docs: update example coder.conf file (#6319 )

Updated example configuration file to match the configuration in tutorial.
docs: clearer postgres sizing recommendations (#6302 )
2023-03-02 09:55:50 -06:00 · 2023-03-02 15:53:55 +00:00 · 2023-03-02 08:06:00 -06:00 · 2023-03-02 13:24:44 +00:00 · 2023-03-02 14:11:16 +01:00 · 2023-03-01 23:28:56 -06:00
5796 changed files with 226131 additions and 42730 deletions
@@ -0,0 +1,83 @@
+FROM ubuntu
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+ENV EDITOR=vim
+
+RUN apt-get update && apt-get upgrade --yes
+
+RUN apt-get install --yes \
+	ca-certificates \
+	bash-completion \
+	build-essential \
+	curl \
+	cmake \
+	direnv \
+	emacs-nox \
+	gnupg \
+	htop \
+	jq \
+	less \
+	lsb-release \
+	lsof \
+	man-db \
+	nano \
+	neovim \
+	ssl-cert \
+	sudo \
+	unzip \
+	xz-utils \
+	zip
+
+# configure locales to UTF8
+RUN apt-get install locales && locale-gen en_US.UTF-8
+ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'
+
+# configure direnv
+RUN direnv hook bash >> $HOME/.bashrc
+
+# install nix
+RUN sh <(curl -L https://nixos.org/nix/install) --daemon
+
+RUN mkdir -p $HOME/.config/nix $HOME/.config/nixpkgs \
+	&& echo 'sandbox = false' >> $HOME/.config/nix/nix.conf \
+	&& echo '{ allowUnfree = true; }' >> $HOME/.config/nixpkgs/config.nix \
+	&& echo '. $HOME/.nix-profile/etc/profile.d/nix.sh' >> $HOME/.bashrc
+
+
+# install docker and configure daemon to use vfs as GitHub codespaces requires vfs
+# https://github.com/moby/moby/issues/13742#issuecomment-725197223
+RUN mkdir -p /etc/apt/keyrings \
+	&& curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+	&& echo \
+	"deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
+	$(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null \
+	&& apt-get update \
+	&& apt-get install --yes docker-ce docker-ce-cli containerd.io docker-compose-plugin \
+	&& mkdir -p /etc/docker \
+	&& echo '{"cgroup-parent":"/actions_job","storage-driver":"vfs"}' >> /etc/docker/daemon.json
+
+# install golang and language tooling
+ENV GO_VERSION=1.20
+ENV GOPATH=$HOME/go-packages
+ENV GOROOT=$HOME/go
+ENV PATH=$GOROOT/bin:$GOPATH/bin:$PATH
+RUN curl -fsSL https://dl.google.com/go/go$GO_VERSION.linux-amd64.tar.gz | tar xzs
+RUN echo 'export PATH=$GOPATH/bin:$PATH' >> $HOME/.bashrc
+
+RUN bash -c ". $HOME/.bashrc \
+	go install -v golang.org/x/tools/gopls@latest \
+	&& go install -v mvdan.cc/sh/v3/cmd/shfmt@latest \
+	&& go install -v github.com/mikefarah/yq/v4@v4.30.6 \
+	"
+
+# install nodejs
+RUN bash -c "$(curl -fsSL https://deb.nodesource.com/setup_14.x)" \
+	&& apt-get install -y nodejs
+
+# install zstd
+RUN bash -c "$(curl -fsSL https://raw.githubusercontent.com/horta/zstd.install/main/install)"
+
+# install nfpm
+RUN echo 'deb [trusted=yes] https://repo.goreleaser.com/apt/ /' | sudo tee /etc/apt/sources.list.d/goreleaser.list \
+	&& apt update \
+	&& apt install nfpm
@@ -0,0 +1,24 @@
+// For format details, see https://aka.ms/devcontainer.json
+{
+  "name": "Development environments on your infrastructure",
+
+  // Sets the run context to one level up instead of the .devcontainer folder.
+  "context": ".",
+
+  // Update the 'dockerFile' property if you aren't using the standard 'Dockerfile' filename.
+  "dockerFile": "Dockerfile",
+
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  // "forwardPorts": [],
+
+  "postStartCommand": "dockerd",
+
+  // privileged is required by GitHub codespaces - https://github.com/microsoft/vscode-dev-containers/issues/727
+  "runArgs": [
+    "--cap-add=SYS_PTRACE",
+    "--security-opt",
+    "seccomp=unconfined",
+    "--privileged",
+    "--init"
+  ]
+}
@@ -7,7 +7,7 @@ trim_trailing_whitespace = true
 insert_final_newline = true
 indent_style = tab

-[*.{md,json,yaml,tf,tfvars}]
+[*.{md,json,yaml,yml,tf,tfvars,nix}]
 indent_style = space
 indent_size = 2

@@ -1,4 +1,6 @@
 # Generated files
+coderd/apidoc/docs.go linguist-generated=true
+coderd/apidoc/swagger.json linguist-generated=true
 coderd/database/dump.sql linguist-generated=true
 peerbroker/proto/*.go linguist-generated=true
 provisionerd/proto/*.go linguist-generated=true
@@ -1 +1,3 @@
-site/ @coder/frontend
+docs/ @coder/docs
+README.md @coder/docs
+ADOPTERS.md @coder/docs
@@ -1,9 +0,0 @@
-<!--- Provide a general summary of the issue in the Title above -->
-
-## Expected Behavior
-
-<!--- Tell us what should happen -->
-
-## Current Behavior
-
-<!--- Tell us what happens instead of the expected behavior -->
@@ -9,14 +9,17 @@ github_checks:
  annotations: false

 coverage:
+  range: 50..75
+  round: down
+  precision: 2
  status:
    patch:
      default:
        informational: yes
    project:
      default:
-        target: 70%
-        informational: yes
+        target: 65%
+        informational: true

 ignore:
  # This is generated code.
@@ -34,3 +37,7 @@ ignore:
  - scripts
  - site/.storybook
  - rules.go
+  # Packages used for writing tests.
+  - cli/clitest
+  - coderd/coderdtest
+  - pty/ptytest
@@ -3,7 +3,7 @@ updates:
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    labels: []
@@ -28,23 +28,32 @@ updates:
  - package-ecosystem: "gomod"
    directory: "/"
    schedule:
-      interval: "weekly"
-      time: "06:00"
-      timezone: "America/Chicago"
-    commit-message:
-      prefix: "chore"
-    labels: []
-
-  - package-ecosystem: "npm"
-    directory: "/site/"
-    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
      prefix: "chore"
    labels: []
    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
+
+  - package-ecosystem: "npm"
+    directory: "/site/"
+    schedule:
+      interval: "monthly"
+      time: "06:00"
+      timezone: "America/Chicago"
+    commit-message:
+      prefix: "chore"
+    labels: []
+    ignore:
+      # Ignore patch updates for all dependencies
+      - dependency-name: "*"
+        update-types:
+          - version-update:semver-patch
      # Ignore major updates to Node.js types, because they need to
      # correspond to the Node.js engine version
      - dependency-name: "@types/node"
@@ -54,7 +63,7 @@ updates:
  - package-ecosystem: "terraform"
    directory: "/examples/templates"
    schedule:
-      interval: "weekly"
+      interval: "monthly"
      time: "06:00"
      timezone: "America/Chicago"
    commit-message:
@@ -1,13 +1,3 @@
-<!-- Help reviewers by listing the subtasks in this PR
-
-Here's an example:
-
-This PR adds a new feature to the CLI.
-
-## Subtasks
-
- [x] added a test for feature
-
-Fixes #345
-
+<!--
+Check if your change requires documentation edits before merging: https://coder.com/docs/coder. Make edits in `docs/`.
 -->
@@ -1,56 +0,0 @@
-###############################################################################
-# This file configures "Semantic Pull Requests", which is documented here:
-# https://github.com/zeke/semantic-pull-requests
-#
-# This action/spec implements the "Conventional Commits" RFC which is
-# available here:
-# https://www.notion.so/coderhq/Conventional-commits-1d51287f58b64026bb29393f277734ed
-###############################################################################
-
-# We have no valid scopes right now.
-# A scope should be added when commits aren't aligning with associated change anymore.
-scopes:
-
-# We only check that the PR title is semantic. The PR title is automatically
-# applied to the "Squash & Merge" flow as the suggested commit message, so this
-# should suffice unless someone drastically alters the message in that flow.
-titleOnly: true
-
-# Types are the 'tag' types in a commit or PR title. For example, in
-#
-# chore: fix thing
-#
-# 'chore' is the type.
-types:
-  # A build of any kind.
-  - build
-
-  # Any code task that operates outside of CI, docs, or the product. Examples
-  # include configurations, linters etc.
-  - chore
-
-  # Any work performed on CI.
-  - ci
-  
-  - example
-
-  # Work that directly implements or supports the implementation of a feature.
-  - feat
-
-  # A fix for either a released or unrelesed bug.
-  - fix
-
-  # A fix for a released bug (regression fix) that is intended for patch-release
-  # purposes.
-  - hotfix
-
-  # A refactor changes code structure without any behavioral change.
-  - refactor
-
-  # A git revert for any style of commit.
-  - revert
-
-  # Adding tests of any kind. Should be separate from feature or fix
-  # implementations. For example, if a commit adds a fix + test, it's a fix
-  # commit. If a commit is simply bumping coverage, it's a test commit.
-  - test
@@ -1,12 +0,0 @@
-# Number of days of inactivity before an issue becomes stale
-daysUntilStale: 60
-# Number of days of inactivity before a stale issue is closed
-daysUntilClose: 7
-# Label to apply when stale.
-staleLabel: stale
-# Comment to post when marking an issue as stale. Set to `false` to disable
-markComment: >
-  This issue has been automatically marked as stale because it has not had
-  recent activity. It will be closed if no activity occurs in the next 5 days.
-# Comment to post when closing a stale issue. Set to `false` to disable
-closeComment: false
@@ -1,68 +0,0 @@
-# Note: Chromatic is a separate workflow for coder.yaml as suggested by the
-# chromatic docs. Explicitly, Chromatic works best on 'push' instead of other
-# event types (like pull request), keep in mind that it works build-over-build
-# by storing snapshots.
-#
-# SEE: https://www.chromatic.com/docs/ci
-name: chromatic
-
-# REMARK: We want Chromatic to run whenever anything in the FE or its deps
-#         change, including node_modules and generated code. Currently, all
-#         node_modules and generated code live in site. If any of these are
-#         hoisted, we'll want to adjust the paths filter to account for them.
-on:
-  push:
-    paths:
-      - site/**
-    branches:
-      - main
-    tags:
-      - "*"
-
-  pull_request:
-    paths:
-      - site/**
-
-jobs:
-  deploy:
-    # REMARK: this is only used to build storybook and deploy it to Chromatic.
-    runs-on: ubuntu-latest
-
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          # Required by Chromatic for build-over-build history, otherwise we
-          # only get 1 commit on shallow checkout.
-          fetch-depth: 0
-
-      - name: Install dependencies
-        run: cd site && yarn
-
-      # This step is not meant for mainline because any detected changes to
-      # storybook snapshots will require manual approval/review in order for
-      # the check to pass. This is desired in PRs, but not in mainline.
-      - name: Publish to Chromatic (non-mainline)
-        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@v1
-        with:
-          buildScriptName: "storybook:build"
-          exitOnceUploaded: true
-          # Chromatic states its fine to make this token public. See:
-          # https://www.chromatic.com/docs/github-actions#forked-repositories
-          projectToken: 695c25b6cb65
-          workingDir: "./site"
-
-      # This is a separate step for mainline only that auto accepts and changes
-      # instead of holding CI up. Since we squash/merge, this is defensive to
-      # avoid the same changeset from requiring review once squashed into
-      # main. Chromatic is supposed to be able to detect that we use squash
-      # commits, but it's good to be defensive in case, otherwise CI remains
-      # infinitely "in progress" in mainline unless we re-review each build.
-      - name: Publish to Chromatic (mainline)
-        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
-        uses: chromaui/action@v1
-        with:
-          autoAcceptChanges: true
-          buildScriptName: "storybook:build"
-          projectToken: 695c25b6cb65
-          workingDir: "./site"
@@ -0,0 +1,646 @@
+name: ci
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+
+  workflow_dispatch:
+
+permissions:
+  actions: none
+  checks: none
+  contents: read
+  deployments: none
+  issues: none
+  packages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  lint:
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+
+      # Install Go!
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      # Check for any typos!
+      - name: Check for typos
+        uses: crate-ci/typos@v1.13.14
+        with:
+          config: .github/workflows/typos.toml
+      - name: Fix the typos
+        if: ${{ failure() }}
+        run: |
+          echo "::notice:: you can automatically fix typos from your CLI:
+          cargo install typos-cli
+          typos -c .github/workflows/typos.toml -w"
+
+      # Check for Go linting errors!
+      - name: Lint Go
+        uses: golangci/golangci-lint-action@v3.3.1
+        with:
+          version: v1.51.0
+
+      - name: Lint shell scripts
+        uses: ludeeus/action-shellcheck@2.0.0
+        env:
+          SHELLCHECK_OPTS: --external-sources
+        with:
+          ignore: node_modules
+
+      # Lint our dashboard!
+      - name: Cache node_modules
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+      - name: Lint TypeScript
+        run: yarn lint
+        working-directory: site
+
+      # Make sure the Helm chart is linted!
+      - name: Install helm
+        uses: azure/setup-helm@v3
+        with:
+          version: v3.9.2
+      - name: Lint Helm chart
+        run: |
+          cd helm
+          make lint
+
+      # Ensure AGPL and Enterprise are separated!
+      - name: Check for AGPL code importing Enterprise...
+        run: ./scripts/check_enterprise_imports.sh
+
+  changes:
+    runs-on: ubuntu-latest
+    outputs:
+      docs-only: ${{ steps.filter.outputs.docs_count == steps.filter.outputs.all_count }}
+      sh: ${{ steps.filter.outputs.sh }}
+      ts: ${{ steps.filter.outputs.ts }}
+      k8s: ${{ steps.filter.outputs.k8s }}
+    steps:
+      - uses: actions/checkout@v3
+      # For pull requests it's not necessary to checkout the code
+      - uses: dorny/paths-filter@v2
+        id: filter
+        with:
+          filters: |
+            all:
+              - '**'
+            docs:
+              - 'docs/**'
+              # For testing:
+              # - '.github/**'
+            sh:
+              - "**.sh"
+            ts:
+              - 'site/**'
+            k8s:
+              - 'helm/**'
+              - scripts/Dockerfile
+              - scripts/Dockerfile.base
+              - scripts/helm.sh
+      - id: debug
+        run: |
+          echo "${{ toJSON(steps.filter )}}"
+
+  gen:
+    timeout-minutes: 8
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    needs: changes
+    if: needs.changes.outputs.docs-only == 'false'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
+          key: ${{ github.job }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ github.job }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install sqlc
+        run: |
+          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.16.0/sqlc_1.16.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
+      - name: Install protoc-gen-go
+        run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
+      - name: Install protoc-gen-go-drpc
+        run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+      - name: Install yq
+        run: go run github.com/mikefarah/yq/v4@v4.30.6
+
+      - name: Install Protoc
+        run: |
+          # protoc must be in lockstep with our dogfood Dockerfile
+          # or the version in the comments will differ.
+          set -x
+          cd dogfood
+          DOCKER_BUILDKIT=1 docker build . --target proto -t protoc
+          protoc_path=/usr/local/bin/protoc
+          docker run --rm --entrypoint cat protoc /tmp/bin/protoc > $protoc_path
+          chmod +x $protoc_path
+          protoc --version
+
+      - name: make gen
+        run: "make --output-sync -j -B gen"
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh
+
+  fmt:
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+          submodules: true
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+
+      - name: Install shfmt
+        run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
+
+      - name: make fmt
+        run: |
+          export PATH=${PATH}:$(go env GOPATH)/bin
+          make --output-sync -j -B fmt
+
+      - name: Check for unstaged files
+        run: ./scripts/check_unstaged.sh
+
+  test-go:
+    runs-on: ${{ matrix.os == 'ubuntu-latest' && github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' ||  matrix.os == 'windows-2022' && github.repository_owner == 'coder' && 'windows-latest-8-cores'|| matrix.os }}
+    timeout-minutes: 20
+    strategy:
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+          - windows-2022
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      # Sadly the new "set output" syntax (of writing env vars to
+      # $GITHUB_OUTPUT) does not work on both powershell and bash so we use the
+      # deprecated syntax here.
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "::set-output name=GOCACHE::$(go env GOCACHE)"
+          echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)"
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.9.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          repo: gotestyourself/gotestsum
+          tag: v1.9.0
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.1.9
+          terraform_wrapper: false
+
+      - name: Test with Mock Database
+        id: test
+        shell: bash
+        run: |
+          # Code coverage is more computationally expensive and also
+          # prevents test caching, so we disable it on alternate operating
+          # systems.
+          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
+            echo "cover=true" >> $GITHUB_OUTPUT
+            export COVERAGE_FLAGS='-covermode=atomic -coverprofile="gotests.coverage" -coverpkg=./...'
+          else
+            echo "cover=false" >> $GITHUB_OUTPUT
+          fi
+
+          gotestsum --junitfile="gotests.xml" --packages="./..." -- -parallel=8 -timeout=5m -short -failfast $COVERAGE_FLAGS
+
+      - uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: gotests-${{ matrix.os }}.xml
+          path: ./gotests.xml
+          retention-days: 30
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: steps.test.outputs.cover && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./gotests.coverage
+          flags: unittest-go-${{ matrix.os }}
+
+  test-go-psql:
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    # This timeout must be greater than the timeout set by `go test` in
+    # `make test-postgres` to ensure we receive a trace of running
+    # goroutines. Setting this to the timeout +5m should work quite well
+    # even if some of the preceding steps are slow.
+    timeout-minutes: 25
+    steps:
+      - uses: actions/checkout@v3
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum', '**/**.go') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Install gotestsum
+        uses: jaxxstorm/action-install-gh-release@v1.9.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          repo: gotestyourself/gotestsum
+          tag: v1.9.0
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.1.9
+          terraform_wrapper: false
+
+      - name: Test with PostgreSQL Database
+        run: |
+          make test-postgres
+
+      - uses: actions/upload-artifact@v3
+        if: success() || failure()
+        with:
+          name: gotests-postgres.xml
+          path: ./gotests.xml
+          retention-days: 30
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./gotests.coverage
+          flags: unittest-go-postgres-linux
+
+  deploy:
+    name: "deploy"
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    timeout-minutes: 30
+    needs: changes
+    if: |
+      github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
+      && needs.changes.outputs.docs-only == 'false'
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
+          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com
+
+      - name: Set up Google Cloud SDK
+        uses: google-github-actions/setup-gcloud@v1
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
+          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-release-node-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install goimports
+        run: go install golang.org/x/tools/cmd/goimports@latest
+      - name: Install nfpm
+        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
+
+      - name: Install zstd
+        run: sudo apt-get install -y zstd
+
+      - name: Build Release
+        run: |
+          set -euo pipefail
+          go mod download
+
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_windows_amd64.zip \
+            build/coder_"$version"_linux_amd64.{tar.gz,deb}
+
+      - name: Install Release
+        run: |
+          gcloud config set project coder-dogfood
+          gcloud config set compute/zone us-central1-a
+          gcloud compute scp ./build/coder_*_linux_amd64.deb coder:/tmp/coder.deb
+          gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
+          gcloud compute ssh coder -- sudo systemctl daemon-reload
+
+      - name: Start
+        run: gcloud compute ssh coder -- sudo service coder restart
+
+      - uses: actions/upload-artifact@v3
+        with:
+          name: coder
+          path: |
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.deb
+          retention-days: 7
+
+  test-js:
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "16.16.0"
+
+      - name: Install node_modules
+        run: ./scripts/yarn_install.sh
+
+      - run: yarn test:ci
+        working-directory: site
+
+      - uses: codecov/codecov-action@v3
+        # This action has a tendency to error out unexpectedly, it has
+        # the `fail_ci_if_error` option that defaults to `false`, but
+        # that is no guarantee, see:
+        # https://github.com/codecov/codecov-action/issues/788
+        continue-on-error: true
+        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: ./site/coverage/lcov.info
+          flags: unittest-js
+
+  test-e2e:
+    needs:
+      - changes
+    if: needs.changes.outputs.docs-only == 'false'
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    timeout-minutes: 20
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-e2e-${{ hashFiles('**/yarn.lock') }}
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      - uses: hashicorp/setup-terraform@v2
+        with:
+          terraform_version: 1.1.9
+          terraform_wrapper: false
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "16.16.0"
+
+      - name: Echo Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOCACHE=$(go env GOCACHE)" >> $GITHUB_OUTPUT
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Build Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
+          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Build
+        run: |
+          sudo npm install -g prettier
+          make -B site/out/index.html
+
+      - run: yarn playwright:install
+        working-directory: site
+
+      - run: yarn playwright:test
+        env:
+          DEBUG: pw:api
+        working-directory: site
+
+      - name: Upload Playwright Failed Tests
+        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
+        uses: actions/upload-artifact@v3
+        with:
+          name: failed-test-videos
+          path: ./site/test-results/**/*.webm
+          retention-days: 7
+
+  chromatic:
+    # REMARK: this is only used to build storybook and deploy it to Chromatic.
+    runs-on: ubuntu-latest
+    needs:
+      - changes
+    if: needs.changes.outputs.ts == 'true'
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          # Required by Chromatic for build-over-build history, otherwise we
+          # only get 1 commit on shallow checkout.
+          fetch-depth: 0
+
+      - uses: actions/setup-node@v3
+        with:
+          node-version: "16.16.0"
+
+      - name: Install dependencies
+        run: cd site && yarn
+
+      # This step is not meant for mainline because any detected changes to
+      # storybook snapshots will require manual approval/review in order for
+      # the check to pass. This is desired in PRs, but not in mainline.
+      - name: Publish to Chromatic (non-mainline)
+        if: github.ref != 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          buildScriptName: "storybook:build"
+          exitOnceUploaded: true
+          # Chromatic states its fine to make this token public. See:
+          # https://www.chromatic.com/docs/github-actions#forked-repositories
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
+
+      # This is a separate step for mainline only that auto accepts and changes
+      # instead of holding CI up. Since we squash/merge, this is defensive to
+      # avoid the same changeset from requiring review once squashed into
+      # main. Chromatic is supposed to be able to detect that we use squash
+      # commits, but it's good to be defensive in case, otherwise CI remains
+      # infinitely "in progress" in mainline unless we re-review each build.
+      - name: Publish to Chromatic (mainline)
+        if: github.ref == 'refs/heads/main' && github.repository_owner == 'coder'
+        uses: chromaui/action@v1
+        with:
+          autoAcceptChanges: true
+          buildScriptName: "storybook:build"
+          projectToken: 695c25b6cb65
+          workingDir: "./site"
@@ -1,521 +0,0 @@
-name: coder
-
-on:
-  push:
-    branches:
-      - main
-    tags:
-      - "*"
-
-  pull_request:
-
-  workflow_dispatch:
-
-permissions:
-  actions: none
-  checks: none
-  contents: read
-  deployments: none
-  issues: none
-  packages: none
-  pull-requests: none
-  repository-projects: none
-  security-events: none
-  statuses: none
-
-# Cancel in-progress runs for pull requests when developers push
-# additional changes
-concurrency:
-  group: ${{ github.workflow }}-${{ github.ref }}
-  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
-
-jobs:
-  style-lint-golangci:
-    name: style/lint/golangci
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-      - name: golangci-lint
-        uses: golangci/golangci-lint-action@v3.2.0
-        with:
-          version: v1.46.0
-
-  style-lint-shellcheck:
-    name: style/lint/shellcheck
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-      - name: Run ShellCheck
-        uses: ludeeus/action-shellcheck@1.1.0
-        env:
-          SHELLCHECK_OPTS: --external-sources
-        with:
-          ignore: node_modules
-
-  style-lint-typescript:
-    name: "style/lint/typescript"
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - name: "yarn lint"
-        run: yarn lint
-        working-directory: site
-
-  gen:
-    name: "style/gen"
-    timeout-minutes: 5
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - name: Install Protoc
-        uses: arduino/setup-protoc@v1
-        with:
-          version: "3.20.0"
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-      - run: |
-          curl -sSL https://github.com/kyleconroy/sqlc/releases/download/v1.13.0/sqlc_1.13.0_linux_amd64.tar.gz | sudo tar -C /usr/bin -xz sqlc
-
-      - run: go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.26
-      - run: go install storj.io/drpc/cmd/protoc-gen-go-drpc@v0.0.26
-      - run: go install golang.org/x/tools/cmd/goimports@latest
-      - run: "make --output-sync -j -B gen"
-      - run: ./scripts/check_unstaged.sh
-
-  style-fmt:
-    name: "style/fmt"
-    runs-on: ubuntu-latest
-    timeout-minutes: 5
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          submodules: true
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - name: Install shfmt
-        run: go install mvdan.cc/sh/v3/cmd/shfmt@v3.5.0
-
-      - run: |
-          export PATH=${PATH}:$(go env GOPATH)/bin
-          make --output-sync -j -B fmt
-
-  test-go:
-    name: "test/go"
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 20
-    strategy:
-      matrix:
-        os:
-          - ubuntu-latest
-          - macos-latest
-          - windows-2022
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Install gotestsum
-        uses: jaxxstorm/action-install-gh-release@v1.7.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          repo: gotestyourself/gotestsum
-          tag: v1.7.0
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.9
-          terraform_wrapper: false
-
-      - name: Test with Mock Database
-        shell: bash
-        run: gotestsum --junitfile="gotests.xml" --packages="./..." --
-          -covermode=atomic -coverprofile="gotests.coverage"
-          -coverpkg=./...,github.com/coder/coder/codersdk
-          -timeout=5m -short -failfast
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: fake
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
-
-      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./gotests.coverage
-          flags: unittest-go-${{ matrix.os }}
-          # this flakes and sometimes fails the build
-          fail_ci_if_error: false
-
-  test-go-postgres:
-    name: "test/go/postgres"
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Install gotestsum
-        uses: jaxxstorm/action-install-gh-release@v1.7.1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          repo: gotestyourself/gotestsum
-          tag: v1.7.0
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.9
-          terraform_wrapper: false
-
-      - name: Test with PostgreSQL Database
-        run: make test-postgres
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_DATABASE: postgresql
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go gotests.xml
-
-      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./gotests.coverage
-          flags: unittest-go-postgres-${{ matrix.os }}
-          # this flakes and sometimes fails the build
-          fail_ci_if_error: false
-
-  deploy:
-    name: "deploy"
-    runs-on: ubuntu-latest
-    timeout-minutes: 30
-    if: github.ref == 'refs/heads/main' && !github.event.pull_request.head.repo.fork
-    permissions:
-      contents: read
-      id-token: write
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      - name: Authenticate to Google Cloud
-        uses: google-github-actions/auth@v0
-        with:
-          workload_identity_provider: projects/573722524737/locations/global/workloadIdentityPools/github/providers/github
-          service_account: coder-ci@coder-dogfood.iam.gserviceaccount.com
-
-      - name: Set up Google Cloud SDK
-        uses: google-github-actions/setup-gcloud@v0
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-release-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-release-node-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install nfpm
-        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
-
-      - name: Install zstd
-        run: sudo apt-get install -y zstd
-
-      - name: Build site
-        run: make -B site/out/index.html
-
-      - name: Build Release
-        run: |
-          set -euo pipefail
-          go mod download
-
-          mkdir -p ./dist
-          # build slim binaries
-          ./scripts/build_go_slim.sh \
-            --output ./dist/ \
-            --compress 22 \
-            linux:amd64,armv7,arm64 \
-            windows:amd64,arm64 \
-            darwin:amd64,arm64
-
-          # build linux amd64 packages
-          ./scripts/build_go_matrix.sh \
-            --output ./dist/ \
-            --package-linux \
-            linux:amd64
-
-      - name: Install Release
-        run: |
-          gcloud config set project coder-dogfood
-          gcloud config set compute/zone us-central1-a
-          gcloud compute scp ./dist/coder_*_linux_amd64.deb coder:/tmp/coder.deb
-          gcloud compute ssh coder -- sudo dpkg -i --force-confdef /tmp/coder.deb
-          gcloud compute ssh coder -- sudo systemctl daemon-reload
-
-      - name: Start
-        run: gcloud compute ssh coder -- sudo service coder restart
-
-      - uses: actions/upload-artifact@v3
-        with:
-          name: coder
-          path: |
-            ./dist/*.zip
-            ./dist/*.tar.gz
-            ./dist/*.apk
-            ./dist/*.deb
-            ./dist/*.rpm
-          retention-days: 7
-
-  test-js:
-    name: "test/js"
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - uses: actions/setup-node@v3
-        with:
-          node-version: "14"
-
-      - name: Install node_modules
-        run: ./scripts/yarn_install.sh
-
-      - run: yarn test:coverage
-        working-directory: site
-
-      - uses: codecov/codecov-action@v3
-        if: github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        with:
-          token: ${{ secrets.CODECOV_TOKEN }}
-          files: ./site/coverage/lcov.info
-          flags: unittest-js
-          # this flakes and sometimes fails the build
-          fail_ci_if_error: false
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: unit
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
-
-  test-e2e:
-    name: "test/e2e/${{ matrix.os }}"
-    runs-on: ${{ matrix.os }}
-    timeout-minutes: 20
-    strategy:
-      matrix:
-        os:
-          - ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      # Go is required for uploading the test results to datadog
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - uses: hashicorp/setup-terraform@v2
-        with:
-          terraform_version: 1.1.9
-          terraform_wrapper: false
-
-      - uses: actions/setup-node@v3
-        with:
-          node-version: "14"
-
-      - name: Echo Go Cache Paths
-        id: go-cache-paths
-        run: |
-          echo "::set-output name=go-build::$(go env GOCACHE)"
-          echo "::set-output name=go-mod::$(go env GOMODCACHE)"
-
-      - name: Go Build Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-build }}
-          key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.sum') }}
-
-      - name: Go Mod Cache
-        uses: actions/cache@v3
-        with:
-          path: ${{ steps.go-cache-paths.outputs.go-mod }}
-          key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
-
-      - name: Build
-        run: |
-          make -B site/out/index.html
-
-      - run: yarn playwright:install
-        working-directory: site
-
-      - run: yarn playwright:install-deps
-        working-directory: site
-
-      - run: yarn playwright:test
-        env:
-          DEBUG: pw:api
-        working-directory: site
-
-      - name: Upload DataDog Trace
-        if: always() && github.actor != 'dependabot[bot]' && runner.os == 'Linux' && !github.event.pull_request.head.repo.fork
-        env:
-          DATADOG_API_KEY: ${{ secrets.DATADOG_API_KEY }}
-          DD_CATEGORY: e2e
-          GIT_COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
-        run: go run scripts/datadog-cireport/main.go site/test-results/junit.xml
@@ -0,0 +1,169 @@
+name: contrib
+
+on:
+  issue_comment:
+    types: [created]
+  pull_request_target:
+    types:
+      - opened
+      - closed
+      - synchronize
+      - labeled
+      - unlabeled
+      - opened
+      - reopened
+      - edited
+
+# Only run one instance per PR to ensure in-order execution.
+concurrency: pr-${{ github.ref }}
+
+jobs:
+  # Dependabot is annoying, but this makes it a bit less so.
+  auto-approve:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target'
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: hmarr/auto-approve-action@v3
+        if: github.actor == 'dependabot[bot]'
+
+  cla:
+    runs-on: ubuntu-latest
+    steps:
+      - name: cla
+        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have read the CLA Document and I hereby sign the CLA') || github.event_name == 'pull_request_target'
+        uses: contributor-assistant/github-action@v2.3.0
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # the below token should have repo scope and must be manually added by you in the repository's secret
+          PERSONAL_ACCESS_TOKEN: ${{ secrets.CDRCOMMUNITY_GITHUB_TOKEN }}
+        with:
+          remote-organization-name: "coder"
+          remote-repository-name: "cla"
+          path-to-signatures: "v2022-09-04/signatures.json"
+          path-to-document: "https://github.com/coder/cla/blob/main/README.md"
+          # branch should not be protected
+          branch: "main"
+          allowlist: dependabot*
+
+  title:
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request_target'
+    steps:
+      - name: Validate PR title
+        uses: amannn/action-semantic-pull-request@v5
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          requireScope: false
+
+  release-labels:
+    runs-on: ubuntu-latest
+    # Depend on lint so that title is Conventional Commits-compatible.
+    needs: [title]
+    # Skip tagging for draft PRs.
+    if: ${{ github.event_name == 'pull_request_target' && success() && !github.event.pull_request.draft }}
+    steps:
+      - uses: actions/github-script@v6
+        with:
+          # This script ensures PR title and labels are in sync:
+          #
+          # When release/breaking label is:
+          # - Added, rename PR title to include ! (e.g. feat!:)
+          # - Removed, rename PR title to strip ! (e.g. feat:)
+          #
+          # When title is:
+          # - Renamed (+!), add the release/breaking label
+          # - Renamed (-!), remove the release/breaking label
+          script: |
+            const releaseLabels = {
+              breaking: "release/breaking",
+            }
+
+            const { action, changes, label, pull_request } = context.payload
+            const { title } = pull_request
+            const labels = pull_request.labels.map((label) => label.name)
+            const isBreakingTitle = isBreaking(title)
+
+            // Debug information.
+            console.log("Action: %s", action)
+            console.log("Title: %s", title)
+            console.log("Labels: %s", labels.join(", "))
+
+            const params = {
+              issue_number: context.issue.number,
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+            }
+
+            if (action === "opened" || action === "reopened") {
+              if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
+                console.log('Add "%s" label', releaseLabels.breaking)
+                await github.rest.issues.addLabels({
+                  ...params,
+                  labels: [releaseLabels.breaking],
+                })
+              }
+            }
+
+            if (action === "edited" && changes.title) {
+              if (isBreakingTitle && !labels.includes(releaseLabels.breaking)) {
+                console.log('Add "%s" label', releaseLabels.breaking)
+                await github.rest.issues.addLabels({
+                  ...params,
+                  labels: [releaseLabels.breaking],
+                })
+              }
+
+              if (!isBreakingTitle && labels.includes(releaseLabels.breaking)) {
+                const wasBreakingTitle = isBreaking(changes.title.from)
+                if (wasBreakingTitle) {
+                  console.log('Remove "%s" label', releaseLabels.breaking)
+                  await github.rest.issues.removeLabel({
+                    ...params,
+                    name: releaseLabels.breaking,
+                  })
+                } else {
+                  console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
+                  await github.rest.issues.update({
+                    ...params,
+                    title: toBreaking(title),
+                  })
+                }
+              }
+            }
+
+            if (action === "labeled") {
+              if (label.name === releaseLabels.breaking && !isBreakingTitle) {
+                console.log('Rename title from "%s" to "%s"', title, toBreaking(title))
+                await github.rest.issues.update({
+                  ...params,
+                  title: toBreaking(title),
+                })
+              }
+            }
+
+            if (action === "unlabeled") {
+              if (label.name === releaseLabels.breaking && isBreakingTitle) {
+                console.log('Rename title from "%s" to "%s"', title, fromBreaking(title))
+                await github.rest.issues.update({
+                  ...params,
+                  title: fromBreaking(title),
+                })
+              }
+            }
+
+            function isBreaking(t) {
+              return t.split(" ")[0].endsWith("!:")
+            }
+
+            function toBreaking(t) {
+              const parts = t.split(" ")
+              return [parts[0].replace(/:$/, "!:"), ...parts.slice(1)].join(" ")
+            }
+
+            function fromBreaking(t) {
+              const parts = t.split(" ")
+              return [parts[0].replace(/!:$/, ":"), ...parts.slice(1)].join(" ")
+            }
@@ -0,0 +1,90 @@
+name: docker-base
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - scripts/Dockerfile.base
+      - scripts/Dockerfile
+
+  schedule:
+    # Run every week at 09:43 on Monday, Wednesday and Friday. We build this
+    # frequently to ensure that packages are up-to-date.
+    - cron: "43 9 * * 1,3,5"
+
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for depot.dev authentication.
+  id-token: write
+
+# Avoid running multiple jobs for the same commit.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-docker-base
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: github.repository_owner == 'coder'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Docker login
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Create empty base-build-context directory
+        run: mkdir base-build-context
+
+      - name: Install depot.dev CLI
+        uses: depot/setup-action@v1
+
+      # This uses OIDC authentication, so no auth variables are required.
+      - name: Build base Docker image via depot.dev
+        uses: depot/build-push-action@v1
+        with:
+          project: wl5hnrrkns
+          context: base-build-context
+          file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          pull: true
+          no-cache: true
+          push: true
+          tags: |
+            ghcr.io/coder/coder-base:latest
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw ghcr.io/coder/coder-base:latest) || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7
@@ -0,0 +1,73 @@
+name: dogfood
+
+on:
+  push:
+    branches:
+      - main
+    paths:
+      - "dogfood/**"
+  pull_request:
+    paths:
+      - "dogfood/**"
+  workflow_dispatch:
+
+jobs:
+  deploy_image:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Get branch name
+        id: branch-name
+        uses: tj-actions/branch-names@v6.4
+
+      - name: "Branch name to Docker tag name"
+        id: docker-tag-name
+        run: |
+          tag=${{ steps.branch-name.outputs.current_branch }}
+          # Replace / with --, e.g. user/feature => user--feature.
+          tag=${tag//\//--}
+          echo "tag=${tag}" >> $GITHUB_OUTPUT
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to DockerHub
+        uses: docker/login-action@v2
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+
+      - name: Build and push
+        uses: docker/build-push-action@v4
+        with:
+          context: "{{defaultContext}}:dogfood"
+          push: true
+          tags: "codercom/oss-dogfood:${{ steps.docker-tag-name.outputs.tag }},codercom/oss-dogfood:latest"
+          cache-from: type=registry,ref=codercom/oss-dogfood:latest
+          cache-to: type=inline
+  deploy_template:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Get short commit SHA
+        id: vars
+        run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
+      - name: "Install latest Coder"
+        run: |
+          curl -L https://coder.com/install.sh | sh
+        # env:
+        #   VERSION: 0.x
+      - name: "Push template"
+        run: |
+          coder templates push $CODER_TEMPLATE_NAME --directory $CODER_TEMPLATE_DIR --yes --name=$CODER_TEMPLATE_VERSION
+        env:
+          # Consumed by Coder CLI
+          CODER_URL: https://dev.coder.com
+          CODER_SESSION_TOKEN: ${{ secrets.CODER_SESSION_TOKEN }}
+          # Template source & details
+          CODER_TEMPLATE_NAME: ${{ secrets.CODER_TEMPLATE_NAME }}
+          CODER_TEMPLATE_VERSION: ${{ steps.vars.outputs.sha_short }}
+          CODER_TEMPLATE_DIR: ./dogfood
@@ -0,0 +1,22 @@
+{
+  "ignorePatterns": [
+    {
+      "pattern": "://localhost"
+    },
+    {
+      "pattern": "://.*.?example\\.com"
+    },
+    {
+      "pattern": "developer.github.com"
+    },
+    {
+      "pattern": "docs.github.com"
+    },
+    {
+      "pattern": "support.google.com"
+    },
+    {
+      "pattern": "tailscale.com"
+    }
+  ]
+}
@@ -0,0 +1,16 @@
+# Filtering pull requests is much easier when we can reliably guarantee
+# that the "Assignee" field is populated.
+name: PR Auto Assign
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  pull-requests: write
+
+jobs:
+  assign-author:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: toshimaru/auto-author-assign@v1.6.2
@@ -1,35 +1,43 @@
 # GitHub release workflow.
-#
-# This workflow is a bit complicated because we have to build darwin binaries on
-# a mac runner, but the mac runners are extremely slow. So instead of running
-# the entire release on a mac (which will take an hour to run), we run only the
-# mac build on a mac, and the rest on a linux runner. The final release is then
-# published using a final linux runner.
-name: release
+name: Release
 on:
  push:
    tags:
      - "v*"
  workflow_dispatch:
    inputs:
-      snapshot:
-        description: Force a dev version to be generated, implies dry_run.
-        type: boolean
-        required: true
      dry_run:
-        description: Perform a dry-run release.
+        description: Perform a dry-run release (devel). Note that ref must be an annotated tag when run without dry-run.
        type: boolean
        required: true
+        default: false
+
+permissions:
+  # Required to publish a release
+  contents: write
+  # Necessary to push docker images to ghcr.io.
+  packages: write
+  # Necessary for GCP authentication (https://github.com/google-github-actions/setup-gcloud#usage)
+  id-token: write
+
+concurrency: ${{ github.workflow }}-${{ github.ref }}

 env:
-  CODER_RELEASE: ${{ github.event.inputs.snapshot && 'false' || 'true' }}
+  # Use `inputs` (vs `github.event.inputs`) to ensure that booleans are actual
+  # booleans, not strings.
+  # https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/
+  CODER_RELEASE: ${{ !inputs.dry_run }}
+  CODER_DRY_RUN: ${{ inputs.dry_run }}

 jobs:
-  linux-windows:
-    runs-on: ubuntu-latest
+  release:
+    name: Build and publish
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
    env:
      # Necessary for Docker manifest
      DOCKER_CLI_EXPERIMENTAL: "enabled"
+    outputs:
+      version: ${{ steps.version.outputs.version }}
    steps:
      - uses: actions/checkout@v3
        with:
@@ -43,16 +51,48 @@ jobs:
      - name: Fetch git tags
        run: git fetch --tags --force

+      - name: Print version
+        id: version
+        run: |
+          set -euo pipefail
+          version="$(./scripts/version.sh)"
+          echo "version=$version" >> $GITHUB_OUTPUT
+          # Speed up future version.sh calls.
+          echo "CODER_FORCE_VERSION=$version" >> $GITHUB_ENV
+          echo "$version"
+
+      - name: Create release notes
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          # We always have to set this since there might be commits on
+          # main that didn't have a PR.
+          CODER_IGNORE_MISSING_COMMIT_METADATA: "1"
+        run: |
+          set -euo pipefail
+          ref=HEAD
+          old_version="$(git describe --abbrev=0 "$ref^1")"
+          version="$(./scripts/version.sh)"
+
+          # Generate notes.
+          release_notes_file="$(mktemp -t release_notes.XXXXXX)"
+          ./scripts/release/generate_release_notes.sh --old-version "$old_version" --new-version "$version" --ref "$ref" >> "$release_notes_file"
+          echo CODER_RELEASE_NOTES_FILE="$release_notes_file" >> $GITHUB_ENV
+
+      - name: Show release notes
+        run: |
+          set -euo pipefail
+          cat "$CODER_RELEASE_NOTES_FILE"
+
      - name: Docker Login
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
-          username: ${{ github.repository_owner }}
+          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/setup-go@v3
        with:
-          go-version: "~1.18"
+          go-version: "~1.20"

      - name: Cache Node
        id: cache-node
@@ -65,52 +105,132 @@ jobs:
          restore-keys: |
            js-${{ runner.os }}-

+      - name: Install nsis and zstd
+        run: sudo apt-get install -y nsis zstd
+
      - name: Install nfpm
-        run: go install github.com/goreleaser/nfpm/v2/cmd/nfpm@v2.16.0
+        run: |
+          set -euo pipefail
+          wget -O /tmp/nfpm.deb https://github.com/goreleaser/nfpm/releases/download/v2.18.1/nfpm_amd64.deb
+          sudo dpkg -i /tmp/nfpm.deb
+          rm /tmp/nfpm.deb

-      - name: Install zstd
-        run: sudo apt-get install -y zstd
+      - name: Install rcodesign
+        run: |
+          set -euo pipefail
+          wget -O /tmp/rcodesign.tar.gz https://github.com/indygreg/apple-platform-rs/releases/download/apple-codesign%2F0.22.0/apple-codesign-0.22.0-x86_64-unknown-linux-musl.tar.gz
+          sudo tar -xzf /tmp/rcodesign.tar.gz \
+            -C /usr/bin \
+            --strip-components=1 \
+            apple-codesign-0.22.0-x86_64-unknown-linux-musl/rcodesign
+          rm /tmp/rcodesign.tar.gz

-      - name: Build Site
-        run: make site/out/index.html
+      - name: Setup Apple Developer certificate and API key
+        run: |
+          set -euo pipefail
+          touch /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          chmod 600 /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+          echo "$AC_CERTIFICATE_P12_BASE64" | base64 -d > /tmp/apple_cert.p12
+          echo "$AC_CERTIFICATE_PASSWORD" > /tmp/apple_cert_password.txt
+          echo "$AC_APIKEY_P8_BASE64" | base64 -d > /tmp/apple_apikey.p8
+        env:
+          AC_CERTIFICATE_P12_BASE64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
+          AC_CERTIFICATE_PASSWORD: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
+          AC_APIKEY_P8_BASE64: ${{ secrets.AC_APIKEY_P8_BASE64 }}

-      - name: Build Linux and Windows Binaries
+      - name: Build binaries
        run: |
          set -euo pipefail
          go mod download

-          mkdir -p ./dist
-          # build slim binaries
-          ./scripts/build_go_slim.sh \
-            --output ./dist/ \
-            --compress 22 \
-            linux:amd64,armv7,arm64 \
-            windows:amd64,arm64 \
-            darwin:amd64,arm64
+          version="$(./scripts/version.sh)"
+          make gen/mark-fresh
+          make -j \
+            build/coder_"$version"_linux_{amd64,armv7,arm64}.{tar.gz,apk,deb,rpm} \
+            build/coder_"$version"_{darwin,windows}_{amd64,arm64}.zip \
+            build/coder_"$version"_windows_amd64_installer.exe \
+            build/coder_helm_"$version".tgz
+        env:
+          CODER_SIGN_DARWIN: "1"
+          AC_CERTIFICATE_FILE: /tmp/apple_cert.p12
+          AC_CERTIFICATE_PASSWORD_FILE: /tmp/apple_cert_password.txt
+          AC_APIKEY_ISSUER_ID: ${{ secrets.AC_APIKEY_ISSUER_ID }}
+          AC_APIKEY_ID: ${{ secrets.AC_APIKEY_ID }}
+          AC_APIKEY_FILE: /tmp/apple_apikey.p8

-          # build linux and windows binaries
-          ./scripts/build_go_matrix.sh \
-            --output ./dist/ \
-            --archive \
-            --package-linux \
-            linux:amd64,armv7,arm64 \
-            windows:amd64,arm64
+      - name: Delete Apple Developer certificate and API key
+        run: rm -f /tmp/{apple_cert.p12,apple_cert_password.txt,apple_apikey.p8}
+
+      - name: Determine base image tag
+        id: image-base-tag
+        run: |
+          set -euo pipefail
+          if [[ "${CODER_RELEASE:-}" != *t* ]] || [[ "${CODER_DRY_RUN:-}" == *t* ]]; then
+            # Empty value means use the default and avoid building a fresh one.
+            echo "tag=" >> $GITHUB_OUTPUT
+          else
+            echo "tag=$(CODER_IMAGE_BASE=ghcr.io/coder/coder-base ./scripts/image_tag.sh)" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Create empty base-build-context directory
+        if: steps.image-base-tag.outputs.tag != ''
+        run: mkdir base-build-context
+
+      - name: Install depot.dev CLI
+        if: steps.image-base-tag.outputs.tag != ''
+        uses: depot/setup-action@v1
+
+      # This uses OIDC authentication, so no auth variables are required.
+      - name: Build base Docker image via depot.dev
+        if: steps.image-base-tag.outputs.tag != ''
+        uses: depot/build-push-action@v1
+        with:
+          project: wl5hnrrkns
+          context: base-build-context
+          file: scripts/Dockerfile.base
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          pull: true
+          no-cache: true
+          push: true
+          tags: |
+            ${{ steps.image-base-tag.outputs.tag }}
+
+      - name: Verify that images are pushed properly
+        run: |
+          # retry 10 times with a 5 second delay as the images may not be
+          # available immediately
+          for i in {1..10}; do
+            rc=0
+            raw_manifests=$(docker buildx imagetools inspect --raw "${{ steps.image-base-tag.outputs.tag }}") || rc=$?
+            if [[ "$rc" -eq 0 ]]; then
+              break
+            fi
+            if [[ "$i" -eq 10 ]]; then
+              echo "Failed to pull manifests after 10 retries"
+              exit 1
+            fi
+            echo "Failed to pull manifests, retrying in 5 seconds"
+            sleep 5
+          done
+
+          manifests=$(
+            echo "$raw_manifests" | \
+              jq -r '.manifests[].platform | .os + "/" + .architecture + (if .variant then "/" + .variant else "" end)'
+          )
+
+          # Verify all 3 platforms are present.
+          set -euxo pipefail
+          echo "$manifests" | grep -q linux/amd64
+          echo "$manifests" | grep -q linux/arm64
+          echo "$manifests" | grep -q linux/arm/v7

      - name: Build Linux Docker images
        run: |
          set -euxo pipefail

-          # build and (maybe) push Docker images for each architecture
-          images=()
-          for arch in amd64 armv7 arm64; do
-            img="$(
-              ./scripts/build_docker.sh \
-                ${{ (!github.event.inputs.dry_run && !github.event.inputs.snapshot) && '--push' || '' }} \
-                --arch "$arch" \
-                ./dist/coder_*_linux_"$arch"
-            )"
-            images+=("$img")
-          done
+          # build Docker images for each architecture
+          version="$(./scripts/version.sh)"
+          make -j build/coder_"$version"_linux_{amd64,arm64,armv7}.tag

          # we can't build multi-arch if the images aren't pushed, so quit now
          # if dry-running
@@ -119,10 +239,9 @@ jobs:
            exit 0
          fi

-          # build and push multi-arch manifest
-          ./scripts/build_docker_multiarch.sh \
-            --push \
-            "${images[@]}"
+          # build and push multi-arch manifest, this depends on the other images
+          # being pushed so will automatically push them.
+          make -j push/build/coder_"$version"_linux.tag

          # if the current version is equal to the highest (according to semver)
          # version in the repo, also create a multi-arch image as ":latest" and
@@ -131,158 +250,161 @@ jobs:
            ./scripts/build_docker_multiarch.sh \
              --push \
              --target "$(./scripts/image_tag.sh --version latest)" \
-              "${images[@]}"
+              $(cat build/coder_"$version"_linux_{amd64,arm64,armv7}.tag)
          fi
-
-      - name: Upload binary artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: linux
-          path: |
-            dist/*.zip
-            dist/*.tar.gz
-            dist/*.apk
-            dist/*.deb
-            dist/*.rpm
-
-  # The mac binaries get built on mac runners because they need to be signed,
-  # and the signing tool only runs on mac. This darwin job only builds the Mac
-  # binaries and uploads them as job artifacts used by the publish step.
-  darwin:
-    runs-on: macos-latest
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      # If the event that triggered the build was an annotated tag (which our
-      # tags are supposed to be), actions/checkout has a bug where the tag in
-      # question is only a lightweight tag and not a full annotated tag. This
-      # command seems to fix it.
-      # https://github.com/actions/checkout/issues/290
-      - name: Fetch git tags
-        run: git fetch --tags --force
-
-      - uses: actions/setup-go@v3
-        with:
-          go-version: "~1.18"
-
-      - name: Import Signing Certificates
-        uses: Apple-Actions/import-codesign-certs@v1
-        with:
-          p12-file-base64: ${{ secrets.AC_CERTIFICATE_P12_BASE64 }}
-          p12-password: ${{ secrets.AC_CERTIFICATE_PASSWORD }}
-
-      - name: Cache Node
-        id: cache-node
-        uses: actions/cache@v3
-        with:
-          path: |
-            **/node_modules
-            .eslintcache
-          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
-          restore-keys: |
-            js-${{ runner.os }}-
-
-      - name: Install dependencies
-        run: |
-          set -euo pipefail
-          # The version of bash that MacOS ships with is too old
-          brew install bash
-
-          # The version of make that MacOS ships with is too old
-          brew install make
-          echo "$(brew --prefix)/opt/make/libexec/gnubin" >> $GITHUB_PATH
-
-          # BSD getopt is incompatible with the build scripts
-          brew install gnu-getopt
-          echo "$(brew --prefix)/opt/gnu-getopt/bin" >> $GITHUB_PATH
-
-          # Used for notarizing the binaries
-          brew tap mitchellh/gon
-          brew install mitchellh/gon/gon
-
-          # Used for compressing embedded slim binaries
-          brew install zstd
-
-      - name: Build Site
-        run: make site/out/index.html
-
-      - name: Build darwin Binaries (with signatures)
-        run: |
-          set -euo pipefail
-          go mod download
-
-          mkdir -p ./dist
-          # build slim binaries
-          ./scripts/build_go_slim.sh \
-            --output ./dist/ \
-            --compress 22 \
-            linux:amd64,armv7,arm64 \
-            windows:amd64,arm64 \
-            darwin:amd64,arm64
-
-          # build darwin binaries
-          ./scripts/build_go_matrix.sh \
-            --output ./dist/ \
-            --archive \
-            --sign-darwin \
-            darwin:amd64,arm64
        env:
-          AC_USERNAME: ${{ secrets.AC_USERNAME }}
-          AC_PASSWORD: ${{ secrets.AC_PASSWORD }}
-          AC_APPLICATION_IDENTITY: BDB050EB749EDD6A80C6F119BF1382ECA119CCCC
+          CODER_BASE_IMAGE_TAG: ${{ steps.image-base-tag.outputs.tag }}

-      - name: Upload Binary Artifacts
-        uses: actions/upload-artifact@v3
-        with:
-          name: darwin
-          path: ./dist/coder_*.zip
+      - name: ls build
+        run: ls -lh build

-  publish:
-    runs-on: ubuntu-latest
-    needs:
-      - linux-windows
-      - darwin
-    steps:
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-
-      # If the event that triggered the build was an annotated tag (which our
-      # tags are supposed to be), actions/checkout has a bug where the tag in
-      # question is only a lightweight tag and not a full annotated tag. This
-      # command seems to fix it.
-      # https://github.com/actions/checkout/issues/290
-      - name: Fetch git tags
-        run: git fetch --tags --force
-
-      - name: mkdir artifacts
-        run: mkdir artifacts
-
-      - name: Download darwin Artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: darwin
-          path: artifacts
-
-      - name: Download Linux and Windows Artifacts
-        uses: actions/download-artifact@v3
-        with:
-          name: linux
-          path: artifacts
-
-      - name: ls artifacts
-        run: ls artifacts
-
-      - name: Publish Release
+      - name: Publish release
        run: |
-          ./scripts/publish_release.sh \
-            ${{ (github.event.inputs.dry_run || github.event.inputs.snapshot) && '--dry-run' }} \
-            ./artifacts/*.zip \
-            ./artifacts/*.tar.gz \
-            ./artifacts/*.apk \
-            ./artifacts/*.deb \
-            ./artifacts/*.rpm
+          set -euo pipefail
+
+          publish_args=()
+          if [[ $CODER_DRY_RUN == *t* ]]; then
+            publish_args+=(--dry-run)
+          fi
+          declare -p publish_args
+
+          ./scripts/release/publish.sh \
+            "${publish_args[@]}" \
+            --release-notes-file "$CODER_RELEASE_NOTES_FILE" \
+            ./build/*_installer.exe \
+            ./build/*.zip \
+            ./build/*.tar.gz \
+            ./build/*.tgz \
+            ./build/*.apk \
+            ./build/*.deb \
+            ./build/*.rpm
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          CODER_GPG_RELEASE_KEY_BASE64: ${{ secrets.GPG_RELEASE_KEY_BASE64 }}
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_ID_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
+
+      - name: Setup GCloud SDK
+        uses: "google-github-actions/setup-gcloud@v1"
+
+      - name: Publish Helm Chart
+        if: ${{ !inputs.dry_run }}
+        run: |
+          set -euo pipefail
+          version="$(./scripts/version.sh)"
+          mkdir -p build/helm
+          cp "build/coder_helm_${version}.tgz" build/helm
+          gsutil cp gs://helm.coder.com/v2/index.yaml build/helm/index.yaml
+          helm repo index build/helm --url https://helm.coder.com/v2 --merge build/helm/index.yaml
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/coder_helm_${version}.tgz gs://helm.coder.com/v2
+          gsutil -h "Cache-Control:no-cache,max-age=0" cp build/helm/index.yaml gs://helm.coder.com/v2
+
+      - name: Upload artifacts to actions (if dry-run)
+        if: ${{ inputs.dry_run }}
+        uses: actions/upload-artifact@v3
+        with:
+          name: release-artifacts
+          path: |
+            ./build/*_installer.exe
+            ./build/*.zip
+            ./build/*.tar.gz
+            ./build/*.tgz
+            ./build/*.apk
+            ./build/*.deb
+            ./build/*.rpm
+          retention-days: 7
+
+      - name: Start Packer builds
+        if: ${{ !inputs.dry_run }}
+        uses: peter-evans/repository-dispatch@v2
+        with:
+          token: ${{ secrets.CDRCI_GITHUB_TOKEN }}
+          repository: coder/packages
+          event-type: coder-release
+          client-payload: '{"coder_version": "${{ steps.version.outputs.version }}"}'
+
+  publish-winget:
+    name: Publish to winget-pkgs
+    runs-on: windows-latest
+    needs: release
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      # If the event that triggered the build was an annotated tag (which our
+      # tags are supposed to be), actions/checkout has a bug where the tag in
+      # question is only a lightweight tag and not a full annotated tag. This
+      # command seems to fix it.
+      # https://github.com/actions/checkout/issues/290
+      - name: Fetch git tags
+        run: git fetch --tags --force
+
+      - name: Install wingetcreate
+        run: |
+          Invoke-WebRequest https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
+
+      - name: Submit updated manifest to winget-pkgs
+        run: |
+          # The package version is the same as the tag minus the leading "v".
+          # The version in this output already has the leading "v" removed but
+          # we do it again to be safe.
+          $version = "${{ needs.release.outputs.version }}".Trim('v')
+
+          $release_assets = gh release view --repo coder/coder "v${version}" --json assets | `
+            ConvertFrom-Json
+          # Get the installer URL from the release assets.
+          $installer_url = $release_assets.assets | `
+            Where-Object name -Match ".*_windows_amd64_installer.exe$" | `
+            Select -ExpandProperty url
+
+          echo "Installer URL: ${installer_url}"
+          echo "Package version: ${version}"
+
+          # Bail if dry-run.
+          if ($env:CODER_DRY_RUN -match "t") {
+            echo "Skipping submission due to dry-run."
+            exit 0
+          }
+
+          # The URL "|X64" suffix forces the architecture as it cannot be
+          # sniffed properly from the URL. wingetcreate checks both the URL and
+          # binary magic bytes for the architecture and they need to both match,
+          # but they only check for `x64`, `win64` and `_64` in the URL. Our URL
+          # contains `amd64` which doesn't match sadly.
+          #
+          # wingetcreate will still do the binary magic bytes check, so if we
+          # accidentally change the architecture of the installer, it will fail
+          # submission.
+          .\wingetcreate.exe update Coder.Coder `
+            --submit `
+            --version "${version}" `
+            --urls "${installer_url}|X64" `
+            --token "$env:WINGET_GH_TOKEN"
+
+        env:
+          # For gh CLI:
+          GH_TOKEN: ${{ github.token }}
+          # For wingetcreate. We need a real token since we're pushing a commit
+          # to GitHub and then making a PR in a different repo.
+          WINGET_GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
+
+      - name: Comment on PR
+        if: ${{ !inputs.dry_run }}
+        run: |
+          # Find the PR that wingetcreate just made.
+          $version = "${{ needs.release.outputs.version }}".Trim('v')
+          $pr_list = gh pr list --repo microsoft/winget-pkgs --search "author:cdrci Coder.Coder version ${version}" --limit 1 --json number | `
+            ConvertFrom-Json
+          $pr_number = $pr_list[0].number
+
+          gh pr comment --repo microsoft/winget-pkgs "${pr_number}" --body "🤖 cc: @deansheather @matifali"
+
+        env:
+          # For gh CLI. We need a real token since we're commenting on a PR in a
+          # different repo.
+          GH_TOKEN: ${{ secrets.CDRCI_GITHUB_TOKEN }}
@@ -0,0 +1,137 @@
+name: "security"
+
+permissions:
+  actions: read
+  contents: read
+  security-events: write
+
+on:
+  push:
+    branches: ["main"]
+
+  pull_request:
+    branches: ["main"]
+
+  workflow_dispatch:
+
+  schedule:
+    # Run every week at 10:24 on Thursday.
+    - cron: "24 10 * * 4"
+
+# Cancel in-progress runs for pull requests when developers push
+# additional changes
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}-security
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+jobs:
+  codeql:
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v2
+        with:
+          languages: go, javascript
+
+      - name: Setup Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      - name: Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+
+      # Workaround to prevent CodeQL from building the dashboard.
+      - name: Remove Makefile
+        run: |
+          rm Makefile
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v2
+
+  trivy:
+    runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - uses: actions/setup-go@v3
+        with:
+          go-version: "~1.20"
+
+      - name: Go Cache Paths
+        id: go-cache-paths
+        run: |
+          echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
+
+      - name: Go Mod Cache
+        uses: actions/cache@v3
+        with:
+          path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
+          key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
+
+      - name: Cache Node
+        id: cache-node
+        uses: actions/cache@v3
+        with:
+          path: |
+            **/node_modules
+            .eslintcache
+          key: js-${{ runner.os }}-test-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |
+            js-${{ runner.os }}-
+
+      - name: Install yq
+        run: go run github.com/mikefarah/yq/v4@v4.30.6
+
+      - name: Build Coder linux amd64 Docker image
+        id: build
+        run: |
+          set -euo pipefail
+
+          version="$(./scripts/version.sh)"
+          image_job="build/coder_${version}_linux_amd64.tag"
+
+          # This environment variable force make to not build packages and
+          # archives (which the Docker image depends on due to technical reasons
+          # related to concurrent FS writes).
+          export DOCKER_IMAGE_NO_PREREQUISITES=true
+          # This environment variables forces scripts/build_docker.sh to build
+          # the base image tag locally instead of using the cached version from
+          # the registry.
+          export CODER_IMAGE_BUILD_BASE_TAG="$(CODER_IMAGE_BASE=coder-base ./scripts/image_tag.sh --version "$version")"
+
+          make -j "$image_job"
+          echo "image=$(cat "$image_job")" >> $GITHUB_OUTPUT
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252
+        with:
+          image-ref: ${{ steps.build.outputs.image }}
+          format: sarif
+          output: trivy-results.sarif
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: trivy-results.sarif
+          category: "Trivy"
+
+      - name: Upload Trivy scan results as an artifact
+        uses: actions/upload-artifact@v3
+        with:
+          name: trivy
+          path: trivy-results.sarif
+          retention-days: 7
@@ -0,0 +1,48 @@
+name: Stale Issue and Branch Cleanup
+on:
+  schedule:
+    # Every day at midnight
+    - cron: "0 0 * * *"
+  workflow_dispatch:
+jobs:
+  issues:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v7.0.0
+        with:
+          stale-issue-label: "stale"
+          stale-pr-label: "stale"
+          days-before-stale: 90
+          # Pull Requests become stale more quickly due to merge conflicts.
+          # Also, we promote minimizing WIP.
+          days-before-pr-stale: 7
+          days-before-pr-close: 3
+          stale-pr-message: >
+            This Pull Request is becoming stale. In order to minimize WIP,
+            prevent merge conflicts and keep the tracker readable, I'm going
+            close to this PR in 3 days if there isn't more activity.
+          stale-issue-message: >
+            This issue is becoming stale. In order to keep the tracker readable
+            and actionable, I'm going close to this issue in 7 days if there
+            isn't more activity.
+          # Upped from 30 since we have a big tracker and was hitting the limit.
+          operations-per-run: 60
+          # Start with the oldest issues, always.
+          ascending: true
+  branches:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v2
+      - name: Run delete-old-branches-action
+        uses: beatlabs/delete-old-branches-action@v0.0.9
+        with:
+          repo_token: ${{ github.token }}
+          date: "6 months ago"
+          dry_run: false
+          delete_tags: false
+          # extra_protected_branch_regex: ^(foo|bar)$
+          exclude_open_pr_branches: true
@@ -0,0 +1,27 @@
+[default.extend-identifiers]
+alog = "alog"
+Jetbrains = "JetBrains"
+IST = "IST"
+MacOS = "macOS"
+AKS = "AKS"
+
+[default.extend-words]
+AKS = "AKS"
+# do as sudo replacement
+doas = "doas"
+darcula = "darcula"
+Hashi = "Hashi"
+trialer = "trialer"
+encrypter = "encrypter"
+
+[files]
+extend-exclude = [
+    "**.svg",
+    "**.png",
+    "**.lock",
+    "go.sum",
+    "go.mod",
+    # These files contain base64 strings that confuse the detector
+    "**XService**.ts",
+    "**identity.go",
+]
@@ -1,43 +1,52 @@
-###############################################################################
-#                                 NOTICE                                      #
-# If you change this file, kindly copy-pasta your change into .prettierignore #
-# and .eslintignore as well. See the following discussions to understand why  #
-# we have to resort to this duplication (at least for now):                   #
-#                                                                             #
-# https://github.com/prettier/prettier/issues/8048                            #
-# https://github.com/prettier/prettier/issues/8506                            #
-# https://github.com/prettier/prettier/issues/8679                            #
-###############################################################################
-
-node_modules
-vendor
-.eslintcache
-yarn-error.log
-gotests.xml
-gotests.coverage
-.idea
+# Common ignore patterns, these rules applies in both root and subdirectories.
 .DS_Store
+.eslintcache
+.gitpod.yml
+.idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotestsum.json
+node_modules/
+vendor/
+yarn-error.log

-# Front-end ignore
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
 .next/
-site/.eslintcache
-site/.next/
-site/node_modules/
-site/storybook-static/
-site/test-results/
-site/yarn-error.log
-coverage/
 site/**/*.typegen.ts
 site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/states/*.json
+site/playwright-report/*
+
+# Make target for updating golden files.
+cli/testdata/.gen-golden

 # Build
-dist/
+/build/
+/dist/
 site/out/

+# Bundle analysis
+site/stats/
+
 *.tfstate
+*.tfstate.backup
 *.tfplan
 *.lock.hcl
 .terraform/

-.vscode/*.log
-**/*.swp
+/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
@@ -103,7 +103,7 @@ linters-settings:
    settings:
      ruleguard:
        failOn: all
-        rules: '${configDir}/scripts/rules.go'
+        rules: "${configDir}/scripts/rules.go"

  staticcheck:
    # https://staticcheck.io/docs/options#checks
@@ -123,6 +123,8 @@ linters-settings:

  misspell:
    locale: US
+    ignore-words:
+      - trialer

  nestif:
    min-complexity: 4 # Min complexity of if statements (def 5, goal 4)
@@ -235,10 +237,15 @@ linters:
    - noctx
    - paralleltest
    - revive
-    - rowserrcheck
-    - sqlclosecheck
+
+    # These don't work until the following issue is solved.
+    # https://github.com/golangci/golangci-lint/issues/2649
+    # - rowserrcheck
+    # - sqlclosecheck
+    # - structcheck
+    # - wastedassign
+
    - staticcheck
-    - structcheck
    - tenv
    # In Go, it's possible for a package to test it's internal functionality
    # without testing any exported functions. This is enabled to promote
@@ -253,4 +260,3 @@ linters:
    - unconvert
    - unused
    - varcheck
-    - wastedassign
@@ -0,0 +1,66 @@
+# Code generated by Makefile (.gitignore .prettierignore.include). DO NOT EDIT.
+
+# .gitignore:
+# Common ignore patterns, these rules applies in both root and subdirectories.
+.DS_Store
+.eslintcache
+.gitpod.yml
+.idea
+**/*.swp
+gotests.coverage
+gotests.xml
+gotestsum.json
+node_modules/
+vendor/
+yarn-error.log
+
+# VSCode settings.
+**/.vscode/*
+# Allow VSCode recommendations and default settings in project root.
+!/.vscode/extensions.json
+!/.vscode/settings.json
+
+# Front-end ignore patterns.
+.next/
+site/**/*.typegen.ts
+site/build-storybook.log
+site/coverage/
+site/storybook-static/
+site/test-results/*
+site/e2e/test-results/*
+site/e2e/states/*.json
+site/playwright-report/*
+
+# Make target for updating golden files.
+cli/testdata/.gen-golden
+
+# Build
+/build/
+/dist/
+site/out/
+
+# Bundle analysis
+site/stats/
+
+*.tfstate
+*.tfstate.backup
+*.tfplan
+*.lock.hcl
+.terraform/
+
+/.coderv2/*
+**/__debug_bin
+
+# direnv
+.envrc
+# .prettierignore.include:
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
@@ -0,0 +1,10 @@
+# Helm templates contain variables that are invalid YAML and can't be formatted
+# by Prettier.
+helm/templates/*.yaml
+
+# Terraform state files used in tests, these are automatically generated.
+# Example: provisioner/terraform/testdata/instance-id/instance-id.tfstate.json
+**/testdata/**/*.tf*.json
+
+# Testdata shouldn't be formatted.
+scripts/apitypings/testdata/**/*.ts
@@ -0,0 +1,16 @@
+# This config file is used in conjunction with `.editorconfig` to specify
+# formatting for prettier-supported files. See `.editorconfig` and
+# `site/.editorconfig`for whitespace formatting options.
+printWidth: 80
+semi: false
+trailingComma: all
+overrides:
+  - files:
+      - README.md
+    options:
+      proseWrap: preserve
+  - files:
+      - "site/**/*.yaml"
+      - "site/**/*.yml"
+    options:
+      proseWrap: always
@@ -0,0 +1,8 @@
+// Replace all NullTime with string
+replace github.com/coder/coder/codersdk.NullTime string
+// Prevent swaggo from rendering enums for time.Duration
+replace time.Duration int64
+// Do not expose "echo" provider
+replace github.com/coder/coder/codersdk.ProvisionerType string
+// Do not render netip.Addr
+replace netip.Addr string
@@ -1,5 +1,6 @@
 {
  "recommendations": [
+    "github.vscode-codeql",
    "golang.go",
    "hashicorp.terraform",
    "esbenp.prettier-vscode",
@@ -1,30 +1,53 @@
 {
  "cSpell.words": [
+    "afero",
+    "agentsdk",
    "apps",
+    "ASKPASS",
+    "authcheck",
+    "autostop",
    "awsidentity",
+    "bodyclose",
    "buildinfo",
    "buildname",
    "circbuf",
    "cliflag",
    "cliui",
+    "codecov",
    "coderd",
+    "coderdenttest",
    "coderdtest",
    "codersdk",
    "cronstrue",
+    "databasefake",
+    "dbtype",
+    "DERP",
+    "derphttp",
+    "derpmap",
    "devel",
+    "devtunnel",
+    "dflags",
    "drpc",
    "drpcconn",
    "drpcmux",
    "drpcserver",
    "Dsts",
+    "embeddedpostgres",
+    "enablements",
+    "errgroup",
+    "eventsourcemock",
+    "Failf",
    "fatih",
    "Formik",
+    "gitauth",
    "gitsshkey",
    "goarch",
    "gographviz",
    "goleak",
+    "gonet",
    "gossh",
    "gsyslog",
+    "GTTY",
    "hashicorp",
    "hclsyntax",
    "httpapi",
@@ -32,67 +55,121 @@
    "idtoken",
    "Iflag",
    "incpatch",
+    "ipnstate",
    "isatty",
    "Jobf",
    "Keygen",
    "kirsle",
+    "Kubernetes",
    "ldflags",
+    "magicsock",
    "manifoldco",
    "mapstructure",
    "mattn",
    "mitchellh",
    "moby",
+    "namesgenerator",
+    "namespacing",
+    "netaddr",
+    "netip",
+    "netmap",
+    "netns",
+    "netstack",
+    "nettype",
    "nfpms",
    "nhooyr",
+    "nmcfg",
    "nolint",
    "nosec",
    "ntqry",
    "OIDC",
    "oneof",
+    "opty",
+    "paralleltest",
    "parameterscopeid",
    "pqtype",
+    "prometheusmetrics",
+    "promhttp",
    "promptui",
    "protobuf",
    "provisionerd",
+    "provisionerdserver",
    "provisionersdk",
    "ptty",
+    "ptys",
    "ptytest",
+    "quickstart",
+    "reconfig",
+    "replicasync",
    "retrier",
    "rpty",
+    "SCIM",
    "sdkproto",
    "sdktrace",
    "Signup",
+    "slogtest",
    "sourcemapped",
    "Srcs",
+    "stdbuf",
    "stretchr",
+    "STTY",
+    "stuntest",
+    "tanstack",
+    "tailbroker",
+    "tailcfg",
+    "tailexchange",
+    "tailnet",
+    "tailnettest",
+    "Tailscale",
+    "tbody",
    "TCGETS",
    "tcpip",
    "TCSETS",
    "templateversions",
    "testdata",
    "testid",
+    "testutil",
    "tfexec",
    "tfjson",
    "tfplan",
    "tfstate",
+    "thead",
+    "tios",
+    "tmpdir",
+    "tparallel",
+    "trialer",
    "trimprefix",
+    "tsdial",
+    "tslogger",
+    "tstun",
    "turnconn",
    "typegen",
+    "typesafe",
    "unconvert",
    "Untar",
+    "Userspace",
    "VMID",
+    "walkthrough",
    "weblinks",
    "webrtc",
+    "wgcfg",
+    "wgconfig",
+    "wgengine",
+    "wgmonitor",
+    "wgnet",
    "workspaceagent",
+    "workspaceagents",
    "workspaceapp",
    "workspaceapps",
    "workspacebuilds",
    "workspacename",
    "wsconncache",
+    "wsjson",
    "xerrors",
    "xstate",
    "yamux"
  ],
+  "cSpell.ignorePaths": ["site/package.json", ".vscode/settings.json"],
  "emeraldwalk.runonsave": {
    "commands": [
      {
@@ -109,25 +186,34 @@
  "files.exclude": {
    "**/node_modules": true
  },
+  "search.exclude": {
+    "scripts/metricsdocgen/metrics": true,
+    "docs/api/*.md": true
+  },
  // Ensure files always have a newline.
  "files.insertFinalNewline": true,
  "go.lintTool": "golangci-lint",
  "go.lintFlags": ["--fast"],
  "go.lintOnSave": "package",
  "go.coverOnSave": true,
-  // The codersdk is used by coderd another other packages extensively.
-  // To reduce redundancy in tests, it's covered by other packages.
-  "go.testFlags": ["-short", "-coverpkg=./.,github.com/coder/coder/codersdk"],
  "go.coverageDecorator": {
    "type": "gutter",
-    "coveredHighlightColor": "rgba(64,128,128,0.5)",
-    "uncoveredHighlightColor": "rgba(128,64,64,0.25)",
-    "coveredBorderColor": "rgba(64,128,128,0.5)",
-    "uncoveredBorderColor": "rgba(128,64,64,0.25)",
    "coveredGutterStyle": "blockgreen",
    "uncoveredGutterStyle": "blockred"
  },
+  // The codersdk is used by coderd another other packages extensively.
+  // To reduce redundancy in tests, it's covered by other packages.
+  // Since package coverage pairing can't be defined, all packages cover
+  // all other packages.
+  "go.testFlags": ["-short", "-coverpkg=./..."],
  // We often use a version of TypeScript that's ahead of the version shipped
  // with VS Code.
-  "typescript.tsdk": "./site/node_modules/typescript/lib"
+  "typescript.tsdk": "./site/node_modules/typescript/lib",
+  "grammarly.selectors": [
+    {
+      "language": "markdown",
+      "scheme": "file",
+      "pattern": "docs/contributing/frontend.md"
+    }
+  ]
 }
@@ -1,17 +0,0 @@
-FROM alpine
-
-# LABEL doesn't add any real layers so it's fine (and easier) to do it here than
-# in the build script.
-ARG CODER_VERSION
-LABEL \
-	org.opencontainers.image.title="Coder" \
-	org.opencontainers.image.description="A tool for provisioning self-hosted development environments with Terraform." \
-	org.opencontainers.image.url="https://github.com/coder/coder" \
-	org.opencontainers.image.source="https://github.com/coder/coder" \
-	org.opencontainers.image.version="$CODER_VERSION" \
-	org.opencontainers.image.licenses="AGPL-3.0"
-
-# The coder binary is injected by scripts/build_docker.sh.
-ADD coder /opt/coder
-
-ENTRYPOINT [ "/opt/coder", "server" ]
@@ -0,0 +1,31 @@
+## Acceptance
+
+By using any software and associated documentation files under Coder 
+Technologies Inc.’s ("Coder") directory named "enterprise" ("Enterprise
+Software"), you agree to all of the terms and conditions below.
+
+## Copyright License
+
+The licensor grants you a non-exclusive, royalty-free, worldwide, 
+non-sublicensable, non-transferable license to use, copy, distribute, make 
+available, modify and prepare derivative works of the Enterprise Software, in 
+each case subject to the limitations and conditions below.
+
+## Limitations
+
+You may not move, change, disable, or circumvent the license key functionality 
+in the software, and you may not remove or obscure any functionality in the 
+software that is protected by the license key.
+
+You may not alter, remove, or obscure any licensing, copyright, or other notices
+of the licensor in the software. 
+
+You agree that Coder and/or its licensors (as applicable) retain all right, 
+title and interest in and to all such modifications and/or patches.
+
+## Additional Terms
+
+This Enterprise Software may only be used in production, if you (and any entity 
+that you represent) have agreed to, and are in compliance with, the Coder’s 
+Terms of Service, available at https://coder.com/legal/terms-of-service, or 
+other agreement governing the use of the Software, as agreed by you and Coder. 
@@ -1,75 +1,384 @@
-.DEFAULT_GOAL := build
+# This is the Coder Makefile. The build directory for most tasks is `build/`.
+#
+# These are the targets you're probably looking for:
+# - clean
+# - build-fat: builds all "fat" binaries for all architectures
+# - build-slim: builds all "slim" binaries (no frontend or slim binaries
+#   embedded) for all architectures
+# - release: simulate a release (mostly, does not push images)
+# - build/coder(-slim)?_${os}_${arch}(.exe)?: build a single fat binary
+# - build/coder_${os}_${arch}.(zip|tar.gz): build a release archive
+# - build/coder_linux_${arch}.(apk|deb|rpm): build a release Linux package
+# - build/coder_${version}_linux_${arch}.tag: build a release Linux Docker image
+# - build/coder_helm.tgz: build a release Helm chart
+
+.DEFAULT_GOAL := build-fat

 # Use a single bash shell for each job, and immediately exit on failure
 SHELL := bash
-.SHELLFLAGS = -ceu
+.SHELLFLAGS := -ceu
 .ONESHELL:

 # This doesn't work on directories.
 # See https://stackoverflow.com/questions/25752543/make-delete-on-error-for-directory-targets
 .DELETE_ON_ERROR:

-INSTALL_DIR=$(shell go env GOPATH)/bin
-GOOS=$(shell go env GOOS)
-GOARCH=$(shell go env GOARCH)
-VERSION=$(shell ./scripts/version.sh)
+# Don't print the commands in the file unless you specify VERBOSE. This is
+# essentially the same as putting "@" at the start of each line.
+ifndef VERBOSE
+.SILENT:
+endif

-bin: $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
-	@echo "== This builds slim binaries for command-line usage."
-	@echo "== Use \"make build\" to embed the site."
+# Create the output directories if they do not exist.
+$(shell mkdir -p build site/out/bin)

-	mkdir -p ./dist
-	rm -rf ./dist/coder-slim_*
-	rm -f ./site/out/bin/coder*
-	./scripts/build_go_slim.sh \
-		--compress 6 \
+GOOS         := $(shell go env GOOS)
+GOARCH       := $(shell go env GOARCH)
+GOOS_BIN_EXT := $(if $(filter windows, $(GOOS)),.exe,)
+VERSION      := $(shell ./scripts/version.sh)
+
+# Use the highest ZSTD compression level in CI.
+ifdef CI
+ZSTDFLAGS := -22 --ultra
+else
+ZSTDFLAGS := -6
+endif
+
+# Common paths to exclude from find commands, this rule is written so
+# that it can be it can be used in a chain of AND statements (meaning
+# you can simply write `find . $(FIND_EXCLUSIONS) -name thing-i-want`).
+# Note, all find statements should be written with `.` or `./path` as
+# the search path so that these exclusions match.
+FIND_EXCLUSIONS= \
+	-not \( \( -path '*/.git/*' -o -path './build/*' -o -path './vendor/*' -o -path './.coderv2/*' -o -path '*/node_modules/*' -o -path './site/out/*' \) -prune \)
+# Source files used for make targets, evaluated on use.
+GO_SRC_FILES = $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.go')
+# All the shell files in the repo, excluding ignored files.
+SHELL_SRC_FILES = $(shell find . $(FIND_EXCLUSIONS) -type f -name '*.sh')
+
+# All ${OS}_${ARCH} combos we build for. Windows binaries have the .exe suffix.
+OS_ARCHES := \
+	linux_amd64 linux_arm64 linux_armv7 \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64.exe windows_arm64.exe
+
+# Archive formats and their corresponding ${OS}_${ARCH} combos.
+ARCHIVE_TAR_GZ := linux_amd64 linux_arm64 linux_armv7
+ARCHIVE_ZIP    := \
+	darwin_amd64 darwin_arm64 \
+	windows_amd64 windows_arm64
+
+# All package formats we build and the ${OS}_${ARCH} combos we build them for.
+PACKAGE_FORMATS   := apk deb rpm
+PACKAGE_OS_ARCHES := linux_amd64 linux_armv7 linux_arm64
+
+# All architectures we build Docker images for (Linux only).
+DOCKER_ARCHES := amd64 arm64 armv7
+
+# Computed variables based on the above.
+CODER_SLIM_BINARIES      := $(addprefix build/coder-slim_$(VERSION)_,$(OS_ARCHES))
+CODER_FAT_BINARIES       := $(addprefix build/coder_$(VERSION)_,$(OS_ARCHES))
+CODER_ALL_BINARIES       := $(CODER_SLIM_BINARIES) $(CODER_FAT_BINARIES)
+CODER_TAR_GZ_ARCHIVES    := $(foreach os_arch, $(ARCHIVE_TAR_GZ), build/coder_$(VERSION)_$(os_arch).tar.gz)
+CODER_ZIP_ARCHIVES       := $(foreach os_arch, $(ARCHIVE_ZIP), build/coder_$(VERSION)_$(os_arch).zip)
+CODER_ALL_ARCHIVES       := $(CODER_TAR_GZ_ARCHIVES) $(CODER_ZIP_ARCHIVES)
+CODER_ALL_PACKAGES       := $(foreach os_arch, $(PACKAGE_OS_ARCHES), $(addprefix build/coder_$(VERSION)_$(os_arch).,$(PACKAGE_FORMATS)))
+CODER_ARCH_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_$(VERSION)_linux_$(arch).tag)
+CODER_ARCH_IMAGES_PUSHED := $(addprefix push/, $(CODER_ARCH_IMAGES))
+CODER_MAIN_IMAGE         := build/coder_$(VERSION)_linux.tag
+
+CODER_SLIM_NOVERSION_BINARIES     := $(addprefix build/coder-slim_,$(OS_ARCHES))
+CODER_FAT_NOVERSION_BINARIES      := $(addprefix build/coder_,$(OS_ARCHES))
+CODER_ALL_NOVERSION_IMAGES        := $(foreach arch, $(DOCKER_ARCHES), build/coder_linux_$(arch).tag) build/coder_linux.tag
+CODER_ALL_NOVERSION_IMAGES_PUSHED := $(addprefix push/, $(CODER_ALL_NOVERSION_IMAGES))
+
+# If callers are only building Docker images and not the packages and archives,
+# we can skip those prerequisites as they are not actually required and only
+# specified to avoid concurrent write failures.
+ifdef DOCKER_IMAGE_NO_PREREQUISITES
+CODER_ARCH_IMAGE_PREREQUISITES :=
+else
+CODER_ARCH_IMAGE_PREREQUISITES := \
+	build/coder_$(VERSION)_%.apk \
+	build/coder_$(VERSION)_%.deb \
+	build/coder_$(VERSION)_%.rpm \
+	build/coder_$(VERSION)_%.tar.gz
+endif
+
+
+clean:
+	rm -rf build site/out
+	mkdir -p build site/out/bin
+	git restore site/out
+.PHONY: clean
+
+build-slim: $(CODER_SLIM_BINARIES)
+.PHONY: build-slim
+
+build-fat build-full build: $(CODER_FAT_BINARIES)
+.PHONY: build-fat build-full build
+
+release: $(CODER_FAT_BINARIES) $(CODER_ALL_ARCHIVES) $(CODER_ALL_PACKAGES) $(CODER_ARCH_IMAGES) build/coder_helm_$(VERSION).tgz
+.PHONY: release
+
+build/coder-slim_$(VERSION)_checksums.sha1: site/out/bin/coder.sha1
+	cp "$<" "$@"
+
+site/out/bin/coder.sha1: $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		openssl dgst -r -sha1 coder-* | tee coder.sha1
+	popd
+
+build/coder-slim_$(VERSION).tar: build/coder-slim_$(VERSION)_checksums.sha1 $(CODER_SLIM_BINARIES)
+	pushd ./site/out/bin
+		tar cf "../../../build/$(@F)" coder-*
+	popd
+
+	# delete the uncompressed binaries from the embedded dir
+	rm -f site/out/bin/coder-*
+
+site/out/bin/coder.tar.zst: build/coder-slim_$(VERSION).tar.zst
+	cp "$<" "$@"
+
+build/coder-slim_$(VERSION).tar.zst: build/coder-slim_$(VERSION).tar
+	zstd $(ZSTDFLAGS) \
+		--force \
+		--long \
+		--no-progress \
+		-o "build/coder-slim_$(VERSION).tar.zst" \
+		"build/coder-slim_$(VERSION).tar"
+
+# Redirect from version-less targets to the versioned ones. There is a similar
+# target for slim binaries below.
+#
+# Called like this:
+#   make build/coder_linux_amd64
+#   make build/coder_windows_amd64.exe
+$(CODER_FAT_NOVERSION_BINARIES): build/coder_%: build/coder_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Same as above, but for slim binaries.
+#
+# Called like this:
+#   make build/coder-slim_linux_amd64
+#   make build/coder-slim_windows_amd64.exe
+$(CODER_SLIM_NOVERSION_BINARIES): build/coder-slim_%: build/coder-slim_$(VERSION)_%
+	rm -f "$@"
+	ln "$<" "$@"
+
+# "fat" binaries always depend on the site and the compressed slim binaries.
+$(CODER_FAT_BINARIES): \
+	site/out/index.html \
+	site/out/bin/coder.sha1 \
+	site/out/bin/coder.tar.zst
+
+# This is a handy block that parses the target to determine whether it's "slim"
+# or "fat", which OS was specified and which architecture was specified.
+#
+# It populates the following variables: mode, os, arch_ext, arch, ext (without
+# dot).
+define get-mode-os-arch-ext =
+	mode="$$([[ "$@" = build/coder-slim* ]] && echo "slim" || echo "fat")"
+	os="$$(echo $@ | cut -d_ -f3)"
+	arch_ext="$$(echo $@ | cut -d_ -f4)"
+	if [[ "$$arch_ext" == *.* ]]; then
+		arch="$$(echo $$arch_ext | cut -d. -f1)"
+		ext="$${arch_ext#*.}"
+	else
+		arch="$$arch_ext"
+		ext=""
+	fi
+endef
+
+# This task handles all builds, for both "fat" and "slim" binaries. It parses
+# the target name to get the metadata for the build, so it must be specified in
+# this format:
+#     build/coder(-slim)?_${version}_${os}_${arch}(.exe)?
+#
+# You should probably use the non-version targets above instead if you're
+# calling this manually.
+$(CODER_ALL_BINARIES): go.mod go.sum \
+	$(GO_SRC_FILES) \
+	$(shell find ./examples/templates)
+
+	$(get-mode-os-arch-ext)
+	if [[ "$$os" != "windows" ]] && [[ "$$ext" != "" ]]; then
+		echo "ERROR: Invalid build binary extension" 1>&2
+		exit 1
+	fi
+	if [[ "$$os" == "windows" ]] && [[ "$$ext" != exe ]]; then
+		echo "ERROR: Windows binaries must have an .exe extension." 1>&2
+		exit 1
+	fi
+
+	build_args=( \
+		--os "$$os" \
+		--arch "$$arch" \
 		--version "$(VERSION)" \
-		--output ./dist/ \
-		linux:amd64,armv7,arm64 \
-		windows:amd64,arm64 \
-		darwin:amd64,arm64
-.PHONY: bin
+		--output "$@" \
+	)
+	if [ "$$mode" == "slim" ]; then
+		build_args+=(--slim)
+	fi

-build: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
-	rm -rf ./dist
-	mkdir -p ./dist
-	rm -f ./site/out/bin/coder*
+	./scripts/build_go.sh "$${build_args[@]}"

-	# build slim artifacts and copy them to the site output directory
-	./scripts/build_go_slim.sh \
+	if [[ "$$mode" == "slim" ]]; then
+		dot_ext=""
+		if [[ "$$ext" != "" ]]; then
+			dot_ext=".$$ext"
+		fi
+
+		cp "$@" "./site/out/bin/coder-$$os-$$arch$$dot_ext"
+	fi
+
+# This task builds all archives. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.${format}
+#
+# The following OS/arch/format combinations are supported:
+#     .tar.gz: linux_amd64, linux_arm64, linux_armv7
+#     .zip:    darwin_amd64, darwin_arm64, windows_amd64, windows_arm64
+#
+# This depends on all fat binaries because it's difficult to do dynamic
+# dependencies due to the .exe requirement on Windows. These targets are
+# typically only used during release anyways.
+$(CODER_ALL_ARCHIVES): $(CODER_FAT_BINARIES)
+	$(get-mode-os-arch-ext)
+	bin_ext=""
+	if [[ "$$os" == "windows" ]]; then
+		bin_ext=".exe"
+	fi
+
+	./scripts/archive.sh \
+		--format "$$ext" \
+		--os "$$os" \
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}$${bin_ext}"
+
+# This task builds all packages. It parses the target name to get the metadata
+# for the build, so it must be specified in this format:
+#     build/coder_${version}_linux_${arch}.${format}
+#
+# Supports apk, deb, rpm for all linux targets.
+#
+# This depends on all Linux fat binaries and archives because it's difficult to
+# do dynamic dependencies due to the extensions in the filenames. These targets
+# are typically only used during release anyways.
+#
+# Packages need to run after the archives are built, otherwise they cause tar
+# errors like "file changed as we read it".
+CODER_PACKAGE_DEPS := $(foreach os_arch, $(PACKAGE_OS_ARCHES), build/coder_$(VERSION)_$(os_arch) build/coder_$(VERSION)_$(os_arch).tar.gz)
+$(CODER_ALL_PACKAGES): $(CODER_PACKAGE_DEPS)
+	$(get-mode-os-arch-ext)
+
+	./scripts/package.sh \
+		--arch "$$arch" \
+		--format "$$ext" \
 		--version "$(VERSION)" \
-		--compress 6 \
-		--output ./dist/ \
-		linux:amd64,armv7,arm64 \
-		windows:amd64,arm64 \
-		darwin:amd64,arm64
+		--output "$@" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"

-	# build not-so-slim artifacts with the default name format
-	./scripts/build_go_matrix.sh \
+# This task builds a Windows amd64 installer. Depends on makensis.
+build/coder_$(VERSION)_windows_amd64_installer.exe: build/coder_$(VERSION)_windows_amd64.exe
+	./scripts/build_windows_installer.sh \
 		--version "$(VERSION)" \
-		--output ./dist/ \
-		--archive \
-		--package-linux \
-		linux:amd64,armv7,arm64 \
-		windows:amd64,arm64 \
-		darwin:amd64,arm64
-.PHONY: build
+		--output "$@" \
+		"$<"

-# Runs migrations to output a dump of the database.
-coderd/database/dump.sql: $(wildcard coderd/database/migrations/*.sql)
-	go run coderd/database/dump/main.go
+# Redirect from version-less Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES): build/coder_%: build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES)

-# Generates Go code for querying the database.
-coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
-	coderd/database/generate.sh
+# Redirect from version-less push Docker image targets to the versioned ones.
+#
+# Called like this:
+#   make push/build/coder_linux_amd64.tag
+$(CODER_ALL_NOVERSION_IMAGES_PUSHED): push/build/coder_%: push/build/coder_$(VERSION)_%
+.PHONY: $(CODER_ALL_NOVERSION_IMAGES_PUSHED)

-# This target is deprecated, as GNU make has issues passing signals to subprocesses.
-dev:
-	@echo Please run ./scripts/develop.sh manually.
-.PHONY: dev
+# This task builds all Docker images. It parses the target name to get the
+# metadata for the build, so it must be specified in this format:
+#     build/coder_${version}_${os}_${arch}.tag
+#
+# Supports linux_amd64, linux_arm64, linux_armv7.
+#
+# Images need to run after the archives and packages are built, otherwise they
+# cause errors like "file changed as we read it".
+$(CODER_ARCH_IMAGES): build/coder_$(VERSION)_%.tag: build/coder_$(VERSION)_% $(CODER_ARCH_IMAGE_PREREQUISITES)
+	$(get-mode-os-arch-ext)
+
+	image_tag="$$(./scripts/image_tag.sh --arch "$$arch" --version "$(VERSION)")"
+	./scripts/build_docker.sh \
+		--arch "$$arch" \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		"build/coder_$(VERSION)_$${os}_$${arch}"
+
+	echo "$$image_tag" > "$@"
+
+# Multi-arch Docker image. This requires all architecture-specific images to be
+# built AND pushed.
+$(CODER_MAIN_IMAGE): $(CODER_ARCH_IMAGES_PUSHED)
+	image_tag="$$(./scripts/image_tag.sh --version "$(VERSION)")"
+	./scripts/build_docker_multiarch.sh \
+		--target "$$image_tag" \
+		--version "$(VERSION)" \
+		$(foreach img, $^, "$$(cat "$(img:push/%=%)")")
+
+	echo "$$image_tag" > "$@"
+
+# Push a Docker image.
+$(CODER_ARCH_IMAGES_PUSHED): push/%: %
+	image_tag="$$(cat "$<")"
+	docker push "$$image_tag"
+.PHONY: $(CODER_ARCH_IMAGES_PUSHED)
+
+# Push the multi-arch Docker manifest.
+push/$(CODER_MAIN_IMAGE): $(CODER_MAIN_IMAGE)
+	image_tag="$$(cat "$<")"
+	docker manifest push "$$image_tag"
+.PHONY: push/$(CODER_MAIN_IMAGE)
+
+# Shortcut for Helm chart package.
+build/coder_helm.tgz: build/coder_helm_$(VERSION).tgz
+	rm -f "$@"
+	ln "$<" "$@"
+
+# Helm chart package.
+build/coder_helm_$(VERSION).tgz:
+	./scripts/helm.sh \
+		--version "$(VERSION)" \
+		--output "$@"
+
+site/out/index.html: site/package.json $(shell find ./site $(FIND_EXCLUSIONS) -type f \( -name '*.ts' -o -name '*.tsx' \))
+	./scripts/yarn_install.sh
+	cd site
+	yarn build
+
+install: build/coder_$(VERSION)_$(GOOS)_$(GOARCH)$(GOOS_BIN_EXT)
+	install_dir="$$(go env GOPATH)/bin"
+	output_file="$${install_dir}/coder$(GOOS_BIN_EXT)"
+
+	mkdir -p "$$install_dir"
+	cp "$<" "$$output_file"
+.PHONY: install
+
+fmt: fmt/prettier fmt/terraform fmt/shfmt fmt/go
+.PHONY: fmt
+
+fmt/go:
+	# VS Code users should check out
+	# https://github.com/mvdan/gofumpt#visual-studio-code
+	go run mvdan.cc/gofumpt@v0.4.0 -w -l .
+.PHONY: fmt/go

 fmt/prettier:
-	@echo "--- prettier"
+	echo "--- prettier"
 	cd site
 # Avoid writing files in CI to reduce file write activity
 ifdef CI
@@ -83,68 +392,87 @@ fmt/terraform: $(wildcard *.tf)
 	terraform fmt -recursive
 .PHONY: fmt/terraform

-fmt/shfmt: $(shell shfmt -f .)
-	@echo "--- shfmt"
+fmt/shfmt: $(SHELL_SRC_FILES)
+	echo "--- shfmt"
 # Only do diff check in CI, errors on diff.
 ifdef CI
-	shfmt -d $(shell shfmt -f .)
+	shfmt -d $(SHELL_SRC_FILES)
 else
-	shfmt -w $(shell shfmt -f .)
+	shfmt -w $(SHELL_SRC_FILES)
 endif
 .PHONY: fmt/shfmt

-fmt: fmt/prettier fmt/terraform fmt/shfmt
-.PHONY: fmt
-
-gen: coderd/database/querier.go peerbroker/proto/peerbroker.pb.go provisionersdk/proto/provisioner.pb.go provisionerd/proto/provisionerd.pb.go site/src/api/typesGenerated.ts
-.PHONY: gen
-
-install: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
-	@output_file="$(INSTALL_DIR)/coder"
-
-	@if [[ "$(GOOS)" == "windows" ]]; then
-		@output_file="$${output_file}.exe"
-	@fi
-
-	@echo "-- Building CLI for $(GOOS) $(GOARCH) at $$output_file"
-
-	./scripts/build_go.sh \
-		--version "$(VERSION)" \
-		--output "$$output_file" \
-		--os "$(GOOS)" \
-		--arch "$(GOARCH)"
-
-	@echo
-.PHONY: install
-
 lint: lint/shellcheck lint/go
 .PHONY: lint

 lint/go:
+	./scripts/check_enterprise_imports.sh
 	golangci-lint run
 .PHONY: lint/go

 # Use shfmt to determine the shell files, takes editorconfig into consideration.
-lint/shellcheck: $(shell shfmt -f .)
-	@echo "--- shellcheck"
-	shellcheck --external-sources $(shell shfmt -f .)
+lint/shellcheck: $(SHELL_SRC_FILES)
+	echo "--- shellcheck"
+	shellcheck --external-sources $(SHELL_SRC_FILES)
 .PHONY: lint/shellcheck

-peerbroker/proto/peerbroker.pb.go: peerbroker/proto/peerbroker.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./peerbroker/proto/peerbroker.proto
+# all gen targets should be added here and to gen/mark-fresh
+gen: \
+	coderd/database/dump.sql \
+	coderd/database/querier.go \
+	provisionersdk/proto/provisioner.pb.go \
+	provisionerd/proto/provisionerd.pb.go \
+	site/src/api/typesGenerated.ts \
+	docs/admin/prometheus.md \
+	docs/cli.md \
+	docs/admin/audit-logs.md \
+	coderd/apidoc/swagger.json \
+	.prettierignore.include \
+	.prettierignore \
+	site/.prettierrc.yaml \
+	site/.prettierignore \
+	site/.eslintignore
+.PHONY: gen

-provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
-	protoc \
-		--go_out=. \
-		--go_opt=paths=source_relative \
-		--go-drpc_out=. \
-		--go-drpc_opt=paths=source_relative \
-		./provisionerd/proto/provisionerd.proto
+# Mark all generated files as fresh so make thinks they're up-to-date. This is
+# used during releases so we don't run generation scripts.
+gen/mark-fresh:
+	files="\
+		coderd/database/dump.sql \
+		coderd/database/querier.go \
+		provisionersdk/proto/provisioner.pb.go \
+		provisionerd/proto/provisionerd.pb.go \
+		site/src/api/typesGenerated.ts \
+		docs/admin/prometheus.md \
+		docs/cli.md \
+		docs/admin/audit-logs.md \
+		coderd/apidoc/swagger.json \
+		.prettierignore.include \
+		.prettierignore \
+		site/.prettierrc.yaml \
+		site/.prettierignore \
+		site/.eslintignore \
+	"
+	for file in $$files; do
+		echo "$$file"
+		if [ ! -f "$$file" ]; then
+			echo "File '$$file' does not exist"
+			exit 1
+		fi
+
+		# touch sets the mtime of the file to the current time
+		touch $$file
+	done
+.PHONY: gen/mark-fresh
+
+# Runs migrations to output a dump of the database schema after migrations are
+# applied.
+coderd/database/dump.sql: coderd/database/gen/dump/main.go $(wildcard coderd/database/migrations/*.sql)
+	go run ./coderd/database/gen/dump/main.go
+
+# Generates Go code for querying the database.
+coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql) coderd/database/gen/enum/main.go
+	./coderd/database/generate.sh

 provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 	protoc \
@@ -154,28 +482,122 @@ provisionersdk/proto/provisioner.pb.go: provisionersdk/proto/provisioner.proto
 		--go-drpc_opt=paths=source_relative \
 		./provisionersdk/proto/provisioner.proto

-site/out/index.html: $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.tsx') $(shell find ./site -not -path './site/node_modules/*' -type f -name '*.ts') site/package.json
-	./scripts/yarn_install.sh
-	cd site
-	yarn typegen
-	yarn build
-	# Restores GITKEEP files!
-	git checkout HEAD out
+provisionerd/proto/provisionerd.pb.go: provisionerd/proto/provisionerd.proto
+	protoc \
+		--go_out=. \
+		--go_opt=paths=source_relative \
+		--go-drpc_out=. \
+		--go-drpc_opt=paths=source_relative \
+		./provisionerd/proto/provisionerd.proto

-site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find codersdk -type f -name '*.go')
+site/src/api/typesGenerated.ts: scripts/apitypings/main.go $(shell find ./codersdk $(FIND_EXCLUSIONS) -type f -name '*.go')
 	go run scripts/apitypings/main.go > site/src/api/typesGenerated.ts
 	cd site
 	yarn run format:types

+docs/admin/prometheus.md: scripts/metricsdocgen/main.go scripts/metricsdocgen/metrics
+	go run scripts/metricsdocgen/main.go
+	cd site
+	yarn run format:write:only ../docs/admin/prometheus.md
+
+docs/cli.md: scripts/clidocgen/main.go $(GO_SRC_FILES) docs/manifest.json
+	rm -rf ./docs/cli/*.md
+	BASE_PATH="." go run ./scripts/clidocgen
+	cd site
+	yarn run format:write:only ../docs/cli.md ../docs/cli/*.md ../docs/manifest.json
+
+docs/admin/audit-logs.md: scripts/auditdocgen/main.go enterprise/audit/table.go
+	go run scripts/auditdocgen/main.go
+	cd site
+	yarn run format:write:only ../docs/admin/audit-logs.md
+
+coderd/apidoc/swagger.json: $(shell find ./scripts/apidocgen $(FIND_EXCLUSIONS) -type f) $(wildcard coderd/*.go) $(wildcard enterprise/coderd/*.go) $(wildcard codersdk/*.go) .swaggo docs/manifest.json
+	./scripts/apidocgen/generate.sh
+	yarn run --cwd=site format:write:only ../docs/api ../docs/manifest.json ../coderd/apidoc/swagger.json
+
+update-golden-files: cli/testdata/.gen-golden
+.PHONY: update-golden-files
+
+cli/testdata/.gen-golden: $(wildcard cli/testdata/*.golden) $(GO_SRC_FILES)
+	go test ./cli -run=TestCommandHelp -update
+	touch "$@"
+
+# Generate a prettierrc for the site package that uses relative paths for
+# overrides. This allows us to share the same prettier config between the
+# site and the root of the repo.
+site/.prettierrc.yaml: .prettierrc.yaml
+	. ./scripts/lib.sh
+	dependencies yq
+
+	echo "# Code generated by Makefile (../$<). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+
+	# Replace all listed override files with relative paths inside site/.
+	# - ./ -> ../
+	# - ./site -> ./
+	yq \
+		'.overrides[].files |= map(. | sub("^./"; "") | sub("^"; "../") | sub("../site/"; "./"))' \
+		"$<" >> "$@"
+
+# Combine .gitignore with .prettierignore.include to generate .prettierignore.
+.prettierignore: .gitignore .prettierignore.include
+	echo "# Code generated by Makefile ($^). DO NOT EDIT." > "$@"
+	echo "" >> "$@"
+	for f in $^; do
+		echo "# $${f}:" >> "$@"
+		cat "$$f" >> "$@"
+	done
+
+# Generate ignore files based on gitignore into the site directory. We turn all
+# rules into relative paths for the `site/` directory (where applicable),
+# following the pattern format defined by git:
+# https://git-scm.com/docs/gitignore#_pattern_format
+#
+# This is done for compatibility reasons, see:
+# https://github.com/prettier/prettier/issues/8048
+# https://github.com/prettier/prettier/issues/8506
+# https://github.com/prettier/prettier/issues/8679
+site/.eslintignore site/.prettierignore: .prettierignore Makefile
+	rm -f "$@"
+	touch "$@"
+	# Skip generated by header, inherit `.prettierignore` header as-is.
+	while read -r rule; do
+		# Remove leading ! if present to simplify rule, added back at the end.
+		tmp="$${rule#!}"
+		ignore="$${rule%"$$tmp"}"
+		rule="$$tmp"
+		case "$$rule" in
+			# Comments or empty lines (include).
+			\#*|'') ;;
+			# Generic rules (include).
+			\*\**) ;;
+			# Site prefixed rules (include).
+			site/*) rule="$${rule#site/}";;
+			./site/*) rule="$${rule#./site/}";;
+			# Rules that are non-generic and don't start with site (rewrite).
+			/*) rule=.."$$rule";;
+			*/?*) rule=../"$$rule";;
+			*) ;;
+		esac
+		echo "$${ignore}$${rule}" >> "$@"
+	done < "$<"
+
 test: test-clean
 	gotestsum -- -v -short ./...
 .PHONY: test

+# When updating -timeout for this test, keep in sync with
+# test-go-postgres (.github/workflows/coder.yaml).
 test-postgres: test-clean test-postgres-docker
-	DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum --junitfile="gotests.xml" --packages="./..." -- \
-		-covermode=atomic -coverprofile="gotests.coverage" -timeout=30m \
-		-coverpkg=./...,github.com/coder/coder/codersdk \
-		-count=2 -race -failfast
+	# The postgres test is prone to failure, so we limit parallelism for
+	# more consistent execution.
+	DB=ci DB_FROM=$(shell go run scripts/migrate-ci/main.go) gotestsum \
+		--junitfile="gotests.xml" \
+		--packages="./..." -- \
+		-covermode=atomic -coverprofile="gotests.coverage" -timeout=20m \
+		-parallel=4 \
+		-coverpkg=./... \
+		-count=1 -race -failfast
 .PHONY: test-postgres

 test-postgres-docker:
@@ -195,7 +617,8 @@ test-postgres-docker:
 		-c max_connections=1000 \
 		-c fsync=off \
 		-c synchronous_commit=off \
-		-c full_page_writes=off
+		-c full_page_writes=off \
+		-c log_statement=all
 	while ! pg_isready -h 127.0.0.1
 	do
 		echo "$(date) - waiting for database to start"
@@ -1,99 +1,125 @@
-# Coder
+<div align="center">
+  <a href="https://coder.com#gh-light-mode-only">
+    <img src="./docs/images/logo-black.png" style="width: 128px">
+  </a>
+  <a href="https://coder.com#gh-dark-mode-only">
+    <img src="./docs/images/logo-white.png" style="width: 128px">
+  </a>

-[!["GitHub
-Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/coder/coder/discussions)
-[!["Join us on
-Discord"](https://img.shields.io/badge/join-us%20on%20Discord-gray.svg?longCache=true&logo=discord&colorB=purple)](https://discord.gg/coder)
-[![Twitter
-Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq)
+  <h1>
+  Self-Hosted Remote Development Environments
+  </h1>
+
+  <a href="https://coder.com#gh-light-mode-only">
+    <img src="./docs/images/banner-black.png" style="width: 650px">
+  </a>
+  <a href="https://coder.com#gh-dark-mode-only">
+    <img src="./docs/images/banner-white.png" style="width: 650px">
+  </a>
+
+  <br>
+  <br>
+
+[Quickstart](#quickstart) | [Docs](https://coder.com/docs) | [Why Coder](https://coder.com/why) | [Enterprise](https://coder.com/docs/v2/latest/enterprise)
+
+[![discord](https://img.shields.io/discord/747933592273027093?label=discord)](https://discord.gg/coder)
 [![codecov](https://codecov.io/gh/coder/coder/branch/main/graph/badge.svg?token=TNLW3OAP6G)](https://codecov.io/gh/coder/coder)
+[![release](https://img.shields.io/github/v/release/coder/coder)](https://github.com/coder/coder/releases/latest)
+[![godoc](https://pkg.go.dev/badge/github.com/coder/coder.svg)](https://pkg.go.dev/github.com/coder/coder)
+[![Go Report Card](https://goreportcard.com/badge/github.com/coder/coder)](https://goreportcard.com/report/github.com/coder/coder)
+[![license](https://img.shields.io/github/license/coder/coder)](./LICENSE)

-Coder creates remote development machines so your team can develop from anywhere.
+</div>
+
+[Coder](https://coder.com) enables organizations to set up development environments in the cloud. Environments are defined with Terraform, connected through a secure high-speed Wireguard® tunnel, and are automatically shut down when not in use to save on costs. Coder gives engineering teams the flexibility to use the cloud for workloads that are most beneficial to them.
+
+- Define development environments in Terraform
+  - EC2 VMs, Kubernetes Pods, Docker Containers, etc.
+- Automatically shutdown idle resources to save on costs
+- Onboard developers in seconds instead of days

 <p align="center">
  <img src="./docs/images/hero-image.png">
 </p>

-**Manage less**
+## Quickstart

- Ensure your entire team is using the same tools and resources
-  - Rollout critical updates to your developers with one command
- Automatically shut down expensive cloud resources
- Keep your source code and data behind your firewall
+The most convenient way to try Coder is to install it on your local machine and experiment with provisioning development environments using Docker (works on Linux, macOS, and Windows).

-**Code more**
+```
+# First, install Coder
+curl -L https://coder.com/install.sh | sh

- Build and test faster
-  - Leveraging cloud CPUs, RAM, network speeds, etc.
- Access your environment from any place on any client (even an iPad)
- Onboard instantly then stay up to date continuously
+# Start the Coder server (caches data in ~/.cache/coder)
+coder server

-## Getting Started
+# Navigate to http://localhost:3000 to create your initial user
+# Create a Docker template, and provision a workspace
+```

-> **Note**:
-> Coder is in an alpha state. [Report issues here](https://github.com/coder/coder/issues/new).
+## Install

-The easiest way to install Coder is to use our [install script](https://github.com/coder/coder/blob/main/install.sh) for Linux and macOS.
-
-To install, run:
+The easiest way to install Coder is to use our
+[install script](https://github.com/coder/coder/blob/main/install.sh) for Linux
+and macOS. For Windows, use the latest `..._installer.exe` file from GitHub
+Releases.

 ```bash
 curl -L https://coder.com/install.sh | sh
 ```

-You can preview what occurs during the install process:
+You can run the install script with `--dry-run` to see the commands that will be used to install without executing them. You can modify the installation process by including flags. Run the install script with `--help` for reference.

-```bash
-curl -L https://coder.com/install.sh | sh -s -- --dry-run
-```
+> See [install](docs/install) for additional methods.

-You can modify the installation process by including flags. Run the help command for reference:
+Once installed, you can start a production deployment<sup>1</sup> with a single command:

-```bash
-curl -L https://coder.com/install.sh | sh -s -- --help
-```
-
-> See [install](docs/install.md) for additional methods.
-
-Once installed, you can start a production deployment with a single command:
-
-```sh
+```console
 # Automatically sets up an external access URL on *.try.coder.app
-coder server --tunnel
+coder server

-# Requires a PostgreSQL instance and external access URL
+# Requires a PostgreSQL instance (version 13 or higher) and external access URL
 coder server --postgres-url <url> --access-url <url>
 ```

-Use `coder --help` to get a complete list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/coder-oss/latest/quickstart) for a full walkthrough.
+> <sup>1</sup> For production deployments, set up an external PostgreSQL instance for reliability.
+
+Use `coder --help` to get a list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/v2/latest/quickstart) for a full walkthrough.

 ## Documentation

-Visit our docs [here](https://coder.com/docs/coder-oss).
+Browse our docs [here](https://coder.com/docs/v2) or visit a specific section below:

-## Comparison
-
-Please file [an issue](https://github.com/coder/coder/issues/new) if any information is out of date. Also refer to: [What Coder is not](https://coder.com/docs/coder-oss/latest/index#what-coder-is-not).
-
-| Tool                                                        | Type     | Delivery Model     | Cost                          | Environments                                                                                                                                               |
-| :---------------------------------------------------------- | :------- | :----------------- | :---------------------------- | :--------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| [Coder](https://github.com/coder/coder)                     | Platform | OSS + Self-Managed | Pay your cloud                | All [Terraform](https://www.terraform.io/registry/providers) resources, all clouds, multi-architecture: Linux, Mac, Windows, containers, VMs, amd64, arm64 |
-| [code-server](https://github.com/cdr/code-server)           | Web IDE  | OSS + Self-Managed | Pay your cloud                | Linux, Mac, Windows, containers, VMs, amd64, arm64                                                                                                         |
-| [Coder (Classic)](https://coder.com/docs)                   | Platform | Self-Managed       | Pay your cloud + license fees | Kubernetes Linux Containers                                                                                                                                |
-| [GitHub Codespaces](https://github.com/features/codespaces) | Platform | SaaS               | 2x Azure Compute              | Linux containers                                                                                                                                           |
-
---
-
-_Last updated: 5/27/22_
+- [**Templates**](https://coder.com/docs/v2/latest/templates): Templates are written in Terraform and describe the infrastructure for workspaces
+- [**Workspaces**](https://coder.com/docs/v2/latest/workspaces): Workspaces contain the IDEs, dependencies, and configuration information needed for software development
+- [**IDEs**](https://coder.com/docs/v2/latest/ides): Connect your existing editor to a workspace
+- [**Administration**](https://coder.com/docs/v2/latest/admin): Learn how to operate Coder
+- [**Enterprise**](https://coder.com/docs/v2/latest/enterprise): Learn about our paid features built for large teams

 ## Community and Support

-Join our community on [Discord](https://discord.gg/coder) and [Twitter](https://twitter.com/coderhq)!
+Feel free to [open an issue](https://github.com/coder/coder/issues/new) if you have questions, run into bugs, or have a feature request.

-[Suggest improvements and report problems](https://github.com/coder/coder/issues/new/choose)
+[Join our Discord](https://discord.gg/coder) to provide feedback on in-progress features, and chat with the community using Coder!

 ## Contributing

-Read the [contributing docs](https://coder.com/docs/coder-oss/latest/CONTRIBUTING).
+Contributions are welcome! Read the [contributing docs](https://coder.com/docs/v2/latest/CONTRIBUTING) to get started.

-Find our list of contributors [here](./docs/CONTRIBUTORS.md).
+Find our list of contributors [here](https://github.com/coder/coder/graphs/contributors).
+
+## Related
+
+We are always working on new integrations. Feel free to open an issue to request an integration. Contributions are welcome in any official or community repositories.
+
+### Official
+
+- [**VS Code Extension**](https://marketplace.visualstudio.com/items?itemName=coder.coder-remote): Open any Coder workspace in VS Code with a single click
+- [**JetBrains Gateway Extension**](https://plugins.jetbrains.com/plugin/19620-coder): Open any Coder workspace in JetBrains Gateway with a single click
+- [**Self-Hosted VS Code Extension Marketplace**](https://github.com/coder/code-marketplace): A private extension marketplace that works in restricted or airgapped networks integrating with [code-server](https://github.com/coder/code-server).
+
+### Community
+
+- [**Provision Coder with Terraform**](https://github.com/ElliotG/coder-oss-tf): Provision Coder on Google GKE, Azure AKS, AWS EKS, DigitalOcean DOKS, IBMCloud K8s, OVHCloud K8s, and Scaleway K8s Kapsule with Terraform
+- [**Coder GitHub Action**](https://github.com/marketplace/actions/update-coder-template): A GitHub Action that updates Coder templates
+- [**Various Templates**](./examples/templates/community-templates.md): Hetzner Cloud, Docker in Docker, and other templates the community has built.
@@ -0,0 +1,73 @@
+# Coder Security
+
+Coder welcomes feedback from security researchers and the general public
+to help improve our security. If you believe you have discovered a vulnerability,
+privacy issue, exposed data, or other security issues in any of our assets, we
+want to hear from you. This policy outlines steps for reporting vulnerabilities
+to us, what we expect, what you can expect from us.
+
+You can see the pretty version [here](https://coder.com/security/policy)
+
+# Why Coder's security matters
+
+If an attacker could fully compromise a Coder installation, they could spin
+up expensive workstations, steal valuable credentials, or steal proprietary
+source code. We take this risk very seriously and employ routine pen testing,
+vulnerability scanning, and code reviews. We also welcome the contributions
+from the community that helped make this product possible.
+
+# Where should I report security issues?
+
+Please report security issues to security@coder.com, providing
+all relevant information. The more details you provide, the easier it will be
+for us to triage and fix the issue.
+
+# Out of Scope
+
+Our primary concern is around an abuse of the Coder application that allows
+an attacker to gain access to another users workspace, or spin up unwanted
+workspaces.
+
+- DOS/DDOS attacks affecting availability --> While we do support rate limiting
+  of requests, we primarily leave this to the owner of the Coder installation. Our
+  rationale is that a DOS attack only affecting availability is not a valuable
+  target for attackers.
+- Abuse of a compromised user credential --> If a user credential is compromised
+  outside of the Coder ecosystem, then we consider it beyond the scope of our application.
+  However, if an unprivileged user could escalate their permissions or gain access
+  to another workspace, that is a cause for concern.
+- Vulnerabilities in third party systems --> Vulnerabilities discovered in
+  out-of-scope systems should be reported to the appropriate vendor or applicable authority.
+
+# Our Commitments
+
+When working with us, according to this policy, you can expect us to:
+
+- Respond to your report promptly, and work with you to understand and validate your report;
+- Strive to keep you informed about the progress of a vulnerability as it is processed;
+- Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
+- Extend Safe Harbor for your vulnerability research that is related to this policy.
+
+# Our Expectations
+
+In participating in our vulnerability disclosure program in good faith, we ask that you:
+
+- Play by the rules, including following this policy and any other relevant agreements.
+  If there is any inconsistency between this policy and any other applicable terms, the
+  terms of this policy will prevail;
+- Report any vulnerability you’ve discovered promptly;
+- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or
+  harming user experience;
+- Use only the Official Channels to discuss vulnerability information with us;
+- Provide us a reasonable amount of time (at least 90 days from the initial report) to
+  resolve the issue before you disclose it publicly;
+- Perform testing only on in-scope systems, and respect systems and activities which
+  are out-of-scope;
+- If a vulnerability provides unintended access to data: Limit the amount of data you
+  access to the minimum required for effectively demonstrating a Proof of Concept; and
+  cease testing and submit a report immediately if you encounter any user data during testing,
+  such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI),
+  credit card data, or proprietary information;
+- You should only interact with test accounts you own or with explicit permission from
+- the account holder; and
+- Do not engage in extortion.
@@ -0,0 +1,49 @@
+package agent
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/go-chi/chi"
+
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+)
+
+func (*agent) apiHandler() http.Handler {
+	r := chi.NewRouter()
+	r.Get("/", func(rw http.ResponseWriter, r *http.Request) {
+		httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.Response{
+			Message: "Hello from the agent!",
+		})
+	})
+
+	lp := &listeningPortsHandler{}
+	r.Get("/api/v0/listening-ports", lp.handler)
+
+	return r
+}
+
+type listeningPortsHandler struct {
+	mut   sync.Mutex
+	ports []codersdk.WorkspaceAgentListeningPort
+	mtime time.Time
+}
+
+// handler returns a list of listening ports. This is tested by coderd's
+// TestWorkspaceAgentListeningPorts test.
+func (lp *listeningPortsHandler) handler(rw http.ResponseWriter, r *http.Request) {
+	ports, err := lp.getListeningPorts()
+	if err != nil {
+		httpapi.Write(r.Context(), rw, http.StatusInternalServerError, codersdk.Response{
+			Message: "Could not scan for listening ports.",
+			Detail:  err.Error(),
+		})
+		return
+	}
+
+	httpapi.Write(r.Context(), rw, http.StatusOK, codersdk.WorkspaceAgentListeningPortsResponse{
+		Ports: ports,
+	})
+}
@@ -0,0 +1,182 @@
+package agent
+
+import (
+	"context"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/retry"
+)
+
+// WorkspaceAgentApps fetches the workspace apps.
+type WorkspaceAgentApps func(context.Context) ([]codersdk.WorkspaceApp, error)
+
+// PostWorkspaceAgentAppHealth updates the workspace app health.
+type PostWorkspaceAgentAppHealth func(context.Context, agentsdk.PostAppHealthsRequest) error
+
+// WorkspaceAppHealthReporter is a function that checks and reports the health of the workspace apps until the passed context is canceled.
+type WorkspaceAppHealthReporter func(ctx context.Context)
+
+// NewWorkspaceAppHealthReporter creates a WorkspaceAppHealthReporter that reports app health to coderd.
+func NewWorkspaceAppHealthReporter(logger slog.Logger, apps []codersdk.WorkspaceApp, postWorkspaceAgentAppHealth PostWorkspaceAgentAppHealth) WorkspaceAppHealthReporter {
+	runHealthcheckLoop := func(ctx context.Context) error {
+		// no need to run this loop if no apps for this workspace.
+		if len(apps) == 0 {
+			return nil
+		}
+
+		hasHealthchecksEnabled := false
+		health := make(map[uuid.UUID]codersdk.WorkspaceAppHealth, 0)
+		for _, app := range apps {
+			if app.Health == codersdk.WorkspaceAppHealthDisabled {
+				continue
+			}
+			health[app.ID] = app.Health
+			hasHealthchecksEnabled = true
+		}
+
+		// no need to run this loop if no health checks are configured.
+		if !hasHealthchecksEnabled {
+			return nil
+		}
+
+		// run a ticker for each app health check.
+		var mu sync.RWMutex
+		failures := make(map[uuid.UUID]int, 0)
+		for _, nextApp := range apps {
+			if !shouldStartTicker(nextApp) {
+				continue
+			}
+			app := nextApp
+			go func() {
+				t := time.NewTicker(time.Duration(app.Healthcheck.Interval) * time.Second)
+				defer t.Stop()
+
+				for {
+					select {
+					case <-ctx.Done():
+						return
+					case <-t.C:
+					}
+					// we set the http timeout to the healthcheck interval to prevent getting too backed up.
+					client := &http.Client{
+						Timeout: time.Duration(app.Healthcheck.Interval) * time.Second,
+					}
+					err := func() error {
+						req, err := http.NewRequestWithContext(ctx, http.MethodGet, app.Healthcheck.URL, nil)
+						if err != nil {
+							return err
+						}
+						res, err := client.Do(req)
+						if err != nil {
+							return err
+						}
+						// successful healthcheck is a non-5XX status code
+						_ = res.Body.Close()
+						if res.StatusCode >= http.StatusInternalServerError {
+							return xerrors.Errorf("error status code: %d", res.StatusCode)
+						}
+
+						return nil
+					}()
+					if err != nil {
+						mu.Lock()
+						if failures[app.ID] < int(app.Healthcheck.Threshold) {
+							// increment the failure count and keep status the same.
+							// we will change it when we hit the threshold.
+							failures[app.ID]++
+						} else {
+							// set to unhealthy if we hit the failure threshold.
+							// we stop incrementing at the threshold to prevent the failure value from increasing forever.
+							health[app.ID] = codersdk.WorkspaceAppHealthUnhealthy
+						}
+						mu.Unlock()
+					} else {
+						mu.Lock()
+						// we only need one successful health check to be considered healthy.
+						health[app.ID] = codersdk.WorkspaceAppHealthHealthy
+						failures[app.ID] = 0
+						mu.Unlock()
+					}
+
+					t.Reset(time.Duration(app.Healthcheck.Interval) * time.Second)
+				}
+			}()
+		}
+
+		mu.Lock()
+		lastHealth := copyHealth(health)
+		mu.Unlock()
+		reportTicker := time.NewTicker(time.Second)
+		defer reportTicker.Stop()
+		// every second we check if the health values of the apps have changed
+		// and if there is a change we will report the new values.
+		for {
+			select {
+			case <-ctx.Done():
+				return nil
+			case <-reportTicker.C:
+				mu.RLock()
+				changed := healthChanged(lastHealth, health)
+				mu.RUnlock()
+				if !changed {
+					continue
+				}
+
+				mu.Lock()
+				lastHealth = copyHealth(health)
+				mu.Unlock()
+				err := postWorkspaceAgentAppHealth(ctx, agentsdk.PostAppHealthsRequest{
+					Healths: lastHealth,
+				})
+				if err != nil {
+					logger.Error(ctx, "failed to report workspace app stat", slog.Error(err))
+				}
+			}
+		}
+	}
+
+	return func(ctx context.Context) {
+		for r := retry.New(time.Second, 30*time.Second); r.Wait(ctx); {
+			err := runHealthcheckLoop(ctx)
+			if err == nil || xerrors.Is(err, context.Canceled) || xerrors.Is(err, context.DeadlineExceeded) {
+				return
+			}
+			logger.Error(ctx, "failed running workspace app reporter", slog.Error(err))
+		}
+	}
+}
+
+func shouldStartTicker(app codersdk.WorkspaceApp) bool {
+	return app.Healthcheck.URL != "" && app.Healthcheck.Interval > 0 && app.Healthcheck.Threshold > 0
+}
+
+func healthChanged(old map[uuid.UUID]codersdk.WorkspaceAppHealth, new map[uuid.UUID]codersdk.WorkspaceAppHealth) bool {
+	for name, newValue := range new {
+		oldValue, found := old[name]
+		if !found {
+			return true
+		}
+		if newValue != oldValue {
+			return true
+		}
+	}
+
+	return false
+}
+
+func copyHealth(h1 map[uuid.UUID]codersdk.WorkspaceAppHealth) map[uuid.UUID]codersdk.WorkspaceAppHealth {
+	h2 := make(map[uuid.UUID]codersdk.WorkspaceAppHealth, 0)
+	for k, v := range h1 {
+		h2[k] = v
+	}
+
+	return h2
+}
@@ -0,0 +1,207 @@
+package agent_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/slogtest"
+	"github.com/coder/coder/agent"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/coder/testutil"
+)
+
+func TestAppHealth_Healthy(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug:        "app1",
+			Healthcheck: codersdk.Healthcheck{},
+			Health:      codersdk.WorkspaceAppHealthDisabled,
+		},
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		nil,
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(r.Context(), w, http.StatusOK, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	apps, err := getApps(ctx)
+	require.NoError(t, err)
+	require.EqualValues(t, codersdk.WorkspaceAppHealthDisabled, apps[0].Health)
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[1].Health == codersdk.WorkspaceAppHealthHealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_500(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(r.Context(), w, http.StatusInternalServerError, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_Timeout(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// sleep longer than the interval to cause the health check to time out
+			time.Sleep(2 * time.Second)
+			httpapi.Write(r.Context(), w, http.StatusOK, nil)
+		}),
+	}
+	getApps, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	require.Eventually(t, func() bool {
+		apps, err := getApps(ctx)
+		if err != nil {
+			return false
+		}
+
+		return apps[0].Health == codersdk.WorkspaceAppHealthUnhealthy
+	}, testutil.WaitLong, testutil.IntervalSlow)
+}
+
+func TestAppHealth_NotSpamming(t *testing.T) {
+	t.Parallel()
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+	defer cancel()
+	apps := []codersdk.WorkspaceApp{
+		{
+			Slug: "app2",
+			Healthcheck: codersdk.Healthcheck{
+				// URL: We don't set the URL for this test because the setup will
+				// create a httptest server for us and set it for us.
+				Interval:  1,
+				Threshold: 1,
+			},
+			Health: codersdk.WorkspaceAppHealthInitializing,
+		},
+	}
+
+	counter := new(int32)
+	handlers := []http.Handler{
+		http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			atomic.AddInt32(counter, 1)
+		}),
+	}
+	_, closeFn := setupAppReporter(ctx, t, apps, handlers)
+	defer closeFn()
+	// Ensure we haven't made more than 2 (expected 1 + 1 for buffer) requests in the last second.
+	// if there is a bug where we are spamming the healthcheck route this will catch it.
+	time.Sleep(time.Second)
+	require.LessOrEqual(t, atomic.LoadInt32(counter), int32(2))
+}
+
+func setupAppReporter(ctx context.Context, t *testing.T, apps []codersdk.WorkspaceApp, handlers []http.Handler) (agent.WorkspaceAgentApps, func()) {
+	closers := []func(){}
+	for i, handler := range handlers {
+		if handler == nil {
+			continue
+		}
+		ts := httptest.NewServer(handler)
+		app := apps[i]
+		app.Healthcheck.URL = ts.URL
+		apps[i] = app
+		closers = append(closers, ts.Close)
+	}
+
+	var mu sync.Mutex
+	workspaceAgentApps := func(context.Context) ([]codersdk.WorkspaceApp, error) {
+		mu.Lock()
+		defer mu.Unlock()
+		var newApps []codersdk.WorkspaceApp
+		return append(newApps, apps...), nil
+	}
+	postWorkspaceAgentAppHealth := func(_ context.Context, req agentsdk.PostAppHealthsRequest) error {
+		mu.Lock()
+		for id, health := range req.Healths {
+			for i, app := range apps {
+				if app.ID != id {
+					continue
+				}
+				app.Health = health
+				apps[i] = app
+			}
+		}
+		mu.Unlock()
+
+		return nil
+	}
+
+	go agent.NewWorkspaceAppHealthReporter(slogtest.Make(t, nil).Leveled(slog.LevelDebug), apps, postWorkspaceAgentAppHealth)(ctx)
+
+	return workspaceAgentApps, func() {
+		for _, closeFn := range closers {
+			closeFn()
+		}
+	}
+}
@@ -1,118 +0,0 @@
-package agent
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"net"
-	"net/url"
-	"strings"
-
-	"golang.org/x/crypto/ssh"
-	"golang.org/x/xerrors"
-
-	"github.com/coder/coder/peer"
-	"github.com/coder/coder/peerbroker/proto"
-)
-
-// ReconnectingPTYRequest is sent from the client to the server
-// to pipe data to a PTY.
-type ReconnectingPTYRequest struct {
-	Data   string `json:"data"`
-	Height uint16 `json:"height"`
-	Width  uint16 `json:"width"`
-}
-
-// Conn wraps a peer connection with helper functions to
-// communicate with the agent.
-type Conn struct {
-	// Negotiator is responsible for exchanging messages.
-	Negotiator proto.DRPCPeerBrokerClient
-
-	*peer.Conn
-}
-
-// ReconnectingPTY returns a connection serving a TTY that can
-// be reconnected to via ID.
-//
-// The command is optional and defaults to start a shell.
-func (c *Conn) ReconnectingPTY(id string, height, width uint16, command string) (net.Conn, error) {
-	channel, err := c.CreateChannel(context.Background(), fmt.Sprintf("%s:%d:%d:%s", id, height, width, command), &peer.ChannelOptions{
-		Protocol: ProtocolReconnectingPTY,
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("pty: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSH dials the built-in SSH server.
-func (c *Conn) SSH() (net.Conn, error) {
-	channel, err := c.CreateChannel(context.Background(), "ssh", &peer.ChannelOptions{
-		Protocol: ProtocolSSH,
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("dial: %w", err)
-	}
-	return channel.NetConn(), nil
-}
-
-// SSHClient calls SSH to create a client that uses a weak cipher
-// for high throughput.
-func (c *Conn) SSHClient() (*ssh.Client, error) {
-	netConn, err := c.SSH()
-	if err != nil {
-		return nil, xerrors.Errorf("ssh: %w", err)
-	}
-	sshConn, channels, requests, err := ssh.NewClientConn(netConn, "localhost:22", &ssh.ClientConfig{
-		// SSH host validation isn't helpful, because obtaining a peer
-		// connection already signifies user-intent to dial a workspace.
-		// #nosec
-		HostKeyCallback: ssh.InsecureIgnoreHostKey(),
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("ssh conn: %w", err)
-	}
-	return ssh.NewClient(sshConn, channels, requests), nil
-}
-
-// DialContext dials an arbitrary protocol+address from inside the workspace and
-// proxies it through the provided net.Conn.
-func (c *Conn) DialContext(ctx context.Context, network string, addr string) (net.Conn, error) {
-	u := &url.URL{
-		Scheme: network,
-	}
-	if strings.HasPrefix(network, "unix") {
-		u.Path = addr
-	} else {
-		u.Host = addr
-	}
-
-	channel, err := c.CreateChannel(ctx, u.String(), &peer.ChannelOptions{
-		Protocol:  ProtocolDial,
-		Unordered: strings.HasPrefix(network, "udp"),
-	})
-	if err != nil {
-		return nil, xerrors.Errorf("create datachannel: %w", err)
-	}
-
-	// The first message written from the other side is a JSON payload
-	// containing the dial error.
-	dec := json.NewDecoder(channel)
-	var res dialResponse
-	err = dec.Decode(&res)
-	if err != nil {
-		return nil, xerrors.Errorf("decode agent dial response: %w", err)
-	}
-	if res.Error != "" {
-		_ = channel.Close()
-		return nil, xerrors.Errorf("remote dial error: %v", res.Error)
-	}
-
-	return channel.NetConn(), nil
-}
-
-func (c *Conn) Close() error {
-	_ = c.Negotiator.DRPCConn().Close()
-	return c.Conn.Close()
-}
@@ -0,0 +1,64 @@
+//go:build linux || (windows && amd64)
+
+package agent
+
+import (
+	"time"
+
+	"github.com/cakturk/go-netstat/netstat"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
+)
+
+func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
+	lp.mut.Lock()
+	defer lp.mut.Unlock()
+
+	if time.Since(lp.mtime) < time.Second {
+		// copy
+		ports := make([]codersdk.WorkspaceAgentListeningPort, len(lp.ports))
+		copy(ports, lp.ports)
+		return ports, nil
+	}
+
+	tabs, err := netstat.TCPSocks(func(s *netstat.SockTabEntry) bool {
+		return s.State == netstat.Listen
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("scan listening ports: %w", err)
+	}
+
+	seen := make(map[uint16]struct{}, len(tabs))
+	ports := []codersdk.WorkspaceAgentListeningPort{}
+	for _, tab := range tabs {
+		if tab.LocalAddr == nil || tab.LocalAddr.Port < codersdk.WorkspaceAgentMinimumListeningPort {
+			continue
+		}
+
+		// Don't include ports that we've already seen. This can happen on
+		// Windows, and maybe on Linux if you're using a shared listener socket.
+		if _, ok := seen[tab.LocalAddr.Port]; ok {
+			continue
+		}
+		seen[tab.LocalAddr.Port] = struct{}{}
+
+		procName := ""
+		if tab.Process != nil {
+			procName = tab.Process.Name
+		}
+		ports = append(ports, codersdk.WorkspaceAgentListeningPort{
+			ProcessName: procName,
+			Network:     "tcp",
+			Port:        tab.LocalAddr.Port,
+		})
+	}
+
+	lp.ports = ports
+	lp.mtime = time.Now()
+
+	// copy
+	ports = make([]codersdk.WorkspaceAgentListeningPort, len(lp.ports))
+	copy(ports, lp.ports)
+	return ports, nil
+}
@@ -0,0 +1,12 @@
+//go:build !linux && !(windows && amd64)
+
+package agent
+
+import "github.com/coder/coder/codersdk"
+
+func (lp *listeningPortsHandler) getListeningPorts() ([]codersdk.WorkspaceAgentListeningPort, error) {
+	// Can't scan for ports on non-linux or non-windows_amd64 systems at the
+	// moment. The UI will not show any "no ports found" message to the user, so
+	// the user won't suspect a thing.
+	return []codersdk.WorkspaceAgentListeningPort{}, nil
+}
@@ -1,6 +1,10 @@
 package reaper

-import "github.com/hashicorp/go-reap"
+import (
+	"os"
+
+	"github.com/hashicorp/go-reap"
+)

 type Option func(o *options)

@@ -22,7 +26,16 @@ func WithPIDCallback(ch reap.PidCh) Option {
 	}
 }

-type options struct {
-	ExecArgs []string
-	PIDs     reap.PidCh
+// WithCatchSignals sets the signals that are caught and forwarded to the
+// child process. By default no signals are forwarded.
+func WithCatchSignals(sigs ...os.Signal) Option {
+	return func(o *options) {
+		o.CatchSignals = sigs
+	}
+}
+
+type options struct {
+	ExecArgs     []string
+	PIDs         reap.PidCh
+	CatchSignals []os.Signal
 }
@@ -7,6 +7,6 @@ func IsInitProcess() bool {
 	return false
 }

-func ForkReap(opt ...Option) error {
+func ForkReap(_ ...Option) error {
 	return nil
 }
@@ -3,8 +3,11 @@
 package reaper_test

 import (
+	"fmt"
 	"os"
 	"os/exec"
+	"os/signal"
+	"syscall"
 	"testing"
 	"time"

@@ -12,11 +15,11 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/testutil"
 )

+//nolint:paralleltest // Non-parallel subtest.
 func TestReap(t *testing.T) {
-	t.Parallel()
-
 	// Don't run the reaper test in CI. It does weird
 	// things like forkexecing which may have unintended
 	// consequences in CI.
@@ -27,6 +30,8 @@ func TestReap(t *testing.T) {
 	// OK checks that's the reaper is successfully reaping
 	// exited processes and passing the PIDs through the shared
 	// channel.
+
+	//nolint:paralleltest // Signal handling.
 	t.Run("OK", func(t *testing.T) {
 		pids := make(reap.PidCh, 1)
 		err := reaper.ForkReap(
@@ -52,10 +57,9 @@ func TestReap(t *testing.T) {

 		expectedPIDs := []int{cmd.Process.Pid, cmd2.Process.Pid}

-		deadline := time.NewTimer(time.Second * 5)
 		for i := 0; i < len(expectedPIDs); i++ {
 			select {
-			case <-deadline.C:
+			case <-time.After(testutil.WaitShort):
 				t.Fatalf("Timed out waiting for process")
 			case pid := <-pids:
 				require.Contains(t, expectedPIDs, pid)
@@ -63,3 +67,39 @@ func TestReap(t *testing.T) {
 		}
 	})
 }
+
+//nolint:paralleltest // Signal handling.
+func TestReapInterrupt(t *testing.T) {
+	// Don't run the reaper test in CI. It does weird
+	// things like forkexecing which may have unintended
+	// consequences in CI.
+	if _, ok := os.LookupEnv("CI"); ok {
+		t.Skip("Detected CI, skipping reaper tests")
+	}
+
+	errC := make(chan error, 1)
+	pids := make(reap.PidCh, 1)
+
+	// Use signals to notify when the child process is ready for the
+	//  next step of our test.
+	usrSig := make(chan os.Signal, 1)
+	signal.Notify(usrSig, syscall.SIGUSR1, syscall.SIGUSR2)
+	defer signal.Stop(usrSig)
+
+	go func() {
+		errC <- reaper.ForkReap(
+			reaper.WithPIDCallback(pids),
+			reaper.WithCatchSignals(os.Interrupt),
+			// Signal propagation does not extend to children of children, so
+			// we create a little bash script to ensure sleep is interrupted.
+			reaper.WithExecArgs("/bin/sh", "-c", fmt.Sprintf("pid=0; trap 'kill -USR2 %d; kill -TERM $pid' INT; sleep 10 &\npid=$!; kill -USR1 %d; wait", os.Getpid(), os.Getpid())),
+		)
+	}()
+
+	require.Equal(t, <-usrSig, syscall.SIGUSR1)
+	err := syscall.Kill(os.Getpid(), syscall.SIGINT)
+	require.NoError(t, err)
+	require.Equal(t, <-usrSig, syscall.SIGUSR2)
+
+	require.NoError(t, <-errC)
+}
@@ -4,6 +4,7 @@ package reaper

 import (
 	"os"
+	"os/signal"
 	"syscall"

 	"github.com/hashicorp/go-reap"
@@ -15,6 +16,24 @@ func IsInitProcess() bool {
 	return os.Getpid() == 1
 }

+func catchSignals(pid int, sigs []os.Signal) {
+	if len(sigs) == 0 {
+		return
+	}
+
+	sc := make(chan os.Signal, 1)
+	signal.Notify(sc, sigs...)
+	defer signal.Stop(sc)
+
+	for {
+		s := <-sc
+		sig, ok := s.(syscall.Signal)
+		if ok {
+			_ = syscall.Kill(pid, sig)
+		}
+	}
+}
+
 // ForkReap spawns a goroutine that reaps children. In order to avoid
 // complications with spawning `exec.Commands` in the same process that
 // is reaping, we forkexec a child process. This prevents a race between
@@ -51,13 +70,17 @@ func ForkReap(opt ...Option) error {
 	}

 	//#nosec G204
-	pid, _ := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+	pid, err := syscall.ForkExec(opts.ExecArgs[0], opts.ExecArgs, pattrs)
+	if err != nil {
+		return xerrors.Errorf("fork exec: %w", err)
+	}
+
+	go catchSignals(pid, opts.CatchSignals)

 	var wstatus syscall.WaitStatus
 	_, err = syscall.Wait4(pid, &wstatus, 0, nil)
 	for xerrors.Is(err, syscall.EINTR) {
 		_, err = syscall.Wait4(pid, &wstatus, 0, nil)
 	}
-
-	return nil
+	return err
 }
@@ -0,0 +1,203 @@
+package agent
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+
+	"github.com/gliderlabs/ssh"
+	gossh "golang.org/x/crypto/ssh"
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+)
+
+// streamLocalForwardPayload describes the extra data sent in a
+// streamlocal-forward@openssh.com containing the socket path to bind to.
+type streamLocalForwardPayload struct {
+	SocketPath string
+}
+
+// forwardedStreamLocalPayload describes the data sent as the payload in the new
+// channel request when a Unix connection is accepted by the listener.
+type forwardedStreamLocalPayload struct {
+	SocketPath string
+	Reserved   uint32
+}
+
+// forwardedUnixHandler is a clone of ssh.ForwardedTCPHandler that does
+// streamlocal forwarding (aka. unix forwarding) instead of TCP forwarding.
+type forwardedUnixHandler struct {
+	sync.Mutex
+	log      slog.Logger
+	forwards map[string]net.Listener
+}
+
+func (h *forwardedUnixHandler) HandleSSHRequest(ctx ssh.Context, _ *ssh.Server, req *gossh.Request) (bool, []byte) {
+	h.Lock()
+	if h.forwards == nil {
+		h.forwards = make(map[string]net.Listener)
+	}
+	h.Unlock()
+	conn, ok := ctx.Value(ssh.ContextKeyConn).(*gossh.ServerConn)
+	if !ok {
+		h.log.Warn(ctx, "SSH unix forward request from client with no gossh connection")
+		return false, nil
+	}
+
+	switch req.Type {
+	case "streamlocal-forward@openssh.com":
+		var reqPayload streamLocalForwardPayload
+		err := gossh.Unmarshal(req.Payload, &reqPayload)
+		if err != nil {
+			h.log.Warn(ctx, "parse streamlocal-forward@openssh.com request payload from client", slog.Error(err))
+			return false, nil
+		}
+
+		addr := reqPayload.SocketPath
+		h.Lock()
+		_, ok := h.forwards[addr]
+		h.Unlock()
+		if ok {
+			h.log.Warn(ctx, "SSH unix forward request for socket path that is already being forwarded (maybe to another client?)",
+				slog.F("socket_path", addr),
+			)
+			return false, nil
+		}
+
+		// Create socket parent dir if not exists.
+		parentDir := filepath.Dir(addr)
+		err = os.MkdirAll(parentDir, 0o700)
+		if err != nil {
+			h.log.Warn(ctx, "create parent dir for SSH unix forward request",
+				slog.F("parent_dir", parentDir),
+				slog.F("socket_path", addr),
+				slog.Error(err),
+			)
+			return false, nil
+		}
+
+		ln, err := net.Listen("unix", addr)
+		if err != nil {
+			h.log.Warn(ctx, "listen on Unix socket for SSH unix forward request",
+				slog.F("socket_path", addr),
+				slog.Error(err),
+			)
+			return false, nil
+		}
+
+		// The listener needs to successfully start before it can be added to
+		// the map, so we don't have to worry about checking for an existing
+		// listener.
+		//
+		// This is also what the upstream TCP version of this code does.
+		h.Lock()
+		h.forwards[addr] = ln
+		h.Unlock()
+
+		ctx, cancel := context.WithCancel(ctx)
+		go func() {
+			<-ctx.Done()
+			_ = ln.Close()
+		}()
+		go func() {
+			defer cancel()
+
+			for {
+				c, err := ln.Accept()
+				if err != nil {
+					if !xerrors.Is(err, net.ErrClosed) {
+						h.log.Warn(ctx, "accept on local Unix socket for SSH unix forward request",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+					}
+					// closed below
+					break
+				}
+				payload := gossh.Marshal(&forwardedStreamLocalPayload{
+					SocketPath: addr,
+				})
+
+				go func() {
+					ch, reqs, err := conn.OpenChannel("forwarded-streamlocal@openssh.com", payload)
+					if err != nil {
+						h.log.Warn(ctx, "open SSH channel to forward Unix connection to client",
+							slog.F("socket_path", addr),
+							slog.Error(err),
+						)
+						_ = c.Close()
+						return
+					}
+					go gossh.DiscardRequests(reqs)
+					Bicopy(ctx, ch, c)
+				}()
+			}
+
+			h.Lock()
+			ln2, ok := h.forwards[addr]
+			if ok && ln2 == ln {
+				delete(h.forwards, addr)
+			}
+			h.Unlock()
+			_ = ln.Close()
+		}()
+
+		return true, nil
+
+	case "cancel-streamlocal-forward@openssh.com":
+		var reqPayload streamLocalForwardPayload
+		err := gossh.Unmarshal(req.Payload, &reqPayload)
+		if err != nil {
+			h.log.Warn(ctx, "parse cancel-streamlocal-forward@openssh.com request payload from client", slog.Error(err))
+			return false, nil
+		}
+		h.Lock()
+		ln, ok := h.forwards[reqPayload.SocketPath]
+		h.Unlock()
+		if ok {
+			_ = ln.Close()
+		}
+		return true, nil
+
+	default:
+		return false, nil
+	}
+}
+
+// directStreamLocalPayload describes the extra data sent in a
+// direct-streamlocal@openssh.com channel request containing the socket path.
+type directStreamLocalPayload struct {
+	SocketPath string
+
+	Reserved1 string
+	Reserved2 uint32
+}
+
+func directStreamLocalHandler(_ *ssh.Server, _ *gossh.ServerConn, newChan gossh.NewChannel, ctx ssh.Context) {
+	var reqPayload directStreamLocalPayload
+	err := gossh.Unmarshal(newChan.ExtraData(), &reqPayload)
+	if err != nil {
+		_ = newChan.Reject(gossh.ConnectionFailed, "could not parse direct-streamlocal@openssh.com channel payload")
+		return
+	}
+
+	var dialer net.Dialer
+	dconn, err := dialer.DialContext(ctx, "unix", reqPayload.SocketPath)
+	if err != nil {
+		_ = newChan.Reject(gossh.ConnectionFailed, fmt.Sprintf("dial unix socket %q: %+v", reqPayload.SocketPath, err.Error()))
+		return
+	}
+
+	ch, reqs, err := newChan.Accept()
+	if err != nil {
+		_ = dconn.Close()
+		return
+	}
+	go gossh.DiscardRequests(reqs)
+
+	Bicopy(ctx, ch, dconn)
+}
@@ -4,7 +4,11 @@ import "os/exec"

 // Get returns the command prompt binary name.
 func Get(username string) (string, error) {
-	_, err := exec.LookPath("powershell.exe")
+	_, err := exec.LookPath("pwsh.exe")
+	if err == nil {
+		return "pwsh.exe", nil
+	}
+	_, err = exec.LookPath("powershell.exe")
 	if err == nil {
 		return "powershell.exe", nil
 	}
@@ -1,97 +0,0 @@
-package agent
-
-import (
-	"context"
-	"net"
-	"strconv"
-
-	"golang.org/x/xerrors"
-	"inet.af/netaddr"
-
-	"cdr.dev/slog"
-	"github.com/coder/coder/peer/peerwg"
-)
-
-func (a *agent) startWireguard(ctx context.Context, addrs []netaddr.IPPrefix) error {
-	if a.network != nil {
-		_ = a.network.Close()
-		a.network = nil
-	}
-
-	// We can't create a wireguard network without these.
-	if len(addrs) == 0 || a.listenWireguardPeers == nil || a.postKeys == nil {
-		return xerrors.New("wireguard is enabled, but no addresses were provided or necessary functions were not provided")
-	}
-
-	wg, err := peerwg.New(a.logger.Named("wireguard"), addrs)
-	if err != nil {
-		return xerrors.Errorf("create wireguard network: %w", err)
-	}
-
-	// A new keypair is generated on each agent start.
-	// This keypair must be sent to Coder to allow for incoming connections.
-	err = a.postKeys(ctx, WireguardPublicKeys{
-		Public: wg.NodePrivateKey.Public(),
-		Disco:  wg.DiscoPublicKey,
-	})
-	if err != nil {
-		a.logger.Warn(ctx, "post keys", slog.Error(err))
-	}
-
-	go func() {
-		for {
-			ch, listenClose, err := a.listenWireguardPeers(ctx, a.logger)
-			if err != nil {
-				a.logger.Warn(ctx, "listen wireguard peers", slog.Error(err))
-				return
-			}
-
-			for {
-				peer, ok := <-ch
-				if !ok {
-					break
-				}
-
-				err := wg.AddPeer(peer)
-				a.logger.Info(ctx, "added wireguard peer", slog.F("peer", peer.NodePublicKey.ShortString()), slog.Error(err))
-			}
-
-			listenClose()
-		}
-	}()
-
-	a.startWireguardListeners(ctx, wg, []handlerPort{
-		{port: 12212, handler: a.sshServer.HandleConn},
-	})
-
-	a.network = wg
-	return nil
-}
-
-type handlerPort struct {
-	handler func(conn net.Conn)
-	port    uint16
-}
-
-func (a *agent) startWireguardListeners(ctx context.Context, network *peerwg.Network, handlers []handlerPort) {
-	for _, h := range handlers {
-		go func(h handlerPort) {
-			a.logger.Debug(ctx, "starting wireguard listener", slog.F("port", h.port))
-
-			listener, err := network.Listen("tcp", net.JoinHostPort("", strconv.Itoa(int(h.port))))
-			if err != nil {
-				a.logger.Warn(ctx, "listen wireguard", slog.F("port", h.port), slog.Error(err))
-				return
-			}
-
-			for {
-				conn, err := listener.Accept()
-				if err != nil {
-					return
-				}
-
-				go h.handler(conn)
-			}
-		}(h)
-	}
-}
@@ -3,6 +3,7 @@ package buildinfo
 import (
 	"fmt"
 	"runtime/debug"
+	"strings"
 	"sync"
 	"time"

@@ -20,8 +21,17 @@ var (
 	version     string
 	readVersion sync.Once

-	// Injected with ldflags at build!
-	tag string
+	// Updated by buildinfo_slim.go on start.
+	slim bool
+
+	// Injected with ldflags at build, see scripts/build_go.sh
+	tag  string
+	agpl string // either "true" or "false", ldflags does not support bools
+)
+
+const (
+	// develPrefix is prefixed to developer versions of the application.
+	develPrefix = "v0.0.0-devel"
 )

 // Version returns the semantic version of the build.
@@ -35,7 +45,7 @@ func Version() string {
 		if tag == "" {
 			// This occurs when the tag hasn't been injected,
 			// like when using "go run".
-			version = "v0.0.0-devel" + revision
+			version = develPrefix + revision
 			return
 		}
 		version = "v" + tag
@@ -48,6 +58,35 @@ func Version() string {
 	return version
 }

+// VersionsMatch compares the two versions. It assumes the versions match if
+// the major and the minor versions are equivalent. Patch versions are
+// disregarded. If it detects that either version is a developer build it
+// returns true.
+func VersionsMatch(v1, v2 string) bool {
+	// Developer versions are disregarded...hopefully they know what they are
+	// doing.
+	if strings.HasPrefix(v1, develPrefix) || strings.HasPrefix(v2, develPrefix) {
+		return true
+	}
+
+	return semver.MajorMinor(v1) == semver.MajorMinor(v2)
+}
+
+// IsDev returns true if this is a development build.
+func IsDev() bool {
+	return strings.HasPrefix(Version(), develPrefix)
+}
+
+// IsSlim returns true if this is a slim build.
+func IsSlim() bool {
+	return slim
+}
+
+// IsAGPL returns true if this is an AGPL build.
+func IsAGPL() bool {
+	return strings.Contains(agpl, "t")
+}
+
 // ExternalURL returns a URL referencing the current Coder version.
 // For production builds, this will link directly to a release.
 // For development builds, this will link to a commit.
@@ -0,0 +1,7 @@
+//go:build slim
+
+package buildinfo
+
+func init() {
+	slim = true
+}
@@ -1,6 +1,7 @@
 package buildinfo_test

 import (
+	"fmt"
 	"testing"

 	"github.com/stretchr/testify/require"
@@ -29,4 +30,70 @@ func TestBuildInfo(t *testing.T) {
 		_, valid := buildinfo.Time()
 		require.False(t, valid)
 	})
+
+	t.Run("VersionsMatch", func(t *testing.T) {
+		t.Parallel()
+
+		type testcase struct {
+			name        string
+			v1          string
+			v2          string
+			expectMatch bool
+		}
+
+		cases := []testcase{
+			{
+				name:        "OK",
+				v1:          "v1.2.3",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Test that we return true if a developer version is detected.
+			// Developers do not need to be warned of mismatched versions.
+			{
+				name:        "DevelIgnored",
+				v1:          "v0.0.0-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: true,
+			},
+			// Our CI instance uses a "-devel" prerelease
+			// flag. This is not the same as a developer WIP build.
+			{
+				name:        "DevelPreleaseNotIgnored",
+				v1:          "v1.1.1-devel+123abac",
+				v2:          "v1.2.3",
+				expectMatch: false,
+			},
+			{
+				name:        "MajorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v0.1.2",
+				expectMatch: false,
+			},
+			{
+				name:        "MinorMismatch",
+				v1:          "v1.2.3",
+				v2:          "v1.3.2",
+				expectMatch: false,
+			},
+			// Different patches are ok, breaking changes are not allowed
+			// in patches.
+			{
+				name:        "PatchMismatch",
+				v1:          "v1.2.3+hash.whocares",
+				v2:          "v1.2.4+somestuff.hm.ok",
+				expectMatch: true,
+			},
+		}
+
+		for _, c := range cases {
+			c := c
+			t.Run(c.name, func(t *testing.T) {
+				t.Parallel()
+				require.Equal(t, c.expectMatch, buildinfo.VersionsMatch(c.v1, c.v2),
+					fmt.Sprintf("expected match=%v for version %s and %s", c.expectMatch, c.v1, c.v2),
+				)
+			})
+		}
+	})
 }
@@ -3,12 +3,15 @@ package cli
 import (
 	"context"
 	"fmt"
+	"io"
 	"net/http"
-	_ "net/http/pprof" //nolint: gosec
+	"net/http/pprof"
 	"net/url"
 	"os"
+	"os/signal"
 	"path/filepath"
 	"runtime"
+	"sync"
 	"time"

 	"cloud.google.com/go/compute/metadata"
@@ -20,24 +23,26 @@ import (
 	"cdr.dev/slog/sloggers/sloghuman"
 	"github.com/coder/coder/agent"
 	"github.com/coder/coder/agent/reaper"
+	"github.com/coder/coder/buildinfo"
 	"github.com/coder/coder/cli/cliflag"
-	"github.com/coder/coder/codersdk"
-	"github.com/coder/retry"
+	"github.com/coder/coder/codersdk/agentsdk"
 )

 func workspaceAgent() *cobra.Command {
 	var (
 		auth         string
-		pprofEnabled bool
+		logDir       string
 		pprofAddress string
 		noReap       bool
-		wireguard    bool
 	)
 	cmd := &cobra.Command{
 		Use: "agent",
 		// This command isn't useful to manually execute.
 		Hidden: true,
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			ctx, cancel := context.WithCancel(cmd.Context())
+			defer cancel()
+
 			rawURL, err := cmd.Flags().GetString(varAgentURL)
 			if err != nil {
 				return xerrors.Errorf("CODER_AGENT_URL must be set: %w", err)
@@ -47,117 +52,126 @@ func workspaceAgent() *cobra.Command {
 				return xerrors.Errorf("parse %q: %w", rawURL, err)
 			}

-			logWriter := &lumberjack.Logger{
-				Filename: filepath.Join(os.TempDir(), "coder-agent.log"),
-				MaxSize:  5, // MB
-			}
-			defer logWriter.Close()
-			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
-
 			isLinux := runtime.GOOS == "linux"

 			// Spawn a reaper so that we don't accumulate a ton
 			// of zombie processes.
 			if reaper.IsInitProcess() && !noReap && isLinux {
-				logger.Info(cmd.Context(), "spawning reaper process")
+				logWriter := &lumberjack.Logger{
+					Filename: filepath.Join(logDir, "coder-agent-init.log"),
+					MaxSize:  5, // MB
+				}
+				defer logWriter.Close()
+				logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
+
+				logger.Info(ctx, "spawning reaper process")
 				// Do not start a reaper on the child process. It's important
 				// to do this else we fork bomb ourselves.
 				args := append(os.Args, "--no-reap")
-				err := reaper.ForkReap(reaper.WithExecArgs(args...))
+				err := reaper.ForkReap(
+					reaper.WithExecArgs(args...),
+					reaper.WithCatchSignals(InterruptSignals...),
+				)
 				if err != nil {
-					logger.Error(cmd.Context(), "failed to reap", slog.Error(err))
+					logger.Error(ctx, "failed to reap", slog.Error(err))
 					return xerrors.Errorf("fork reap: %w", err)
 				}

-				logger.Info(cmd.Context(), "reaper process exiting")
+				logger.Info(ctx, "reaper process exiting")
 				return nil
 			}

-			client := codersdk.New(coderURL)
+			// Handle interrupt signals to allow for graceful shutdown,
+			// note that calling stopNotify disables the signal handler
+			// and the next interrupt will terminate the program (you
+			// probably want cancel instead).
+			//
+			// Note that we don't want to handle these signals in the
+			// process that runs as PID 1, that's why we do this after
+			// the reaper forked.
+			ctx, stopNotify := signal.NotifyContext(ctx, InterruptSignals...)
+			defer stopNotify()

-			if pprofEnabled {
-				srvClose := serveHandler(cmd.Context(), logger, nil, pprofAddress, "pprof")
-				defer srvClose()
-			} else {
-				// If pprof wasn't enabled at startup, allow a
-				// `kill -USR1 $agent_pid` to start it (on Unix).
-				srvClose := agentStartPPROFOnUSR1(cmd.Context(), logger, pprofAddress)
-				defer srvClose()
+			// dumpHandler does signal handling, so we call it after the
+			// reaper.
+			go dumpHandler(ctx)
+
+			ljLogger := &lumberjack.Logger{
+				Filename: filepath.Join(logDir, "coder-agent.log"),
+				MaxSize:  5, // MB
 			}
+			defer ljLogger.Close()
+			logWriter := &closeWriter{w: ljLogger}
+			defer logWriter.Close()
+
+			logger := slog.Make(sloghuman.Sink(cmd.ErrOrStderr()), sloghuman.Sink(logWriter)).Leveled(slog.LevelDebug)
+
+			version := buildinfo.Version()
+			logger.Info(ctx, "starting agent",
+				slog.F("url", coderURL),
+				slog.F("auth", auth),
+				slog.F("version", version),
+			)
+			client := agentsdk.New(coderURL)
+			client.SDK.Logger = logger
+			// Set a reasonable timeout so requests can't hang forever!
+			client.SDK.HTTPClient.Timeout = 10 * time.Second
+
+			// Enable pprof handler
+			// This prevents the pprof import from being accidentally deleted.
+			_ = pprof.Handler
+			pprofSrvClose := serveHandler(ctx, logger, nil, pprofAddress, "pprof")
+			defer pprofSrvClose()

 			// exchangeToken returns a session token.
 			// This is abstracted to allow for the same looping condition
 			// regardless of instance identity auth type.
-			var exchangeToken func(context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error)
+			var exchangeToken func(context.Context) (agentsdk.AuthenticateResponse, error)
 			switch auth {
 			case "token":
 				token, err := cmd.Flags().GetString(varAgentToken)
 				if err != nil {
 					return xerrors.Errorf("CODER_AGENT_TOKEN must be set for token auth: %w", err)
 				}
-				client.SessionToken = token
+				client.SetSessionToken(token)
 			case "google-instance-identity":
 				// This is *only* done for testing to mock client authentication.
 				// This will never be set in a production scenario.
 				var gcpClient *metadata.Client
-				gcpClientRaw := cmd.Context().Value("gcp-client")
+				gcpClientRaw := ctx.Value("gcp-client")
 				if gcpClientRaw != nil {
 					gcpClient, _ = gcpClientRaw.(*metadata.Client)
 				}
-				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
-					return client.AuthWorkspaceGoogleInstanceIdentity(ctx, "", gcpClient)
+				exchangeToken = func(ctx context.Context) (agentsdk.AuthenticateResponse, error) {
+					return client.AuthGoogleInstanceIdentity(ctx, "", gcpClient)
 				}
 			case "aws-instance-identity":
 				// This is *only* done for testing to mock client authentication.
 				// This will never be set in a production scenario.
 				var awsClient *http.Client
-				awsClientRaw := cmd.Context().Value("aws-client")
+				awsClientRaw := ctx.Value("aws-client")
 				if awsClientRaw != nil {
 					awsClient, _ = awsClientRaw.(*http.Client)
 					if awsClient != nil {
-						client.HTTPClient = awsClient
+						client.SDK.HTTPClient = awsClient
 					}
 				}
-				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
-					return client.AuthWorkspaceAWSInstanceIdentity(ctx)
+				exchangeToken = func(ctx context.Context) (agentsdk.AuthenticateResponse, error) {
+					return client.AuthAWSInstanceIdentity(ctx)
 				}
 			case "azure-instance-identity":
 				// This is *only* done for testing to mock client authentication.
 				// This will never be set in a production scenario.
 				var azureClient *http.Client
-				azureClientRaw := cmd.Context().Value("azure-client")
+				azureClientRaw := ctx.Value("azure-client")
 				if azureClientRaw != nil {
 					azureClient, _ = azureClientRaw.(*http.Client)
 					if azureClient != nil {
-						client.HTTPClient = azureClient
+						client.SDK.HTTPClient = azureClient
 					}
 				}
-				exchangeToken = func(ctx context.Context) (codersdk.WorkspaceAgentAuthenticateResponse, error) {
-					return client.AuthWorkspaceAzureInstanceIdentity(ctx)
-				}
-			}
-
-			if exchangeToken != nil {
-				// Agent's can start before resources are returned from the provisioner
-				// daemon. If there are many resources being provisioned, this time
-				// could be significant. This is arbitrarily set at an hour to prevent
-				// tons of idle agents from pinging coderd.
-				ctx, cancelFunc := context.WithTimeout(cmd.Context(), time.Hour)
-				defer cancelFunc()
-				for retry.New(100*time.Millisecond, 5*time.Second).Wait(ctx) {
-					var response codersdk.WorkspaceAgentAuthenticateResponse
-
-					response, err = exchangeToken(ctx)
-					if err != nil {
-						logger.Warn(ctx, "authenticate workspace", slog.F("method", auth), slog.Error(err))
-						continue
-					}
-					client.SessionToken = response.SessionToken
-					logger.Info(ctx, "authenticated", slog.F("method", auth))
-					break
-				}
-				if err != nil {
-					return xerrors.Errorf("agent failed to authenticate in time: %w", err)
+				exchangeToken = func(ctx context.Context) (agentsdk.AuthenticateResponse, error) {
+					return client.AuthAzureInstanceIdentity(ctx)
 				}
 			}

@@ -170,26 +184,83 @@ func workspaceAgent() *cobra.Command {
 				return xerrors.Errorf("add executable to $PATH: %w", err)
 			}

-			closer := agent.New(client.ListenWorkspaceAgent, &agent.Options{
+			closer := agent.New(agent.Options{
+				Client: client,
 				Logger: logger,
-				EnvironmentVariables: map[string]string{
-					// Override the "CODER_AGENT_TOKEN" variable in all
-					// shells so "gitssh" works!
-					"CODER_AGENT_TOKEN": client.SessionToken,
+				LogDir: logDir,
+				ExchangeToken: func(ctx context.Context) (string, error) {
+					if exchangeToken == nil {
+						return client.SDK.SessionToken(), nil
+					}
+					resp, err := exchangeToken(ctx)
+					if err != nil {
+						return "", err
+					}
+					client.SetSessionToken(resp.SessionToken)
+					return resp.SessionToken, nil
+				},
+				EnvironmentVariables: map[string]string{
+					"GIT_ASKPASS": executablePath,
 				},
-				EnableWireguard:      wireguard,
-				UploadWireguardKeys:  client.UploadWorkspaceAgentKeys,
-				ListenWireguardPeers: client.WireguardPeerListener,
 			})
-			<-cmd.Context().Done()
+			<-ctx.Done()
 			return closer.Close()
 		},
 	}

 	cliflag.StringVarP(cmd.Flags(), &auth, "auth", "", "CODER_AGENT_AUTH", "token", "Specify the authentication type to use for the agent")
-	cliflag.BoolVarP(cmd.Flags(), &pprofEnabled, "pprof-enable", "", "CODER_AGENT_PPROF_ENABLE", false, "Enable serving pprof metrics on the address defined by --pprof-address.")
-	cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
+	cliflag.StringVarP(cmd.Flags(), &logDir, "log-dir", "", "CODER_AGENT_LOG_DIR", os.TempDir(), "Specify the location for the agent log files")
 	cliflag.StringVarP(cmd.Flags(), &pprofAddress, "pprof-address", "", "CODER_AGENT_PPROF_ADDRESS", "127.0.0.1:6060", "The address to serve pprof.")
-	cliflag.BoolVarP(cmd.Flags(), &wireguard, "wireguard", "", "CODER_AGENT_WIREGUARD", true, "Whether to start the Wireguard interface.")
+	cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
 	return cmd
 }
+
+func serveHandler(ctx context.Context, logger slog.Logger, handler http.Handler, addr, name string) (closeFunc func()) {
+	logger.Debug(ctx, "http server listening", slog.F("addr", addr), slog.F("name", name))
+
+	// ReadHeaderTimeout is purposefully not enabled. It caused some issues with
+	// websockets over the dev tunnel.
+	// See: https://github.com/coder/coder/pull/3730
+	//nolint:gosec
+	srv := &http.Server{
+		Addr:    addr,
+		Handler: handler,
+	}
+	go func() {
+		err := srv.ListenAndServe()
+		if err != nil && !xerrors.Is(err, http.ErrServerClosed) {
+			logger.Error(ctx, "http server listen", slog.F("name", name), slog.Error(err))
+		}
+	}()
+
+	return func() {
+		_ = srv.Close()
+	}
+}
+
+// closeWriter is a wrapper around an io.WriteCloser that prevents
+// writes after Close. This is necessary because lumberjack will
+// re-open the file on write.
+type closeWriter struct {
+	w      io.WriteCloser
+	mu     sync.Mutex // Protects following.
+	closed bool
+}
+
+func (c *closeWriter) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	c.closed = true
+	return c.w.Close()
+}
+
+func (c *closeWriter) Write(p []byte) (int, error) {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+
+	if c.closed {
+		return 0, io.ErrClosedPipe
+	}
+	return c.w.Write(p)
+}
@@ -2,30 +2,96 @@ package cli_test

 import (
 	"context"
+	"os"
+	"path/filepath"
+	"runtime"
+	"strings"
 	"testing"

+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/testutil"
 )

 func TestWorkspaceAgent(t *testing.T) {
 	t.Parallel()
+
+	t.Run("LogDirectory", func(t *testing.T) {
+		t.Parallel()
+
+		authToken := uuid.NewString()
+		client := coderdtest.New(t, &coderdtest.Options{
+			IncludeProvisionerDaemon: true,
+		})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionApply: []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: []*proto.Resource{{
+							Name: "somename",
+							Type: "someinstance",
+							Agents: []*proto.Agent{{
+								Id:   uuid.NewString(),
+								Name: "someagent",
+								Auth: &proto.Agent_Token{
+									Token: authToken,
+								},
+							}},
+						}},
+					},
+				},
+			}},
+		})
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		logDir := t.TempDir()
+		cmd, _ := clitest.New(t,
+			"agent",
+			"--auth", "token",
+			"--agent-token", authToken,
+			"--agent-url", client.URL.String(),
+			"--log-dir", logDir,
+		)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitMedium)
+		defer cancel()
+		errC := make(chan error, 1)
+		go func() {
+			errC <- cmd.ExecuteContext(ctx)
+		}()
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+
+		cancel()
+		err := <-errC
+		require.NoError(t, err)
+
+		info, err := os.Stat(filepath.Join(logDir, "coder-agent.log"))
+		require.NoError(t, err)
+		require.Greater(t, info.Size(), int64(0))
+	})
+
 	t.Run("Azure", func(t *testing.T) {
 		t.Parallel()
 		instanceID := "instanceidentifier"
 		certificates, metadataClient := coderdtest.NewAzureInstanceIdentity(t, instanceID)
 		client := coderdtest.New(t, &coderdtest.Options{
-			AzureCertificates:   certificates,
-			IncludeProvisionerD: true,
+			AzureCertificates:        certificates,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			Provision: []*proto.Provision_Response{{
+			ProvisionApply: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{
 						Resources: []*proto.Resource{{
@@ -46,7 +112,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)

-		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
+		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
 		errC := make(chan error)
@@ -56,14 +122,17 @@ func TestWorkspaceAgent(t *testing.T) {
 			ctx := context.WithValue(ctx, "azure-client", metadataClient)
 			errC <- cmd.ExecuteContext(ctx)
 		}()
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
 		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, workspace.LatestBuild.Resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
 		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
+		require.True(t, dialer.AwaitReachable(context.Background()))
 		cancelFunc()
 		err = <-errC
 		require.NoError(t, err)
@@ -74,13 +143,13 @@ func TestWorkspaceAgent(t *testing.T) {
 		instanceID := "instanceidentifier"
 		certificates, metadataClient := coderdtest.NewAWSInstanceIdentity(t, instanceID)
 		client := coderdtest.New(t, &coderdtest.Options{
-			AWSCertificates:     certificates,
-			IncludeProvisionerD: true,
+			AWSCertificates:          certificates,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			Provision: []*proto.Provision_Response{{
+			ProvisionApply: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{
 						Resources: []*proto.Resource{{
@@ -101,7 +170,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)

-		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
+		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
 		errC := make(chan error)
@@ -111,14 +180,17 @@ func TestWorkspaceAgent(t *testing.T) {
 			ctx := context.WithValue(ctx, "aws-client", metadataClient)
 			errC <- cmd.ExecuteContext(ctx)
 		}()
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
 		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
 		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
+		require.True(t, dialer.AwaitReachable(context.Background()))
 		cancelFunc()
 		err = <-errC
 		require.NoError(t, err)
@@ -129,13 +201,13 @@ func TestWorkspaceAgent(t *testing.T) {
 		instanceID := "instanceidentifier"
 		validator, metadata := coderdtest.NewGoogleInstanceIdentity(t, instanceID, false)
 		client := coderdtest.New(t, &coderdtest.Options{
-			GoogleTokenValidator: validator,
-			IncludeProvisionerD:  true,
+			GoogleTokenValidator:     validator,
+			IncludeProvisionerDaemon: true,
 		})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: echo.ParseComplete,
-			Provision: []*proto.Provision_Response{{
+			ProvisionApply: []*proto.Provision_Response{{
 				Type: &proto.Provision_Response_Complete{
 					Complete: &proto.Provision_Complete{
 						Resources: []*proto.Resource{{
@@ -156,7 +228,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)

-		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
+		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
 		errC := make(chan error)
@@ -166,14 +238,33 @@ func TestWorkspaceAgent(t *testing.T) {
 			ctx := context.WithValue(ctx, "gcp-client", metadata)
 			errC <- cmd.ExecuteContext(ctx)
 		}()
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(ctx, workspace.LatestBuild.ID)
+		coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+		workspace, err := client.Workspace(ctx, workspace.ID)
 		require.NoError(t, err)
+		resources := workspace.LatestBuild.Resources
+		if assert.NotEmpty(t, resources) && assert.NotEmpty(t, resources[0].Agents) {
+			assert.NotEmpty(t, resources[0].Agents[0].Version)
+		}
 		dialer, err := client.DialWorkspaceAgent(ctx, resources[0].Agents[0].ID, nil)
 		require.NoError(t, err)
 		defer dialer.Close()
-		_, err = dialer.Ping()
+		require.True(t, dialer.AwaitReachable(context.Background()))
+		sshClient, err := dialer.SSHClient(ctx)
 		require.NoError(t, err)
+		defer sshClient.Close()
+		session, err := sshClient.NewSession()
+		require.NoError(t, err)
+		defer session.Close()
+		key := "CODER_AGENT_TOKEN"
+		command := "sh -c 'echo $" + key + "'"
+		if runtime.GOOS == "windows" {
+			command = "cmd.exe /c echo %" + key + "%"
+		}
+		token, err := session.CombinedOutput(command)
+		require.NoError(t, err)
+		_, err = uuid.Parse(strings.TrimSpace(string(token)))
+		require.NoError(t, err)
+
 		cancelFunc()
 		err = <-errC
 		require.NoError(t, err)
@@ -1,38 +0,0 @@
-//go:build !windows
-
-package cli
-
-import (
-	"context"
-	"os"
-	"os/signal"
-	"syscall"
-
-	"cdr.dev/slog"
-)
-
-func agentStartPPROFOnUSR1(ctx context.Context, logger slog.Logger, pprofAddress string) (srvClose func()) {
-	ctx, cancel := context.WithCancel(ctx)
-
-	usr1 := make(chan os.Signal, 1)
-	signal.Notify(usr1, syscall.SIGUSR1)
-	go func() {
-		defer close(usr1)
-		defer signal.Stop(usr1)
-
-		select {
-		case <-usr1:
-			signal.Stop(usr1)
-			srvClose := serveHandler(ctx, logger, nil, pprofAddress, "pprof")
-			defer srvClose()
-		case <-ctx.Done():
-			return
-		}
-		<-ctx.Done() // Prevent defer close until done.
-	}()
-
-	return func() {
-		cancel()
-		<-usr1 // Wait until usr1 is closed, ensures srvClose was run.
-	}
-}
@@ -1,12 +0,0 @@
-package cli
-
-import (
-	"context"
-
-	"cdr.dev/slog"
-)
-
-// agentStartPPROFOnUSR1 is no-op on Windows (no SIGUSR1 signal).
-func agentStartPPROFOnUSR1(ctx context.Context, logger slog.Logger, pprofAddress string) (srvClose func()) {
-	return func() {}
-}
@@ -6,8 +6,7 @@
 //
 // Will produce the following usage docs:
 //
-//   -a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
-//
+//	-a, --address string              The address to serve the API and dashboard (uses $CODER_ADDRESS). (default "127.0.0.1:3000")
 package cliflag

 import (
@@ -17,9 +16,35 @@ import (
 	"strings"
 	"time"

+	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
+
+	"github.com/coder/coder/cli/cliui"
 )

+// IsSetBool returns the value of the boolean flag if it is set.
+// It returns false if the flag isn't set or if any error occurs attempting
+// to parse the value of the flag.
+func IsSetBool(cmd *cobra.Command, name string) bool {
+	val, ok := IsSet(cmd, name)
+	if !ok {
+		return false
+	}
+
+	b, err := strconv.ParseBool(val)
+	return err == nil && b
+}
+
+// IsSet returns the string value of the flag and whether it was set.
+func IsSet(cmd *cobra.Command, name string) (string, bool) {
+	flag := cmd.Flag(name)
+	if flag == nil {
+		return "", false
+	}
+
+	return flag.Value.String(), flag.Changed
+}
+
 // String sets a string flag on the given flag set.
 func String(flagset *pflag.FlagSet, name, shorthand, env, def, usage string) {
 	v, ok := os.LookupEnv(env)
@@ -38,6 +63,18 @@ func StringVarP(flagset *pflag.FlagSet, p *string, name string, shorthand string
 	flagset.StringVarP(p, name, shorthand, v, fmtUsage(usage, env))
 }

+func StringArray(flagset *pflag.FlagSet, name, shorthand, env string, def []string, usage string) {
+	v, ok := os.LookupEnv(env)
+	if !ok || v == "" {
+		if v == "" {
+			def = []string{}
+		} else {
+			def = strings.Split(v, ",")
+		}
+	}
+	flagset.StringArrayP(name, shorthand, def, fmtUsage(usage, env))
+}
+
 func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shorthand string, env string, def []string, usage string) {
 	val, ok := os.LookupEnv(env)
 	if ok {
@@ -47,7 +84,7 @@ func StringArrayVarP(flagset *pflag.FlagSet, ptr *[]string, name string, shortha
 			def = strings.Split(val, ",")
 		}
 	}
-	flagset.StringArrayVarP(ptr, name, shorthand, def, usage)
+	flagset.StringArrayVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
 }

 // Uint8VarP sets a uint8 flag on the given flag set.
@@ -67,6 +104,39 @@ func Uint8VarP(flagset *pflag.FlagSet, ptr *uint8, name string, shorthand string
 	flagset.Uint8VarP(ptr, name, shorthand, uint8(vi64), fmtUsage(usage, env))
 }

+// IntVarP sets a uint8 flag on the given flag set.
+func IntVarP(flagset *pflag.FlagSet, ptr *int, name string, shorthand string, env string, def int, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.IntVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	vi64, err := strconv.ParseUint(val, 10, 8)
+	if err != nil {
+		flagset.IntVarP(ptr, name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.IntVarP(ptr, name, shorthand, int(vi64), fmtUsage(usage, env))
+}
+
+func Bool(flagset *pflag.FlagSet, name, shorthand, env string, def bool, usage string) {
+	val, ok := os.LookupEnv(env)
+	if !ok || val == "" {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	valb, err := strconv.ParseBool(val)
+	if err != nil {
+		flagset.BoolP(name, shorthand, def, fmtUsage(usage, env))
+		return
+	}
+
+	flagset.BoolP(name, shorthand, valb, fmtUsage(usage, env))
+}
+
 // BoolVarP sets a bool flag on the given flag set.
 func BoolVarP(flagset *pflag.FlagSet, ptr *bool, name string, shorthand string, env string, def bool, usage string) {
 	val, ok := os.LookupEnv(env)
@@ -102,9 +172,14 @@ func DurationVarP(flagset *pflag.FlagSet, ptr *time.Duration, name string, short
 }

 func fmtUsage(u string, env string) string {
-	if env == "" {
-		return fmt.Sprintf("%s.", u)
+	if env != "" {
+		// Avoid double dotting.
+		dot := "."
+		if strings.HasSuffix(u, ".") {
+			dot = ""
+		}
+		u = fmt.Sprintf("%s%s\n"+cliui.Styles.Placeholder.Render("Consumes $%s"), u, dot, env)
 	}

-	return fmt.Sprintf("%s - consumes $%s.", u, env)
+	return u
 }
@@ -14,6 +14,7 @@ import (
 )

 // Testcliflag cannot run in parallel because it uses t.Setenv.
+//
 //nolint:paralleltest
 func TestCliflag(t *testing.T) {
 	t.Run("StringDefault", func(t *testing.T) {
@@ -24,7 +25,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("StringEnvVar", func(t *testing.T) {
@@ -48,7 +49,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("StringVarPEnvVar", func(t *testing.T) {
@@ -74,7 +75,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.NotContains(t, flagset.FlagUsages(), " - consumes")
+		require.NotContains(t, flagset.FlagUsages(), "Consumes")
 	})

 	t.Run("StringArrayDefault", func(t *testing.T) {
@@ -107,7 +108,7 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, []string{}, got)
 	})

-	t.Run("IntDefault", func(t *testing.T) {
+	t.Run("UInt8Default", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		def, _ := cryptorand.Int63n(10)
@@ -117,10 +118,10 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, uint8(def), got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

-	t.Run("IntEnvVar", func(t *testing.T) {
+	t.Run("UInt8EnvVar", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.Int63n(10)
@@ -133,7 +134,7 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, uint8(envValue), got)
 	})

-	t.Run("IntFailParse", func(t *testing.T) {
+	t.Run("UInt8FailParse", func(t *testing.T) {
 		var ptr uint8
 		flagset, name, shorthand, env, usage := randomFlag()
 		envValue, _ := cryptorand.String(10)
@@ -146,6 +147,45 @@ func TestCliflag(t *testing.T) {
 		require.Equal(t, uint8(def), got)
 	})

+	t.Run("IntDefault", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, int(def), usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(def), got)
+		require.Contains(t, flagset.FlagUsages(), usage)
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
+	})
+
+	t.Run("IntEnvVar", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.Int63n(10)
+		t.Setenv(env, strconv.FormatUint(uint64(envValue), 10))
+		def, _ := cryptorand.Int()
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, def, usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(envValue), got)
+	})
+
+	t.Run("IntFailParse", func(t *testing.T) {
+		var ptr int
+		flagset, name, shorthand, env, usage := randomFlag()
+		envValue, _ := cryptorand.String(10)
+		t.Setenv(env, envValue)
+		def, _ := cryptorand.Int63n(10)
+
+		cliflag.IntVarP(flagset, &ptr, name, shorthand, env, int(def), usage)
+		got, err := flagset.GetInt(name)
+		require.NoError(t, err)
+		require.Equal(t, int(def), got)
+	})
+
 	t.Run("BoolDefault", func(t *testing.T) {
 		var ptr bool
 		flagset, name, shorthand, env, usage := randomFlag()
@@ -156,7 +196,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("BoolEnvVar", func(t *testing.T) {
@@ -195,7 +235,7 @@ func TestCliflag(t *testing.T) {
 		require.NoError(t, err)
 		require.Equal(t, def, got)
 		require.Contains(t, flagset.FlagUsages(), usage)
-		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf(" - consumes $%s", env))
+		require.Contains(t, flagset.FlagUsages(), fmt.Sprintf("Consumes $%s", env))
 	})

 	t.Run("DurationEnvVar", func(t *testing.T) {
@@ -5,8 +5,10 @@ import (
 	"bytes"
 	"errors"
 	"io"
+	"io/ioutil"
 	"os"
 	"path/filepath"
+	"strings"
 	"testing"

 	"github.com/spf13/cobra"
@@ -21,16 +23,28 @@ import (
 // New creates a CLI instance with a configuration pointed to a
 // temporary testing directory.
 func New(t *testing.T, args ...string) (*cobra.Command, config.Root) {
-	cmd := cli.Root()
+	return NewWithSubcommands(t, cli.AGPL(), args...)
+}
+
+func NewWithSubcommands(
+	t *testing.T, subcommands []*cobra.Command, args ...string,
+) (*cobra.Command, config.Root) {
+	cmd := cli.Root(subcommands)
 	dir := t.TempDir()
 	root := config.Root(dir)
 	cmd.SetArgs(append([]string{"--global-config", dir}, args...))
+
+	// We could consider using writers
+	// that log via t.Log here instead.
+	cmd.SetOut(io.Discard)
+	cmd.SetErr(io.Discard)
+
 	return cmd, root
 }

 // SetupConfig applies the URL and SessionToken of the client to the config.
 func SetupConfig(t *testing.T, client *codersdk.Client, root config.Root) {
-	err := root.Session().Write(client.SessionToken)
+	err := root.Session().Write(client.SessionToken())
 	require.NoError(t, err)
 	err = root.URL().Write(client.URL.String())
 	require.NoError(t, err)
@@ -40,6 +54,9 @@ func SetupConfig(t *testing.T, client *codersdk.Client, root config.Root) {
 // new temporary testing directory.
 func CreateTemplateVersionSource(t *testing.T, responses *echo.Responses) string {
 	directory := t.TempDir()
+	f, err := ioutil.TempFile(directory, "*.tf")
+	require.NoError(t, err)
+	_ = f.Close()
 	data, err := echo.Tar(responses)
 	require.NoError(t, err)
 	extractTar(t, data, directory)
@@ -54,11 +71,14 @@ func extractTar(t *testing.T, data []byte, directory string) {
 			break
 		}
 		require.NoError(t, err)
+		if header.Name == "." || strings.Contains(header.Name, "..") {
+			continue
+		}
 		// #nosec
 		path := filepath.Join(directory, header.Name)
 		mode := header.FileInfo().Mode()
 		if mode == 0 {
-			mode = 0600
+			mode = 0o600
 		}
 		switch header.Typeflag {
 		case tar.TypeDir:
@@ -10,16 +10,21 @@ import (
 	"time"

 	"github.com/briandowns/spinner"
+	"github.com/muesli/reflow/indent"
+	"github.com/muesli/reflow/wordwrap"
 	"golang.org/x/xerrors"

 	"github.com/coder/coder/codersdk"
 )

+var AgentStartError = xerrors.New("agent startup exited with non-zero exit status")
+
 type AgentOptions struct {
 	WorkspaceName string
 	Fetch         func(context.Context) (codersdk.WorkspaceAgent, error)
 	FetchInterval time.Duration
 	WarnInterval  time.Duration
+	NoWait        bool // If true, don't wait for the agent to be ready.
 }

 // Agent displays a spinning indicator that waits for a workspace agent to connect.
@@ -35,73 +40,202 @@ func Agent(ctx context.Context, writer io.Writer, opts AgentOptions) error {
 	if err != nil {
 		return xerrors.Errorf("fetch: %w", err)
 	}
-	if agent.Status == codersdk.WorkspaceAgentConnected {
+
+	// Fast path if the agent is ready (avoid showing connecting prompt).
+	// We don't take the fast path for opts.NoWait yet because we want to
+	// show the message.
+	if agent.Status == codersdk.WorkspaceAgentConnected &&
+		(agent.LoginBeforeReady || agent.LifecycleState == codersdk.WorkspaceAgentLifecycleReady) {
 		return nil
 	}
-	if agent.Status == codersdk.WorkspaceAgentDisconnected {
-		opts.WarnInterval = 0
-	}
+
+	ctx, cancel := signal.NotifyContext(ctx, os.Interrupt)
+	defer cancel()
+
 	spin := spinner.New(spinner.CharSets[78], 100*time.Millisecond, spinner.WithColor("fgHiGreen"))
 	spin.Writer = writer
 	spin.ForceOutput = true
-	spin.Suffix = " Waiting for connection from " + Styles.Field.Render(agent.Name) + "..."
-	spin.Start()
-	defer spin.Stop()
+	spin.Suffix = waitingMessage(agent, opts).Spin

-	ctx, cancelFunc := context.WithCancel(ctx)
-	defer cancelFunc()
-	stopSpin := make(chan os.Signal, 1)
-	signal.Notify(stopSpin, os.Interrupt)
-	defer signal.Stop(stopSpin)
-	go func() {
-		select {
-		case <-ctx.Done():
-			return
-		case <-stopSpin:
-		}
-		signal.Stop(stopSpin)
-		spin.Stop()
-		// nolint:revive
-		os.Exit(1)
-	}()
-
-	ticker := time.NewTicker(opts.FetchInterval)
-	defer ticker.Stop()
-	timer := time.NewTimer(opts.WarnInterval)
-	defer timer.Stop()
-	go func() {
-		select {
-		case <-ctx.Done():
-			return
-		case <-timer.C:
-		}
+	waitMessage := &message{}
+	showMessage := func() {
 		resourceMutex.Lock()
 		defer resourceMutex.Unlock()
-		message := "Don't panic, your workspace is booting up!"
-		if agent.Status == codersdk.WorkspaceAgentDisconnected {
-			message = "The workspace agent lost connection! Wait for it to reconnect or run: " + Styles.Code.Render("coder rebuild "+opts.WorkspaceName)
+
+		m := waitingMessage(agent, opts)
+		if m.Prompt == waitMessage.Prompt {
+			return
+		}
+		moveUp := ""
+		if waitMessage.Prompt != "" {
+			// If this is an update, move a line up
+			// to keep it tidy and aligned.
+			moveUp = "\033[1A"
+		}
+		waitMessage = m
+
+		// Stop the spinner while we write our message.
+		spin.Stop()
+		spin.Suffix = waitMessage.Spin
+		// Clear the line and (if necessary) move up a line to write our message.
+		_, _ = fmt.Fprintf(writer, "\033[2K%s\n%s\n", moveUp, waitMessage.Prompt)
+		select {
+		case <-ctx.Done():
+		default:
+			// Safe to resume operation.
+			if spin.Suffix != "" {
+				spin.Start()
+			}
+		}
+	}
+
+	// Fast path for showing the error message even when using no wait,
+	// we do this just before starting the spinner to avoid needless
+	// spinning.
+	if agent.Status == codersdk.WorkspaceAgentConnected &&
+		!agent.LoginBeforeReady && opts.NoWait {
+		showMessage()
+		return nil
+	}
+
+	// Start spinning after fast paths are handled.
+	if spin.Suffix != "" {
+		spin.Start()
+	}
+	defer spin.Stop()
+
+	warnAfter := time.NewTimer(opts.WarnInterval)
+	defer warnAfter.Stop()
+	warningShown := make(chan struct{})
+	go func() {
+		select {
+		case <-ctx.Done():
+			close(warningShown)
+		case <-warnAfter.C:
+			close(warningShown)
+			showMessage()
 		}
-		// This saves the cursor position, then defers clearing from the cursor
-		// position to the end of the screen.
-		_, _ = fmt.Fprintf(writer, "\033[s\r\033[2K%s\n\n", Styles.Paragraph.Render(Styles.Prompt.String()+message))
-		defer fmt.Fprintf(writer, "\033[u\033[J")
 	}()
+
+	fetchInterval := time.NewTicker(opts.FetchInterval)
+	defer fetchInterval.Stop()
 	for {
 		select {
 		case <-ctx.Done():
 			return ctx.Err()
-		case <-ticker.C:
+		case <-fetchInterval.C:
 		}
 		resourceMutex.Lock()
 		agent, err = opts.Fetch(ctx)
 		if err != nil {
+			resourceMutex.Unlock()
 			return xerrors.Errorf("fetch: %w", err)
 		}
-		if agent.Status != codersdk.WorkspaceAgentConnected {
-			resourceMutex.Unlock()
-			continue
-		}
 		resourceMutex.Unlock()
-		return nil
+		switch agent.Status {
+		case codersdk.WorkspaceAgentConnected:
+			// NOTE(mafredri): Once we have access to the workspace agent's
+			// startup script logs, we can show them here.
+			// https://github.com/coder/coder/issues/2957
+			if !agent.LoginBeforeReady && !opts.NoWait {
+				switch agent.LifecycleState {
+				case codersdk.WorkspaceAgentLifecycleReady:
+					return nil
+				case codersdk.WorkspaceAgentLifecycleStartTimeout:
+					showMessage()
+				case codersdk.WorkspaceAgentLifecycleStartError:
+					showMessage()
+					return AgentStartError
+				default:
+					select {
+					case <-warningShown:
+						showMessage()
+					default:
+						// This state is normal, we don't want
+						// to show a message prematurely.
+					}
+				}
+				continue
+			}
+			return nil
+		case codersdk.WorkspaceAgentTimeout, codersdk.WorkspaceAgentDisconnected:
+			showMessage()
+		}
 	}
 }
+
+type message struct {
+	Spin         string
+	Prompt       string
+	Troubleshoot bool
+}
+
+func waitingMessage(agent codersdk.WorkspaceAgent, opts AgentOptions) (m *message) {
+	m = &message{
+		Spin:   fmt.Sprintf("Waiting for connection from %s...", Styles.Field.Render(agent.Name)),
+		Prompt: "Don't panic, your workspace is booting up!",
+	}
+	defer func() {
+		if agent.Status == codersdk.WorkspaceAgentConnected && opts.NoWait {
+			m.Spin = ""
+		}
+		if m.Spin != "" {
+			m.Spin = " " + m.Spin
+		}
+
+		// We don't want to wrap the troubleshooting URL, so we'll handle word
+		// wrapping ourselves (vs using lipgloss).
+		w := wordwrap.NewWriter(Styles.Paragraph.GetWidth() - Styles.Paragraph.GetMarginLeft()*2)
+		w.Breakpoints = []rune{' ', '\n'}
+
+		_, _ = fmt.Fprint(w, m.Prompt)
+		if m.Troubleshoot {
+			if agent.TroubleshootingURL != "" {
+				_, _ = fmt.Fprintf(w, " See troubleshooting instructions at:\n%s", agent.TroubleshootingURL)
+			} else {
+				_, _ = fmt.Fprint(w, " Wait for it to (re)connect or restart your workspace.")
+			}
+		}
+		_, _ = fmt.Fprint(w, "\n")
+
+		// We want to prefix the prompt with a caret, but we want text on the
+		// following lines to align with the text on the first line (i.e. added
+		// spacing).
+		ind := " " + Styles.Prompt.String()
+		iw := indent.NewWriter(1, func(w io.Writer) {
+			_, _ = w.Write([]byte(ind))
+			ind = "   " // Set indentation to space after initial prompt.
+		})
+		_, _ = fmt.Fprint(iw, w.String())
+		m.Prompt = iw.String()
+	}()
+
+	switch agent.Status {
+	case codersdk.WorkspaceAgentTimeout:
+		m.Prompt = "The workspace agent is having trouble connecting."
+	case codersdk.WorkspaceAgentDisconnected:
+		m.Prompt = "The workspace agent lost connection!"
+	case codersdk.WorkspaceAgentConnected:
+		m.Spin = fmt.Sprintf("Waiting for %s to become ready...", Styles.Field.Render(agent.Name))
+		m.Prompt = "Don't panic, your workspace agent has connected and the workspace is getting ready!"
+		if opts.NoWait {
+			m.Prompt = "Your workspace is still getting ready, it may be in an incomplete state."
+		}
+
+		switch agent.LifecycleState {
+		case codersdk.WorkspaceAgentLifecycleStartTimeout:
+			m.Prompt = "The workspace is taking longer than expected to get ready, the agent startup script is still executing."
+		case codersdk.WorkspaceAgentLifecycleStartError:
+			m.Spin = ""
+			m.Prompt = "The workspace ran into a problem while getting ready, the agent startup script exited with non-zero status."
+		default:
+			// Not a failure state, no troubleshooting necessary.
+			return m
+		}
+	default:
+		// Not a failure state, no troubleshooting necessary.
+		return m
+	}
+	m.Troubleshoot = true
+	return m
+}
@@ -7,24 +7,31 @@ import (

 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 	"go.uber.org/atomic"

 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestAgent(t *testing.T) {
 	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
 	var disconnected atomic.Bool
 	ptty := ptytest.New(t)
 	cmd := &cobra.Command{
-		RunE: func(cmd *cobra.Command, args []string) error {
+		RunE: func(cmd *cobra.Command, _ []string) error {
 			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
 				WorkspaceName: "example",
-				Fetch: func(ctx context.Context) (codersdk.WorkspaceAgent, error) {
+				Fetch: func(_ context.Context) (codersdk.WorkspaceAgent, error) {
 					agent := codersdk.WorkspaceAgent{
-						Status: codersdk.WorkspaceAgentDisconnected,
+						Status:           codersdk.WorkspaceAgentDisconnected,
+						LoginBeforeReady: true,
 					}
 					if disconnected.Load() {
 						agent.Status = codersdk.WorkspaceAgentConnected
@@ -45,7 +52,305 @@ func TestAgent(t *testing.T) {
 		err := cmd.Execute()
 		assert.NoError(t, err)
 	}()
-	ptty.ExpectMatch("lost connection")
+	ptty.ExpectMatchContext(ctx, "lost connection")
 	disconnected.Store(true)
 	<-done
 }
+
+func TestAgent_TimeoutWithTroubleshootingURL(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
+	wantURL := "https://coder.com/troubleshoot"
+
+	var connected, timeout atomic.Bool
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(_ context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status:             codersdk.WorkspaceAgentConnecting,
+						TroubleshootingURL: wantURL,
+						LoginBeforeReady:   true,
+					}
+					switch {
+					case !connected.Load() && timeout.Load():
+						agent.Status = codersdk.WorkspaceAgentTimeout
+					case connected.Load():
+						agent.Status = codersdk.WorkspaceAgentConnected
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  5 * time.Millisecond,
+			})
+			return err
+		},
+	}
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan error, 1)
+	go func() {
+		done <- cmd.ExecuteContext(ctx)
+	}()
+	ptty.ExpectMatchContext(ctx, "Don't panic, your workspace is booting")
+	timeout.Store(true)
+	ptty.ExpectMatchContext(ctx, wantURL)
+	connected.Store(true)
+	require.NoError(t, <-done)
+}
+
+func TestAgent_StartupTimeout(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
+	wantURL := "https://coder.com/this-is-a-really-long-troubleshooting-url-that-should-not-wrap"
+
+	var status, state atomic.String
+	setStatus := func(s codersdk.WorkspaceAgentStatus) { status.Store(string(s)) }
+	setState := func(s codersdk.WorkspaceAgentLifecycle) { state.Store(string(s)) }
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(_ context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status:             codersdk.WorkspaceAgentConnecting,
+						LoginBeforeReady:   false,
+						LifecycleState:     codersdk.WorkspaceAgentLifecycleCreated,
+						TroubleshootingURL: wantURL,
+					}
+
+					if s := status.Load(); s != "" {
+						agent.Status = codersdk.WorkspaceAgentStatus(s)
+					}
+					if s := state.Load(); s != "" {
+						agent.LifecycleState = codersdk.WorkspaceAgentLifecycle(s)
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  time.Millisecond,
+				NoWait:        false,
+			})
+			return err
+		},
+	}
+
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan error, 1)
+	go func() {
+		done <- cmd.ExecuteContext(ctx)
+	}()
+	setStatus(codersdk.WorkspaceAgentConnecting)
+	ptty.ExpectMatchContext(ctx, "Don't panic, your workspace is booting")
+	setStatus(codersdk.WorkspaceAgentConnected)
+	setState(codersdk.WorkspaceAgentLifecycleStarting)
+	ptty.ExpectMatchContext(ctx, "workspace is getting ready")
+	setState(codersdk.WorkspaceAgentLifecycleStartTimeout)
+	ptty.ExpectMatchContext(ctx, "is taking longer")
+	ptty.ExpectMatchContext(ctx, wantURL)
+	setState(codersdk.WorkspaceAgentLifecycleReady)
+	require.NoError(t, <-done)
+}
+
+func TestAgent_StartErrorExit(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
+	wantURL := "https://coder.com/this-is-a-really-long-troubleshooting-url-that-should-not-wrap"
+
+	var status, state atomic.String
+	setStatus := func(s codersdk.WorkspaceAgentStatus) { status.Store(string(s)) }
+	setState := func(s codersdk.WorkspaceAgentLifecycle) { state.Store(string(s)) }
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(_ context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status:             codersdk.WorkspaceAgentConnecting,
+						LoginBeforeReady:   false,
+						LifecycleState:     codersdk.WorkspaceAgentLifecycleCreated,
+						TroubleshootingURL: wantURL,
+					}
+
+					if s := status.Load(); s != "" {
+						agent.Status = codersdk.WorkspaceAgentStatus(s)
+					}
+					if s := state.Load(); s != "" {
+						agent.LifecycleState = codersdk.WorkspaceAgentLifecycle(s)
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  60 * time.Second,
+				NoWait:        false,
+			})
+			return err
+		},
+	}
+
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan error, 1)
+	go func() {
+		done <- cmd.ExecuteContext(ctx)
+	}()
+	setStatus(codersdk.WorkspaceAgentConnected)
+	setState(codersdk.WorkspaceAgentLifecycleStarting)
+	ptty.ExpectMatchContext(ctx, "to become ready...")
+	setState(codersdk.WorkspaceAgentLifecycleStartError)
+	ptty.ExpectMatchContext(ctx, "ran into a problem")
+	err := <-done
+	require.ErrorIs(t, err, cliui.AgentStartError, "lifecycle start_error should exit with error")
+}
+
+func TestAgent_NoWait(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
+	wantURL := "https://coder.com/this-is-a-really-long-troubleshooting-url-that-should-not-wrap"
+
+	var status, state atomic.String
+	setStatus := func(s codersdk.WorkspaceAgentStatus) { status.Store(string(s)) }
+	setState := func(s codersdk.WorkspaceAgentLifecycle) { state.Store(string(s)) }
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(_ context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status:             codersdk.WorkspaceAgentConnecting,
+						LoginBeforeReady:   false,
+						LifecycleState:     codersdk.WorkspaceAgentLifecycleCreated,
+						TroubleshootingURL: wantURL,
+					}
+
+					if s := status.Load(); s != "" {
+						agent.Status = codersdk.WorkspaceAgentStatus(s)
+					}
+					if s := state.Load(); s != "" {
+						agent.LifecycleState = codersdk.WorkspaceAgentLifecycle(s)
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  time.Second,
+				NoWait:        true,
+			})
+			return err
+		},
+	}
+
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan error, 1)
+	go func() {
+		done <- cmd.ExecuteContext(ctx)
+	}()
+	setStatus(codersdk.WorkspaceAgentConnecting)
+	ptty.ExpectMatchContext(ctx, "Don't panic, your workspace is booting")
+
+	setStatus(codersdk.WorkspaceAgentConnected)
+	require.NoError(t, <-done, "created - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleStarting)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "starting - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleStartTimeout)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "start timeout - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleStartError)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "start error - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleReady)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "ready - should exit early")
+}
+
+func TestAgent_LoginBeforeReadyEnabled(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
+	wantURL := "https://coder.com/this-is-a-really-long-troubleshooting-url-that-should-not-wrap"
+
+	var status, state atomic.String
+	setStatus := func(s codersdk.WorkspaceAgentStatus) { status.Store(string(s)) }
+	setState := func(s codersdk.WorkspaceAgentLifecycle) { state.Store(string(s)) }
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			err := cliui.Agent(cmd.Context(), cmd.OutOrStdout(), cliui.AgentOptions{
+				WorkspaceName: "example",
+				Fetch: func(_ context.Context) (codersdk.WorkspaceAgent, error) {
+					agent := codersdk.WorkspaceAgent{
+						Status:             codersdk.WorkspaceAgentConnecting,
+						LoginBeforeReady:   true,
+						LifecycleState:     codersdk.WorkspaceAgentLifecycleCreated,
+						TroubleshootingURL: wantURL,
+					}
+
+					if s := status.Load(); s != "" {
+						agent.Status = codersdk.WorkspaceAgentStatus(s)
+					}
+					if s := state.Load(); s != "" {
+						agent.LifecycleState = codersdk.WorkspaceAgentLifecycle(s)
+					}
+					return agent, nil
+				},
+				FetchInterval: time.Millisecond,
+				WarnInterval:  time.Second,
+				NoWait:        false,
+			})
+			return err
+		},
+	}
+
+	ptty := ptytest.New(t)
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan error, 1)
+	go func() {
+		done <- cmd.ExecuteContext(ctx)
+	}()
+	setStatus(codersdk.WorkspaceAgentConnecting)
+	ptty.ExpectMatchContext(ctx, "Don't panic, your workspace is booting")
+
+	setStatus(codersdk.WorkspaceAgentConnected)
+	require.NoError(t, <-done, "created - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleStarting)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "starting - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleStartTimeout)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "start timeout - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleStartError)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "start error - should exit early")
+
+	setState(codersdk.WorkspaceAgentLifecycleReady)
+	go func() { done <- cmd.ExecuteContext(ctx) }()
+	require.NoError(t, <-done, "ready - should exit early")
+}
@@ -26,6 +26,7 @@ var Styles = struct {
 	Checkmark,
 	Code,
 	Crossmark,
+	DateTimeStamp,
 	Error,
 	Field,
 	Keyword,
@@ -33,7 +34,7 @@ var Styles = struct {
 	Placeholder,
 	Prompt,
 	FocusedPrompt,
-	Fuschia,
+	Fuchsia,
 	Logo,
 	Warn,
 	Wrap lipgloss.Style
@@ -42,14 +43,15 @@ var Styles = struct {
 	Checkmark:     defaultStyles.Checkmark,
 	Code:          defaultStyles.Code,
 	Crossmark:     defaultStyles.Error.Copy().SetString("✘"),
+	DateTimeStamp: defaultStyles.LabelDim,
 	Error:         defaultStyles.Error,
 	Field:         defaultStyles.Code.Copy().Foreground(lipgloss.AdaptiveColor{Light: "#000000", Dark: "#FFFFFF"}),
 	Keyword:       defaultStyles.Keyword,
 	Paragraph:     defaultStyles.Paragraph,
-	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.Color("240")),
+	Placeholder:   lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#585858", Dark: "#4d46b3"}),
 	Prompt:        defaultStyles.Prompt.Foreground(lipgloss.AdaptiveColor{Light: "#9B9B9B", Dark: "#5C5C5C"}),
 	FocusedPrompt: defaultStyles.FocusedPrompt.Foreground(lipgloss.Color("#651fff")),
-	Fuschia:       defaultStyles.SelectedMenuItem.Copy(),
+	Fuchsia:       defaultStyles.SelectedMenuItem.Copy(),
 	Logo:          defaultStyles.Logo.SetString("Coder"),
 	Warn:          lipgloss.NewStyle().Foreground(lipgloss.AdaptiveColor{Light: "#04B575", Dark: "#ECFD65"}),
 	Wrap:          lipgloss.NewStyle().Width(80),
@@ -0,0 +1,72 @@
+package cliui
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"time"
+
+	"github.com/briandowns/spinner"
+
+	"github.com/coder/coder/codersdk"
+)
+
+type GitAuthOptions struct {
+	Fetch         func(context.Context) ([]codersdk.TemplateVersionGitAuth, error)
+	FetchInterval time.Duration
+}
+
+func GitAuth(ctx context.Context, writer io.Writer, opts GitAuthOptions) error {
+	if opts.FetchInterval == 0 {
+		opts.FetchInterval = 500 * time.Millisecond
+	}
+	gitAuth, err := opts.Fetch(ctx)
+	if err != nil {
+		return err
+	}
+
+	spin := spinner.New(spinner.CharSets[78], 100*time.Millisecond, spinner.WithColor("fgHiGreen"))
+	spin.Writer = writer
+	spin.ForceOutput = true
+	spin.Suffix = " Waiting for Git authentication..."
+	defer spin.Stop()
+
+	ticker := time.NewTicker(opts.FetchInterval)
+	defer ticker.Stop()
+	for _, auth := range gitAuth {
+		if auth.Authenticated {
+			return nil
+		}
+
+		_, _ = fmt.Fprintf(writer, "You must authenticate with %s to create a workspace with this template. Visit:\n\n\t%s\n\n", auth.Type.Pretty(), auth.AuthenticateURL)
+
+		ticker.Reset(opts.FetchInterval)
+		spin.Start()
+		for {
+			select {
+			case <-ctx.Done():
+				return ctx.Err()
+			case <-ticker.C:
+			}
+			gitAuth, err := opts.Fetch(ctx)
+			if err != nil {
+				return err
+			}
+			var authed bool
+			for _, a := range gitAuth {
+				if !a.Authenticated || a.ID != auth.ID {
+					continue
+				}
+				authed = true
+				break
+			}
+			// The user authenticated with the provider!
+			if authed {
+				break
+			}
+		}
+		spin.Stop()
+		_, _ = fmt.Fprintf(writer, "Successfully authenticated with %s!\n\n", auth.Type.Pretty())
+	}
+	return nil
+}
@@ -0,0 +1,55 @@
+package cliui_test
+
+import (
+	"context"
+	"net/url"
+	"sync/atomic"
+	"testing"
+	"time"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/assert"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
+)
+
+func TestGitAuth(t *testing.T) {
+	t.Parallel()
+
+	ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+	defer cancel()
+
+	ptty := ptytest.New(t)
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			var fetched atomic.Bool
+			return cliui.GitAuth(cmd.Context(), cmd.OutOrStdout(), cliui.GitAuthOptions{
+				Fetch: func(ctx context.Context) ([]codersdk.TemplateVersionGitAuth, error) {
+					defer fetched.Store(true)
+					return []codersdk.TemplateVersionGitAuth{{
+						ID:              "github",
+						Type:            codersdk.GitProviderGitHub,
+						Authenticated:   fetched.Load(),
+						AuthenticateURL: "https://example.com/gitauth/github?redirect=" + url.QueryEscape("/gitauth?notify"),
+					}}, nil
+				},
+				FetchInterval: time.Millisecond,
+			})
+		},
+	}
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	done := make(chan struct{})
+	go func() {
+		defer close(done)
+		err := cmd.Execute()
+		assert.NoError(t, err)
+	}()
+	ptty.ExpectMatchContext(ctx, "You must authenticate with")
+	ptty.ExpectMatchContext(ctx, "https://example.com/gitauth/github")
+	ptty.ExpectMatchContext(ctx, "Successfully authenticated with GitHub")
+	<-done
+}
@@ -0,0 +1,156 @@
+package cliui
+
+import (
+	"context"
+	"encoding/json"
+	"reflect"
+	"strings"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+)
+
+type OutputFormat interface {
+	ID() string
+	AttachFlags(cmd *cobra.Command)
+	Format(ctx context.Context, data any) (string, error)
+}
+
+type OutputFormatter struct {
+	formats  []OutputFormat
+	formatID string
+}
+
+// NewOutputFormatter creates a new OutputFormatter with the given formats. The
+// first format is the default format. At least two formats must be provided.
+func NewOutputFormatter(formats ...OutputFormat) *OutputFormatter {
+	if len(formats) < 2 {
+		panic("at least two output formats must be provided")
+	}
+
+	formatIDs := make(map[string]struct{}, len(formats))
+	for _, format := range formats {
+		if format.ID() == "" {
+			panic("output format ID must not be empty")
+		}
+		if _, ok := formatIDs[format.ID()]; ok {
+			panic("duplicate format ID: " + format.ID())
+		}
+		formatIDs[format.ID()] = struct{}{}
+	}
+
+	return &OutputFormatter{
+		formats:  formats,
+		formatID: formats[0].ID(),
+	}
+}
+
+// AttachFlags attaches the --output flag to the given command, and any
+// additional flags required by the output formatters.
+func (f *OutputFormatter) AttachFlags(cmd *cobra.Command) {
+	for _, format := range f.formats {
+		format.AttachFlags(cmd)
+	}
+
+	formatNames := make([]string, 0, len(f.formats))
+	for _, format := range f.formats {
+		formatNames = append(formatNames, format.ID())
+	}
+
+	cmd.Flags().StringVarP(&f.formatID, "output", "o", f.formats[0].ID(), "Output format. Available formats: "+strings.Join(formatNames, ", "))
+}
+
+// Format formats the given data using the format specified by the --output
+// flag. If the flag is not set, the default format is used.
+func (f *OutputFormatter) Format(ctx context.Context, data any) (string, error) {
+	for _, format := range f.formats {
+		if format.ID() == f.formatID {
+			return format.Format(ctx, data)
+		}
+	}
+
+	return "", xerrors.Errorf("unknown output format %q", f.formatID)
+}
+
+type tableFormat struct {
+	defaultColumns []string
+	allColumns     []string
+	sort           string
+
+	columns []string
+}
+
+var _ OutputFormat = &tableFormat{}
+
+// TableFormat creates a table formatter for the given output type. The output
+// type should be specified as an empty slice of the desired type.
+//
+// E.g.: TableFormat([]MyType{}, []string{"foo", "bar"})
+//
+// defaultColumns is optional and specifies the default columns to display. If
+// not specified, all columns are displayed by default.
+func TableFormat(out any, defaultColumns []string) OutputFormat {
+	v := reflect.Indirect(reflect.ValueOf(out))
+	if v.Kind() != reflect.Slice {
+		panic("DisplayTable called with a non-slice type")
+	}
+
+	// Get the list of table column headers.
+	headers, defaultSort, err := typeToTableHeaders(v.Type().Elem())
+	if err != nil {
+		panic("parse table headers: " + err.Error())
+	}
+
+	tf := &tableFormat{
+		defaultColumns: headers,
+		allColumns:     headers,
+		sort:           defaultSort,
+	}
+	if len(defaultColumns) > 0 {
+		tf.defaultColumns = defaultColumns
+	}
+
+	return tf
+}
+
+// ID implements OutputFormat.
+func (*tableFormat) ID() string {
+	return "table"
+}
+
+// AttachFlags implements OutputFormat.
+func (f *tableFormat) AttachFlags(cmd *cobra.Command) {
+	cmd.Flags().StringSliceVarP(&f.columns, "column", "c", f.defaultColumns, "Columns to display in table output. Available columns: "+strings.Join(f.allColumns, ", "))
+}
+
+// Format implements OutputFormat.
+func (f *tableFormat) Format(_ context.Context, data any) (string, error) {
+	return DisplayTable(data, f.sort, f.columns)
+}
+
+type jsonFormat struct{}
+
+var _ OutputFormat = jsonFormat{}
+
+// JSONFormat creates a JSON formatter.
+func JSONFormat() OutputFormat {
+	return jsonFormat{}
+}
+
+// ID implements OutputFormat.
+func (jsonFormat) ID() string {
+	return "json"
+}
+
+// AttachFlags implements OutputFormat.
+func (jsonFormat) AttachFlags(_ *cobra.Command) {}
+
+// Format implements OutputFormat.
+func (jsonFormat) Format(_ context.Context, data any) (string, error) {
+	outBytes, err := json.MarshalIndent(data, "", "  ")
+	if err != nil {
+		return "", xerrors.Errorf("marshal output to JSON: %w", err)
+	}
+
+	return string(outBytes), nil
+}
@@ -0,0 +1,128 @@
+package cliui_test
+
+import (
+	"context"
+	"encoding/json"
+	"sync/atomic"
+	"testing"
+
+	"github.com/spf13/cobra"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+type format struct {
+	id            string
+	attachFlagsFn func(cmd *cobra.Command)
+	formatFn      func(ctx context.Context, data any) (string, error)
+}
+
+var _ cliui.OutputFormat = &format{}
+
+func (f *format) ID() string {
+	return f.id
+}
+
+func (f *format) AttachFlags(cmd *cobra.Command) {
+	if f.attachFlagsFn != nil {
+		f.attachFlagsFn(cmd)
+	}
+}
+
+func (f *format) Format(ctx context.Context, data any) (string, error) {
+	if f.formatFn != nil {
+		return f.formatFn(ctx, data)
+	}
+
+	return "", nil
+}
+
+func Test_OutputFormatter(t *testing.T) {
+	t.Parallel()
+
+	t.Run("RequiresTwoFormatters", func(t *testing.T) {
+		t.Parallel()
+
+		require.Panics(t, func() {
+			cliui.NewOutputFormatter()
+		})
+		require.Panics(t, func() {
+			cliui.NewOutputFormatter(cliui.JSONFormat())
+		})
+	})
+
+	t.Run("NoMissingFormatID", func(t *testing.T) {
+		t.Parallel()
+
+		require.Panics(t, func() {
+			cliui.NewOutputFormatter(
+				cliui.JSONFormat(),
+				&format{id: ""},
+			)
+		})
+	})
+
+	t.Run("NoDuplicateFormats", func(t *testing.T) {
+		t.Parallel()
+
+		require.Panics(t, func() {
+			cliui.NewOutputFormatter(
+				cliui.JSONFormat(),
+				cliui.JSONFormat(),
+			)
+		})
+	})
+
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		var called int64
+		f := cliui.NewOutputFormatter(
+			cliui.JSONFormat(),
+			&format{
+				id: "foo",
+				attachFlagsFn: func(cmd *cobra.Command) {
+					cmd.Flags().StringP("foo", "f", "", "foo flag 1234")
+				},
+				formatFn: func(_ context.Context, _ any) (string, error) {
+					atomic.AddInt64(&called, 1)
+					return "foo", nil
+				},
+			},
+		)
+
+		cmd := &cobra.Command{}
+		f.AttachFlags(cmd)
+
+		selected, err := cmd.Flags().GetString("output")
+		require.NoError(t, err)
+		require.Equal(t, "json", selected)
+		usage := cmd.Flags().FlagUsages()
+		require.Contains(t, usage, "Available formats: json, foo")
+		require.Contains(t, usage, "foo flag 1234")
+
+		ctx := context.Background()
+		data := []string{"hi", "dean", "was", "here"}
+		out, err := f.Format(ctx, data)
+		require.NoError(t, err)
+
+		var got []string
+		require.NoError(t, json.Unmarshal([]byte(out), &got))
+		require.Equal(t, data, got)
+		require.EqualValues(t, 0, atomic.LoadInt64(&called))
+
+		require.NoError(t, cmd.Flags().Set("output", "foo"))
+		out, err = f.Format(ctx, data)
+		require.NoError(t, err)
+		require.Equal(t, "foo", out)
+		require.EqualValues(t, 1, atomic.LoadInt64(&called))
+
+		require.NoError(t, cmd.Flags().Set("output", "bar"))
+		out, err = f.Format(ctx, data)
+		require.Error(t, err)
+		require.ErrorContains(t, err, "bar")
+		require.Equal(t, "", out)
+		require.EqualValues(t, 1, atomic.LoadInt64(&called))
+	})
+}
@@ -47,6 +47,7 @@ func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ParameterSchem
 		value, err = Prompt(cmd, PromptOptions{
 			Text: Styles.Bold.Render(text),
 		})
+		value = strings.TrimSpace(value)
 	}
 	if err != nil {
 		return "", err
@@ -59,3 +60,59 @@ func ParameterSchema(cmd *cobra.Command, parameterSchema codersdk.ParameterSchem

 	return value, nil
 }
+
+func RichParameter(cmd *cobra.Command, templateVersionParameter codersdk.TemplateVersionParameter) (string, error) {
+	_, _ = fmt.Fprintln(cmd.OutOrStdout(), Styles.Bold.Render(templateVersionParameter.Name))
+	if templateVersionParameter.DescriptionPlaintext != "" {
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+strings.TrimSpace(strings.Join(strings.Split(templateVersionParameter.DescriptionPlaintext, "\n"), "\n  "))+"\n")
+	}
+
+	var err error
+	var value string
+	if len(templateVersionParameter.Options) > 0 {
+		// Move the cursor up a single line for nicer display!
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), "\033[1A")
+		var richParameterOption *codersdk.TemplateVersionParameterOption
+		richParameterOption, err = RichSelect(cmd, RichSelectOptions{
+			Options:    templateVersionParameter.Options,
+			Default:    templateVersionParameter.DefaultValue,
+			HideSearch: true,
+		})
+		if err == nil {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout())
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+Styles.Prompt.String()+Styles.Field.Render(richParameterOption.Name))
+			value = richParameterOption.Value
+		}
+	} else {
+		text := "Enter a value"
+		if templateVersionParameter.DefaultValue != "" {
+			text += fmt.Sprintf(" (default: %q)", templateVersionParameter.DefaultValue)
+		}
+		text += ":"
+
+		value, err = Prompt(cmd, PromptOptions{
+			Text: Styles.Bold.Render(text),
+			Validate: func(value string) error {
+				return validateRichPrompt(value, templateVersionParameter)
+			},
+		})
+		value = strings.TrimSpace(value)
+	}
+	if err != nil {
+		return "", err
+	}
+
+	// If they didn't specify anything, use the default value if set.
+	if len(templateVersionParameter.Options) == 0 && value == "" {
+		value = templateVersionParameter.DefaultValue
+	}
+
+	return value, nil
+}
+
+func validateRichPrompt(value string, p codersdk.TemplateVersionParameter) error {
+	return codersdk.ValidateWorkspaceBuildParameter(p, codersdk.WorkspaceBuildParameter{
+		Name:  p.Name,
+		Value: value,
+	}, nil)
+}
@@ -24,25 +24,41 @@ type PromptOptions struct {
 	Validate  func(string) error
 }

+const skipPromptFlag = "yes"
+
 func AllowSkipPrompt(cmd *cobra.Command) {
-	cmd.Flags().BoolP("yes", "y", false, "Bypass prompts")
+	cmd.Flags().BoolP(skipPromptFlag, "y", false, "Bypass prompts")
 }

+const (
+	ConfirmYes = "yes"
+	ConfirmNo  = "no"
+)
+
 // Prompt asks the user for input.
 func Prompt(cmd *cobra.Command, opts PromptOptions) (string, error) {
 	// If the cmd has a "yes" flag for skipping confirm prompts, honor it.
 	// If it's not a "Confirm" prompt, then don't skip. As the default value of
 	// "yes" makes no sense.
-	if opts.IsConfirm && cmd.Flags().Lookup("yes") != nil {
-		if skip, _ := cmd.Flags().GetBool("yes"); skip {
-			return "yes", nil
+	if opts.IsConfirm && cmd.Flags().Lookup(skipPromptFlag) != nil {
+		if skip, _ := cmd.Flags().GetBool(skipPromptFlag); skip {
+			return ConfirmYes, nil
 		}
 	}

 	_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.FocusedPrompt.String()+opts.Text+" ")
 	if opts.IsConfirm {
-		opts.Default = "yes"
-		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+Styles.Bold.Render("yes")+Styles.Placeholder.Render("/no) ")))
+		if len(opts.Default) == 0 {
+			opts.Default = ConfirmYes
+		}
+		renderedYes := Styles.Placeholder.Render(ConfirmYes)
+		renderedNo := Styles.Placeholder.Render(ConfirmNo)
+		if opts.Default == ConfirmYes {
+			renderedYes = Styles.Bold.Render(ConfirmYes)
+		} else {
+			renderedNo = Styles.Bold.Render(ConfirmNo)
+		}
+		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+renderedYes+Styles.Placeholder.Render("/"+renderedNo+Styles.Placeholder.Render(") "))))
 	} else if opts.Default != "" {
 		_, _ = fmt.Fprint(cmd.OutOrStdout(), Styles.Placeholder.Render("("+opts.Default+") "))
 	}
@@ -7,7 +7,6 @@ import (
 	"os"
 	"os/exec"
 	"testing"
-	"time"

 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
@@ -16,6 +15,7 @@ import (
 	"github.com/coder/coder/cli/cliui"
 	"github.com/coder/coder/pty"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestPrompt(t *testing.T) {
@@ -61,7 +61,7 @@ func TestPrompt(t *testing.T) {
 		// Copy all data written out to a buffer. When we close the ptty, we can
 		// no longer read from the ptty.Output(), but we can read what was
 		// written to the buffer.
-		dataRead, doneReading := context.WithTimeout(context.Background(), time.Second*2)
+		dataRead, doneReading := context.WithTimeout(context.Background(), testutil.WaitShort)
 		go func() {
 			// This will throw an error sometimes. The underlying ptty
 			// has its own cleanup routines in t.Cleanup. Instead of
@@ -165,9 +165,6 @@ func newPrompt(ptty *ptytest.PTY, opts cliui.PromptOptions, cmdOpt func(cmd *cob
 }

 func TestPasswordTerminalState(t *testing.T) {
-	// TODO: fix this test so that it runs reliably
-	t.Skip()
-
 	if os.Getenv("TEST_SUBPROCESS") == "1" {
 		passwordHelper()
 		return
@@ -185,27 +182,28 @@ func TestPasswordTerminalState(t *testing.T) {
 	// connect the child process's stdio to the PTY directly, not via a pipe
 	cmd.Stdin = ptty.Input().Reader
 	cmd.Stdout = ptty.Output().Writer
-	cmd.Stderr = os.Stderr
+	cmd.Stderr = ptty.Output().Writer
 	err := cmd.Start()
 	require.NoError(t, err)
 	process := cmd.Process
 	defer process.Kill()

 	ptty.ExpectMatch("Password: ")
-	time.Sleep(100 * time.Millisecond) // wait for child process to turn off echo and start reading input

-	echo, err := ptyWithFlags.EchoEnabled()
-	require.NoError(t, err)
-	require.False(t, echo, "echo is on while reading password")
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && !echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is on while reading password")

 	err = process.Signal(os.Interrupt)
 	require.NoError(t, err)
 	_, err = process.Wait()
 	require.NoError(t, err)

-	echo, err = ptyWithFlags.EchoEnabled()
-	require.NoError(t, err)
-	require.True(t, echo, "echo is off after reading password")
+	require.Eventually(t, func() bool {
+		echo, err := ptyWithFlags.EchoEnabled()
+		return err == nil && echo
+	}, testutil.WaitShort, testutil.IntervalMedium, "echo is off after reading password")
 }

 // nolint:unused
@@ -16,14 +16,14 @@ import (
 	"github.com/coder/coder/codersdk"
 )

-func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Client, build uuid.UUID, before time.Time) error {
+func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Client, build uuid.UUID) error {
 	return ProvisionerJob(ctx, writer, ProvisionerJobOptions{
 		Fetch: func() (codersdk.ProvisionerJob, error) {
 			build, err := client.WorkspaceBuild(ctx, build)
 			return build.Job, err
 		},
-		Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
-			return client.WorkspaceBuildLogsAfter(ctx, build, before)
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+			return client.WorkspaceBuildLogsAfter(ctx, build, 0)
 		},
 	})
 }
@@ -31,7 +31,7 @@ func WorkspaceBuild(ctx context.Context, writer io.Writer, client *codersdk.Clie
 type ProvisionerJobOptions struct {
 	Fetch  func() (codersdk.ProvisionerJob, error)
 	Cancel func() error
-	Logs   func() (<-chan codersdk.ProvisionerJobLog, error)
+	Logs   func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error)

 	FetchInterval time.Duration
 	// Verbose determines whether debug and trace logs will be shown.
@@ -103,7 +103,6 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp
 		}
 		updateStage("Running", *job.StartedAt)
 	}
-	updateJob()

 	if opts.Cancel != nil {
 		// Handles ctrl+c to cancel a job.
@@ -131,11 +130,13 @@ func ProvisionerJob(ctx context.Context, writer io.Writer, opts ProvisionerJobOp

 	// The initial stage needs to print after the signal handler has been registered.
 	printStage()
+	updateJob()

-	logs, err := opts.Logs()
+	logs, closer, err := opts.Logs()
 	if err != nil {
-		return xerrors.Errorf("logs: %w", err)
+		return xerrors.Errorf("begin streaming logs: %w", err)
 	}
+	defer closer.Close()

 	var (
 		// logOutput is where log output is written
@@ -2,6 +2,7 @@ package cliui_test

 import (
 	"context"
+	"io"
 	"os"
 	"runtime"
 	"sync"
@@ -136,8 +137,10 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 				Cancel: func() error {
 					return nil
 				},
-				Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
-					return logs, nil
+				Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+					return logs, closeFunc(func() error {
+						return nil
+					}), nil
 				},
 			})
 		},
@@ -164,3 +167,9 @@ func newProvisionerJob(t *testing.T) provisionerJobTest {
 		PTY:      ptty,
 	}
 }
+
+type closeFunc func() error
+
+func (c closeFunc) Close() error {
+	return c()
+}
@@ -7,6 +7,7 @@ import (
 	"strconv"

 	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/mod/semver"

 	"github.com/coder/coder/coderd/database"

@@ -18,6 +19,7 @@ type WorkspaceResourcesOptions struct {
 	HideAgentState bool
 	HideAccess     bool
 	Title          string
+	ServerVersion  string
 }

 // WorkspaceResources displays the connection status and tree-view of provided resources.
@@ -48,6 +50,7 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 	row := table.Row{"Resource"}
 	if !options.HideAgentState {
 		row = append(row, "Status")
+		row = append(row, "Version")
 	}
 	if !options.HideAccess {
 		row = append(row, "Access")
@@ -91,21 +94,12 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 			}
 			if !options.HideAgentState {
 				var agentStatus string
+				var agentVersion string
 				if !options.HideAgentState {
-					switch agent.Status {
-					case codersdk.WorkspaceAgentConnecting:
-						since := database.Now().Sub(agent.CreatedAt)
-						agentStatus = Styles.Warn.Render("⦾ connecting") + " " +
-							Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
-					case codersdk.WorkspaceAgentDisconnected:
-						since := database.Now().Sub(*agent.DisconnectedAt)
-						agentStatus = Styles.Error.Render("⦾ disconnected") + " " +
-							Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
-					case codersdk.WorkspaceAgentConnected:
-						agentStatus = Styles.Keyword.Render("⦿ connected")
-					}
+					agentStatus = renderAgentStatus(agent)
+					agentVersion = renderAgentVersion(agent.Version, options.ServerVersion)
 				}
-				row = append(row, agentStatus)
+				row = append(row, agentStatus, agentVersion)
 			}
 			if !options.HideAccess {
 				sshCommand := "coder ssh " + options.WorkspaceName
@@ -122,3 +116,41 @@ func WorkspaceResources(writer io.Writer, resources []codersdk.WorkspaceResource
 	_, err := fmt.Fprintln(writer, tableWriter.Render())
 	return err
 }
+
+func renderAgentStatus(agent codersdk.WorkspaceAgent) string {
+	switch agent.Status {
+	case codersdk.WorkspaceAgentConnecting:
+		since := database.Now().Sub(agent.CreatedAt)
+		return Styles.Warn.Render("⦾ connecting") + " " +
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+	case codersdk.WorkspaceAgentDisconnected:
+		since := database.Now().Sub(*agent.DisconnectedAt)
+		return Styles.Error.Render("⦾ disconnected") + " " +
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]")
+	case codersdk.WorkspaceAgentTimeout:
+		since := database.Now().Sub(agent.CreatedAt)
+		return fmt.Sprintf(
+			"%s %s",
+			Styles.Warn.Render("⦾ timeout"),
+			Styles.Placeholder.Render("["+strconv.Itoa(int(since.Seconds()))+"s]"),
+		)
+	case codersdk.WorkspaceAgentConnected:
+		return Styles.Keyword.Render("⦿ connected")
+	default:
+		return Styles.Warn.Render("○ unknown")
+	}
+}
+
+func renderAgentVersion(agentVersion, serverVersion string) string {
+	if agentVersion == "" {
+		agentVersion = "(unknown)"
+	}
+	if !semver.IsValid(serverVersion) || !semver.IsValid(agentVersion) {
+		return Styles.Placeholder.Render(agentVersion)
+	}
+	outdated := semver.Compare(agentVersion, serverVersion) < 0
+	if outdated {
+		return Styles.Warn.Render(agentVersion + " (outdated)")
+	}
+	return Styles.Keyword.Render(agentVersion)
+}
@@ -0,0 +1,50 @@
+package cliui
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRenderAgentVersion(t *testing.T) {
+	t.Parallel()
+	testCases := []struct {
+		name          string
+		agentVersion  string
+		serverVersion string
+		expected      string
+	}{
+		{
+			name:          "OK",
+			agentVersion:  "v1.2.3",
+			serverVersion: "v1.2.3",
+			expected:      "v1.2.3",
+		},
+		{
+			name:          "Outdated",
+			agentVersion:  "v1.2.3",
+			serverVersion: "v1.2.4",
+			expected:      "v1.2.3 (outdated)",
+		},
+		{
+			name:          "AgentUnknown",
+			agentVersion:  "",
+			serverVersion: "v1.2.4",
+			expected:      "(unknown)",
+		},
+		{
+			name:          "ServerUnknown",
+			agentVersion:  "v1.2.3",
+			serverVersion: "",
+			expected:      "v1.2.3",
+		},
+	}
+	for _, testCase := range testCases {
+		testCase := testCase
+		t.Run(testCase.name, func(t *testing.T) {
+			t.Parallel()
+			actual := renderAgentVersion(testCase.agentVersion, testCase.serverVersion)
+			assert.Equal(t, testCase.expected, actual)
+		})
+	}
+}
@@ -26,6 +26,7 @@ func TestWorkspaceResources(t *testing.T) {
 				Agents: []codersdk.WorkspaceAgent{{
 					Name:            "dev",
 					Status:          codersdk.WorkspaceAgentConnected,
+					LifecycleState:  codersdk.WorkspaceAgentLifecycleCreated,
 					Architecture:    "amd64",
 					OperatingSystem: "linux",
 				}},
@@ -60,6 +61,7 @@ func TestWorkspaceResources(t *testing.T) {
 				Agents: []codersdk.WorkspaceAgent{{
 					CreatedAt:       database.Now().Add(-10 * time.Second),
 					Status:          codersdk.WorkspaceAgentConnecting,
+					LifecycleState:  codersdk.WorkspaceAgentLifecycleCreated,
 					Name:            "dev",
 					OperatingSystem: "linux",
 					Architecture:    "amd64",
@@ -70,12 +72,14 @@ func TestWorkspaceResources(t *testing.T) {
 				Name:       "dev",
 				Agents: []codersdk.WorkspaceAgent{{
 					Status:          codersdk.WorkspaceAgentConnected,
+					LifecycleState:  codersdk.WorkspaceAgentLifecycleReady,
 					Name:            "go",
 					Architecture:    "amd64",
 					OperatingSystem: "linux",
 				}, {
 					DisconnectedAt:  &disconnected,
 					Status:          codersdk.WorkspaceAgentDisconnected,
+					LifecycleState:  codersdk.WorkspaceAgentLifecycleReady,
 					Name:            "postgres",
 					Architecture:    "amd64",
 					OperatingSystem: "linux",
@@ -9,6 +9,9 @@ import (
 	"github.com/AlecAivazis/survey/v2"
 	"github.com/AlecAivazis/survey/v2/terminal"
 	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/codersdk"
 )

 func init() {
@@ -42,6 +45,42 @@ type SelectOptions struct {
 	HideSearch bool
 }

+type RichSelectOptions struct {
+	Options    []codersdk.TemplateVersionParameterOption
+	Default    string
+	Size       int
+	HideSearch bool
+}
+
+// RichSelect displays a list of user options including name and description.
+func RichSelect(cmd *cobra.Command, richOptions RichSelectOptions) (*codersdk.TemplateVersionParameterOption, error) {
+	opts := make([]string, len(richOptions.Options))
+	for i, option := range richOptions.Options {
+		line := option.Name
+		if len(option.Description) > 0 {
+			line += ": " + option.Description
+		}
+		opts[i] = line
+	}
+
+	selected, err := Select(cmd, SelectOptions{
+		Options:    opts,
+		Default:    richOptions.Default,
+		Size:       richOptions.Size,
+		HideSearch: richOptions.HideSearch,
+	})
+	if err != nil {
+		return nil, err
+	}
+
+	for i, option := range opts {
+		if option == selected {
+			return &richOptions.Options[i], nil
+		}
+	}
+	return nil, xerrors.Errorf("unknown option selected: %s", selected)
+}
+
 // Select displays a list of user options.
 func Select(cmd *cobra.Command, opts SelectOptions) (string, error) {
 	// The survey library used *always* fails when testing on Windows,
@@ -9,6 +9,7 @@ import (
 	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty/ptytest"
 )

@@ -42,3 +43,46 @@ func newSelect(ptty *ptytest.PTY, opts cliui.SelectOptions) (string, error) {
 	cmd.SetIn(ptty.Input())
 	return value, cmd.ExecuteContext(context.Background())
 }
+
+func TestRichSelect(t *testing.T) {
+	t.Parallel()
+	t.Run("RichSelect", func(t *testing.T) {
+		t.Parallel()
+		ptty := ptytest.New(t)
+		msgChan := make(chan string)
+		go func() {
+			resp, err := newRichSelect(ptty, cliui.RichSelectOptions{
+				Options: []codersdk.TemplateVersionParameterOption{
+					{
+						Name:        "A-Name",
+						Value:       "A-Value",
+						Description: "A-Description",
+					}, {
+						Name:        "B-Name",
+						Value:       "B-Value",
+						Description: "B-Description",
+					},
+				},
+			})
+			assert.NoError(t, err)
+			msgChan <- resp
+		}()
+		require.Equal(t, "A-Value", <-msgChan)
+	})
+}
+
+func newRichSelect(ptty *ptytest.PTY, opts cliui.RichSelectOptions) (string, error) {
+	value := ""
+	cmd := &cobra.Command{
+		RunE: func(cmd *cobra.Command, args []string) error {
+			richOption, err := cliui.RichSelect(cmd, opts)
+			if err == nil {
+				value = richOption.Value
+			}
+			return err
+		},
+	}
+	cmd.SetOutput(ptty.Output())
+	cmd.SetIn(ptty.Input())
+	return value, cmd.ExecuteContext(context.Background())
+}
@@ -1,9 +1,14 @@
 package cliui

 import (
+	"fmt"
+	"reflect"
 	"strings"
+	"time"

+	"github.com/fatih/structtag"
 	"github.com/jedib0t/go-pretty/v6/table"
+	"golang.org/x/xerrors"
 )

 // Table creates a new table with standardized styles.
@@ -17,10 +22,10 @@ func Table() table.Writer {
 	return tableWriter
 }

-// FilterTableColumns returns configurations to hide columns
+// filterTableColumns returns configurations to hide columns
 // that are not provided in the array. If the array is empty,
 // no filtering will occur!
-func FilterTableColumns(header table.Row, columns []string) []table.ColumnConfig {
+func filterTableColumns(header table.Row, columns []string) []table.ColumnConfig {
 	if len(columns) == 0 {
 		return nil
 	}
@@ -41,3 +46,286 @@ func FilterTableColumns(header table.Row, columns []string) []table.ColumnConfig
 	}
 	return columnConfigs
 }
+
+// DisplayTable renders a table as a string. The input argument must be a slice
+// of structs. At least one field in the struct must have a `table:""` tag
+// containing the name of the column in the outputted table.
+//
+// If `sort` is not specified, the field with the `table:"$NAME,default_sort"`
+// tag will be used to sort. An error will be returned if no field has this tag.
+//
+// Nested structs are processed if the field has the `table:"$NAME,recursive"`
+// tag and their fields will be named as `$PARENT_NAME $NAME`. If the tag is
+// malformed or a field is marked as recursive but does not contain a struct or
+// a pointer to a struct, this function will return an error (even with an empty
+// input slice).
+//
+// If sort is empty, the input order will be used. If filterColumns is empty or
+// nil, all available columns are included.
+func DisplayTable(out any, sort string, filterColumns []string) (string, error) {
+	v := reflect.Indirect(reflect.ValueOf(out))
+
+	if v.Kind() != reflect.Slice {
+		return "", xerrors.Errorf("DisplayTable called with a non-slice type")
+	}
+
+	// Get the list of table column headers.
+	headersRaw, defaultSort, err := typeToTableHeaders(v.Type().Elem())
+	if err != nil {
+		return "", xerrors.Errorf("get table headers recursively for type %q: %w", v.Type().Elem().String(), err)
+	}
+	if len(headersRaw) == 0 {
+		return "", xerrors.New(`no table headers found on the input type, make sure there is at least one "table" struct tag`)
+	}
+	if sort == "" {
+		sort = defaultSort
+	}
+	headers := make(table.Row, len(headersRaw))
+	for i, header := range headersRaw {
+		headers[i] = header
+	}
+
+	// Verify that the given sort column and filter columns are valid.
+	if sort != "" || len(filterColumns) != 0 {
+		headersMap := make(map[string]string, len(headersRaw))
+		for _, header := range headersRaw {
+			headersMap[strings.ToLower(header)] = header
+		}
+
+		if sort != "" {
+			sort = strings.ToLower(strings.ReplaceAll(sort, "_", " "))
+			h, ok := headersMap[sort]
+			if !ok {
+				return "", xerrors.Errorf(`specified sort column %q not found in table headers, available columns are "%v"`, sort, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			sort = h
+		}
+
+		for i, column := range filterColumns {
+			column := strings.ToLower(strings.ReplaceAll(column, "_", " "))
+			h, ok := headersMap[column]
+			if !ok {
+				return "", xerrors.Errorf(`specified filter column %q not found in table headers, available columns are "%v"`, column, strings.Join(headersRaw, `", "`))
+			}
+
+			// Autocorrect
+			filterColumns[i] = h
+		}
+	}
+
+	// Verify that the given sort column is valid.
+	if sort != "" {
+		sort = strings.ReplaceAll(sort, "_", " ")
+		found := false
+		for _, header := range headersRaw {
+			if strings.EqualFold(sort, header) {
+				found = true
+				sort = header
+				break
+			}
+		}
+		if !found {
+			return "", xerrors.Errorf("specified sort column %q not found in table headers, available columns are %q", sort, strings.Join(headersRaw, `", "`))
+		}
+	}
+
+	// Setup the table formatter.
+	tw := Table()
+	tw.AppendHeader(headers)
+	tw.SetColumnConfigs(filterTableColumns(headers, filterColumns))
+	if sort != "" {
+		tw.SortBy([]table.SortBy{{
+			Name: sort,
+		}})
+	}
+
+	// Write each struct to the table.
+	for i := 0; i < v.Len(); i++ {
+		// Format the row as a slice.
+		rowMap, err := valueToTableMap(v.Index(i))
+		if err != nil {
+			return "", xerrors.Errorf("get table row map %v: %w", i, err)
+		}
+
+		rowSlice := make([]any, len(headers))
+		for i, h := range headersRaw {
+			v, ok := rowMap[h]
+			if !ok {
+				v = nil
+			}
+
+			// Special type formatting.
+			switch val := v.(type) {
+			case time.Time:
+				v = val.Format(time.RFC3339)
+			case *time.Time:
+				if val != nil {
+					v = val.Format(time.RFC3339)
+				}
+			case *int64:
+				if val != nil {
+					v = *val
+				}
+			case fmt.Stringer:
+				if val != nil {
+					v = val.String()
+				}
+			}
+
+			rowSlice[i] = v
+		}
+
+		tw.AppendRow(table.Row(rowSlice))
+	}
+
+	return tw.Render(), nil
+}
+
+// parseTableStructTag returns the name of the field according to the `table`
+// struct tag. If the table tag does not exist or is "-", an empty string is
+// returned. If the table tag is malformed, an error is returned.
+//
+// The returned name is transformed from "snake_case" to "normal text".
+func parseTableStructTag(field reflect.StructField) (name string, defaultSort, recursive bool, err error) {
+	tags, err := structtag.Parse(string(field.Tag))
+	if err != nil {
+		return "", false, false, xerrors.Errorf("parse struct field tag %q: %w", string(field.Tag), err)
+	}
+
+	tag, err := tags.Get("table")
+	if err != nil || tag.Name == "-" {
+		// tags.Get only returns an error if the tag is not found.
+		return "", false, false, nil
+	}
+
+	defaultSortOpt := false
+	recursiveOpt := false
+	for _, opt := range tag.Options {
+		switch opt {
+		case "default_sort":
+			defaultSortOpt = true
+		case "recursive":
+			recursiveOpt = true
+		default:
+			return "", false, false, xerrors.Errorf("unknown option %q in struct field tag", opt)
+		}
+	}
+
+	return strings.ReplaceAll(tag.Name, "_", " "), defaultSortOpt, recursiveOpt, nil
+}
+
+func isStructOrStructPointer(t reflect.Type) bool {
+	return t.Kind() == reflect.Struct || (t.Kind() == reflect.Pointer && t.Elem().Kind() == reflect.Struct)
+}
+
+// typeToTableHeaders converts a type to a slice of column names. If the given
+// type is invalid (not a struct or a pointer to a struct, has invalid table
+// tags, etc.), an error is returned.
+func typeToTableHeaders(t reflect.Type) ([]string, string, error) {
+	if !isStructOrStructPointer(t) {
+		return nil, "", xerrors.Errorf("typeToTableHeaders called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if t.Kind() == reflect.Pointer {
+		t = t.Elem()
+	}
+
+	headers := []string{}
+	defaultSortName := ""
+	for i := 0; i < t.NumField(); i++ {
+		field := t.Field(i)
+		name, defaultSort, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, "", xerrors.Errorf("parse struct tags for field %q in type %q: %w", field.Name, t.String(), err)
+		}
+		if name == "" {
+			continue
+		}
+		if defaultSort {
+			if defaultSortName != "" {
+				return nil, "", xerrors.Errorf("multiple fields marked as default sort in type %q", t.String())
+			}
+			defaultSortName = name
+		}
+
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, "", xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, t.String())
+			}
+
+			childNames, _, err := typeToTableHeaders(fieldType)
+			if err != nil {
+				return nil, "", xerrors.Errorf("get child field header names for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for _, childName := range childNames {
+				headers = append(headers, fmt.Sprintf("%s %s", name, childName))
+			}
+			continue
+		}
+
+		headers = append(headers, name)
+	}
+
+	if defaultSortName == "" {
+		return nil, "", xerrors.Errorf("no field marked as default_sort in type %q", t.String())
+	}
+
+	return headers, defaultSortName, nil
+}
+
+// valueToTableMap converts a struct to a map of column name to value. If the
+// given type is invalid (not a struct or a pointer to a struct, has invalid
+// table tags, etc.), an error is returned.
+func valueToTableMap(val reflect.Value) (map[string]any, error) {
+	if !isStructOrStructPointer(val.Type()) {
+		return nil, xerrors.Errorf("valueToTableMap called with a non-struct or a non-pointer-to-a-struct type")
+	}
+	if val.Kind() == reflect.Pointer {
+		if val.IsNil() {
+			// No data for this struct, so return an empty map. All values will
+			// be rendered as nil in the resulting table.
+			return map[string]any{}, nil
+		}
+
+		val = val.Elem()
+	}
+
+	row := map[string]any{}
+	for i := 0; i < val.NumField(); i++ {
+		field := val.Type().Field(i)
+		fieldVal := val.Field(i)
+		name, _, recursive, err := parseTableStructTag(field)
+		if err != nil {
+			return nil, xerrors.Errorf("parse struct tags for field %q in type %T: %w", field.Name, val, err)
+		}
+		if name == "" {
+			continue
+		}
+
+		// Recurse if it's a struct.
+		fieldType := field.Type
+		if recursive {
+			if !isStructOrStructPointer(fieldType) {
+				return nil, xerrors.Errorf("field %q in type %q is marked as recursive but does not contain a struct or a pointer to a struct", field.Name, fieldType.String())
+			}
+
+			// valueToTableMap does nothing on pointers so we don't need to
+			// filter here.
+			childMap, err := valueToTableMap(fieldVal)
+			if err != nil {
+				return nil, xerrors.Errorf("get child field values for field %q in type %q: %w", field.Name, fieldType.String(), err)
+			}
+			for childName, childValue := range childMap {
+				row[fmt.Sprintf("%s %s", name, childName)] = childValue
+			}
+			continue
+		}
+
+		// Otherwise, we just use the field value.
+		row[name] = val.Field(i).Interface()
+	}
+
+	return row, nil
+}
@@ -0,0 +1,354 @@
+package cliui_test
+
+import (
+	"fmt"
+	"log"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/cliui"
+)
+
+type stringWrapper struct {
+	str string
+}
+
+var _ fmt.Stringer = stringWrapper{}
+
+func (s stringWrapper) String() string {
+	return s.str
+}
+
+type tableTest1 struct {
+	Name        string      `table:"name,default_sort"`
+	NotIncluded string      // no table tag
+	Age         int         `table:"age"`
+	Roles       []string    `table:"roles"`
+	Sub1        tableTest2  `table:"sub_1,recursive"`
+	Sub2        *tableTest2 `table:"sub_2,recursive"`
+	Sub3        tableTest3  `table:"sub 3,recursive"`
+	Sub4        tableTest2  `table:"sub 4"` // not recursive
+
+	// Types with special formatting.
+	Time    time.Time  `table:"time"`
+	TimePtr *time.Time `table:"time_ptr"`
+}
+
+type tableTest2 struct {
+	Name        stringWrapper `table:"name,default_sort"`
+	Age         int           `table:"age"`
+	NotIncluded string        `table:"-"`
+}
+
+type tableTest3 struct {
+	NotIncluded string     // no table tag
+	Sub         tableTest2 `table:"inner,recursive,default_sort"`
+}
+
+func Test_DisplayTable(t *testing.T) {
+	t.Parallel()
+
+	someTime := time.Date(2022, 8, 2, 15, 49, 10, 0, time.UTC)
+
+	// Not sorted by name or age to test sorting.
+	in := []tableTest1{
+		{
+			Name:  "bar",
+			Age:   20,
+			Roles: []string{"a"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "bar1"},
+				Age:  21,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "bar3"},
+					Age:  23,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "bar4"},
+				Age:  24,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+		{
+			Name:  "foo",
+			Age:   10,
+			Roles: []string{"a", "b", "c"},
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "foo1"},
+				Age:  11,
+			},
+			Sub2: &tableTest2{
+				Name: stringWrapper{str: "foo2"},
+				Age:  12,
+			},
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "foo3"},
+					Age:  13,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "foo4"},
+				Age:  14,
+			},
+			Time:    someTime,
+			TimePtr: &someTime,
+		},
+		{
+			Name:  "baz",
+			Age:   30,
+			Roles: nil,
+			Sub1: tableTest2{
+				Name: stringWrapper{str: "baz1"},
+				Age:  31,
+			},
+			Sub2: nil,
+			Sub3: tableTest3{
+				Sub: tableTest2{
+					Name: stringWrapper{str: "baz3"},
+					Age:  33,
+				},
+			},
+			Sub4: tableTest2{
+				Name: stringWrapper{str: "baz4"},
+				Age:  34,
+			},
+			Time:    someTime,
+			TimePtr: nil,
+		},
+	}
+
+	// This test tests skipping fields without table tags, recursion, pointer
+	// dereferencing, and nil pointer skipping.
+	t.Run("OK", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME                  TIME PTR
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  2022-08-02T15:49:10Z  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  2022-08-02T15:49:10Z  <nil>
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  2022-08-02T15:49:10Z  2022-08-02T15:49:10Z
+		`
+
+		// Test with non-pointer values.
+		out, err := cliui.DisplayTable(in, "", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+
+		// Test with pointer values.
+		inPtr := make([]*tableTest1, len(in))
+		for i, v := range in {
+			v := v
+			inPtr[i] = &v
+		}
+		out, err = cliui.DisplayTable(inPtr, "", nil)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("CustomSort", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  AGE  ROLES    SUB 1 NAME  SUB 1 AGE  SUB 2 NAME  SUB 2 AGE  SUB 3 INNER NAME  SUB 3 INNER AGE  SUB 4       TIME                  TIME PTR
+foo    10  [a b c]  foo1               11  foo2        12         foo3                           13  {foo4 14 }  2022-08-02T15:49:10Z  2022-08-02T15:49:10Z
+bar    20  [a]      bar1               21  <nil>       <nil>      bar3                           23  {bar4 24 }  2022-08-02T15:49:10Z  <nil>
+baz    30  []       baz1               31  <nil>       <nil>      baz3                           33  {baz4 34 }  2022-08-02T15:49:10Z  <nil>
+		`
+
+		out, err := cliui.DisplayTable(in, "age", nil)
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	t.Run("Filter", func(t *testing.T) {
+		t.Parallel()
+
+		expected := `
+NAME  SUB 1 NAME  SUB 3 INNER NAME  TIME
+bar   bar1        bar3              2022-08-02T15:49:10Z
+baz   baz1        baz3              2022-08-02T15:49:10Z
+foo   foo1        foo3              2022-08-02T15:49:10Z
+		`
+
+		out, err := cliui.DisplayTable(in, "", []string{"name", "sub_1_name", "sub_3 inner name", "time"})
+		log.Println("rendered table:\n" + out)
+		require.NoError(t, err)
+		compareTables(t, expected, out)
+	})
+
+	// This test ensures that safeties against invalid use of `table` tags
+	// causes errors (even without data).
+	t.Run("Errors", func(t *testing.T) {
+		t.Parallel()
+
+		t.Run("NotSlice", func(t *testing.T) {
+			t.Parallel()
+
+			var in string
+			_, err := cliui.DisplayTable(in, "", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadSortColumn", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "bad_column_does_not_exist", nil)
+			require.Error(t, err)
+		})
+
+		t.Run("BadFilterColumns", func(t *testing.T) {
+			t.Parallel()
+
+			_, err := cliui.DisplayTable(in, "", []string{"name", "bad_column_does_not_exist"})
+			require.Error(t, err)
+		})
+
+		t.Run("Interfaces", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []any
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []any{tableTest1{}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NotStruct", func(t *testing.T) {
+			t.Parallel()
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []string
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []string{"foo", "bar", "baz"}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("NoTableTags", func(t *testing.T) {
+			t.Parallel()
+
+			type noTableTagsTest struct {
+				Field string `json:"field"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noTableTagsTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noTableTagsTest{{Field: "hi"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/NoName", func(t *testing.T) {
+			t.Parallel()
+
+			type noNameTest struct {
+				Field string `table:""`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []noNameTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []noNameTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+
+		t.Run("InvalidTag/BadSyntax", func(t *testing.T) {
+			t.Parallel()
+
+			type invalidSyntaxTest struct {
+				Field string `table:"asda,asdjada"`
+			}
+
+			t.Run("WithoutData", func(t *testing.T) {
+				t.Parallel()
+
+				var in []invalidSyntaxTest
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+
+			t.Run("WithData", func(t *testing.T) {
+				t.Parallel()
+
+				in := []invalidSyntaxTest{{Field: "test"}}
+				_, err := cliui.DisplayTable(in, "", nil)
+				require.Error(t, err)
+			})
+		})
+	})
+}
+
+// compareTables normalizes the incoming table lines
+func compareTables(t *testing.T, expected, out string) {
+	t.Helper()
+
+	expectedLines := strings.Split(strings.TrimSpace(expected), "\n")
+	gotLines := strings.Split(strings.TrimSpace(out), "\n")
+	assert.Equal(t, len(expectedLines), len(gotLines), "expected line count does not match generated line count")
+
+	// Map the expected and got lines to normalize them.
+	expectedNormalized := make([]string, len(expectedLines))
+	gotNormalized := make([]string, len(gotLines))
+	normalizeLine := func(s string) string {
+		return strings.Join(strings.Fields(strings.TrimSpace(s)), " ")
+	}
+	for i, s := range expectedLines {
+		expectedNormalized[i] = normalizeLine(s)
+	}
+	for i, s := range gotLines {
+		gotNormalized[i] = normalizeLine(s)
+	}
+
+	require.Equal(t, expectedNormalized, gotNormalized, "expected lines to match generated lines")
+}
@@ -6,6 +6,10 @@ import (
 	"path/filepath"
 )

+const (
+	FlagName = "global-config"
+)
+
 // Root represents the configuration directory.
 type Root string

@@ -13,6 +17,11 @@ func (r Root) Session() File {
 	return File(filepath.Join(string(r), "session"))
 }

+// ReplicaID is a unique identifier for the Coder server.
+func (r Root) ReplicaID() File {
+	return File(filepath.Join(string(r), "replica_id"))
+}
+
 func (r Root) URL() File {
 	return File(filepath.Join(string(r), "url"))
 }
@@ -37,6 +46,10 @@ func (r Root) PostgresPort() File {
 	return File(filepath.Join(r.PostgresPath(), "port"))
 }

+func (r Root) DeploymentConfigPath() string {
+	return filepath.Join(string(r), "server.yaml")
+}
+
 // File provides convenience methods for interacting with *os.File.
 type File string

@@ -47,7 +60,7 @@ func (f File) Delete() error {

 // Write writes the string to the file.
 func (f File) Write(s string) error {
-	return write(string(f), 0600, []byte(s))
+	return write(string(f), 0o600, []byte(s))
 }

 // Read reads the file to a string.
@@ -59,7 +72,7 @@ func (f File) Read() (string, error) {
 // open opens a file in the configuration directory,
 // creating all intermediate directories.
 func open(path string, flag int, mode os.FileMode) (*os.File, error) {
-	err := os.MkdirAll(filepath.Dir(path), 0750)
+	err := os.MkdirAll(filepath.Dir(path), 0o750)
 	if err != nil {
 		return nil, err
 	}
@@ -0,0 +1,25 @@
+# Coder Server Configuration
+
+# Automatically authenticate HTTP(s) Git requests.
+gitauth:
+# Supported: azure-devops, bitbucket, github, gitlab
+# - type: github
+#   client_id: xxxxxx
+#   client_secret: xxxxxx
+
+# Multiple providers are an Enterprise feature.
+# Contact sales@coder.com for a license.
+#
+# If multiple providers are used, a unique "id"
+# must be provided for each one.
+# - id: example
+#   type: azure-devops
+#   client_id: xxxxxxx
+#   client_secret: xxxxxxx
+# A custom regex can be used to match a specific
+# repository or organization to limit auth scope.
+#   regex: github.com/coder
+# Custom authentication and token URLs should be
+# used for self-managed Git provider deployments.
+#   auth_url: https://example.com/oauth/authorize
+#   token_url: https://example.com/oauth/token
@@ -70,7 +70,7 @@ type sshWorkspaceConfig struct {
 }

 func sshFetchWorkspaceConfigs(ctx context.Context, client *codersdk.Client) ([]sshWorkspaceConfig, error) {
-	workspaces, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
+	res, err := client.Workspaces(ctx, codersdk.WorkspaceFilter{
 		Owner: codersdk.Me,
 	})
 	if err != nil {
@@ -78,8 +78,8 @@ func sshFetchWorkspaceConfigs(ctx context.Context, client *codersdk.Client) ([]s
 	}

 	var errGroup errgroup.Group
-	workspaceConfigs := make([]sshWorkspaceConfig, len(workspaces))
-	for i, workspace := range workspaces {
+	workspaceConfigs := make([]sshWorkspaceConfig, len(res.Workspaces))
+	for i, workspace := range res.Workspaces {
 		i := i
 		workspace := workspace
 		errGroup.Go(func() error {
@@ -89,18 +89,23 @@ func sshFetchWorkspaceConfigs(ctx context.Context, client *codersdk.Client) ([]s
 			}

 			wc := sshWorkspaceConfig{Name: workspace.Name}
+			var agents []codersdk.WorkspaceAgent
 			for _, resource := range resources {
 				if resource.Transition != codersdk.WorkspaceTransitionStart {
 					continue
 				}
-				for _, agent := range resource.Agents {
-					hostname := workspace.Name
-					if len(resource.Agents) > 1 {
-						hostname += "." + agent.Name
-					}
-					wc.Hosts = append(wc.Hosts, hostname)
-				}
+				agents = append(agents, resource.Agents...)
 			}
+
+			// handle both WORKSPACE and WORKSPACE.AGENT syntax
+			if len(agents) == 1 {
+				wc.Hosts = append(wc.Hosts, workspace.Name)
+			}
+			for _, agent := range agents {
+				hostname := workspace.Name + "." + agent.Name
+				wc.Hosts = append(wc.Hosts, hostname)
+			}
+
 			workspaceConfigs[i] = wc

 			return nil
@@ -132,26 +137,26 @@ func configSSH() *cobra.Command {
 		sshConfigFile    string
 		sshConfigOpts    sshConfigOptions
 		usePreviousOpts  bool
-		coderConfigFile  string
 		dryRun           bool
 		skipProxyCommand bool
-		wireguard        bool
 	)
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "config-ssh",
-		Short:       "Populate your SSH config with Host entries for all of your workspaces",
-		Example: `
-  - You can use -o (or --ssh-option) so set SSH options to be used for all your
-    workspaces.
-
-    ` + cliui.Styles.Code.Render("$ coder config-ssh -o ForwardAgent=yes") + `
-
-  - You can use --dry-run (or -n) to see the changes that would be made.
-
-    ` + cliui.Styles.Code.Render("$ coder config-ssh --dry-run"),
-		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+		Short:       "Add an SSH Host entry for your workspaces \"ssh coder.workspace\"",
+		Example: formatExamples(
+			example{
+				Description: "You can use -o (or --ssh-option) so set SSH options to be used for all your workspaces",
+				Command:     "coder config-ssh -o ForwardAgent=yes",
+			},
+			example{
+				Description: "You can use --dry-run (or -n) to see the changes that would be made",
+				Command:     "coder config-ssh --dry-run",
+			},
+		),
+		Args: cobra.ExactArgs(0),
+		RunE: func(cmd *cobra.Command, _ []string) error {
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
@@ -164,10 +169,20 @@ func configSSH() *cobra.Command {
 				// that it's possible to capture the diff.
 				out = cmd.OutOrStderr()
 			}
-			binaryFile, err := currentBinPath(out)
+			coderBinary, err := currentBinPath(out)
 			if err != nil {
 				return err
 			}
+			escapedCoderBinary, err := sshConfigExecEscape(coderBinary)
+			if err != nil {
+				return xerrors.Errorf("escape coder binary for ssh failed: %w", err)
+			}
+
+			root := createConfig(cmd)
+			escapedGlobalConfig, err := sshConfigExecEscape(string(root))
+			if err != nil {
+				return xerrors.Errorf("escape global config for ssh failed: %w", err)
+			}

 			homedir, err := os.UserHomeDir()
 			if err != nil {
@@ -191,15 +206,11 @@ func configSSH() *cobra.Command {
 			// Parse the previous configuration only if config-ssh
 			// has been run previously.
 			var lastConfig *sshConfigOptions
-			var ok bool
-			var coderConfigRaw []byte
-			if coderConfigFile, coderConfigRaw, ok = readDeprecatedCoderConfigFile(homedir, coderConfigFile); ok {
-				// Deprecated: Remove after migration period.
-				changes = append(changes, fmt.Sprintf("Remove old auto-generated coder config file at %s", coderConfigFile))
-				// Backwards compate, restore old options.
-				c := sshConfigParseLastOptions(bytes.NewReader(coderConfigRaw))
-				lastConfig = &c
-			} else if section, ok := sshConfigGetCoderSection(configRaw); ok {
+			section, ok, err := sshConfigGetCoderSection(configRaw)
+			if err != nil {
+				return err
+			}
+			if ok {
 				c := sshConfigParseLastOptions(bytes.NewReader(section))
 				lastConfig = &c
 			}
@@ -230,6 +241,8 @@ func configSSH() *cobra.Command {
 					}
 					// Selecting "no" will use the last config.
 					sshConfigOpts = *lastConfig
+				} else {
+					changes = append(changes, "Use new SSH options")
 				}
 				// Only print when prompts are shown.
 				if yes, _ := cmd.Flags().GetBool("yes"); !yes {
@@ -239,17 +252,11 @@ func configSSH() *cobra.Command {

 			configModified := configRaw

-			// Check for the presence of the coder Include
-			// statement is present and add if missing.
-			// Deprecated: Remove after migration period.
-			if configModified, ok = removeDeprecatedSSHIncludeStatement(configModified); ok {
-				changes = append(changes, fmt.Sprintf("Remove %q from %s", "Include coder", sshConfigFile))
-			}
-
-			root := createConfig(cmd)
-
 			buf := &bytes.Buffer{}
-			before, after := sshConfigSplitOnCoderSection(configModified)
+			before, _, after, err := sshConfigSplitOnCoderSection(configModified)
+			if err != nil {
+				return err
+			}
 			// Write the first half of the users config file to buf.
 			_, _ = buf.Write(before)

@@ -288,11 +295,13 @@ func configSSH() *cobra.Command {
 						"\tLogLevel ERROR",
 					)
 					if !skipProxyCommand {
-						if !wireguard {
-							configOptions = append(configOptions, fmt.Sprintf("\tProxyCommand %q --global-config %q ssh --stdio %s", binaryFile, root, hostname))
-						} else {
-							configOptions = append(configOptions, fmt.Sprintf("\tProxyCommand %q --global-config %q ssh --wireguard --stdio %s", binaryFile, root, hostname))
-						}
+						configOptions = append(
+							configOptions,
+							fmt.Sprintf(
+								"\tProxyCommand %s --global-config %s ssh --stdio %s",
+								escapedCoderBinary, escapedGlobalConfig, hostname,
+							),
+						)
 					}

 					_, _ = buf.WriteString(strings.Join(configOptions, "\n"))
@@ -306,17 +315,34 @@ func configSSH() *cobra.Command {
 			_, _ = buf.Write(after)

 			if !bytes.Equal(configModified, buf.Bytes()) {
-				changes = append(changes, fmt.Sprintf("Update coder config section in %s", sshConfigFile))
+				changes = append(changes, fmt.Sprintf("Update the coder section in %s", sshConfigFile))
 				configModified = buf.Bytes()
 			}

-			if len(changes) > 0 {
-				dryRunDisclaimer := ""
-				if dryRun {
-					dryRunDisclaimer = " (dry-run, no changes will be made)"
+			if len(changes) == 0 {
+				_, _ = fmt.Fprintf(out, "No changes to make.\n")
+				return nil
+			}
+
+			if dryRun {
+				_, _ = fmt.Fprintf(out, "Dry run, the following changes would be made to your SSH configuration:\n\n  * %s\n\n", strings.Join(changes, "\n  * "))
+
+				color := isTTYOut(cmd)
+				diff, err := diffBytes(sshConfigFile, configRaw, configModified, color)
+				if err != nil {
+					return xerrors.Errorf("diff failed: %w", err)
 				}
+				if len(diff) > 0 {
+					// Write diff to stdout.
+					_, _ = fmt.Fprintf(cmd.OutOrStdout(), "%s", diff)
+				}
+
+				return nil
+			}
+
+			if len(changes) > 0 {
 				_, err = cliui.Prompt(cmd, cliui.PromptOptions{
-					Text:      fmt.Sprintf("The following changes will be made to your SSH configuration:\n\n    * %s\n\n  Continue?%s", strings.Join(changes, "\n    * "), dryRunDisclaimer),
+					Text:      fmt.Sprintf("The following changes will be made to your SSH configuration:\n\n    * %s\n\n  Continue?", strings.Join(changes, "\n    * ")),
 					IsConfirm: true,
 				})
 				if err != nil {
@@ -328,47 +354,18 @@ func configSSH() *cobra.Command {
 				}
 			}

-			if dryRun {
-				color := isTTYOut(cmd)
-				diffFns := []func() ([]byte, error){
-					func() ([]byte, error) { return diffBytes(sshConfigFile, configRaw, configModified, color) },
-				}
-				if len(coderConfigRaw) > 0 {
-					// Deprecated: Remove after migration period.
-					diffFns = append(diffFns, func() ([]byte, error) { return diffBytes(coderConfigFile, coderConfigRaw, nil, color) })
-				}
-
-				for _, diffFn := range diffFns {
-					diff, err := diffFn()
-					if err != nil {
-						return xerrors.Errorf("diff failed: %w", err)
-					}
-					if len(diff) > 0 {
-						// Write diff to stdout.
-						_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\n%s", diff)
-					}
-				}
-			} else {
-				if !bytes.Equal(configRaw, configModified) {
-					err = writeWithTempFileAndMove(sshConfigFile, bytes.NewReader(configModified))
-					if err != nil {
-						return xerrors.Errorf("write ssh config failed: %w", err)
-					}
-				}
-				// Deprecated: Remove after migration period.
-				if len(coderConfigRaw) > 0 {
-					err = os.Remove(coderConfigFile)
-					if err != nil {
-						return xerrors.Errorf("remove coder config failed: %w", err)
-					}
+			if !bytes.Equal(configRaw, configModified) {
+				err = writeWithTempFileAndMove(sshConfigFile, bytes.NewReader(configModified))
+				if err != nil {
+					return xerrors.Errorf("write ssh config failed: %w", err)
 				}
 			}

 			if len(workspaceConfigs) > 0 {
 				_, _ = fmt.Fprintln(out, "You should now be able to ssh into your workspace.")
-				_, _ = fmt.Fprintf(out, "For example, try running:\n\n\t$ ssh coder.%s\n\n", workspaceConfigs[0].Name)
+				_, _ = fmt.Fprintf(out, "For example, try running:\n\n\t$ ssh coder.%s\n", workspaceConfigs[0].Name)
 			} else {
-				_, _ = fmt.Fprint(out, "You don't have any workspaces yet, try creating one with:\n\n\t$ coder create <workspace>\n\n")
+				_, _ = fmt.Fprint(out, "You don't have any workspaces yet, try creating one with:\n\n\t$ coder create <workspace>\n")
 			}
 			return nil
 		},
@@ -379,13 +376,6 @@ func configSSH() *cobra.Command {
 	cmd.Flags().BoolVarP(&skipProxyCommand, "skip-proxy-command", "", false, "Specifies whether the ProxyCommand option should be skipped. Useful for testing.")
 	_ = cmd.Flags().MarkHidden("skip-proxy-command")
 	cliflag.BoolVarP(cmd.Flags(), &usePreviousOpts, "use-previous-options", "", "CODER_SSH_USE_PREVIOUS_OPTIONS", false, "Specifies whether or not to keep options from previous run of config-ssh.")
-	cliflag.BoolVarP(cmd.Flags(), &wireguard, "wireguard", "", "CODER_CONFIG_SSH_WIREGUARD", false, "Whether to use Wireguard for SSH tunneling.")
-	_ = cmd.Flags().MarkHidden("wireguard")
-
-	// Deprecated: Remove after migration period.
-	cmd.Flags().StringVar(&coderConfigFile, "test.ssh-coder-config-file", sshDefaultCoderConfigFileName, "Specifies the path to an Coder SSH config file. Useful for testing.")
-	_ = cmd.Flags().MarkHidden("test.ssh-coder-config-file")
-
 	cliui.AllowSkipPrompt(cmd)

 	return cmd
@@ -435,22 +425,39 @@ func sshConfigParseLastOptions(r io.Reader) (o sshConfigOptions) {
 	return o
 }

-func sshConfigGetCoderSection(data []byte) (section []byte, ok bool) {
-	startIndex := bytes.Index(data, []byte(sshStartToken))
-	endIndex := bytes.Index(data, []byte(sshEndToken))
-	if startIndex != -1 && endIndex != -1 {
-		return data[startIndex : endIndex+len(sshEndToken)], true
+// sshConfigGetCoderSection is a helper function that only returns the coder
+// section of the SSH config and a boolean if it exists.
+func sshConfigGetCoderSection(data []byte) (section []byte, ok bool, err error) {
+	_, section, _, err = sshConfigSplitOnCoderSection(data)
+	if err != nil {
+		return nil, false, err
 	}
-	return nil, false
+
+	return section, len(section) > 0, nil
 }

-// sshConfigSplitOnCoderSection splits the SSH config into two sections,
-// before contains the lines before sshStartToken and after contains the
-// lines after sshEndToken.
-func sshConfigSplitOnCoderSection(data []byte) (before, after []byte) {
+// sshConfigSplitOnCoderSection splits the SSH config into 3 sections.
+// All lines before sshStartToken, the coder section, and all lines after
+// sshEndToken.
+func sshConfigSplitOnCoderSection(data []byte) (before, section []byte, after []byte, err error) {
+	startCount := bytes.Count(data, []byte(sshStartToken))
+	endCount := bytes.Count(data, []byte(sshEndToken))
+	if startCount > 1 || endCount > 1 {
+		return nil, nil, nil, xerrors.New("Malformed config: ssh config has multiple coder sections, please remove all but one")
+	}
+
 	startIndex := bytes.Index(data, []byte(sshStartToken))
 	endIndex := bytes.Index(data, []byte(sshEndToken))
+	if startIndex == -1 && endIndex != -1 {
+		return nil, nil, nil, xerrors.New("Malformed config: ssh config has end header, but missing start header")
+	}
+	if startIndex != -1 && endIndex == -1 {
+		return nil, nil, nil, xerrors.New("Malformed config: ssh config has start header, but missing end header")
+	}
 	if startIndex != -1 && endIndex != -1 {
+		if startIndex > endIndex {
+			return nil, nil, nil, xerrors.New("Malformed config: ssh config has coder section, but it is malformed and the END header is before the START header")
+		}
 		// We use -1 and +1 here to also include the preceding
 		// and trailing newline, where applicable.
 		start := startIndex
@@ -461,10 +468,10 @@ func sshConfigSplitOnCoderSection(data []byte) (before, after []byte) {
 		if end < len(data) {
 			end++
 		}
-		return data[:start], data[end:]
+		return data[:start], data[start:end], data[end:], nil
 	}

-	return data, nil
+	return data, nil, nil, nil
 }

 // writeWithTempFileAndMove writes to a temporary file in the same
@@ -475,6 +482,11 @@ func writeWithTempFileAndMove(path string, r io.Reader) (err error) {
 	dir := filepath.Dir(path)
 	name := filepath.Base(path)

+	// Ensure that e.g. the ~/.ssh directory exists.
+	if err = os.MkdirAll(dir, 0o700); err != nil {
+		return xerrors.Errorf("create directory: %w", err)
+	}
+
 	// Create a tempfile in the same directory for ensuring write
 	// operation does not fail.
 	f, err := os.CreateTemp(dir, fmt.Sprintf(".%s.", name))
@@ -506,6 +518,52 @@ func writeWithTempFileAndMove(path string, r io.Reader) (err error) {
 	return nil
 }

+// sshConfigExecEscape quotes the string if it contains spaces, as per
+// `man 5 ssh_config`. However, OpenSSH uses exec in the users shell to
+// run the command, and as such the formatting/escape requirements
+// cannot simply be covered by `fmt.Sprintf("%q", path)`.
+//
+// Always escaping the path with `fmt.Sprintf("%q", path)` usually works
+// on most platforms, but double quotes sometimes break on Windows 10
+// (see #2853). This function takes a best-effort approach to improving
+// compatibility and covering edge cases.
+//
+// Given the following ProxyCommand:
+//
+//	ProxyCommand "/path/with space/coder" ssh --stdio work
+//
+// This is ~what OpenSSH would execute:
+//
+//	/bin/bash -c '"/path/with space/to/coder" ssh --stdio workspace'
+//
+// However, since it's actually an arg in C, the contents inside the
+// single quotes are interpreted as is, e.g. if there was a '\t', it
+// would be the literal string '\t', not a tab.
+//
+// See:
+//   - https://github.com/coder/coder/issues/2853
+//   - https://github.com/openssh/openssh-portable/blob/V_9_0_P1/sshconnect.c#L158-L167
+//   - https://github.com/PowerShell/openssh-portable/blob/v8.1.0.0/sshconnect.c#L231-L293
+//   - https://github.com/PowerShell/openssh-portable/blob/v8.1.0.0/contrib/win32/win32compat/w32fd.c#L1075-L1100
+func sshConfigExecEscape(path string) (string, error) {
+	// This is unlikely to ever happen, but newlines are allowed on
+	// certain filesystems, but cannot be used inside ssh config.
+	if strings.ContainsAny(path, "\n") {
+		return "", xerrors.Errorf("invalid path: %s", path)
+	}
+	// In the unlikely even that a path contains quotes, they must be
+	// escaped so that they are not interpreted as shell quotes.
+	if strings.Contains(path, "\"") {
+		path = strings.ReplaceAll(path, "\"", "\\\"")
+	}
+	// A space or a tab requires quoting, but tabs must not be escaped
+	// (\t) since OpenSSH interprets it as a literal \t, not a tab.
+	if strings.ContainsAny(path, " \t") {
+		path = fmt.Sprintf("\"%s\"", path) //nolint:gocritic // We don't want %q here.
+	}
+	return path, nil
+}
+
 // currentBinPath returns the path to the coder binary suitable for use in ssh
 // ProxyCommand.
 func currentBinPath(w io.Writer) (string, error) {
@@ -551,7 +609,7 @@ func currentBinPath(w io.Writer) (string, error) {

 // diffBytes takes two byte slices and diffs them as if they were in a
 // file named name.
-//nolint: revive // Color is an option, not a control coupling.
+// nolint: revive // Color is an option, not a control coupling.
 func diffBytes(name string, b1, b2 []byte, color bool) ([]byte, error) {
 	var buf bytes.Buffer
 	var opts []write.Option
@@ -0,0 +1,181 @@
+package cli
+
+import (
+	"os"
+	"os/exec"
+	"path/filepath"
+	"runtime"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func Test_sshConfigSplitOnCoderSection(t *testing.T) {
+	t.Parallel()
+
+	testCases := []struct {
+		Name    string
+		Input   string
+		Before  string
+		Section string
+		After   string
+		Err     bool
+	}{
+		{
+			Name:    "Empty",
+			Input:   "",
+			Before:  "",
+			Section: "",
+			After:   "",
+			Err:     false,
+		},
+		{
+			Name:    "JustSection",
+			Input:   strings.Join([]string{sshStartToken, sshEndToken}, "\n"),
+			Before:  "",
+			Section: strings.Join([]string{sshStartToken, sshEndToken}, "\n"),
+			After:   "",
+			Err:     false,
+		},
+		{
+			Name:    "NoSection",
+			Input:   strings.Join([]string{"# Some content"}, "\n"),
+			Before:  "# Some content",
+			Section: "",
+			After:   "",
+			Err:     false,
+		},
+		{
+			Name: "Normal",
+			Input: strings.Join([]string{
+				"# Content before the section",
+				sshStartToken,
+				sshEndToken,
+				"# Content after the section",
+			}, "\n"),
+			Before:  "# Content before the section",
+			Section: strings.Join([]string{"", sshStartToken, sshEndToken, ""}, "\n"),
+			After:   "# Content after the section",
+			Err:     false,
+		},
+		{
+			Name: "OutOfOrder",
+			Input: strings.Join([]string{
+				"# Content before the section",
+				sshEndToken,
+				sshStartToken,
+				"# Content after the section",
+			}, "\n"),
+			Err: true,
+		},
+		{
+			Name: "MissingStart",
+			Input: strings.Join([]string{
+				"# Content before the section",
+				sshEndToken,
+				"# Content after the section",
+			}, "\n"),
+			Err: true,
+		},
+		{
+			Name: "MissingEnd",
+			Input: strings.Join([]string{
+				"# Content before the section",
+				sshEndToken,
+				"# Content after the section",
+			}, "\n"),
+			Err: true,
+		},
+		{
+			Name: "ExtraStart",
+			Input: strings.Join([]string{
+				"# Content before the section",
+				sshStartToken,
+				sshEndToken,
+				sshStartToken,
+				"# Content after the section",
+			}, "\n"),
+			Err: true,
+		},
+		{
+			Name: "ExtraEnd",
+			Input: strings.Join([]string{
+				"# Content before the section",
+				sshStartToken,
+				sshEndToken,
+				sshEndToken,
+				"# Content after the section",
+			}, "\n"),
+			Err: true,
+		},
+	}
+
+	for _, tc := range testCases {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Parallel()
+
+			before, section, after, err := sshConfigSplitOnCoderSection([]byte(tc.Input))
+			if tc.Err {
+				require.Error(t, err)
+				return
+			}
+
+			require.NoError(t, err)
+			require.Equal(t, tc.Before, string(before), "before")
+			require.Equal(t, tc.Section, string(section), "section")
+			require.Equal(t, tc.After, string(after), "after")
+		})
+	}
+}
+
+// This test tries to mimic the behavior of OpenSSH
+// when executing e.g. a ProxyCommand.
+func Test_sshConfigExecEscape(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name    string
+		path    string
+		wantErr bool
+		windows bool
+	}{
+		{"no spaces", "simple", false, true},
+		{"spaces", "path with spaces", false, true},
+		{"quotes", "path with \"quotes\"", false, false},
+		{"backslashes", "path with \\backslashes", false, false},
+		{"tabs", "path with \ttabs", false, false},
+		{"newline fails", "path with \nnewline", true, false},
+	}
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			if runtime.GOOS == "windows" {
+				t.Skip("Windows doesn't typically execute via /bin/sh or cmd.exe, so this test is not applicable.")
+			}
+
+			dir := filepath.Join(t.TempDir(), tt.path)
+			err := os.MkdirAll(dir, 0o755)
+			require.NoError(t, err)
+			bin := filepath.Join(dir, "coder")
+			contents := []byte("#!/bin/sh\necho yay\n")
+			err = os.WriteFile(bin, contents, 0o755) //nolint:gosec
+			require.NoError(t, err)
+
+			escaped, err := sshConfigExecEscape(bin)
+			if tt.wantErr {
+				require.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+
+			b, err := exec.Command("/bin/sh", "-c", escaped).CombinedOutput() //nolint:gosec
+			require.NoError(t, err)
+			got := strings.TrimSpace(string(b))
+			require.Equal(t, "yay", got)
+		})
+	}
+}
@@ -1,66 +0,0 @@
-package cli
-
-import (
-	"bytes"
-	"os"
-	"path/filepath"
-	"regexp"
-	"strings"
-)
-
-// This file contains config-ssh definitions that are deprecated, they
-// will be removed after a migratory period.
-
-const (
-	sshDefaultCoderConfigFileName = "~/.ssh/coder"
-	sshCoderConfigHeader          = "# This file is managed by coder. DO NOT EDIT."
-)
-
-// Regular expressions are used because SSH configs do not have
-// meaningful indentation and keywords are case-insensitive.
-var (
-	// Find the semantically correct include statement. Since the user can
-	// modify their configuration as they see fit, there could be:
-	// - Leading indentation (space, tab)
-	// - Trailing indentation (space, tab)
-	// - Select newline after Include statement for cleaner removal
-	// In the following cases, we will not recognize the Include statement
-	// and leave as-is (i.e. they're not supported):
-	// - User adds another file to the Include statement
-	// - User adds a comment on the same line as the Include statement
-	sshCoderIncludedRe = regexp.MustCompile(`(?m)^[\t ]*((?i)Include) coder[\t ]*[\r]?[\n]?$`)
-)
-
-// removeDeprecatedSSHIncludeStatement checks for the Include coder statement
-// and returns modified = true if it was removed.
-func removeDeprecatedSSHIncludeStatement(data []byte) (modifiedData []byte, modified bool) {
-	coderInclude := sshCoderIncludedRe.FindIndex(data)
-	if coderInclude == nil {
-		return data, false
-	}
-
-	// Remove Include statement.
-	d := append([]byte{}, data[:coderInclude[0]]...)
-	d = append(d, data[coderInclude[1]:]...)
-	data = d
-
-	return data, true
-}
-
-// readDeprecatedCoderConfigFile reads the deprecated split config file.
-func readDeprecatedCoderConfigFile(homedir, coderConfigFile string) (name string, data []byte, ok bool) {
-	if strings.HasPrefix(coderConfigFile, "~/") {
-		coderConfigFile = filepath.Join(homedir, coderConfigFile[2:])
-	}
-
-	b, err := os.ReadFile(coderConfigFile)
-	if err != nil {
-		return coderConfigFile, nil, false
-	}
-	if len(b) > 0 {
-		if !bytes.HasPrefix(b, []byte(sshCoderConfigHeader)) {
-			return coderConfigFile, nil, false
-		}
-	}
-	return coderConfigFile, b, true
-}
@@ -1,16 +1,18 @@
 package cli_test

 import (
+	"bufio"
+	"bytes"
 	"context"
 	"fmt"
 	"io"
-	"io/fs"
 	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
 	"strconv"
 	"strings"
+	"sync"
 	"testing"

 	"github.com/google/uuid"
@@ -22,21 +24,21 @@ import (
 	"github.com/coder/coder/agent"
 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
-	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

-func sshConfigFileNames(t *testing.T) (sshConfig string, coderConfig string) {
+func sshConfigFileName(t *testing.T) (sshConfig string) {
 	t.Helper()
 	tmpdir := t.TempDir()
 	dotssh := filepath.Join(tmpdir, ".ssh")
 	err := os.Mkdir(dotssh, 0o700)
 	require.NoError(t, err)
-	n1 := filepath.Join(dotssh, "config")
-	n2 := filepath.Join(dotssh, "coder")
-	return n1, n2
+	n := filepath.Join(dotssh, "config")
+	return n
 }

 func sshConfigFileCreate(t *testing.T, name string, data io.Reader) {
@@ -61,12 +63,12 @@ func sshConfigFileRead(t *testing.T, name string) string {
 func TestConfigSSH(t *testing.T) {
 	t.Parallel()

-	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 	user := coderdtest.CreateFirstUser(t, client)
 	authToken := uuid.NewString()
 	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 		Parse: echo.ParseComplete,
-		ProvisionDryRun: []*proto.Provision_Response{{
+		ProvisionPlan: []*proto.Provision_Response{{
 			Type: &proto.Provision_Response_Complete{
 				Complete: &proto.Provision_Complete{
 					Resources: []*proto.Resource{{
@@ -80,7 +82,7 @@ func TestConfigSSH(t *testing.T) {
 				},
 			},
 		}},
-		Provision: []*proto.Provision_Response{{
+		ProvisionApply: []*proto.Provision_Response{{
 			Type: &proto.Provision_Response_Complete{
 				Complete: &proto.Provision_Complete{
 					Resources: []*proto.Resource{{
@@ -102,41 +104,52 @@ func TestConfigSSH(t *testing.T) {
 	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-	agentClient := codersdk.New(client.URL)
-	agentClient.SessionToken = authToken
-	agentCloser := agent.New(agentClient.ListenWorkspaceAgent, &agent.Options{
-		Logger: slogtest.Make(t, nil),
+	agentClient := agentsdk.New(client.URL)
+	agentClient.SetSessionToken(authToken)
+	agentCloser := agent.New(agent.Options{
+		Client: agentClient,
+		Logger: slogtest.Make(t, nil).Named("agent"),
 	})
-	t.Cleanup(func() {
+	defer func() {
 		_ = agentCloser.Close()
-	})
-	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
+	}()
+	resources := coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
 	agentConn, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
 	require.NoError(t, err)
 	defer agentConn.Close()

 	listener, err := net.Listen("tcp", "127.0.0.1:0")
 	require.NoError(t, err)
-	t.Cleanup(func() {
+	defer func() {
 		_ = listener.Close()
-	})
+	}()
+	copyDone := make(chan struct{})
 	go func() {
+		defer close(copyDone)
+		var wg sync.WaitGroup
 		for {
 			conn, err := listener.Accept()
 			if err != nil {
-				return
+				break
 			}
-			ssh, err := agentConn.SSH()
+			ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+			ssh, err := agentConn.SSH(ctx)
+			cancel()
 			assert.NoError(t, err)
-			go io.Copy(conn, ssh)
-			go io.Copy(ssh, conn)
+			wg.Add(2)
+			go func() {
+				defer wg.Done()
+				_, _ = io.Copy(conn, ssh)
+			}()
+			go func() {
+				defer wg.Done()
+				_, _ = io.Copy(ssh, conn)
+			}()
 		}
+		wg.Wait()
 	}()
-	t.Cleanup(func() {
-		_ = listener.Close()
-	})

-	sshConfigFile, _ := sshConfigFileNames(t)
+	sshConfigFile := sshConfigFileName(t)

 	tcpAddr, valid := listener.Addr().(*net.TCPAddr)
 	require.True(t, valid)
@@ -171,12 +184,16 @@ func TestConfigSSH(t *testing.T) {
 	home := filepath.Dir(filepath.Dir(sshConfigFile))
 	// #nosec
 	sshCmd := exec.Command("ssh", "-F", sshConfigFile, "coder."+workspace.Name, "echo", "test")
+	pty = ptytest.New(t)
 	// Set HOME because coder config is included from ~/.ssh/coder.
 	sshCmd.Env = append(sshCmd.Env, fmt.Sprintf("HOME=%s", home))
-	sshCmd.Stderr = os.Stderr
+	sshCmd.Stderr = pty.Output()
 	data, err := sshCmd.Output()
 	require.NoError(t, err)
 	require.Equal(t, "test", strings.TrimSpace(string(data)))
+
+	_ = listener.Close()
+	<-copyDone
 }

 func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
@@ -197,12 +214,10 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 	}, "\n")

 	type writeConfig struct {
-		ssh   string
-		coder string
+		ssh string
 	}
 	type wantConfig struct {
-		ssh       string
-		coderKept bool
+		ssh string
 	}
 	type match struct {
 		match, write string
@@ -514,119 +529,35 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 				"--yes",
 			},
 		},
-
-		// Tests for deprecated split coder config.
 		{
-			name: "Do not overwrite unknown coder config",
+			name:    "Start/End out of order",
+			matches: []match{
+				// {match: "Continue?", write: "yes"},
+			},
 			writeConfig: writeConfig{
 				ssh: strings.Join([]string{
-					baseHeader,
-					"",
-				}, "\n"),
-				coder: strings.Join([]string{
-					"We're no strangers to love",
-					"You know the rules and so do I (do I)",
+					"# Content before coder block",
+					headerEnd,
+					headerStart,
+					"# Content after coder block",
 				}, "\n"),
 			},
-			wantConfig: wantConfig{
-				coderKept: true,
-			},
+			wantErr: true,
 		},
 		{
-			name: "Transfer options from coder to ssh config",
-			writeConfig: writeConfig{
-				ssh: strings.Join([]string{
-					"Include coder",
-					"",
-				}, "\n"),
-				coder: strings.Join([]string{
-					"# This file is managed by coder. DO NOT EDIT.",
-					"#",
-					"# You should not hand-edit this file, all changes will be lost when running",
-					"# \"coder config-ssh\".",
-					"#",
-					"# Last config-ssh options:",
-					"# :ssh-option=ForwardAgent=yes",
-					"#",
-				}, "\n"),
+			name:    "Multiple sections",
+			matches: []match{
+				// {match: "Continue?", write: "yes"},
 			},
-			wantConfig: wantConfig{
+			writeConfig: writeConfig{
 				ssh: strings.Join([]string{
 					headerStart,
-					"# Last config-ssh options:",
-					"# :ssh-option=ForwardAgent=yes",
-					"#",
 					headerEnd,
-					"",
-				}, "\n"),
-			},
-			matches: []match{
-				{match: "Use new options?", write: "no"},
-				{match: "Continue?", write: "yes"},
-			},
-		},
-		{
-			name: "Allow overwriting previous options from coder config",
-			writeConfig: writeConfig{
-				ssh: strings.Join([]string{
-					"Include coder",
-					"",
-				}, "\n"),
-				coder: strings.Join([]string{
-					"# This file is managed by coder. DO NOT EDIT.",
-					"#",
-					"# You should not hand-edit this file, all changes will be lost when running",
-					"# \"coder config-ssh\".",
-					"#",
-					"# Last config-ssh options:",
-					"# :ssh-option=ForwardAgent=yes",
-					"#",
-				}, "\n"),
-			},
-			wantConfig: wantConfig{
-				ssh: strings.Join([]string{
-					baseHeader,
-					"",
-				}, "\n"),
-			},
-			matches: []match{
-				{match: "Use new options?", write: "yes"},
-				{match: "Continue?", write: "yes"},
-			},
-		},
-		{
-			name: "Allow overwriting previous options from coder config when they differ",
-			writeConfig: writeConfig{
-				ssh: strings.Join([]string{
-					"Include coder",
-					"",
-				}, "\n"),
-				coder: strings.Join([]string{
-					"# This file is managed by coder. DO NOT EDIT.",
-					"#",
-					"# You should not hand-edit this file, all changes will be lost when running",
-					"# \"coder config-ssh\".",
-					"#",
-					"# Last config-ssh options:",
-					"# :ssh-option=ForwardAgent=yes",
-					"#",
-				}, "\n"),
-			},
-			wantConfig: wantConfig{
-				ssh: strings.Join([]string{
 					headerStart,
-					"# Last config-ssh options:",
-					"# :ssh-option=ForwardAgent=no",
-					"#",
 					headerEnd,
-					"",
 				}, "\n"),
 			},
-			args: []string{"--ssh-option", "ForwardAgent=no"},
-			matches: []match{
-				{match: "Use new options?", write: "yes"},
-				{match: "Continue?", write: "yes"},
-			},
+			wantErr: true,
 		},
 	}
 	for _, tt := range tests {
@@ -635,7 +566,7 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 			t.Parallel()

 			var (
-				client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+				client    = coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 				user      = coderdtest.CreateFirstUser(t, client)
 				version   = coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 				_         = coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
@@ -645,18 +576,14 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 			)

 			// Prepare ssh config files.
-			sshConfigName, coderConfigName := sshConfigFileNames(t)
+			sshConfigName := sshConfigFileName(t)
 			if tt.writeConfig.ssh != "" {
 				sshConfigFileCreate(t, sshConfigName, strings.NewReader(tt.writeConfig.ssh))
 			}
-			if tt.writeConfig.coder != "" {
-				sshConfigFileCreate(t, coderConfigName, strings.NewReader(tt.writeConfig.coder))
-			}

 			args := []string{
 				"config-ssh",
 				"--ssh-config-file", sshConfigName,
-				"--test.ssh-coder-config-file", coderConfigName,
 			}
 			args = append(args, tt.args...)
 			cmd, root := clitest.New(t, args...)
@@ -685,10 +612,155 @@ func TestConfigSSH_FileWriteAndOptionsFlow(t *testing.T) {
 				got := sshConfigFileRead(t, sshConfigName)
 				assert.Equal(t, tt.wantConfig.ssh, got)
 			}
-			if !tt.wantConfig.coderKept {
-				_, err := os.ReadFile(coderConfigName)
-				assert.ErrorIs(t, err, fs.ErrNotExist)
-			}
 		})
 	}
 }
+
+func TestConfigSSH_Hostnames(t *testing.T) {
+	t.Parallel()
+
+	type resourceSpec struct {
+		name   string
+		agents []string
+	}
+	tests := []struct {
+		name      string
+		resources []resourceSpec
+		expected  []string
+	}{
+		{
+			name: "one resource with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "one resource with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1", "agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+		{
+			name: "two resources with one agent",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar"},
+			},
+			expected: []string{"coder.@", "coder.@.agent1"},
+		},
+		{
+			name: "two resources with two agents",
+			resources: []resourceSpec{
+				{name: "foo", agents: []string{"agent1"}},
+				{name: "bar", agents: []string{"agent2"}},
+			},
+			expected: []string{"coder.@.agent1", "coder.@.agent2"},
+		},
+	}
+
+	for _, tt := range tests {
+		tt := tt
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			var resources []*proto.Resource
+			for _, resourceSpec := range tt.resources {
+				resource := &proto.Resource{
+					Name: resourceSpec.name,
+					Type: "aws_instance",
+				}
+				for _, agentName := range resourceSpec.agents {
+					resource.Agents = append(resource.Agents, &proto.Agent{
+						Id:   uuid.NewString(),
+						Name: agentName,
+					})
+				}
+				resources = append(resources, resource)
+			}
+
+			provisionResponse := []*proto.Provision_Response{{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Resources: resources,
+					},
+				},
+			}}
+
+			client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+			user := coderdtest.CreateFirstUser(t, client)
+			// authToken := uuid.NewString()
+			version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+				Parse:          echo.ParseComplete,
+				ProvisionPlan:  provisionResponse,
+				ProvisionApply: provisionResponse,
+			})
+			coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+			template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+			workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+			coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+			sshConfigFile := sshConfigFileName(t)
+
+			cmd, root := clitest.New(t, "config-ssh", "--ssh-config-file", sshConfigFile)
+			clitest.SetupConfig(t, client, root)
+			doneChan := make(chan struct{})
+			pty := ptytest.New(t)
+			cmd.SetIn(pty.Input())
+			cmd.SetOut(pty.Output())
+			go func() {
+				defer close(doneChan)
+				err := cmd.Execute()
+				assert.NoError(t, err)
+			}()
+
+			matches := []struct {
+				match, write string
+			}{
+				{match: "Continue?", write: "yes"},
+			}
+			for _, m := range matches {
+				pty.ExpectMatch(m.match)
+				pty.WriteLine(m.write)
+			}
+
+			<-doneChan
+
+			var expectedHosts []string
+			for _, hostnamePattern := range tt.expected {
+				hostname := strings.ReplaceAll(hostnamePattern, "@", workspace.Name)
+				expectedHosts = append(expectedHosts, hostname)
+			}
+
+			hosts := sshConfigFileParseHosts(t, sshConfigFile)
+			require.ElementsMatch(t, expectedHosts, hosts)
+		})
+	}
+}
+
+// sshConfigFileParseHosts reads a file in the format of .ssh/config and extracts
+// the hostnames that are listed in "Host" directives.
+func sshConfigFileParseHosts(t *testing.T, name string) []string {
+	t.Helper()
+	b, err := os.ReadFile(name)
+	require.NoError(t, err)
+
+	var result []string
+	lineScanner := bufio.NewScanner(bytes.NewBuffer(b))
+	for lineScanner.Scan() {
+		line := lineScanner.Text()
+		line = strings.TrimSpace(line)
+
+		tokenScanner := bufio.NewScanner(bytes.NewBufferString(line))
+		tokenScanner.Split(bufio.ScanWords)
+		ok := tokenScanner.Scan()
+		if ok && tokenScanner.Text() == "Host" {
+			for tokenScanner.Scan() {
+				result = append(result, tokenScanner.Text())
+			}
+		}
+	}
+
+	return result
+}
@@ -1,7 +1,9 @@
 package cli

 import (
+	"context"
 	"fmt"
+	"io"
 	"time"

 	"github.com/spf13/cobra"
@@ -16,23 +18,24 @@ import (

 func create() *cobra.Command {
 	var (
-		parameterFile string
-		templateName  string
-		startAt       string
-		stopAfter     time.Duration
-		workspaceName string
+		parameterFile     string
+		richParameterFile string
+		templateName      string
+		startAt           string
+		stopAfter         time.Duration
+		workspaceName     string
 	)
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "create [name]",
-		Short:       "Create a workspace from a template",
+		Short:       "Create a workspace",
 		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}

-			organization, err := currentOrganization(cmd, client)
+			organization, err := CurrentOrganization(cmd, client)
 			if err != nil {
 				return err
 			}
@@ -72,7 +75,7 @@ func create() *cobra.Command {
 				}

 				slices.SortFunc(templates, func(a, b codersdk.Template) bool {
-					return a.WorkspaceOwnerCount > b.WorkspaceOwnerCount
+					return a.ActiveUserCount > b.ActiveUserCount
 				})

 				templateNames := make([]string, 0, len(templates))
@@ -81,13 +84,13 @@ func create() *cobra.Command {
 				for _, template := range templates {
 					templateName := template.Name

-					if template.WorkspaceOwnerCount > 0 {
-						developerText := "developer"
-						if template.WorkspaceOwnerCount != 1 {
-							developerText = "developers"
-						}
-
-						templateName += cliui.Styles.Placeholder.Render(fmt.Sprintf(" (used by %d %s)", template.WorkspaceOwnerCount, developerText))
+					if template.ActiveUserCount > 0 {
+						templateName += cliui.Styles.Placeholder.Render(
+							fmt.Sprintf(
+								" (used by %s)",
+								formatActiveDevelopers(template.ActiveUserCount),
+							),
+						)
 					}

 					templateNames = append(templateNames, templateName)
@@ -120,11 +123,12 @@ func create() *cobra.Command {
 				schedSpec = ptr.Ref(sched.String())
 			}

-			parameters, err := prepWorkspaceBuild(cmd, client, prepWorkspaceBuildArgs{
-				Template:         template,
-				ExistingParams:   []codersdk.Parameter{},
-				ParameterFile:    parameterFile,
-				NewWorkspaceName: workspaceName,
+			buildParams, err := prepWorkspaceBuild(cmd, client, prepWorkspaceBuildArgs{
+				Template:          template,
+				ExistingParams:    []codersdk.Parameter{},
+				ParameterFile:     parameterFile,
+				RichParameterFile: richParameterFile,
+				NewWorkspaceName:  workspaceName,
 			})
 			if err != nil {
 				return err
@@ -138,24 +142,24 @@ func create() *cobra.Command {
 				return err
 			}

-			after := time.Now()
-			workspace, err := client.CreateWorkspace(cmd.Context(), organization.ID, codersdk.CreateWorkspaceRequest{
-				TemplateID:        template.ID,
-				Name:              workspaceName,
-				AutostartSchedule: schedSpec,
-				TTLMillis:         ptr.Ref(stopAfter.Milliseconds()),
-				ParameterValues:   parameters,
+			workspace, err := client.CreateWorkspace(cmd.Context(), organization.ID, codersdk.Me, codersdk.CreateWorkspaceRequest{
+				TemplateID:          template.ID,
+				Name:                workspaceName,
+				AutostartSchedule:   schedSpec,
+				TTLMillis:           ptr.Ref(stopAfter.Milliseconds()),
+				ParameterValues:     buildParams.parameters,
+				RichParameterValues: buildParams.richParameters,
 			})
 			if err != nil {
 				return err
 			}

-			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, workspace.LatestBuild.ID, after)
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, workspace.LatestBuild.ID)
 			if err != nil {
 				return err
 			}

-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been created!\n", cliui.Styles.Keyword.Render(workspace.Name))
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been created at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
 			return nil
 		},
 	}
@@ -163,26 +167,55 @@ func create() *cobra.Command {
 	cliui.AllowSkipPrompt(cmd)
 	cliflag.StringVarP(cmd.Flags(), &templateName, "template", "t", "CODER_TEMPLATE_NAME", "", "Specify a template name.")
 	cliflag.StringVarP(cmd.Flags(), &parameterFile, "parameter-file", "", "CODER_PARAMETER_FILE", "", "Specify a file path with parameter values.")
+	cliflag.StringVarP(cmd.Flags(), &richParameterFile, "rich-parameter-file", "", "CODER_RICH_PARAMETER_FILE", "", "Specify a file path with values for rich parameters defined in the template.")
 	cliflag.StringVarP(cmd.Flags(), &startAt, "start-at", "", "CODER_WORKSPACE_START_AT", "", "Specify the workspace autostart schedule. Check `coder schedule start --help` for the syntax.")
 	cliflag.DurationVarP(cmd.Flags(), &stopAfter, "stop-after", "", "CODER_WORKSPACE_STOP_AFTER", 8*time.Hour, "Specify a duration after which the workspace should shut down (e.g. 8h).")
 	return cmd
 }

 type prepWorkspaceBuildArgs struct {
-	Template         codersdk.Template
-	ExistingParams   []codersdk.Parameter
-	ParameterFile    string
-	NewWorkspaceName string
+	Template           codersdk.Template
+	ExistingParams     []codersdk.Parameter
+	ParameterFile      string
+	ExistingRichParams []codersdk.WorkspaceBuildParameter
+	RichParameterFile  string
+	NewWorkspaceName   string
+
+	UpdateWorkspace bool
+}
+
+type buildParameters struct {
+	// Parameters contains legacy parameters stored in /parameters.
+	parameters []codersdk.CreateParameterRequest
+	// Rich parameters stores values for build parameters annotated with description, icon, type, etc.
+	richParameters []codersdk.WorkspaceBuildParameter
 }

 // prepWorkspaceBuild will ensure a workspace build will succeed on the latest template version.
-// Any missing params will be prompted to the user.
-func prepWorkspaceBuild(cmd *cobra.Command, client *codersdk.Client, args prepWorkspaceBuildArgs) ([]codersdk.CreateParameterRequest, error) {
+// Any missing params will be prompted to the user. It supports legacy and rich parameters.
+func prepWorkspaceBuild(cmd *cobra.Command, client *codersdk.Client, args prepWorkspaceBuildArgs) (*buildParameters, error) {
 	ctx := cmd.Context()
+
+	var useRichParameters bool
+	if len(args.ExistingRichParams) > 0 && len(args.RichParameterFile) > 0 {
+		useRichParameters = true
+	}
+
+	var useLegacyParameters bool
+	if len(args.ExistingParams) > 0 || len(args.ParameterFile) > 0 {
+		useLegacyParameters = true
+	}
+
+	if useRichParameters && useLegacyParameters {
+		return nil, xerrors.Errorf("Rich parameters can't be used together with legacy parameters.")
+	}
+
 	templateVersion, err := client.TemplateVersion(ctx, args.Template.ActiveVersionID)
 	if err != nil {
 		return nil, err
 	}
+
+	// Legacy parameters
 	parameterSchemas, err := client.TemplateVersionSchema(ctx, templateVersion.ID)
 	if err != nil {
 		return nil, err
@@ -200,7 +233,7 @@ func prepWorkspaceBuild(cmd *cobra.Command, client *codersdk.Client, args prepWo
 		}
 	}
 	disclaimerPrinted := false
-	parameters := make([]codersdk.CreateParameterRequest, 0)
+	legacyParameters := make([]codersdk.CreateParameterRequest, 0)
 PromptParamLoop:
 	for _, parameterSchema := range parameterSchemas {
 		if !parameterSchema.AllowOverrideSource {
@@ -227,20 +260,85 @@ PromptParamLoop:
 			return nil, err
 		}

-		parameters = append(parameters, codersdk.CreateParameterRequest{
+		legacyParameters = append(legacyParameters, codersdk.CreateParameterRequest{
 			Name:              parameterSchema.Name,
 			SourceValue:       parameterValue,
 			SourceScheme:      codersdk.ParameterSourceSchemeData,
 			DestinationScheme: parameterSchema.DefaultDestinationScheme,
 		})
 	}
-	_, _ = fmt.Fprintln(cmd.OutOrStdout())
+
+	if disclaimerPrinted {
+		_, _ = fmt.Fprintln(cmd.OutOrStdout())
+	}
+
+	// Rich parameters
+	templateVersionParameters, err := client.TemplateVersionRichParameters(cmd.Context(), templateVersion.ID)
+	if err != nil {
+		return nil, xerrors.Errorf("get template version rich parameters: %w", err)
+	}
+
+	parameterMapFromFile = map[string]string{}
+	useParamFile = false
+	if args.RichParameterFile != "" {
+		useParamFile = true
+		_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("Attempting to read the variables from the rich parameter file.")+"\r\n")
+		parameterMapFromFile, err = createParameterMapFromFile(args.RichParameterFile)
+		if err != nil {
+			return nil, err
+		}
+	}
+	disclaimerPrinted = false
+	richParameters := make([]codersdk.WorkspaceBuildParameter, 0)
+PromptRichParamLoop:
+	for _, templateVersionParameter := range templateVersionParameters {
+		if !disclaimerPrinted {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render("This template has customizable parameters. Values can be changed after create, but may have unintended side effects (like data loss).")+"\r\n")
+			disclaimerPrinted = true
+		}
+
+		// Param file is all or nothing
+		if !useParamFile {
+			for _, e := range args.ExistingRichParams {
+				if e.Name == templateVersionParameter.Name {
+					// If the param already exists, we do not need to prompt it again.
+					// The workspace scope will reuse params for each build.
+					continue PromptRichParamLoop
+				}
+			}
+		}
+
+		if args.UpdateWorkspace && !templateVersionParameter.Mutable {
+			_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Warn.Render(fmt.Sprintf(`Parameter %q is not mutable, so can't be customized after workspace creation.`, templateVersionParameter.Name)))
+			continue
+		}
+
+		parameterValue, err := getWorkspaceBuildParameterValueFromMapOrInput(cmd, parameterMapFromFile, templateVersionParameter)
+		if err != nil {
+			return nil, err
+		}
+
+		richParameters = append(richParameters, *parameterValue)
+	}
+
+	if disclaimerPrinted {
+		_, _ = fmt.Fprintln(cmd.OutOrStdout())
+	}
+
+	err = cliui.GitAuth(ctx, cmd.OutOrStdout(), cliui.GitAuthOptions{
+		Fetch: func(ctx context.Context) ([]codersdk.TemplateVersionGitAuth, error) {
+			return client.TemplateVersionGitAuth(ctx, templateVersion.ID)
+		},
+	})
+	if err != nil {
+		return nil, xerrors.Errorf("template version git auth: %w", err)
+	}

 	// Run a dry-run with the given parameters to check correctness
-	after := time.Now()
 	dryRun, err := client.CreateTemplateVersionDryRun(cmd.Context(), templateVersion.ID, codersdk.CreateTemplateVersionDryRunRequest{
-		WorkspaceName:   args.NewWorkspaceName,
-		ParameterValues: parameters,
+		WorkspaceName:       args.NewWorkspaceName,
+		ParameterValues:     legacyParameters,
+		RichParameterValues: richParameters,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("begin workspace dry-run: %w", err)
@@ -253,8 +351,8 @@ PromptParamLoop:
 		Cancel: func() error {
 			return client.CancelTemplateVersionDryRun(cmd.Context(), templateVersion.ID, dryRun.ID)
 		},
-		Logs: func() (<-chan codersdk.ProvisionerJobLog, error) {
-			return client.TemplateVersionDryRunLogsAfter(cmd.Context(), templateVersion.ID, dryRun.ID, after)
+		Logs: func() (<-chan codersdk.ProvisionerJobLog, io.Closer, error) {
+			return client.TemplateVersionDryRunLogsAfter(cmd.Context(), templateVersion.ID, dryRun.ID, 0)
 		},
 		// Don't show log output for the dry-run unless there's an error.
 		Silent: true,
@@ -280,5 +378,8 @@ PromptParamLoop:
 		return nil, err
 	}

-	return parameters, nil
+	return &buildParameters{
+		parameters:     legacyParameters,
+		richParameters: richParameters,
+	}, nil
 }
@@ -3,31 +3,38 @@ package cli_test
 import (
 	"context"
 	"fmt"
+	"net/http"
+	"net/url"
 	"os"
+	"regexp"
 	"testing"
 	"time"

 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
+	"golang.org/x/oauth2"

 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/coderd/database"
+	"github.com/coder/coder/coderd/gitauth"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestCreate(t *testing.T) {
 	t.Parallel()
 	t.Run("Create", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:           echo.ParseComplete,
-			Provision:       provisionCompleteWithAgent,
-			ProvisionDryRun: provisionCompleteWithAgent,
+			Parse:          echo.ParseComplete,
+			ProvisionApply: provisionCompleteWithAgent,
+			ProvisionPlan:  provisionCompleteWithAgent,
 		})
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
@@ -79,16 +86,16 @@ func TestCreate(t *testing.T) {

 	t.Run("CreateFromListWithSkip", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 		cmd, root := clitest.New(t, "create", "my-workspace", "-y")

-		member := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
+		member, _ := coderdtest.CreateAnotherUser(t, client, user.OrganizationID)
 		clitest.SetupConfig(t, member, root)
-		cmdCtx, done := context.WithTimeout(context.Background(), time.Second*3)
+		cmdCtx, done := context.WithTimeout(context.Background(), testutil.WaitLong)
 		go func() {
 			defer done()
 			err := cmd.ExecuteContext(cmdCtx)
@@ -101,7 +108,7 @@ func TestCreate(t *testing.T) {

 	t.Run("FromNothing", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
@@ -138,14 +145,14 @@ func TestCreate(t *testing.T) {

 	t.Run("WithParameter", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)

 		defaultValue := "something"
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:           createTestParseResponseWithDefault(defaultValue),
-			Provision:       echo.ProvisionComplete,
-			ProvisionDryRun: echo.ProvisionComplete,
+			Parse:          createTestParseResponseWithDefault(defaultValue),
+			ProvisionApply: echo.ProvisionComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
 		})

 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
@@ -179,19 +186,20 @@ func TestCreate(t *testing.T) {

 	t.Run("WithParameterFileContainingTheValue", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)

 		defaultValue := "something"
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:           createTestParseResponseWithDefault(defaultValue),
-			Provision:       echo.ProvisionComplete,
-			ProvisionDryRun: echo.ProvisionComplete,
+			Parse:          createTestParseResponseWithDefault(defaultValue),
+			ProvisionApply: echo.ProvisionComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
 		})

 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
 		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
 		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
 		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
 		_, _ = parameterFile.WriteString("region: \"bingo\"\nusername: \"boingo\"")
 		cmd, root := clitest.New(t, "create", "", "--parameter-file", parameterFile.Name())
@@ -217,26 +225,29 @@ func TestCreate(t *testing.T) {
 			pty.WriteLine(value)
 		}
 		<-doneChan
-		removeTmpDirUntilSuccess(t, tempDir)
 	})

 	t.Run("WithParameterFileNotContainingTheValue", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)

 		defaultValue := "something"
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:           createTestParseResponseWithDefault(defaultValue),
-			Provision:       echo.ProvisionComplete,
-			ProvisionDryRun: echo.ProvisionComplete,
+			Parse:          createTestParseResponseWithDefault(defaultValue),
+			ProvisionApply: echo.ProvisionComplete,
+			ProvisionPlan:  echo.ProvisionComplete,
 		})
+
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		_ = coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
 		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
 		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
-		_, _ = parameterFile.WriteString("zone: \"bananas\"")
-		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name, "--parameter-file", parameterFile.Name())
+		_, _ = parameterFile.WriteString("username: \"boingo\"")
+
+		cmd, root := clitest.New(t, "create", "", "--parameter-file", parameterFile.Name())
 		clitest.SetupConfig(t, client, root)
 		doneChan := make(chan struct{})
 		pty := ptytest.New(t)
@@ -245,15 +256,35 @@ func TestCreate(t *testing.T) {
 		go func() {
 			defer close(doneChan)
 			err := cmd.Execute()
-			assert.EqualError(t, err, "Parameter value absent in parameter file for \"region\"!")
+			assert.NoError(t, err)
 		}()
-		<-doneChan
-		removeTmpDirUntilSuccess(t, tempDir)
-	})
+		matches := []struct {
+			match string
+			write string
+		}{
+			{
+				match: "Specify a name",
+				write: "my-workspace",
+			},
+			{
+				match: fmt.Sprintf("Enter a value (default: %q):", defaultValue),
+				write: "bingo",
+			},
+			{
+				match: "Confirm create?",
+				write: "yes",
+			},
+		}

+		for _, m := range matches {
+			pty.ExpectMatch(m.match)
+			pty.WriteLine(m.write)
+		}
+		<-doneChan
+	})
 	t.Run("FailedDryRun", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
 			Parse: []*proto.Parse_Response{{
@@ -263,7 +294,7 @@ func TestCreate(t *testing.T) {
 					},
 				},
 			}},
-			ProvisionDryRun: []*proto.Provision_Response{
+			ProvisionPlan: []*proto.Provision_Response{
 				{
 					Type: &proto.Provision_Response_Complete{
 						Complete: &proto.Provision_Complete{},
@@ -296,6 +327,343 @@ func TestCreate(t *testing.T) {
 	})
 }

+func TestCreateWithRichParameters(t *testing.T) {
+	t.Parallel()
+
+	const (
+		firstParameterName        = "first_parameter"
+		firstParameterDescription = "This is first parameter"
+		firstParameterValue       = "1"
+
+		secondParameterName        = "second_parameter"
+		secondParameterDescription = "This is second parameter"
+		secondParameterValue       = "2"
+
+		immutableParameterName        = "third_parameter"
+		immutableParameterDescription = "This is not mutable parameter"
+		immutableParameterValue       = "3"
+	)
+
+	echoResponses := &echo.Responses{
+		Parse: echo.ParseComplete,
+		ProvisionPlan: []*proto.Provision_Response{
+			{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						Parameters: []*proto.RichParameter{
+							{Name: firstParameterName, Description: firstParameterDescription, Mutable: true},
+							{Name: secondParameterName, Description: secondParameterDescription, Mutable: true},
+							{Name: immutableParameterName, Description: immutableParameterDescription, Mutable: false},
+						},
+					},
+				},
+			},
+		},
+		ProvisionApply: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{},
+			},
+		}},
+	}
+
+	t.Run("InputParameters", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, echoResponses)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			firstParameterDescription, firstParameterValue,
+			secondParameterDescription, secondParameterValue,
+			immutableParameterDescription, immutableParameterValue,
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("RichParametersFile", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, echoResponses)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		tempDir := t.TempDir()
+		removeTmpDirUntilSuccessAfterTest(t, tempDir)
+		parameterFile, _ := os.CreateTemp(tempDir, "testParameterFile*.yaml")
+		_, _ = parameterFile.WriteString(
+			firstParameterName + ": " + firstParameterValue + "\n" +
+				secondParameterName + ": " + secondParameterValue + "\n" +
+				immutableParameterName + ": " + immutableParameterValue)
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name, "--rich-parameter-file", parameterFile.Name())
+		clitest.SetupConfig(t, client, root)
+
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+}
+
+func TestCreateValidateRichParameters(t *testing.T) {
+	t.Parallel()
+
+	const (
+		stringParameterName  = "string_parameter"
+		stringParameterValue = "abc"
+
+		numberParameterName  = "number_parameter"
+		numberParameterValue = "7"
+
+		boolParameterName  = "bool_parameter"
+		boolParameterValue = "true"
+	)
+
+	numberRichParameters := []*proto.RichParameter{
+		{Name: numberParameterName, Type: "number", Mutable: true, ValidationMin: 3, ValidationMax: 10},
+	}
+
+	stringRichParameters := []*proto.RichParameter{
+		{Name: stringParameterName, Type: "string", Mutable: true, ValidationRegex: "^[a-z]+$", ValidationError: "this is error"},
+	}
+
+	boolRichParameters := []*proto.RichParameter{
+		{Name: boolParameterName, Type: "bool", Mutable: true},
+	}
+
+	prepareEchoResponses := func(richParameters []*proto.RichParameter) *echo.Responses {
+		return &echo.Responses{
+			Parse: echo.ParseComplete,
+			ProvisionPlan: []*proto.Provision_Response{
+				{
+					Type: &proto.Provision_Response_Complete{
+						Complete: &proto.Provision_Complete{
+							Parameters: richParameters,
+						},
+					},
+				},
+			},
+			ProvisionApply: []*proto.Provision_Response{
+				{
+					Type: &proto.Provision_Response_Complete{
+						Complete: &proto.Provision_Complete{},
+					},
+				},
+			},
+		}
+	}
+
+	t.Run("ValidateString", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, prepareEchoResponses(stringRichParameters))
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			stringParameterName, "$$",
+			"does not match", "",
+			"Enter a value", "abc",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+
+	t.Run("ValidateNumber", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, prepareEchoResponses(numberRichParameters))
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			numberParameterName, "12",
+			"is more than the maximum", "",
+			"Enter a value", "8",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+
+			if value != "" {
+				pty.WriteLine(value)
+			}
+		}
+		<-doneChan
+	})
+
+	t.Run("ValidateBool", func(t *testing.T) {
+		t.Parallel()
+
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, prepareEchoResponses(boolRichParameters))
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+		cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name)
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+
+		matches := []string{
+			boolParameterName, "cat",
+			"boolean value can be either", "",
+			"Enter a value", "true",
+			"Confirm create?", "yes",
+		}
+		for i := 0; i < len(matches); i += 2 {
+			match := matches[i]
+			value := matches[i+1]
+			pty.ExpectMatch(match)
+			pty.WriteLine(value)
+		}
+		<-doneChan
+	})
+}
+
+func TestCreateWithGitAuth(t *testing.T) {
+	t.Parallel()
+	echoResponses := &echo.Responses{
+		Parse: echo.ParseComplete,
+		ProvisionPlan: []*proto.Provision_Response{
+			{
+				Type: &proto.Provision_Response_Complete{
+					Complete: &proto.Provision_Complete{
+						GitAuthProviders: []string{"github"},
+					},
+				},
+			},
+		},
+		ProvisionApply: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{},
+			},
+		}},
+	}
+
+	client := coderdtest.New(t, &coderdtest.Options{
+		GitAuthConfigs: []*gitauth.Config{{
+			OAuth2Config: &oauth2Config{},
+			ID:           "github",
+			Regex:        regexp.MustCompile(`github\.com`),
+			Type:         codersdk.GitProviderGitHub,
+		}},
+		IncludeProvisionerDaemon: true,
+	})
+	user := coderdtest.CreateFirstUser(t, client)
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, echoResponses)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+
+	cmd, root := clitest.New(t, "create", "my-workspace", "--template", template.Name)
+	clitest.SetupConfig(t, client, root)
+	doneChan := make(chan struct{})
+	pty := ptytest.New(t)
+	cmd.SetIn(pty.Input())
+	cmd.SetOut(pty.Output())
+	go func() {
+		defer close(doneChan)
+		err := cmd.Execute()
+		assert.NoError(t, err)
+	}()
+
+	pty.ExpectMatch("You must authenticate with GitHub to create a workspace")
+	resp := coderdtest.RequestGitAuthCallback(t, "github", client)
+	_ = resp.Body.Close()
+	require.Equal(t, http.StatusTemporaryRedirect, resp.StatusCode)
+	pty.ExpectMatch("Confirm create?")
+	pty.WriteLine("yes")
+	<-doneChan
+}
+
 func createTestParseResponseWithDefault(defaultValue string) []*proto.Parse_Response {
 	return []*proto.Parse_Response{{
 		Type: &proto.Parse_Response_Complete{
@@ -331,3 +699,31 @@ func createTestParseResponseWithDefault(defaultValue string) []*proto.Parse_Resp
 		},
 	}}
 }
+
+type oauth2Config struct{}
+
+func (*oauth2Config) AuthCodeURL(state string, _ ...oauth2.AuthCodeOption) string {
+	return "/?state=" + url.QueryEscape(state)
+}
+
+func (*oauth2Config) Exchange(context.Context, string, ...oauth2.AuthCodeOption) (*oauth2.Token, error) {
+	return &oauth2.Token{
+		AccessToken:  "token",
+		RefreshToken: "refresh",
+		Expiry:       database.Now().Add(time.Hour),
+	}, nil
+}
+
+func (*oauth2Config) TokenSource(context.Context, *oauth2.Token) oauth2.TokenSource {
+	return &oauth2TokenSource{}
+}
+
+type oauth2TokenSource struct{}
+
+func (*oauth2TokenSource) Token() (*oauth2.Token, error) {
+	return &oauth2.Token{
+		AccessToken:  "token",
+		RefreshToken: "refresh",
+		Expiry:       database.Now().Add(time.Hour),
+	}, nil
+}
@@ -12,6 +12,7 @@ import (

 // nolint
 func deleteWorkspace() *cobra.Command {
+	var orphan bool
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "delete <workspace>",
@@ -22,12 +23,13 @@ func deleteWorkspace() *cobra.Command {
 			_, err := cliui.Prompt(cmd, cliui.PromptOptions{
 				Text:      "Confirm delete workspace?",
 				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
 			})
 			if err != nil {
 				return err
 			}

-			client, err := createClient(cmd)
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
@@ -35,23 +37,38 @@ func deleteWorkspace() *cobra.Command {
 			if err != nil {
 				return err
 			}
-			before := time.Now()
+
+			var state []byte
+
+			if orphan {
+				cliui.Warn(
+					cmd.ErrOrStderr(),
+					"Orphaning workspace requires template edit permission",
+				)
+			}
+
 			build, err := client.CreateWorkspaceBuild(cmd.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
-				Transition: codersdk.WorkspaceTransitionDelete,
+				Transition:       codersdk.WorkspaceTransitionDelete,
+				ProvisionerState: state,
+				Orphan:           orphan,
 			})
 			if err != nil {
 				return err
 			}

-			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, build.ID, before)
+			err = cliui.WorkspaceBuild(cmd.Context(), cmd.OutOrStdout(), client, build.ID)
 			if err != nil {
 				return err
 			}

-			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been deleted!\n", cliui.Styles.Keyword.Render(workspace.Name))
+			_, _ = fmt.Fprintf(cmd.OutOrStdout(), "\nThe %s workspace has been deleted at %s!\n", cliui.Styles.Keyword.Render(workspace.Name), cliui.Styles.DateTimeStamp.Render(time.Now().Format(time.Stamp)))
 			return nil
 		},
 	}
+	cmd.Flags().BoolVar(&orphan, "orphan", false,
+		`Delete a workspace without deleting its resources. This can delete a
+workspace in a broken state, but may also lead to unaccounted cloud resources.`,
+	)
 	cliui.AllowSkipPrompt(cmd)
 	return cmd
 }
@@ -15,9 +15,10 @@ import (
 )

 func TestDelete(t *testing.T) {
+	t.Parallel()
 	t.Run("WithParameter", func(t *testing.T) {
 		t.Parallel()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
@@ -38,16 +39,45 @@ func TestDelete(t *testing.T) {
 				assert.ErrorIs(t, err, io.EOF)
 			}
 		}()
-		pty.ExpectMatch("Cleaning Up")
+		pty.ExpectMatch("workspace has been deleted")
+		<-doneChan
+	})
+
+	t.Run("Orphan", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+		cmd, root := clitest.New(t, "delete", workspace.Name, "-y", "--orphan")
+
+		clitest.SetupConfig(t, client, root)
+		doneChan := make(chan struct{})
+		pty := ptytest.New(t)
+		cmd.SetIn(pty.Input())
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		go func() {
+			defer close(doneChan)
+			err := cmd.Execute()
+			// When running with the race detector on, we sometimes get an EOF.
+			if err != nil {
+				assert.ErrorIs(t, err, io.EOF)
+			}
+		}()
+		pty.ExpectMatch("workspace has been deleted")
 		<-doneChan
 	})

 	t.Run("DifferentUser", func(t *testing.T) {
 		t.Parallel()
-		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		adminClient := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		adminUser := coderdtest.CreateFirstUser(t, adminClient)
 		orgID := adminUser.OrganizationID
-		client := coderdtest.CreateAnotherUser(t, adminClient, orgID)
+		client, _ := coderdtest.CreateAnotherUser(t, adminClient, orgID)
 		user, err := client.User(context.Background(), codersdk.Me)
 		require.NoError(t, err)

@@ -72,7 +102,7 @@ func TestDelete(t *testing.T) {
 			}
 		}()

-		pty.ExpectMatch("Cleaning Up")
+		pty.ExpectMatch("workspace has been deleted")
 		<-doneChan

 		workspace, err = client.Workspace(context.Background(), workspace.ID)
@@ -0,0 +1,895 @@
+package deployment
+
+import (
+	"flag"
+	"fmt"
+	"os"
+	"path/filepath"
+	"reflect"
+	"strings"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/spf13/pflag"
+	"github.com/spf13/viper"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/buildinfo"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/codersdk"
+)
+
+func newConfig() *codersdk.DeploymentConfig {
+	return &codersdk.DeploymentConfig{
+		AccessURL: &codersdk.DeploymentConfigField[string]{
+			Name:  "Access URL",
+			Usage: "External URL to access your deployment. This must be accessible by all provisioned workspaces.",
+			Flag:  "access-url",
+		},
+		WildcardAccessURL: &codersdk.DeploymentConfigField[string]{
+			Name:  "Wildcard Access URL",
+			Usage: "Specifies the wildcard hostname to use for workspace applications in the form \"*.example.com\".",
+			Flag:  "wildcard-access-url",
+		},
+		RedirectToAccessURL: &codersdk.DeploymentConfigField[bool]{
+			Name:  "Redirect to Access URL",
+			Usage: "Specifies whether to redirect requests that do not match the access URL host.",
+			Flag:  "redirect-to-access-url",
+		},
+		// DEPRECATED: Use HTTPAddress or TLS.Address instead.
+		Address: &codersdk.DeploymentConfigField[string]{
+			Name:      "Address",
+			Usage:     "Bind address of the server.",
+			Flag:      "address",
+			Shorthand: "a",
+			// Deprecated, so we don't have a default. If set, it will overwrite
+			// HTTPAddress and TLS.Address and print a warning.
+			Hidden:  true,
+			Default: "",
+		},
+		HTTPAddress: &codersdk.DeploymentConfigField[string]{
+			Name:    "Address",
+			Usage:   "HTTP bind address of the server. Unset to disable the HTTP endpoint.",
+			Flag:    "http-address",
+			Default: "127.0.0.1:3000",
+		},
+		AutobuildPollInterval: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Autobuild Poll Interval",
+			Usage:   "Interval to poll for scheduled workspace builds.",
+			Flag:    "autobuild-poll-interval",
+			Hidden:  true,
+			Default: time.Minute,
+		},
+		DERP: &codersdk.DERP{
+			Server: &codersdk.DERPServerConfig{
+				Enable: &codersdk.DeploymentConfigField[bool]{
+					Name:    "DERP Server Enable",
+					Usage:   "Whether to enable or disable the embedded DERP relay server.",
+					Flag:    "derp-server-enable",
+					Default: true,
+				},
+				RegionID: &codersdk.DeploymentConfigField[int]{
+					Name:    "DERP Server Region ID",
+					Usage:   "Region ID to use for the embedded DERP server.",
+					Flag:    "derp-server-region-id",
+					Default: 999,
+				},
+				RegionCode: &codersdk.DeploymentConfigField[string]{
+					Name:    "DERP Server Region Code",
+					Usage:   "Region code to use for the embedded DERP server.",
+					Flag:    "derp-server-region-code",
+					Default: "coder",
+				},
+				RegionName: &codersdk.DeploymentConfigField[string]{
+					Name:    "DERP Server Region Name",
+					Usage:   "Region name that for the embedded DERP server.",
+					Flag:    "derp-server-region-name",
+					Default: "Coder Embedded Relay",
+				},
+				STUNAddresses: &codersdk.DeploymentConfigField[[]string]{
+					Name:    "DERP Server STUN Addresses",
+					Usage:   "Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.",
+					Flag:    "derp-server-stun-addresses",
+					Default: []string{"stun.l.google.com:19302"},
+				},
+				RelayURL: &codersdk.DeploymentConfigField[string]{
+					Name:       "DERP Server Relay URL",
+					Usage:      "An HTTP URL that is accessible by other replicas to relay DERP traffic. Required for high availability.",
+					Flag:       "derp-server-relay-url",
+					Enterprise: true,
+				},
+			},
+			Config: &codersdk.DERPConfig{
+				URL: &codersdk.DeploymentConfigField[string]{
+					Name:  "DERP Config URL",
+					Usage: "URL to fetch a DERP mapping on startup. See: https://tailscale.com/kb/1118/custom-derp-servers/",
+					Flag:  "derp-config-url",
+				},
+				Path: &codersdk.DeploymentConfigField[string]{
+					Name:  "DERP Config Path",
+					Usage: "Path to read a DERP mapping from. See: https://tailscale.com/kb/1118/custom-derp-servers/",
+					Flag:  "derp-config-path",
+				},
+			},
+		},
+		GitAuth: &codersdk.DeploymentConfigField[[]codersdk.GitAuthConfig]{
+			Name:    "Git Auth",
+			Usage:   "Automatically authenticate Git inside workspaces.",
+			Flag:    "gitauth",
+			Default: []codersdk.GitAuthConfig{},
+		},
+		Prometheus: &codersdk.PrometheusConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Prometheus Enable",
+				Usage: "Serve prometheus metrics on the address defined by prometheus address.",
+				Flag:  "prometheus-enable",
+			},
+			Address: &codersdk.DeploymentConfigField[string]{
+				Name:    "Prometheus Address",
+				Usage:   "The bind address to serve prometheus metrics.",
+				Flag:    "prometheus-address",
+				Default: "127.0.0.1:2112",
+			},
+		},
+		Pprof: &codersdk.PprofConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Pprof Enable",
+				Usage: "Serve pprof metrics on the address defined by pprof address.",
+				Flag:  "pprof-enable",
+			},
+			Address: &codersdk.DeploymentConfigField[string]{
+				Name:    "Pprof Address",
+				Usage:   "The bind address to serve pprof.",
+				Flag:    "pprof-address",
+				Default: "127.0.0.1:6060",
+			},
+		},
+		ProxyTrustedHeaders: &codersdk.DeploymentConfigField[[]string]{
+			Name:  "Proxy Trusted Headers",
+			Flag:  "proxy-trusted-headers",
+			Usage: "Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip, True-Client-Ip, X-Forwarded-For",
+		},
+		ProxyTrustedOrigins: &codersdk.DeploymentConfigField[[]string]{
+			Name:  "Proxy Trusted Origins",
+			Flag:  "proxy-trusted-origins",
+			Usage: "Origin addresses to respect \"proxy-trusted-headers\". e.g. 192.168.1.0/24",
+		},
+		CacheDirectory: &codersdk.DeploymentConfigField[string]{
+			Name:    "Cache Directory",
+			Usage:   "The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is set, it will be used for compatibility with systemd.",
+			Flag:    "cache-dir",
+			Default: DefaultCacheDir(),
+		},
+		InMemoryDatabase: &codersdk.DeploymentConfigField[bool]{
+			Name:   "In Memory Database",
+			Usage:  "Controls whether data will be stored in an in-memory database.",
+			Flag:   "in-memory",
+			Hidden: true,
+		},
+		PostgresURL: &codersdk.DeploymentConfigField[string]{
+			Name:   "Postgres Connection URL",
+			Usage:  "URL of a PostgreSQL database. If empty, PostgreSQL binaries will be downloaded from Maven (https://repo1.maven.org/maven2) and store all data in the config root. Access the built-in database with \"coder server postgres-builtin-url\".",
+			Flag:   "postgres-url",
+			Secret: true,
+		},
+		OAuth2: &codersdk.OAuth2Config{
+			Github: &codersdk.OAuth2GithubConfig{
+				ClientID: &codersdk.DeploymentConfigField[string]{
+					Name:  "OAuth2 GitHub Client ID",
+					Usage: "Client ID for Login with GitHub.",
+					Flag:  "oauth2-github-client-id",
+				},
+				ClientSecret: &codersdk.DeploymentConfigField[string]{
+					Name:   "OAuth2 GitHub Client Secret",
+					Usage:  "Client secret for Login with GitHub.",
+					Flag:   "oauth2-github-client-secret",
+					Secret: true,
+				},
+				AllowedOrgs: &codersdk.DeploymentConfigField[[]string]{
+					Name:  "OAuth2 GitHub Allowed Orgs",
+					Usage: "Organizations the user must be a member of to Login with GitHub.",
+					Flag:  "oauth2-github-allowed-orgs",
+				},
+				AllowedTeams: &codersdk.DeploymentConfigField[[]string]{
+					Name:  "OAuth2 GitHub Allowed Teams",
+					Usage: "Teams inside organizations the user must be a member of to Login with GitHub. Structured as: <organization-name>/<team-slug>.",
+					Flag:  "oauth2-github-allowed-teams",
+				},
+				AllowSignups: &codersdk.DeploymentConfigField[bool]{
+					Name:  "OAuth2 GitHub Allow Signups",
+					Usage: "Whether new users can sign up with GitHub.",
+					Flag:  "oauth2-github-allow-signups",
+				},
+				AllowEveryone: &codersdk.DeploymentConfigField[bool]{
+					Name:  "OAuth2 GitHub Allow Everyone",
+					Usage: "Allow all logins, setting this option means allowed orgs and teams must be empty.",
+					Flag:  "oauth2-github-allow-everyone",
+				},
+				EnterpriseBaseURL: &codersdk.DeploymentConfigField[string]{
+					Name:  "OAuth2 GitHub Enterprise Base URL",
+					Usage: "Base URL of a GitHub Enterprise deployment to use for Login with GitHub.",
+					Flag:  "oauth2-github-enterprise-base-url",
+				},
+			},
+		},
+		OIDC: &codersdk.OIDCConfig{
+			AllowSignups: &codersdk.DeploymentConfigField[bool]{
+				Name:    "OIDC Allow Signups",
+				Usage:   "Whether new users can sign up with OIDC.",
+				Flag:    "oidc-allow-signups",
+				Default: true,
+			},
+			ClientID: &codersdk.DeploymentConfigField[string]{
+				Name:  "OIDC Client ID",
+				Usage: "Client ID to use for Login with OIDC.",
+				Flag:  "oidc-client-id",
+			},
+			ClientSecret: &codersdk.DeploymentConfigField[string]{
+				Name:   "OIDC Client Secret",
+				Usage:  "Client secret to use for Login with OIDC.",
+				Flag:   "oidc-client-secret",
+				Secret: true,
+			},
+			EmailDomain: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "OIDC Email Domain",
+				Usage: "Email domains that clients logging in with OIDC must match.",
+				Flag:  "oidc-email-domain",
+			},
+			IssuerURL: &codersdk.DeploymentConfigField[string]{
+				Name:  "OIDC Issuer URL",
+				Usage: "Issuer URL to use for Login with OIDC.",
+				Flag:  "oidc-issuer-url",
+			},
+			Scopes: &codersdk.DeploymentConfigField[[]string]{
+				Name:    "OIDC Scopes",
+				Usage:   "Scopes to grant when authenticating with OIDC.",
+				Flag:    "oidc-scopes",
+				Default: []string{oidc.ScopeOpenID, "profile", "email"},
+			},
+			IgnoreEmailVerified: &codersdk.DeploymentConfigField[bool]{
+				Name:    "OIDC Ignore Email Verified",
+				Usage:   "Ignore the email_verified claim from the upstream provider.",
+				Flag:    "oidc-ignore-email-verified",
+				Default: false,
+			},
+			UsernameField: &codersdk.DeploymentConfigField[string]{
+				Name:    "OIDC Username Field",
+				Usage:   "OIDC claim field to use as the username.",
+				Flag:    "oidc-username-field",
+				Default: "preferred_username",
+			},
+			SignInText: &codersdk.DeploymentConfigField[string]{
+				Name:    "OpenID Connect sign in text",
+				Usage:   "The text to show on the OpenID Connect sign in button",
+				Flag:    "oidc-sign-in-text",
+				Default: "OpenID Connect",
+			},
+			IconURL: &codersdk.DeploymentConfigField[string]{
+				Name:  "OpenID connect icon URL",
+				Usage: "URL pointing to the icon to use on the OepnID Connect login button",
+				Flag:  "oidc-icon-url",
+			},
+		},
+
+		Telemetry: &codersdk.TelemetryConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Telemetry Enable",
+				Usage:   "Whether telemetry is enabled or not. Coder collects anonymized usage data to help improve our product.",
+				Flag:    "telemetry",
+				Default: flag.Lookup("test.v") == nil,
+			},
+			Trace: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Telemetry Trace",
+				Usage:   "Whether Opentelemetry traces are sent to Coder. Coder collects anonymized application tracing to help improve our product. Disabling telemetry also disables this option.",
+				Flag:    "telemetry-trace",
+				Default: flag.Lookup("test.v") == nil,
+			},
+			URL: &codersdk.DeploymentConfigField[string]{
+				Name:    "Telemetry URL",
+				Usage:   "URL to send telemetry.",
+				Flag:    "telemetry-url",
+				Hidden:  true,
+				Default: "https://telemetry.coder.com",
+			},
+		},
+		TLS: &codersdk.TLSConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "TLS Enable",
+				Usage: "Whether TLS will be enabled.",
+				Flag:  "tls-enable",
+			},
+			Address: &codersdk.DeploymentConfigField[string]{
+				Name:    "TLS Address",
+				Usage:   "HTTPS bind address of the server.",
+				Flag:    "tls-address",
+				Default: "127.0.0.1:3443",
+			},
+			// DEPRECATED: Use RedirectToAccessURL instead.
+			RedirectHTTP: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Redirect HTTP to HTTPS",
+				Usage:   "Whether HTTP requests will be redirected to the access URL (if it's a https URL and TLS is enabled). Requests to local IP addresses are never redirected regardless of this setting.",
+				Flag:    "tls-redirect-http-to-https",
+				Default: true,
+				Hidden:  true,
+			},
+			CertFiles: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "TLS Certificate Files",
+				Usage: "Path to each certificate for TLS. It requires a PEM-encoded file. To configure the listener to use a CA certificate, concatenate the primary certificate and the CA certificate together. The primary certificate should appear first in the combined file.",
+				Flag:  "tls-cert-file",
+			},
+			ClientCAFile: &codersdk.DeploymentConfigField[string]{
+				Name:  "TLS Client CA Files",
+				Usage: "PEM-encoded Certificate Authority file used for checking the authenticity of client",
+				Flag:  "tls-client-ca-file",
+			},
+			ClientAuth: &codersdk.DeploymentConfigField[string]{
+				Name:    "TLS Client Auth",
+				Usage:   "Policy the server will follow for TLS Client Authentication. Accepted values are \"none\", \"request\", \"require-any\", \"verify-if-given\", or \"require-and-verify\".",
+				Flag:    "tls-client-auth",
+				Default: "none",
+			},
+			KeyFiles: &codersdk.DeploymentConfigField[[]string]{
+				Name:  "TLS Key Files",
+				Usage: "Paths to the private keys for each of the certificates. It requires a PEM-encoded file.",
+				Flag:  "tls-key-file",
+			},
+			MinVersion: &codersdk.DeploymentConfigField[string]{
+				Name:    "TLS Minimum Version",
+				Usage:   "Minimum supported version of TLS. Accepted values are \"tls10\", \"tls11\", \"tls12\" or \"tls13\"",
+				Flag:    "tls-min-version",
+				Default: "tls12",
+			},
+			ClientCertFile: &codersdk.DeploymentConfigField[string]{
+				Name:  "TLS Client Cert File",
+				Usage: "Path to certificate for client TLS authentication. It requires a PEM-encoded file.",
+				Flag:  "tls-client-cert-file",
+			},
+			ClientKeyFile: &codersdk.DeploymentConfigField[string]{
+				Name:  "TLS Client Key File",
+				Usage: "Path to key for client TLS authentication. It requires a PEM-encoded file.",
+				Flag:  "tls-client-key-file",
+			},
+		},
+		Trace: &codersdk.TraceConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Trace Enable",
+				Usage: "Whether application tracing data is collected. It exports to a backend configured by environment variables. See: https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md",
+				Flag:  "trace",
+			},
+			HoneycombAPIKey: &codersdk.DeploymentConfigField[string]{
+				Name:   "Trace Honeycomb API Key",
+				Usage:  "Enables trace exporting to Honeycomb.io using the provided API Key.",
+				Flag:   "trace-honeycomb-api-key",
+				Secret: true,
+			},
+			CaptureLogs: &codersdk.DeploymentConfigField[bool]{
+				Name:  "Capture Logs in Traces",
+				Usage: "Enables capturing of logs as events in traces. This is useful for debugging, but may result in a very large amount of events being sent to the tracing backend which may incur significant costs. If the verbose flag was supplied, debug-level logs will be included.",
+				Flag:  "trace-logs",
+			},
+		},
+		SecureAuthCookie: &codersdk.DeploymentConfigField[bool]{
+			Name:  "Secure Auth Cookie",
+			Usage: "Controls if the 'Secure' property is set on browser session cookies.",
+			Flag:  "secure-auth-cookie",
+		},
+		StrictTransportSecurity: &codersdk.DeploymentConfigField[int]{
+			Name: "Strict-Transport-Security",
+			Usage: "Controls if the 'Strict-Transport-Security' header is set on all static file responses. " +
+				"This header should only be set if the server is accessed via HTTPS. This value is the MaxAge in seconds of " +
+				"the header.",
+			Default: 0,
+			Flag:    "strict-transport-security",
+		},
+		StrictTransportSecurityOptions: &codersdk.DeploymentConfigField[[]string]{
+			Name: "Strict-Transport-Security Options",
+			Usage: "Two optional fields can be set in the Strict-Transport-Security header; 'includeSubDomains' and 'preload'. " +
+				"The 'strict-transport-security' flag must be set to a non-zero value for these options to be used.",
+			Flag: "strict-transport-security-options",
+		},
+		SSHKeygenAlgorithm: &codersdk.DeploymentConfigField[string]{
+			Name:    "SSH Keygen Algorithm",
+			Usage:   "The algorithm to use for generating ssh keys. Accepted values are \"ed25519\", \"ecdsa\", or \"rsa4096\".",
+			Flag:    "ssh-keygen-algorithm",
+			Default: "ed25519",
+		},
+		MetricsCacheRefreshInterval: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Metrics Cache Refresh Interval",
+			Usage:   "How frequently metrics are refreshed",
+			Flag:    "metrics-cache-refresh-interval",
+			Hidden:  true,
+			Default: time.Hour,
+		},
+		AgentStatRefreshInterval: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Agent Stat Refresh Interval",
+			Usage:   "How frequently agent stats are recorded",
+			Flag:    "agent-stats-refresh-interval",
+			Hidden:  true,
+			Default: 10 * time.Minute,
+		},
+		AgentFallbackTroubleshootingURL: &codersdk.DeploymentConfigField[string]{
+			Name:    "Agent Fallback Troubleshooting URL",
+			Usage:   "URL to use for agent troubleshooting when not set in the template",
+			Flag:    "agent-fallback-troubleshooting-url",
+			Hidden:  true,
+			Default: "https://coder.com/docs/coder-oss/latest/templates#troubleshooting-templates",
+		},
+		AuditLogging: &codersdk.DeploymentConfigField[bool]{
+			Name:       "Audit Logging",
+			Usage:      "Specifies whether audit logging is enabled.",
+			Flag:       "audit-logging",
+			Default:    true,
+			Enterprise: true,
+		},
+		BrowserOnly: &codersdk.DeploymentConfigField[bool]{
+			Name:       "Browser Only",
+			Usage:      "Whether Coder only allows connections to workspaces via the browser.",
+			Flag:       "browser-only",
+			Enterprise: true,
+		},
+		SCIMAPIKey: &codersdk.DeploymentConfigField[string]{
+			Name:       "SCIM API Key",
+			Usage:      "Enables SCIM and sets the authentication header for the built-in SCIM server. New users are automatically created with OIDC authentication.",
+			Flag:       "scim-auth-header",
+			Enterprise: true,
+			Secret:     true,
+		},
+		Provisioner: &codersdk.ProvisionerConfig{
+			Daemons: &codersdk.DeploymentConfigField[int]{
+				Name:    "Provisioner Daemons",
+				Usage:   "Number of provisioner daemons to create on start. If builds are stuck in queued state for a long time, consider increasing this.",
+				Flag:    "provisioner-daemons",
+				Default: 3,
+			},
+			DaemonPollInterval: &codersdk.DeploymentConfigField[time.Duration]{
+				Name:    "Poll Interval",
+				Usage:   "Time to wait before polling for a new job.",
+				Flag:    "provisioner-daemon-poll-interval",
+				Default: time.Second,
+			},
+			DaemonPollJitter: &codersdk.DeploymentConfigField[time.Duration]{
+				Name:    "Poll Jitter",
+				Usage:   "Random jitter added to the poll interval.",
+				Flag:    "provisioner-daemon-poll-jitter",
+				Default: 100 * time.Millisecond,
+			},
+			ForceCancelInterval: &codersdk.DeploymentConfigField[time.Duration]{
+				Name:    "Force Cancel Interval",
+				Usage:   "Time to force cancel provisioning tasks that are stuck.",
+				Flag:    "provisioner-force-cancel-interval",
+				Default: 10 * time.Minute,
+			},
+		},
+		RateLimit: &codersdk.RateLimitConfig{
+			DisableAll: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Disable All Rate Limits",
+				Usage:   "Disables all rate limits. This is not recommended in production.",
+				Flag:    "dangerous-disable-rate-limits",
+				Default: false,
+			},
+			API: &codersdk.DeploymentConfigField[int]{
+				Name:  "API Rate Limit",
+				Usage: "Maximum number of requests per minute allowed to the API per user, or per IP address for unauthenticated users. Negative values mean no rate limit. Some API endpoints have separate strict rate limits regardless of this value to prevent denial-of-service or brute force attacks.",
+				// Change the env from the auto-generated CODER_RATE_LIMIT_API to the
+				// old value to avoid breaking existing deployments.
+				EnvOverride: "CODER_API_RATE_LIMIT",
+				Flag:        "api-rate-limit",
+				Default:     512,
+			},
+		},
+		// DEPRECATED: use Experiments instead.
+		Experimental: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Experimental",
+			Usage:   "Enable experimental features. Experimental features are not ready for production.",
+			Flag:    "experimental",
+			Default: false,
+			Hidden:  true,
+		},
+		Experiments: &codersdk.DeploymentConfigField[[]string]{
+			Name:    "Experiments",
+			Usage:   "Enable one or more experiments. These are not ready for production. Separate multiple experiments with commas, or enter '*' to opt-in to all available experiments.",
+			Flag:    "experiments",
+			Default: []string{},
+		},
+		UpdateCheck: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Update Check",
+			Usage:   "Periodically check for new releases of Coder and inform the owner. The check is performed once per day.",
+			Flag:    "update-check",
+			Default: flag.Lookup("test.v") == nil && !buildinfo.IsDev(),
+		},
+		MaxTokenLifetime: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Max Token Lifetime",
+			Usage:   "The maximum lifetime duration users can specify when creating an API token.",
+			Flag:    "max-token-lifetime",
+			Default: 24 * 30 * time.Hour,
+		},
+		Swagger: &codersdk.SwaggerConfig{
+			Enable: &codersdk.DeploymentConfigField[bool]{
+				Name:    "Enable swagger endpoint",
+				Usage:   "Expose the swagger endpoint via /swagger.",
+				Flag:    "swagger-enable",
+				Default: false,
+			},
+		},
+		Logging: &codersdk.LoggingConfig{
+			Human: &codersdk.DeploymentConfigField[string]{
+				Name:    "Human Log Location",
+				Usage:   "Output human-readable logs to a given file.",
+				Flag:    "log-human",
+				Default: "/dev/stderr",
+			},
+			JSON: &codersdk.DeploymentConfigField[string]{
+				Name:    "JSON Log Location",
+				Usage:   "Output JSON logs to a given file.",
+				Flag:    "log-json",
+				Default: "",
+			},
+			Stackdriver: &codersdk.DeploymentConfigField[string]{
+				Name:    "Stackdriver Log Location",
+				Usage:   "Output Stackdriver compatible logs to a given file.",
+				Flag:    "log-stackdriver",
+				Default: "",
+			},
+		},
+		Dangerous: &codersdk.DangerousConfig{
+			AllowPathAppSharing: &codersdk.DeploymentConfigField[bool]{
+				Name:    "DANGEROUS: Allow Path App Sharing",
+				Usage:   "Allow workspace apps that are not served from subdomains to be shared. Path-based app sharing is DISABLED by default for security purposes. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.",
+				Flag:    "dangerous-allow-path-app-sharing",
+				Default: false,
+			},
+			AllowPathAppSiteOwnerAccess: &codersdk.DeploymentConfigField[bool]{
+				Name:    "DANGEROUS: Allow Site Owners to Access Path Apps",
+				Usage:   "Allow site-owners to access workspace apps from workspaces they do not own. Owners cannot access path-based apps they do not own by default. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. Path-based apps can be disabled entirely with --disable-path-apps for further security.",
+				Flag:    "dangerous-allow-path-app-site-owner-access",
+				Default: false,
+			},
+		},
+		DisablePathApps: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Path Apps",
+			Usage:   "Disable workspace apps that are not served from subdomains. Path-based apps can make requests to the Coder API and pose a security risk when the workspace serves malicious JavaScript. This is recommended for security purposes if a --wildcard-access-url is configured.",
+			Flag:    "disable-path-apps",
+			Default: false,
+		},
+		SessionDuration: &codersdk.DeploymentConfigField[time.Duration]{
+			Name:    "Session Duration",
+			Usage:   "The token expiry duration for browser sessions. Sessions may last longer if they are actively making requests, but this functionality can be disabled via --disable-session-expiry-refresh.",
+			Flag:    "session-duration",
+			Default: 24 * time.Hour,
+		},
+		DisableSessionExpiryRefresh: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Session Expiry Refresh",
+			Usage:   "Disable automatic session expiry bumping due to activity. This forces all sessions to become invalid after the session expiry duration has been reached.",
+			Flag:    "disable-session-expiry-refresh",
+			Default: false,
+		},
+		DisablePasswordAuth: &codersdk.DeploymentConfigField[bool]{
+			Name:    "Disable Password Authentication",
+			Usage:   "Disable password authentication. This is recommended for security purposes in production deployments that rely on an identity provider. Any user with the owner role will be able to sign in with their password regardless of this setting to avoid potential lock out. If you are locked out of your account, you can use the `coder server create-admin` command to create a new admin user directly in the database.",
+			Flag:    "disable-password-auth",
+			Default: false,
+		},
+		Support: &codersdk.SupportConfig{
+			Links: &codersdk.DeploymentConfigField[[]codersdk.LinkConfig]{
+				Name:       "Support links",
+				Usage:      "Use custom support links",
+				Flag:       "support-links",
+				Default:    []codersdk.LinkConfig{},
+				Enterprise: true,
+			},
+		},
+	}
+}
+
+//nolint:revive
+func Config(flagset *pflag.FlagSet, vip *viper.Viper) (*codersdk.DeploymentConfig, error) {
+	dc := newConfig()
+	flg, err := flagset.GetString(config.FlagName)
+	if err != nil {
+		return nil, xerrors.Errorf("get global config from flag: %w", err)
+	}
+	vip.SetEnvPrefix("coder")
+
+	if flg != "" {
+		vip.SetConfigFile(flg + "/server.yaml")
+		err = vip.ReadInConfig()
+		if err != nil && !xerrors.Is(err, os.ErrNotExist) {
+			return dc, xerrors.Errorf("reading deployment config: %w", err)
+		}
+	}
+
+	setConfig("", vip, &dc)
+
+	return dc, nil
+}
+
+func setConfig(prefix string, vip *viper.Viper, target interface{}) {
+	val := reflect.Indirect(reflect.ValueOf(target))
+	typ := val.Type()
+	if typ.Kind() != reflect.Struct {
+		val = val.Elem()
+		typ = val.Type()
+	}
+
+	// Ensure that we only bind env variables to proper fields,
+	// otherwise Viper will get confused if the parent struct is
+	// assigned a value.
+	if strings.HasPrefix(typ.Name(), "DeploymentConfigField[") {
+		value := val.FieldByName("Value").Interface()
+
+		env, ok := val.FieldByName("EnvOverride").Interface().(string)
+		if !ok {
+			panic("DeploymentConfigField[].EnvOverride must be a string")
+		}
+		if env == "" {
+			env = formatEnv(prefix)
+		}
+
+		switch value.(type) {
+		case string:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetString(vip.GetString(prefix))
+		case bool:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetBool(vip.GetBool(prefix))
+		case int:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetInt(int64(vip.GetInt(prefix)))
+		case time.Duration:
+			vip.MustBindEnv(prefix, env)
+			val.FieldByName("Value").SetInt(int64(vip.GetDuration(prefix)))
+		case []string:
+			vip.MustBindEnv(prefix, env)
+			// As of October 21st, 2022 we supported delimiting a string
+			// with a comma, but Viper only supports with a space. This
+			// is a small hack around it!
+			rawSlice := reflect.ValueOf(vip.GetStringSlice(prefix)).Interface()
+			stringSlice, ok := rawSlice.([]string)
+			if !ok {
+				panic(fmt.Sprintf("string slice is of type %T", rawSlice))
+			}
+			value := make([]string, 0, len(stringSlice))
+			for _, entry := range stringSlice {
+				value = append(value, strings.Split(entry, ",")...)
+			}
+			val.FieldByName("Value").Set(reflect.ValueOf(value))
+		case []codersdk.GitAuthConfig:
+			// Do not bind to CODER_GITAUTH, instead bind to CODER_GITAUTH_0_*, etc.
+			values := readSliceFromViper[codersdk.GitAuthConfig](vip, prefix, value)
+			val.FieldByName("Value").Set(reflect.ValueOf(values))
+		case []codersdk.LinkConfig:
+			// Do not bind to CODER_SUPPORT_LINKS, instead bind to CODER_SUPPORT_LINKS_0_*, etc.
+			values := readSliceFromViper[codersdk.LinkConfig](vip, prefix, value)
+			val.FieldByName("Value").Set(reflect.ValueOf(values))
+		default:
+			panic(fmt.Sprintf("unsupported type %T", value))
+		}
+		return
+	}
+
+	for i := 0; i < typ.NumField(); i++ {
+		fv := val.Field(i)
+		ft := fv.Type()
+		tag := typ.Field(i).Tag.Get("json")
+		var key string
+		if prefix == "" {
+			key = tag
+		} else {
+			key = fmt.Sprintf("%s.%s", prefix, tag)
+		}
+		switch ft.Kind() {
+		case reflect.Ptr:
+			setConfig(key, vip, fv.Interface())
+		case reflect.Slice:
+			for j := 0; j < fv.Len(); j++ {
+				key := fmt.Sprintf("%s.%d", key, j)
+				setConfig(key, vip, fv.Index(j).Interface())
+			}
+		default:
+			panic(fmt.Sprintf("unsupported type %T", ft))
+		}
+	}
+}
+
+// readSliceFromViper reads a typed mapping from the key provided.
+// This enables environment variables like CODER_GITAUTH_<index>_CLIENT_ID.
+func readSliceFromViper[T any](vip *viper.Viper, key string, value any) []T {
+	elementType := reflect.TypeOf(value).Elem()
+	returnValues := make([]T, 0)
+	for entry := 0; true; entry++ {
+		// Only create an instance when the entry exists in viper...
+		// otherwise we risk
+		var instance *reflect.Value
+		for i := 0; i < elementType.NumField(); i++ {
+			fve := elementType.Field(i)
+			prop := fve.Tag.Get("json")
+			// For fields that are omitted in JSON, we use a YAML tag.
+			if prop == "-" {
+				prop = fve.Tag.Get("yaml")
+			}
+			configKey := fmt.Sprintf("%s.%d.%s", key, entry, prop)
+
+			// Ensure the env entry for this key is registered
+			// before checking value.
+			//
+			// We don't support DeploymentConfigField[].EnvOverride for array flags so
+			// this is fine to just use `formatEnv` here.
+			vip.MustBindEnv(configKey, formatEnv(configKey))
+
+			value := vip.Get(configKey)
+			if value == nil {
+				continue
+			}
+			if instance == nil {
+				newType := reflect.Indirect(reflect.New(elementType))
+				instance = &newType
+			}
+			switch v := instance.Field(i).Type().String(); v {
+			case "[]string":
+				value = vip.GetStringSlice(configKey)
+			case "bool":
+				value = vip.GetBool(configKey)
+			default:
+			}
+			instance.Field(i).Set(reflect.ValueOf(value))
+		}
+		if instance == nil {
+			break
+		}
+		value, ok := instance.Interface().(T)
+		if !ok {
+			continue
+		}
+		returnValues = append(returnValues, value)
+	}
+	return returnValues
+}
+
+func NewViper() *viper.Viper {
+	dc := newConfig()
+	vip := viper.New()
+	vip.SetEnvPrefix("coder")
+	vip.SetEnvKeyReplacer(strings.NewReplacer("-", "_", ".", "_"))
+
+	setViperDefaults("", vip, dc)
+
+	return vip
+}
+
+func setViperDefaults(prefix string, vip *viper.Viper, target interface{}) {
+	val := reflect.ValueOf(target).Elem()
+	val = reflect.Indirect(val)
+	typ := val.Type()
+	if strings.HasPrefix(typ.Name(), "DeploymentConfigField[") {
+		value := val.FieldByName("Default").Interface()
+		vip.SetDefault(prefix, value)
+		return
+	}
+
+	for i := 0; i < typ.NumField(); i++ {
+		fv := val.Field(i)
+		ft := fv.Type()
+		tag := typ.Field(i).Tag.Get("json")
+		var key string
+		if prefix == "" {
+			key = tag
+		} else {
+			key = fmt.Sprintf("%s.%s", prefix, tag)
+		}
+		switch ft.Kind() {
+		case reflect.Ptr:
+			setViperDefaults(key, vip, fv.Interface())
+		case reflect.Slice:
+			// we currently don't support default values on structured slices
+			continue
+		default:
+			panic(fmt.Sprintf("unsupported type %T", ft))
+		}
+	}
+}
+
+//nolint:revive
+func AttachFlags(flagset *pflag.FlagSet, vip *viper.Viper, enterprise bool) {
+	setFlags("", flagset, vip, newConfig(), enterprise)
+}
+
+//nolint:revive
+func setFlags(prefix string, flagset *pflag.FlagSet, vip *viper.Viper, target interface{}, enterprise bool) {
+	val := reflect.Indirect(reflect.ValueOf(target))
+	typ := val.Type()
+	if strings.HasPrefix(typ.Name(), "DeploymentConfigField[") {
+		isEnt := val.FieldByName("Enterprise").Bool()
+		if enterprise != isEnt {
+			return
+		}
+		flg := val.FieldByName("Flag").String()
+		if flg == "" {
+			return
+		}
+
+		env, ok := val.FieldByName("EnvOverride").Interface().(string)
+		if !ok {
+			panic("DeploymentConfigField[].EnvOverride must be a string")
+		}
+		if env == "" {
+			env = formatEnv(prefix)
+		}
+
+		usage := val.FieldByName("Usage").String()
+		usage = fmt.Sprintf("%s\n%s", usage, cliui.Styles.Placeholder.Render("Consumes $"+env))
+		shorthand := val.FieldByName("Shorthand").String()
+		hidden := val.FieldByName("Hidden").Bool()
+		value := val.FieldByName("Default").Interface()
+
+		// Allow currently set environment variables
+		// to override default values in help output.
+		vip.MustBindEnv(prefix, env)
+
+		switch value.(type) {
+		case string:
+			_ = flagset.StringP(flg, shorthand, vip.GetString(prefix), usage)
+		case bool:
+			_ = flagset.BoolP(flg, shorthand, vip.GetBool(prefix), usage)
+		case int:
+			_ = flagset.IntP(flg, shorthand, vip.GetInt(prefix), usage)
+		case time.Duration:
+			_ = flagset.DurationP(flg, shorthand, vip.GetDuration(prefix), usage)
+		case []string:
+			_ = flagset.StringSliceP(flg, shorthand, vip.GetStringSlice(prefix), usage)
+		case []codersdk.LinkConfig:
+			// Ignore this one!
+		case []codersdk.GitAuthConfig:
+			// Ignore this one!
+		default:
+			panic(fmt.Sprintf("unsupported type %T", typ))
+		}
+
+		_ = vip.BindPFlag(prefix, flagset.Lookup(flg))
+		if hidden {
+			_ = flagset.MarkHidden(flg)
+		}
+
+		return
+	}
+
+	for i := 0; i < typ.NumField(); i++ {
+		fv := val.Field(i)
+		ft := fv.Type()
+		tag := typ.Field(i).Tag.Get("json")
+		var key string
+		if prefix == "" {
+			key = tag
+		} else {
+			key = fmt.Sprintf("%s.%s", prefix, tag)
+		}
+		switch ft.Kind() {
+		case reflect.Ptr:
+			setFlags(key, flagset, vip, fv.Interface(), enterprise)
+		case reflect.Slice:
+			for j := 0; j < fv.Len(); j++ {
+				key := fmt.Sprintf("%s.%d", key, j)
+				setFlags(key, flagset, vip, fv.Index(j).Interface(), enterprise)
+			}
+		default:
+			panic(fmt.Sprintf("unsupported type %T", ft))
+		}
+	}
+}
+
+func formatEnv(key string) string {
+	return "CODER_" + strings.ToUpper(strings.NewReplacer("-", "_", ".", "_").Replace(key))
+}
+
+func DefaultCacheDir() string {
+	defaultCacheDir, err := os.UserCacheDir()
+	if err != nil {
+		defaultCacheDir = os.TempDir()
+	}
+	if dir := os.Getenv("CACHE_DIRECTORY"); dir != "" {
+		// For compatibility with systemd.
+		defaultCacheDir = dir
+	}
+
+	return filepath.Join(defaultCacheDir, "coder")
+}
@@ -0,0 +1,287 @@
+package deployment_test
+
+import (
+	"testing"
+	"time"
+
+	"github.com/spf13/pflag"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/config"
+	"github.com/coder/coder/cli/deployment"
+	"github.com/coder/coder/codersdk"
+)
+
+// nolint:paralleltest
+func TestConfig(t *testing.T) {
+	viper := deployment.NewViper()
+	flagSet := pflag.NewFlagSet("", pflag.ContinueOnError)
+	flagSet.String(config.FlagName, "", "")
+	deployment.AttachFlags(flagSet, viper, true)
+
+	for _, tc := range []struct {
+		Name  string
+		Env   map[string]string
+		Valid func(config *codersdk.DeploymentConfig)
+	}{{
+		Name: "Deployment",
+		Env: map[string]string{
+			"CODER_ADDRESS":                          "0.0.0.0:8443",
+			"CODER_ACCESS_URL":                       "https://dev.coder.com",
+			"CODER_PG_CONNECTION_URL":                "some-url",
+			"CODER_PPROF_ADDRESS":                    "something",
+			"CODER_PPROF_ENABLE":                     "true",
+			"CODER_PROMETHEUS_ADDRESS":               "hello-world",
+			"CODER_PROMETHEUS_ENABLE":                "true",
+			"CODER_PROVISIONER_DAEMONS":              "5",
+			"CODER_PROVISIONER_DAEMON_POLL_INTERVAL": "5s",
+			"CODER_PROVISIONER_DAEMON_POLL_JITTER":   "1s",
+			"CODER_SECURE_AUTH_COOKIE":               "true",
+			"CODER_SSH_KEYGEN_ALGORITHM":             "potato",
+			"CODER_TELEMETRY":                        "false",
+			"CODER_TELEMETRY_TRACE":                  "false",
+			"CODER_WILDCARD_ACCESS_URL":              "something-wildcard.com",
+			"CODER_UPDATE_CHECK":                     "false",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.Address.Value, "0.0.0.0:8443")
+			require.Equal(t, config.AccessURL.Value, "https://dev.coder.com")
+			require.Equal(t, config.PostgresURL.Value, "some-url")
+			require.Equal(t, config.Pprof.Address.Value, "something")
+			require.Equal(t, config.Pprof.Enable.Value, true)
+			require.Equal(t, config.Prometheus.Address.Value, "hello-world")
+			require.Equal(t, config.Prometheus.Enable.Value, true)
+			require.Equal(t, config.Provisioner.Daemons.Value, 5)
+			require.Equal(t, config.Provisioner.DaemonPollInterval.Value, 5*time.Second)
+			require.Equal(t, config.Provisioner.DaemonPollJitter.Value, 1*time.Second)
+			require.Equal(t, config.SecureAuthCookie.Value, true)
+			require.Equal(t, config.SSHKeygenAlgorithm.Value, "potato")
+			require.Equal(t, config.Telemetry.Enable.Value, false)
+			require.Equal(t, config.Telemetry.Trace.Value, false)
+			require.Equal(t, config.WildcardAccessURL.Value, "something-wildcard.com")
+			require.Equal(t, config.UpdateCheck.Value, false)
+		},
+	}, {
+		Name: "DERP",
+		Env: map[string]string{
+			"CODER_DERP_CONFIG_PATH":           "/example/path",
+			"CODER_DERP_CONFIG_URL":            "https://google.com",
+			"CODER_DERP_SERVER_ENABLE":         "false",
+			"CODER_DERP_SERVER_REGION_CODE":    "something",
+			"CODER_DERP_SERVER_REGION_ID":      "123",
+			"CODER_DERP_SERVER_REGION_NAME":    "Code-Land",
+			"CODER_DERP_SERVER_RELAY_URL":      "1.1.1.1",
+			"CODER_DERP_SERVER_STUN_ADDRESSES": "google.org",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.DERP.Config.Path.Value, "/example/path")
+			require.Equal(t, config.DERP.Config.URL.Value, "https://google.com")
+			require.Equal(t, config.DERP.Server.Enable.Value, false)
+			require.Equal(t, config.DERP.Server.RegionCode.Value, "something")
+			require.Equal(t, config.DERP.Server.RegionID.Value, 123)
+			require.Equal(t, config.DERP.Server.RegionName.Value, "Code-Land")
+			require.Equal(t, config.DERP.Server.RelayURL.Value, "1.1.1.1")
+			require.Equal(t, config.DERP.Server.STUNAddresses.Value, []string{"google.org"})
+		},
+	}, {
+		Name: "Enterprise",
+		Env: map[string]string{
+			"CODER_AUDIT_LOGGING": "false",
+			"CODER_BROWSER_ONLY":  "true",
+			"CODER_SCIM_API_KEY":  "some-key",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.AuditLogging.Value, false)
+			require.Equal(t, config.BrowserOnly.Value, true)
+			require.Equal(t, config.SCIMAPIKey.Value, "some-key")
+		},
+	}, {
+		Name: "TLS",
+		Env: map[string]string{
+			"CODER_TLS_CERT_FILE":      "/etc/acme-sh/dev.coder.com,/etc/acme-sh/*.dev.coder.com",
+			"CODER_TLS_KEY_FILE":       "/etc/acme-sh/dev.coder.com,/etc/acme-sh/*.dev.coder.com",
+			"CODER_TLS_CLIENT_AUTH":    "/some/path",
+			"CODER_TLS_CLIENT_CA_FILE": "/some/path",
+			"CODER_TLS_ENABLE":         "true",
+			"CODER_TLS_MIN_VERSION":    "tls10",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Len(t, config.TLS.CertFiles.Value, 2)
+			require.Equal(t, config.TLS.CertFiles.Value[0], "/etc/acme-sh/dev.coder.com")
+			require.Equal(t, config.TLS.CertFiles.Value[1], "/etc/acme-sh/*.dev.coder.com")
+
+			require.Len(t, config.TLS.KeyFiles.Value, 2)
+			require.Equal(t, config.TLS.KeyFiles.Value[0], "/etc/acme-sh/dev.coder.com")
+			require.Equal(t, config.TLS.KeyFiles.Value[1], "/etc/acme-sh/*.dev.coder.com")
+
+			require.Equal(t, config.TLS.ClientAuth.Value, "/some/path")
+			require.Equal(t, config.TLS.ClientCAFile.Value, "/some/path")
+			require.Equal(t, config.TLS.Enable.Value, true)
+			require.Equal(t, config.TLS.MinVersion.Value, "tls10")
+		},
+	}, {
+		Name: "Trace",
+		Env: map[string]string{
+			"CODER_TRACE_ENABLE":            "true",
+			"CODER_TRACE_HONEYCOMB_API_KEY": "my-honeycomb-key",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.Trace.Enable.Value, true)
+			require.Equal(t, config.Trace.HoneycombAPIKey.Value, "my-honeycomb-key")
+		},
+	}, {
+		Name: "OIDC_Defaults",
+		Env:  map[string]string{},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Empty(t, config.OIDC.IssuerURL.Value)
+			require.Empty(t, config.OIDC.EmailDomain.Value)
+			require.Empty(t, config.OIDC.ClientID.Value)
+			require.Empty(t, config.OIDC.ClientSecret.Value)
+			require.True(t, config.OIDC.AllowSignups.Value)
+			require.ElementsMatch(t, config.OIDC.Scopes.Value, []string{"openid", "email", "profile"})
+			require.False(t, config.OIDC.IgnoreEmailVerified.Value)
+		},
+	}, {
+		Name: "OIDC",
+		Env: map[string]string{
+			"CODER_OIDC_ISSUER_URL":            "https://accounts.google.com",
+			"CODER_OIDC_EMAIL_DOMAIN":          "coder.com",
+			"CODER_OIDC_CLIENT_ID":             "client",
+			"CODER_OIDC_CLIENT_SECRET":         "secret",
+			"CODER_OIDC_ALLOW_SIGNUPS":         "false",
+			"CODER_OIDC_SCOPES":                "something,here",
+			"CODER_OIDC_IGNORE_EMAIL_VERIFIED": "true",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.OIDC.IssuerURL.Value, "https://accounts.google.com")
+			require.Equal(t, config.OIDC.EmailDomain.Value, []string{"coder.com"})
+			require.Equal(t, config.OIDC.ClientID.Value, "client")
+			require.Equal(t, config.OIDC.ClientSecret.Value, "secret")
+			require.False(t, config.OIDC.AllowSignups.Value)
+			require.Equal(t, config.OIDC.Scopes.Value, []string{"something", "here"})
+			require.True(t, config.OIDC.IgnoreEmailVerified.Value)
+		},
+	}, {
+		Name: "GitHub",
+		Env: map[string]string{
+			"CODER_OAUTH2_GITHUB_CLIENT_ID":     "client",
+			"CODER_OAUTH2_GITHUB_CLIENT_SECRET": "secret",
+			"CODER_OAUTH2_GITHUB_ALLOWED_ORGS":  "coder",
+			"CODER_OAUTH2_GITHUB_ALLOWED_TEAMS": "coder",
+			"CODER_OAUTH2_GITHUB_ALLOW_SIGNUPS": "true",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.OAuth2.Github.ClientID.Value, "client")
+			require.Equal(t, config.OAuth2.Github.ClientSecret.Value, "secret")
+			require.Equal(t, []string{"coder"}, config.OAuth2.Github.AllowedOrgs.Value)
+			require.Equal(t, []string{"coder"}, config.OAuth2.Github.AllowedTeams.Value)
+			require.Equal(t, config.OAuth2.Github.AllowSignups.Value, true)
+		},
+	}, {
+		Name: "GitAuth",
+		Env: map[string]string{
+			"CODER_GITAUTH_0_ID":            "hello",
+			"CODER_GITAUTH_0_TYPE":          "github",
+			"CODER_GITAUTH_0_CLIENT_ID":     "client",
+			"CODER_GITAUTH_0_CLIENT_SECRET": "secret",
+			"CODER_GITAUTH_0_AUTH_URL":      "https://auth.com",
+			"CODER_GITAUTH_0_TOKEN_URL":     "https://token.com",
+			"CODER_GITAUTH_0_VALIDATE_URL":  "https://validate.com",
+			"CODER_GITAUTH_0_REGEX":         "github.com",
+			"CODER_GITAUTH_0_SCOPES":        "read write",
+			"CODER_GITAUTH_0_NO_REFRESH":    "true",
+
+			"CODER_GITAUTH_1_ID":            "another",
+			"CODER_GITAUTH_1_TYPE":          "gitlab",
+			"CODER_GITAUTH_1_CLIENT_ID":     "client-2",
+			"CODER_GITAUTH_1_CLIENT_SECRET": "secret-2",
+			"CODER_GITAUTH_1_AUTH_URL":      "https://auth-2.com",
+			"CODER_GITAUTH_1_TOKEN_URL":     "https://token-2.com",
+			"CODER_GITAUTH_1_REGEX":         "gitlab.com",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Len(t, config.GitAuth.Value, 2)
+			require.Equal(t, []codersdk.GitAuthConfig{{
+				ID:           "hello",
+				Type:         "github",
+				ClientID:     "client",
+				ClientSecret: "secret",
+				AuthURL:      "https://auth.com",
+				TokenURL:     "https://token.com",
+				ValidateURL:  "https://validate.com",
+				Regex:        "github.com",
+				Scopes:       []string{"read", "write"},
+				NoRefresh:    true,
+			}, {
+				ID:           "another",
+				Type:         "gitlab",
+				ClientID:     "client-2",
+				ClientSecret: "secret-2",
+				AuthURL:      "https://auth-2.com",
+				TokenURL:     "https://token-2.com",
+				Regex:        "gitlab.com",
+			}}, config.GitAuth.Value)
+		},
+	}, {
+		Name: "Support links",
+		Env: map[string]string{
+			"CODER_SUPPORT_LINKS_0_NAME":   "First link",
+			"CODER_SUPPORT_LINKS_0_TARGET": "http://target-link-1",
+			"CODER_SUPPORT_LINKS_0_ICON":   "bug",
+
+			"CODER_SUPPORT_LINKS_1_NAME":   "Second link",
+			"CODER_SUPPORT_LINKS_1_TARGET": "http://target-link-2",
+			"CODER_SUPPORT_LINKS_1_ICON":   "chat",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Len(t, config.Support.Links.Value, 2)
+			require.Equal(t, []codersdk.LinkConfig{{
+				Name:   "First link",
+				Target: "http://target-link-1",
+				Icon:   "bug",
+			}, {
+				Name:   "Second link",
+				Target: "http://target-link-2",
+				Icon:   "chat",
+			}}, config.Support.Links.Value)
+		},
+	}, {
+		Name: "Wrong env must not break default values",
+		Env: map[string]string{
+			"CODER_PROMETHEUS_ENABLE": "true",
+			"CODER_PROMETHEUS":        "true", // Wrong env name, must not break prom addr.
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Equal(t, config.Prometheus.Enable.Value, true)
+			require.Equal(t, config.Prometheus.Address.Value, config.Prometheus.Address.Default)
+		},
+	}, {
+		Name: "Experiments - no features",
+		Env: map[string]string{
+			"CODER_EXPERIMENTS": "",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			require.Empty(t, config.Experiments.Value)
+		},
+	}, {
+		Name: "Experiments - multiple features",
+		Env: map[string]string{
+			"CODER_EXPERIMENTS": "foo,bar",
+		},
+		Valid: func(config *codersdk.DeploymentConfig) {
+			expected := []string{"foo", "bar"}
+			require.ElementsMatch(t, expected, config.Experiments.Value)
+		},
+	}} {
+		tc := tc
+		t.Run(tc.Name, func(t *testing.T) {
+			t.Helper()
+			for key, value := range tc.Env {
+				t.Setenv(key, value)
+			}
+			config, err := deployment.Config(flagSet, viper)
+			require.NoError(t, err)
+			tc.Valid(config)
+		})
+	}
+}
@@ -18,14 +18,17 @@ import (
 )

 func dotfiles() *cobra.Command {
-	var (
-		symlinkDir string
-	)
+	var symlinkDir string
 	cmd := &cobra.Command{
-		Use:     "dotfiles [git_repo_url]",
-		Args:    cobra.ExactArgs(1),
-		Short:   "Checkout and install a dotfiles repository.",
-		Example: "coder dotfiles [-y] git@github.com:example/dotfiles.git",
+		Use:   "dotfiles [git_repo_url]",
+		Args:  cobra.ExactArgs(1),
+		Short: "Checkout and install a dotfiles repository from a Git URL",
+		Example: formatExamples(
+			example{
+				Description: "Check out and install a dotfiles repository without prompts",
+				Command:     "coder dotfiles --yes git@github.com:example/dotfiles.git",
+			},
+		),
 		RunE: func(cmd *cobra.Command, args []string) error {
 			var (
 				dotfilesRepoDir = "dotfiles"
@@ -108,7 +111,7 @@ func dotfiles() *cobra.Command {
 			}

 			// ensure command dir exists
-			err = os.MkdirAll(gitCmdDir, 0750)
+			err = os.MkdirAll(gitCmdDir, 0o750)
 			if err != nil {
 				return xerrors.Errorf("ensuring dir at %s: %w", gitCmdDir, err)
 			}
@@ -27,7 +27,7 @@ func TestDotfiles(t *testing.T) {
 		testRepo := testGitRepo(t, root)

 		// nolint:gosec
-		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0o750)
 		require.NoError(t, err)

 		c := exec.Command("git", "add", ".bashrc")
@@ -56,7 +56,7 @@ func TestDotfiles(t *testing.T) {
 		testRepo := testGitRepo(t, root)

 		// nolint:gosec
-		err := os.WriteFile(filepath.Join(testRepo, "install.sh"), []byte("#!/bin/bash\necho wow > "+filepath.Join(string(root), ".bashrc")), 0750)
+		err := os.WriteFile(filepath.Join(testRepo, "install.sh"), []byte("#!/bin/bash\necho wow > "+filepath.Join(string(root), ".bashrc")), 0o750)
 		require.NoError(t, err)

 		c := exec.Command("git", "add", "install.sh")
@@ -82,12 +82,12 @@ func TestDotfiles(t *testing.T) {
 		testRepo := testGitRepo(t, root)

 		// nolint:gosec
-		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0750)
+		err := os.WriteFile(filepath.Join(testRepo, ".bashrc"), []byte("wow"), 0o750)
 		require.NoError(t, err)

 		// add a conflicting file at destination
 		// nolint:gosec
-		err = os.WriteFile(filepath.Join(string(root), ".bashrc"), []byte("backup"), 0750)
+		err = os.WriteFile(filepath.Join(string(root), ".bashrc"), []byte("backup"), 0o750)
 		require.NoError(t, err)

 		c := exec.Command("git", "add", ".bashrc")
@@ -119,7 +119,7 @@ func testGitRepo(t *testing.T, root config.Root) string {
 	r, err := cryptorand.String(8)
 	require.NoError(t, err)
 	dir := filepath.Join(string(root), fmt.Sprintf("test-repo-%s", r))
-	err = os.MkdirAll(dir, 0750)
+	err = os.MkdirAll(dir, 0o750)
 	require.NoError(t, err)

 	c := exec.Command("git", "init")
@@ -0,0 +1,83 @@
+package cli
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"os/signal"
+	"time"
+
+	"github.com/spf13/cobra"
+	"golang.org/x/xerrors"
+
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/gitauth"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/retry"
+)
+
+// gitAskpass is used by the Coder agent to automatically authenticate
+// with Git providers based on a hostname.
+func gitAskpass() *cobra.Command {
+	return &cobra.Command{
+		Use:    "gitaskpass",
+		Hidden: true,
+		Args:   cobra.ExactArgs(1),
+		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+
+			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			defer stop()
+
+			user, host, err := gitauth.ParseAskpass(args[0])
+			if err != nil {
+				return xerrors.Errorf("parse host: %w", err)
+			}
+
+			client, err := createAgentClient(cmd)
+			if err != nil {
+				return xerrors.Errorf("create agent client: %w", err)
+			}
+
+			token, err := client.GitAuth(ctx, host, false)
+			if err != nil {
+				var apiError *codersdk.Error
+				if errors.As(err, &apiError) && apiError.StatusCode() == http.StatusNotFound {
+					// This prevents the "Run 'coder --help' for usage"
+					// message from occurring.
+					cmd.Printf("%s\n", apiError.Message)
+					return cliui.Canceled
+				}
+				return xerrors.Errorf("get git token: %w", err)
+			}
+			if token.URL != "" {
+				if err := openURL(cmd, token.URL); err == nil {
+					cmd.Printf("Your browser has been opened to authenticate with Git:\n\n\t%s\n\n", token.URL)
+				} else {
+					cmd.Printf("Open the following URL to authenticate with Git:\n\n\t%s\n\n", token.URL)
+				}
+
+				for r := retry.New(250*time.Millisecond, 10*time.Second); r.Wait(ctx); {
+					token, err = client.GitAuth(ctx, host, true)
+					if err != nil {
+						continue
+					}
+					cmd.Printf("You've been authenticated with Git!\n")
+					break
+				}
+			}
+
+			if token.Password != "" {
+				if user == "" {
+					_, _ = fmt.Fprintln(cmd.OutOrStdout(), token.Username)
+				} else {
+					_, _ = fmt.Fprintln(cmd.OutOrStdout(), token.Password)
+				}
+			} else {
+				_, _ = fmt.Fprintln(cmd.OutOrStdout(), token.Username)
+			}
+
+			return nil
+		},
+	}
+}
@@ -0,0 +1,98 @@
+package cli_test
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"sync/atomic"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/cli/clitest"
+	"github.com/coder/coder/cli/cliui"
+	"github.com/coder/coder/coderd/httpapi"
+	"github.com/coder/coder/codersdk"
+	"github.com/coder/coder/codersdk/agentsdk"
+	"github.com/coder/coder/pty/ptytest"
+)
+
+// nolint:paralleltest
+func TestGitAskpass(t *testing.T) {
+	t.Setenv("GIT_PREFIX", "/")
+	t.Run("UsernameAndPassword", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(context.Background(), w, http.StatusOK, agentsdk.GitAuthResponse{
+				Username: "something",
+				Password: "bananas",
+			})
+		}))
+		t.Cleanup(srv.Close)
+		url := srv.URL
+		cmd, _ := clitest.New(t, "--agent-url", url, "Username for 'https://github.com':")
+		pty := ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		err := cmd.Execute()
+		require.NoError(t, err)
+		pty.ExpectMatch("something")
+
+		cmd, _ = clitest.New(t, "--agent-url", url, "Password for 'https://potato@github.com':")
+		pty = ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		err = cmd.Execute()
+		require.NoError(t, err)
+		pty.ExpectMatch("bananas")
+	})
+
+	t.Run("NoHost", func(t *testing.T) {
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			httpapi.Write(context.Background(), w, http.StatusNotFound, codersdk.Response{
+				Message: "Nope!",
+			})
+		}))
+		t.Cleanup(srv.Close)
+		url := srv.URL
+		cmd, _ := clitest.New(t, "--agent-url", url, "--no-open", "Username for 'https://github.com':")
+		pty := ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		err := cmd.Execute()
+		require.ErrorIs(t, err, cliui.Canceled)
+		pty.ExpectMatch("Nope!")
+	})
+
+	t.Run("Poll", func(t *testing.T) {
+		resp := atomic.Pointer[agentsdk.GitAuthResponse]{}
+		resp.Store(&agentsdk.GitAuthResponse{
+			URL: "https://something.org",
+		})
+		poll := make(chan struct{}, 10)
+		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			val := resp.Load()
+			if r.URL.Query().Has("listen") {
+				poll <- struct{}{}
+				if val.URL != "" {
+					httpapi.Write(context.Background(), w, http.StatusInternalServerError, val)
+					return
+				}
+			}
+			httpapi.Write(context.Background(), w, http.StatusOK, val)
+		}))
+		t.Cleanup(srv.Close)
+		url := srv.URL
+
+		cmd, _ := clitest.New(t, "--agent-url", url, "--no-open", "Username for 'https://github.com':")
+		pty := ptytest.New(t)
+		cmd.SetOutput(pty.Output())
+		go func() {
+			err := cmd.Execute()
+			assert.NoError(t, err)
+		}()
+		<-poll
+		resp.Store(&agentsdk.GitAuthResponse{
+			Username: "username",
+			Password: "password",
+		})
+		pty.ExpectMatch("username")
+	})
+}
@@ -1,9 +1,15 @@
 package cli

 import (
+	"bufio"
+	"bytes"
+	"context"
 	"fmt"
+	"io"
 	"os"
 	"os/exec"
+	"os/signal"
+	"path/filepath"
 	"strings"

 	"github.com/spf13/cobra"
@@ -13,16 +19,30 @@ import (
 )

 func gitssh() *cobra.Command {
-	return &cobra.Command{
+	cmd := &cobra.Command{
 		Use:    "gitssh",
 		Hidden: true,
 		Short:  `Wraps the "ssh" command and uses the coder gitssh key for authentication`,
 		RunE: func(cmd *cobra.Command, args []string) error {
+			ctx := cmd.Context()
+			env := os.Environ()
+
+			// Catch interrupt signals to ensure the temporary private
+			// key file is cleaned up on most cases.
+			ctx, stop := signal.NotifyContext(ctx, InterruptSignals...)
+			defer stop()
+
+			// Early check so errors are reported immediately.
+			identityFiles, err := parseIdentityFilesForHost(ctx, args, env)
+			if err != nil {
+				return err
+			}
+
 			client, err := createAgentClient(cmd)
 			if err != nil {
 				return xerrors.Errorf("create agent client: %w", err)
 			}
-			key, err := client.AgentGitSSHKey(cmd.Context())
+			key, err := client.GitSSHKey(ctx)
 			if err != nil {
 				return xerrors.Errorf("get agent git ssh token: %w", err)
 			}
@@ -44,8 +64,23 @@ func gitssh() *cobra.Command {
 				return xerrors.Errorf("close temp gitsshkey file: %w", err)
 			}

-			args = append([]string{"-i", privateKeyFile.Name()}, args...)
-			c := exec.CommandContext(cmd.Context(), "ssh", args...)
+			// Append our key, giving precedence to user keys. Note that
+			// OpenSSH server are typically configured with MaxAuthTries
+			// set to the default value of 6. This means that only the 6
+			// first keys can be tried. However, we will assume that if
+			// a user has configured 6+ keys for a host, they know what
+			// they're doing. This behavior is critical if a server has
+			// been configured with MaxAuthTries set to 1.
+			identityFiles = append(identityFiles, privateKeyFile.Name())
+
+			var identityArgs []string
+			for _, id := range identityFiles {
+				identityArgs = append(identityArgs, "-i", id)
+			}
+
+			args = append(identityArgs, args...)
+			c := exec.CommandContext(ctx, "ssh", args...)
+			c.Env = append(c.Env, env...)
 			c.Stderr = cmd.ErrOrStderr()
 			c.Stdout = cmd.OutOrStdout()
 			c.Stdin = cmd.InOrStdin()
@@ -69,4 +104,86 @@ func gitssh() *cobra.Command {
 			return nil
 		},
 	}
+
+	return cmd
+}
+
+// fallbackIdentityFiles is the list of identity files SSH tries when
+// none have been defined for a host.
+var fallbackIdentityFiles = strings.Join([]string{
+	"identityfile ~/.ssh/id_rsa",
+	"identityfile ~/.ssh/id_dsa",
+	"identityfile ~/.ssh/id_ecdsa",
+	"identityfile ~/.ssh/id_ecdsa_sk",
+	"identityfile ~/.ssh/id_ed25519",
+	"identityfile ~/.ssh/id_ed25519_sk",
+	"identityfile ~/.ssh/id_xmss",
+}, "\n")
+
+// parseIdentityFilesForHost uses ssh -G to discern what SSH keys have
+// been enabled for the host (via the users SSH config) and returns a
+// list of existing identity files.
+//
+// We do this because when no keys are defined for a host, SSH uses
+// fallback keys (see above). However, by passing `-i` to attach our
+// private key, we're effectively disabling the fallback keys.
+//
+// Example invocation:
+//
+//	ssh -G -o SendEnv=GIT_PROTOCOL git@github.com git-upload-pack 'coder/coder'
+//
+// The extra arguments work without issue and lets us run the command
+// as-is without stripping out the excess (git-upload-pack 'coder/coder').
+func parseIdentityFilesForHost(ctx context.Context, args, env []string) (identityFiles []string, error error) {
+	home, err := os.UserHomeDir()
+	if err != nil {
+		return nil, xerrors.Errorf("get user home dir failed: %w", err)
+	}
+
+	var outBuf bytes.Buffer
+	var r io.Reader = &outBuf
+
+	args = append([]string{"-G"}, args...)
+	cmd := exec.CommandContext(ctx, "ssh", args...)
+	cmd.Env = append(cmd.Env, env...)
+	cmd.Stdout = &outBuf
+	cmd.Stderr = io.Discard
+	err = cmd.Run()
+	if err != nil {
+		// If ssh -G failed, the SSH version is likely too old, fallback
+		// to using the default identity files.
+		r = strings.NewReader(fallbackIdentityFiles)
+	}
+
+	s := bufio.NewScanner(r)
+	for s.Scan() {
+		line := s.Text()
+		if strings.HasPrefix(line, "identityfile ") {
+			id := strings.TrimPrefix(line, "identityfile ")
+			if strings.HasPrefix(id, "~/") {
+				id = home + id[1:]
+			}
+			// OpenSSH on Windows is weird, it supports using (and does
+			// use) mixed \ and / in paths.
+			//
+			// Example: C:\Users\ZeroCool/.ssh/known_hosts
+			//
+			// To check the file existence in Go, though, we want to use
+			// proper Windows paths.
+			// OpenSSH is amazing, this will work on Windows too:
+			// C:\Users\ZeroCool/.ssh/id_rsa
+			id = filepath.FromSlash(id)
+
+			// Only include the identity file if it exists.
+			if _, err := os.Stat(id); err == nil {
+				identityFiles = append(identityFiles, id)
+			}
+		}
+	}
+	if err := s.Err(); err != nil {
+		// This should never happen, the check is for completeness.
+		return nil, xerrors.Errorf("scan ssh output: %w", err)
+	}
+
+	return identityFiles, nil
 }
@@ -2,8 +2,16 @@ package cli_test

 import (
 	"context"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"crypto/x509"
+	"encoding/pem"
 	"fmt"
 	"net"
+	"os"
+	"path/filepath"
+	"strings"
 	"sync/atomic"
 	"testing"

@@ -17,98 +25,236 @@ import (
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/provisioner/echo"
 	"github.com/coder/coder/provisionersdk/proto"
+	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

+func prepareTestGitSSH(ctx context.Context, t *testing.T) (*codersdk.Client, string, gossh.PublicKey) {
+	t.Helper()
+
+	client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+	user := coderdtest.CreateFirstUser(t, client)
+
+	ctx, cancel := context.WithCancel(ctx)
+	defer t.Cleanup(cancel) // Defer so that cancel is the first cleanup.
+
+	// get user public key
+	keypair, err := client.GitSSHKey(ctx, codersdk.Me)
+	require.NoError(t, err)
+	//nolint:dogsled
+	pubkey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(keypair.PublicKey))
+	require.NoError(t, err)
+
+	// setup template
+	agentToken := uuid.NewString()
+	version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
+		Parse:         echo.ParseComplete,
+		ProvisionPlan: echo.ProvisionComplete,
+		ProvisionApply: []*proto.Provision_Response{{
+			Type: &proto.Provision_Response_Complete{
+				Complete: &proto.Provision_Complete{
+					Resources: []*proto.Resource{{
+						Name: "somename",
+						Type: "someinstance",
+						Agents: []*proto.Agent{{
+							Auth: &proto.Agent_Token{
+								Token: agentToken,
+							},
+						}},
+					}},
+				},
+			},
+		}},
+	})
+	template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+	coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+	workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+	coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+	// start workspace agent
+	cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String())
+	agentClient := client
+	clitest.SetupConfig(t, agentClient, root)
+
+	errC := make(chan error, 1)
+	go func() {
+		errC <- cmd.ExecuteContext(ctx)
+	}()
+	t.Cleanup(func() { require.NoError(t, <-errC) })
+	coderdtest.AwaitWorkspaceAgents(t, client, workspace.ID)
+	return agentClient, agentToken, pubkey
+}
+
+func serveSSHForGitSSH(t *testing.T, handler func(ssh.Session), pubkeys ...gossh.PublicKey) *net.TCPAddr {
+	t.Helper()
+
+	// start ssh server
+	l, err := net.Listen("tcp", "localhost:0")
+	require.NoError(t, err)
+	t.Cleanup(func() { _ = l.Close() })
+
+	serveOpts := []ssh.Option{
+		ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
+			for _, pubkey := range pubkeys {
+				if ssh.KeysEqual(pubkey, key) {
+					return true
+				}
+			}
+			return false
+		}),
+	}
+	errC := make(chan error, 1)
+	go func() {
+		// as long as we get a successful session we don't care if the server errors
+		errC <- ssh.Serve(l, handler, serveOpts...)
+	}()
+	t.Cleanup(func() {
+		_ = l.Close() // Ensure server shutdown.
+		<-errC
+	})
+
+	// start ssh session
+	addr, ok := l.Addr().(*net.TCPAddr)
+	require.True(t, ok)
+
+	return addr
+}
+
+func writePrivateKeyToFile(t *testing.T, name string, key *ecdsa.PrivateKey) {
+	t.Helper()
+
+	b, err := x509.MarshalPKCS8PrivateKey(key)
+	require.NoError(t, err)
+	b = pem.EncodeToMemory(&pem.Block{
+		Type:  "PRIVATE KEY",
+		Bytes: b,
+	})
+
+	err = os.WriteFile(name, b, 0o600)
+	require.NoError(t, err)
+}
+
 func TestGitSSH(t *testing.T) {
 	t.Parallel()
 	t.Run("Dial", func(t *testing.T) {
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
-		user := coderdtest.CreateFirstUser(t, client)
+		t.Parallel()

-		// get user public key
-		keypair, err := client.GitSSHKey(context.Background(), codersdk.Me)
-		require.NoError(t, err)
-		publicKey, _, _, _, err := gossh.ParseAuthorizedKey([]byte(keypair.PublicKey))
-		require.NoError(t, err)
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()

-		// setup template
-		agentToken := uuid.NewString()
-		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, &echo.Responses{
-			Parse:           echo.ParseComplete,
-			ProvisionDryRun: echo.ProvisionComplete,
-			Provision: []*proto.Provision_Response{{
-				Type: &proto.Provision_Response_Complete{
-					Complete: &proto.Provision_Complete{
-						Resources: []*proto.Resource{{
-							Name: "somename",
-							Type: "someinstance",
-							Agents: []*proto.Agent{{
-								Auth: &proto.Agent_Token{
-									Token: agentToken,
-								},
-							}},
-						}},
-					},
-				},
-			}},
-		})
-		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
-		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
-		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
-		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
-
-		// start workspace agent
-		cmd, root := clitest.New(t, "agent", "--agent-token", agentToken, "--agent-url", client.URL.String())
-		agentClient := client
-		clitest.SetupConfig(t, agentClient, root)
-		ctx, cancelFunc := context.WithCancel(context.Background())
-		defer cancelFunc()
-		agentErrC := make(chan error)
-		go func() {
-			agentErrC <- cmd.ExecuteContext(ctx)
-		}()
-
-		coderdtest.AwaitWorkspaceAgents(t, client, workspace.LatestBuild.ID)
-		resources, err := client.WorkspaceResourcesByBuild(context.Background(), workspace.LatestBuild.ID)
-		require.NoError(t, err)
-		dialer, err := client.DialWorkspaceAgent(context.Background(), resources[0].Agents[0].ID, nil)
-		require.NoError(t, err)
-		defer dialer.Close()
-		_, err = dialer.Ping()
-		require.NoError(t, err)
-
-		// start ssh server
-		l, err := net.Listen("tcp", "localhost:0")
-		require.NoError(t, err)
-		defer l.Close()
-		publicKeyOption := ssh.PublicKeyAuth(func(ctx ssh.Context, key ssh.PublicKey) bool {
-			return ssh.KeysEqual(publicKey, key)
-		})
+		client, token, pubkey := prepareTestGitSSH(ctx, t)
 		var inc int64
-		sshErrC := make(chan error)
-		go func() {
-			// as long as we get a successful session we don't care if the server errors
-			_ = ssh.Serve(l, func(s ssh.Session) {
-				atomic.AddInt64(&inc, 1)
-				t.Log("got authenticated session")
-				sshErrC <- s.Exit(0)
-			}, publicKeyOption)
-		}()
+		errC := make(chan error, 1)
+		addr := serveSSHForGitSSH(t, func(s ssh.Session) {
+			atomic.AddInt64(&inc, 1)
+			t.Log("got authenticated session")
+			select {
+			case errC <- s.Exit(0):
+			default:
+				t.Error("error channel is full")
+			}
+		}, pubkey)

-		// start ssh session
-		addr, ok := l.Addr().(*net.TCPAddr)
-		require.True(t, ok)
 		// set to agent config dir
-		gitsshCmd, _ := clitest.New(t, "gitssh", "--agent-url", agentClient.URL.String(), "--agent-token", agentToken, "--", fmt.Sprintf("-p%d", addr.Port), "-o", "StrictHostKeyChecking=no", "-o", "IdentitiesOnly=yes", "127.0.0.1")
-		err = gitsshCmd.ExecuteContext(context.Background())
+		cmd, _ := clitest.New(t,
+			"gitssh",
+			"--agent-url", client.URL.String(),
+			"--agent-token", token,
+			"--",
+			fmt.Sprintf("-p%d", addr.Port),
+			"-o", "StrictHostKeyChecking=no",
+			"-o", "IdentitiesOnly=yes",
+			"127.0.0.1",
+		)
+		err := cmd.ExecuteContext(ctx)
 		require.NoError(t, err)
 		require.EqualValues(t, 1, inc)

-		err = <-sshErrC
-		require.NoError(t, err, "error in ssh session exit")
-
-		cancelFunc()
-		err = <-agentErrC
+		err = <-errC
 		require.NoError(t, err, "error in agent execute")
 	})
+
+	t.Run("Local SSH Keys", func(t *testing.T) {
+		t.Parallel()
+
+		home := t.TempDir()
+		sshdir := filepath.Join(home, ".ssh")
+		err := os.MkdirAll(sshdir, 0o700)
+		require.NoError(t, err)
+
+		idFile := filepath.Join(sshdir, "id_ed25519")
+		privkey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+		require.NoError(t, err)
+		localPubkey, err := gossh.NewPublicKey(&privkey.PublicKey)
+		require.NoError(t, err)
+		writePrivateKeyToFile(t, idFile, privkey)
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancel()
+
+		client, token, coderPubkey := prepareTestGitSSH(ctx, t)
+
+		authkey := make(chan gossh.PublicKey, 1)
+		addr := serveSSHForGitSSH(t, func(s ssh.Session) {
+			t.Logf("authenticated with: %s", gossh.MarshalAuthorizedKey(s.PublicKey()))
+			select {
+			case authkey <- s.PublicKey():
+			default:
+				t.Error("authkey channel is full")
+			}
+		}, localPubkey, coderPubkey)
+
+		// Create a new config which sets an identity file.
+		config := filepath.Join(sshdir, "config")
+		knownHosts := filepath.Join(sshdir, "known_hosts")
+		err = os.WriteFile(config, []byte(strings.Join([]string{
+			"Host mytest",
+			"  HostName 127.0.0.1",
+			fmt.Sprintf("  Port %d", addr.Port),
+			"  StrictHostKeyChecking no",
+			"  UserKnownHostsFile=" + knownHosts,
+			"  IdentitiesOnly yes",
+			"  IdentityFile=" + idFile,
+		}, "\n")), 0o600)
+		require.NoError(t, err)
+
+		pty := ptytest.New(t)
+		cmdArgs := []string{
+			"gitssh",
+			"--agent-url", client.URL.String(),
+			"--agent-token", token,
+			"--",
+			"-F", config,
+			"mytest",
+		}
+		// Test authentication via local private key.
+		cmd, _ := clitest.New(t, cmdArgs...)
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		err = cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		select {
+		case key := <-authkey:
+			require.Equal(t, localPubkey, key)
+		case <-ctx.Done():
+			t.Fatal("timeout waiting for auth")
+		}
+
+		// Delete the local private key.
+		err = os.Remove(idFile)
+		require.NoError(t, err)
+
+		// With the local file deleted, the coder key should be used.
+		cmd, _ = clitest.New(t, cmdArgs...)
+		cmd.SetOut(pty.Output())
+		cmd.SetErr(pty.Output())
+		err = cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+		select {
+		case key := <-authkey:
+			require.Equal(t, coderPubkey, key)
+		case <-ctx.Done():
+			t.Fatal("timeout waiting for auth")
+		}
+	})
 }
@@ -5,7 +5,6 @@ import (
 	"time"

 	"github.com/google/uuid"
-	"github.com/jedib0t/go-pretty/v6/table"
 	"github.com/spf13/cobra"

 	"github.com/coder/coder/cli/cliui"
@@ -14,112 +13,129 @@ import (
 	"github.com/coder/coder/codersdk"
 )

+// workspaceListRow is the type provided to the OutputFormatter. This is a bit
+// dodgy but it's the only way to do complex display code for one format vs. the
+// other.
+type workspaceListRow struct {
+	// For JSON format:
+	codersdk.Workspace `table:"-"`
+
+	// For table format:
+	WorkspaceName string `json:"-" table:"workspace,default_sort"`
+	Template      string `json:"-" table:"template"`
+	Status        string `json:"-" table:"status"`
+	LastBuilt     string `json:"-" table:"last built"`
+	Outdated      bool   `json:"-" table:"outdated"`
+	StartsAt      string `json:"-" table:"starts at"`
+	StopsAfter    string `json:"-" table:"stops after"`
+}
+
+func workspaceListRowFromWorkspace(now time.Time, usersByID map[uuid.UUID]codersdk.User, workspace codersdk.Workspace) workspaceListRow {
+	status := codersdk.WorkspaceDisplayStatus(workspace.LatestBuild.Job.Status, workspace.LatestBuild.Transition)
+
+	lastBuilt := now.UTC().Sub(workspace.LatestBuild.Job.CreatedAt).Truncate(time.Second)
+	autostartDisplay := "-"
+	if !ptr.NilOrEmpty(workspace.AutostartSchedule) {
+		if sched, err := schedule.Weekly(*workspace.AutostartSchedule); err == nil {
+			autostartDisplay = fmt.Sprintf("%s %s (%s)", sched.Time(), sched.DaysOfWeek(), sched.Location())
+		}
+	}
+
+	autostopDisplay := "-"
+	if !ptr.NilOrZero(workspace.TTLMillis) {
+		dur := time.Duration(*workspace.TTLMillis) * time.Millisecond
+		autostopDisplay = durationDisplay(dur)
+		if !workspace.LatestBuild.Deadline.IsZero() && workspace.LatestBuild.Deadline.Time.After(now) && status == "Running" {
+			remaining := time.Until(workspace.LatestBuild.Deadline.Time)
+			autostopDisplay = fmt.Sprintf("%s (%s)", autostopDisplay, relative(remaining))
+		}
+	}
+
+	user := usersByID[workspace.OwnerID]
+	return workspaceListRow{
+		Workspace:     workspace,
+		WorkspaceName: user.Username + "/" + workspace.Name,
+		Template:      workspace.TemplateName,
+		Status:        status,
+		LastBuilt:     durationDisplay(lastBuilt),
+		Outdated:      workspace.Outdated,
+		StartsAt:      autostartDisplay,
+		StopsAfter:    autostopDisplay,
+	}
+}
+
 func list() *cobra.Command {
 	var (
-		columns []string
+		all               bool
+		defaultQuery      = "owner:me"
+		searchQuery       string
+		displayWorkspaces []workspaceListRow
+		formatter         = cliui.NewOutputFormatter(
+			cliui.TableFormat([]workspaceListRow{}, nil),
+			cliui.JSONFormat(),
+		)
 	)
 	cmd := &cobra.Command{
 		Annotations: workspaceCommand,
 		Use:         "list",
-		Short:       "List all workspaces",
+		Short:       "List workspaces",
 		Aliases:     []string{"ls"},
+		Args:        cobra.ExactArgs(0),
 		RunE: func(cmd *cobra.Command, args []string) error {
-			client, err := createClient(cmd)
+			client, err := CreateClient(cmd)
 			if err != nil {
 				return err
 			}
-			workspaces, err := client.Workspaces(cmd.Context(), codersdk.WorkspaceFilter{})
+
+			filter := codersdk.WorkspaceFilter{
+				FilterQuery: searchQuery,
+			}
+			if all && searchQuery == defaultQuery {
+				filter.FilterQuery = ""
+			}
+
+			res, err := client.Workspaces(cmd.Context(), filter)
 			if err != nil {
 				return err
 			}
-			if len(workspaces) == 0 {
-				_, _ = fmt.Fprintln(cmd.OutOrStdout(), cliui.Styles.Prompt.String()+"No workspaces found! Create one:")
-				_, _ = fmt.Fprintln(cmd.OutOrStdout())
-				_, _ = fmt.Fprintln(cmd.OutOrStdout(), "  "+cliui.Styles.Code.Render("coder create <name>"))
-				_, _ = fmt.Fprintln(cmd.OutOrStdout())
+			if len(res.Workspaces) == 0 {
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), cliui.Styles.Prompt.String()+"No workspaces found! Create one:")
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr(), "  "+cliui.Styles.Code.Render("coder create <name>"))
+				_, _ = fmt.Fprintln(cmd.ErrOrStderr())
 				return nil
 			}
-			users, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
+
+			userRes, err := client.Users(cmd.Context(), codersdk.UsersRequest{})
 			if err != nil {
 				return err
 			}
+
 			usersByID := map[uuid.UUID]codersdk.User{}
-			for _, user := range users {
+			for _, user := range userRes.Users {
 				usersByID[user.ID] = user
 			}

-			tableWriter := cliui.Table()
-			header := table.Row{"workspace", "template", "status", "last built", "outdated", "starts at", "stops after"}
-			tableWriter.AppendHeader(header)
-			tableWriter.SortBy([]table.SortBy{{
-				Name: "workspace",
-			}})
-			tableWriter.SetColumnConfigs(cliui.FilterTableColumns(header, columns))
-
 			now := time.Now()
-			for _, workspace := range workspaces {
-				status := ""
-				inProgress := false
-				if workspace.LatestBuild.Job.Status == codersdk.ProvisionerJobRunning ||
-					workspace.LatestBuild.Job.Status == codersdk.ProvisionerJobCanceling {
-					inProgress = true
-				}
-
-				switch workspace.LatestBuild.Transition {
-				case codersdk.WorkspaceTransitionStart:
-					status = "Running"
-					if inProgress {
-						status = "Starting"
-					}
-				case codersdk.WorkspaceTransitionStop:
-					status = "Stopped"
-					if inProgress {
-						status = "Stopping"
-					}
-				case codersdk.WorkspaceTransitionDelete:
-					status = "Deleted"
-					if inProgress {
-						status = "Deleting"
-					}
-				}
-				if workspace.LatestBuild.Job.Status == codersdk.ProvisionerJobFailed {
-					status = "Failed"
-				}
-
-				lastBuilt := time.Now().UTC().Sub(workspace.LatestBuild.Job.CreatedAt).Truncate(time.Second)
-				autostartDisplay := "-"
-				if !ptr.NilOrEmpty(workspace.AutostartSchedule) {
-					if sched, err := schedule.Weekly(*workspace.AutostartSchedule); err == nil {
-						autostartDisplay = fmt.Sprintf("%s %s (%s)", sched.Time(), sched.DaysOfWeek(), sched.Location())
-					}
-				}
-
-				autostopDisplay := "-"
-				if !ptr.NilOrZero(workspace.TTLMillis) {
-					dur := time.Duration(*workspace.TTLMillis) * time.Millisecond
-					autostopDisplay = durationDisplay(dur)
-					if !workspace.LatestBuild.Deadline.IsZero() && workspace.LatestBuild.Deadline.After(now) && status == "Running" {
-						remaining := time.Until(workspace.LatestBuild.Deadline)
-						autostopDisplay = fmt.Sprintf("%s (%s)", autostopDisplay, relative(remaining))
-					}
-				}
-
-				user := usersByID[workspace.OwnerID]
-				tableWriter.AppendRow(table.Row{
-					user.Username + "/" + workspace.Name,
-					workspace.TemplateName,
-					status,
-					durationDisplay(lastBuilt),
-					workspace.Outdated,
-					autostartDisplay,
-					autostopDisplay,
-				})
+			displayWorkspaces = make([]workspaceListRow, len(res.Workspaces))
+			for i, workspace := range res.Workspaces {
+				displayWorkspaces[i] = workspaceListRowFromWorkspace(now, usersByID, workspace)
 			}
-			_, err = fmt.Fprintln(cmd.OutOrStdout(), tableWriter.Render())
+
+			out, err := formatter.Format(cmd.Context(), displayWorkspaces)
+			if err != nil {
+				return err
+			}
+
+			_, err = fmt.Fprintln(cmd.OutOrStdout(), out)
 			return err
 		},
 	}
-	cmd.Flags().StringArrayVarP(&columns, "column", "c", nil,
-		"Specify a column to filter in the table.")
+
+	cmd.Flags().BoolVarP(&all, "all", "a", false,
+		"Specifies whether all workspaces will be listed or not.")
+	cmd.Flags().StringVar(&searchQuery, "search", defaultQuery, "Search for a workspace with a query.")
+
+	formatter.AttachFlags(cmd)
 	return cmd
 }
@@ -1,24 +1,26 @@
 package cli_test

 import (
+	"bytes"
 	"context"
+	"encoding/json"
 	"testing"
-	"time"

 	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"

 	"github.com/coder/coder/cli/clitest"
 	"github.com/coder/coder/coderd/coderdtest"
+	"github.com/coder/coder/codersdk"
 	"github.com/coder/coder/pty/ptytest"
+	"github.com/coder/coder/testutil"
 )

 func TestList(t *testing.T) {
 	t.Parallel()
 	t.Run("Single", func(t *testing.T) {
 		t.Parallel()
-		ctx, cancelFunc := context.WithTimeout(context.Background(), 5*time.Second)
-		defer cancelFunc()
-		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerD: true})
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
 		user := coderdtest.CreateFirstUser(t, client)
 		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
 		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
@@ -30,6 +32,9 @@ func TestList(t *testing.T) {
 		pty := ptytest.New(t)
 		cmd.SetIn(pty.Input())
 		cmd.SetOut(pty.Output())
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
 		done := make(chan any)
 		go func() {
 			errC := cmd.ExecuteContext(ctx)
@@ -37,8 +42,34 @@ func TestList(t *testing.T) {
 			close(done)
 		}()
 		pty.ExpectMatch(workspace.Name)
-		pty.ExpectMatch("Running")
+		pty.ExpectMatch("Started")
 		cancelFunc()
 		<-done
 	})
+
+	t.Run("JSON", func(t *testing.T) {
+		t.Parallel()
+		client := coderdtest.New(t, &coderdtest.Options{IncludeProvisionerDaemon: true})
+		user := coderdtest.CreateFirstUser(t, client)
+		version := coderdtest.CreateTemplateVersion(t, client, user.OrganizationID, nil)
+		coderdtest.AwaitTemplateVersionJob(t, client, version.ID)
+		template := coderdtest.CreateTemplate(t, client, user.OrganizationID, version.ID)
+		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
+		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
+
+		cmd, root := clitest.New(t, "list", "--output=json")
+		clitest.SetupConfig(t, client, root)
+
+		ctx, cancelFunc := context.WithTimeout(context.Background(), testutil.WaitLong)
+		defer cancelFunc()
+
+		out := bytes.NewBuffer(nil)
+		cmd.SetOut(out)
+		err := cmd.ExecuteContext(ctx)
+		require.NoError(t, err)
+
+		var templates []codersdk.Workspace
+		require.NoError(t, json.Unmarshal(out.Bytes(), &templates))
+		require.Len(t, templates, 1)
+	})
 }
--- a/Show More
+++ b/Show More