ci: Update standalone build test

ms-toolsai.jupyter is now a dependency of ms-python and is installed
along with it.

.eslintrc.yaml

@@ -19,10 +19,23 @@ extends:
   - prettier/@typescript-eslint # Remove conflicts again.
 
 rules:
+  # Sometimes you need to add args to implement a function signature even
+  # if they are unused.
+  "@typescript-eslint/no-unused-vars": ["error", { "args": "none" }]
   # For overloads.
   no-dupe-class-members: off
   "@typescript-eslint/no-use-before-define": off
   "@typescript-eslint/no-non-null-assertion": off
+  "@typescript-eslint/ban-types": off
+  "@typescript-eslint/no-var-requires": off
+  "@typescript-eslint/explicit-module-boundary-types": off
+  "@typescript-eslint/no-explicit-any": off
+  eqeqeq: error
+  import/order:
+    [error, { alphabetize: { order: "asc" }, groups: [["builtin", "external", "internal"], "parent", "sibling"] }]
+  no-async-promise-executor: off
+  # This isn't a real module, just types, which apparently doesn't resolve.
+  import/no-unresolved: [error, { ignore: ["express-serve-static-core"] }]
 
 settings:
   # Does not work with CommonJS unfortunately.

.github/CODEOWNERS

@@ -1 +1,3 @@
 * @code-asher @nhooyr
+
+ci/helm-chart @Matthew-Beckett @alexgorbatchev

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,8 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Question
+    url: https://github.com/cdr/code-server/discussions/new?category_id=22503114
+    about: Ask the community for help on our GitHub Discussions board
+  - name: Chat
+    about: Need immediate help or just want to talk? Hop in our Slack
+    url: https://cdr.co/join-community

.github/ISSUE_TEMPLATE/doc.md

@@ -0,0 +1,7 @@
+---
+name: Documentation improvement
+about: Suggest a documentation improvement
+title: ""
+labels: "docs"
+assignees: ""
+---

.github/issue_template.md

@@ -1,4 +0,0 @@
-<!--
-Please file all questions and support requests at https://www.reddit.com/r/codeserver/
-The issue tracker is only for bugs.
--->

.github/lock.yml

@@ -0,0 +1,37 @@
+# Configuration for Lock Threads - https://github.com/dessant/lock-threads-app
+
+# Number of days of inactivity before a closed issue or pull request is locked
+daysUntilLock: 90
+
+# Skip issues and pull requests created before a given timestamp. Timestamp must
+# follow ISO 8601 (`YYYY-MM-DD`). Set to `false` to disable
+skipCreatedBefore: false
+
+# Issues and pull requests with these labels will be ignored. Set to `[]` to disable
+exemptLabels: []
+
+# Label to add before locking, such as `outdated`. Set to `false` to disable
+lockLabel: false
+
+# Comment to post before locking. Set to `false` to disable
+lockComment: >
+  This thread has been automatically locked since there has not been
+  any recent activity after it was closed. Please open a new issue for
+  related bugs.
+
+# Assign `resolved` as the reason for locking. Set to `false` to disable
+setLockReason: true
+# Limit to only `issues` or `pulls`
+# only: issues
+
+# Optionally, specify configuration settings just for `issues` or `pulls`
+# issues:
+#   exemptLabels:
+#     - help-wanted
+#   lockLabel: outdated
+
+# pulls:
+#   daysUntilLock: 30
+
+# Repository to extend settings from
+# _extends: repo

.github/pull_request_template.md

@@ -1,4 +1,6 @@
 <!--
 Please link to the issue this PR solves.
 If there is no existing issue, please first create one unless the fix is minor.
+
+Please make sure the base of your PR is the master branch!
 -->

.github/workflows/ci.yaml

@@ -8,7 +8,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run ./ci/steps/fmt.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/fmt.sh
 
@@ -17,7 +17,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run ./ci/steps/lint.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/lint.sh
 
@@ -26,7 +26,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run ./ci/steps/test.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/test.sh
 
@@ -35,7 +35,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run ./ci/steps/release.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/release.sh
       - name: Upload npm package artifact
@@ -55,7 +55,7 @@ jobs:
           name: npm-package
           path: ./release-npm-package
       - name: Run ./ci/steps/release-packages.sh
-        uses: ./ci/container
+        uses: ./ci/images/centos7
         with:
           args: ./ci/steps/release-packages.sh
       - name: Upload release artifacts
@@ -75,7 +75,7 @@ jobs:
           name: npm-package
           path: ./release-npm-package
       - name: Run ./ci/steps/release-packages.sh
-        uses: ./ci/container/arm64
+        uses: ./ci/images/centos7
         with:
           args: ./ci/steps/release-packages.sh
       - name: Upload release artifacts
@@ -94,8 +94,6 @@ jobs:
         with:
           name: npm-package
           path: ./release-npm-package
-      - run: brew unlink node@12
-      - run: brew install node
       - run: ./ci/steps/release-packages.sh
         env:
           # Otherwise we get rate limited when fetching the ripgrep binary.
@@ -118,7 +116,7 @@ jobs:
           name: release-packages
           path: ./release-packages
       - name: Run ./ci/steps/build-docker-image.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/build-docker-image.sh
       - name: Upload release image
@@ -138,7 +136,7 @@ jobs:
           name: release-packages
           path: ./release-packages
       - name: Run ./ci/steps/build-docker-image.sh
-        uses: ./ci/container/arm64
+        uses: ./ci/images/centos7
         with:
           args: ./ci/steps/build-docker-image.sh
       - name: Upload release image

.github/workflows/publish.yaml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run ./ci/steps/publish-npm.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/publish-npm.sh
         env:
@@ -22,7 +22,7 @@ jobs:
     steps:
       - uses: actions/checkout@v1
       - name: Run ./ci/steps/push-docker-manifest.sh
-        uses: ./ci/container
+        uses: ./ci/images/debian10
         with:
           args: ./ci/steps/push-docker-manifest.sh
         env:

.gitignore

@@ -9,3 +9,7 @@ release-packages/
 release-gcp/
 release-images/
 node_modules
+node-*
+/plugins
+/lib/coder-cloud-agent
+.home

.gitmodules

@@ -1,3 +1,4 @@
 [submodule "lib/vscode"]
 	path = lib/vscode
 	url = https://github.com/microsoft/vscode
+	ignore = dirty

.ignore

@@ -0,0 +1 @@
+lib

README.md

@@ -1,4 +1,4 @@
-# code-server
+# code-server · [!["GitHub Discussions"](https://img.shields.io/badge/%20GitHub-%20Discussions-gray.svg?longCache=true&logo=github&colorB=purple)](https://github.com/cdr/code-server/discussions) [!["Join us on Slack"](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=brightgreen)](https://cdr.co/join-community) [![Twitter Follow](https://img.shields.io/twitter/follow/CoderHQ?label=%40CoderHQ&style=social)](https://twitter.com/coderhq)
 
 Run [VS Code](https://github.com/Microsoft/vscode) on any machine anywhere and access it in the browser.
 
@@ -6,51 +6,64 @@ Run [VS Code](https://github.com/Microsoft/vscode) on any machine anywhere and a
 
 ## Highlights
 
-- **Code everywhere**
-  - Code on your Chromebook, tablet, and laptop with a consistent development environment.
-  - Develop on a Linux machine and pick up from any device with a web browser.
-- **Server-powered**
-  - Take advantage of large cloud servers to speed up tests, compilations, downloads, and more.
-  - Preserve battery life when you're on the go as all intensive tasks runs on your server.
-  - Make use of a spare computer you have lying around and turn it into a full development environment.
+- Code on any device with a consistent development environment
+- Use cloud servers to speed up tests, compilations, downloads, and more
+- Preserve battery life when you're on the go; all intensive tasks run on your server
 
 ## Getting Started
 
-For a full setup and walkthrough, please see [./doc/guide.md](./doc/guide.md).
+There are two ways to get started:
 
-We have a [script](./install.sh) to install code-server for Linux and macOS.
+1. Using the [install script](./install.sh), which automates most of the process. The script uses the system package manager (if possible)
+2. Manually installing code-server; see [Installation](./doc/install.md) for instructions applicable to most use cases
 
-It tries to use the system package manager if possible.
-
-First run to print out the install process:
+If you choose to use the install script, you can preview what occurs during the install process:
 
 ```bash
 curl -fsSL https://code-server.dev/install.sh | sh -s -- --dry-run
 ```
 
-Now to actually install:
+To install, run:
 
 ```bash
 curl -fsSL https://code-server.dev/install.sh | sh
 ```
 
-The install script will print out how to run and start using code-server.
+When done, the install script prints out instructions for running and starting code-server.
 
-If you believe an install script used with `curl | sh` is insecure, please give
-[this wonderful blogpost](https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install) by
-[sandstorm.io](https://sandstorm.io) a read.
+We also have an in-depth [setup and configuration](./doc/guide.md) guide.
 
-Docs on the install script, manual installation and docker image are at [./doc/install.md](./doc/install.md).
+### Alpha Program 🐣
+
+We're working on a cloud platform that makes deploying and managing code-server easier. Consider [updating to 3.7.0](https://github.com/cdr/code-server/releases/tag/v3.7.0) and running code-server with our experimental flag `--link` if you don't want to worry about
+
+- TLS
+- Authentication
+- Port Forwarding
+
+```bash
+$ code-server --link
+Proxying code-server to Coder Cloud, you can access your IDE at https://valmar-jon.cdr.co
+```
 
 ## FAQ
 
 See [./doc/FAQ.md](./doc/FAQ.md).
 
-## Contributing
+## Want to help?
 
-See [./doc/CONTRIBUTING.md](./doc/CONTRIBUTING.md).
+See [CONTRIBUTING](./doc/CONTRIBUTING.md) for details.
 
-## Enterprise
+## Hiring
 
-Visit [our website](https://coder.com) for more information about our
-enterprise offerings.
+We ([@cdr](https://github.com/cdr)) are looking for engineers to help [maintain
+code-server](https://jobs.lever.co/coder/e40becde-2cbd-4885-9029-e5c7b0a734b8), innovate on open source, and streamline dev workflows.
+
+Our main office is in Austin, Texas. Remote is ok as long as
+you're in North America or Europe.
+
+Please get in [touch](mailto:jobs@coder.com) with your resume/GitHub if interested.
+
+## For Organizations
+
+Visit [our website](https://coder.com) for more information about remote development for your organization or enterprise.

ThirdPartyNotices.txt

@@ -0,0 +1,22 @@
+code-server
+
+THIRD-PARTY SOFTWARE NOTICES AND INFORMATION
+Do Not Translate or Localize
+
+1.	Microsoft/vscode version 1.47.0 (https://github.com/Microsoft/vscode)
+
+%% Microsoft/vscode NOTICES AND INFORMATION BEGIN HERE
+=========================================
+MIT License 
+
+
+Copyright (c) 2015 - present Microsoft Corporation 
+
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: 
+
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. 
+
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.  

ci/README.md

@@ -16,16 +16,20 @@ Make sure you have `$GITHUB_TOKEN` set and [hub](https://github.com/github/hub)
 
 1. Update the version of code-server and make a PR.
    1. Update in `package.json`
-   2. Update in [install.sh](../install.sh)
+   2. Update in [./doc/install.md](../doc/install.md)
+   3. Update in [./ci/helm-chart/README.md](../ci/helm-chart/README.md)
 2. GitHub actions will generate the `npm-package`, `release-packages` and `release-images` artifacts.
+   1. You do not have to wait for these.
 3. Run `yarn release:github-draft` to create a GitHub draft release from the template with
    the updated version.
    1. Summarize the major changes in the release notes and link to the relevant issues.
 4. Wait for the artifacts in step 2 to build.
-5. Run `yarn release:github-assets` to download the `release-packages` artifact and then
-   upload them to the draft release.
+5. Run `yarn release:github-assets` to download the `release-packages` artifact.
+   - It will upload them to the draft release.
 6. Run some basic sanity tests on one of the released packages.
-7. Make sure the github release tag is the commit with the artifacts.
+   - Especially make sure the terminal works fine.
+7. Make sure the github release tag is the commit with the artifacts. This is a bug in
+   `hub` where uploading assets in step 5 will break the tag.
 8. Publish the release and merge the PR.
    1. CI will automatically grab the artifacts and then:
       1. Publish the NPM package from `npm-package`.
@@ -40,7 +44,7 @@ Make sure you have `$GITHUB_TOKEN` set and [hub](https://github.com/github/hub)
 
 This directory contains scripts used for the development of code-server.
 
-- [./ci/dev/container](./dev/container)
+- [./ci/dev/image](./dev/image)
   - See [./doc/CONTRIBUTING.md](../doc/CONTRIBUTING.md) for docs on the development container.
 - [./ci/dev/fmt.sh](./dev/fmt.sh) (`yarn fmt`)
   - Runs formatters.
@@ -104,17 +108,17 @@ You can disable minification by setting `MINIFY=`.
   - Post install script for the npm package.
   - Bundled by`yarn release`.
 
-## release-container
+## release-image
 
-This directory contains the release docker container.
+This directory contains the release docker container image.
 
-- [./release-container/build.sh](./release-container/build.sh)
+- [./release-image/build.sh](./release-image/build.sh)
   - Builds the release container with the tag `codercom/code-server-$ARCH:$VERSION`.
   - Assumes debian releases are ready in `./release-packages`.
 
-## container
+## images
 
-This directory contains the container for CI.
+This directory contains the images for CI.
 
 ## steps
 

ci/build/build-code-server.sh

@@ -9,7 +9,8 @@ MINIFY=${MINIFY-true}
 main() {
   cd "$(dirname "${0}")/../.."
 
-  tsc --outDir out --tsBuildInfoFile .cache/out.tsbuildinfo
+  tsc
+
   # If out/node/entry.js does not already have the shebang,
   # we make sure to add it and make it executable.
   if ! grep -q -m1 "^#!/usr/bin/env node" out/node/entry.js; then
@@ -17,13 +18,20 @@ main() {
     chmod +x out/node/entry.js
   fi
 
+  if ! [ -f ./lib/coder-cloud-agent ]; then
+    OS="$(uname | tr '[:upper:]' '[:lower:]')"
+    curl -fsSL "https://storage.googleapis.com/coder-cloud-releases/agent/latest/$OS/cloud-agent" -o ./lib/coder-cloud-agent
+    chmod +x ./lib/coder-cloud-agent
+  fi
+
   parcel build \
-    --public-url "/static/$(git rev-parse HEAD)/dist" \
+    --public-url "." \
     --out-dir dist \
     $([[ $MINIFY ]] || echo --no-minify) \
-    src/browser/pages/app.ts \
     src/browser/register.ts \
-    src/browser/serviceWorker.ts
+    src/browser/serviceWorker.ts \
+    src/browser/pages/login.ts \
+    src/browser/pages/vscode.ts
 }
 
 main "$@"

ci/build/build-packages.sh

@@ -11,15 +11,6 @@ main() {
   mkdir -p release-packages
 
   release_archive
-  # Will stop the auto update issues and allow people to upgrade their scripts
-  # for the new release structure.
-  if [[ $ARCH == "amd64" ]]; then
-    if [[ $OS == "linux" ]]; then
-      ARCH=x86_64 release_archive
-    elif [[ $OS == "macos" ]]; then
-      OS=darwin ARCH=x86_64 release_archive
-    fi
-  fi
 
   if [[ $OS == "linux" ]]; then
     release_nfpm
@@ -33,6 +24,7 @@ release_archive() {
   else
     tar -czf "release-packages/$release_name.tar.gz" -s "/^release-standalone/$release_name/" release-standalone
   fi
+
   echo "done (release-packages/$release_name)"
 
   release_gcp

ci/build/build-release.sh

@@ -6,6 +6,10 @@ set -euo pipefail
 # MINIFY controls whether minified vscode is bundled.
 MINIFY="${MINIFY-true}"
 
+# KEEP_MODULES controls whether the script cleans all node_modules requiring a yarn install
+# to run first.
+KEEP_MODULES="${KEEP_MODULES-0}"
+
 main() {
   cd "$(dirname "${0}")/../.."
   source ./ci/lib.sh
@@ -21,6 +25,12 @@ main() {
   rsync README.md "$RELEASE_PATH"
   rsync LICENSE.txt "$RELEASE_PATH"
   rsync ./lib/vscode/ThirdPartyNotices.txt "$RELEASE_PATH"
+
+  # code-server exports types which can be imported and used by plugins. Those
+  # types import ipc.d.ts but it isn't included in the final vscode build so
+  # we'll copy it ourselves here.
+  mkdir -p "$RELEASE_PATH/lib/vscode/src/vs/server"
+  rsync ./lib/vscode/src/vs/server/ipc.d.ts "$RELEASE_PATH/lib/vscode/src/vs/server"
 }
 
 bundle_code_server() {
@@ -31,6 +41,7 @@ bundle_code_server() {
   rsync src/browser/media/ "$RELEASE_PATH/src/browser/media"
   mkdir -p "$RELEASE_PATH/src/browser/pages"
   rsync src/browser/pages/*.html "$RELEASE_PATH/src/browser/pages"
+  rsync src/browser/robots.txt "$RELEASE_PATH/src/browser"
 
   # Adds the commit to package.json
   jq --slurp '.[0] * .[1]' package.json <(
@@ -45,15 +56,25 @@ EOF
   ) > "$RELEASE_PATH/package.json"
   rsync yarn.lock "$RELEASE_PATH"
   rsync ci/build/npm-postinstall.sh "$RELEASE_PATH/postinstall.sh"
+
+  if [ "$KEEP_MODULES" = 1 ]; then
+    rsync node_modules/ "$RELEASE_PATH/node_modules"
+    mkdir -p "$RELEASE_PATH/lib"
+    rsync ./lib/coder-cloud-agent "$RELEASE_PATH/lib"
+  fi
 }
 
 bundle_vscode() {
   mkdir -p "$VSCODE_OUT_PATH"
   rsync "$VSCODE_SRC_PATH/yarn.lock" "$VSCODE_OUT_PATH"
-  rsync "$VSCODE_SRC_PATH/out-vscode${MINIFY+-min}/" "$VSCODE_OUT_PATH/out"
+  rsync "$VSCODE_SRC_PATH/out-vscode${MINIFY:+-min}/" "$VSCODE_OUT_PATH/out"
 
   rsync "$VSCODE_SRC_PATH/.build/extensions/" "$VSCODE_OUT_PATH/extensions"
-  rm -Rf "$VSCODE_OUT_PATH/extensions/node_modules"
+  if [ "$KEEP_MODULES" = 0 ]; then
+    rm -Rf "$VSCODE_OUT_PATH/extensions/node_modules"
+  else
+    rsync "$VSCODE_SRC_PATH/node_modules/" "$VSCODE_OUT_PATH/node_modules"
+  fi
   rsync "$VSCODE_SRC_PATH/extensions/package.json" "$VSCODE_OUT_PATH/extensions"
   rsync "$VSCODE_SRC_PATH/extensions/yarn.lock" "$VSCODE_OUT_PATH/extensions"
   rsync "$VSCODE_SRC_PATH/extensions/postinstall.js" "$VSCODE_OUT_PATH/extensions"

ci/build/build-standalone-release.sh

@@ -17,14 +17,6 @@ main() {
   mkdir -p "$RELEASE_PATH/bin"
   rsync ./ci/build/code-server.sh "$RELEASE_PATH/bin/code-server"
   rsync "$node_path" "$RELEASE_PATH/lib/node"
-  if [[ $OS == "linux" ]]; then
-    bundle_dynamic_lib libstdc++
-    bundle_dynamic_lib libgcc_s
-  elif [[ $OS == "macos" ]]; then
-    bundle_dynamic_lib libicui18n
-    bundle_dynamic_lib libicuuc
-    bundle_dynamic_lib libicudata
-  fi
 
   ln -s "./bin/code-server" "$RELEASE_PATH/code-server"
   ln -s "./lib/node" "$RELEASE_PATH/node"
@@ -33,17 +25,4 @@ main() {
   yarn --production --frozen-lockfile
 }
 
-bundle_dynamic_lib() {
-  local lib_name="$1"
-  local lib_path
-
-  if [[ $OS == "linux" ]]; then
-    lib_path="$(ldd "$RELEASE_PATH/lib/node" | grep "$lib_name" | awk '{print $3 }')"
-  elif [[ $OS == "macos" ]]; then
-    lib_path="$(otool -L "$RELEASE_PATH/lib/node" | grep "$lib_name" | awk '{print $1 }')"
-  fi
-
-  cp "$lib_path" "$RELEASE_PATH/lib"
-}
-
 main "$@"

ci/build/clean.sh

@@ -5,16 +5,7 @@ main() {
   cd "$(dirname "${0}")/../.."
   source ./ci/lib.sh
 
-  rm -Rf \
-    out \
-    release \
-    release-standalone \
-    release-packages \
-    release-gcp \
-    release-images/ \
-    dist \
-    .tsbuildinfo \
-    .cache/out.tsbuildinfo
+  git clean -Xffd
 
   pushd lib/vscode
   git clean -xffd

ci/build/code-server.sh

@@ -1,25 +1,36 @@
 #!/bin/sh
+set -eu
 
 # This script is intended to be bundled into the standalone releases.
 # Runs code-server with the bundled node binary.
 
-# More complicated than readlink -f or realpath to support macOS.
-# See https://github.com/cdr/code-server/issues/1537
-bin_dir() {
-  # We read the symlink, which may be relative from $0.
-  dst="$(readlink "$0")"
-  # We cd into the $0 directory.
-  cd "$(dirname "$0")" || exit 1
-  # Now we can cd into the dst directory.
-  cd "$(dirname "$dst")" || exit 1
-  # Finally we use pwd -P to print the absolute path of the directory of $dst.
-  pwd -P || exit 1
+_realpath() {
+  # See https://github.com/cdr/code-server/issues/1537 on why no realpath or readlink -f.
+
+  script="$1"
+  cd "$(dirname "$script")"
+
+  while [ -L "$(basename "$script")" ]; do
+    if [ -L "./node" ] && [ -L "./code-server" ] &&
+      [ -f "package.json" ] &&
+      cat package.json | grep -q '^  "name": "code-server",$'; then
+      echo "***** Please use the script in bin/code-server instead!" >&2
+      echo "***** This script will soon be removed!" >&2
+      echo "***** See the release notes at https://github.com/cdr/code-server/releases/tag/v3.4.0" >&2
+    fi
+
+    script="$(readlink "$(basename "$script")")"
+    cd "$(dirname "$script")"
+  done
+
+  echo "$PWD/$(basename "$script")"
 }
 
-BIN_DIR=$(bin_dir)
-if [ "$(uname)" = "Linux" ]; then
-  export LD_LIBRARY_PATH="$BIN_DIR/../lib${LD_LIBRARY_PATH+:$LD_LIBRARY_PATH}"
-elif [ "$(uname)" = "Darwin" ]; then
-  export DYLD_LIBRARY_PATH="$BIN_DIR/../lib${DYLD_LIBRARY_PATH+:$DYLD_LIBRARY_PATH}"
-fi
-exec "$BIN_DIR/../lib/node" "$BIN_DIR/.." "$@"
+root() {
+  script="$(_realpath "$0")"
+  bin_dir="$(dirname "$script")"
+  dirname "$bin_dir"
+}
+
+ROOT="$(root)"
+exec "$ROOT/lib/node" "$ROOT" "$@"

ci/build/code-server@.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=code-server
+After=network.target
+
+[Service]
+Type=exec
+ExecStart=/usr/bin/code-server
+Restart=always
+User=%i
+
+[Install]
+WantedBy=default.target

ci/build/nfpm.yaml

@@ -12,5 +12,8 @@ homepage: "https://github.com/cdr/code-server"
 license: "MIT"
 files:
   ./ci/build/code-server-nfpm.sh: /usr/bin/code-server
-  ./ci/build/code-server.service: /usr/lib/systemd/user/code-server.service
+  ./ci/build/code-server@.service: /usr/lib/systemd/system/code-server@.service
+  # Only included for backwards compat with previous releases that shipped
+  # the user service. See #1997
+  ./ci/build/code-server-user.service: /usr/lib/systemd/user/code-server.service
   ./release-standalone/**/*: "/usr/lib/code-server/"

ci/build/npm-postinstall.sh

@@ -24,6 +24,13 @@ main() {
     ;;
   esac
 
+  OS="$(uname | tr '[:upper:]' '[:lower:]')"
+  if curl -fsSL "https://storage.googleapis.com/coder-cloud-releases/agent/latest/$OS/cloud-agent" -o ./lib/coder-cloud-agent; then
+    chmod +x ./lib/coder-cloud-agent
+  else
+    echo "Failed to download cloud agent; --link will not work"
+  fi
+
   if ! vscode_yarn; then
     echo "You may not have the required dependencies to build the native modules."
     echo "Please see https://github.com/cdr/code-server/blob/master/doc/npm.md"
@@ -36,6 +43,13 @@ vscode_yarn() {
   yarn --production --frozen-lockfile
   cd extensions
   yarn --production --frozen-lockfile
+  for ext in */; do
+    ext="${ext%/}"
+    echo "extensions/$ext: installing dependencies"
+    cd "$ext"
+    yarn --production --frozen-lockfile
+    cd "$OLDPWD"
+  done
 }
 
 main "$@"

ci/build/release-github-assets.sh

@@ -11,7 +11,7 @@ main() {
   source ./ci/lib.sh
 
   download_artifact release-packages ./release-packages
-  local assets=(./release-packages/*)
+  local assets=(./release-packages/code-server*"$VERSION"*{.tar.gz,.deb,.rpm})
   for i in "${!assets[@]}"; do
     assets[$i]="--attach=${assets[$i]}"
   done

ci/build/test-standalone-release.sh

@@ -15,7 +15,8 @@ main() {
   ./release-standalone/bin/code-server --extensions-dir "$EXTENSIONS_DIR" --install-extension ms-python.python
   local installed_extensions
   installed_extensions="$(./release-standalone/bin/code-server --extensions-dir "$EXTENSIONS_DIR" --list-extensions 2>&1)"
-  if [[ $installed_extensions != "ms-python.python" ]]; then
+  # We use grep as ms-python.python may have dependency extensions that change.
+  if ! echo "$installed_extensions" | grep -q "ms-python.python"; then
     echo "Unexpected output from listing extensions:"
     echo "$installed_extensions"
     exit 1

ci/container/Dockerfile

@@ -1,53 +0,0 @@
-FROM debian:8
-
-RUN apt-get update
-
-# Needed for debian repositories added below.
-RUN apt-get install -y curl gnupg
-
-# Installs node.
-RUN curl -fsSL https://deb.nodesource.com/setup_14.x | bash - && \
-    apt-get install -y nodejs
-
-# Installs yarn.
-RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
-    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
-    apt-get update && apt-get install -y yarn
-
-# Installs VS Code build deps.
-RUN apt-get install -y build-essential \
-                   libsecret-1-dev \
-                   libx11-dev \
-                   libxkbfile-dev
-
-# Installs envsubst.
-RUN apt-get install -y gettext-base
-
-# Misc build dependencies.
-RUN apt-get install -y git rsync unzip
-
-# We need latest jq from debian buster for date support.
-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSOL http://http.us.debian.org/debian/pool/main/libo/libonig/libonig5_6.9.1-1_$ARCH.deb && \
-    dpkg -i libonig*.deb && \
-    curl -fsSOL http://http.us.debian.org/debian/pool/main/j/jq/libjq1_1.5+dfsg-2+b1_$ARCH.deb && \
-    dpkg -i libjq*.deb && \
-    curl -fsSOL http://http.us.debian.org/debian/pool/main/j/jq/jq_1.5+dfsg-2+b1_$ARCH.deb && \
-    dpkg -i jq*.deb && rm *.deb
-
-# Installs shellcheck.
-# Unfortunately coredumps on debian:8 so disabled for now.
-#RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.7.1/shellcheck-v0.7.1.linux.$(uname -m).tar.xz | \
-#    tar -xJ && \
-#    mv shellcheck*/shellcheck /usr/local/bin && \
-#    rm -R shellcheck*
-
-# Install Go dependencies
-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSL "https://dl.google.com/go/go1.14.3.linux-$ARCH.tar.gz" | tar -C /usr/local -xz
-ENV PATH=/usr/local/go/bin:/root/go/bin:$PATH
-ENV GO111MODULE=on
-RUN go get mvdan.cc/sh/v3/cmd/shfmt
-RUN go get github.com/goreleaser/nfpm/cmd/nfpm
-
-RUN curl -fsSL https://get.docker.com | sh

ci/container/arm64/Dockerfile

@@ -1,53 +0,0 @@
-FROM debian:9
-
-RUN apt-get update
-
-# Needed for debian repositories added below.
-RUN apt-get install -y curl gnupg
-
-# Installs node.
-RUN curl -fsSL https://deb.nodesource.com/setup_14.x | bash - && \
-    apt-get install -y nodejs
-
-# Installs yarn.
-RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
-    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
-    apt-get update && apt-get install -y yarn
-
-# Installs VS Code build deps.
-RUN apt-get install -y build-essential \
-                   libsecret-1-dev \
-                   libx11-dev \
-                   libxkbfile-dev
-
-# Installs envsubst.
-RUN apt-get install -y gettext-base
-
-# Misc build dependencies.
-RUN apt-get install -y git rsync unzip
-
-# We need latest jq from debian buster for date support.
-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSOL http://http.us.debian.org/debian/pool/main/libo/libonig/libonig5_6.9.1-1_$ARCH.deb && \
-    dpkg -i libonig*.deb && \
-    curl -fsSOL http://http.us.debian.org/debian/pool/main/j/jq/libjq1_1.5+dfsg-2+b1_$ARCH.deb && \
-    dpkg -i libjq*.deb && \
-    curl -fsSOL http://http.us.debian.org/debian/pool/main/j/jq/jq_1.5+dfsg-2+b1_$ARCH.deb && \
-    dpkg -i jq*.deb && rm *.deb
-
-# Installs shellcheck.
-# Unfortunately coredumps on debian:8 so disabled for now.
-#RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.7.1/shellcheck-v0.7.1.linux.$(uname -m).tar.xz | \
-#    tar -xJ && \
-#    mv shellcheck*/shellcheck /usr/local/bin && \
-#    rm -R shellcheck*
-
-# Install Go dependencies
-RUN ARCH="$(dpkg --print-architecture)" && \
-    curl -fsSL "https://dl.google.com/go/go1.14.3.linux-$ARCH.tar.gz" | tar -C /usr/local -xz
-ENV PATH=/usr/local/go/bin:/root/go/bin:$PATH
-ENV GO111MODULE=on
-RUN go get mvdan.cc/sh/v3/cmd/shfmt
-RUN go get github.com/goreleaser/nfpm/cmd/nfpm
-
-RUN curl -fsSL https://get.docker.com | sh

ci/container/arm64/README.md

@@ -1,6 +0,0 @@
-# arm64
-
-Unfortunately there is no arm64 build of `debian:8` so
-we need to use `debian:9` instead.
-
-This is just an exact copy of [../Dockerfile](../Dockerfile) with the base image change.

ci/dev/container/Dockerfile

@@ -1,13 +0,0 @@
-FROM node:12
-
-RUN apt-get update && apt-get install -y \
-    curl \
-    iproute2 \
-    vim \
-    iptables \
-    net-tools \
-    libsecret-1-dev \
-    libx11-dev \
-    libxkbfile-dev
-
-CMD ["/bin/bash"]

ci/dev/container/exec.sh

@@ -1,48 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# Opens an interactive bash session inside of a docker container
-# for improved isolation during development.
-# If the container exists it is restarted if necessary, then reused.
-
-main() {
-  cd "$(dirname "${0}")/../../.."
-
-  local container_name=code-server-dev
-
-  if docker inspect $container_name &> /dev/null; then
-    echo "-- Starting container"
-    docker start "$container_name" > /dev/null
-
-    enter
-    exit 0
-  fi
-
-  build
-  run
-  enter
-}
-
-enter() {
-  echo "--- Entering $container_name"
-  docker exec -it "$container_name" /bin/bash
-}
-
-run() {
-  echo "--- Spawning $container_name"
-  docker run \
-    -it \
-    --name $container_name \
-    "-v=$PWD:/code-server" \
-    "-w=/code-server" \
-    "-p=127.0.0.1:8080:8080" \
-    $(if [[ -t 0 ]]; then echo -it; fi) \
-    "$container_name"
-}
-
-build() {
-  echo "--- Building $container_name"
-  docker build -t $container_name ./ci/dev/container > /dev/null
-}
-
-main "$@"

ci/dev/diff-vscode.sh

@@ -6,7 +6,7 @@ main() {
 
   cd ./lib/vscode
   git add -A
-  git diff HEAD > ../../ci/dev/vscode.patch
+  git diff HEAD --full-index > ../../ci/dev/vscode.patch
 }
 
 main "$@"

ci/dev/fmt.sh

@@ -4,7 +4,7 @@ set -euo pipefail
 main() {
   cd "$(dirname "$0")/../.."
 
-  shfmt -i 2 -w -s -sr $(git ls-files "*.sh")
+  shfmt -i 2 -w -sr $(git ls-files "*.sh")
 
   local prettierExts
   prettierExts=(
@@ -19,11 +19,16 @@ main() {
     "*.yaml"
     "*.yml"
   )
-  prettier --write --loglevel=warn $(git ls-files "${prettierExts[@]}")
+  prettier --write --loglevel=warn $(
+    git ls-files "${prettierExts[@]}" | grep -v 'helm-chart'
+  )
 
   doctoc --title '# FAQ' doc/FAQ.md > /dev/null
   doctoc --title '# Setup Guide' doc/guide.md > /dev/null
   doctoc --title '# Install' doc/install.md > /dev/null
+  doctoc --title '# npm Install Requirements' doc/npm.md > /dev/null
+  doctoc --title '# Contributing' doc/CONTRIBUTING.md > /dev/null
+  doctoc --title '# iPad' doc/ipad.md > /dev/null
 
   if [[ ${CI-} && $(git ls-files --other --modified --exclude-standard) ]]; then
     echo "Files need generation or are formatted incorrectly:"

ci/dev/image/run.sh

@@ -0,0 +1,31 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+main() {
+  cd "$(dirname "$0")/../../.."
+  source ./ci/lib.sh
+  mkdir -p .home
+
+  docker run \
+    -it \
+    --rm \
+    -v "$PWD:/src" \
+    -e HOME="/src/.home" \
+    -e USER="coder" \
+    -e GITHUB_TOKEN \
+    -e KEEP_MODULES \
+    -e MINIFY \
+    -w /src \
+    -p 127.0.0.1:8080:8080 \
+    -u "$(id -u):$(id -g)" \
+    -e CI \
+    "$(docker_build ./ci/images/"${IMAGE-debian10}")" \
+    "$@"
+}
+
+docker_build() {
+  docker build "$@" >&2
+  docker build -q "$@"
+}
+
+main "$@"

ci/dev/lint.sh

@@ -7,9 +7,9 @@ main() {
   eslint --max-warnings=0 --fix $(git ls-files "*.ts" "*.tsx" "*.js")
   stylelint $(git ls-files "*.css")
   tsc --noEmit
-  # See comment in ./ci/container/Dockerfile
-  if [[ ! ${CI-} ]]; then
-    shellcheck -e SC2046,SC2164,SC2154,SC1091,SC1090 $(git ls-files "*.sh")
+  shellcheck -e SC2046,SC2164,SC2154,SC1091,SC1090,SC2002 $(git ls-files "*.sh")
+  if command -v helm && helm kubeval --help > /dev/null; then
+    helm kubeval ci/helm-chart
   fi
 }
 

ci/dev/test.sh

@@ -4,7 +4,10 @@ set -euo pipefail
 main() {
   cd "$(dirname "$0")/../.."
 
-  mocha -r ts-node/register ./test/*.test.ts
+  cd test/test-plugin
+  make -s out/index.js
+  cd "$OLDPWD"
+  mocha -r ts-node/register ./test/*.test.ts "$@"
 }
 
 main "$@"

ci/dev/watch.ts

@@ -37,6 +37,9 @@ class Watcher {
 
     const vscode = cp.spawn("yarn", ["watch"], { cwd: this.vscodeSourcePath })
     const tsc = cp.spawn("tsc", ["--watch", "--pretty", "--preserveWatchOutput"], { cwd: this.rootPath })
+    const plugin = process.env.PLUGIN_DIR
+      ? cp.spawn("yarn", ["build", "--watch"], { cwd: process.env.PLUGIN_DIR })
+      : undefined
     const bundler = this.createBundler()
 
     const cleanup = (code?: number | null): void => {
@@ -48,6 +51,12 @@ class Watcher {
       tsc.removeAllListeners()
       tsc.kill()
 
+      if (plugin) {
+        Watcher.log("killing plugin")
+        plugin.removeAllListeners()
+        plugin.kill()
+      }
+
       if (server) {
         Watcher.log("killing server")
         server.removeAllListeners()
@@ -69,6 +78,12 @@ class Watcher {
       Watcher.log("tsc terminated unexpectedly")
       cleanup(code)
     })
+    if (plugin) {
+      plugin.on("exit", (code) => {
+        Watcher.log("plugin terminated unexpectedly")
+        cleanup(code)
+      })
+    }
     const bundle = bundler.bundle().catch(() => {
       Watcher.log("parcel watcher terminated unexpectedly")
       cleanup(1)
@@ -82,6 +97,9 @@ class Watcher {
 
     vscode.stderr.on("data", (d) => process.stderr.write(d))
     tsc.stderr.on("data", (d) => process.stderr.write(d))
+    if (plugin) {
+      plugin.stderr.on("data", (d) => process.stderr.write(d))
+    }
 
     // From https://github.com/chalk/ansi-regex
     const pattern = [
@@ -140,21 +158,34 @@ class Watcher {
         bundle.then(restartServer)
       }
     })
+
+    if (plugin) {
+      onLine(plugin, (line, original) => {
+        // tsc outputs blank lines; skip them.
+        if (line !== "") {
+          console.log("[plugin]", original)
+        }
+        if (line.includes("Watching for file changes")) {
+          bundle.then(restartServer)
+        }
+      })
+    }
   }
 
   private createBundler(out = "dist"): Bundler {
     return new Bundler(
       [
-        path.join(this.rootPath, "src/browser/pages/app.ts"),
         path.join(this.rootPath, "src/browser/register.ts"),
         path.join(this.rootPath, "src/browser/serviceWorker.ts"),
+        path.join(this.rootPath, "src/browser/pages/login.ts"),
+        path.join(this.rootPath, "src/browser/pages/vscode.ts"),
       ],
       {
         outDir: path.join(this.rootPath, out),
         cacheDir: path.join(this.rootPath, ".cache"),
         minify: !!process.env.MINIFY,
         logLevel: 1,
-        publicUrl: "/static/development/dist",
+        publicUrl: ".",
       },
     )
   }

ci/helm-chart/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

ci/helm-chart/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: code-server
+description: A Helm chart for cdr/code-server
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 1.0.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+appVersion: 3.7.0

ci/helm-chart/README.md

@@ -0,0 +1,117 @@
+# code-server
+
+![Version: 1.0.0](https://img.shields.io/badge/Version-1.0.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: 3.7.0](https://img.shields.io/badge/AppVersion-3.7.0-informational?style=flat-square)
+
+[code-server](https://github.com/cdr/code-server) code-server is VS Code running
+on a remote server, accessible through the browser.
+
+This chart is community maintained by [@Matthew-Beckett](https://github.com/Matthew-Beckett) and [@alexgorbatchev](https://github.com/alexgorbatchev)
+
+## TL;DR;
+
+```console
+$ git clone https://github.com/cdr/code-server
+$ cd code-server
+$ helm upgrade --install code-server ci/helm-chart
+```
+
+## Introduction
+
+This chart bootstraps a code-server deployment on a
+[Kubernetes](http://kubernetes.io) cluster using the [Helm](https://helm.sh)
+package manager.
+
+## Prerequisites
+
+  - Kubernetes 1.6+
+
+## Installing the Chart
+
+To install the chart with the release name `code-server`:
+
+```console
+$ git clone https://github.com/cdr/code-server
+$ cd code-server
+$ helm upgrade --install code-server ci/helm-chart
+```
+
+The command deploys code-server on the Kubernetes cluster in the default
+configuration. The [configuration](#configuration) section lists the parameters
+that can be configured during installation.
+
+> **Tip**: List all releases using `helm list`
+
+## Uninstalling the Chart
+
+To uninstall/delete the `code-server` deployment:
+
+```console
+$ helm delete code-server
+```
+
+The command removes all the Kubernetes components associated with the chart and
+deletes the release.
+
+## Configuration
+
+The following table lists the configurable parameters of the code-server chart
+and their default values.
+
+## Values
+
+| Key | Type | Default | Description |
+|-----|------|---------|-------------|
+| affinity | object | `{}` |  |
+| extraArgs | list | `[]` |  |
+| extraConfigmapMounts | list | `[]` |  |
+| extraContainers | string | `""` |  |
+| extraSecretMounts | list | `[]` |  |
+| extraVars | list | `[]` |  |
+| extraVolumeMounts | list | `[]` |  |
+| fullnameOverride | string | `""` |  |
+| hostnameOverride | string | `""` |  |
+| image.pullPolicy | string | `"Always"` |  |
+| image.repository | string | `"codercom/code-server"` |  |
+| image.tag | string | `"3.7.0"` |  |
+| imagePullSecrets | list | `[]` |  |
+| ingress.enabled | bool | `false` |  |
+| nameOverride | string | `""` |  |
+| nodeSelector | object | `{}` |  |
+| persistence.accessMode | string | `"ReadWriteOnce"` |  |
+| persistence.annotations | object | `{}` |  |
+| persistence.enabled | bool | `true` |  |
+| persistence.size | string | `"1Gi"` |  |
+| podAnnotations | object | `{}` |  |
+| podSecurityContext | object | `{}` |  |
+| replicaCount | int | `1` |  |
+| resources | object | `{}` |  |
+| securityContext.enabled | bool | `true` |  |
+| securityContext.fsGroup | int | `1000` |  |
+| securityContext.runAsUser | int | `1000` |  |
+| service.port | int | `8443` |  |
+| service.type | string | `"ClusterIP"` |  |
+| serviceAccount.create | bool | `true` |  |
+| serviceAccount.name | string | `nil` |  |
+| tolerations | list | `[]` |  |
+| volumePermissions.enabled | bool | `true` |  |
+| volumePermissions.securityContext.runAsUser | int | `0` |  |
+
+Specify each parameter using the `--set key=value[,key=value]` argument to `helm
+install`. For example,
+
+```console
+$ helm upgrade --install code-server \
+    ci/helm-chart \
+    --set persistence.enabled=false
+```
+
+The above command sets the the persistence storage to false.
+
+Alternatively, a YAML file that specifies the values for the above parameters
+can be provided while installing the chart. For example,
+
+```console
+$ helm upgrade --install code-server ci/helm-chart -f values.yaml
+```
+
+> **Tip**: You can use the default [values.yaml](values.yaml)

ci/helm-chart/templates/NOTES.txt

@@ -0,0 +1,25 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+  {{- range .paths }}
+  http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+  {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+  export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "code-server.fullname" . }})
+  export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+  echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+     NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+           You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "code-server.fullname" . }}'
+  export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "code-server.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+  echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+  export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "code-server.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+  echo "Visit http://127.0.0.1:8080 to use your application"
+  kubectl port-forward $POD_NAME 8080:80
+{{- end }}
+
+Administrator credentials:
+
+  Password: echo $(kubectl get secret --namespace {{ .Release.Namespace }} {{ template "code-server.fullname" . }} -o jsonpath="{.data.password}" | base64 --decode)

ci/helm-chart/templates/_helpers.tpl

@@ -0,0 +1,63 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "code-server.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "code-server.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "code-server.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Common labels
+*/}}
+{{- define "code-server.labels" -}}
+helm.sh/chart: {{ include "code-server.chart" . }}
+{{ include "code-server.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "code-server.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "code-server.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "code-server.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create -}}
+    {{ default (include "code-server.fullname" .) .Values.serviceAccount.name }}
+{{- else -}}
+    {{ default "default" .Values.serviceAccount.name }}
+{{- end -}}
+{{- end -}}

ci/helm-chart/templates/deployment.yaml

@@ -0,0 +1,152 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "code-server.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: {{ include "code-server.name" . }}
+      app.kubernetes.io/instance: {{ .Release.Name }}
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: {{ include "code-server.name" . }}
+        app.kubernetes.io/instance: {{ .Release.Name }}
+    spec:
+      {{- if .Values.hostnameOverride }}
+      hostname: {{ .Values.hostnameOverride }}
+      {{- end }}
+      {{- if .Values.securityContext.enabled }}
+      securityContext:
+        fsGroup: {{ .Values.securityContext.fsGroup }}
+      {{- end }}
+      {{- if and .Values.volumePermissions.enabled .Values.persistence.enabled }}
+      initContainers:
+      - name: init-chmod-data
+        image: busybox:latest
+        imagePullPolicy: IfNotPresent
+        command:
+          - sh
+          - -c
+          - |
+            chown -R {{ .Values.securityContext.runAsUser }}:{{ .Values.securityContext.fsGroup }} /home/coder
+        securityContext:
+          runAsUser: {{ .Values.volumePermissions.securityContext.runAsUser }}
+        volumeMounts:
+        - name: data
+          mountPath: /home/coder
+      {{- end }}
+      containers:
+{{- if .Values.extraContainers }}
+{{ toYaml .Values.extraContainers | indent 8}}
+{{- end }}
+        - name: {{ .Chart.Name }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          {{- if .Values.securityContext.enabled }}
+          securityContext:
+            runAsUser: {{ .Values.securityContext.runAsUser }}
+          {{- end }}
+          env:
+        {{- if .Values.extraVars }}
+{{ toYaml .Values.extraVars | indent 10 }}
+        {{- end }}
+          - name: PASSWORD
+            valueFrom:
+              secretKeyRef:
+              {{- if .Values.existingSecret }}
+                name: {{ .Values.existingSecret }}
+              {{- else }}
+                name: {{ template "code-server.fullname" . }}
+              {{- end }}
+                key: password
+        {{- if .Values.extraArgs }}
+          args:
+{{ toYaml .Values.extraArgs | indent 10 }}
+        {{- end }}
+          volumeMounts:
+          - name: data
+            mountPath: /home/coder
+          {{- range .Values.extraConfigmapMounts }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            subPath: {{ .subPath | default "" }}
+            readOnly: {{ .readOnly }}
+          {{- end }}
+          {{- range .Values.extraSecretMounts }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            readOnly: {{ .readOnly }}
+          {{- end }}
+          {{- range .Values.extraVolumeMounts }}
+          - name: {{ .name }}
+            mountPath: {{ .mountPath }}
+            subPath: {{ .subPath | default "" }}
+            readOnly: {{ .readOnly }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+    {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+    {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+      serviceAccountName: {{ template "code-server.serviceAccountName" . }}
+      volumes:
+      - name: data
+      {{- if .Values.persistence.enabled }}
+        {{- if not .Values.persistence.hostPath }}
+        persistentVolumeClaim:
+          claimName: {{ .Values.persistence.existingClaim | default (include "code-server.fullname" .) }}
+        {{- else }}
+        hostPath:
+          path: {{ .Values.persistence.hostPath }}
+          type: Directory
+        {{- end -}}
+      {{- else }}
+        emptyDir: {}
+      {{- end -}}
+      {{- range .Values.extraSecretMounts }}
+      - name: {{ .name }}
+        secret:
+          secretName: {{ .secretName }}
+          defaultMode: {{ .defaultMode }}
+      {{- end }}
+      {{- range .Values.extraVolumeMounts }}
+      - name: {{ .name }}
+        {{- if .existingClaim }}
+        persistentVolumeClaim:
+          claimName: {{ .existingClaim }}
+        {{- else }}
+        hostPath:
+          path: {{ .hostPath }}
+          type: Directory
+        {{- end }}
+      {{- end }}

ci/helm-chart/templates/ingress.yaml

@@ -0,0 +1,41 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "code-server.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "code-server.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .paths }}
+          - path: {{ . }}
+            backend:
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+          {{- end }}
+    {{- end }}
+  {{- end }}

ci/helm-chart/templates/pvc.yaml

@@ -0,0 +1,29 @@
+{{- if and (and .Values.persistence.enabled (not .Values.persistence.existingClaim)) (not .Values.persistence.hostPath) }}
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ include "code-server.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+{{- with .Values.persistence.annotations  }}
+  annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  accessModes:
+    - {{ .Values.persistence.accessMode | quote }}
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size | quote }}
+{{- if .Values.persistence.storageClass }}
+{{- if (eq "-" .Values.persistence.storageClass) }}
+  storageClassName: ""
+{{- else }}
+  storageClassName: "{{ .Values.persistence.storageClass }}"
+{{- end }}
+{{- end }}
+{{- end }}

ci/helm-chart/templates/secrets.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "code-server.fullname" . }}
+  annotations:
+    "helm.sh/hook": "pre-install"
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+type: Opaque
+data:
+  {{ if .Values.password }}
+  password: "{{ .Values.password | b64enc }}"
+  {{ else }}
+  password: "{{ randAlphaNum 24 | b64enc }}"
+  {{ end }}

ci/helm-chart/templates/service.yaml

@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "code-server.fullname" . }}
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}

ci/helm-chart/templates/serviceaccount.yaml

@@ -0,0 +1,11 @@
+{{- if or .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  name: {{ template "code-server.serviceAccountName" . }}
+{{- end -}}

ci/helm-chart/templates/tests/test-connection.yaml

@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "code-server.fullname" . }}-test-connection"
+  labels:
+    app.kubernetes.io/name: {{ include "code-server.name" . }}
+    helm.sh/chart: {{ include "code-server.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+  annotations:
+    "helm.sh/hook": test-success
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args:  ['{{ include "code-server.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

ci/helm-chart/values.yaml

@@ -0,0 +1,163 @@
+# Default values for code-server.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: codercom/code-server
+  tag: '3.7.0'
+  pullPolicy: Always
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+hostnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 8080
+
+ingress:
+  enabled: false
+  #annotations:
+  #  kubernetes.io/ingress.class: nginx
+  #  kubernetes.io/tls-acme: "true"
+  #hosts:
+  #  - host: code-server.example.loc
+  #    paths:
+  #      - /
+
+  #tls:
+  #  - secretName: code-server
+  #    hosts:
+  #      - code-server.example.loc
+
+# Optional additional arguments
+extraArgs: []
+#  - --allow-http
+#  - --no-auth
+
+# Optional additional environment variables
+extraVars: []
+#  - name: DISABLE_TELEMETRY
+#    value: true
+
+##
+## Init containers parameters:
+## volumePermissions: Change the owner of the persist volume mountpoint to RunAsUser:fsGroup
+##
+volumePermissions:
+  enabled: true
+  securityContext:
+    runAsUser: 0
+
+## Pod Security Context
+## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+##
+securityContext:
+  enabled: true
+  fsGroup: 1000
+  runAsUser: 1000
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #  cpu: 100m
+  #  memory: 1000Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+## Persist data to a persistent volume
+persistence:
+  enabled: true
+  ## code-server data Persistent Volume Storage Class
+  ## If defined, storageClassName: <storageClass>
+  ## If set to "-", storageClassName: "", which disables dynamic provisioning
+  ## If undefined (the default) or set to null, no storageClassName spec is
+  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
+  ##   GKE, AWS & OpenStack)
+  ##
+  # storageClass: "-"
+  accessMode: ReadWriteOnce
+  size: 10Gi
+  annotations: {}
+  # existingClaim: ""
+  # hostPath: /data
+
+serviceAccount:
+  create: true
+  name:
+
+## Enable an Specify container in extraContainers.
+## This is meant to allow adding code-server dependencies, like docker-dind.
+extraContainers: |
+#- name: docker-dind
+#  image: docker:19.03-dind
+#  imagePullPolicy: IfNotPresent
+#  resources:
+#    requests:
+#      cpu: 250m
+#      memory: 256M
+#  securityContext:
+#    privileged: true
+#    procMount: Default
+#  env:
+#  - name: DOCKER_TLS_CERTDIR
+#    value: ""
+#  - name: DOCKER_DRIVER
+#    value: "overlay2"
+
+## Additional code-server secret mounts
+extraSecretMounts: []
+  # - name: secret-files
+  #   mountPath: /etc/secrets
+  #   secretName: code-server-secret-files
+  #   readOnly: true
+
+## Additional code-server volume mounts
+extraVolumeMounts: []
+  # - name: extra-volume
+  #   mountPath: /mnt/volume
+  #   readOnly: true
+  #   existingClaim: volume-claim
+  #   hostPath: ""
+
+extraConfigmapMounts: []
+  # - name: certs-configmap
+  #   mountPath: /etc/code-server/ssl/
+  #   subPath: certificates.crt # (optional)
+  #   configMap: certs-configmap
+  #   readOnly: true

ci/images/centos7/Dockerfile

@@ -0,0 +1,32 @@
+FROM centos:7
+
+ARG NODE_VERSION=v12.18.4
+RUN ARCH="$(uname -m | sed 's/86_64/64/; s/aarch64/arm64/')" && \
+    curl -fsSL "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-linux-$ARCH.tar.xz" | tar -C /usr/local -xJ && \
+    mv "/usr/local/node-$NODE_VERSION-linux-$ARCH" "/usr/local/node-$NODE_VERSION"
+ENV PATH=/usr/local/node-$NODE_VERSION/bin:$PATH
+RUN npm install -g yarn
+
+RUN yum groupinstall -y 'Development Tools'
+RUN yum install -y python2 libsecret-devel libX11-devel libxkbfile-devel
+
+RUN npm config set python python2
+
+RUN yum install -y epel-release && yum install -y jq
+RUN yum install -y rsync
+
+# Copied from ../debian10/Dockerfile
+# Install Go.
+RUN ARCH="$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/')" && \
+    curl -fsSL "https://dl.google.com/go/go1.14.3.linux-$ARCH.tar.gz" | tar -C /usr/local -xz
+ENV GOPATH=/gopath
+# Ensures running this image as another user works.
+RUN mkdir -p $GOPATH && chmod -R 777 $GOPATH
+ENV PATH=/usr/local/go/bin:$GOPATH/bin:$PATH
+
+# Install Go dependencies
+ENV GO111MODULE=on
+RUN go get mvdan.cc/sh/v3/cmd/shfmt
+RUN go get github.com/goreleaser/nfpm/cmd/nfpm
+
+RUN curl -fsSL https://get.docker.com | sh

ci/images/debian10/Dockerfile

@@ -0,0 +1,54 @@
+FROM debian:10
+
+RUN apt-get update
+
+# Needed for debian repositories added below.
+RUN apt-get install -y curl gnupg
+
+# Installs node.
+RUN curl -fsSL https://deb.nodesource.com/setup_12.x | bash - && \
+    apt-get install -y nodejs
+
+# Installs yarn.
+RUN curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
+    echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && \
+    apt-get update && apt-get install -y yarn
+
+# Installs VS Code build deps.
+RUN apt-get install -y build-essential \
+                   libsecret-1-dev \
+                   libx11-dev \
+                   libxkbfile-dev
+
+# Installs envsubst.
+RUN apt-get install -y gettext-base
+
+# Misc build dependencies.
+RUN apt-get install -y git rsync unzip jq
+
+# Installs shellcheck.
+RUN curl -fsSL https://github.com/koalaman/shellcheck/releases/download/v0.7.1/shellcheck-v0.7.1.linux.$(uname -m).tar.xz | \
+    tar -xJ && \
+    mv shellcheck*/shellcheck /usr/local/bin && \
+    rm -R shellcheck*
+
+# Install Go.
+RUN ARCH="$(uname -m | sed 's/x86_64/amd64/; s/aarch64/arm64/')" && \
+    curl -fsSL "https://dl.google.com/go/go1.14.3.linux-$ARCH.tar.gz" | tar -C /usr/local -xz
+ENV GOPATH=/gopath
+# Ensures running this image as another user works.
+RUN mkdir -p $GOPATH && chmod -R 777 $GOPATH
+ENV PATH=/usr/local/go/bin:$GOPATH/bin:$PATH
+
+# Install Go dependencies
+ENV GO111MODULE=on
+RUN go get mvdan.cc/sh/v3/cmd/shfmt
+RUN go get github.com/goreleaser/nfpm/cmd/nfpm
+
+RUN VERSION="$(curl -fsSL https://storage.googleapis.com/kubernetes-release/release/stable.txt)" && \
+    curl -fsSL "https://storage.googleapis.com/kubernetes-release/release/$VERSION/bin/linux/amd64/kubectl" > /usr/local/bin/kubectl \
+    && chmod +x /usr/local/bin/kubectl
+RUN curl -fsSL https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
+RUN helm plugin install https://github.com/instrumenta/helm-kubeval
+
+RUN curl -fsSL https://get.docker.com | sh

ci/release-image/Dockerfile

@@ -35,9 +35,14 @@ RUN ARCH="$(dpkg --print-architecture)" && \
     printf "user: coder\ngroup: coder\n" > /etc/fixuid/config.yml
 
 COPY release-packages/code-server*.deb /tmp/
+COPY ci/release-image/entrypoint.sh /usr/bin/entrypoint.sh
 RUN dpkg -i /tmp/code-server*$(dpkg --print-architecture).deb && rm /tmp/code-server*.deb
 
 EXPOSE 8080
-USER coder
+# This way, if someone sets $DOCKER_USER, docker-exec will still work as
+# the uid will remain the same. note: only relevant if -u isn't passed to
+# docker-run.
+USER 1000
+ENV USER=coder
 WORKDIR /home/coder
-ENTRYPOINT ["dumb-init", "fixuid", "-q", "/usr/bin/code-server", "--bind-addr", "0.0.0.0:8080", "."]
+ENTRYPOINT ["/usr/bin/entrypoint.sh", "--bind-addr", "0.0.0.0:8080", "."]

ci/release-image/build.sh

@@ -5,7 +5,7 @@ main() {
   cd "$(dirname "$0")/../.."
   source ./ci/lib.sh
 
-  docker build -t "codercom/code-server-$ARCH:$VERSION" -f ./ci/release-container/Dockerfile .
+  docker build -t "codercom/code-server-$ARCH:$VERSION" -f ./ci/release-image/Dockerfile .
 }
 
 main "$@"

ci/release-image/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+set -eu
+
+# We do this first to ensure sudo works below when renaming the user.
+# Otherwise the current container UID may not exist in the passwd database.
+eval "$(fixuid -q)"
+
+if [ "${DOCKER_USER-}" ]; then
+  echo "$DOCKER_USER ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers.d/nopasswd > /dev/null
+  # Unfortunately we cannot change $HOME as we cannot move any bind mounts
+  # nor can we bind mount $HOME into a new home as that requires a privileged container.
+  sudo usermod --login "$DOCKER_USER" coder
+  sudo groupmod -n "$DOCKER_USER" coder
+
+  USER="$DOCKER_USER"
+
+  sudo sed -i "/coder/d" /etc/sudoers.d/nopasswd
+fi
+
+dumb-init /usr/bin/code-server "$@"

ci/steps/build-docker-image.sh

@@ -5,7 +5,7 @@ main() {
   cd "$(dirname "$0")/../.."
   source ./ci/lib.sh
 
-  ./ci/release-container/build.sh
+  ./ci/release-image/build.sh
 
   mkdir -p release-images
   docker save "codercom/code-server-$ARCH:$VERSION" > "release-images/code-server-$ARCH-$VERSION.tar"

ci/steps/release-packages.sh

@@ -4,6 +4,12 @@ set -euo pipefail
 main() {
   cd "$(dirname "$0")/../.."
 
+  NODE_VERSION=v12.18.4
+  NODE_OS="$(uname | tr '[:upper:]' '[:lower:]')"
+  NODE_ARCH="$(uname -m | sed 's/86_64/64/; s/aarch64/arm64/')"
+  curl -L "https://nodejs.org/dist/$NODE_VERSION/node-$NODE_VERSION-$NODE_OS-$NODE_ARCH.tar.gz" | tar -xz
+  PATH="$PWD/node-$NODE_VERSION-$NODE_OS-$NODE_ARCH/bin:$PATH"
+
   # https://github.com/actions/upload-artifact/issues/38
   tar -xzf release-npm-package/package.tar.gz
 

doc/CONTRIBUTING.md

@@ -1,17 +1,41 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # Contributing
 
+- [Pull Requests](#pull-requests)
+- [Requirements](#requirements)
+- [Development Workflow](#development-workflow)
+- [Build](#build)
+- [Structure](#structure)
+  - [VS Code Patch](#vs-code-patch)
+  - [Currently Known Issues](#currently-known-issues)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
 - [Detailed CI and build process docs](../ci)
 
+## Pull Requests
+
+Please create a [GitHub Issue](https://github.com/cdr/code-server/issues) for each issue
+you'd like to address unless the proposed fix is minor.
+
+In your Pull Requests (PR), link to the issue that the PR solves.
+
+Please ensure that the base of your PR is the **master** branch. (Note: The default
+GitHub branch is the latest release branch, though you should point all of your changes to be merged into
+master).
+
 ## Requirements
 
-Please refer to [VS Code's prerequisites](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites).
+The prerequisites for contributing to code-server are almost the same as those for
+[VS Code](https://github.com/Microsoft/vscode/wiki/How-to-Contribute#prerequisites).
+There are several differences, however. You must:
 
-Differences:
+- Use Node.js version 12.x (or greater)
+- Have [nfpm](https://github.com/goreleaser/nfpm) (which is used to build `.deb` and `.rpm` packages and [jq](https://stedolan.github.io/jq/) (used to build code-server releases) installed
 
-- We require a minimum of node v12 but later versions should work.
-- We use [fnpm](https://github.com/goreleaser/nfpm) to build `.deb` and `.rpm` packages.
-- We use [jq](https://stedolan.github.io/jq/) to build code-server releases.
-- The [CI container](../ci/container/Dockerfile) is a useful reference for all our dependencies.
+The [CI container](../ci/images/debian8/Dockerfile) is a useful reference for all
+of the dependencies code-server uses.
 
 ## Development Workflow
 
@@ -19,100 +43,120 @@ Differences:
 yarn
 yarn vscode
 yarn watch
-# Visit http://localhost:8080 once the build completed.
+# Visit http://localhost:8080 once the build is completed.
 ```
 
-To develop inside of an isolated docker container:
+To develop inside an isolated Docker container:
 
 ```shell
-./ci/dev/container/exec.sh
-
-root@12345:/code-server# yarn
-root@12345:/code-server# yarn vscode
-root@12345:/code-server# yarn watch
+./ci/dev/image/run.sh yarn
+./ci/dev/image/run.sh yarn vscode
+./ci/dev/image/run.sh yarn watch
 ```
 
-Any changes made to the source will be live reloaded.
+`yarn watch` will live reload changes to the source.
 
-If changes are made to the patch and you've built previously you must manually
-reset VS Code then run `yarn vscode:patch`.
+If you introduce changes to the patch and you've previously built, you
+must (1) manually reset VS Code and (2) run `yarn vscode:patch`.
 
 ## Build
 
+You can build using:
+
+```shell
+./ci/dev/image/run.sh ./ci/steps/release.sh
+```
+
+Run your build with:
+
+```shell
+cd release
+yarn --production
+# Runs the built JavaScript with Node.
+node .
+```
+
+Build the release packages (make sure that you run `./ci/steps/release.sh` first):
+
+```shell
+IMAGE=centos7 ./ci/dev/image/run.sh ./ci/steps/release-packages.sh
+# The standalone release is in ./release-standalone
+# .deb, .rpm and the standalone archive are in ./release-packages
+```
+
+The `release.sh` script is equal to running:
+
 ```shell
 yarn
 yarn vscode
 yarn build
 yarn build:vscode
 yarn release
-cd release
-yarn --production
-# Runs the built JavaScript with Node.
-node .
 ```
 
-Now you can build release packages with:
+And `release-packages.sh` is equal to:
 
-```
+```shell
 yarn release:standalone
-# The standalone release is in ./release-standalone
 yarn test:standalone-release
 yarn package
-# .deb, .rpm and the standalone archive are in ./release-packages
+```
+
+For a faster release build, you can run instead:
+
+```shell
+KEEP_MODULES=1 ./ci/steps/release.sh
+node ./release
 ```
 
 ## Structure
 
-The `code-server` script serves an HTTP API to login and start a remote VS Code process.
+The `code-server` script serves an HTTP API for login and starting a remote VS Code process.
 
 The CLI code is in [./src/node](./src/node) and the HTTP routes are implemented in
 [./src/node/app](./src/node/app).
 
-Most of the meaty parts are in our VS Code patch which is described next.
+Most of the meaty parts are in the VS Code patch, which we described next.
 
 ### VS Code Patch
 
-Back in v1 of code-server, we had an extensive patch of VS Code that split the codebase
-into a frontend and server. The frontend consisted of all UI code and the server ran
-the extensions and exposed an API to the frontend for file access and everything else
-that the UI needed.
+In v1 of code-server, we had a patch of VS Code that split the codebase into a front-end
+and a server. The front-end consisted of all UI code, while the server ran the extensions
+and exposed an API to the front-end for file access and all UI needs.
 
-This worked but eventually Microsoft added support to VS Code to run it in the web.
-They have open sourced the frontend but have kept the server closed source.
-
-So in interest of piggy backing off their work, v2 and beyond use the VS Code
-web frontend and fill in the server. This is contained in our
+Over time, Microsoft added support to VS Code to run it on the web. They have made
+the front-end open source, but not the server. As such, code-server v2 (and later) uses
+the VS Code front-end and implements the server. You can find this in
 [./ci/dev/vscode.patch](../ci/dev/vscode.patch) under the path `src/vs/server`.
 
 Other notable changes in our patch include:
 
-- Add our own build file which includes our code and VS Code's web code.
-- Allow multiple extension directories (both user and built-in).
-- Modify the loader, websocket, webview, service worker, and asset requests to
-  use the URL of the page as a base (and TLS if necessary for the websocket).
-- Send client-side telemetry through the server.
-- Allow modification of the display language.
-- Make it possible for us to load code on the client.
-- Make extensions work in the browser.
-- Make it possible to install extensions of any kind.
-- Fix getting permanently disconnected when you sleep or hibernate for a while.
-- Add connection type to web socket query parameters.
+- Adding our build file, which includes our code and VS Code's web code
+- Allowing multiple extension directories (both user and built-in)
+- Modifying the loader, websocket, webview, service worker, and asset requests to
+  use the URL of the page as a base (and TLS, if necessary for the websocket)
+- Sending client-side telemetry through the server
+- Allowing modification of the display language
+- Making it possible for us to load code on the client
+- Making extensions work in the browser
+- Making it possible to install extensions of any kind
+- Fixing issue with getting disconnected when your machine sleeps or hibernates
+- Adding connection type to web socket query parameters
 
-Some known issues presently:
-
-- Creating custom VS Code extensions and debugging them doesn't work.
-- Extension profiling and tips are currently disabled.
-
-As the web portion of VS Code matures, we'll be able to shrink and maybe even entirely
-eliminate our patch. In the meantime, however, upgrading the VS Code version requires
-ensuring that the patch still applies and has the intended effects.
-
-To generate a new patch run `yarn vscode:diff`.
-
-**note**: We have extension docs on the CI and build system at [./ci/README.md](../ci/README.md)
-
-If functionality doesn't depend on code from VS Code then it should be moved
-into code-server otherwise it should be in the patch.
-
-In the future we'd like to run VS Code unit tests against our builds to ensure features
+As the web portion of VS Code matures, we'll be able to shrink and possibly
+eliminate our patch. In the meantime, upgrading the VS Code version requires
+us to ensure that the patch is applied and works as intended. In the future,
+we'd like to run VS Code unit tests against our builds to ensure that features
 work as expected.
+
+To generate a new patch, run `yarn vscode:diff`
+
+**Note**: We have [extension docs](../ci/README.md) on the CI and build system.
+
+If the functionality you're working on does NOT depend on code from VS Code, please
+move it out and into code-server.
+
+### Currently Known Issues
+
+- Creating custom VS Code extensions and debugging them doesn't work
+- Extension profiling and tips are currently disabled

doc/FAQ.md

@@ -3,7 +3,11 @@
 # FAQ
 
 - [Questions?](#questions)
-- [What's the deal with extensions?](#whats-the-deal-with-extensions)
+- [iPad Status?](#ipad-status)
+- [How can I reuse my VS Code configuration?](#how-can-i-reuse-my-vs-code-configuration)
+- [Differences compared to VS Code?](#differences-compared-to-vs-code)
+- [How can I request a missing extension?](#how-can-i-request-a-missing-extension)
+- [How do I configure the marketplace URL?](#how-do-i-configure-the-marketplace-url)
 - [Where are extensions stored?](#where-are-extensions-stored)
 - [How is this different from VS Code Codespaces?](#how-is-this-different-from-vs-code-codespaces)
 - [How should I expose code-server to the internet?](#how-should-i-expose-code-server-to-the-internet)
@@ -12,46 +16,66 @@
   - [Sub-domains](#sub-domains)
 - [Multi-tenancy](#multi-tenancy)
 - [Docker in code-server container?](#docker-in-code-server-container)
-- [Collaboration](#collaboration)
 - [How can I disable telemetry?](#how-can-i-disable-telemetry)
 - [How does code-server decide what workspace or folder to open?](#how-does-code-server-decide-what-workspace-or-folder-to-open)
 - [How do I debug issues with code-server?](#how-do-i-debug-issues-with-code-server)
 - [Heartbeat File](#heartbeat-file)
+- [Healthz endpoint](#healthz-endpoint)
 - [How does the config file work?](#how-does-the-config-file-work)
-- [Blank screen on iPad?](#blank-screen-on-ipad)
 - [Isn't an install script piped into sh insecure?](#isnt-an-install-script-piped-into-sh-insecure)
 - [How do I make my keyboard shortcuts work?](#how-do-i-make-my-keyboard-shortcuts-work)
-- [Why can't I use VS Code's Remote extensions?](#why-cant-i-use-vs-codes-remote-extensions)
+- [Differences compared to Theia?](#differences-compared-to-theia)
 - [Enterprise](#enterprise)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
 ## Questions?
 
-Please file all questions and support requests at https://www.reddit.com/r/codeserver/.
+Please file all questions and support requests at https://github.com/cdr/code-server/discussions.
 
-The issue tracker is **only** for bugs.
+## iPad Status?
 
-## What's the deal with extensions?
+Please see [./ipad.md](./ipad.md).
 
-Unfortunately, the Microsoft VS Code Marketplace license prohibits use with any non Microsoft
-product.
+## How can I reuse my VS Code configuration?
 
-See https://cdn.vsassets.io/v/M146_20190123.39/_content/Microsoft-Visual-Studio-Marketplace-Terms-of-Use.pdf
+The very popular [Settings Sync](https://marketplace.visualstudio.com/items?itemName=Shan.code-settings-sync) extension works.
+
+You can also pass `--user-data-dir ~/.vscode` to reuse your existing VS Code extensions and configuration.
+
+Or copy `~/.vscode` into `~/.local/share/code-server`.
+
+## Differences compared to VS Code?
+
+`code-server` takes the open source core of VS Code and allows you to run it in the browser.
+However, it is not entirely equivalent to Microsoft's VS Code.
+
+While the core of VS Code is open source, the marketplace and many published Microsoft extensions are not.
+
+Furthermore, Microsoft prohibits the use of any non-Microsoft VS Code from accessing their marketplace.
+
+See the [TOS](https://cdn.vsassets.io/v/M146_20190123.39/_content/Microsoft-Visual-Studio-Marketplace-Terms-of-Use.pdf).
 
 > Marketplace Offerings are intended for use only with Visual Studio Products and Services
 > and you may only install and use Marketplace Offerings with Visual Studio Products and Services.
 
-As a result, we have created our own marketplace for open source extensions.
+As a result, we cannot offer any extensions on the Microsoft marketplace. Instead,
+we have created our own marketplace for open source extensions.
 It works by scraping GitHub for VS Code extensions and building them. It's not perfect but getting
 better by the day with more and more extensions.
 
-Issue [#1299](https://github.com/cdr/code-server/issues/1299) is a big one in making the experience here
-better by allowing the community to submit extensions and repos to avoid waiting until the scraper finds
-an extension.
+These are the closed source extensions presently unavailable:
 
-To request an extension for the code-server marketplace, please open a new issue
-and select the `Extension request` template.
+1. [Live Share](https://visualstudio.microsoft.com/services/live-share)
+   - We may implement something similar, see [#33](https://github.com/cdr/code-server/issues/33)
+1. [Remote Extensions (SSH, Containers, WSL)](https://github.com/microsoft/vscode-remote-release)
+   - We may reimplement these at some point, see [#1315](https://github.com/cdr/code-server/issues/1315)
+
+For more about the closed source parts of VS Code, see [vscodium/vscodium](https://github.com/VSCodium/vscodium#why-does-this-exist).
+
+## How can I request a missing extension?
+
+Please open a new issue and select the `Extension request` template.
 
 If an extension is not available or does not work, you can grab its VSIX from its Github releases or
 build it yourself. Then run the `Extensions: Install from VSIX` command in the Command Palette and
@@ -59,8 +83,26 @@ point to the .vsix file.
 
 See below for installing an extension from the cli.
 
-If you have your own custom marketplace, it is possible to point code-server to it by setting
-`$SERVICE_URL` and `$ITEM_URL` to point to it.
+## How do I configure the marketplace URL?
+
+If you have your own marketplace that implements the VS Code Extension Gallery API, it is possible to
+point code-server to it by setting `$SERVICE_URL` and `$ITEM_URL`. These correspond directly
+to `serviceUrl` and `itemUrl` in VS Code's `product.json`.
+
+e.g. to use [open-vsx.org](https://open-vsx.org):
+
+```bash
+export SERVICE_URL=https://open-vsx.org/vscode/gallery
+export ITEM_URL=https://open-vsx.org/vscode/item
+```
+
+While you can technically use Microsoft's marketplace with these, please do not do so as it
+is against their terms of use. See [above](#differences-compared-to-vs-code) and this
+discussion regarding the use of the Microsoft URLs in forks:
+
+https://github.com/microsoft/vscode/issues/31168#issue-244533026
+
+These variables are most valuable to our enterprise customers for whom we have a self hosted marketplace product.
 
 ## Where are extensions stored?
 
@@ -84,11 +126,11 @@ code-server --install-extension downloaded-ms-python.python.vsix
 VS Code Codespaces is a closed source and paid service by Microsoft. It also allows you to access
 VS Code via the browser.
 
-However, code-server is free, open source and can be ran on any machine without any limitations.
+However, code-server is free, open source and can be run on any machine without any limitations.
 
-While you can self host environments with VS Code Codespaces, you still need to an Azure billing
-account and you access VS Code via the Codespaces web dashboard instead of directly connecting to
-your instance.
+While you can self host environments with VS Code Codespaces, you still need an Azure billing
+account and you have to access VS Code via the Codespaces web dashboard instead of directly
+connecting to your instance.
 
 ## How should I expose code-server to the internet?
 
@@ -106,6 +148,9 @@ For HTTPS, you can use a self signed certificate by passing in just `--cert` or
 pass in an existing certificate by providing the path to `--cert` and the path to
 the key with `--cert-key`.
 
+The self signed certificate will be generated into
+`~/.local/share/code-server/self-signed.crt`.
+
 If `code-server` has been passed a certificate it will also respond to HTTPS
 requests and will redirect all HTTP requests to HTTPS.
 
@@ -160,12 +205,6 @@ You can even make volume mounts work. Lets say you want to run a container and m
 the docker daemon's `/home/coder/myproject` is the same as the one mounted inside the `code-server`
 container and the mount will just work.
 
-## Collaboration
-
-We understand the high demand but the team is swamped right now.
-
-You can subscribe to [#33](https://github.com/cdr/code-server/issues/33) for updates.
-
 ## How can I disable telemetry?
 
 Use the `--disable-telemetry` flag to completely disable telemetry. We use the
@@ -211,6 +250,20 @@ older than X minutes, kill `code-server`.
 
 [#1636](https://github.com/cdr/code-server/issues/1636) will make the experience here better.
 
+## Healthz endpoint
+
+`code-server` exposes an endpoint at `/healthz` which can be used to check
+whether `code-server` is up without triggering a heartbeat. The response will
+include a status (`alive` or `expired`) and a timestamp for the last heartbeat
+(defaults to `0`). This endpoint does not require authentication.
+
+```json
+{
+  "status": "alive",
+  "lastHeartbeat": 1599166210566
+}
+```
+
 ## How does the config file work?
 
 When `code-server` starts up, it creates a default config file in `~/.config/code-server/config.yaml` that looks
@@ -233,15 +286,6 @@ The `--config` flag or `$CODE_SERVER_CONFIG` can be used to change the config fi
 
 The default location also respects `$XDG_CONFIG_HOME`.
 
-## Blank screen on iPad?
-
-Unfortunately at the moment self signed certificates cause a blank screen on iPadOS
-
-There does seem to a way to get it to work if you create your own CA and create a
-certificate using the CA and then import the CA onto your iPad.
-
-See [#1566](https://github.com/cdr/code-server/issues/1566#issuecomment-623159434).
-
 ## Isn't an install script piped into sh insecure?
 
 Please give
@@ -259,15 +303,18 @@ This will install a Chrome PWA and now all keybindings will work!
 
 For other browsers you'll have to remap keybindings unfortunately.
 
-## Why can't I use VS Code's Remote extensions?
+## Differences compared to Theia?
 
-Unfortunately, Microsoft has opted to make [VS Code's Remote SSH and Container
-extensions closed source](https://github.com/microsoft/vscode-remote-release) and
-it is against their TOS to use the published extensions so we are unable to
-add them to our marketplace.
+[Theia](https://github.com/eclipse-theia/theia) is a browser IDE loosely based on VS Code. It uses the same
+text editor library named [Monaco](https://github.com/Microsoft/monaco-editor) and the same
+extension API but everything else is very different. It also uses [open-vsx.org](https://open-vsx.org)
+for extensions which has an order of magnitude less extensions than our marketplace.
+See [#1473](https://github.com/cdr/code-server/issues/1473).
 
-We may reimplement them at some point.
-You can subscribe to [#1315](https://github.com/cdr/code-server/issues/1315) for updates.
+You can't just use your VS Code config in Theia like you can with code-server.
+
+To summarize, code-server is a patched fork of VS Code to run in the browser whereas
+Theia takes some parts of VS Code but is an entirely different editor.
 
 ## Enterprise
 

doc/guide.md

@@ -9,6 +9,7 @@
 - [3. Expose code-server](#3-expose-code-server)
   - [SSH forwarding](#ssh-forwarding)
   - [Let's Encrypt](#lets-encrypt)
+    - [NGINX](#nginx)
   - [Self Signed Certificate](#self-signed-certificate)
   - [Change the password?](#change-the-password)
   - [How do I securely access development web services?](#how-do-i-securely-access-development-web-services)
@@ -25,6 +26,8 @@ Further docs are at:
 - [FAQ](./FAQ.md) for common questions.
 - [CONTRIBUTING](../doc/CONTRIBUTING.md) for development docs
 
+We highly recommend reading the [FAQ](./FAQ.md) on the [Differences compared to VS Code](./FAQ.md#differences-compared-to-vs-code) before beginning.
+
 We'll walk you through acquiring a remote machine to run `code-server` on
 and then exposing `code-server` so you can securely access it.
 
@@ -78,7 +81,7 @@ to avoid the slow dashboard.
 
 ## 2. Install code-server
 
-We have a [script](../install.sh) to install `code-server` for Linux and macOS.
+We have a [script](../install.sh) to install `code-server` for Linux, macOS and FreeBSD.
 
 It tries to use the system package manager if possible.
 
@@ -128,16 +131,16 @@ sed -i.bak 's/auth: password/auth: none/' ~/.config/code-server/config.yaml
 Restart `code-server` with (assuming you followed the guide):
 
 ```bash
-systemctl --user restart code-server
+sudo systemctl restart code-server@$USER
 ```
 
-Now forward local port 8080 to `127.0.0.1:8080` on the remote instance.
+Now forward local port 8080 to `127.0.0.1:8080` on the remote instance by running the following command on your local machine.
 
 Recommended reading: https://help.ubuntu.com/community/SSH/OpenSSH/PortForwarding.
 
 ```bash
 # -N disables executing a remote shell
-ssh -N -L 8080:127.0.0.1:8080 <instance-ip>
+ssh -N -L 8080:127.0.0.1:8080 [user]@<instance-ip>
 ```
 
 Now if you access http://127.0.0.1:8080 locally, you should see `code-server`!
@@ -191,6 +194,8 @@ mydomain.com
 reverse_proxy 127.0.0.1:8080
 ```
 
+Remember to replace `mydomain.com` with your domain name!
+
 5. Reload caddy with:
 
 ```bash
@@ -202,10 +207,51 @@ Visit `https://<your-domain-name>` to access `code-server`. Congratulations!
 In a future release we plan to integrate Let's Encrypt directly with `code-server` to avoid
 the dependency on caddy.
 
+#### NGINX
+
+If you prefer to use NGINX instead of Caddy then please follow steps 1-2 above and then:
+
+3. Install `nginx`:
+
+```bash
+sudo apt update
+sudo apt install -y nginx certbot python-certbot-nginx
+```
+
+4. Put the following config into `/etc/nginx/sites-available/code-server` with sudo:
+
+```nginx
+server {
+    listen 80;
+    listen [::]:80;
+    server_name mydomain.com;
+
+    location / {
+      proxy_pass http://localhost:8080/;
+      proxy_set_header Host $host;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection upgrade;
+      proxy_set_header Accept-Encoding gzip;
+    }
+}
+```
+
+Remember to replace `mydomain.com` with your domain name!
+
+5. Enable the config:
+
+```bash
+sudo ln -s ../sites-available/code-server /etc/nginx/sites-enabled/code-server
+sudo certbot --non-interactive --redirect --agree-tos --nginx -d mydomain.com -m me@example.com
+```
+
+Make sure to substitute `me@example.com` with your actual email.
+
+Visit `https://<your-domain-name>` to access `code-server`. Congratulations!
+
 ### Self Signed Certificate
 
-**note:** Self signed certificates do not work with iPad and will cause a blank page. You'll
-have to use [Let's Encrypt](#lets-encrypt) instead. See the [FAQ](./FAQ.md#blank-screen-on-ipad).
+**note:** Self signed certificates do not work with iPad normally. See [./ipad.md](./ipad.md) for details.
 
 Recommended reading: https://security.stackexchange.com/a/8112.
 
@@ -230,7 +276,7 @@ sudo setcap cap_net_bind_service=+ep /usr/lib/code-server/lib/node
 Assuming you have been following the guide, restart `code-server` with:
 
 ```bash
-systemctl --user restart code-server
+sudo systemctl restart code-server@$USER
 ```
 
 Edit your instance and checkmark the allow HTTPS traffic option.
@@ -248,7 +294,7 @@ Edit the `password` field in the `code-server` config file at `~/.config/code-se
 and then restart `code-server` with:
 
 ```bash
-systemctl --user restart code-server
+sudo systemctl restart code-server@$USER
 ```
 
 ### How do I securely access development web services?

doc/install.md

@@ -4,7 +4,7 @@
 
 - [install.sh](#installsh)
   - [Flags](#flags)
-  - [Detect Reference](#detect-reference)
+  - [Detection Reference](#detection-reference)
 - [Debian, Ubuntu](#debian-ubuntu)
 - [Fedora, CentOS, RHEL, SUSE](#fedora-centos-rhel-suse)
 - [Arch Linux](#arch-linux)
@@ -12,6 +12,7 @@
 - [macOS](#macos)
 - [Standalone Releases](#standalone-releases)
 - [Docker](#docker)
+- [helm](#helm)
 
 <!-- END doctoc generated TOC please keep comment here to allow auto update -->
 
@@ -20,7 +21,7 @@ various distros and operating systems.
 
 ## install.sh
 
-We have a [script](../install.sh) to install code-server for Linux and macOS.
+We have a [script](../install.sh) to install code-server for Linux, macOS and FreeBSD.
 
 It tries to use the system package manager if possible.
 
@@ -42,7 +43,7 @@ If you believe an install script used with `curl | sh` is insecure, please give
 [this wonderful blogpost](https://sandstorm.io/news/2015-09-24-is-curl-bash-insecure-pgp-verified-install) by
 [sandstorm.io](https://sandstorm.io) a read.
 
-If you'd still prefer manual installation despite the below [detect reference](#detect-reference) and `--dry-run`
+If you'd still prefer manual installation despite the below [detection reference](#detection-reference) and `--dry-run`
 then continue on for docs on manual installation. The [`install.sh`](../install.sh) script runs the _exact_ same
 commands presented in the rest of this document.
 
@@ -56,7 +57,7 @@ commands presented in the rest of this document.
 - `--version=X.X.X` to install version `X.X.X` instead of latest.
 - `--help` to see full usage docs.
 
-### Detect Reference
+### Detection Reference
 
 - For Debian, Ubuntu and Raspbian it will install the latest deb package.
 - For Fedora, CentOS, RHEL and openSUSE it will install the latest rpm package.
@@ -70,6 +71,8 @@ commands presented in the rest of this document.
   - If Homebrew is not installed it will install the latest standalone release into `~/.local`.
   - Add `~/.local/bin` to your `$PATH` to run code-server.
 
+- For FreeBSD, it will install the [npm package](#yarn-npm) with `yarn` or `npm`.
+
 - If ran on an architecture with no releases, it will install the [npm package](#yarn-npm) with `yarn` or `npm`.
   - We only have releases for amd64 and arm64 presently.
   - The [npm package](#yarn-npm) builds the native modules on postinstall.
@@ -77,18 +80,18 @@ commands presented in the rest of this document.
 ## Debian, Ubuntu
 
 ```bash
-curl -fOL https://github.com/cdr/code-server/releases/download/v3.4.0/code-server_3.4.0_amd64.deb
-sudo dpkg -i code-server_3.4.0_amd64.deb
-systemctl --user enable --now code-server
+curl -fOL https://github.com/cdr/code-server/releases/download/v3.7.0/code-server_3.7.0_amd64.deb
+sudo dpkg -i code-server_3.7.0_amd64.deb
+sudo systemctl enable --now code-server@$USER
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
 
 ## Fedora, CentOS, RHEL, SUSE
 
 ```bash
-curl -fOL https://github.com/cdr/code-server/releases/download/v3.4.0/code-server-3.4.0-amd64.rpm
-sudo rpm -i code-server-3.4.0-amd64.rpm
-systemctl --user enable --now code-server
+curl -fOL https://github.com/cdr/code-server/releases/download/v3.7.0/code-server-3.7.0-amd64.rpm
+sudo rpm -i code-server-3.7.0-amd64.rpm
+sudo systemctl enable --now code-server@$USER
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
 
@@ -97,7 +100,7 @@ systemctl --user enable --now code-server
 ```bash
 # Installs code-server from the AUR using yay.
 yay -S code-server
-systemctl --user enable --now code-server
+sudo systemctl enable --now code-server@$USER
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
 
@@ -106,7 +109,7 @@ systemctl --user enable --now code-server
 git clone https://aur.archlinux.org/code-server.git
 cd code-server
 makepkg -si
-systemctl --user enable --now code-server
+sudo systemctl enable --now code-server@$USER
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
 ```
 
@@ -115,7 +118,7 @@ systemctl --user enable --now code-server
 We recommend installing with `yarn` or `npm` when:
 
 1. You aren't on `amd64` or `arm64`.
-2. If you're on Linux with glibc < v2.17
+2. If you're on Linux with glibc < v2.17 or glibcxx < v3.4.18
 
 **note:** Installing via `yarn` or `npm` builds native modules on install and so requires C dependencies.
 See [./npm.md](./npm.md) for installing these dependencies.
@@ -143,7 +146,7 @@ We publish self contained `.tar.gz` archives for every release on [github](https
 They bundle the node binary and `node_modules`.
 
 These are created from the [npm package](#yarn-npm) and the rest of the releases are created from these.
-Only requirement is glibc >= 2.17 on Linux and for macOS there is no minimum system requirement.
+Only requirement is glibc >= 2.17 && glibcxx >= v3.4.18 on Linux and for macOS there is no minimum system requirement.
 
 1. Download the latest release archive for your system from [github](https://github.com/cdr/code-server/releases).
 2. Unpack the release.
@@ -156,10 +159,10 @@ Here is an example script for installing and using a standalone `code-server` re
 
 ```bash
 mkdir -p ~/.local/lib ~/.local/bin
-curl -fL https://github.com/cdr/code-server/releases/download/v3.4.0/code-server-3.4.0-linux-amd64.tar.gz \
+curl -fL https://github.com/cdr/code-server/releases/download/v3.7.0/code-server-3.7.0-linux-amd64.tar.gz \
   | tar -C ~/.local/lib -xz
-mv ~/.local/lib/code-server-3.4.0-linux-amd64 ~/.local/lib/code-server-3.4.0
-ln -s ~/.local/lib/code-server-3.4.0/bin/code-server ~/.local/bin/code-server
+mv ~/.local/lib/code-server-3.7.0-linux-amd64 ~/.local/lib/code-server-3.7.0
+ln -s ~/.local/lib/code-server-3.7.0/bin/code-server ~/.local/bin/code-server
 PATH="~/.local/bin:$PATH"
 code-server
 # Now visit http://127.0.0.1:8080. Your password is in ~/.config/code-server/config.yaml
@@ -172,9 +175,16 @@ code-server
 # It will also mount your current directory into the container as `/home/coder/project`
 # and forward your UID/GID so that all file system operations occur as your user outside
 # the container.
-docker run -it -p 127.0.0.1:8080:8080 \
+#
+# Your $HOME/.config is mounted at $HOME/.config within the container to ensure you can
+# easily access/modify your code-server config in $HOME/.config/code-server/config.json
+# outside the container.
+mkdir -p ~/.config
+docker run -it --name code-server -p 127.0.0.1:8080:8080 \
+  -v "$HOME/.config:/home/coder/.config" \
   -v "$PWD:/home/coder/project" \
   -u "$(id -u):$(id -g)" \
+  -e "DOCKER_USER=$USER" \
   codercom/code-server:latest
 ```
 
@@ -183,3 +193,7 @@ Our official image supports `amd64` and `arm64`.
 For `arm32` support there is a popular community maintained alternative:
 
 https://hub.docker.com/r/linuxserver/code-server
+
+## helm
+
+See [the chart](../ci/helm-chart).

doc/ipad.md

@@ -0,0 +1,56 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
+# iPad
+
+- [iPad](#ipad)
+  - [Known Issues](#known-issues)
+  - [How to access code-server with a self signed certificate on iPad?](#how-to-access-code-server-with-a-self-signed-certificate-on-ipad)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
+# iPad
+
+## Known Issues
+
+- Getting self signed certificates certificates to work is involved, see below.
+- Keyboard may disappear sometimes [#1313](https://github.com/cdr/code-server/issues/1313), [#979](https://github.com/cdr/code-server/issues/979)
+- Trackpad scrolling does not work [#1455](https://github.com/cdr/code-server/issues/1455)
+- See [issues tagged with the iPad label](https://github.com/cdr/code-server/issues?q=is%3Aopen+is%3Aissue+label%3AiPad) for more.
+
+## How to access code-server with a self signed certificate on iPad?
+
+Accessing a self signed certificate on iPad isn't as easy as accepting through all
+the security warnings. Safari will prevent WebSocket connections unless the certificate
+is installed as a profile on the device.
+
+The below assumes you are using the self signed certificate that code-server
+generates for you. If not, that's fine but you'll have to make sure your certificate
+abides by the following guidelines from Apple: https://support.apple.com/en-us/HT210176
+
+**note**: Another undocumented requirement we noticed is that the certificate has to have `basicConstraints=CA:true`.
+
+The following instructions assume you have code-server installed and running
+with a self signed certificate. If not, please first go through [./guide.md](./guide.md)!
+
+**warning**: Your iPad must access code-server via a domain name. It could be local
+DNS like `mymacbookpro.local` but it must be a domain name. Otherwise Safari will
+refuse to allow WebSockets to connect.
+
+1. Your certificate **must** have a subject alt name that matches the hostname
+   at which you will access code-server from your iPad. You can pass this to code-server
+   so that it generates the certificate correctly with `--cert-host`.
+2. Share your self signed certificate with the iPad.
+   - code-server will print the location of the certificate it has generated in the logs.
+
+```
+[2020-10-30T08:55:45.139Z] info    - Using generated certificate and key for HTTPS: ~/.local/share/code-server/mymbp_local.crt
+```
+
+- You can mail it to yourself or if you have a Mac, it's easiest to just Airdrop to the iPad.
+
+3. When opening the `*.crt` file, you'll be prompted to go into settings to install.
+4. Go to `Settings -> General -> Profile`, select the profile and then hit `Install`.
+   - It should say the profile is verified.
+5. Go to `Settings -> About -> Certificate Trust Settings` and enable full trust for
+   the certificate.
+6. Now you can access code-server! 🍻

doc/npm.md

@@ -1,5 +1,13 @@
+<!-- START doctoc generated TOC please keep comment here to allow auto update -->
+<!-- DON'T EDIT THIS SECTION, INSTEAD RE-RUN doctoc TO UPDATE -->
 # npm Install Requirements
 
+- [Ubuntu, Debian](#ubuntu-debian)
+- [Fedora, CentOS, RHEL](#fedora-centos-rhel)
+- [macOS](#macos)
+
+<!-- END doctoc generated TOC please keep comment here to allow auto update -->
+
 If you're installing the npm module you'll need certain dependencies to build
 the native modules used by VS Code.
 
@@ -13,14 +21,16 @@ sudo apt-get install -y \
   pkg-config \
   libx11-dev \
   libxkbfile-dev \
-  libsecret-1-dev
+  libsecret-1-dev \
+  python3
+npm config set python python3
 ```
 
 ## Fedora, CentOS, RHEL
 
 ```bash
 sudo yum groupinstall -y 'Development Tools'
-sudo yum config-manager --set-enabled PowerTools
+sudo yum config-manager --set-enabled PowerTools # unnecessary on CentOS 7
 sudo yum install -y python2 libsecret-devel libX11-devel libxkbfile-devel
 npm config set python python2
 ```

install.sh

@@ -14,30 +14,40 @@ usage() {
   fi
 
   cath << EOF
-Installs code-server for Linux and macOS.
+Installs code-server for Linux, macOS and FreeBSD.
 It tries to use the system package manager if possible.
 After successful installation it explains how to start using code-server.
+
+Pass in user@host to install code-server on user@host over ssh.
+The remote host must have internet access.
 ${not_curl_usage-}
 Usage:
 
-  $arg0 [--dry-run] [--version X.X.X] [--method detect] [--prefix ~/.local]
+  $arg0 [--dry-run] [--version X.X.X] [--method detect] \
+        [--prefix ~/.local] [--rsh ssh] [user@host]
 
   --dry-run
       Echo the commands for the install process without running them.
+
   --version X.X.X
       Install a specific version instead of the latest.
+
   --method [detect | standalone]
       Choose the installation method. Defaults to detect.
       - detect detects the system package manager and tries to use it.
         Full reference on the process is further below.
       - standalone installs a standalone release archive into ~/.local
         Add ~/.local/bin to your \$PATH to use it.
+
   --prefix <dir>
       Sets the prefix used by standalone release archives. Defaults to ~/.local
       The release is unarchived into ~/.local/lib/code-server-X.X.X
       and the binary symlinked into ~/.local/bin/code-server
       To install system wide pass ---prefix=/usr/local
 
+  --rsh <bin>
+      Specifies the remote shell for remote installation. Defaults to ssh.
+
 - For Debian, Ubuntu and Raspbian it will install the latest deb package.
 - For Fedora, CentOS, RHEL and openSUSE it will install the latest rpm package.
 - For Arch Linux it will install the AUR package.
@@ -48,6 +58,8 @@ Usage:
   - If Homebrew is not installed it will install the latest standalone release
     into ~/.local
 
+- For FreeBSD, it will install the npm package with yarn or npm.
+
 - If ran on an architecture with no releases, it will install the
   npm package with yarn or npm.
   - We only have releases for amd64 and arm64 presently.
@@ -62,7 +74,8 @@ EOF
 echo_latest_version() {
   # https://gist.github.com/lukechilds/a83e1d7127b78fef38c2914c4ececc3c#gistcomment-2758860
   version="$(curl -fsSLI -o /dev/null -w "%{url_effective}" https://github.com/cdr/code-server/releases/latest)"
-  version="${version#https://github.com/cdr/code-server/releases/tag/v}"
+  version="${version#https://github.com/cdr/code-server/releases/tag/}"
+  version="${version#v}"
   echo "$version"
 }
 
@@ -81,7 +94,7 @@ echo_systemd_postinstall() {
   echoh
   cath << EOF
 To have systemd start code-server now and restart on boot:
-  systemctl --user enable --now code-server
+  sudo systemctl enable --now code-server@\$USER
 Or, if you don't want/need a background service you can run:
   code-server
 EOF
@@ -97,9 +110,19 @@ main() {
     METHOD \
     STANDALONE_INSTALL_PREFIX \
     VERSION \
-    OPTIONAL
+    OPTIONAL \
+    ALL_FLAGS \
+    RSH_ARGS \
+    RSH
 
+  ALL_FLAGS=""
   while [ "$#" -gt 0 ]; do
+    case "$1" in
+    -*)
+      ALL_FLAGS="${ALL_FLAGS} $1"
+      ;;
+    esac
+
     case "$1" in
     --dry-run)
       DRY_RUN=1
@@ -125,20 +148,45 @@ main() {
     --version=*)
       VERSION="$(parse_arg "$@")"
       ;;
+    --rsh)
+      RSH="$(parse_arg "$@")"
+      shift
+      ;;
+    --rsh=*)
+      RSH="$(parse_arg "$@")"
+      ;;
     -h | --h | -help | --help)
       usage
       exit 0
       ;;
-    *)
+    --)
+      shift
+      # We remove the -- added above.
+      ALL_FLAGS="${ALL_FLAGS% --}"
+      RSH_ARGS="$*"
+      break
+      ;;
+    -*)
       echoerr "Unknown flag $1"
       echoerr "Run with --help to see usage."
       exit 1
       ;;
+    *)
+      RSH_ARGS="$*"
+      break
+      ;;
     esac
 
     shift
   done
 
+  if [ "${RSH_ARGS-}" ]; then
+    RSH="${RSH-ssh}"
+    echoh "Installing remotely with $RSH $RSH_ARGS"
+    curl -fsSL https://code-server.dev/install.sh | prefix "$RSH_ARGS" "$RSH" "$RSH_ARGS" sh -s -- "$ALL_FLAGS"
+    return
+  fi
+
   VERSION="${VERSION-$(echo_latest_version)}"
   METHOD="${METHOD-detect}"
   if [ "$METHOD" != detect ] && [ "$METHOD" != standalone ]; then
@@ -159,7 +207,7 @@ main() {
   ARCH="$(arch)"
   if [ ! "$ARCH" ]; then
     if [ "$METHOD" = standalone ]; then
-      echoerr "No releases available for the architecture $(uname -m)."
+      echoerr "No precompiled releases for $(uname -m)."
       echoerr 'Please rerun without the "--method standalone" flag to install from npm.'
       exit 1
     fi
@@ -168,8 +216,18 @@ main() {
     return
   fi
 
+  if [ "$OS" = "freebsd" ]; then
+    if [ "$METHOD" = standalone ]; then
+      echoerr "No precompiled releases available for $OS."
+      echoerr 'Please rerun without the "--method standalone" flag to install from npm.'
+      exit 1
+    fi
+    echoh "No precompiled releases available for $OS."
+    install_npm
+    return
+  fi
+
   CACHE_DIR="$(echo_cache_dir)"
-  mkdir -p "$CACHE_DIR"
 
   if [ "$METHOD" = standalone ]; then
     install_standalone
@@ -233,10 +291,11 @@ fetch() {
   FILE="$2"
 
   if [ -e "$FILE" ]; then
-    echoh "+ Reusing $CACHE_DIR/${URL##*/}"
+    echoh "+ Reusing $FILE"
     return
   fi
 
+  sh_c mkdir -p "$CACHE_DIR"
   sh_c curl \
     -#fL \
     -o "$FILE.incomplete" \
@@ -298,7 +357,7 @@ install_aur() {
 }
 
 install_standalone() {
-  echoh "Installing standalone release archive v$VERSION"
+  echoh "Installing standalone release archive v$VERSION from GitHub releases."
   echoh
 
   fetch "https://github.com/cdr/code-server/releases/download/v$VERSION/code-server-$VERSION-$OS-$ARCH.tar.gz" \
@@ -359,6 +418,9 @@ os() {
   Darwin)
     echo macos
     ;;
+  FreeBSD)
+    echo freebsd
+    ;;
   esac
 }
 
@@ -370,11 +432,12 @@ os() {
 # - centos, fedora, rhel, opensuse
 # - alpine
 # - arch
+# - freebsd
 #
 # Inspired by https://github.com/docker/docker-install/blob/26ff363bcf3b3f5a00498ac43694bf1c7d9ce16c/install.sh#L111-L120.
 distro() {
-  if [ "$(uname)" = "Darwin" ]; then
-    echo "macos"
+  if [ "$OS" = "macos" ] || [ "$OS" = "freebsd" ]; then
+    echo "$OS"
     return
   fi
 
@@ -421,11 +484,14 @@ arch() {
   x86_64)
     echo amd64
     ;;
+  amd64) # FreeBSD.
+    echo amd64
+    ;;
   esac
 }
 
 command_exists() {
-  command -v "$@" > /dev/null 2>&1
+  command -v "$@" > /dev/null
 }
 
 sh_c() {
@@ -479,4 +545,15 @@ humanpath() {
   sed "s# $HOME# ~#g; s#\"$HOME#\"\$HOME#g"
 }
 
+# We need to make sure we exit with a non zero exit if the command fails.
+# /bin/sh does not support -o pipefail unfortunately.
+prefix() {
+  PREFIX="$1"
+  shift
+  fifo="$(mktemp -d)/fifo"
+  mkfifo "$fifo"
+  sed -e "s#^#$PREFIX: #" "$fifo" &
+  "$@" > "$fifo" 2>&1
+}
+
 main "$@"

package.json

@@ -1,7 +1,7 @@
 {
   "name": "code-server",
   "license": "MIT",
-  "version": "3.4.0",
+  "version": "3.7.0",
   "description": "Run VS Code on a remote server.",
   "homepage": "https://github.com/cdr/code-server",
   "bugs": {
@@ -26,38 +26,43 @@
     "lint": "./ci/dev/lint.sh",
     "test": "./ci/dev/test.sh",
     "ci": "./ci/dev/ci.sh",
-    "watch": "NODE_OPTIONS=--max_old_space_size=32384 ts-node ./ci/dev/watch.ts"
+    "watch": "VSCODE_IPC_HOOK_CLI= NODE_OPTIONS=--max_old_space_size=32384 ts-node ./ci/dev/watch.ts"
   },
   "main": "out/node/entry.js",
   "devDependencies": {
-    "@types/adm-zip": "^0.4.32",
+    "@types/body-parser": "^1.19.0",
+    "@types/cookie-parser": "^1.4.2",
+    "@types/express": "^4.17.8",
     "@types/fs-extra": "^8.0.1",
     "@types/http-proxy": "^1.17.4",
     "@types/js-yaml": "^3.12.3",
-    "@types/mocha": "^5.2.7",
+    "@types/mocha": "^8.0.3",
     "@types/node": "^12.12.7",
     "@types/parcel-bundler": "^1.12.1",
     "@types/pem": "^1.9.5",
     "@types/safe-compare": "^1.1.0",
     "@types/semver": "^7.1.0",
-    "@types/tar-fs": "^1.16.2",
-    "@types/tar-stream": "^1.6.1",
-    "@types/ws": "^6.0.4",
-    "@typescript-eslint/eslint-plugin": "^2.0.0",
-    "@typescript-eslint/parser": "^2.0.0",
+    "@types/split2": "^2.1.6",
+    "@types/supertest": "^2.0.10",
+    "@types/tar-fs": "^2.0.0",
+    "@types/tar-stream": "^2.1.0",
+    "@types/ws": "^7.2.6",
+    "@typescript-eslint/eslint-plugin": "^4.7.0",
+    "@typescript-eslint/parser": "^4.7.0",
     "doctoc": "^1.4.0",
-    "eslint": "^6.2.0",
+    "eslint": "^7.7.0",
     "eslint-config-prettier": "^6.0.0",
     "eslint-plugin-import": "^2.18.2",
     "eslint-plugin-prettier": "^3.1.0",
     "leaked-handles": "^5.2.0",
-    "mocha": "^6.2.0",
+    "mocha": "^8.1.2",
     "parcel-bundler": "^1.12.4",
     "prettier": "^2.0.5",
     "stylelint": "^13.0.0",
     "stylelint-config-recommended": "^3.0.0",
-    "ts-node": "^8.4.1",
-    "typescript": "3.7.2"
+    "supertest": "^6.0.1",
+    "ts-node": "^9.0.0",
+    "typescript": "4.0.2"
   },
   "resolutions": {
     "@types/node": "^12.12.7",
@@ -65,17 +70,23 @@
     "vfile-message": "^2.0.2"
   },
   "dependencies": {
-    "@coder/logger": "1.1.11",
-    "adm-zip": "^0.4.14",
+    "@coder/logger": "1.1.16",
+    "body-parser": "^1.19.0",
+    "cookie-parser": "^1.4.5",
     "env-paths": "^2.2.0",
-    "fs-extra": "^8.1.0",
+    "express": "^5.0.0-alpha.8",
+    "fs-extra": "^9.0.1",
     "http-proxy": "^1.18.0",
     "httpolyglot": "^0.1.2",
     "js-yaml": "^3.13.1",
     "limiter": "^1.1.5",
     "pem": "^1.14.2",
+    "qs": "6.7.0",
+    "rotating-file-stream": "^2.1.1",
+    "safe-buffer": "^5.1.1",
     "safe-compare": "^1.1.4",
     "semver": "^7.1.3",
+    "split2": "^3.2.2",
     "tar": "^6.0.1",
     "tar-fs": "^2.0.0",
     "ws": "^7.2.0",

src/browser/media/manifest.json

@@ -7,32 +7,32 @@
   "description": "Run editors on a remote server.",
   "icons": [
     {
-      "src": "{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-96.png",
+      "src": "{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-96.png",
       "type": "image/png",
       "sizes": "96x96"
     },
     {
-      "src": "{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-128.png",
+      "src": "{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-128.png",
       "type": "image/png",
       "sizes": "128x128"
     },
     {
-      "src": "{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-192.png",
+      "src": "{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-192.png",
       "type": "image/png",
       "sizes": "192x192"
     },
     {
-      "src": "{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-256.png",
+      "src": "{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-256.png",
       "type": "image/png",
       "sizes": "256x256"
     },
     {
-      "src": "{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png",
+      "src": "{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png",
       "type": "image/png",
       "sizes": "384x384"
     },
     {
-      "src": "{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-512.png",
+      "src": "{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-512.png",
       "type": "image/png",
       "sizes": "512x512"
     }

src/browser/pages/app.html

@@ -1,28 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta
-      name="viewport"
-      content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"
-    />
-    <meta
-      http-equiv="Content-Security-Policy"
-      content="style-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
-    />
-    <title>code-server</title>
-    <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link
-      rel="manifest"
-      href="{{BASE}}/static/{{COMMIT}}/src/browser/media/manifest.json"
-      crossorigin="use-credentials"
-    />
-    <link rel="apple-touch-icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png" />
-    <link href="{{BASE}}/static/{{COMMIT}}/dist/pages/app.css" rel="stylesheet" />
-    <meta id="coder-options" data-settings="{{OPTIONS}}" />
-  </head>
-  <body>
-    <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/register.js"></script>
-    <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/pages/app.js"></script>
-  </body>
-</html>

src/browser/pages/app.ts

@@ -1,37 +0,0 @@
-import { getOptions, normalize } from "../../common/util"
-import { ApiEndpoint } from "../../common/http"
-
-import "./error.css"
-import "./global.css"
-import "./home.css"
-import "./login.css"
-import "./update.css"
-
-const options = getOptions()
-
-const isInput = (el: Element): el is HTMLInputElement => {
-  return !!(el as HTMLInputElement).name
-}
-
-document.querySelectorAll("form").forEach((form) => {
-  if (!form.classList.contains("-x11")) {
-    return
-  }
-  form.addEventListener("submit", (event) => {
-    event.preventDefault()
-    const values: { [key: string]: string } = {}
-    Array.from(form.elements).forEach((element) => {
-      if (isInput(element)) {
-        values[element.name] = element.value
-      }
-    })
-    fetch(normalize(`${options.base}/api/${ApiEndpoint.process}`), {
-      method: "POST",
-      body: JSON.stringify(values),
-    })
-  })
-})
-
-// TEMP: Until we can get the real ready event.
-const event = new CustomEvent("ide-ready")
-window.dispatchEvent(event)

src/browser/pages/error.html

@@ -11,28 +11,22 @@
       content="style-src 'self'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
     />
     <title>{{ERROR_TITLE}} - code-server</title>
-    <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link
-      rel="manifest"
-      href="{{BASE}}/static/{{COMMIT}}/src/browser/media/manifest.json"
-      crossorigin="use-credentials"
-    />
-    <link rel="apple-touch-icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png" />
-    <link href="{{BASE}}/static/{{COMMIT}}/dist/pages/app.css" rel="stylesheet" />
+    <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" type="image/x-icon" />
+    <link rel="manifest" href="{{CS_STATIC_BASE}}/src/browser/media/manifest.json" crossorigin="use-credentials" />
+    <link rel="apple-touch-icon" href="{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png" />
+    <link href="{{CS_STATIC_BASE}}/dist/register.css" rel="stylesheet" />
     <meta id="coder-options" data-settings="{{OPTIONS}}" />
   </head>
   <body>
     <div class="center-container">
       <div class="error-display">
         <h2 class="header">{{ERROR_HEADER}}</h2>
-        <div class="body">
-          {{ERROR_BODY}}
-        </div>
+        <div class="body">{{ERROR_BODY}}</div>
         <div class="links">
           <a class="link" href="{{BASE}}{{TO}}">go home</a>
         </div>
       </div>
     </div>
-    <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/register.js"></script>
+    <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/register.js"></script>
   </body>
 </html>

src/browser/pages/home.css

@@ -1,51 +0,0 @@
-.block-row {
-  display: flex;
-}
-
-.block-row > .item {
-  flex: 1;
-  margin: 2px 0;
-}
-
-.block-row > button.item {
-  background: none;
-  border: none;
-  cursor: pointer;
-  text-align: left;
-}
-
-.block-row > .item > .sub {
-  font-size: 0.95em;
-}
-
-.block-row .-link {
-  color: rgb(87, 114, 245);
-  display: block;
-  text-decoration: none;
-}
-
-.block-row .-link:hover {
-  text-decoration: underline;
-}
-
-.block-row > .item > .icon {
-  height: 1rem;
-  margin-right: 5px;
-  vertical-align: top;
-  width: 1rem;
-}
-
-.block-row > .item > .icon.-missing {
-  background-color: rgba(87, 114, 245, 0.2);
-  display: inline-block;
-  text-align: center;
-}
-
-.kill-form {
-  display: inline-block;
-}
-
-.kill-form > .kill {
-  border-radius: 3px;
-  padding: 2px 5px;
-}

src/browser/pages/home.html

@@ -1,59 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta
-      name="viewport"
-      content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"
-    />
-    <meta
-      http-equiv="Content-Security-Policy"
-      content="style-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
-    />
-    <title>code-server</title>
-    <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link
-      rel="manifest"
-      href="{{BASE}}/static/{{COMMIT}}/src/browser/media/manifest.json"
-      crossorigin="use-credentials"
-    />
-    <link rel="apple-touch-icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png" />
-    <link href="{{BASE}}/static/{{COMMIT}}/dist/pages/app.css" rel="stylesheet" />
-    <meta id="coder-options" data-settings="{{OPTIONS}}" />
-  </head>
-  <body>
-    <div class="center-container">
-      <div class="card-box">
-        <div class="header">
-          <h2 class="main">Editors</h2>
-          <div class="sub">Choose an editor to launch below.</div>
-        </div>
-        <div class="content">
-          {{APP_LIST:EDITORS}}
-        </div>
-      </div>
-
-      <div class="card-box">
-        <div class="header">
-          <h2 class="main">Other</h2>
-          <div class="sub">Choose an application to launch below.</div>
-        </div>
-        <div class="content">
-          {{APP_LIST:OTHER}}
-        </div>
-      </div>
-
-      <div class="card-box">
-        <div class="header">
-          <h2 class="main">Version</h2>
-          <div class="sub">Version information and updates.</div>
-        </div>
-        <div class="content">
-          {{UPDATE:NAME}}
-        </div>
-      </div>
-    </div>
-    <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/register.js"></script>
-    <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/pages/app.js"></script>
-  </body>
-</html>

src/browser/pages/login.html

@@ -11,14 +11,10 @@
       content="style-src 'self'; script-src 'self' 'unsafe-inline'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
     />
     <title>code-server login</title>
-    <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link
-      rel="manifest"
-      href="{{BASE}}/static/{{COMMIT}}/src/browser/media/manifest.json"
-      crossorigin="use-credentials"
-    />
-    <link rel="apple-touch-icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png" />
-    <link href="{{BASE}}/static/{{COMMIT}}/dist/pages/app.css" rel="stylesheet" />
+    <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" type="image/x-icon" />
+    <link rel="manifest" href="{{CS_STATIC_BASE}}/src/browser/media/manifest.json" crossorigin="use-credentials" />
+    <link rel="apple-touch-icon" href="{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png" />
+    <link href="{{CS_STATIC_BASE}}/dist/register.css" rel="stylesheet" />
     <meta id="coder-options" data-settings="{{OPTIONS}}" />
   </head>
   <body>
@@ -50,11 +46,6 @@
       </div>
     </div>
   </body>
-  <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/register.js"></script>
-  <script>
-    const parts = window.location.pathname.replace(/^\//g, "").split("/")
-    parts[parts.length - 1] = "{{BASE}}"
-    const url = new URL(window.location.origin + "/" + parts.join("/"))
-    document.getElementById("base").value = url.pathname
-  </script>
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/register.js"></script>
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/pages/login.js"></script>
 </html>

src/browser/pages/login.ts

@@ -0,0 +1,7 @@
+import { getOptions } from "../../common/util"
+
+const options = getOptions()
+const el = document.getElementById("base") as HTMLInputElement
+if (el) {
+  el.value = options.base
+}

src/browser/pages/update.html

@@ -1,43 +0,0 @@
-<!DOCTYPE html>
-<html lang="en">
-  <head>
-    <meta charset="utf-8" />
-    <meta
-      name="viewport"
-      content="width=device-width, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0, user-scalable=no"
-    />
-    <meta
-      http-equiv="Content-Security-Policy"
-      content="style-src 'self'; manifest-src 'self'; img-src 'self' data:; font-src 'self' data:;"
-    />
-    <title>code-server</title>
-    <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link
-      rel="manifest"
-      href="{{BASE}}/static/{{COMMIT}}/src/browser/media/manifest.json"
-      crossorigin="use-credentials"
-    />
-    <link rel="apple-touch-icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png" />
-    <link href="{{BASE}}/static/{{COMMIT}}/dist/pages/app.css" rel="stylesheet" />
-    <meta id="coder-options" data-settings="{{OPTIONS}}" />
-  </head>
-  <body>
-    <div class="center-container">
-      <div class="card-box">
-        <div class="header">
-          <h1 class="main">Update</h1>
-          <div class="sub">Update code-server.</div>
-        </div>
-        <div class="content">
-          <form class="update-form" action="{{BASE}}/update/apply">
-            {{UPDATE_STATUS}} {{ERROR}}
-            <div class="links">
-              <a class="link" href="{{BASE}}{{TO}}">go home</a>
-            </div>
-          </form>
-        </div>
-      </div>
-    </div>
-    <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/register.js"></script>
-  </body>
-</html>

src/browser/pages/vscode.html

@@ -2,12 +2,12 @@
 <!DOCTYPE html>
 <html>
   <head>
-    <meta charset="utf-8" />
+    <script>
+      globalThis.MonacoPerformanceMarks = globalThis.MonacoPerformanceMarks || []
+      globalThis.MonacoPerformanceMarks.push("renderer/started", Date.now())
+    </script>
 
-    <meta
-      http-equiv="Content-Security-Policy"
-      content="font-src 'self' data:; connect-src ws: wss: 'self' https:; default-src ws: wss: 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; manifest-src 'self'; img-src 'self' data: https:;"
-    />
+    <meta charset="utf-8" />
 
     <!-- Disable pinch zooming -->
     <meta
@@ -24,21 +24,17 @@
     <meta id="vscode-remote-nls-configuration" data-settings="{{NLS_CONFIGURATION}}" />
 
     <!-- Workbench Icon/Manifest/CSS -->
-    <link rel="icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/favicon.ico" type="image/x-icon" />
-    <link
-      rel="manifest"
-      href="{{BASE}}/static/{{COMMIT}}/src/browser/media/manifest.json"
-      crossorigin="use-credentials"
-    />
+    <link rel="icon" href="{{CS_STATIC_BASE}}/src/browser/media/favicon.ico" type="image/x-icon" />
+    <link rel="manifest" href="{{CS_STATIC_BASE}}/src/browser/media/manifest.json" crossorigin="use-credentials" />
     <!-- PROD_ONLY
-    <link data-name="vs/workbench/workbench.web.api" rel="stylesheet" href="{{BASE}}/static/{{COMMIT}}/lib/vscode/out/vs/workbench/workbench.web.api.css">
+    <link data-name="vs/workbench/workbench.web.api" rel="stylesheet" href="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.css">
     END_PROD_ONLY -->
-    <link rel="apple-touch-icon" href="{{BASE}}/static/{{COMMIT}}/src/browser/media/pwa-icon-384.png" />
+    <link rel="apple-touch-icon" href="{{CS_STATIC_BASE}}/src/browser/media/pwa-icon-384.png" />
     <meta name="apple-mobile-web-app-capable" content="yes" />
 
     <!-- Prefetch to avoid waterfall -->
     <!-- PROD_ONLY
-    <link rel="prefetch" href="{{BASE}}/static/{{COMMIT}}/lib/vscode/node_modules/semver-umd/lib/semver-umd.js">
+    <link rel="prefetch" href="{{CS_STATIC_BASE}}/lib/vscode/node_modules/semver-umd/lib/semver-umd.js">
     END_PROD_ONLY -->
 
     <meta id="coder-options" data-settings="{{OPTIONS}}" />
@@ -47,64 +43,17 @@
   <body aria-label=""></body>
 
   <!-- Startup (do not modify order of script tags!) -->
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/pages/vscode.js"></script>
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/dist/register.js"></script>
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/loader.js"></script>
   <script>
-    const parts = window.location.pathname.replace(/^\//g, "").split("/")
-    parts[parts.length - 1] = "{{BASE}}"
-    const url = new URL(window.location.origin + "/" + parts.join("/"))
-    const staticBase = url.href.replace(/\/+$/, "") + "/static/{{COMMIT}}/lib/vscode"
-    let nlsConfig
-    try {
-      nlsConfig = JSON.parse(document.getElementById("vscode-remote-nls-configuration").getAttribute("data-settings"))
-      if (nlsConfig._resolvedLanguagePackCoreLocation) {
-        const bundles = Object.create(null)
-        nlsConfig.loadBundle = (bundle, language, cb) => {
-          let result = bundles[bundle]
-          if (result) {
-            return cb(undefined, result)
-          }
-          // FIXME: Only works if path separators are /.
-          const path = nlsConfig._resolvedLanguagePackCoreLocation + "/" + bundle.replace(/\//g, "!") + ".nls.json"
-          fetch(`${url.href}/resource/?path=${encodeURIComponent(path)}`)
-            .then((response) => response.json())
-            .then((json) => {
-              bundles[bundle] = json
-              cb(undefined, json)
-            })
-            .catch(cb)
-        }
-      }
-    } catch (error) {
-      /* Probably fine. */
-    }
-    self.require = {
-      baseUrl: `${staticBase}/out`,
-      paths: {
-        "vscode-textmate": `${staticBase}/node_modules/vscode-textmate/release/main`,
-        "vscode-oniguruma": `${staticBase}/node_modules/vscode-oniguruma/release/main`,
-        xterm: `${staticBase}/node_modules/xterm/lib/xterm.js`,
-        "xterm-addon-search": `${staticBase}/node_modules/xterm-addon-search/lib/xterm-addon-search.js`,
-        "xterm-addon-unicode11": `${staticBase}/node_modules/xterm-addon-unicode11/lib/xterm-addon-unicode11.js`,
-        "xterm-addon-web-links": `${staticBase}/node_modules/xterm-addon-web-links/lib/xterm-addon-web-links.js`,
-        "xterm-addon-webgl": `${staticBase}/node_modules/xterm-addon-webgl/lib/xterm-addon-webgl.js`,
-        "semver-umd": `${staticBase}/node_modules/semver-umd/lib/semver-umd.js`,
-      },
-      "vs/nls": nlsConfig,
-    }
+    globalThis.MonacoPerformanceMarks.push("willLoadWorkbenchMain", Date.now())
   </script>
-  <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/dist/register.js"></script>
-  <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/lib/vscode/out/vs/loader.js"></script>
   <!-- PROD_ONLY
-  <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/lib/vscode/out/vs/workbench/workbench.web.api.nls.js"></script>
-  <script data-cfasync="false" src="{{BASE}}/static/{{COMMIT}}/lib/vscode/out/vs/workbench/workbench.web.api.js"></script>
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.nls.js"></script>
+  <script data-cfasync="false" src="{{CS_STATIC_BASE}}/lib/vscode/out/vs/workbench/workbench.web.api.js"></script>
   END_PROD_ONLY -->
   <script>
     require(["vs/code/browser/workbench/workbench"], function () {})
   </script>
-  <script>
-    try {
-      document.body.style.background = JSON.parse(localStorage.getItem("colorThemeData")).colorMap["editor.background"]
-    } catch (error) {
-      // Oh well.
-    }
-  </script>
 </html>

src/browser/pages/vscode.ts

@@ -0,0 +1,56 @@
+import { getOptions } from "../../common/util"
+
+const options = getOptions()
+
+// TODO: Add proper types.
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+let nlsConfig: any
+try {
+  nlsConfig = JSON.parse(document.getElementById("vscode-remote-nls-configuration")!.getAttribute("data-settings")!)
+  if (nlsConfig._resolvedLanguagePackCoreLocation) {
+    const bundles = Object.create(null)
+    nlsConfig.loadBundle = (bundle: any, _language: any, cb: any): void => {
+      const result = bundles[bundle]
+      if (result) {
+        return cb(undefined, result)
+      }
+      // FIXME: Only works if path separators are /.
+      const path = nlsConfig._resolvedLanguagePackCoreLocation + "/" + bundle.replace(/\//g, "!") + ".nls.json"
+      fetch(`${options.base}/vscode/resource/?path=${encodeURIComponent(path)}`)
+        .then((response) => response.json())
+        .then((json) => {
+          bundles[bundle] = json
+          cb(undefined, json)
+        })
+        .catch(cb)
+    }
+  }
+} catch (error) {
+  /* Probably fine. */
+}
+
+;(self.require as any) = {
+  // Without the full URL VS Code will try to load file://.
+  baseUrl: `${window.location.origin}${options.csStaticBase}/lib/vscode/out`,
+  recordStats: true,
+  paths: {
+    "vscode-textmate": `../node_modules/vscode-textmate/release/main`,
+    "vscode-oniguruma": `../node_modules/vscode-oniguruma/release/main`,
+    xterm: `../node_modules/xterm/lib/xterm.js`,
+    "xterm-addon-search": `../node_modules/xterm-addon-search/lib/xterm-addon-search.js`,
+    "xterm-addon-unicode11": `../node_modules/xterm-addon-unicode11/lib/xterm-addon-unicode11.js`,
+    "xterm-addon-webgl": `../node_modules/xterm-addon-webgl/lib/xterm-addon-webgl.js`,
+    "semver-umd": `../node_modules/semver-umd/lib/semver-umd.js`,
+    "tas-client-umd": `../node_modules/tas-client-umd/lib/tas-client-umd.js`,
+    "iconv-lite-umd": `../node_modules/iconv-lite-umd/lib/iconv-lite-umd.js`,
+    jschardet: `../node_modules/jschardet/dist/jschardet.min.js`,
+  },
+  "vs/nls": nlsConfig,
+}
+
+try {
+  document.body.style.background = JSON.parse(localStorage.getItem("colorThemeData")!).colorMap["editor.background"]
+} catch (error) {
+  // Oh well.
+}

src/browser/register.ts

@@ -2,13 +2,17 @@ import { getOptions, normalize } from "../common/util"
 
 const options = getOptions()
 
+import "./pages/error.css"
+import "./pages/global.css"
+import "./pages/login.css"
+
 if ("serviceWorker" in navigator) {
-  const path = normalize(`${options.base}/static/${options.commit}/dist/serviceWorker.js`)
+  const path = normalize(`${options.csStaticBase}/dist/serviceWorker.js`)
   navigator.serviceWorker
     .register(path, {
-      scope: options.base || "/",
+      scope: (options.base ?? "") + "/",
     })
-    .then(function () {
+    .then(() => {
       console.log("[Service Worker] registered")
     })
 }

src/browser/robots.txt

@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /

src/browser/serviceWorker.ts

@@ -8,17 +8,6 @@ self.addEventListener("activate", (event: any) => {
   event.waitUntil((self as any).clients.claim())
 })
 
-self.addEventListener("fetch", (event: any) => {
-  if (!navigator.onLine) {
-    event.respondWith(
-      new Promise((resolve) => {
-        resolve(
-          new Response("OFFLINE", {
-            status: 200,
-            statusText: "OK",
-          }),
-        )
-      }),
-    )
-  }
+self.addEventListener("fetch", () => {
+  // Without this event handler we won't be recognized as a PWA.
 })

src/common/api.ts

@@ -1,60 +0,0 @@
-export interface Application {
-  readonly categories?: string[]
-  readonly comment?: string
-  readonly directory?: string
-  readonly exec?: string
-  readonly genericName?: string
-  readonly icon?: string
-  readonly installed?: boolean
-  readonly name: string
-  /**
-   * Path if this is a browser app (like VS Code).
-   */
-  readonly path?: string
-  /**
-   * PID if this is a process.
-   */
-  readonly pid?: number
-  readonly version?: string
-}
-
-export interface ApplicationsResponse {
-  readonly applications: ReadonlyArray<Application>
-}
-
-export enum SessionError {
-  FailedToStart = 4000,
-  Starting = 4001,
-  InvalidState = 4002,
-  Unknown = 4003,
-}
-
-export interface SessionResponse {
-  /**
-   * Whether the process was spawned or an existing one was returned.
-   */
-  created: boolean
-  pid: number
-}
-
-export interface RecentResponse {
-  readonly paths: string[]
-  readonly workspaces: string[]
-}
-
-export interface HealthRequest {
-  readonly event: "health"
-}
-
-export type ClientMessage = HealthRequest
-
-export interface HealthResponse {
-  readonly event: "health"
-  readonly connections: number
-}
-
-export type ServerMessage = HealthResponse
-
-export interface ReadyMessage {
-  protocol: string
-}

src/common/emitter.ts

@@ -1,19 +1,27 @@
+import { logger } from "@coder/logger"
+
+/**
+ * Event emitter callback. Called with the emitted value and a promise that
+ * resolves when all emitters have finished.
+ */
+export type Callback<T, R = void | Promise<void>> = (t: T, p: Promise<void>) => R
+
 export interface Disposable {
   dispose(): void
 }
 
 export interface Event<T> {
-  (listener: (value: T) => void): Disposable
+  (listener: Callback<T>): Disposable
 }
 
 /**
  * Emitter typecasts for a single event type.
  */
 export class Emitter<T> {
-  private listeners: Array<(value: T) => void> = []
+  private listeners: Array<Callback<T>> = []
 
   public get event(): Event<T> {
-    return (cb: (value: T) => void): Disposable => {
+    return (cb: Callback<T>): Disposable => {
       this.listeners.push(cb)
 
       return {
@@ -30,8 +38,21 @@ export class Emitter<T> {
   /**
    * Emit an event with a value.
    */
-  public emit(value: T): void {
-    this.listeners.forEach((cb) => cb(value))
+  public async emit(value: T): Promise<void> {
+    let resolve: () => void
+    const promise = new Promise<void>((r) => (resolve = r))
+
+    await Promise.all(
+      this.listeners.map(async (cb) => {
+        try {
+          await cb(value, promise)
+        } catch (error) {
+          logger.error(error.message)
+        }
+      }),
+    )
+
+    resolve!()
   }
 
   public dispose(): void {

src/common/http.ts

@@ -8,17 +8,13 @@ export enum HttpCode {
   ServerError = 500,
 }
 
+/**
+ * Represents an error with a message and an HTTP status code. This code will be
+ * used in the HTTP response.
+ */
 export class HttpError extends Error {
-  public constructor(message: string, public readonly code: number) {
+  public constructor(message: string, public readonly status: HttpCode, public readonly details?: object) {
     super(message)
     this.name = this.constructor.name
   }
 }
-
-export enum ApiEndpoint {
-  applications = "/applications",
-  process = "/process",
-  recent = "/recent",
-  run = "/run",
-  status = "/status",
-}

src/common/util.ts

@@ -2,9 +2,8 @@ import { logger, field } from "@coder/logger"
 
 export interface Options {
   base: string
-  commit: string
+  csStaticBase: string
   logLevel: number
-  pid?: number
 }
 
 /**
@@ -16,7 +15,11 @@ export const split = (str: string, delimiter: string): [string, string] => {
   return index !== -1 ? [str.substring(0, index).trim(), str.substring(index + 1)] : [str, ""]
 }
 
-export const plural = (count: number): string => (count === 1 ? "" : "s")
+/**
+ * Appends an 's' to the provided string if count is greater than one;
+ * otherwise the string is returned
+ */
+export const plural = (count: number, str: string): string => (count === 1 ? str : `${str}s`)
 
 export const generateUuid = (length = 24): string => {
   const possible = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
@@ -33,21 +36,35 @@ export const normalize = (url: string, keepTrailing = false): string => {
   return url.replace(/\/\/+/g, "/").replace(/\/+$/, keepTrailing ? "/" : "")
 }
 
+/**
+ * Remove leading and trailing slashes.
+ */
+export const trimSlashes = (url: string): string => {
+  return url.replace(/^\/+|\/+$/g, "")
+}
+
+/**
+ * Resolve a relative base against the window location. This is used for
+ * anything that doesn't work with a relative path.
+ */
+export const resolveBase = (base?: string): string => {
+  // After resolving the base will either start with / or be an empty string.
+  if (!base || base.startsWith("/")) {
+    return base ?? ""
+  }
+  const parts = location.pathname.split("/")
+  parts[parts.length - 1] = base
+  const url = new URL(location.origin + "/" + parts.join("/"))
+  return normalize(url.pathname)
+}
+
 /**
  * Get options embedded in the HTML or query params.
  */
 export const getOptions = <T extends Options>(): T => {
   let options: T
   try {
-    const el = document.getElementById("coder-options")
-    if (!el) {
-      throw new Error("no options element")
-    }
-    const value = el.getAttribute("data-settings")
-    if (!value) {
-      throw new Error("no options value")
-    }
-    options = JSON.parse(value)
+    options = JSON.parse(document.getElementById("coder-options")!.getAttribute("data-settings")!)
   } catch (error) {
     options = {} as T
   }
@@ -61,17 +78,26 @@ export const getOptions = <T extends Options>(): T => {
     }
   }
 
-  if (typeof options.logLevel !== "undefined") {
-    logger.level = options.logLevel
-  }
-  if (options.base) {
-    const parts = location.pathname.replace(/^\//g, "").split("/")
-    parts[parts.length - 1] = options.base
-    const url = new URL(location.origin + "/" + parts.join("/"))
-    options.base = normalize(url.pathname, true)
-  }
+  logger.level = options.logLevel
+
+  options.base = resolveBase(options.base)
+  options.csStaticBase = resolveBase(options.csStaticBase)
 
   logger.debug("got options", field("options", options))
 
   return options
 }
+
+/**
+ * Wrap the value in an array if it's not already an array. If the value is
+ * undefined return an empty array.
+ */
+export const arrayify = <T>(value?: T | T[]): T[] => {
+  if (Array.isArray(value)) {
+    return value
+  }
+  if (typeof value === "undefined") {
+    return []
+  }
+  return [value]
+}

src/node/app.ts

@@ -0,0 +1,61 @@
+import { logger } from "@coder/logger"
+import express, { Express } from "express"
+import { promises as fs } from "fs"
+import http from "http"
+import * as httpolyglot from "httpolyglot"
+import { DefaultedArgs } from "./cli"
+import { handleUpgrade } from "./wsRouter"
+
+/**
+ * Create an Express app and an HTTP/S server to serve it.
+ */
+export const createApp = async (args: DefaultedArgs): Promise<[Express, Express, http.Server]> => {
+  const app = express()
+
+  const server = args.cert
+    ? httpolyglot.createServer(
+        {
+          cert: args.cert && (await fs.readFile(args.cert.value)),
+          key: args["cert-key"] && (await fs.readFile(args["cert-key"])),
+        },
+        app,
+      )
+    : http.createServer(app)
+
+  await new Promise<http.Server>(async (resolve, reject) => {
+    server.on("error", reject)
+    if (args.socket) {
+      try {
+        await fs.unlink(args.socket)
+      } catch (error) {
+        if (error.code !== "ENOENT") {
+          logger.error(error.message)
+        }
+      }
+      server.listen(args.socket, resolve)
+    } else {
+      // [] is the correct format when using :: but Node errors with them.
+      server.listen(args.port, args.host.replace(/^\[|\]$/g, ""), resolve)
+    }
+  })
+
+  const wsApp = express()
+  handleUpgrade(wsApp, server)
+
+  return [app, wsApp, server]
+}
+
+/**
+ * Get the address of a server as a string (protocol *is* included) while
+ * ensuring there is one (will throw if there isn't).
+ */
+export const ensureAddress = (server: http.Server): string => {
+  const addr = server.address()
+  if (!addr) {
+    throw new Error("server has no address")
+  }
+  if (typeof addr !== "string") {
+    return `http://${addr.address}:${addr.port}`
+  }
+  return addr
+}

src/node/app/api.ts

@@ -1,312 +0,0 @@
-import { field, logger } from "@coder/logger"
-import * as cp from "child_process"
-import * as fs from "fs-extra"
-import * as http from "http"
-import * as net from "net"
-import * as path from "path"
-import * as url from "url"
-import * as WebSocket from "ws"
-import {
-  Application,
-  ApplicationsResponse,
-  ClientMessage,
-  RecentResponse,
-  ServerMessage,
-  SessionError,
-  SessionResponse,
-} from "../../common/api"
-import { ApiEndpoint, HttpCode, HttpError } from "../../common/http"
-import { HttpProvider, HttpProviderOptions, HttpResponse, HttpServer, Route } from "../http"
-import { findApplications, findWhitelistedApplications, Vscode } from "./bin"
-import { VscodeHttpProvider } from "./vscode"
-
-interface VsRecents {
-  [key: string]: (string | { configURIPath: string })[]
-}
-
-type VsSettings = [string, string][]
-
-/**
- * API HTTP provider.
- */
-export class ApiHttpProvider extends HttpProvider {
-  private readonly ws = new WebSocket.Server({ noServer: true })
-
-  public constructor(
-    options: HttpProviderOptions,
-    private readonly server: HttpServer,
-    private readonly vscode: VscodeHttpProvider,
-    private readonly dataDir?: string,
-  ) {
-    super(options)
-  }
-
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    this.ensureAuthenticated(request)
-    if (!this.isRoot(route)) {
-      throw new HttpError("Not found", HttpCode.NotFound)
-    }
-
-    switch (route.base) {
-      case ApiEndpoint.applications:
-        this.ensureMethod(request)
-        return {
-          mime: "application/json",
-          content: {
-            applications: await this.applications(),
-          },
-        } as HttpResponse<ApplicationsResponse>
-      case ApiEndpoint.process:
-        return this.process(request)
-      case ApiEndpoint.recent:
-        this.ensureMethod(request)
-        return {
-          mime: "application/json",
-          content: await this.recent(),
-        } as HttpResponse<RecentResponse>
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  public async handleWebSocket(
-    route: Route,
-    request: http.IncomingMessage,
-    socket: net.Socket,
-    head: Buffer,
-  ): Promise<void> {
-    if (!this.authenticated(request)) {
-      throw new Error("not authenticated")
-    }
-    switch (route.base) {
-      case ApiEndpoint.status:
-        return this.handleStatusSocket(request, socket, head)
-      case ApiEndpoint.run:
-        return this.handleRunSocket(route, request, socket, head)
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  private async handleStatusSocket(request: http.IncomingMessage, socket: net.Socket, head: Buffer): Promise<void> {
-    const getMessageResponse = async (event: "health"): Promise<ServerMessage> => {
-      switch (event) {
-        case "health":
-          return { event, connections: await this.server.getConnections() }
-        default:
-          throw new Error("unexpected message")
-      }
-    }
-
-    await new Promise<WebSocket>((resolve) => {
-      this.ws.handleUpgrade(request, socket, head, (ws) => {
-        const send = (event: ServerMessage): void => {
-          ws.send(JSON.stringify(event))
-        }
-        ws.on("message", (data) => {
-          logger.trace("got message", field("message", data))
-          try {
-            const message: ClientMessage = JSON.parse(data.toString())
-            getMessageResponse(message.event).then(send)
-          } catch (error) {
-            logger.error(error.message, field("message", data))
-          }
-        })
-        resolve()
-      })
-    })
-  }
-
-  /**
-   * A socket that connects to the process.
-   */
-  private async handleRunSocket(
-    _route: Route,
-    request: http.IncomingMessage,
-    socket: net.Socket,
-    head: Buffer,
-  ): Promise<void> {
-    logger.debug("connecting to process")
-    const ws = await new Promise<WebSocket>((resolve, reject) => {
-      this.ws.handleUpgrade(request, socket, head, (socket) => {
-        socket.binaryType = "arraybuffer"
-
-        socket.on("error", (error) => {
-          socket.close(SessionError.FailedToStart)
-          logger.error("got error while connecting socket", field("error", error))
-          reject(error)
-        })
-
-        resolve(socket as WebSocket)
-      })
-    })
-
-    logger.debug("connected to process")
-
-    // Send ready message.
-    ws.send(
-      Buffer.from(
-        JSON.stringify({
-          protocol: "TODO",
-        }),
-      ),
-    )
-  }
-
-  /**
-   * Return whitelisted applications.
-   */
-  public async applications(): Promise<ReadonlyArray<Application>> {
-    return findWhitelistedApplications()
-  }
-
-  /**
-   * Return installed applications.
-   */
-  public async installedApplications(): Promise<ReadonlyArray<Application>> {
-    return findApplications()
-  }
-
-  /**
-   * Handle /process endpoint.
-   */
-  private async process(request: http.IncomingMessage): Promise<HttpResponse> {
-    this.ensureMethod(request, ["DELETE", "POST"])
-
-    const data = await this.getData(request)
-    if (!data) {
-      throw new HttpError("No data was provided", HttpCode.BadRequest)
-    }
-
-    const parsed: Application = JSON.parse(data)
-
-    switch (request.method) {
-      case "DELETE":
-        if (parsed.pid) {
-          await this.killProcess(parsed.pid)
-        } else if (parsed.path) {
-          await this.killProcess(parsed.path)
-        } else {
-          throw new Error("No pid or path was provided")
-        }
-        return {
-          mime: "application/json",
-          code: HttpCode.Ok,
-        }
-      case "POST": {
-        if (!parsed.exec) {
-          throw new Error("No exec was provided")
-        }
-        return {
-          mime: "application/json",
-          content: {
-            created: true,
-            pid: await this.spawnProcess(parsed.exec),
-          },
-        } as HttpResponse<SessionResponse>
-      }
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  /**
-   * Kill a process identified by pid or path if a web app.
-   */
-  public async killProcess(pid: number | string): Promise<void> {
-    if (typeof pid === "string") {
-      switch (pid) {
-        case Vscode.path:
-          await this.vscode.dispose()
-          break
-        default:
-          throw new Error(`Process "${pid}" does not exist`)
-      }
-    } else {
-      process.kill(pid)
-    }
-  }
-
-  /**
-   * Spawn a process and return the pid.
-   */
-  public async spawnProcess(exec: string): Promise<number> {
-    const proc = cp.spawn(exec, {
-      shell: process.env.SHELL || true,
-      env: {
-        ...process.env,
-      },
-    })
-
-    proc.on("error", (error) => logger.error("process errored", field("pid", proc.pid), field("error", error)))
-    proc.on("exit", () => logger.debug("process exited", field("pid", proc.pid)))
-
-    logger.debug("started process", field("pid", proc.pid))
-
-    return proc.pid
-  }
-
-  /**
-   * Return VS Code's recent paths.
-   */
-  public async recent(): Promise<RecentResponse> {
-    try {
-      if (!this.dataDir) {
-        throw new Error("data directory is not set")
-      }
-
-      const state: VsSettings = JSON.parse(await fs.readFile(path.join(this.dataDir, "User/state/global.json"), "utf8"))
-      const setting = Array.isArray(state) && state.find((item) => item[0] === "recently.opened")
-      if (!setting) {
-        return { paths: [], workspaces: [] }
-      }
-
-      const pathPromises: { [key: string]: Promise<string> } = {}
-      const workspacePromises: { [key: string]: Promise<string> } = {}
-      Object.values(JSON.parse(setting[1]) as VsRecents).forEach((recents) => {
-        recents.forEach((recent) => {
-          try {
-            const target = typeof recent === "string" ? pathPromises : workspacePromises
-            const pathname = url.parse(typeof recent === "string" ? recent : recent.configURIPath).pathname
-            if (pathname && !target[pathname]) {
-              target[pathname] = new Promise<string>((resolve) => {
-                fs.stat(pathname)
-                  .then(() => resolve(pathname))
-                  .catch(() => resolve())
-              })
-            }
-          } catch (error) {
-            logger.debug("invalid path", field("path", recent))
-          }
-        })
-      })
-
-      const [paths, workspaces] = await Promise.all([
-        Promise.all(Object.values(pathPromises)),
-        Promise.all(Object.values(workspacePromises)),
-      ])
-
-      return {
-        paths: paths.filter((p) => !!p),
-        workspaces: workspaces.filter((p) => !!p),
-      }
-    } catch (error) {
-      if (error.code !== "ENOENT") {
-        throw error
-      }
-    }
-
-    return { paths: [], workspaces: [] }
-  }
-
-  /**
-   * For these, just return the error message since they'll be requested as
-   * JSON.
-   */
-  public async getErrorRoot(_route: Route, _title: string, _header: string, error: string): Promise<HttpResponse> {
-    return {
-      mime: "application/json",
-      content: JSON.stringify({ error }),
-    }
-  }
-}

src/node/app/bin.ts

@@ -1,30 +0,0 @@
-import * as fs from "fs"
-import * as path from "path"
-import { Application } from "../../common/api"
-
-const getVscodeVersion = (): string => {
-  try {
-    return require(path.resolve(__dirname, "../../../lib/vscode/package.json")).version
-  } catch (error) {
-    return "unknown"
-  }
-}
-
-export const Vscode: Application = {
-  categories: ["Editor"],
-  icon: fs.readFileSync(path.resolve(__dirname, "../../../lib/vscode/resources/linux/code.png")).toString("base64"),
-  installed: true,
-  name: "VS Code",
-  path: "/",
-  version: getVscodeVersion(),
-}
-
-export const findApplications = async (): Promise<ReadonlyArray<Application>> => {
-  const apps: Application[] = [Vscode]
-
-  return apps.sort((a, b): number => a.name.localeCompare(b.name))
-}
-
-export const findWhitelistedApplications = async (): Promise<ReadonlyArray<Application>> => {
-  return [Vscode]
-}

src/node/app/dashboard.ts

@@ -1,147 +0,0 @@
-import * as http from "http"
-import * as querystring from "querystring"
-import { Application } from "../../common/api"
-import { HttpCode, HttpError } from "../../common/http"
-import { normalize } from "../../common/util"
-import { HttpProvider, HttpProviderOptions, HttpResponse, Route } from "../http"
-import { ApiHttpProvider } from "./api"
-import { UpdateHttpProvider } from "./update"
-
-/**
- * Dashboard HTTP provider.
- */
-export class DashboardHttpProvider extends HttpProvider {
-  public constructor(
-    options: HttpProviderOptions,
-    private readonly api: ApiHttpProvider,
-    private readonly update: UpdateHttpProvider,
-  ) {
-    super(options)
-  }
-
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    if (!this.isRoot(route)) {
-      throw new HttpError("Not found", HttpCode.NotFound)
-    }
-
-    switch (route.base) {
-      case "/spawn": {
-        this.ensureAuthenticated(request)
-        this.ensureMethod(request, "POST")
-        const data = await this.getData(request)
-        const app = data ? querystring.parse(data) : {}
-        if (app.path) {
-          return { redirect: Array.isArray(app.path) ? app.path[0] : app.path }
-        }
-        if (!app.exec) {
-          throw new Error("No exec was provided")
-        }
-        this.api.spawnProcess(Array.isArray(app.exec) ? app.exec[0] : app.exec)
-        return { redirect: this.options.base }
-      }
-      case "/app":
-      case "/": {
-        this.ensureMethod(request)
-        if (!this.authenticated(request)) {
-          return { redirect: "/login", query: { to: this.options.base } }
-        }
-        return route.base === "/" ? this.getRoot(route) : this.getAppRoot(route)
-      }
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  public async getRoot(route: Route): Promise<HttpResponse> {
-    const base = this.base(route)
-    const apps = await this.api.installedApplications()
-    const response = await this.getUtf8Resource(this.rootPath, "src/browser/pages/home.html")
-    response.content = response.content
-      .replace(/{{UPDATE:NAME}}/, await this.getUpdate(base))
-      .replace(
-        /{{APP_LIST:EDITORS}}/,
-        this.getAppRows(
-          base,
-          apps.filter((app) => app.categories && app.categories.includes("Editor")),
-        ),
-      )
-      .replace(
-        /{{APP_LIST:OTHER}}/,
-        this.getAppRows(
-          base,
-          apps.filter((app) => !app.categories || !app.categories.includes("Editor")),
-        ),
-      )
-    return this.replaceTemplates(route, response)
-  }
-
-  public async getAppRoot(route: Route): Promise<HttpResponse> {
-    const response = await this.getUtf8Resource(this.rootPath, "src/browser/pages/app.html")
-    return this.replaceTemplates(route, response)
-  }
-
-  private getAppRows(base: string, apps: ReadonlyArray<Application>): string {
-    return apps.length > 0
-      ? apps.map((app) => this.getAppRow(base, app)).join("\n")
-      : `<div class="none">No applications found.</div>`
-  }
-
-  private getAppRow(base: string, app: Application): string {
-    return `<form class="block-row${app.exec ? " -x11" : ""}" method="post" action="${normalize(
-      `${base}${this.options.base}/spawn`,
-    )}">
-      <button class="item -row -link">
-        <input type="hidden" name="path" value="${app.path || ""}">
-        <input type="hidden" name="exec" value="${app.exec || ""}">
-        ${
-          app.icon
-            ? `<img class="icon" src="data:image/png;base64,${app.icon}"></img>`
-            : `<span class="icon -missing"></span>`
-        }
-        <span class="name">${app.name}</span>
-      </button>
-    </form>`
-  }
-
-  private async getUpdate(base: string): Promise<string> {
-    if (!this.update.enabled) {
-      return `<div class="block-row"><div class="item"><div class="sub">Updates are disabled</div></div></div>`
-    }
-
-    const humanize = (time: number): string => {
-      const d = new Date(time)
-      const pad = (t: number): string => (t < 10 ? "0" : "") + t
-      return (
-        `${d.getFullYear()}-${pad(d.getMonth() + 1)}-${pad(d.getDate())}` +
-        ` ${pad(d.getHours())}:${pad(d.getMinutes())}`
-      )
-    }
-
-    const update = await this.update.getUpdate()
-    if (this.update.isLatestVersion(update)) {
-      return `<div class="block-row">
-        <div class="item">
-          Latest: ${update.version}
-          <div class="sub">Up to date</div>
-        </div>
-        <div class="item">
-          ${humanize(update.checked)}
-          <a class="sub -link" href="${base}/update/check?to=${this.options.base}">Check now</a>
-        </div>
-        <div class="item" >Current: ${this.update.currentVersion}</div>
-      </div>`
-    }
-
-    return `<div class="block-row">
-      <div class="item">
-        Latest: ${update.version}
-        <div class="sub">Out of date</div>
-      </div>
-      <div class="item">
-        ${humanize(update.checked)}
-        <a class="sub -link" href="${base}/update?to=${this.options.base}">Update now</a>
-      </div>
-      <div class="item" >Current: ${this.update.currentVersion}</div>
-    </div>`
-  }
-}

src/node/app/login.ts

@@ -1,144 +0,0 @@
-import * as http from "http"
-import * as limiter from "limiter"
-import * as querystring from "querystring"
-import { HttpCode, HttpError } from "../../common/http"
-import { AuthType, HttpProvider, HttpProviderOptions, HttpResponse, Route } from "../http"
-import { hash, humanPath } from "../util"
-
-interface LoginPayload {
-  password?: string
-  /**
-   * Since we must set a cookie with an absolute path, we need to know the full
-   * base path.
-   */
-  base?: string
-}
-
-/**
- * Login HTTP provider.
- */
-export class LoginHttpProvider extends HttpProvider {
-  public constructor(
-    options: HttpProviderOptions,
-    private readonly configFile: string,
-    private readonly envPassword: boolean,
-  ) {
-    super(options)
-  }
-
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    if (this.options.auth !== AuthType.Password || !this.isRoot(route)) {
-      throw new HttpError("Not found", HttpCode.NotFound)
-    }
-    switch (route.base) {
-      case "/":
-        switch (request.method) {
-          case "POST":
-            this.ensureMethod(request, ["GET", "POST"])
-            return this.tryLogin(route, request)
-          default:
-            this.ensureMethod(request)
-            if (this.authenticated(request)) {
-              return {
-                redirect: (Array.isArray(route.query.to) ? route.query.to[0] : route.query.to) || "/",
-                query: { to: undefined },
-              }
-            }
-            return this.getRoot(route)
-        }
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  public async getRoot(route: Route, error?: Error): Promise<HttpResponse> {
-    const response = await this.getUtf8Resource(this.rootPath, "src/browser/pages/login.html")
-    response.content = response.content.replace(/{{ERROR}}/, error ? `<div class="error">${error.message}</div>` : "")
-    let passwordMsg = `Check the config file at ${humanPath(this.configFile)} for the password.`
-    if (this.envPassword) {
-      passwordMsg = "Password was set from $PASSWORD."
-    }
-    response.content = response.content.replace(/{{PASSWORD_MSG}}/g, passwordMsg)
-    return this.replaceTemplates(route, response)
-  }
-
-  private readonly limiter = new RateLimiter()
-
-  /**
-   * Try logging in. On failure, show the login page with an error.
-   */
-  private async tryLogin(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    // Already authenticated via cookies?
-    const providedPassword = this.authenticated(request)
-    if (providedPassword) {
-      return { code: HttpCode.Ok }
-    }
-
-    try {
-      if (!this.limiter.try()) {
-        throw new Error("Login rate limited!")
-      }
-
-      const data = await this.getData(request)
-      const payload = data ? querystring.parse(data) : {}
-      return await this.login(payload, route, request)
-    } catch (error) {
-      return this.getRoot(route, error)
-    }
-  }
-
-  /**
-   * Return a cookie if the user is authenticated otherwise throw an error.
-   */
-  private async login(payload: LoginPayload, route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    const password = this.authenticated(request, {
-      key: typeof payload.password === "string" ? [hash(payload.password)] : undefined,
-    })
-
-    if (password) {
-      return {
-        redirect: (Array.isArray(route.query.to) ? route.query.to[0] : route.query.to) || "/",
-        query: { to: undefined },
-        cookie:
-          typeof password === "string"
-            ? {
-                key: "key",
-                value: password,
-                path: payload.base,
-              }
-            : undefined,
-      }
-    }
-
-    // Only log if it was an actual login attempt.
-    if (payload && payload.password) {
-      console.error(
-        "Failed login attempt",
-        JSON.stringify({
-          xForwardedFor: request.headers["x-forwarded-for"],
-          remoteAddress: request.connection.remoteAddress,
-          userAgent: request.headers["user-agent"],
-          timestamp: Math.floor(new Date().getTime() / 1000),
-        }),
-      )
-
-      throw new Error("Incorrect password")
-    }
-
-    throw new Error("Missing password")
-  }
-}
-
-// RateLimiter wraps around the limiter library for logins.
-// It allows 2 logins every minute and 12 logins every hour.
-class RateLimiter {
-  private readonly minuteLimiter = new limiter.RateLimiter(2, "minute")
-  private readonly hourLimiter = new limiter.RateLimiter(12, "hour")
-
-  public try(): boolean {
-    if (this.minuteLimiter.tryRemoveTokens(1)) {
-      return true
-    }
-    return this.hourLimiter.tryRemoveTokens(1)
-  }
-}

src/node/app/proxy.ts

@@ -1,43 +0,0 @@
-import * as http from "http"
-import { HttpCode, HttpError } from "../../common/http"
-import { HttpProvider, HttpResponse, Route, WsResponse } from "../http"
-
-/**
- * Proxy HTTP provider.
- */
-export class ProxyHttpProvider extends HttpProvider {
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    if (!this.authenticated(request)) {
-      if (this.isRoot(route)) {
-        return { redirect: "/login", query: { to: route.fullPath } }
-      }
-      throw new HttpError("Unauthorized", HttpCode.Unauthorized)
-    }
-
-    // Ensure there is a trailing slash so relative paths work correctly.
-    if (this.isRoot(route) && !route.fullPath.endsWith("/")) {
-      return {
-        redirect: `${route.fullPath}/`,
-      }
-    }
-
-    const port = route.base.replace(/^\//, "")
-    return {
-      proxy: {
-        base: `${this.options.base}/${port}`,
-        port,
-      },
-    }
-  }
-
-  public async handleWebSocket(route: Route, request: http.IncomingMessage): Promise<WsResponse> {
-    this.ensureAuthenticated(request)
-    const port = route.base.replace(/^\//, "")
-    return {
-      proxy: {
-        base: `${this.options.base}/${port}`,
-        port,
-      },
-    }
-  }
-}

src/node/app/static.ts

@@ -1,66 +0,0 @@
-import { field, logger } from "@coder/logger"
-import * as http from "http"
-import * as path from "path"
-import { Readable } from "stream"
-import * as tarFs from "tar-fs"
-import * as zlib from "zlib"
-import { HttpProvider, HttpResponse, Route } from "../http"
-import { pathToFsPath } from "../util"
-
-/**
- * Static file HTTP provider. Regular static requests (the path is the request
- * itself) do not require authentication and they only allow access to resources
- * within the application. Requests for tars (the path is in a query parameter)
- * do require permissions and can access any directory.
- */
-export class StaticHttpProvider extends HttpProvider {
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    this.ensureMethod(request)
-
-    if (typeof route.query.tar === "string") {
-      this.ensureAuthenticated(request)
-      return this.getTarredResource(request, pathToFsPath(route.query.tar))
-    }
-
-    const response = await this.getReplacedResource(route)
-    if (!this.isDev) {
-      response.cache = true
-    }
-    return response
-  }
-
-  /**
-   * Return a resource with variables replaced where necessary.
-   */
-  protected async getReplacedResource(route: Route): Promise<HttpResponse> {
-    // The first part is always the commit (for caching purposes).
-    const split = route.requestPath.split("/").slice(1)
-
-    switch (split[split.length - 1]) {
-      case "manifest.json": {
-        const response = await this.getUtf8Resource(this.rootPath, ...split)
-        return this.replaceTemplates(route, response)
-      }
-    }
-    return this.getResource(this.rootPath, ...split)
-  }
-
-  /**
-   * Tar up and stream a directory.
-   */
-  private async getTarredResource(request: http.IncomingMessage, ...parts: string[]): Promise<HttpResponse> {
-    const filePath = path.join(...parts)
-    let stream: Readable = tarFs.pack(filePath)
-    const headers: http.OutgoingHttpHeaders = {}
-    if (request.headers["accept-encoding"] && request.headers["accept-encoding"].includes("gzip")) {
-      logger.debug("gzipping tar", field("filePath", filePath))
-      const compress = zlib.createGzip()
-      stream.pipe(compress)
-      stream.on("error", (error) => compress.destroy(error))
-      stream.on("close", () => compress.end())
-      stream = compress
-      headers["content-encoding"] = "gzip"
-    }
-    return { stream, filePath, mime: "application/x-tar", cache: true, headers }
-  }
-}

src/node/app/update.ts

@@ -1,384 +0,0 @@
-import { field, logger } from "@coder/logger"
-import zip from "adm-zip"
-import * as cp from "child_process"
-import * as fs from "fs-extra"
-import * as http from "http"
-import * as https from "https"
-import * as os from "os"
-import * as path from "path"
-import * as semver from "semver"
-import { Readable, Writable } from "stream"
-import * as tar from "tar-fs"
-import * as url from "url"
-import * as util from "util"
-import * as zlib from "zlib"
-import { HttpCode, HttpError } from "../../common/http"
-import { HttpProvider, HttpProviderOptions, HttpResponse, Route } from "../http"
-import { settings as globalSettings, SettingsProvider, UpdateSettings } from "../settings"
-import { tmpdir } from "../util"
-import { ipcMain } from "../wrapper"
-
-export interface Update {
-  checked: number
-  version: string
-}
-
-export interface LatestResponse {
-  name: string
-}
-
-/**
- * Update HTTP provider.
- */
-export class UpdateHttpProvider extends HttpProvider {
-  private update?: Promise<Update>
-  private updateInterval = 1000 * 60 * 60 * 24 // Milliseconds between update checks.
-
-  public constructor(
-    options: HttpProviderOptions,
-    public readonly enabled: boolean,
-    /**
-     * The URL for getting the latest version of code-server. Should return JSON
-     * that fulfills `LatestResponse`.
-     */
-    private readonly latestUrl = "https://api.github.com/repos/cdr/code-server/releases/latest",
-    /**
-     * The URL for downloading a version of code-server. {{VERSION}} and
-     * {{RELEASE_NAME}} will be replaced (for example 2.1.0 and
-     * code-server-2.1.0-linux-x86_64.tar.gz).
-     */
-    private readonly downloadUrl = "https://github.com/cdr/code-server/releases/download/{{VERSION}}/{{RELEASE_NAME}}",
-    /**
-     * Update information will be stored here. If not provided, the global
-     * settings will be used.
-     */
-    private readonly settings: SettingsProvider<UpdateSettings> = globalSettings,
-  ) {
-    super(options)
-  }
-
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    this.ensureAuthenticated(request)
-    this.ensureMethod(request)
-
-    if (!this.isRoot(route)) {
-      throw new HttpError("Not found", HttpCode.NotFound)
-    }
-
-    switch (route.base) {
-      case "/check":
-        this.getUpdate(true)
-        if (route.query && route.query.to) {
-          return {
-            redirect: Array.isArray(route.query.to) ? route.query.to[0] : route.query.to,
-            query: { to: undefined },
-          }
-        }
-        return this.getRoot(route, request)
-      case "/apply":
-        return this.tryUpdate(route, request)
-      case "/":
-        return this.getRoot(route, request)
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  public async getRoot(
-    route: Route,
-    request: http.IncomingMessage,
-    errorOrUpdate?: Update | Error,
-  ): Promise<HttpResponse> {
-    if (request.headers["content-type"] === "application/json") {
-      if (!this.enabled) {
-        return {
-          content: {
-            isLatest: true,
-          },
-        }
-      }
-      const update = await this.getUpdate()
-      return {
-        content: {
-          ...update,
-          isLatest: this.isLatestVersion(update),
-        },
-      }
-    }
-    const response = await this.getUtf8Resource(this.rootPath, "src/browser/pages/update.html")
-    response.content = response.content
-      .replace(
-        /{{UPDATE_STATUS}}/,
-        errorOrUpdate && !(errorOrUpdate instanceof Error)
-          ? `Updated to ${errorOrUpdate.version}`
-          : await this.getUpdateHtml(),
-      )
-      .replace(/{{ERROR}}/, errorOrUpdate instanceof Error ? `<div class="error">${errorOrUpdate.message}</div>` : "")
-    return this.replaceTemplates(route, response)
-  }
-
-  /**
-   * Query for and return the latest update.
-   */
-  public async getUpdate(force?: boolean): Promise<Update> {
-    if (!this.enabled) {
-      throw new Error("updates are not enabled")
-    }
-
-    // Don't run multiple requests at a time.
-    if (!this.update) {
-      this.update = this._getUpdate(force)
-      this.update.then(() => (this.update = undefined))
-    }
-
-    return this.update
-  }
-
-  private async _getUpdate(force?: boolean): Promise<Update> {
-    const now = Date.now()
-    try {
-      let { update } = !force ? await this.settings.read() : { update: undefined }
-      if (!update || update.checked + this.updateInterval < now) {
-        const buffer = await this.request(this.latestUrl)
-        const data = JSON.parse(buffer.toString()) as LatestResponse
-        update = { checked: now, version: data.name }
-        await this.settings.write({ update })
-      }
-      logger.debug("got latest version", field("latest", update.version))
-      return update
-    } catch (error) {
-      logger.error("Failed to get latest version", field("error", error.message))
-      return {
-        checked: now,
-        version: "unknown",
-      }
-    }
-  }
-
-  public get currentVersion(): string {
-    return require(path.resolve(__dirname, "../../../package.json")).version
-  }
-
-  /**
-   * Return true if the currently installed version is the latest.
-   */
-  public isLatestVersion(latest: Update): boolean {
-    const version = this.currentVersion
-    logger.debug("comparing versions", field("current", version), field("latest", latest.version))
-    try {
-      return latest.version === version || semver.lt(latest.version, version)
-    } catch (error) {
-      return true
-    }
-  }
-
-  private async getUpdateHtml(): Promise<string> {
-    if (!this.enabled) {
-      return "Updates are disabled"
-    }
-
-    const update = await this.getUpdate()
-    if (this.isLatestVersion(update)) {
-      return "No update available"
-    }
-
-    return `<button type="submit" class="apply -button">Update to ${update.version}</button>`
-  }
-
-  public async tryUpdate(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    try {
-      const update = await this.getUpdate()
-      if (!this.isLatestVersion(update)) {
-        await this.downloadAndApplyUpdate(update)
-        return this.getRoot(route, request, update)
-      }
-      return this.getRoot(route, request)
-    } catch (error) {
-      // For JSON requests propagate the error. Otherwise catch it so we can
-      // show the error inline with the update button instead of an error page.
-      if (request.headers["content-type"] === "application/json") {
-        throw error
-      }
-      return this.getRoot(route, error)
-    }
-  }
-
-  public async downloadAndApplyUpdate(update: Update, targetPath?: string): Promise<void> {
-    const releaseName = await this.getReleaseName(update)
-    const url = this.downloadUrl.replace("{{VERSION}}", update.version).replace("{{RELEASE_NAME}}", releaseName)
-
-    let downloadPath = path.join(tmpdir, "updates", releaseName)
-    fs.mkdirp(path.dirname(downloadPath))
-
-    const response = await this.requestResponse(url)
-
-    try {
-      if (downloadPath.endsWith(".tar.gz")) {
-        downloadPath = await this.extractTar(response, downloadPath)
-      } else {
-        downloadPath = await this.extractZip(response, downloadPath)
-      }
-      logger.debug("Downloaded update", field("path", downloadPath))
-
-      // The archive should have a directory inside at the top level with the
-      // same name as the archive.
-      const directoryPath = path.join(downloadPath, path.basename(downloadPath))
-      await fs.stat(directoryPath)
-
-      if (!targetPath) {
-        // eslint-disable-next-line @typescript-eslint/no-explicit-any
-        targetPath = path.resolve(__dirname, "../../../")
-      }
-
-      // Move the old directory to prevent potential data loss.
-      const backupPath = path.resolve(targetPath, `../${path.basename(targetPath)}.${Date.now().toString()}`)
-      logger.debug("Replacing files", field("target", targetPath), field("backup", backupPath))
-      await fs.move(targetPath, backupPath)
-
-      // Move the new directory.
-      await fs.move(directoryPath, targetPath)
-
-      await fs.remove(downloadPath)
-
-      if (process.send) {
-        ipcMain().relaunch(update.version)
-      }
-    } catch (error) {
-      response.destroy(error)
-      throw error
-    }
-  }
-
-  private async extractTar(response: Readable, downloadPath: string): Promise<string> {
-    downloadPath = downloadPath.replace(/\.tar\.gz$/, "")
-    logger.debug("Extracting tar", field("path", downloadPath))
-
-    response.pause()
-    await fs.remove(downloadPath)
-
-    const decompress = zlib.createGunzip()
-    response.pipe(decompress as Writable)
-    response.on("error", (error) => decompress.destroy(error))
-    response.on("close", () => decompress.end())
-
-    const destination = tar.extract(downloadPath)
-    decompress.pipe(destination)
-    decompress.on("error", (error) => destination.destroy(error))
-    decompress.on("close", () => destination.end())
-
-    await new Promise((resolve, reject) => {
-      destination.on("finish", resolve)
-      destination.on("error", reject)
-      response.resume()
-    })
-
-    return downloadPath
-  }
-
-  private async extractZip(response: Readable, downloadPath: string): Promise<string> {
-    logger.debug("Downloading zip", field("path", downloadPath))
-
-    response.pause()
-    await fs.remove(downloadPath)
-
-    const write = fs.createWriteStream(downloadPath)
-    response.pipe(write)
-    response.on("error", (error) => write.destroy(error))
-    response.on("close", () => write.end())
-
-    await new Promise((resolve, reject) => {
-      write.on("error", reject)
-      write.on("close", resolve)
-      response.resume
-    })
-
-    const zipPath = downloadPath
-    downloadPath = downloadPath.replace(/\.zip$/, "")
-    await fs.remove(downloadPath)
-
-    logger.debug("Extracting zip", field("path", zipPath))
-
-    await new Promise((resolve, reject) => {
-      new zip(zipPath).extractAllToAsync(downloadPath, true, (error) => {
-        return error ? reject(error) : resolve()
-      })
-    })
-
-    await fs.remove(zipPath)
-
-    return downloadPath
-  }
-
-  /**
-   * Given an update return the name for the packaged archived.
-   */
-  public async getReleaseName(update: Update): Promise<string> {
-    let target: string = os.platform()
-    if (target === "linux") {
-      const result = await util
-        .promisify(cp.exec)("ldd --version")
-        .catch((error) => ({
-          stderr: error.message,
-          stdout: "",
-        }))
-      if (/musl/.test(result.stderr) || /musl/.test(result.stdout)) {
-        target = "alpine"
-      }
-    }
-    let arch = os.arch()
-    if (arch === "x64") {
-      arch = "x86_64"
-    }
-    return `code-server-${update.version}-${target}-${arch}.${target === "darwin" ? "zip" : "tar.gz"}`
-  }
-
-  private async request(uri: string): Promise<Buffer> {
-    const response = await this.requestResponse(uri)
-    return new Promise((resolve, reject) => {
-      const chunks: Buffer[] = []
-      let bufferLength = 0
-      response.on("data", (chunk) => {
-        bufferLength += chunk.length
-        chunks.push(chunk)
-      })
-      response.on("error", reject)
-      response.on("end", () => {
-        resolve(Buffer.concat(chunks, bufferLength))
-      })
-    })
-  }
-
-  private async requestResponse(uri: string): Promise<http.IncomingMessage> {
-    let redirects = 0
-    const maxRedirects = 10
-    return new Promise((resolve, reject) => {
-      const request = (uri: string): void => {
-        logger.debug("Making request", field("uri", uri))
-        const httpx = uri.startsWith("https") ? https : http
-        const client = httpx.get(uri, { headers: { "User-Agent": "code-server" } }, (response) => {
-          if (
-            response.statusCode &&
-            response.statusCode >= 300 &&
-            response.statusCode < 400 &&
-            response.headers.location
-          ) {
-            ++redirects
-            if (redirects > maxRedirects) {
-              return reject(new Error("reached max redirects"))
-            }
-            response.destroy()
-            return request(url.resolve(uri, response.headers.location))
-          }
-
-          if (!response.statusCode || response.statusCode < 200 || response.statusCode >= 400) {
-            return reject(new Error(`${uri}: ${response.statusCode || "500"}`))
-          }
-
-          resolve(response)
-        })
-        client.on("error", reject)
-      }
-      request(uri)
-    })
-  }
-}

src/node/app/vscode.ts

@@ -1,241 +0,0 @@
-import { field, logger } from "@coder/logger"
-import * as cp from "child_process"
-import * as crypto from "crypto"
-import * as fs from "fs-extra"
-import * as http from "http"
-import * as net from "net"
-import * as path from "path"
-import {
-  CodeServerMessage,
-  Options,
-  StartPath,
-  VscodeMessage,
-  VscodeOptions,
-  WorkbenchOptions,
-} from "../../../lib/vscode/src/vs/server/ipc"
-import { HttpCode, HttpError } from "../../common/http"
-import { generateUuid } from "../../common/util"
-import { Args } from "../cli"
-import { HttpProvider, HttpProviderOptions, HttpResponse, Route } from "../http"
-import { settings } from "../settings"
-import { pathToFsPath } from "../util"
-
-export class VscodeHttpProvider extends HttpProvider {
-  private readonly serverRootPath: string
-  private readonly vsRootPath: string
-  private _vscode?: Promise<cp.ChildProcess>
-
-  public constructor(options: HttpProviderOptions, private readonly args: Args) {
-    super(options)
-    this.vsRootPath = path.resolve(this.rootPath, "lib/vscode")
-    this.serverRootPath = path.join(this.vsRootPath, "out/vs/server")
-  }
-
-  public get running(): boolean {
-    return !!this._vscode
-  }
-
-  public async dispose(): Promise<void> {
-    if (this._vscode) {
-      const vscode = await this._vscode
-      vscode.removeAllListeners()
-      this._vscode = undefined
-      vscode.kill()
-    }
-  }
-
-  private async initialize(options: VscodeOptions): Promise<WorkbenchOptions> {
-    const id = generateUuid()
-    const vscode = await this.fork()
-
-    logger.debug("setting up vs code...")
-    return new Promise<WorkbenchOptions>((resolve, reject) => {
-      vscode.once("message", (message: VscodeMessage) => {
-        logger.debug("got message from vs code", field("message", message))
-        return message.type === "options" && message.id === id
-          ? resolve(message.options)
-          : reject(new Error("Unexpected response during initialization"))
-      })
-      vscode.once("error", reject)
-      vscode.once("exit", (code) => reject(new Error(`VS Code exited unexpectedly with code ${code}`)))
-      this.send({ type: "init", id, options }, vscode)
-    })
-  }
-
-  private fork(): Promise<cp.ChildProcess> {
-    if (!this._vscode) {
-      logger.debug("forking vs code...")
-      const vscode = cp.fork(path.join(this.serverRootPath, "fork"))
-      vscode.on("error", (error) => {
-        logger.error(error.message)
-        this._vscode = undefined
-      })
-      vscode.on("exit", (code) => {
-        logger.error(`VS Code exited unexpectedly with code ${code}`)
-        this._vscode = undefined
-      })
-
-      this._vscode = new Promise((resolve, reject) => {
-        vscode.once("message", (message: VscodeMessage) => {
-          logger.debug("got message from vs code", field("message", message))
-          return message.type === "ready"
-            ? resolve(vscode)
-            : reject(new Error("Unexpected response waiting for ready response"))
-        })
-        vscode.once("error", reject)
-        vscode.once("exit", (code) => reject(new Error(`VS Code exited unexpectedly with code ${code}`)))
-      })
-    }
-
-    return this._vscode
-  }
-
-  public async handleWebSocket(route: Route, request: http.IncomingMessage, socket: net.Socket): Promise<void> {
-    if (!this.authenticated(request)) {
-      throw new Error("not authenticated")
-    }
-
-    // VS Code expects a raw socket. It will handle all the web socket frames.
-    // We just need to handle the initial upgrade.
-    // This magic value is specified by the websocket spec.
-    const magic = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
-    const reply = crypto
-      .createHash("sha1")
-      .update(request.headers["sec-websocket-key"] + magic)
-      .digest("base64")
-    socket.write(
-      [
-        "HTTP/1.1 101 Switching Protocols",
-        "Upgrade: websocket",
-        "Connection: Upgrade",
-        `Sec-WebSocket-Accept: ${reply}`,
-      ].join("\r\n") + "\r\n\r\n",
-    )
-
-    const vscode = await this._vscode
-    this.send({ type: "socket", query: route.query }, vscode, socket)
-  }
-
-  private send(message: CodeServerMessage, vscode?: cp.ChildProcess, socket?: net.Socket): void {
-    if (!vscode || vscode.killed) {
-      throw new Error("vscode is not running")
-    }
-    vscode.send(message, socket)
-  }
-
-  public async handleRequest(route: Route, request: http.IncomingMessage): Promise<HttpResponse> {
-    this.ensureMethod(request)
-
-    switch (route.base) {
-      case "/":
-        if (!this.isRoot(route)) {
-          throw new HttpError("Not found", HttpCode.NotFound)
-        } else if (!this.authenticated(request)) {
-          return { redirect: "/login", query: { to: this.options.base } }
-        }
-        try {
-          return await this.getRoot(request, route)
-        } catch (error) {
-          const message = `<div>VS Code failed to load.</div> ${
-            this.isDev
-              ? `<div>It might not have finished compiling.</div>` +
-                `Check for <code>Finished <span class="success">compilation</span></code> in the output.`
-              : ""
-          } <br><br>${error}`
-          return this.getErrorRoot(route, "VS Code failed to load", "500", message)
-        }
-    }
-
-    this.ensureAuthenticated(request)
-
-    switch (route.base) {
-      case "/resource":
-      case "/vscode-remote-resource":
-        if (typeof route.query.path === "string") {
-          return this.getResource(pathToFsPath(route.query.path))
-        }
-        break
-      case "/webview":
-        if (/^\/vscode-resource/.test(route.requestPath)) {
-          return this.getResource(route.requestPath.replace(/^\/vscode-resource(\/file)?/, ""))
-        }
-        return this.getResource(this.vsRootPath, "out/vs/workbench/contrib/webview/browser/pre", route.requestPath)
-    }
-
-    throw new HttpError("Not found", HttpCode.NotFound)
-  }
-
-  private async getRoot(request: http.IncomingMessage, route: Route): Promise<HttpResponse> {
-    const remoteAuthority = request.headers.host as string
-    const { lastVisited } = await settings.read()
-    const startPath = await this.getFirstPath([
-      { url: route.query.workspace, workspace: true },
-      { url: route.query.folder, workspace: false },
-      this.args._ && this.args._.length > 0 ? { url: path.resolve(this.args._[this.args._.length - 1]) } : undefined,
-      lastVisited,
-    ])
-    const [response, options] = await Promise.all([
-      await this.getUtf8Resource(this.rootPath, "src/browser/pages/vscode.html"),
-      this.initialize({
-        args: this.args,
-        remoteAuthority,
-        startPath,
-      }),
-    ])
-
-    if (startPath) {
-      settings.write({
-        lastVisited: startPath,
-      })
-    }
-
-    if (!this.isDev) {
-      response.content = response.content.replace(/<!-- PROD_ONLY/g, "").replace(/END_PROD_ONLY -->/g, "")
-    }
-
-    options.productConfiguration.codeServerVersion = require("../../../package.json").version
-
-    response.content = response.content
-      .replace(`"{{REMOTE_USER_DATA_URI}}"`, `'${JSON.stringify(options.remoteUserDataUri)}'`)
-      .replace(`"{{PRODUCT_CONFIGURATION}}"`, `'${JSON.stringify(options.productConfiguration)}'`)
-      .replace(`"{{WORKBENCH_WEB_CONFIGURATION}}"`, `'${JSON.stringify(options.workbenchWebConfiguration)}'`)
-      .replace(`"{{NLS_CONFIGURATION}}"`, `'${JSON.stringify(options.nlsConfiguration)}'`)
-    return this.replaceTemplates<Options>(route, response, {
-      base: this.base(route),
-      commit: this.options.commit,
-      disableTelemetry: !!this.args["disable-telemetry"],
-    })
-  }
-
-  /**
-   * Choose the first non-empty path.
-   */
-  private async getFirstPath(
-    startPaths: Array<{ url?: string | string[]; workspace?: boolean } | undefined>,
-  ): Promise<StartPath | undefined> {
-    const isFile = async (path: string): Promise<boolean> => {
-      try {
-        const stat = await fs.stat(path)
-        return stat.isFile()
-      } catch (error) {
-        logger.warn(error.message)
-        return false
-      }
-    }
-    for (let i = 0; i < startPaths.length; ++i) {
-      const startPath = startPaths[i]
-      const url =
-        startPath && (typeof startPath.url === "string" ? [startPath.url] : startPath.url || []).find((p) => !!p)
-      if (startPath && url) {
-        return {
-          url,
-          // The only time `workspace` is undefined is for the command-line
-          // argument, in which case it's a path (not a URL) so we can stat it
-          // without having to parse it.
-          workspace: typeof startPath.workspace !== "undefined" ? startPath.workspace : await isFile(url),
-        }
-      }
-    }
-    return undefined
-  }
-}

src/node/cli.ts

@@ -4,8 +4,12 @@ import yaml from "js-yaml"
 import * as os from "os"
 import * as path from "path"
 import { Args as VsArgs } from "../../lib/vscode/src/vs/server/ipc"
-import { AuthType } from "./http"
-import { generatePassword, humanPath, paths } from "./util"
+import { canConnect, generateCertificate, generatePassword, humanPath, paths } from "./util"
+
+export enum AuthType {
+  Password = "password",
+  None = "none",
+}
 
 export class Optional<T> {
   public constructor(public readonly value?: T) {}
@@ -22,29 +26,34 @@ export enum LogLevel {
 export class OptionalString extends Optional<string> {}
 
 export interface Args extends VsArgs {
-  readonly config?: string
-  readonly auth?: AuthType
-  readonly password?: string
-  readonly cert?: OptionalString
-  readonly "cert-key"?: string
-  readonly "disable-telemetry"?: boolean
-  readonly help?: boolean
-  readonly host?: string
-  readonly json?: boolean
+  config?: string
+  auth?: AuthType
+  password?: string
+  cert?: OptionalString
+  "cert-host"?: string
+  "cert-key"?: string
+  "disable-telemetry"?: boolean
+  help?: boolean
+  host?: string
+  json?: boolean
   log?: LogLevel
-  readonly open?: boolean
-  readonly port?: number
-  readonly "bind-addr"?: string
-  readonly socket?: string
-  readonly version?: boolean
-  readonly force?: boolean
-  readonly "list-extensions"?: boolean
-  readonly "install-extension"?: string[]
-  readonly "show-versions"?: boolean
-  readonly "uninstall-extension"?: string[]
-  readonly "proxy-domain"?: string[]
-  readonly locale?: string
-  readonly _: string[]
+  open?: boolean
+  port?: number
+  "bind-addr"?: string
+  socket?: string
+  version?: boolean
+  force?: boolean
+  "list-extensions"?: boolean
+  "install-extension"?: string[]
+  "show-versions"?: boolean
+  "uninstall-extension"?: string[]
+  "proxy-domain"?: string[]
+  locale?: string
+  _: string[]
+  "reuse-window"?: boolean
+  "new-window"?: boolean
+
+  link?: OptionalString
 }
 
 interface Option<T> {
@@ -61,6 +70,11 @@ interface Option<T> {
    * Description of the option. Leave blank to hide the option.
    */
   description?: string
+
+  /**
+   * If marked as beta, the option is not printed unless $CS_BETA is set.
+   */
+  beta?: boolean
 }
 
 type OptionType<T> = T extends boolean
@@ -92,7 +106,11 @@ const options: Options<Required<Args>> = {
   cert: {
     type: OptionalString,
     path: true,
-    description: "Path to certificate. Generated if no path is provided.",
+    description: "Path to certificate. A self signed certificate is generated if none is provided.",
+  },
+  "cert-host": {
+    type: "string",
+    description: "Hostname to use when generating a self signed certificate.",
   },
   "cert-key": { type: "string", path: true, description: "Path to certificate key when using non-generated cert." },
   "disable-telemetry": { type: "boolean", description: "Disable telemetry." },
@@ -125,14 +143,47 @@ const options: Options<Required<Args>> = {
   "extra-builtin-extensions-dir": { type: "string[]", path: true },
   "list-extensions": { type: "boolean", description: "List installed VS Code extensions." },
   force: { type: "boolean", description: "Avoid prompts when installing VS Code extensions." },
-  "install-extension": { type: "string[]", description: "Install or update a VS Code extension by id or vsix." },
+  "install-extension": {
+    type: "string[]",
+    description:
+      "Install or update a VS Code extension by id or vsix. The identifier of an extension is `${publisher}.${name}`.\n" +
+      "To install a specific version provide `@${version}`. For example: 'vscode.csharp@1.2.3'.",
+  },
+  "enable-proposed-api": {
+    type: "string[]",
+    description:
+      "Enable proposed API features for extensions. Can receive one or more extension IDs to enable individually.",
+  },
   "uninstall-extension": { type: "string[]", description: "Uninstall a VS Code extension by id." },
   "show-versions": { type: "boolean", description: "Show VS Code extension versions." },
   "proxy-domain": { type: "string[]", description: "Domain used for proxying ports." },
 
+  "new-window": {
+    type: "boolean",
+    short: "n",
+    description: "Force to open a new window.",
+  },
+  "reuse-window": {
+    type: "boolean",
+    short: "r",
+    description: "Force to open a file or folder in an already opened window.",
+  },
+
   locale: { type: "string" },
   log: { type: LogLevel },
   verbose: { type: "boolean", short: "vvv", description: "Enable verbose logging." },
+
+  link: {
+    type: OptionalString,
+    description: `
+      Securely bind code-server via Coder Cloud with the passed name. You'll get a URL like
+      https://myname.coder-cloud.com at which you can easily access your code-server instance.
+      Authorization is done via GitHub.
+      This is presently beta and requires being accepted for testing.
+      See https://github.com/cdr/code-server/discussions/2137
+    `,
+    beta: true,
+  },
 }
 
 export const optionDescriptions = (): string[] => {
@@ -144,12 +195,32 @@ export const optionDescriptions = (): string[] => {
     }),
     { short: 0, long: 0 },
   )
-  return entries.map(
-    ([k, v]) =>
-      `${" ".repeat(widths.short - (v.short ? v.short.length : 0))}${v.short ? `-${v.short}` : " "} --${k}${" ".repeat(
-        widths.long - k.length,
-      )} ${v.description}${typeof v.type === "object" ? ` [${Object.values(v.type).join(", ")}]` : ""}`,
-  )
+  return entries
+    .filter(([, v]) => {
+      // If CS_BETA is set, we show beta options but if not, then we do not want
+      // to show beta options.
+      return process.env.CS_BETA || !v.beta
+    })
+    .map(([k, v]) => {
+      const help = `${" ".repeat(widths.short - (v.short ? v.short.length : 0))}${
+        v.short ? `-${v.short}` : " "
+      } --${k} `
+      return (
+        help +
+        v.description
+          ?.trim()
+          .split(/\n/)
+          .map((line, i) => {
+            line = line.trim()
+            if (i === 0) {
+              return " ".repeat(widths.long - k.length) + line
+            }
+            return " ".repeat(widths.long + widths.short + 6) + line
+          })
+          .join("\n") +
+        (typeof v.type === "object" ? ` [${Object.values(v.type).join(", ")}]` : "")
+      )
+    })
 }
 
 export const parse = (
@@ -172,7 +243,7 @@ export const parse = (
     const arg = argv[i]
 
     // -- signals the end of option parsing.
-    if (!ended && arg == "--") {
+    if (!ended && arg === "--") {
       ended = true
       continue
     }
@@ -220,7 +291,7 @@ export const parse = (
         throw error(`--${key} requires a value`)
       }
 
-      if (option.type == OptionalString && value == "false") {
+      if (option.type === OptionalString && value === "false") {
         continue
       }
 
@@ -263,7 +334,46 @@ export const parse = (
     args._.push(arg)
   }
 
-  logger.debug("parsed command line", field("args", args))
+  // If a cert was provided a key must also be provided.
+  if (args.cert && args.cert.value && !args["cert-key"]) {
+    throw new Error("--cert-key is missing")
+  }
+
+  logger.debug(() => ["parsed command line", field("args", { ...args, password: undefined })])
+
+  return args
+}
+
+export interface DefaultedArgs extends ConfigArgs {
+  auth: AuthType
+  cert?: {
+    value: string
+  }
+  host: string
+  port: number
+  "proxy-domain": string[]
+  verbose: boolean
+  usingEnvPassword: boolean
+  "extensions-dir": string
+  "user-data-dir": string
+}
+
+/**
+ * Take CLI and config arguments (optional) and return a single set of arguments
+ * with the defaults set. Arguments from the CLI are prioritized over config
+ * arguments.
+ */
+export async function setDefaults(cliArgs: Args, configArgs?: ConfigArgs): Promise<DefaultedArgs> {
+  const args = Object.assign({}, configArgs || {}, cliArgs)
+
+  if (!args["user-data-dir"]) {
+    await copyOldMacOSDataDir()
+    args["user-data-dir"] = paths.data
+  }
+
+  if (!args["extensions-dir"]) {
+    args["extensions-dir"] = path.join(args["user-data-dir"], "extensions")
+  }
 
   // --verbose takes priority over --log and --log takes priority over the
   // environment variable.
@@ -304,22 +414,49 @@ export const parse = (
       break
   }
 
-  return args
-}
-
-export async function setDefaults(args: Args): Promise<Args> {
-  args = { ...args }
-
-  if (!args["user-data-dir"]) {
-    await copyOldMacOSDataDir()
-    args["user-data-dir"] = paths.data
+  // Default to using a password.
+  if (!args.auth) {
+    args.auth = AuthType.Password
   }
 
-  if (!args["extensions-dir"]) {
-    args["extensions-dir"] = path.join(args["user-data-dir"], "extensions")
+  const addr = bindAddrFromAllSources(configArgs || { _: [] }, cliArgs)
+  args.host = addr.host
+  args.port = addr.port
+
+  // If we're being exposed to the cloud, we listen on a random address and
+  // disable auth.
+  if (args.link) {
+    args.host = "localhost"
+    args.port = 0
+    args.socket = undefined
+    args.cert = undefined
+    args.auth = AuthType.None
   }
 
-  return args
+  if (args.cert && !args.cert.value) {
+    const { cert, certKey } = await generateCertificate(args["cert-host"] || "localhost")
+    args.cert = {
+      value: cert,
+    }
+    args["cert-key"] = certKey
+  }
+
+  const usingEnvPassword = !!process.env.PASSWORD
+  if (process.env.PASSWORD) {
+    args.password = process.env.PASSWORD
+  }
+
+  // Ensure it's not readable by child processes.
+  delete process.env.PASSWORD
+
+  // Filter duplicate proxy domains and remove any leading `*.`.
+  const proxyDomains = new Set((args["proxy-domain"] || []).map((d) => d.replace(/^\*\./, "")))
+  args["proxy-domain"] = Array.from(proxyDomains)
+
+  return {
+    ...args,
+    usingEnvPassword,
+  } as DefaultedArgs // TODO: Technically no guarantee this is fulfilled.
 }
 
 async function defaultConfigFile(): Promise<string> {
@@ -330,12 +467,16 @@ cert: false
 `
 }
 
+interface ConfigArgs extends Args {
+  config: string
+}
+
 /**
  * Reads the code-server yaml config file and returns it as Args.
  *
  * @param configPath Read the config from configPath instead of $CODE_SERVER_CONFIG or the default.
  */
-export async function readConfigFile(configPath?: string): Promise<Args> {
+export async function readConfigFile(configPath?: string): Promise<ConfigArgs> {
   if (!configPath) {
     configPath = process.env.CODE_SERVER_CONFIG
     if (!configPath) {
@@ -348,12 +489,13 @@ export async function readConfigFile(configPath?: string): Promise<Args> {
     logger.info(`Wrote default config file to ${humanPath(configPath)}`)
   }
 
-  logger.info(`Using config file ${humanPath(configPath)}`)
-
   const configFile = await fs.readFile(configPath)
   const config = yaml.safeLoad(configFile.toString(), {
     filename: configPath,
   })
+  if (!config || typeof config === "string") {
+    throw new Error(`invalid config: ${config}`)
+  }
 
   // We convert the config file into a set of flags.
   // This is a temporary measure until we add a proper CLI library.
@@ -372,9 +514,15 @@ export async function readConfigFile(configPath?: string): Promise<Args> {
   }
 }
 
-function parseBindAddr(bindAddr: string): [string, number] {
+function parseBindAddr(bindAddr: string): Addr {
   const u = new URL(`http://${bindAddr}`)
-  return [u.hostname, parseInt(u.port, 10)]
+  return {
+    host: u.hostname,
+    // With the http scheme 80 will be dropped so assume it's 80 if missing.
+    // This means --bind-addr <addr> without a port will default to 80 as well
+    // and not the code-server default.
+    port: u.port ? parseInt(u.port, 10) : 80,
+  }
 }
 
 interface Addr {
@@ -385,7 +533,7 @@ interface Addr {
 function bindAddrFromArgs(addr: Addr, args: Args): Addr {
   addr = { ...addr }
   if (args["bind-addr"]) {
-    ;[addr.host, addr.port] = parseBindAddr(args["bind-addr"])
+    addr = parseBindAddr(args["bind-addr"])
   }
   if (args.host) {
     addr.host = args.host
@@ -400,16 +548,17 @@ function bindAddrFromArgs(addr: Addr, args: Args): Addr {
   return addr
 }
 
-export function bindAddrFromAllSources(cliArgs: Args, configArgs: Args): [string, number] {
+function bindAddrFromAllSources(...argsConfig: Args[]): Addr {
   let addr: Addr = {
     host: "localhost",
     port: 8080,
   }
 
-  addr = bindAddrFromArgs(addr, configArgs)
-  addr = bindAddrFromArgs(addr, cliArgs)
+  for (const args of argsConfig) {
+    addr = bindAddrFromArgs(addr, args)
+  }
 
-  return [addr.host, addr.port]
+  return addr
 }
 
 async function copyOldMacOSDataDir(): Promise<void> {
@@ -426,3 +575,52 @@ async function copyOldMacOSDataDir(): Promise<void> {
     await fs.copy(oldDataDir, paths.data)
   }
 }
+
+export const shouldRunVsCodeCli = (args: Args): boolean => {
+  return !!args["list-extensions"] || !!args["install-extension"] || !!args["uninstall-extension"]
+}
+
+/**
+ * Determine if it looks like the user is trying to open a file or folder in an
+ * existing instance. The arguments here should be the arguments the user
+ * explicitly passed on the command line, not defaults or the configuration.
+ */
+export const shouldOpenInExistingInstance = async (args: Args): Promise<string | undefined> => {
+  // Always use the existing instance if we're running from VS Code's terminal.
+  if (process.env.VSCODE_IPC_HOOK_CLI) {
+    return process.env.VSCODE_IPC_HOOK_CLI
+  }
+
+  const readSocketPath = async (): Promise<string | undefined> => {
+    try {
+      return await fs.readFile(path.join(os.tmpdir(), "vscode-ipc"), "utf8")
+    } catch (error) {
+      if (error.code !== "ENOENT") {
+        throw error
+      }
+    }
+    return undefined
+  }
+
+  // If these flags are set then assume the user is trying to open in an
+  // existing instance since these flags have no effect otherwise.
+  const openInFlagCount = ["reuse-window", "new-window"].reduce((prev, cur) => {
+    return args[cur as keyof Args] ? prev + 1 : prev
+  }, 0)
+  if (openInFlagCount > 0) {
+    return readSocketPath()
+  }
+
+  // It's possible the user is trying to spawn another instance of code-server.
+  // Check if any unrelated flags are set (check against one because `_` always
+  // exists), that a file or directory was passed, and that the socket is
+  // active.
+  if (Object.keys(args).length === 1 && args._.length > 0) {
+    const socketPath = await readSocketPath()
+    if (socketPath && (await canConnect(socketPath))) {
+      return socketPath
+    }
+  }
+
+  return undefined
+}

src/node/coder-cloud.ts

@@ -0,0 +1,43 @@
+import { logger } from "@coder/logger"
+import { spawn } from "child_process"
+import path from "path"
+import split2 from "split2"
+
+// https://github.com/cdr/coder-cloud
+const coderCloudAgent = path.resolve(__dirname, "../../lib/coder-cloud-agent")
+
+function runAgent(...args: string[]): Promise<void> {
+  logger.debug(`running agent with ${args}`)
+
+  const agent = spawn(coderCloudAgent, args, {
+    stdio: ["inherit", "inherit", "pipe"],
+  })
+
+  agent.stderr.pipe(split2()).on("data", (line) => {
+    line = line.replace(/^[0-9-]+ [0-9:]+ [^ ]+\t/, "")
+    logger.info(line)
+  })
+
+  return new Promise((res, rej) => {
+    agent.on("error", rej)
+
+    agent.on("close", (code) => {
+      if (code !== 0) {
+        rej({
+          message: `coder cloud agent exited with ${code}`,
+        })
+        return
+      }
+      res()
+    })
+  })
+}
+
+export function coderCloudBind(csAddr: string, serverName = ""): Promise<void> {
+  logger.info("Remember --link is a beta feature and requires being accepted for testing")
+  logger.info("See https://github.com/cdr/code-server/discussions/2137")
+  // addr needs to be in host:port format.
+  // So we trim the protocol.
+  csAddr = csAddr.replace(/^https?:\/\//, "")
+  return runAgent("bind", `--code-server-addr=${csAddr}`, serverName)
+}

src/node/constants.ts

@@ -0,0 +1,13 @@
+import { logger } from "@coder/logger"
+import * as path from "path"
+
+let pkg: { version?: string; commit?: string } = {}
+try {
+  pkg = require("../../package.json")
+} catch (error) {
+  logger.warn(error.message)
+}
+
+export const version = pkg.version || "development"
+export const commit = pkg.commit || "development"
+export const rootPath = path.resolve(__dirname, "../..")

src/node/entry.ts

@@ -1,144 +1,172 @@
 import { field, logger } from "@coder/logger"
 import * as cp from "child_process"
+import http from "http"
 import * as path from "path"
-import { CliMessage } from "../../lib/vscode/src/vs/server/ipc"
-import { ApiHttpProvider } from "./app/api"
-import { DashboardHttpProvider } from "./app/dashboard"
-import { LoginHttpProvider } from "./app/login"
-import { ProxyHttpProvider } from "./app/proxy"
-import { StaticHttpProvider } from "./app/static"
-import { UpdateHttpProvider } from "./app/update"
-import { VscodeHttpProvider } from "./app/vscode"
-import { Args, bindAddrFromAllSources, optionDescriptions, parse, readConfigFile, setDefaults } from "./cli"
-import { AuthType, HttpServer, HttpServerOptions } from "./http"
-import { generateCertificate, hash, open, humanPath } from "./util"
-import { ipcMain, wrap } from "./wrapper"
+import { CliMessage, OpenCommandPipeArgs } from "../../lib/vscode/src/vs/server/ipc"
+import { plural } from "../common/util"
+import { createApp, ensureAddress } from "./app"
+import {
+  AuthType,
+  DefaultedArgs,
+  optionDescriptions,
+  parse,
+  readConfigFile,
+  setDefaults,
+  shouldOpenInExistingInstance,
+  shouldRunVsCodeCli,
+} from "./cli"
+import { coderCloudBind } from "./coder-cloud"
+import { commit, version } from "./constants"
+import { register } from "./routes"
+import { humanPath, isFile, open } from "./util"
+import { ipcMain, WrapperProcess } from "./wrapper"
 
-process.on("uncaughtException", (error) => {
-  logger.error(`Uncaught exception: ${error.message}`)
-  if (typeof error.stack !== "undefined") {
-    logger.error(error.stack)
-  }
-})
-
-let pkg: { version?: string; commit?: string } = {}
-try {
-  pkg = require("../../package.json")
-} catch (error) {
-  logger.warn(error.message)
+export const runVsCodeCli = (args: DefaultedArgs): void => {
+  logger.debug("forking vs code cli...")
+  const vscode = cp.fork(path.resolve(__dirname, "../../lib/vscode/out/vs/server/fork"), [], {
+    env: {
+      ...process.env,
+      CODE_SERVER_PARENT_PID: process.pid.toString(),
+    },
+  })
+  vscode.once("message", (message: any) => {
+    logger.debug("got message from VS Code", field("message", message))
+    if (message.type !== "ready") {
+      logger.error("Unexpected response waiting for ready response", field("type", message.type))
+      process.exit(1)
+    }
+    const send: CliMessage = { type: "cli", args }
+    vscode.send(send)
+  })
+  vscode.once("error", (error) => {
+    logger.error("Got error from VS Code", field("error", error))
+    process.exit(1)
+  })
+  vscode.on("exit", (code) => process.exit(code || 0))
 }
 
-const version = pkg.version || "development"
-const commit = pkg.commit || "development"
+export const openInExistingInstance = async (args: DefaultedArgs, socketPath: string): Promise<void> => {
+  const pipeArgs: OpenCommandPipeArgs & { fileURIs: string[] } = {
+    type: "open",
+    folderURIs: [],
+    fileURIs: [],
+    forceReuseWindow: args["reuse-window"],
+    forceNewWindow: args["new-window"],
+  }
 
-const main = async (cliArgs: Args): Promise<void> => {
-  const configArgs = await readConfigFile(cliArgs.config)
-  // This prioritizes the flags set in args over the ones in the config file.
-  let args = Object.assign(configArgs, cliArgs)
-
-  if (!args.auth) {
-    args = {
-      ...args,
-      auth: AuthType.Password,
+  for (let i = 0; i < args._.length; i++) {
+    const fp = path.resolve(args._[i])
+    if (await isFile(fp)) {
+      pipeArgs.fileURIs.push(fp)
+    } else {
+      pipeArgs.folderURIs.push(fp)
     }
   }
 
-  logger.info(`Using user-data-dir ${humanPath(args["user-data-dir"])}`)
+  if (pipeArgs.forceNewWindow && pipeArgs.fileURIs.length > 0) {
+    logger.error("--new-window can only be used with folder paths")
+    process.exit(1)
+  }
 
+  if (pipeArgs.folderURIs.length === 0 && pipeArgs.fileURIs.length === 0) {
+    logger.error("Please specify at least one file or folder")
+    process.exit(1)
+  }
+
+  const vscode = http.request(
+    {
+      path: "/",
+      method: "POST",
+      socketPath,
+    },
+    (response) => {
+      response.on("data", (message) => {
+        logger.debug("got message from VS Code", field("message", message.toString()))
+      })
+    },
+  )
+  vscode.on("error", (error: unknown) => {
+    logger.error("got error from VS Code", field("error", error))
+  })
+  vscode.write(JSON.stringify(pipeArgs))
+  vscode.end()
+}
+
+const main = async (args: DefaultedArgs): Promise<void> => {
+  logger.info(`code-server ${version} ${commit}`)
+
+  logger.info(`Using user-data-dir ${humanPath(args["user-data-dir"])}`)
   logger.trace(`Using extensions-dir ${humanPath(args["extensions-dir"])}`)
 
-  const envPassword = !!process.env.PASSWORD
-  const password = args.auth === AuthType.Password && (process.env.PASSWORD || args.password)
-  if (args.auth === AuthType.Password && !password) {
+  if (args.auth === AuthType.Password && !args.password) {
     throw new Error("Please pass in a password via the config file or $PASSWORD")
   }
-  const [host, port] = bindAddrFromAllSources(cliArgs, configArgs)
 
-  // Spawn the main HTTP server.
-  const options: HttpServerOptions = {
-    auth: args.auth,
-    commit,
-    host: host,
-    // The hash does not add any actual security but we do it for obfuscation purposes.
-    password: password ? hash(password) : undefined,
-    port: port,
-    proxyDomains: args["proxy-domain"],
-    socket: args.socket,
-    ...(args.cert && !args.cert.value
-      ? await generateCertificate()
-      : {
-          cert: args.cert && args.cert.value,
-          certKey: args["cert-key"],
-        }),
-  }
+  const [app, wsApp, server] = await createApp(args)
+  const serverAddress = ensureAddress(server)
+  await register(app, wsApp, server, args)
 
-  if (options.cert && !options.certKey) {
-    throw new Error("--cert-key is missing")
-  }
-
-  const httpServer = new HttpServer(options)
-  const vscode = httpServer.registerHttpProvider("/", VscodeHttpProvider, args)
-  const api = httpServer.registerHttpProvider("/api", ApiHttpProvider, httpServer, vscode, args["user-data-dir"])
-  const update = httpServer.registerHttpProvider("/update", UpdateHttpProvider, false)
-  httpServer.registerHttpProvider("/proxy", ProxyHttpProvider)
-  httpServer.registerHttpProvider("/login", LoginHttpProvider, args.config!, envPassword)
-  httpServer.registerHttpProvider("/static", StaticHttpProvider)
-  httpServer.registerHttpProvider("/dashboard", DashboardHttpProvider, api, update)
-
-  ipcMain().onDispose(() => httpServer.dispose())
-
-  logger.info(`code-server ${version} ${commit}`)
-  const serverAddress = await httpServer.listen()
-  logger.info(`HTTP server listening on ${serverAddress}`)
+  logger.info(`Using config file ${humanPath(args.config)}`)
+  logger.info(`HTTP server listening on ${serverAddress} ${args.link ? "(randomized by --link)" : ""}`)
 
   if (args.auth === AuthType.Password) {
-    if (envPassword) {
+    logger.info("  - Authentication is enabled")
+    if (args.usingEnvPassword) {
       logger.info("    - Using password from $PASSWORD")
     } else {
       logger.info(`    - Using password from ${humanPath(args.config)}`)
     }
-    logger.info("    - To disable use `--auth none`")
   } else {
-    logger.info("  - No authentication")
+    logger.info(`  - Authentication is disabled ${args.link ? "(disabled by --link)" : ""}`)
   }
-  delete process.env.PASSWORD
 
-  if (httpServer.protocol === "https") {
-    logger.info(
-      args.cert && args.cert.value
-        ? `  - Using provided certificate and key for HTTPS`
-        : `  - Using generated certificate and key for HTTPS`,
-    )
+  if (args.cert) {
+    logger.info("  - Using certificate for HTTPS: ${humanPath(args.cert.value)}")
   } else {
     logger.info("  - Not serving HTTPS")
   }
 
-  if (httpServer.proxyDomains.size > 0) {
-    logger.info(`  - Proxying the following domain${httpServer.proxyDomains.size === 1 ? "" : "s"}:`)
-    httpServer.proxyDomains.forEach((domain) => logger.info(`    - *.${domain}`))
+  if (args["proxy-domain"].length > 0) {
+    logger.info(`  - ${plural(args["proxy-domain"].length, "Proxying the following domain")}:`)
+    args["proxy-domain"].forEach((domain) => logger.info(`    - *.${domain}`))
   }
 
-  if (serverAddress && !options.socket && args.open) {
+  if (args.link) {
+    try {
+      await coderCloudBind(serverAddress.replace(/^https?:\/\//, ""), args.link.value)
+      logger.info("  - Connected to cloud agent")
+    } catch (err) {
+      logger.error(err.message)
+      ipcMain.exit(1)
+    }
+  }
+
+  if (!args.socket && args.open) {
     // The web socket doesn't seem to work if browsing with 0.0.0.0.
-    const openAddress = serverAddress.replace(/:\/\/0.0.0.0/, "://localhost")
-    await open(openAddress).catch(console.error)
-    logger.info(`Opened ${openAddress}`)
+    const openAddress = serverAddress.replace("://0.0.0.0", "://localhost")
+    try {
+      await open(openAddress)
+      logger.info(`Opened ${openAddress}`)
+    } catch (error) {
+      logger.error("Failed to open", field("address", openAddress), field("error", error))
+    }
   }
 }
 
 async function entry(): Promise<void> {
-  const tryParse = async (): Promise<Args> => {
-    try {
-      let args = parse(process.argv.slice(2))
-      args = await setDefaults(args)
-      return args
-    } catch (error) {
-      console.error(error.message)
-      process.exit(1)
-    }
+  const cliArgs = parse(process.argv.slice(2))
+  const configArgs = await readConfigFile(cliArgs.config)
+  const args = await setDefaults(cliArgs, configArgs)
+
+  // There's no need to check flags like --help or to spawn in an existing
+  // instance for the child process because these would have already happened in
+  // the parent and the child wouldn't have been spawned.
+  if (ipcMain.isChild) {
+    await ipcMain.handshake()
+    ipcMain.preventExit()
+    return main(args)
   }
 
-  const args = await tryParse()
   if (args.help) {
     console.log("code-server", version, commit)
     console.log("")
@@ -148,7 +176,10 @@ async function entry(): Promise<void> {
     optionDescriptions().forEach((description) => {
       console.log("", description)
     })
-  } else if (args.version) {
+    return
+  }
+
+  if (args.version) {
     if (args.json) {
       console.log({
         codeServer: version,
@@ -158,32 +189,23 @@ async function entry(): Promise<void> {
     } else {
       console.log(version, commit)
     }
-    process.exit(0)
-  } else if (args["list-extensions"] || args["install-extension"] || args["uninstall-extension"]) {
-    logger.debug("forking vs code cli...")
-    const vscode = cp.fork(path.resolve(__dirname, "../../lib/vscode/out/vs/server/fork"), [], {
-      env: {
-        ...process.env,
-        CODE_SERVER_PARENT_PID: process.pid.toString(),
-      },
-    })
-    vscode.once("message", (message) => {
-      logger.debug("Got message from VS Code", field("message", message))
-      if (message.type !== "ready") {
-        logger.error("Unexpected response waiting for ready response")
-        process.exit(1)
-      }
-      const send: CliMessage = { type: "cli", args }
-      vscode.send(send)
-    })
-    vscode.once("error", (error) => {
-      logger.error(error.message)
-      process.exit(1)
-    })
-    vscode.on("exit", (code) => process.exit(code || 0))
-  } else {
-    wrap(() => main(args))
+    return
   }
+
+  if (shouldRunVsCodeCli(args)) {
+    return runVsCodeCli(args)
+  }
+
+  const socketPath = await shouldOpenInExistingInstance(cliArgs)
+  if (socketPath) {
+    return openInExistingInstance(args, socketPath)
+  }
+
+  const wrapper = new WrapperProcess(require("../../package.json").version)
+  return wrapper.start()
 }
 
-entry()
+entry().catch((error) => {
+  logger.error(error.message)
+  ipcMain.exit(error)
+})

src/node/heart.ts

@@ -0,0 +1,48 @@
+import { logger } from "@coder/logger"
+import { promises as fs } from "fs"
+
+/**
+ * Provides a heartbeat using a local file to indicate activity.
+ */
+export class Heart {
+  private heartbeatTimer?: NodeJS.Timeout
+  private heartbeatInterval = 60000
+  public lastHeartbeat = 0
+
+  public constructor(private readonly heartbeatPath: string, private readonly isActive: () => Promise<boolean>) {}
+
+  public alive(): boolean {
+    const now = Date.now()
+    return now - this.lastHeartbeat < this.heartbeatInterval
+  }
+  /**
+   * Write to the heartbeat file if we haven't already done so within the
+   * timeout and start or reset a timer that keeps running as long as there is
+   * activity. Failures are logged as warnings.
+   */
+  public beat(): void {
+    if (this.alive()) {
+      return
+    }
+
+    logger.trace("heartbeat")
+    fs.writeFile(this.heartbeatPath, "").catch((error) => {
+      logger.warn(error.message)
+    })
+    this.lastHeartbeat = Date.now()
+    if (typeof this.heartbeatTimer !== "undefined") {
+      clearTimeout(this.heartbeatTimer)
+    }
+    this.heartbeatTimer = setTimeout(() => {
+      this.isActive()
+        .then((active) => {
+          if (active) {
+            this.beat()
+          }
+        })
+        .catch((error) => {
+          logger.warn(error.message)
+        })
+    }, this.heartbeatInterval)
+  }
+}