coder
diff --git a/‎cli/testdata/coder_server_--help.golden
+69-3 b/‎cli/testdata/coder_server_--help.golden
+69-3
diff --git a/‎cli/testdata/server-config.yaml.golden
+48-3 b/‎cli/testdata/server-config.yaml.golden
+48-3
diff --git a/‎coderd/notifications/dispatch/smtp.go
+2-2 b/‎coderd/notifications/dispatch/smtp.go
+2-2
@@ -106,6 +106,58 @@ Use a YAML configuration file when your server launch become unwieldy.
 
           Write out the current server config as YAML to stdout.
 
+EMAIL OPTIONS: 
+Configure how emails are sent.
+
+      --email-force-tls bool, $CODER_EMAIL_FORCE_TLS (default: false)
+          Force a TLS connection to the configured SMTP smarthost.
+
+      --email-from string, $CODER_EMAIL_FROM
+          The sender's address to use.
+
+      --email-hello string, $CODER_EMAIL_HELLO (default: localhost)
+          The hostname identifying the SMTP server.
+
+      --email-smarthost host:port, $CODER_EMAIL_SMARTHOST (default: localhost:587)
+          The intermediary SMTP host through which emails are sent.
+
+EMAIL / EMAIL AUTHENTICATION OPTIONS: 
+Configure SMTP authentication options.
+
+      --email-auth-identity string, $CODER_EMAIL_AUTH_IDENTITY
+          Identity to use with PLAIN authentication.
+
+      --email-auth-password string, $CODER_EMAIL_AUTH_PASSWORD
+          Password to use with PLAIN/LOGIN authentication.
+
+      --email-auth-password-file string, $CODER_EMAIL_AUTH_PASSWORD_FILE
+          File from which to load password for use with PLAIN/LOGIN
+          authentication.
+
+      --email-auth-username string, $CODER_EMAIL_AUTH_USERNAME
+          Username to use with PLAIN/LOGIN authentication.
+
+EMAIL / EMAIL TLS OPTIONS: 
+Configure TLS for your SMTP server target.
+
+      --email-tls-ca-cert-file string, $CODER_EMAIL_TLS_CACERTFILE
+          CA certificate file to use.
+
+      --email-tls-cert-file string, $CODER_EMAIL_TLS_CERTFILE
+          Certificate file to use.
+
+      --email-tls-cert-key-file string, $CODER_EMAIL_TLS_CERTKEYFILE
+          Certificate key file to use.
+
+      --email-tls-server-name string, $CODER_EMAIL_TLS_SERVERNAME
+          Server name to verify against the target certificate.
+
+      --email-tls-skip-verify bool, $CODER_EMAIL_TLS_SKIPVERIFY
+          Skip verification of the target server's certificate (insecure).
+
+      --email-tls-starttls bool, $CODER_EMAIL_TLS_STARTTLS
+          Enable STARTTLS to upgrade insecure SMTP connections using TLS.
+
 INTROSPECTION / HEALTH CHECK OPTIONS: 
       --health-check-refresh duration, $CODER_HEALTH_CHECK_REFRESH (default: 10m0s)
           Refresh interval for healthchecks.
@@ -349,54 +401,68 @@ Configure how notifications are processed and delivered.
 NOTIFICATIONS / EMAIL OPTIONS: 
 Configure how email notifications are sent.
 
-      --notifications-email-force-tls bool, $CODER_NOTIFICATIONS_EMAIL_FORCE_TLS (default: false)
+      --notifications-email-force-tls bool, $CODER_NOTIFICATIONS_EMAIL_FORCE_TLS
           Force a TLS connection to the configured SMTP smarthost.
+          DEPRECATED: Use --email-force-tls instead.
 
       --notifications-email-from string, $CODER_NOTIFICATIONS_EMAIL_FROM
           The sender's address to use.
+          DEPRECATED: Use --email-from instead.
 
-      --notifications-email-hello string, $CODER_NOTIFICATIONS_EMAIL_HELLO (default: localhost)
+      --notifications-email-hello string, $CODER_NOTIFICATIONS_EMAIL_HELLO
           The hostname identifying the SMTP server.
+          DEPRECATED: Use --email-hello instead.
 
-      --notifications-email-smarthost host:port, $CODER_NOTIFICATIONS_EMAIL_SMARTHOST (default: localhost:587)
+      --notifications-email-smarthost host:port, $CODER_NOTIFICATIONS_EMAIL_SMARTHOST
           The intermediary SMTP host through which emails are sent.
+          DEPRECATED: Use --email-smarthost instead.
 
 NOTIFICATIONS / EMAIL / EMAIL AUTHENTICATION OPTIONS: 
 Configure SMTP authentication options.
 
       --notifications-email-auth-identity string, $CODER_NOTIFICATIONS_EMAIL_AUTH_IDENTITY
           Identity to use with PLAIN authentication.
+          DEPRECATED: Use --email-auth-identity instead.
 
       --notifications-email-auth-password string, $CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD
           Password to use with PLAIN/LOGIN authentication.
+          DEPRECATED: Use --email-auth-password instead.
 
       --notifications-email-auth-password-file string, $CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD_FILE
           File from which to load password for use with PLAIN/LOGIN
           authentication.
+          DEPRECATED: Use --email-auth-password-file instead.
 
       --notifications-email-auth-username string, $CODER_NOTIFICATIONS_EMAIL_AUTH_USERNAME
           Username to use with PLAIN/LOGIN authentication.
+          DEPRECATED: Use --email-auth-username instead.
 
 NOTIFICATIONS / EMAIL / EMAIL TLS OPTIONS: 
 Configure TLS for your SMTP server target.
 
       --notifications-email-tls-ca-cert-file string, $CODER_NOTIFICATIONS_EMAIL_TLS_CACERTFILE
           CA certificate file to use.
+          DEPRECATED: Use --email-tls-ca-cert-file instead.
 
       --notifications-email-tls-cert-file string, $CODER_NOTIFICATIONS_EMAIL_TLS_CERTFILE
           Certificate file to use.
+          DEPRECATED: Use --email-tls-cert-file instead.
 
       --notifications-email-tls-cert-key-file string, $CODER_NOTIFICATIONS_EMAIL_TLS_CERTKEYFILE
           Certificate key file to use.
+          DEPRECATED: Use --email-tls-cert-key-file instead.
 
       --notifications-email-tls-server-name string, $CODER_NOTIFICATIONS_EMAIL_TLS_SERVERNAME
           Server name to verify against the target certificate.
+          DEPRECATED: Use --email-tls-server-name instead.
 
       --notifications-email-tls-skip-verify bool, $CODER_NOTIFICATIONS_EMAIL_TLS_SKIPVERIFY
           Skip verification of the target server's certificate (insecure).
+          DEPRECATED: Use --email-tls-skip-verify instead.
 
       --notifications-email-tls-starttls bool, $CODER_NOTIFICATIONS_EMAIL_TLS_STARTTLS
           Enable STARTTLS to upgrade insecure SMTP connections using TLS.
+          DEPRECATED: Use --email-tls-starttls instead.
 
 NOTIFICATIONS / WEBHOOK OPTIONS: 
       --notifications-webhook-endpoint url, $CODER_NOTIFICATIONS_WEBHOOK_ENDPOINT
 
@@ -518,6 +518,51 @@ userQuietHoursSchedule:
 # compatibility reasons, this will be removed in a future release.
 # (default: false, type: bool)
 allowWorkspaceRenames: false
+# Configure how emails are sent.
+email:
+  # The sender's address to use.
+  # (default: <unset>, type: string)
+  from: ""
+  # The intermediary SMTP host through which emails are sent.
+  # (default: localhost:587, type: host:port)
+  smarthost: localhost:587
+  # The hostname identifying the SMTP server.
+  # (default: localhost, type: string)
+  hello: localhost
+  # Force a TLS connection to the configured SMTP smarthost.
+  # (default: false, type: bool)
+  forceTLS: false
+  # Configure SMTP authentication options.
+  emailAuth:
+    # Identity to use with PLAIN authentication.
+    # (default: <unset>, type: string)
+    identity: ""
+    # Username to use with PLAIN/LOGIN authentication.
+    # (default: <unset>, type: string)
+    username: ""
+    # File from which to load password for use with PLAIN/LOGIN authentication.
+    # (default: <unset>, type: string)
+    passwordFile: ""
+  # Configure TLS for your SMTP server target.
+  emailTLS:
+    # Enable STARTTLS to upgrade insecure SMTP connections using TLS.
+    # (default: <unset>, type: bool)
+    startTLS: false
+    # Server name to verify against the target certificate.
+    # (default: <unset>, type: string)
+    serverName: ""
+    # Skip verification of the target server's certificate (insecure).
+    # (default: <unset>, type: bool)
+    insecureSkipVerify: false
+    # CA certificate file to use.
+    # (default: <unset>, type: string)
+    caCertFile: ""
+    # Certificate file to use.
+    # (default: <unset>, type: string)
+    certFile: ""
+    # Certificate key file to use.
+    # (default: <unset>, type: string)
+    certKeyFile: ""
 # Configure how notifications are processed and delivered.
 notifications:
   # Which delivery method to use (available options: 'smtp', 'webhook').
@@ -532,13 +577,13 @@ notifications:
     # (default: <unset>, type: string)
     from: ""
     # The intermediary SMTP host through which emails are sent.
-    # (default: localhost:587, type: host:port)
+    # (default: <unset>, type: host:port)
     smarthost: localhost:587
     # The hostname identifying the SMTP server.
-    # (default: localhost, type: string)
+    # (default: <unset>, type: string)
     hello: localhost
     # Force a TLS connection to the configured SMTP smarthost.
-    # (default: false, type: bool)
+    # (default: <unset>, type: bool)
     forceTLS: false
     # Configure SMTP authentication options.
     emailAuth:
 
@@ -453,7 +453,7 @@ func (s *SMTPHandler) auth(ctx context.Context, mechs string) (sasl.Client, erro
 				continue
 			}
 			if password == "" {
-				errs = multierror.Append(errs, xerrors.New("cannot use PLAIN auth, password not defined (see CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD)"))
+				errs = multierror.Append(errs, xerrors.New("cannot use PLAIN auth, password not defined (see CODER_EMAIL_AUTH_PASSWORD)"))
 				continue
 			}
 
@@ -475,7 +475,7 @@ func (s *SMTPHandler) auth(ctx context.Context, mechs string) (sasl.Client, erro
 				continue
 			}
 			if password == "" {
-				errs = multierror.Append(errs, xerrors.New("cannot use LOGIN auth, password not defined (see CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD)"))
+				errs = multierror.Append(errs, xerrors.New("cannot use LOGIN auth, password not defined (see CODER_EMAIL_AUTH_PASSWORD)"))
 				continue
 			}
Original file line number	Diff line number	Diff line change
`@@ -453,7 +453,7 @@ func (s *SMTPHandler) auth(ctx context.Context, mechs string) (sasl.Client, erro`
`453`	`453`	`continue`
`454`	`454`	`}`
`455`	`455`	`if password == "" {`
`456`		`- errs = multierror.Append(errs, xerrors.New("cannot use PLAIN auth, password not defined (see CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD)"))`
	`456`	`+ errs = multierror.Append(errs, xerrors.New("cannot use PLAIN auth, password not defined (see CODER_EMAIL_AUTH_PASSWORD)"))`
`457`	`457`	`continue`
`458`	`458`	`}`
`459`	`459`
`@@ -475,7 +475,7 @@ func (s *SMTPHandler) auth(ctx context.Context, mechs string) (sasl.Client, erro`
`475`	`475`	`continue`
`476`	`476`	`}`
`477`	`477`	`if password == "" {`
`478`		`- errs = multierror.Append(errs, xerrors.New("cannot use LOGIN auth, password not defined (see CODER_NOTIFICATIONS_EMAIL_AUTH_PASSWORD)"))`
	`478`	`+ errs = multierror.Append(errs, xerrors.New("cannot use LOGIN auth, password not defined (see CODER_EMAIL_AUTH_PASSWORD)"))`
`479`	`479`	`continue`
`480`	`480`	`}`
`481`	`481`