diff --git a/dogfood/README.md b/dogfood/README.md
new file mode 100644
index 0000000000000..e4ffc192e95e7
--- /dev/null
+++ b/dogfood/README.md
@@ -0,0 +1,26 @@
+# dogfood template
+
+Ammar is this template's admin.
+
+This template runs the `gcr.io/coder-dogfood/master/coder-dev-ubuntu` Docker
+image in a `sysbox-runc` container.
+
+## Personalization
+
+The startup script runs your `~/personalize` file if it exists.
+
+## How is this hosted?
+
+Coder dogfoods on a beefy, single Teraswitch machine. We decided to use
+a bare metal provider for best-in-class cost-to-performance. We decided to
+use a single machine for crazy fast parallelized builds and tests.
+
+## How is the provisioner configured?
+
+Our dogfood VM runs an SSH tunnel to our dogfood Docker host's docker socket.
+The socket is mounted on `/var/run/dogfood-docker.sock`.
+
+The SSH command can be found hanging out in the screen session named
+`forward`.
+
+The tunnel and corresponding SSH key is under the root user.
diff --git a/dogfood/main.tf b/dogfood/main.tf
new file mode 100644
index 0000000000000..5407a631e16e3
--- /dev/null
+++ b/dogfood/main.tf
@@ -0,0 +1,81 @@
+terraform {
+  required_providers {
+    coder = {
+      source  = "coder/coder"
+      version = "0.4.2"
+    }
+    docker = {
+      source  = "kreuzwerker/docker"
+      version = "~> 2.18.0"
+    }
+  }
+}
+
+# Admin parameters
+
+provider "docker" {
+  host = "unix:///var/run/dogfood-docker.sock"
+}
+
+provider "coder" {
+}
+
+data "coder_workspace" "me" {
+}
+
+resource "coder_agent" "dev" {
+  arch           = "amd64"
+  os             = "linux"
+  startup_script = <<EOF
+    #!/bin/sh
+    set -x
+    # install and start code-server
+    curl -fsSL https://code-server.dev/install.sh | sh
+    code-server --auth none --port 13337 &
+    sudo service docker start
+    if [ -f ~/personalize ]; then ~/personalize 2>&1 | tee  ~/.personalize.log; fi
+    EOF
+}
+
+resource "coder_app" "code-server" {
+  agent_id = coder_agent.dev.id
+  name     = "code-server"
+  url      = "http://localhost:13337/?folder=/home/coder"
+  icon     = "/icon/code.svg"
+}
+
+
+resource "docker_volume" "home_volume" {
+  name = "coder-${data.coder_workspace.me.owner}-${data.coder_workspace.me.name}-home"
+}
+
+resource "docker_container" "workspace" {
+  count = data.coder_workspace.me.start_count
+  image = "gcr.io/coder-dogfood/master/coder-dev-ubuntu:latest"
+  # Uses lower() to avoid Docker restriction on container names.
+  name = "coder-${data.coder_workspace.me.owner}-${lower(data.coder_workspace.me.name)}"
+  # Hostname makes the shell more user friendly: coder@my-workspace:~$
+  hostname = lower(data.coder_workspace.me.name)
+  dns      = ["1.1.1.1"]
+  # Use the docker gateway if the access URL is 127.0.0.1
+  command = [
+    "sh", "-c",
+    <<EOT
+    trap '[ $? -ne 0 ] && echo === Agent script exited with non-zero code. Sleeping infinitely to preserve logs... && sleep infinity' EXIT
+    ${replace(coder_agent.dev.init_script, "localhost", "host.docker.internal")}
+    EOT
+  ]
+  # CPU limits are unnecessary since Docker will load balance automatically
+  memory  = 32768
+  runtime = "sysbox-runc"
+  env     = ["CODER_AGENT_TOKEN=${coder_agent.dev.token}"]
+  host {
+    host = "host.docker.internal"
+    ip   = "host-gateway"
+  }
+  volumes {
+    container_path = "/home/coder/"
+    volume_name    = docker_volume.home_volume.name
+    read_only      = false
+  }
+}