coder
diff --git a/‎cli/server.go
+13-5 b/‎cli/server.go
+13-5
diff --git a/‎cli/server_regenerate_vapid_keypair.go
+111 b/‎cli/server_regenerate_vapid_keypair.go
+111
diff --git a/‎cli/server_regenerate_vapid_keypair_test.go
+115 b/‎cli/server_regenerate_vapid_keypair_test.go
+115
diff --git a/‎cli/testdata/coder_server_--help.golden
+8-6 b/‎cli/testdata/coder_server_--help.golden
+8-6
diff --git a/‎cli/testdata/coder_server_regenerate-vapid-keypair_--help.golden
+21 b/‎cli/testdata/coder_server_regenerate-vapid-keypair_--help.golden
+21
diff --git a/‎coderd/apidoc/docs.go
+78 b/‎coderd/apidoc/docs.go
+78
@@ -776,11 +776,18 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 				return xerrors.Errorf("set deployment id: %w", err)
 			}
 
-			pushNotifier, err := push.New(ctx, &options.Logger, options.Database)
-			if err != nil {
-				return xerrors.Errorf("failed to create push notifier: %w", err)
+			// Manage push notifications.
+			{
+				pushNotifier, err := push.New(ctx, &options.Logger, options.Database)
+				if err != nil {
+					options.Logger.Error(ctx, "failed to create push notifier", slog.Error(err))
+					options.Logger.Warn(ctx, "push notifications will not work until the VAPID keys are regenerated")
+					pushNotifier = &push.NoopNotifier{
+						Msg: "Push notifications are disabled due to a system error. Please contact your Coder administrator.",
+					}
+				}
+				options.PushNotifier = pushNotifier
 			}
-			options.PushNotifier = pushNotifier
 
 			githubOAuth2ConfigParams, err := getGithubOAuth2ConfigParams(ctx, options.Database, vals)
 			if err != nil {
@@ -1262,6 +1269,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 	}
 
 	createAdminUserCmd := r.newCreateAdminUserCommand()
+	regenerateVapidKeypairCmd := r.newRegenerateVapidKeypairCommand()
 
 	rawURLOpt := serpent.Option{
 		Flag: "raw-url",
@@ -1275,7 +1283,7 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 
 	serverCmd.Children = append(
 		serverCmd.Children,
-		createAdminUserCmd, postgresBuiltinURLCmd, postgresBuiltinServeCmd,
+		createAdminUserCmd, postgresBuiltinURLCmd, postgresBuiltinServeCmd, regenerateVapidKeypairCmd,
 	)
 
 	return serverCmd
 
@@ -0,0 +1,111 @@
+//go:build !slim
+
+package cli
+
+import (
+	"fmt"
+
+	"golang.org/x/xerrors"
+
+	"cdr.dev/slog"
+	"cdr.dev/slog/sloggers/sloghuman"
+
+	"github.com/coder/coder/v2/cli/cliui"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/awsiamrds"
+	"github.com/coder/coder/v2/coderd/notifications/push"
+	"github.com/coder/coder/v2/codersdk"
+	"github.com/coder/serpent"
+)
+
+func (r *RootCmd) newRegenerateVapidKeypairCommand() *serpent.Command {
+	var (
+		regenVapidKeypairDBURL  string
+		regenVapidKeypairPgAuth string
+	)
+	regenerateVapidKeypairCommand := &serpent.Command{
+		Use:   "regenerate-vapid-keypair",
+		Short: "Regenerate the VAPID keypair used for push notifications.",
+		Handler: func(inv *serpent.Invocation) error {
+			var (
+				ctx, cancel = inv.SignalNotifyContext(inv.Context(), StopSignals...)
+				cfg         = r.createConfig()
+				logger      = inv.Logger.AppendSinks(sloghuman.Sink(inv.Stderr))
+			)
+			if r.verbose {
+				logger = logger.Leveled(slog.LevelDebug)
+			}
+
+			defer cancel()
+
+			if regenVapidKeypairDBURL == "" {
+				cliui.Infof(inv.Stdout, "Using built-in PostgreSQL (%s)", cfg.PostgresPath())
+				url, closePg, err := startBuiltinPostgres(ctx, cfg, logger, "")
+				if err != nil {
+					return err
+				}
+				defer func() {
+					_ = closePg()
+				}()
+				regenVapidKeypairDBURL = url
+			}
+
+			sqlDriver := "postgres"
+			var err error
+			if codersdk.PostgresAuth(regenVapidKeypairPgAuth) == codersdk.PostgresAuthAWSIAMRDS {
+				sqlDriver, err = awsiamrds.Register(inv.Context(), sqlDriver)
+				if err != nil {
+					return xerrors.Errorf("register aws rds iam auth: %w", err)
+				}
+			}
+
+			sqlDB, err := ConnectToPostgres(ctx, logger, sqlDriver, regenVapidKeypairDBURL, nil)
+			if err != nil {
+				return xerrors.Errorf("connect to postgres: %w", err)
+			}
+			defer func() {
+				_ = sqlDB.Close()
+			}()
+			db := database.New(sqlDB)
+
+			// Confirm that the user really wants to regenerate the VAPID keypair.
+			cliui.Infof(inv.Stdout, "Regenerating VAPID keypair...")
+			cliui.Infof(inv.Stdout, "This will delete all existing push notification subscriptions.")
+			cliui.Infof(inv.Stdout, "Are you sure you want to continue? (y/N)")
+
+			if resp, err := cliui.Prompt(inv, cliui.PromptOptions{
+				IsConfirm: true,
+				Default:   cliui.ConfirmNo,
+			}); err != nil || resp != cliui.ConfirmYes {
+				return xerrors.Errorf("VAPID keypair regeneration failed: %w", err)
+			}
+
+			if _, _, err := push.RegenerateVAPIDKeys(ctx, db); err != nil {
+				return xerrors.Errorf("regenerate vapid keypair: %w", err)
+			}
+
+			_, _ = fmt.Fprintln(inv.Stdout, "VAPID keypair regenerated successfully.")
+			return nil
+		},
+	}
+
+	regenerateVapidKeypairCommand.Options.Add(
+		cliui.SkipPromptOption(),
+		serpent.Option{
+			Env:         "CODER_PG_CONNECTION_URL",
+			Flag:        "postgres-url",
+			Description: "URL of a PostgreSQL database. If empty, the built-in PostgreSQL deployment will be used (Coder must not be already running in this case).",
+			Value:       serpent.StringOf(&regenVapidKeypairDBURL),
+		},
+		serpent.Option{
+			Name:        "Postgres Connection Auth",
+			Description: "Type of auth to use when connecting to postgres.",
+			Flag:        "postgres-connection-auth",
+			Env:         "CODER_PG_CONNECTION_AUTH",
+			Default:     "password",
+			Value:       serpent.EnumOf(&regenVapidKeypairPgAuth, codersdk.PostgresAuthDrivers...),
+		},
+	)
+
+	return regenerateVapidKeypairCommand
+}
@@ -0,0 +1,115 @@
+package cli_test
+
+import (
+	"context"
+	"database/sql"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/coder/coder/v2/cli/clitest"
+	"github.com/coder/coder/v2/coderd/database"
+	"github.com/coder/coder/v2/coderd/database/dbgen"
+	"github.com/coder/coder/v2/coderd/database/dbtestutil"
+	"github.com/coder/coder/v2/pty/ptytest"
+	"github.com/coder/coder/v2/testutil"
+)
+
+func TestRegenerateVapidKeypair(t *testing.T) {
+	t.Parallel()
+
+	t.Run("NoExistingVAPIDKeys", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+		t.Cleanup(cancel)
+
+		connectionURL, err := dbtestutil.Open(t)
+		require.NoError(t, err)
+
+		sqlDB, err := sql.Open("postgres", connectionURL)
+		require.NoError(t, err)
+		defer sqlDB.Close()
+
+		db := database.New(sqlDB)
+		// Ensure there is no existing VAPID keypair.
+		rows, err := db.GetNotificationVAPIDKeys(ctx)
+		require.NoError(t, err)
+		require.Empty(t, rows)
+
+		inv, _ := clitest.New(t, "server", "regenerate-vapid-keypair", "--postgres-url", connectionURL, "--yes")
+
+		pty := ptytest.New(t)
+		inv.Stdout = pty.Output()
+		inv.Stderr = pty.Output()
+		clitest.Start(t, inv)
+
+		pty.ExpectMatchContext(ctx, "Regenerating VAPID keypair...")
+		pty.ExpectMatchContext(ctx, "This will delete all existing push notification subscriptions.")
+		pty.ExpectMatchContext(ctx, "Are you sure you want to continue? (y/N)")
+		pty.WriteLine("y")
+		pty.ExpectMatchContext(ctx, "VAPID keypair regenerated successfully.")
+
+		// Ensure the VAPID keypair was created.
+		keys, err := db.GetNotificationVAPIDKeys(ctx)
+		require.NoError(t, err)
+		require.NotEmpty(t, keys.VapidPublicKey)
+		require.NotEmpty(t, keys.VapidPrivateKey)
+	})
+
+	t.Run("ExistingVAPIDKeys", func(t *testing.T) {
+		t.Parallel()
+
+		ctx, cancel := context.WithTimeout(context.Background(), testutil.WaitShort)
+		t.Cleanup(cancel)
+
+		connectionURL, err := dbtestutil.Open(t)
+		require.NoError(t, err)
+
+		sqlDB, err := sql.Open("postgres", connectionURL)
+		require.NoError(t, err)
+		defer sqlDB.Close()
+
+		db := database.New(sqlDB)
+		for i := 0; i < 10; i++ {
+			// Insert a few fake users.
+			u := dbgen.User(t, db, database.User{})
+			// Insert a few fake push subscriptions for each user.
+			for j := 0; j < 10; j++ {
+				_ = dbgen.NotificationPushSubscription(t, db, database.InsertNotificationPushSubscriptionParams{
+					UserID: u.ID,
+				})
+			}
+		}
+
+		inv, _ := clitest.New(t, "server", "regenerate-vapid-keypair", "--postgres-url", connectionURL, "--yes")
+
+		pty := ptytest.New(t)
+		inv.Stdout = pty.Output()
+		inv.Stderr = pty.Output()
+		clitest.Start(t, inv)
+
+		pty.ExpectMatchContext(ctx, "Regenerating VAPID keypair...")
+		pty.ExpectMatchContext(ctx, "This will delete all existing push notification subscriptions.")
+		pty.ExpectMatchContext(ctx, "Are you sure you want to continue? (y/N)")
+		pty.WriteLine("y")
+		pty.ExpectMatchContext(ctx, "VAPID keypair regenerated successfully.")
+
+		// Ensure the VAPID keypair was created.
+		keys, err := db.GetNotificationVAPIDKeys(ctx)
+		require.NoError(t, err)
+		require.NotEmpty(t, keys.VapidPublicKey)
+		require.NotEmpty(t, keys.VapidPrivateKey)
+
+		// Ensure the push subscriptions were deleted.
+		var count int64
+		rows, err := sqlDB.QueryContext(ctx, "SELECT COUNT(*) FROM notification_push_subscriptions")
+		require.NoError(t, err)
+		t.Cleanup(func() {
+			_ = rows.Close()
+		})
+		require.True(t, rows.Next())
+		require.NoError(t, rows.Scan(&count))
+		require.Equal(t, int64(0), count)
+	})
+}
@@ -6,12 +6,14 @@ USAGE:
   Start a Coder server
 
 SUBCOMMANDS:
-    create-admin-user         Create a new admin user with the given username,
-                              email and password and adds it to every
-                              organization.
-    postgres-builtin-serve    Run the built-in PostgreSQL deployment.
-    postgres-builtin-url      Output the connection URL for the built-in
-                              PostgreSQL deployment.
+    create-admin-user           Create a new admin user with the given username,
+                                email and password and adds it to every
+                                organization.
+    postgres-builtin-serve      Run the built-in PostgreSQL deployment.
+    postgres-builtin-url        Output the connection URL for the built-in
+                                PostgreSQL deployment.
+    regenerate-vapid-keypair    Regenerate the VAPID keypair used for push
+                                notifications.
 
 OPTIONS:
       --allow-workspace-renames bool, $CODER_ALLOW_WORKSPACE_RENAMES (default: false)
 
@@ -0,0 +1,21 @@
+coder v0.0.0-devel
+
+USAGE:
+  coder server regenerate-vapid-keypair [flags]
+
+  Regenerate the VAPID keypair used for push notifications.
+
+OPTIONS:
+      --postgres-connection-auth password|awsiamrds, $CODER_PG_CONNECTION_AUTH (default: password)
+          Type of auth to use when connecting to postgres.
+
+      --postgres-url string, $CODER_PG_CONNECTION_URL
+          URL of a PostgreSQL database. If empty, the built-in PostgreSQL
+          deployment will be used (Coder must not be already running in this
+          case).
+
+  -y, --yes bool
+          Bypass prompts.
+
+———
+Run `coder --help` for a list of global options.