coder
diff --git a/‎README.md
Lines changed: 1 addition & 1 deletion b/‎README.md
Lines changed: 1 addition & 1 deletion
diff --git a/‎agent/agent.go
Lines changed: 13 additions & 9 deletions b/‎agent/agent.go
Lines changed: 13 additions & 9 deletions
diff --git a/‎cli/agent.go
Lines changed: 17 additions & 8 deletions b/‎cli/agent.go
Lines changed: 17 additions & 8 deletions
diff --git a/‎cli/create.go
Lines changed: 27 additions & 2 deletions b/‎cli/create.go
Lines changed: 27 additions & 2 deletions
diff --git a/‎cli/delete.go
Lines changed: 0 additions & 8 deletions b/‎cli/delete.go
Lines changed: 0 additions & 8 deletions
diff --git a/‎cli/testdata/coder_agent_--help.golden
Lines changed: 3 additions & 0 deletions b/‎cli/testdata/coder_agent_--help.golden
Lines changed: 3 additions & 0 deletions
diff --git a/‎cli/update.go
Lines changed: 3 additions & 1 deletion b/‎cli/update.go
Lines changed: 3 additions & 1 deletion
diff --git a/‎coderd/coderd.go
Lines changed: 5 additions & 5 deletions b/‎coderd/coderd.go
Lines changed: 5 additions & 5 deletions
diff --git a/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion b/‎coderd/coderdtest/coderdtest.go
Lines changed: 1 addition & 1 deletion
diff --git a/‎coderd/database/queries.sql.go
Lines changed: 3 additions & 3 deletions b/‎coderd/database/queries.sql.go
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/database/queries/workspaces.sql
Lines changed: 3 additions & 3 deletions b/‎coderd/database/queries/workspaces.sql
Lines changed: 3 additions & 3 deletions
diff --git a/‎coderd/healthcheck/derp.go
Lines changed: 8 additions & 1 deletion b/‎coderd/healthcheck/derp.go
Lines changed: 8 additions & 1 deletion
diff --git a/‎coderd/healthcheck/derp_test.go
Lines changed: 49 additions & 3 deletions b/‎coderd/healthcheck/derp_test.go
Lines changed: 49 additions & 3 deletions
diff --git a/‎coderd/httpapi/cookie.go
Lines changed: 1 addition & 1 deletion b/‎coderd/httpapi/cookie.go
Lines changed: 1 addition & 1 deletion
@@ -84,7 +84,7 @@ coder server --postgres-url <url> --access-url <url>
 
 > <sup>1</sup> For production deployments, set up an external PostgreSQL instance for reliability.
 
-Use `coder --help` to get a list of flags and environment variables. Use our [quickstart guide](https://coder.com/docs/v2/latest/quickstart) for a full walkthrough.
+Use `coder --help` to get a list of flags and environment variables. Use our [install guides](https://coder.com/docs/v2/latest/guides) for a full walkthrough.
 
 ## Documentation
 
 
@@ -82,6 +82,7 @@ type Options struct {
 	Logger                 slog.Logger
 	AgentPorts             map[int]string
 	SSHMaxTimeout          time.Duration
+	TailnetListenPort      uint16
 }
 
 type Client interface {
@@ -118,6 +119,7 @@ func New(options Options) io.Closer {
 	}
 	ctx, cancelFunc := context.WithCancel(context.Background())
 	a := &agent{
+		tailnetListenPort:      options.TailnetListenPort,
 		reconnectingPTYTimeout: options.ReconnectingPTYTimeout,
 		logger:                 options.Logger,
 		closeCancel:            cancelFunc,
@@ -139,12 +141,13 @@ func New(options Options) io.Closer {
 }
 
 type agent struct {
-	logger        slog.Logger
-	client        Client
-	exchangeToken func(ctx context.Context) (string, error)
-	filesystem    afero.Fs
-	logDir        string
-	tempDir       string
+	logger            slog.Logger
+	client            Client
+	exchangeToken     func(ctx context.Context) (string, error)
+	tailnetListenPort uint16
+	filesystem        afero.Fs
+	logDir            string
+	tempDir           string
 	// ignorePorts tells the api handler which ports to ignore when
 	// listing all listening ports. This is helpful to hide ports that
 	// are used by the agent, that the user does not care about.
@@ -606,9 +609,10 @@ func (a *agent) trackConnGoroutine(fn func()) error {
 
 func (a *agent) createTailnet(ctx context.Context, derpMap *tailcfg.DERPMap) (_ *tailnet.Conn, err error) {
 	network, err := tailnet.NewConn(&tailnet.Options{
-		Addresses: []netip.Prefix{netip.PrefixFrom(codersdk.WorkspaceAgentIP, 128)},
-		DERPMap:   derpMap,
-		Logger:    a.logger.Named("tailnet"),
+		Addresses:  []netip.Prefix{netip.PrefixFrom(codersdk.WorkspaceAgentIP, 128)},
+		DERPMap:    derpMap,
+		Logger:     a.logger.Named("tailnet"),
+		ListenPort: a.tailnetListenPort,
 	})
 	if err != nil {
 		return nil, xerrors.Errorf("create tailnet: %w", err)
 
@@ -30,11 +30,12 @@ import (
 
 func (r *RootCmd) workspaceAgent() *clibase.Cmd {
 	var (
-		auth          string
-		logDir        string
-		pprofAddress  string
-		noReap        bool
-		sshMaxTimeout time.Duration
+		auth              string
+		logDir            string
+		pprofAddress      string
+		noReap            bool
+		sshMaxTimeout     time.Duration
+		tailnetListenPort int64
 	)
 	cmd := &clibase.Cmd{
 		Use:   "agent",
@@ -187,9 +188,10 @@ func (r *RootCmd) workspaceAgent() *clibase.Cmd {
 			}
 
 			closer := agent.New(agent.Options{
-				Client: client,
-				Logger: logger,
-				LogDir: logDir,
+				Client:            client,
+				Logger:            logger,
+				LogDir:            logDir,
+				TailnetListenPort: uint16(tailnetListenPort),
 				ExchangeToken: func(ctx context.Context) (string, error) {
 					if exchangeToken == nil {
 						return client.SDK.SessionToken(), nil
@@ -248,6 +250,13 @@ func (r *RootCmd) workspaceAgent() *clibase.Cmd {
 			Description: "Specify the max timeout for a SSH connection.",
 			Value:       clibase.DurationOf(&sshMaxTimeout),
 		},
+		{
+			Flag:        "tailnet-listen-port",
+			Default:     "0",
+			Env:         "CODER_AGENT_TAILNET_LISTEN_PORT",
+			Description: "Specify a static port for Tailscale to use for listening.",
+			Value:       clibase.Int64Of(&tailnetListenPort),
+		},
 	}
 
 	return cmd
 
@@ -6,6 +6,7 @@ import (
 	"io"
 	"time"
 
+	"github.com/google/uuid"
 	"golang.org/x/exp/slices"
 	"golang.org/x/xerrors"
 
@@ -213,6 +214,7 @@ type prepWorkspaceBuildArgs struct {
 	NewWorkspaceName   string
 
 	UpdateWorkspace bool
+	WorkspaceID     uuid.UUID
 }
 
 type buildParameters struct {
@@ -340,8 +342,17 @@ PromptRichParamLoop:
 		}
 
 		if args.UpdateWorkspace && !templateVersionParameter.Mutable {
-			_, _ = fmt.Fprintln(inv.Stdout, cliui.Styles.Warn.Render(fmt.Sprintf(`Parameter %q is not mutable, so can't be customized after workspace creation.`, templateVersionParameter.Name)))
-			continue
+			// Check if the immutable parameter was used in the previous build. If so, then it isn't a fresh one
+			// and the user should be warned.
+			exists, err := workspaceBuildParameterExists(ctx, client, args.WorkspaceID, templateVersionParameter)
+			if err != nil {
+				return nil, err
+			}
+
+			if exists {
+				_, _ = fmt.Fprintln(inv.Stdout, cliui.Styles.Warn.Render(fmt.Sprintf(`Parameter %q is not mutable, so can't be customized after workspace creation.`, templateVersionParameter.Name)))
+				continue
+			}
 		}
 
 		parameterValue, err := getWorkspaceBuildParameterValueFromMapOrInput(inv, parameterMapFromFile, templateVersionParameter)
@@ -414,3 +425,17 @@ PromptRichParamLoop:
 		richParameters: richParameters,
 	}, nil
 }
+
+func workspaceBuildParameterExists(ctx context.Context, client *codersdk.Client, workspaceID uuid.UUID, templateVersionParameter codersdk.TemplateVersionParameter) (bool, error) {
+	lastBuildParameters, err := client.WorkspaceBuildParameters(ctx, workspaceID)
+	if err != nil {
+		return false, xerrors.Errorf("can't fetch last workspace build parameters: %w", err)
+	}
+
+	for _, p := range lastBuildParameters {
+		if p.Name == templateVersionParameter.Name {
+			return true, nil
+		}
+	}
+	return false, nil
+}
@@ -37,14 +37,6 @@ func (r *RootCmd) deleteWorkspace() *clibase.Cmd {
 			}
 
 			var state []byte
-
-			if orphan {
-				cliui.Warn(
-					inv.Stderr,
-					"Orphaning workspace requires template edit permission",
-				)
-			}
-
 			build, err := client.CreateWorkspaceBuild(inv.Context(), workspace.ID, codersdk.CreateWorkspaceBuildRequest{
 				Transition:       codersdk.WorkspaceTransitionDelete,
 				ProvisionerState: state,
 
@@ -18,5 +18,8 @@ Starts the Coder workspace agent.
       --ssh-max-timeout duration, $CODER_AGENT_SSH_MAX_TIMEOUT (default: 0)
           Specify the max timeout for a SSH connection.
 
+      --tailnet-listen-port int, $CODER_AGENT_TAILNET_LISTEN_PORT (default: 0)
+          Specify a static port for Tailscale to use for listening.
+
 ---
 Run `coder --help` for a list of global options.
@@ -59,7 +59,9 @@ func (r *RootCmd) update() *clibase.Cmd {
 				ExistingRichParams: existingRichParams,
 				RichParameterFile:  richParameterFile,
 				NewWorkspaceName:   workspace.Name,
-				UpdateWorkspace:    true,
+
+				UpdateWorkspace: true,
+				WorkspaceID:     workspace.LatestBuild.ID,
 			})
 			if err != nil {
 				return nil
 
@@ -123,8 +123,8 @@ type Options struct {
 	SwaggerEndpoint       bool
 	SetUserGroups         func(ctx context.Context, tx database.Store, userID uuid.UUID, groupNames []string) error
 	TemplateScheduleStore schedule.TemplateScheduleStore
-	// AppSigningKey denotes the symmetric key to use for signing app tickets.
-	// The key must be 64 bytes long.
+	// AppSigningKey denotes the symmetric key to use for signing temporary app
+	// tokens. The key must be 64 bytes long.
 	AppSigningKey      []byte
 	HealthcheckFunc    func(ctx context.Context) (*healthcheck.Report, error)
 	HealthcheckTimeout time.Duration
@@ -297,7 +297,7 @@ func New(options *Options) *API {
 			Authorizer: options.Authorizer,
 			Logger:     options.Logger,
 		},
-		WorkspaceAppsProvider: workspaceapps.New(
+		WorkspaceAppsProvider: workspaceapps.NewDBTokenProvider(
 			options.Logger.Named("workspaceapps"),
 			options.AccessURL,
 			options.Authorizer,
@@ -642,7 +642,7 @@ func New(options *Options) *API {
 				r.Post("/metadata/{key}", api.workspaceAgentPostMetadata)
 			})
 			// No middleware on the PTY endpoint since it uses workspace
-			// application auth and tickets.
+			// application auth and signed app tokens.
 			r.Get("/{workspaceagent}/pty", api.workspaceAgentPTY)
 			r.Route("/{workspaceagent}", func(r chi.Router) {
 				r.Use(
@@ -788,7 +788,7 @@ type API struct {
 	metricsCache          *metricscache.Cache
 	workspaceAgentCache   *wsconncache.Cache
 	updateChecker         *updatecheck.Checker
-	WorkspaceAppsProvider *workspaceapps.Provider
+	WorkspaceAppsProvider workspaceapps.SignedTokenProvider
 
 	// Experiments contains the list of experiments currently enabled.
 	// This is used to gate features that are not yet ready for production.
 
@@ -80,7 +80,7 @@ import (
 	"github.com/coder/coder/testutil"
 )
 
-// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tickets in
+// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tokens in
 // tests.
 var AppSigningKey = must(hex.DecodeString("64656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566"))
 
 
@@ -356,16 +356,16 @@ WITH workspaces_with_jobs AS (
 			build_number DESC
 		LIMIT
 			1
-	) latest_build ON TRUE
+	) latest_build ON TRUE WHERE deleted = false
 ), pending_workspaces AS (
 	SELECT COUNT(*) AS count FROM workspaces_with_jobs WHERE
 		started_at IS NULL
 ), building_workspaces AS (
 	SELECT COUNT(*) AS count FROM workspaces_with_jobs WHERE
 		started_at IS NOT NULL AND
 		canceled_at IS NULL AND
-		updated_at - INTERVAL '30 seconds' < NOW() AND
-		completed_at IS NULL
+		completed_at IS NULL AND
+		updated_at - INTERVAL '30 seconds' < NOW()
 ), running_workspaces AS (
 	SELECT COUNT(*) AS count FROM workspaces_with_jobs WHERE
 		completed_at IS NOT NULL AND
 
@@ -171,7 +171,14 @@ func (r *DERPNodeReport) Run(ctx context.Context) error {
 	r.doExchangeMessage(ctx)
 	r.doSTUNTest(ctx)
 
-	if !r.CanExchangeMessages || r.UsesWebsocket || r.STUN.Error != nil {
+	// We can't exchange messages with the node,
+	if (!r.CanExchangeMessages && !r.Node.STUNOnly) ||
+		// A node may use websockets because `Upgrade: DERP` may be blocked on
+		// the load balancer. This is unhealthy because websockets are slower
+		// than the regular DERP protocol.
+		r.UsesWebsocket ||
+		// The node was marked as STUN compatible but the STUN test failed.
+		r.STUN.Error != nil {
 		r.Healthy = false
 	}
 	return nil
 
@@ -64,7 +64,8 @@ func TestDERP(t *testing.T) {
 			for _, node := range region.NodeReports {
 				assert.True(t, node.Healthy)
 				assert.True(t, node.CanExchangeMessages)
-				assert.Positive(t, node.RoundTripPing)
+				// TODO: test this without serializing time.Time over the wire.
+				// assert.Positive(t, node.RoundTripPing)
 				assert.Len(t, node.ClientLogs, 2)
 				assert.Len(t, node.ClientLogs[0], 1)
 				assert.Len(t, node.ClientErrs[0], 0)
@@ -105,7 +106,8 @@ func TestDERP(t *testing.T) {
 			for _, node := range region.NodeReports {
 				assert.True(t, node.Healthy)
 				assert.True(t, node.CanExchangeMessages)
-				assert.Positive(t, node.RoundTripPing)
+				// TODO: test this without serializing time.Time over the wire.
+				// assert.Positive(t, node.RoundTripPing)
 				assert.Len(t, node.ClientLogs, 2)
 				assert.Len(t, node.ClientLogs[0], 1)
 				assert.Len(t, node.ClientErrs[0], 0)
@@ -168,7 +170,8 @@ func TestDERP(t *testing.T) {
 			for _, node := range region.NodeReports {
 				assert.False(t, node.Healthy)
 				assert.True(t, node.CanExchangeMessages)
-				assert.Positive(t, node.RoundTripPing)
+				// TODO: test this without serializing time.Time over the wire.
+				// assert.Positive(t, node.RoundTripPing)
 				assert.Len(t, node.ClientLogs, 2)
 				assert.Len(t, node.ClientLogs[0], 3)
 				assert.Len(t, node.ClientLogs[1], 3)
@@ -183,6 +186,49 @@ func TestDERP(t *testing.T) {
 			}
 		}
 	})
+
+	t.Run("OK/STUNOnly", func(t *testing.T) {
+		t.Parallel()
+
+		var (
+			ctx    = context.Background()
+			report = healthcheck.DERPReport{}
+			opts   = &healthcheck.DERPReportOptions{
+				DERPMap: &tailcfg.DERPMap{Regions: map[int]*tailcfg.DERPRegion{
+					1: {
+						EmbeddedRelay: true,
+						RegionID:      999,
+						Nodes: []*tailcfg.DERPNode{{
+							Name:             "999stun0",
+							RegionID:         999,
+							HostName:         "stun.l.google.com",
+							STUNPort:         19302,
+							STUNOnly:         true,
+							InsecureForTests: true,
+							ForceHTTP:        true,
+						}},
+					},
+				}},
+			}
+		)
+
+		err := report.Run(ctx, opts)
+		require.NoError(t, err)
+
+		assert.True(t, report.Healthy)
+		for _, region := range report.Regions {
+			assert.True(t, region.Healthy)
+			for _, node := range region.NodeReports {
+				assert.True(t, node.Healthy)
+				assert.False(t, node.CanExchangeMessages)
+				assert.Len(t, node.ClientLogs, 0)
+
+				assert.True(t, node.STUN.Enabled)
+				assert.True(t, node.STUN.CanSTUN)
+				assert.NoError(t, node.STUN.Error)
+			}
+		}
+	})
 }
 
 func tsDERPMap(ctx context.Context, t testing.TB) *tailcfg.DERPMap {
 
@@ -24,7 +24,7 @@ func StripCoderCookies(header string) string {
 			name == codersdk.OAuth2StateCookie ||
 			name == codersdk.OAuth2RedirectCookie ||
 			name == codersdk.DevURLSessionTokenCookie ||
-			name == codersdk.DevURLSessionTicketCookie {
+			name == codersdk.DevURLSignedAppTokenCookie {
 			continue
 		}
 		cookies = append(cookies, part)
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ import (`
`80`	`80`	`"github.com/coder/coder/testutil"`
`81`	`81`	`)`
`82`	`82`
`83`		`-// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tickets in`
	`83`	`+// AppSigningKey is a 64-byte key used to sign JWTs for workspace app tokens in`
`84`	`84`	`// tests.`
`85`	`85`	`var AppSigningKey = must(hex.DecodeString("64656164626565666465616462656566646561646265656664656164626565666465616462656566646561646265656664656164626565666465616462656566"))`
`86`	`86`
Original file line number	Diff line number	Diff line change
`@@ -24,7 +24,7 @@ func StripCoderCookies(header string) string {`
`24`	`24`	`name == codersdk.OAuth2StateCookie \|\|`
`25`	`25`	`name == codersdk.OAuth2RedirectCookie \|\|`
`26`	`26`	`name == codersdk.DevURLSessionTokenCookie \|\|`
`27`		`- name == codersdk.DevURLSessionTicketCookie {`
	`27`	`+ name == codersdk.DevURLSignedAppTokenCookie {`
`28`	`28`	`continue`
`29`	`29`	`}`
`30`	`30`	`cookies = append(cookies, part)`