coder
diff --git a/‎.github/workflows/coder.yaml
+3-3 b/‎.github/workflows/coder.yaml
+3-3
diff --git a/‎Makefile
+4-1 b/‎Makefile
+4-1
diff --git a/‎agent/agent.go
+38-9 b/‎agent/agent.go
+38-9
diff --git a/‎agent/wireguard.go
+97 b/‎agent/wireguard.go
+97
diff --git a/‎cli/agent.go
+6-3 b/‎cli/agent.go
+6-3
diff --git a/‎cli/agent_test.go
+3-3 b/‎cli/agent_test.go
+3-3
@@ -197,7 +197,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
           terraform_wrapper: false
 
       - name: Test with Mock Database
@@ -264,7 +264,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
           terraform_wrapper: false
 
       - name: Start PostgreSQL Database
@@ -508,7 +508,7 @@ jobs:
 
       - uses: hashicorp/setup-terraform@v2
         with:
-          terraform_version: 1.1.2
+          terraform_version: 1.1.9
           terraform_wrapper: false
 
       - uses: actions/setup-node@v3
 
@@ -20,7 +20,9 @@ bin: $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum
 
 	mkdir -p ./dist
 	rm -rf ./dist/coder-slim_*
+	rm -f ./site/out/bin/coder*
 	./scripts/build_go_slim.sh \
+		--compress 6 \
 		--version "$(VERSION)" \
 		--output ./dist/ \
 		linux:amd64,armv7,arm64 \
@@ -31,6 +33,7 @@ bin: $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum
 build: site/out/index.html $(shell find . -not -path './vendor/*' -type f -name '*.go') go.mod go.sum $(shell find ./examples/templates)
 	rm -rf ./dist
 	mkdir -p ./dist
+	rm -f ./site/out/bin/coder*
 
 	# build slim artifacts and copy them to the site output directory
 	./scripts/build_go_slim.sh \
@@ -57,7 +60,7 @@ coderd/database/dump.sql: $(wildcard coderd/database/migrations/*.sql)
 	go run coderd/database/dump/main.go
 
 # Generates Go code for querying the database.
-coderd/database/querier.go: coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
+coderd/database/querier.go: coderd/database/sqlc.yaml coderd/database/dump.sql $(wildcard coderd/database/queries/*.sql)
 	coderd/database/generate.sh
 
 # This target is deprecated, as GNU make has issues passing signals to subprocesses.
 
@@ -27,10 +27,13 @@ import (
 	"go.uber.org/atomic"
 	gossh "golang.org/x/crypto/ssh"
 	"golang.org/x/xerrors"
+	"inet.af/netaddr"
+	"tailscale.com/types/key"
 
 	"cdr.dev/slog"
 	"github.com/coder/coder/agent/usershell"
 	"github.com/coder/coder/peer"
+	"github.com/coder/coder/peer/peerwg"
 	"github.com/coder/coder/peerbroker"
 	"github.com/coder/coder/pty"
 	"github.com/coder/retry"
@@ -43,20 +46,31 @@ const (
 )
 
 type Options struct {
+	EnableWireguard        bool
+	UploadWireguardKeys    UploadWireguardKeys
+	ListenWireguardPeers   ListenWireguardPeers
 	ReconnectingPTYTimeout time.Duration
 	EnvironmentVariables   map[string]string
 	Logger                 slog.Logger
 }
 
 type Metadata struct {
-	OwnerEmail           string            `json:"owner_email"`
-	OwnerUsername        string            `json:"owner_username"`
-	EnvironmentVariables map[string]string `json:"environment_variables"`
-	StartupScript        string            `json:"startup_script"`
-	Directory            string            `json:"directory"`
+	WireguardAddresses   []netaddr.IPPrefix `json:"addresses"`
+	OwnerEmail           string             `json:"owner_email"`
+	OwnerUsername        string             `json:"owner_username"`
+	EnvironmentVariables map[string]string  `json:"environment_variables"`
+	StartupScript        string             `json:"startup_script"`
+	Directory            string             `json:"directory"`
+}
+
+type WireguardPublicKeys struct {
+	Public key.NodePublic  `json:"public"`
+	Disco  key.DiscoPublic `json:"disco"`
 }
 
 type Dialer func(ctx context.Context, logger slog.Logger) (Metadata, *peerbroker.Listener, error)
+type UploadWireguardKeys func(ctx context.Context, keys WireguardPublicKeys) error
+type ListenWireguardPeers func(ctx context.Context, logger slog.Logger) (<-chan peerwg.Handshake, func(), error)
 
 func New(dialer Dialer, options *Options) io.Closer {
 	if options == nil {
@@ -73,6 +87,9 @@ func New(dialer Dialer, options *Options) io.Closer {
 		closeCancel:            cancelFunc,
 		closed:                 make(chan struct{}),
 		envVars:                options.EnvironmentVariables,
+		enableWireguard:        options.EnableWireguard,
+		postKeys:               options.UploadWireguardKeys,
+		listenWireguardPeers:   options.ListenWireguardPeers,
 	}
 	server.init(ctx)
 	return server
@@ -95,6 +112,11 @@ type agent struct {
 	metadata      atomic.Value
 	startupScript atomic.Bool
 	sshServer     *ssh.Server
+
+	enableWireguard      bool
+	network              *peerwg.Network
+	postKeys             UploadWireguardKeys
+	listenWireguardPeers ListenWireguardPeers
 }
 
 func (a *agent) run(ctx context.Context) {
@@ -138,6 +160,13 @@ func (a *agent) run(ctx context.Context) {
 		}()
 	}
 
+	if a.enableWireguard {
+		err = a.startWireguard(ctx, metadata.WireguardAddresses)
+		if err != nil {
+			a.logger.Error(ctx, "start wireguard", slog.Error(err))
+		}
+	}
+
 	for {
 		conn, err := peerListener.Accept()
 		if err != nil {
@@ -366,17 +395,17 @@ func (a *agent) createCommand(ctx context.Context, rawCommand string, env []stri
 
 	// Load environment variables passed via the agent.
 	// These should override all variables we manually specify.
-	for key, value := range metadata.EnvironmentVariables {
+	for envKey, value := range metadata.EnvironmentVariables {
 		// Expanding environment variables allows for customization
 		// of the $PATH, among other variables. Customers can prepand
 		// or append to the $PATH, so allowing expand is required!
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, os.ExpandEnv(value)))
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, os.ExpandEnv(value)))
 	}
 
 	// Agent-level environment variables should take over all!
 	// This is used for setting agent-specific variables like "CODER_AGENT_TOKEN".
-	for key, value := range a.envVars {
-		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", key, value))
+	for envKey, value := range a.envVars {
+		cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%s", envKey, value))
 	}
 
 	return cmd, nil
 
@@ -0,0 +1,97 @@
+package agent
+
+import (
+	"context"
+	"net"
+	"strconv"
+
+	"golang.org/x/xerrors"
+	"inet.af/netaddr"
+
+	"cdr.dev/slog"
+	"github.com/coder/coder/peer/peerwg"
+)
+
+func (a *agent) startWireguard(ctx context.Context, addrs []netaddr.IPPrefix) error {
+	if a.network != nil {
+		_ = a.network.Close()
+		a.network = nil
+	}
+
+	// We can't create a wireguard network without these.
+	if len(addrs) == 0 || a.listenWireguardPeers == nil || a.postKeys == nil {
+		return xerrors.New("wireguard is enabled, but no addresses were provided or necessary functions were not provided")
+	}
+
+	wg, err := peerwg.New(a.logger.Named("wireguard"), addrs)
+	if err != nil {
+		return xerrors.Errorf("create wireguard network: %w", err)
+	}
+
+	// A new keypair is generated on each agent start.
+	// This keypair must be sent to Coder to allow for incoming connections.
+	err = a.postKeys(ctx, WireguardPublicKeys{
+		Public: wg.NodePrivateKey.Public(),
+		Disco:  wg.DiscoPublicKey,
+	})
+	if err != nil {
+		a.logger.Warn(ctx, "post keys", slog.Error(err))
+	}
+
+	go func() {
+		for {
+			ch, listenClose, err := a.listenWireguardPeers(ctx, a.logger)
+			if err != nil {
+				a.logger.Warn(ctx, "listen wireguard peers", slog.Error(err))
+				return
+			}
+
+			for {
+				peer, ok := <-ch
+				if !ok {
+					break
+				}
+
+				err := wg.AddPeer(peer)
+				a.logger.Info(ctx, "added wireguard peer", slog.F("peer", peer.NodePublicKey.ShortString()), slog.Error(err))
+			}
+
+			listenClose()
+		}
+	}()
+
+	a.startWireguardListeners(ctx, wg, []handlerPort{
+		{port: 12212, handler: a.sshServer.HandleConn},
+	})
+
+	a.network = wg
+	return nil
+}
+
+type handlerPort struct {
+	handler func(conn net.Conn)
+	port    uint16
+}
+
+func (a *agent) startWireguardListeners(ctx context.Context, network *peerwg.Network, handlers []handlerPort) {
+	for _, h := range handlers {
+		go func(h handlerPort) {
+			a.logger.Debug(ctx, "starting wireguard listener", slog.F("port", h.port))
+
+			listener, err := network.Listen("tcp", net.JoinHostPort("", strconv.Itoa(int(h.port))))
+			if err != nil {
+				a.logger.Warn(ctx, "listen wireguard", slog.F("port", h.port), slog.Error(err))
+				return
+			}
+
+			for {
+				conn, err := listener.Accept()
+				if err != nil {
+					return
+				}
+
+				go h.handler(conn)
+			}
+		}(h)
+	}
+}
@@ -14,17 +14,15 @@ import (
 	"cloud.google.com/go/compute/metadata"
 	"github.com/spf13/cobra"
 	"golang.org/x/xerrors"
+	"gopkg.in/natefinch/lumberjack.v2"
 
 	"cdr.dev/slog"
 	"cdr.dev/slog/sloggers/sloghuman"
-
 	"github.com/coder/coder/agent"
 	"github.com/coder/coder/agent/reaper"
 	"github.com/coder/coder/cli/cliflag"
 	"github.com/coder/coder/codersdk"
 	"github.com/coder/retry"
-
-	"gopkg.in/natefinch/lumberjack.v2"
 )
 
 func workspaceAgent() *cobra.Command {
@@ -33,6 +31,7 @@ func workspaceAgent() *cobra.Command {
 		pprofEnabled bool
 		pprofAddress string
 		noReap       bool
+		wireguard    bool
 	)
 	cmd := &cobra.Command{
 		Use: "agent",
@@ -178,6 +177,9 @@ func workspaceAgent() *cobra.Command {
 					// shells so "gitssh" works!
 					"CODER_AGENT_TOKEN": client.SessionToken,
 				},
+				EnableWireguard:      wireguard,
+				UploadWireguardKeys:  client.UploadWorkspaceAgentKeys,
+				ListenWireguardPeers: client.WireguardPeerListener,
 			})
 			<-cmd.Context().Done()
 			return closer.Close()
@@ -188,5 +190,6 @@ func workspaceAgent() *cobra.Command {
 	cliflag.BoolVarP(cmd.Flags(), &pprofEnabled, "pprof-enable", "", "CODER_AGENT_PPROF_ENABLE", false, "Enable serving pprof metrics on the address defined by --pprof-address.")
 	cliflag.BoolVarP(cmd.Flags(), &noReap, "no-reap", "", "", false, "Do not start a process reaper.")
 	cliflag.StringVarP(cmd.Flags(), &pprofAddress, "pprof-address", "", "CODER_AGENT_PPROF_ADDRESS", "127.0.0.1:6060", "The address to serve pprof.")
+	cliflag.BoolVarP(cmd.Flags(), &wireguard, "wireguard", "", "CODER_AGENT_WIREGUARD", true, "Whether to start the Wireguard interface.")
 	return cmd
 }
@@ -46,7 +46,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
 
-		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String())
+		cmd, _ := clitest.New(t, "agent", "--auth", "azure-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
 		errC := make(chan error)
@@ -101,7 +101,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
 
-		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String())
+		cmd, _ := clitest.New(t, "agent", "--auth", "aws-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
 		errC := make(chan error)
@@ -156,7 +156,7 @@ func TestWorkspaceAgent(t *testing.T) {
 		workspace := coderdtest.CreateWorkspace(t, client, user.OrganizationID, template.ID)
 		coderdtest.AwaitWorkspaceBuildJob(t, client, workspace.LatestBuild.ID)
 
-		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String())
+		cmd, _ := clitest.New(t, "agent", "--auth", "google-instance-identity", "--agent-url", client.URL.String(), "--wireguard=false")
 		ctx, cancelFunc := context.WithCancel(context.Background())
 		defer cancelFunc()
 		errC := make(chan error)