selfhosted
/
coder
mirror of https://github.com/coder/coder.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
coder/cli/testdata/server-config.yaml.golden

487 lines
22 KiB
Plaintext
Raw Blame History

networking:
# The URL that users will use to access the Coder deployment.
# (default: <unset>, type: url)
accessURL:
# Specifies the wildcard hostname to use for workspace applications in the form
# "*.example.com".
# (default: <unset>, type: string)
wildcardAccessURL: ""
# Specifies the custom docs URL.
# (default: <unset>, type: url)
docsURL:
# Specifies whether to redirect requests that do not match the access URL host.
# (default: <unset>, type: bool)
redirectToAccessURL: false
http:
# HTTP bind address of the server. Unset to disable the HTTP endpoint.
# (default: 127.0.0.1:3000, type: string)
httpAddress: 127.0.0.1:3000
# The maximum lifetime duration users can specify when creating an API token.
# (default: 876600h0m0s, type: duration)
maxTokenLifetime: 876600h0m0s
# The token expiry duration for browser sessions. Sessions may last longer if they
# are actively making requests, but this functionality can be disabled via
# --disable-session-expiry-refresh.
# (default: 24h0m0s, type: duration)
sessionDuration: 24h0m0s
# Disable automatic session expiry bumping due to activity. This forces all
# sessions to become invalid after the session expiry duration has been reached.
# (default: <unset>, type: bool)
disableSessionExpiryRefresh: false
# Disable password authentication. This is recommended for security purposes in
# production deployments that rely on an identity provider. Any user with the
# owner role will be able to sign in with their password regardless of this
# setting to avoid potential lock out. If you are locked out of your account, you
# can use the `coder server create-admin` command to create a new admin user
# directly in the database.
# (default: <unset>, type: bool)
disablePasswordAuth: false
# The interval in which coderd should be checking the status of workspace proxies.
# (default: 1m0s, type: duration)
proxyHealthInterval: 1m0s
# Configure TLS / HTTPS for your Coder deployment. If you're running
# Coder behind a TLS-terminating reverse proxy or are accessing Coder over a
# secure link, you can safely ignore these settings.
tls:
# HTTPS bind address of the server.
# (default: 127.0.0.1:3443, type: host:port)
address: 127.0.0.1:3443
# Whether TLS will be enabled.
# (default: <unset>, type: bool)
enable: false
# Whether HTTP requests will be redirected to the access URL (if it's a https URL
# and TLS is enabled). Requests to local IP addresses are never redirected
# regardless of this setting.
# (default: true, type: bool)
redirectHTTP: true
# Path to each certificate for TLS. It requires a PEM-encoded file. To configure
# the listener to use a CA certificate, concatenate the primary certificate and
# the CA certificate together. The primary certificate should appear first in the
# combined file.
# (default: <unset>, type: string-array)
certFiles: []
# PEM-encoded Certificate Authority file used for checking the authenticity of
# client.
# (default: <unset>, type: string)
clientCAFile: ""
# Policy the server will follow for TLS Client Authentication. Accepted values are
# "none", "request", "require-any", "verify-if-given", or "require-and-verify".
# (default: none, type: string)
clientAuth: none
# Paths to the private keys for each of the certificates. It requires a
# PEM-encoded file.
# (default: <unset>, type: string-array)
keyFiles: []
# Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12"
# or "tls13".
# (default: tls12, type: string)
minVersion: tls12
# Path to certificate for client TLS authentication. It requires a PEM-encoded
# file.
# (default: <unset>, type: string)
clientCertFile: ""
# Path to key for client TLS authentication. It requires a PEM-encoded file.
# (default: <unset>, type: string)
clientKeyFile: ""
# Specify specific TLS ciphers that allowed to be used. See
# https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75.
# (default: <unset>, type: string-array)
tlsCiphers: []
# By default, only ciphers marked as 'secure' are allowed to be used. See
# https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95.
# (default: false, type: bool)
tlsAllowInsecureCiphers: false
# Controls if the 'Strict-Transport-Security' header is set on all static file
# responses. This header should only be set if the server is accessed via HTTPS.
# This value is the MaxAge in seconds of the header.
# (default: 0, type: int)
strictTransportSecurity: 0
# Two optional fields can be set in the Strict-Transport-Security header;
# 'includeSubDomains' and 'preload'. The 'strict-transport-security' flag must be
# set to a non-zero value for these options to be used.
# (default: <unset>, type: string-array)
strictTransportSecurityOptions: []
# Most Coder deployments never have to think about DERP because all connections
# between workspaces and users are peer-to-peer. However, when Coder cannot
# establish
# a peer to peer connection, Coder uses a distributed relay network backed by
# Tailscale and WireGuard.
derp:
# Whether to enable or disable the embedded DERP relay server.
# (default: true, type: bool)
enable: true
# Region ID to use for the embedded DERP server.
# (default: 999, type: int)
regionID: 999
# Region code to use for the embedded DERP server.
# (default: coder, type: string)
regionCode: coder
# Region name that for the embedded DERP server.
# (default: Coder Embedded Relay, type: string)
regionName: Coder Embedded Relay
# Addresses for STUN servers to establish P2P connections. It's recommended to
# have at least two STUN servers to give users the best chance of connecting P2P
# to workspaces. Each STUN server will get it's own DERP region, with region IDs
# starting at `--derp-server-region-id + 1`. Use special value 'disable' to turn
# off STUN completely.
# (default:
# stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302,stun3.l.google.com:19302,stun4.l.google.com:19302,
# type: string-array)
stunAddresses:
- stun.l.google.com:19302
- stun1.l.google.com:19302
- stun2.l.google.com:19302
- stun3.l.google.com:19302
- stun4.l.google.com:19302
# An HTTP URL that is accessible by other replicas to relay DERP traffic. Required
# for high availability.
# (default: <unset>, type: url)
relayURL:
# Block peer-to-peer (aka. direct) workspace connections. All workspace
# connections from the CLI will be proxied through Coder (or custom configured
# DERP servers) and will never be peer-to-peer when enabled. Workspaces may still
# reach out to STUN servers to get their address until they are restarted after
# this change has been made, but new connections will still be proxied regardless.
# (default: <unset>, type: bool)
blockDirect: false
# Force clients and agents to always use WebSocket to connect to DERP relay
# servers. By default, DERP uses `Upgrade: derp`, which may cause issues with some
# reverse proxies. Clients may automatically fallback to WebSocket if they detect
# an issue with `Upgrade: derp`, but this does not work in all situations.
# (default: <unset>, type: bool)
forceWebSockets: false
# URL to fetch a DERP mapping on startup. See:
# https://tailscale.com/kb/1118/custom-derp-servers/.
# (default: <unset>, type: string)
url: ""
# Path to read a DERP mapping from. See:
# https://tailscale.com/kb/1118/custom-derp-servers/.
# (default: <unset>, type: string)
configPath: ""
# Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip,
# True-Client-Ip, X-Forwarded-For.
# (default: <unset>, type: string-array)
proxyTrustedHeaders: []
# Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24.
# (default: <unset>, type: string-array)
proxyTrustedOrigins: []
# Controls if the 'Secure' property is set on browser session cookies.
# (default: <unset>, type: bool)
secureAuthCookie: false
# Whether Coder only allows connections to workspaces via the browser.
# (default: <unset>, type: bool)
browserOnly: false
# Interval to poll for scheduled workspace builds.
# (default: 1m0s, type: duration)
autobuildPollInterval: 1m0s
# Interval to poll for hung jobs and automatically terminate them.
# (default: 1m0s, type: duration)
jobHangDetectorInterval: 1m0s
introspection:
prometheus:
# Serve prometheus metrics on the address defined by prometheus address.
# (default: <unset>, type: bool)
enable: false
# The bind address to serve prometheus metrics.
# (default: 127.0.0.1:2112, type: host:port)
address: 127.0.0.1:2112
# Collect agent stats (may increase charges for metrics storage).
# (default: <unset>, type: bool)
collect_agent_stats: false
# When collecting agent stats, aggregate metrics by a given set of comma-separated
# labels to reduce cardinality. Accepted values are agent_name, template_name,
# username, workspace_name.
# (default: agent_name,template_name,username,workspace_name, type: string-array)
aggregate_agent_stats_by:
- agent_name
- template_name
- username
- workspace_name
# Collect database metrics (may increase charges for metrics storage).
# (default: false, type: bool)
collect_db_metrics: false
pprof:
# Serve pprof metrics on the address defined by pprof address.
# (default: <unset>, type: bool)
enable: false
# The bind address to serve pprof.
# (default: 127.0.0.1:6060, type: host:port)
address: 127.0.0.1:6060
tracing:
# Whether application tracing data is collected. It exports to a backend
# configured by environment variables. See:
# https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md.
# (default: <unset>, type: bool)
enable: false
# Enables capturing of logs as events in traces. This is useful for debugging, but
# may result in a very large amount of events being sent to the tracing backend
# which may incur significant costs.
# (default: <unset>, type: bool)
captureLogs: false
# Enables sending Go runtime traces to the local DataDog agent.
# (default: false, type: bool)
dataDog: false
logging:
# Output debug-level logs.
# (default: <unset>, type: bool)
verbose: false
# Filter debug logs by matching against a given regex. Use .* to match all debug
# logs.
# (default: <unset>, type: string-array)
filter: []
# Output human-readable logs to a given file.
# (default: /dev/stderr, type: string)
humanPath: /dev/stderr
# Output JSON logs to a given file.
# (default: <unset>, type: string)
jsonPath: ""
# Output Stackdriver compatible logs to a given file.
# (default: <unset>, type: string)
stackdriverPath: ""
# Allow administrators to enable Terraform debug output.
# (default: false, type: bool)
enableTerraformDebugMode: false
healthcheck:
# Refresh interval for healthchecks.
# (default: 10m0s, type: duration)
refresh: 10m0s
# The threshold for the database health check. If the median latency of the
# database exceeds this threshold over 5 attempts, the database is considered
# unhealthy. The default value is 15ms.
# (default: 15ms, type: duration)
thresholdDatabase: 15ms
oauth2:
github:
# Client ID for Login with GitHub.
# (default: <unset>, type: string)
clientID: ""
# Organizations the user must be a member of to Login with GitHub.
# (default: <unset>, type: string-array)
allowedOrgs: []
# Teams inside organizations the user must be a member of to Login with GitHub.
# Structured as: <organization-name>/<team-slug>.
# (default: <unset>, type: string-array)
allowedTeams: []
# Whether new users can sign up with GitHub.
# (default: <unset>, type: bool)
allowSignups: false
# Allow all logins, setting this option means allowed orgs and teams must be
# empty.
# (default: <unset>, type: bool)
allowEveryone: false
# Base URL of a GitHub Enterprise deployment to use for Login with GitHub.
# (default: <unset>, type: string)
enterpriseBaseURL: ""
oidc:
# Whether new users can sign up with OIDC.
# (default: true, type: bool)
allowSignups: true
# Client ID to use for Login with OIDC.
# (default: <unset>, type: string)
clientID: ""
# Pem encoded RSA private key to use for oauth2 PKI/JWT authorization. This can be
# used instead of oidc-client-secret if your IDP supports it.
# (default: <unset>, type: string)
oidcClientKeyFile: ""
# Pem encoded certificate file to use for oauth2 PKI/JWT authorization. The public
# certificate that accompanies oidc-client-key-file. A standard x509 certificate
# is expected.
# (default: <unset>, type: string)
oidcClientCertFile: ""
# Email domains that clients logging in with OIDC must match.
# (default: <unset>, type: string-array)
emailDomain: []
# Issuer URL to use for Login with OIDC.
# (default: <unset>, type: string)
issuerURL: ""
# Scopes to grant when authenticating with OIDC.
# (default: openid,profile,email, type: string-array)
scopes:
- openid
- profile
- email
# Ignore the email_verified claim from the upstream provider.
# (default: <unset>, type: bool)
ignoreEmailVerified: false
# OIDC claim field to use as the username.
# (default: preferred_username, type: string)
usernameField: preferred_username
# OIDC claim field to use as the email.
# (default: email, type: string)
emailField: email
# OIDC auth URL parameters to pass to the upstream provider.
# (default: {"access_type": "offline"}, type: struct[map[string]string])
authURLParams:
access_type: offline
# Ignore the userinfo endpoint and only use the ID token for user information.
# (default: false, type: bool)
ignoreUserInfo: false
# This field must be set if using the group sync feature and the scope name is not
# 'groups'. Set to the claim to be used for groups.
# (default: <unset>, type: string)
groupField: ""
# A map of OIDC group IDs and the group in Coder it should map to. This is useful
# for when OIDC providers only return group IDs.
# (default: {}, type: struct[map[string]string])
groupMapping: {}
# Automatically creates missing groups from a user's groups claim.
# (default: false, type: bool)
enableGroupAutoCreate: false
# If provided any group name not matching the regex is ignored. This allows for
# filtering out groups that are not needed. This filter is applied after the group
# mapping.
# (default: .*, type: regexp)
groupRegexFilter: .*
# If provided any group name not in the list will not be allowed to authenticate.
# This allows for restricting access to a specific set of groups. This filter is
# applied after the group mapping and before the regex filter.
# (default: <unset>, type: string-array)
groupAllowed: []
# This field must be set if using the user roles sync feature. Set this to the
# name of the claim used to store the user's role. The roles should be sent as an
# array of strings.
# (default: <unset>, type: string)
userRoleField: ""
# A map of the OIDC passed in user roles and the groups in Coder it should map to.
# This is useful if the group names do not match. If mapped to the empty string,
# the role will ignored.
# (default: {}, type: struct[map[string][]string])
userRoleMapping: {}
# If user role sync is enabled, these roles are always included for all
# authenticated users. The 'member' role is always assigned.
# (default: <unset>, type: string-array)
userRoleDefault: []
# The text to show on the OpenID Connect sign in button.
# (default: OpenID Connect, type: string)
signInText: OpenID Connect
# URL pointing to the icon to use on the OpenID Connect login button.
# (default: <unset>, type: url)
iconURL:
# The custom text to show on the error page informing about disabled OIDC signups.
# Markdown format is supported.
# (default: <unset>, type: string)
signupsDisabledText: ""
# Telemetry is critical to our ability to improve Coder. We strip all personal
# information before sending data to our servers. Please only disable telemetry
# when required by your organization's security policy.
telemetry:
# Whether telemetry is enabled or not. Coder collects anonymized usage data to
# help improve our product.
# (default: false, type: bool)
enable: false
# URL to send telemetry.
# (default: https://telemetry.coder.com, type: url)
url: https://telemetry.coder.com
# Tune the behavior of the provisioner, which is responsible for creating,
# updating, and deleting workspace resources.
provisioning:
# Number of provisioner daemons to create on start. If builds are stuck in queued
# state for a long time, consider increasing this.
# (default: 3, type: int)
daemons: 3
# Whether to use echo provisioner daemons instead of Terraform. This is for E2E
# tests.
# (default: false, type: bool)
daemonsEcho: false
# Deprecated and ignored.
# (default: 1s, type: duration)
daemonPollInterval: 1s
# Deprecated and ignored.
# (default: 100ms, type: duration)
daemonPollJitter: 100ms
# Time to force cancel provisioning tasks that are stuck.
# (default: 10m0s, type: duration)
forceCancelInterval: 10m0s
# Enable one or more experiments. These are not ready for production. Separate
# multiple experiments with commas, or enter '*' to opt-in to all available
# experiments.
# (default: <unset>, type: string-array)
experiments: []
# Periodically check for new releases of Coder and inform the owner. The check is
# performed once per day.
# (default: false, type: bool)
updateCheck: false
# Expose the swagger endpoint via /swagger.
# (default: <unset>, type: bool)
enableSwagger: false
# The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is
# set, it will be used for compatibility with systemd.
# (default: [cache dir], type: string)
cacheDir: [cache dir]
# Controls whether data will be stored in an in-memory database.
# (default: <unset>, type: bool)
inMemoryDatabase: false
# The algorithm to use for generating ssh keys. Accepted values are "ed25519",
# "ecdsa", or "rsa4096".
# (default: ed25519, type: string)
sshKeygenAlgorithm: ed25519
# URL to use for agent troubleshooting when not set in the template.
# (default:
# https://coder.com/docs/coder-oss/latest/templates#troubleshooting-templates,
# type: url)
agentFallbackTroubleshootingURL: https://coder.com/docs/coder-oss/latest/templates#troubleshooting-templates
# Disable workspace apps that are not served from subdomains. Path-based apps can
# make requests to the Coder API and pose a security risk when the workspace
# serves malicious JavaScript. This is recommended for security purposes if a
# --wildcard-access-url is configured.
# (default: <unset>, type: bool)
disablePathApps: false
# Remove the permission for the 'owner' role to have workspace execution on all
# workspaces. This prevents the 'owner' from ssh, apps, and terminal access based
# on the 'owner' role. They still have their user permissions to access their own
# workspaces.
# (default: <unset>, type: bool)
disableOwnerWorkspaceAccess: false
# These options change the behavior of how clients interact with the Coder.
# Clients include the coder cli, vs code extension, and the web UI.
client:
# The SSH deployment prefix is used in the Host of the ssh config.
# (default: coder., type: string)
sshHostnamePrefix: coder.
# These SSH config options will override the default SSH config options. Provide
# options in "key=value" or "key value" format separated by commas.Using this
# incorrectly can break SSH to your deployment, use cautiously.
# (default: <unset>, type: string-array)
sshConfigOptions: []
# The upgrade message to display to users when a client/server mismatch is
# detected. By default it instructs users to update using 'curl -L
# https://coder.com/install.sh | sh'.
# (default: <unset>, type: string)
cliUpgradeMessage: ""
# The renderer to use when opening a web terminal. Valid values are 'canvas',
# 'webgl', or 'dom'.
# (default: canvas, type: string)
webTerminalRenderer: canvas
# Support links to display in the top right drop down menu.
# (default: <unset>, type: struct[[]codersdk.LinkConfig])
supportLinks: []
# External Authentication providers.
# (default: <unset>, type: struct[[]codersdk.ExternalAuthConfig])
externalAuthProviders: []
# Hostname of HTTPS server that runs https://github.com/coder/wgtunnel. By
# default, this will pick the best available wgtunnel server hosted by Coder. e.g.
# "tunnel.example.com".
# (default: <unset>, type: string)
wgtunnelHost: ""
# Allow users to set quiet hours schedules each day for workspaces to avoid
# workspaces stopping during the day due to template max TTL.
userQuietHoursSchedule:
# The default daily cron schedule applied to users that haven't set a custom quiet
# hours schedule themselves. The quiet hours schedule determines when workspaces
# will be force stopped due to the template's autostop requirement, and will round
# the max deadline up to be within the user's quiet hours window (or default). The
# format is the same as the standard cron format, but the day-of-month, month and
# day-of-week must be *. Only one hour and minute can be specified (ranges or
# comma separated values are not supported).
# (default: CRON_TZ=UTC 0 0 * * *, type: string)
defaultQuietHoursSchedule: CRON_TZ=UTC 0 0 * * *
# Allow users to set their own quiet hours schedule for workspaces to stop in
# (depending on template autostop requirement settings). If false, users can't
# change their quiet hours schedule and the site default is always used.
# (default: true, type: bool)
allowCustomQuietHours: true
# DEPRECATED: Allow users to rename their workspaces. Use only for temporary
# compatibility reasons, this will be removed in a future release.
# (default: false, type: bool)
allowWorkspaceRenames: false
Reference in New Issue View Git Blame Copy Permalink