usage)
-		got, err := flagset.GetBool(name)
-		require.NoError(t, err)
-		require.Equal(t, def, got)
-	})
-}
-
-func randomFlag() (*pflag.FlagSet, string, string, string, string) {
-	fsname, _ := cryptorand.String(10)
-	flagset := pflag.NewFlagSet(fsname, pflag.PanicOnError)
-	name, _ := cryptorand.String(10)
-	shorthand, _ := cryptorand.String(1)
-	env, _ := cryptorand.String(10)
-	usage, _ := cryptorand.String(10)
-
-	return flagset, name, shorthand, env, usage
-}
@@ -0,0 +1,314 @@
+package clistat
+
+import (
+	"bufio"
+	"bytes"
+	"strconv"
+	"strings"
+
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+	"tailscale.com/types/ptr"
+)
+
+// Paths for CGroupV1.
+// Ref: https://www.kernel.org/doc/Documentation/cgroup-v1/cpuacct.txt
+const (
+	// CPU usage of all tasks in cgroup in nanoseconds.
+	cgroupV1CPUAcctUsage = "/sys/fs/cgroup/cpu/cpuacct.usage"
+	// Alternate path
+	cgroupV1CPUAcctUsageAlt = "/sys/fs/cgroup/cpu,cpuacct/cpuacct.usage"
+	// CFS quota and period for cgroup in MICROseconds
+	cgroupV1CFSQuotaUs  = "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us"
+	cgroupV1CFSPeriodUs = "/sys/fs/cgroup/cpu,cpuacct/cpu.cfs_period_us"
+	// Maximum memory usable by cgroup in bytes
+	cgroupV1MemoryMaxUsageBytes = "/sys/fs/cgroup/memory/memory.max_usage_in_bytes"
+	// Current memory usage of cgroup in bytes
+	cgroupV1MemoryUsageBytes = "/sys/fs/cgroup/memory/memory.usage_in_bytes"
+	// Other memory stats - we are interested in total_inactive_file
+	cgroupV1MemoryStat = "/sys/fs/cgroup/memory/memory.stat"
+)
+
+// Paths for CGroupV2.
+// Ref: https://docs.kernel.org/admin-guide/cgroup-v2.html
+const (
+	// Contains quota and period in microseconds separated by a space.
+	cgroupV2CPUMax = "/sys/fs/cgroup/cpu.max"
+	// Contains current CPU usage under usage_usec
+	cgroupV2CPUStat = "/sys/fs/cgroup/cpu.stat"
+	// Contains current cgroup memory usage in bytes.
+	cgroupV2MemoryUsageBytes = "/sys/fs/cgroup/memory.current"
+	// Contains max cgroup memory usage in bytes.
+	cgroupV2MemoryMaxBytes = "/sys/fs/cgroup/memory.max"
+	// Other memory stats - we are interested in total_inactive_file
+	cgroupV2MemoryStat = "/sys/fs/cgroup/memory.stat"
+)
+
+// ContainerCPU returns the CPU usage of the container cgroup.
+// This is calculated as difference of two samples of the
+// CPU usage of the container cgroup.
+// The total is read from the relevant path in /sys/fs/cgroup.
+// If there is no limit set, the total is assumed to be the
+// number of host cores multiplied by the CFS period.
+// If the system is not containerized, this always returns nil.
+func (s *Statter) ContainerCPU() (*Result, error) {
+	// Firstly, check if we are containerized.
+	if ok, err := IsContainerized(s.fs); err != nil || !ok {
+		return nil, nil //nolint: nilnil
+	}
+
+	total, err := s.cGroupCPUTotal()
+	if err != nil {
+		return nil, xerrors.Errorf("get total cpu: %w", err)
+	}
+
+	used1, err := s.cGroupCPUUsed()
+	if err != nil {
+		return nil, xerrors.Errorf("get cgroup CPU usage: %w", err)
+	}
+
+	// The measurements in /sys/fs/cgroup are counters.
+	// We need to wait for a bit to get a difference.
+	// Note that someone could reset the counter in the meantime.
+	// We can't do anything about that.
+	s.wait(s.sampleInterval)
+
+	used2, err := s.cGroupCPUUsed()
+	if err != nil {
+		return nil, xerrors.Errorf("get cgroup CPU usage: %w", err)
+	}
+
+	if used2 < used1 {
+		// Someone reset the counter. Best we can do is count from zero.
+		used1 = 0
+	}
+
+	r := &Result{
+		Unit:   "cores",
+		Used:   used2 - used1,
+		Total:  ptr.To(total),
+		Prefix: PrefixDefault,
+	}
+	return r, nil
+}
+
+func (s *Statter) cGroupCPUTotal() (used float64, err error) {
+	if s.isCGroupV2() {
+		return s.cGroupV2CPUTotal()
+	}
+
+	// Fall back to CGroupv1
+	return s.cGroupV1CPUTotal()
+}
+
+func (s *Statter) cGroupCPUUsed() (used float64, err error) {
+	if s.isCGroupV2() {
+		return s.cGroupV2CPUUsed()
+	}
+
+	return s.cGroupV1CPUUsed()
+}
+
+func (s *Statter) isCGroupV2() bool {
+	// Check for the presence of /sys/fs/cgroup/cpu.max
+	_, err := s.fs.Stat(cgroupV2CPUMax)
+	return err == nil
+}
+
+func (s *Statter) cGroupV2CPUUsed() (used float64, err error) {
+	usageUs, err := readInt64Prefix(s.fs, cgroupV2CPUStat, "usage_usec")
+	if err != nil {
+		return 0, xerrors.Errorf("get cgroupv2 cpu used: %w", err)
+	}
+	periodUs, err := readInt64SepIdx(s.fs, cgroupV2CPUMax, " ", 1)
+	if err != nil {
+		return 0, xerrors.Errorf("get cpu period: %w", err)
+	}
+
+	return float64(usageUs) / float64(periodUs), nil
+}
+
+func (s *Statter) cGroupV2CPUTotal() (total float64, err error) {
+	var quotaUs, periodUs int64
+	periodUs, err = readInt64SepIdx(s.fs, cgroupV2CPUMax, " ", 1)
+	if err != nil {
+		return 0, xerrors.Errorf("get cpu period: %w", err)
+	}
+
+	quotaUs, err = readInt64SepIdx(s.fs, cgroupV2CPUMax, " ", 0)
+	if err != nil {
+		// Fall back to number of cores
+		quotaUs = int64(s.nproc) * periodUs
+	}
+
+	return float64(quotaUs) / float64(periodUs), nil
+}
+
+func (s *Statter) cGroupV1CPUTotal() (float64, error) {
+	periodUs, err := readInt64(s.fs, cgroupV1CFSPeriodUs)
+	if err != nil {
+		return 0, xerrors.Errorf("read cpu period: %w", err)
+	}
+
+	quotaUs, err := readInt64(s.fs, cgroupV1CFSQuotaUs)
+	if err != nil {
+		return 0, xerrors.Errorf("read cpu quota: %w", err)
+	}
+
+	if quotaUs < 0 {
+		// Fall back to the number of cores
+		quotaUs = int64(s.nproc) * periodUs
+	}
+
+	return float64(quotaUs) / float64(periodUs), nil
+}
+
+func (s *Statter) cGroupV1CPUUsed() (float64, error) {
+	usageNs, err := readInt64(s.fs, cgroupV1CPUAcctUsage)
+	if err != nil {
+		// try alternate path
+		usageNs, err = readInt64(s.fs, cgroupV1CPUAcctUsageAlt)
+		if err != nil {
+			return 0, xerrors.Errorf("read cpu used: %w", err)
+		}
+	}
+
+	// usage is in ns, convert to us
+	usageNs /= 1000
+	periodUs, err := readInt64(s.fs, cgroupV1CFSPeriodUs)
+	if err != nil {
+		return 0, xerrors.Errorf("get cpu period: %w", err)
+	}
+
+	return float64(usageNs) / float64(periodUs), nil
+}
+
+// ContainerMemory returns the memory usage of the container cgroup.
+// If the system is not containerized, this always returns nil.
+func (s *Statter) ContainerMemory(p Prefix) (*Result, error) {
+	if ok, err := IsContainerized(s.fs); err != nil || !ok {
+		return nil, nil //nolint:nilnil
+	}
+
+	if s.isCGroupV2() {
+		return s.cGroupV2Memory(p)
+	}
+
+	// Fall back to CGroupv1
+	return s.cGroupV1Memory(p)
+}
+
+func (s *Statter) cGroupV2Memory(p Prefix) (*Result, error) {
+	maxUsageBytes, err := readInt64(s.fs, cgroupV2MemoryMaxBytes)
+	if err != nil {
+		return nil, xerrors.Errorf("read memory total: %w", err)
+	}
+
+	currUsageBytes, err := readInt64(s.fs, cgroupV2MemoryUsageBytes)
+	if err != nil {
+		return nil, xerrors.Errorf("read memory usage: %w", err)
+	}
+
+	inactiveFileBytes, err := readInt64Prefix(s.fs, cgroupV2MemoryStat, "inactive_file")
+	if err != nil {
+		return nil, xerrors.Errorf("read memory stats: %w", err)
+	}
+
+	return &Result{
+		Total:  ptr.To(float64(maxUsageBytes)),
+		Used:   float64(currUsageBytes - inactiveFileBytes),
+		Unit:   "B",
+		Prefix: p,
+	}, nil
+}
+
+func (s *Statter) cGroupV1Memory(p Prefix) (*Result, error) {
+	maxUsageBytes, err := readInt64(s.fs, cgroupV1MemoryMaxUsageBytes)
+	if err != nil {
+		return nil, xerrors.Errorf("read memory total: %w", err)
+	}
+
+	// need a space after total_rss so we don't hit something else
+	usageBytes, err := readInt64(s.fs, cgroupV1MemoryUsageBytes)
+	if err != nil {
+		return nil, xerrors.Errorf("read memory usage: %w", err)
+	}
+
+	totalInactiveFileBytes, err := readInt64Prefix(s.fs, cgroupV1MemoryStat, "total_inactive_file")
+	if err != nil {
+		return nil, xerrors.Errorf("read memory stats: %w", err)
+	}
+
+	// Total memory used is usage - total_inactive_file
+	return &Result{
+		Total:  ptr.To(float64(maxUsageBytes)),
+		Used:   float64(usageBytes - totalInactiveFileBytes),
+		Unit:   "B",
+		Prefix: p,
+	}, nil
+}
+
+// read an int64 value from path
+func readInt64(fs afero.Fs, path string) (int64, error) {
+	data, err := afero.ReadFile(fs, path)
+	if err != nil {
+		return 0, xerrors.Errorf("read %s: %w", path, err)
+	}
+
+	val, err := strconv.ParseInt(string(bytes.TrimSpace(data)), 10, 64)
+	if err != nil {
+		return 0, xerrors.Errorf("parse %s: %w", path, err)
+	}
+
+	return val, nil
+}
+
+// read an int64 value from path at field idx separated by sep
+func readInt64SepIdx(fs afero.Fs, path, sep string, idx int) (int64, error) {
+	data, err := afero.ReadFile(fs, path)
+	if err != nil {
+		return 0, xerrors.Errorf("read %s: %w", path, err)
+	}
+
+	parts := strings.Split(string(data), sep)
+	if len(parts) < idx {
+		return 0, xerrors.Errorf("expected line %q to have at least %d parts", string(data), idx+1)
+	}
+
+	val, err := strconv.ParseInt(strings.TrimSpace(parts[idx]), 10, 64)
+	if err != nil {
+		return 0, xerrors.Errorf("parse %s: %w", path, err)
+	}
+
+	return val, nil
+}
+
+// read the first int64 value from path prefixed with prefix
+func readInt64Prefix(fs afero.Fs, path, prefix string) (int64, error) {
+	data, err := afero.ReadFile(fs, path)
+	if err != nil {
+		return 0, xerrors.Errorf("read %s: %w", path, err)
+	}
+
+	scn := bufio.NewScanner(bytes.NewReader(data))
+	for scn.Scan() {
+		line := scn.Text()
+		if !strings.HasPrefix(line, prefix) {
+			continue
+		}
+
+		parts := strings.Fields(line)
+		if len(parts) != 2 {
+			return 0, xerrors.Errorf("parse %s: expected two fields but got %s", path, line)
+		}
+
+		val, err := strconv.ParseInt(strings.TrimSpace(parts[1]), 10, 64)
+		if err != nil {
+			return 0, xerrors.Errorf("parse %s: %w", path, err)
+		}
+
+		return val, nil
+	}
+
+	return 0, xerrors.Errorf("parse %s: did not find line with prefix %s", path, prefix)
+}
@@ -0,0 +1,61 @@
+package clistat
+
+import (
+	"bufio"
+	"bytes"
+	"os"
+
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+)
+
+const (
+	procMounts    = "/proc/mounts"
+	procOneCgroup = "/proc/1/cgroup"
+)
+
+// IsContainerized returns whether the host is containerized.
+// This is adapted from https://github.com/elastic/go-sysinfo/tree/main/providers/linux/container.go#L31
+// with modifications to support Sysbox containers.
+// On non-Linux platforms, it always returns false.
+func IsContainerized(fs afero.Fs) (ok bool, err error) {
+	cgData, err := afero.ReadFile(fs, procOneCgroup)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, xerrors.Errorf("read file %s: %w", procOneCgroup, err)
+	}
+
+	scn := bufio.NewScanner(bytes.NewReader(cgData))
+	for scn.Scan() {
+		line := scn.Bytes()
+		if bytes.Contains(line, []byte("docker")) ||
+			bytes.Contains(line, []byte(".slice")) ||
+			bytes.Contains(line, []byte("lxc")) ||
+			bytes.Contains(line, []byte("kubepods")) {
+			return true, nil
+		}
+	}
+
+	// Last-ditch effort to detect Sysbox containers.
+	// Check if we have anything mounted as type sysboxfs in /proc/mounts
+	mountsData, err := afero.ReadFile(fs, procMounts)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return false, nil
+		}
+		return false, xerrors.Errorf("read file %s: %w", procMounts, err)
+	}
+
+	scn = bufio.NewScanner(bytes.NewReader(mountsData))
+	for scn.Scan() {
+		line := scn.Bytes()
+		if bytes.Contains(line, []byte("sysboxfs")) {
+			return true, nil
+		}
+	}
+
+	// If we get here, we are _probably_ not running in a container.
+	return false, nil
+}
@@ -0,0 +1,27 @@
+//go:build !windows
+
+package clistat
+
+import (
+	"syscall"
+
+	"tailscale.com/types/ptr"
+)
+
+// Disk returns the disk usage of the given path.
+// If path is empty, it returns the usage of the root directory.
+func (*Statter) Disk(p Prefix, path string) (*Result, error) {
+	if path == "" {
+		path = "/"
+	}
+	var stat syscall.Statfs_t
+	if err := syscall.Statfs(path, &stat); err != nil {
+		return nil, err
+	}
+	var r Result
+	r.Total = ptr.To(float64(stat.Blocks * uint64(stat.Bsize)))
+	r.Used = float64(stat.Blocks-stat.Bfree) * float64(stat.Bsize)
+	r.Unit = "B"
+	r.Prefix = p
+	return &r, nil
+}
@@ -0,0 +1,36 @@
+package clistat
+
+import (
+	"golang.org/x/sys/windows"
+	"tailscale.com/types/ptr"
+)
+
+// Disk returns the disk usage of the given path.
+// If path is empty, it defaults to C:\
+func (*Statter) Disk(p Prefix, path string) (*Result, error) {
+	if path == "" {
+		path = `C:\`
+	}
+
+	pathPtr, err := windows.UTF16PtrFromString(path)
+	if err != nil {
+		return nil, err
+	}
+
+	var freeBytes, totalBytes, availBytes uint64
+	if err := windows.GetDiskFreeSpaceEx(
+		pathPtr,
+		&freeBytes,
+		&totalBytes,
+		&availBytes,
+	); err != nil {
+		return nil, err
+	}
+
+	var r Result
+	r.Total = ptr.To(float64(totalBytes))
+	r.Used = float64(totalBytes - freeBytes)
+	r.Unit = "B"
+	r.Prefix = p
+	return &r, nil
+}
@@ -0,0 +1,236 @@
+package clistat
+
+import (
+	"math"
+	"runtime"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/elastic/go-sysinfo"
+	"github.com/spf13/afero"
+	"golang.org/x/xerrors"
+	"tailscale.com/types/ptr"
+
+	sysinfotypes "github.com/elastic/go-sysinfo/types"
+)
+
+// Prefix is a scale multiplier for a result.
+// Used when creating a human-readable representation.
+type Prefix float64
+
+const (
+	PrefixDefault = 1.0
+	PrefixKibi    = 1024.0
+	PrefixMebi    = PrefixKibi * 1024.0
+	PrefixGibi    = PrefixMebi * 1024.0
+	PrefixTebi    = PrefixGibi * 1024.0
+)
+
+var (
+	PrefixHumanKibi = "Ki"
+	PrefixHumanMebi = "Mi"
+	PrefixHumanGibi = "Gi"
+	PrefixHumanTebi = "Ti"
+)
+
+func (s *Prefix) String() string {
+	switch *s {
+	case PrefixKibi:
+		return "Ki"
+	case PrefixMebi:
+		return "Mi"
+	case PrefixGibi:
+		return "Gi"
+	case PrefixTebi:
+		return "Ti"
+	default:
+		return ""
+	}
+}
+
+func ParsePrefix(s string) Prefix {
+	switch s {
+	case PrefixHumanKibi:
+		return PrefixKibi
+	case PrefixHumanMebi:
+		return PrefixMebi
+	case PrefixHumanGibi:
+		return PrefixGibi
+	case PrefixHumanTebi:
+		return PrefixTebi
+	default:
+		return PrefixDefault
+	}
+}
+
+// Result is a generic result type for a statistic.
+// Total is the total amount of the resource available.
+// It is nil if the resource is not a finite quantity.
+// Unit is the unit of the resource.
+// Used is the amount of the resource used.
+type Result struct {
+	Total  *float64 `json:"total"`
+	Unit   string   `json:"unit"`
+	Used   float64  `json:"used"`
+	Prefix Prefix   `json:"-"`
+}
+
+// String returns a human-readable representation of the result.
+func (r *Result) String() string {
+	if r == nil {
+		return "-"
+	}
+
+	scale := 1.0
+	if r.Prefix != 0.0 {
+		scale = float64(r.Prefix)
+	}
+
+	var sb strings.Builder
+	var usedScaled, totalScaled float64
+	usedScaled = r.Used / scale
+	_, _ = sb.WriteString(humanizeFloat(usedScaled))
+	if r.Total != (*float64)(nil) {
+		_, _ = sb.WriteString("/")
+		totalScaled = *r.Total / scale
+		_, _ = sb.WriteString(humanizeFloat(totalScaled))
+	}
+
+	_, _ = sb.WriteString(" ")
+	_, _ = sb.WriteString(r.Prefix.String())
+	_, _ = sb.WriteString(r.Unit)
+
+	if r.Total != (*float64)(nil) && *r.Total > 0 {
+		_, _ = sb.WriteString(" (")
+		pct := r.Used / *r.Total * 100.0
+		_, _ = sb.WriteString(strconv.FormatFloat(pct, 'f', 0, 64))
+		_, _ = sb.WriteString("%)")
+	}
+
+	return strings.TrimSpace(sb.String())
+}
+
+func humanizeFloat(f float64) string {
+	// humanize.FtoaWithDigits does not round correctly.
+	prec := precision(f)
+	rat := math.Pow(10, float64(prec))
+	rounded := math.Round(f*rat) / rat
+	return strconv.FormatFloat(rounded, 'f', -1, 64)
+}
+
+// limit precision to 3 digits at most to preserve space
+func precision(f float64) int {
+	fabs := math.Abs(f)
+	if fabs == 0.0 {
+		return 0
+	}
+	if fabs < 1.0 {
+		return 3
+	}
+	if fabs < 10.0 {
+		return 2
+	}
+	if fabs < 100.0 {
+		return 1
+	}
+	return 0
+}
+
+// Statter is a system statistics collector.
+// It is a thin wrapper around the elastic/go-sysinfo library.
+type Statter struct {
+	hi             sysinfotypes.Host
+	fs             afero.Fs
+	sampleInterval time.Duration
+	nproc          int
+	wait           func(time.Duration)
+}
+
+type Option func(*Statter)
+
+// WithSampleInterval sets the sample interval for the statter.
+func WithSampleInterval(d time.Duration) Option {
+	return func(s *Statter) {
+		s.sampleInterval = d
+	}
+}
+
+// WithFS sets the fs for the statter.
+func WithFS(fs afero.Fs) Option {
+	return func(s *Statter) {
+		s.fs = fs
+	}
+}
+
+func New(opts ...Option) (*Statter, error) {
+	hi, err := sysinfo.Host()
+	if err != nil {
+		return nil, xerrors.Errorf("get host info: %w", err)
+	}
+	s := &Statter{
+		hi:             hi,
+		fs:             afero.NewReadOnlyFs(afero.NewOsFs()),
+		sampleInterval: 100 * time.Millisecond,
+		nproc:          runtime.NumCPU(),
+		wait: func(d time.Duration) {
+			<-time.After(d)
+		},
+	}
+	for _, opt := range opts {
+		opt(s)
+	}
+	return s, nil
+}
+
+// HostCPU returns the CPU usage of the host. This is calculated by
+// taking two samples of CPU usage and calculating the difference.
+// Total will always be equal to the number of cores.
+// Used will be an estimate of the number of cores used during the sample interval.
+// This is calculated by taking the difference between the total and idle HostCPU time
+// and scaling it by the number of cores.
+// Units are in "cores".
+func (s *Statter) HostCPU() (*Result, error) {
+	r := &Result{
+		Unit:   "cores",
+		Total:  ptr.To(float64(s.nproc)),
+		Prefix: PrefixDefault,
+	}
+	c1, err := s.hi.CPUTime()
+	if err != nil {
+		return nil, xerrors.Errorf("get first cpu sample: %w", err)
+	}
+	s.wait(s.sampleInterval)
+	c2, err := s.hi.CPUTime()
+	if err != nil {
+		return nil, xerrors.Errorf("get second cpu sample: %w", err)
+	}
+	total := c2.Total() - c1.Total()
+	if total == 0 {
+		return r, nil // no change
+	}
+	idle := c2.Idle - c1.Idle
+	used := total - idle
+	scaleFactor := float64(s.nproc) / total.Seconds()
+	r.Used = used.Seconds() * scaleFactor
+	return r, nil
+}
+
+// HostMemory returns the memory usage of the host, in gigabytes.
+func (s *Statter) HostMemory(p Prefix) (*Result, error) {
+	r := &Result{
+		Unit:   "B",
+		Prefix: p,
+	}
+	hm, err := s.hi.Memory()
+	if err != nil {
+		return nil, xerrors.Errorf("get memory info: %w", err)
+	}
+	r.Total = ptr.To(float64(hm.Total))
+	// On Linux, hm.Used equates to MemTotal - MemFree in /proc/stat.
+	// This includes buffers and cache.
+	// So use MemAvailable instead, which only equates to physical memory.
+	// On Windows, this is also calculated as Total - Available.
+	r.Used = float64(hm.Total - hm.Available)
+	return r, nil
+}
@@ -0,0 +1,345 @@
+package clistat
+
+import (
+	"testing"
+	"time"
+
+	"github.com/spf13/afero"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"tailscale.com/types/ptr"
+)
+
+func TestResultString(t *testing.T) {
+	t.Parallel()
+	for _, tt := range []struct {
+		Expected string
+		Result   Result
+	}{
+		{
+			Expected: "1.23/5.68 quatloos (22%)",
+			Result:   Result{Used: 1.234, Total: ptr.To(5.678), Unit: "quatloos"},
+		},
+		{
+			Expected: "0/0 HP",
+			Result:   Result{Used: 0.0, Total: ptr.To(0.0), Unit: "HP"},
+		},
+		{
+			Expected: "123 seconds",
+			Result:   Result{Used: 123.01, Total: nil, Unit: "seconds"},
+		},
+		{
+			Expected: "12.3",
+			Result:   Result{Used: 12.34, Total: nil, Unit: ""},
+		},
+		{
+			Expected: "1.5 KiB",
+			Result:   Result{Used: 1536, Total: nil, Unit: "B", Prefix: PrefixKibi},
+		},
+		{
+			Expected: "1.23 things",
+			Result:   Result{Used: 1.234, Total: nil, Unit: "things"},
+		},
+		{
+			Expected: "0/100 TiB (0%)",
+			Result:   Result{Used: 1, Total: ptr.To(100.0 * float64(PrefixTebi)), Unit: "B", Prefix: PrefixTebi},
+		},
+		{
+			Expected: "0.5/8 cores (6%)",
+			Result:   Result{Used: 0.5, Total: ptr.To(8.0), Unit: "cores"},
+		},
+	} {
+		assert.Equal(t, tt.Expected, tt.Result.String())
+	}
+}
+
+func TestStatter(t *testing.T) {
+	t.Parallel()
+
+	// We cannot make many assertions about the data we get back
+	// for host-specific measurements because these tests could
+	// and should run successfully on any OS.
+	// The best we can do is assert that it is non-zero.
+	t.Run("HostOnly", func(t *testing.T) {
+		t.Parallel()
+		fs := initFS(t, fsHostOnly)
+		s, err := New(WithFS(fs))
+		require.NoError(t, err)
+		t.Run("HostCPU", func(t *testing.T) {
+			t.Parallel()
+			cpu, err := s.HostCPU()
+			require.NoError(t, err)
+			// assert.NotZero(t, cpu.Used) // HostCPU can sometimes be zero.
+			assert.NotZero(t, cpu.Total)
+			assert.Equal(t, "cores", cpu.Unit)
+		})
+
+		t.Run("HostMemory", func(t *testing.T) {
+			t.Parallel()
+			mem, err := s.HostMemory(PrefixDefault)
+			require.NoError(t, err)
+			assert.NotZero(t, mem.Used)
+			assert.NotZero(t, mem.Total)
+			assert.Equal(t, "B", mem.Unit)
+		})
+
+		t.Run("HostDisk", func(t *testing.T) {
+			t.Parallel()
+			disk, err := s.Disk(PrefixDefault, "") // default to home dir
+			require.NoError(t, err)
+			assert.NotZero(t, disk.Used)
+			assert.NotZero(t, disk.Total)
+			assert.Equal(t, "B", disk.Unit)
+		})
+	})
+
+	// Sometimes we do need to "fake" some stuff
+	// that happens while we wait.
+	withWait := func(waitF func(time.Duration)) Option {
+		return func(s *Statter) {
+			s.wait = waitF
+		}
+	}
+
+	// Other times we just want things to run fast.
+	withNoWait := func(s *Statter) {
+		s.wait = func(time.Duration) {}
+	}
+
+	// We don't want to use the actual host CPU here.
+	withNproc := func(n int) Option {
+		return func(s *Statter) {
+			s.nproc = n
+		}
+	}
+
+	// For container-specific measurements, everything we need
+	// can be read from the filesystem. We control the FS, so
+	// we control the data.
+	t.Run("CGroupV1", func(t *testing.T) {
+		t.Parallel()
+		t.Run("ContainerCPU/Limit", func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, fsContainerCgroupV1)
+			fakeWait := func(time.Duration) {
+				// Fake 1 second in ns of usage
+				mungeFS(t, fs, cgroupV1CPUAcctUsage, "100000000")
+			}
+			s, err := New(WithFS(fs), withWait(fakeWait))
+			require.NoError(t, err)
+			cpu, err := s.ContainerCPU()
+			require.NoError(t, err)
+			require.NotNil(t, cpu)
+			assert.Equal(t, 1.0, cpu.Used)
+			require.NotNil(t, cpu.Total)
+			assert.Equal(t, 2.5, *cpu.Total)
+			assert.Equal(t, "cores", cpu.Unit)
+		})
+
+		t.Run("ContainerCPU/NoLimit", func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, fsContainerCgroupV1NoLimit)
+			fakeWait := func(time.Duration) {
+				// Fake 1 second in ns of usage
+				mungeFS(t, fs, cgroupV1CPUAcctUsage, "100000000")
+			}
+			s, err := New(WithFS(fs), withNproc(2), withWait(fakeWait))
+			require.NoError(t, err)
+			cpu, err := s.ContainerCPU()
+			require.NoError(t, err)
+			require.NotNil(t, cpu)
+			assert.Equal(t, 1.0, cpu.Used)
+			require.NotNil(t, cpu.Total)
+			assert.Equal(t, 2.0, *cpu.Total)
+			assert.Equal(t, "cores", cpu.Unit)
+		})
+
+		t.Run("ContainerMemory", func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, fsContainerCgroupV1)
+			s, err := New(WithFS(fs), withNoWait)
+			require.NoError(t, err)
+			mem, err := s.ContainerMemory(PrefixDefault)
+			require.NoError(t, err)
+			require.NotNil(t, mem)
+			assert.Equal(t, 268435456.0, mem.Used)
+			assert.NotNil(t, mem.Total)
+			assert.Equal(t, 1073741824.0, *mem.Total)
+			assert.Equal(t, "B", mem.Unit)
+		})
+	})
+
+	t.Run("CGroupV2", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("ContainerCPU/Limit", func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, fsContainerCgroupV2)
+			fakeWait := func(time.Duration) {
+				mungeFS(t, fs, cgroupV2CPUStat, "usage_usec 100000")
+			}
+			s, err := New(WithFS(fs), withWait(fakeWait))
+			require.NoError(t, err)
+			cpu, err := s.ContainerCPU()
+			require.NoError(t, err)
+			require.NotNil(t, cpu)
+			assert.Equal(t, 1.0, cpu.Used)
+			require.NotNil(t, cpu.Total)
+			assert.Equal(t, 2.5, *cpu.Total)
+			assert.Equal(t, "cores", cpu.Unit)
+		})
+
+		t.Run("ContainerCPU/NoLimit", func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, fsContainerCgroupV2NoLimit)
+			fakeWait := func(time.Duration) {
+				mungeFS(t, fs, cgroupV2CPUStat, "usage_usec 100000")
+			}
+			s, err := New(WithFS(fs), withNproc(2), withWait(fakeWait))
+			require.NoError(t, err)
+			cpu, err := s.ContainerCPU()
+			require.NoError(t, err)
+			require.NotNil(t, cpu)
+			assert.Equal(t, 1.0, cpu.Used)
+			require.NotNil(t, cpu.Total)
+			assert.Equal(t, 2.0, *cpu.Total)
+			assert.Equal(t, "cores", cpu.Unit)
+		})
+
+		t.Run("ContainerMemory", func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, fsContainerCgroupV2)
+			s, err := New(WithFS(fs), withNoWait)
+			require.NoError(t, err)
+			mem, err := s.ContainerMemory(PrefixDefault)
+			require.NoError(t, err)
+			require.NotNil(t, mem)
+			assert.Equal(t, 268435456.0, mem.Used)
+			assert.NotNil(t, mem.Total)
+			assert.Equal(t, 1073741824.0, *mem.Total)
+			assert.Equal(t, "B", mem.Unit)
+		})
+	})
+}
+
+func TestIsContainerized(t *testing.T) {
+	t.Parallel()
+
+	for _, tt := range []struct {
+		Name     string
+		FS       map[string]string
+		Expected bool
+		Error    string
+	}{
+		{
+			Name:     "Empty",
+			FS:       map[string]string{},
+			Expected: false,
+			Error:    "",
+		},
+		{
+			Name:     "BareMetal",
+			FS:       fsHostOnly,
+			Expected: false,
+			Error:    "",
+		},
+		{
+			Name:     "Docker",
+			FS:       fsContainerCgroupV1,
+			Expected: true,
+			Error:    "",
+		},
+		{
+			Name:     "Sysbox",
+			FS:       fsContainerSysbox,
+			Expected: true,
+			Error:    "",
+		},
+	} {
+		tt := tt
+		t.Run(tt.Name, func(t *testing.T) {
+			t.Parallel()
+			fs := initFS(t, tt.FS)
+			actual, err := IsContainerized(fs)
+			if tt.Error == "" {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.Expected, actual)
+			} else {
+				assert.ErrorContains(t, err, tt.Error)
+				assert.False(t, actual)
+			}
+		})
+	}
+}
+
+// helper function for initializing a fs
+func initFS(t testing.TB, m map[string]string) afero.Fs {
+	t.Helper()
+	fs := afero.NewMemMapFs()
+	for k, v := range m {
+		mungeFS(t, fs, k, v)
+	}
+	return fs
+}
+
+// helper function for writing v to fs under path k
+func mungeFS(t testing.TB, fs afero.Fs, k, v string) {
+	t.Helper()
+	require.NoError(t, afero.WriteFile(fs, k, []byte(v+"\n"), 0o600))
+}
+
+var (
+	fsHostOnly = map[string]string{
+		procOneCgroup: "0::/",
+		procMounts:    "/dev/sda1 / ext4 rw,relatime 0 0",
+	}
+	fsContainerSysbox = map[string]string{
+		procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
+		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+sysboxfs /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+		cgroupV2CPUMax:  "250000 100000",
+		cgroupV2CPUStat: "usage_usec 0",
+	}
+	fsContainerCgroupV2 = map[string]string{
+		procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
+		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+		cgroupV2CPUMax:           "250000 100000",
+		cgroupV2CPUStat:          "usage_usec 0",
+		cgroupV2MemoryMaxBytes:   "1073741824",
+		cgroupV2MemoryUsageBytes: "536870912",
+		cgroupV2MemoryStat:       "inactive_file 268435456",
+	}
+	fsContainerCgroupV2NoLimit = map[string]string{
+		procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
+		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+		cgroupV2CPUMax:           "max 100000",
+		cgroupV2CPUStat:          "usage_usec 0",
+		cgroupV2MemoryMaxBytes:   "1073741824",
+		cgroupV2MemoryUsageBytes: "536870912",
+		cgroupV2MemoryStat:       "inactive_file 268435456",
+	}
+	fsContainerCgroupV1 = map[string]string{
+		procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
+		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+		cgroupV1CPUAcctUsage:        "0",
+		cgroupV1CFSQuotaUs:          "250000",
+		cgroupV1CFSPeriodUs:         "100000",
+		cgroupV1MemoryMaxUsageBytes: "1073741824",
+		cgroupV1MemoryUsageBytes:    "536870912",
+		cgroupV1MemoryStat:          "total_inactive_file 268435456",
+	}
+	fsContainerCgroupV1NoLimit = map[string]string{
+		procOneCgroup: "0::/docker/aa86ac98959eeedeae0ecb6e0c9ddd8ae8b97a9d0fdccccf7ea7a474f4e0bb1f",
+		procMounts: `overlay / overlay rw,relatime,lowerdir=/some/path:/some/path,upperdir=/some/path:/some/path,workdir=/some/path:/some/path 0 0
+proc /proc/sys proc ro,nosuid,nodev,noexec,relatime 0 0`,
+		cgroupV1CPUAcctUsage:        "0",
+		cgroupV1CFSQuotaUs:          "-1",
+		cgroupV1CFSPeriodUs:         "100000",
+		cgroupV1MemoryMaxUsageBytes: "1073741824",
+		cgroupV1MemoryUsageBytes:    "536870912",
+		cgroupV1MemoryStat:          "total_inactive_file 268435456",
+	}
+)
--- a/Show More
+++ b/Show More