networking: # The URL that users will use to access the Coder deployment. # (default: , type: url) accessURL: # Specifies the wildcard hostname to use for workspace applications in the form # "*.example.com". # (default: , type: string) wildcardAccessURL: "" # Specifies the custom docs URL. # (default: https://coder.com/docs, type: url) docsURL: https://coder.com/docs # Specifies whether to redirect requests that do not match the access URL host. # (default: , type: bool) redirectToAccessURL: false http: # HTTP bind address of the server. Unset to disable the HTTP endpoint. # (default: 127.0.0.1:3000, type: string) httpAddress: 127.0.0.1:3000 # Coder configures a Content Security Policy (CSP) to protect against XSS attacks. # This setting allows you to add additional CSP directives, which can open the # attack surface of the deployment. Format matches the CSP directive format, e.g. # --additional-csp-policy="script-src https://example.com". # (default: , type: string-array) additionalCSPPolicy: [] # The maximum lifetime duration users can specify when creating an API token. # (default: 876600h0m0s, type: duration) maxTokenLifetime: 876600h0m0s # The maximum lifetime duration administrators can specify when creating an API # token. # (default: 168h0m0s, type: duration) maxAdminTokenLifetime: 168h0m0s # The token expiry duration for browser sessions. Sessions may last longer if they # are actively making requests, but this functionality can be disabled via # --disable-session-expiry-refresh. # (default: 24h0m0s, type: duration) sessionDuration: 24h0m0s # Disable automatic session expiry bumping due to activity. This forces all # sessions to become invalid after the session expiry duration has been reached. # (default: , type: bool) disableSessionExpiryRefresh: false # Disable password authentication. This is recommended for security purposes in # production deployments that rely on an identity provider. Any user with the # owner role will be able to sign in with their password regardless of this # setting to avoid potential lock out. If you are locked out of your account, you # can use the `coder server create-admin` command to create a new admin user # directly in the database. # (default: , type: bool) disablePasswordAuth: false # The interval in which coderd should be checking the status of workspace proxies. # (default: 1m0s, type: duration) proxyHealthInterval: 1m0s # Configure TLS / HTTPS for your Coder deployment. If you're running # Coder behind a TLS-terminating reverse proxy or are accessing Coder over a # secure link, you can safely ignore these settings. tls: # HTTPS bind address of the server. # (default: 127.0.0.1:3443, type: host:port) address: 127.0.0.1:3443 # Whether TLS will be enabled. # (default: , type: bool) enable: false # Whether HTTP requests will be redirected to the access URL (if it's a https URL # and TLS is enabled). Requests to local IP addresses are never redirected # regardless of this setting. # (default: true, type: bool) redirectHTTP: true # Path to each certificate for TLS. It requires a PEM-encoded file. To configure # the listener to use a CA certificate, concatenate the primary certificate and # the CA certificate together. The primary certificate should appear first in the # combined file. # (default: , type: string-array) certFiles: [] # PEM-encoded Certificate Authority file used for checking the authenticity of # client. # (default: , type: string) clientCAFile: "" # Policy the server will follow for TLS Client Authentication. Accepted values are # "none", "request", "require-any", "verify-if-given", or "require-and-verify". # (default: none, type: string) clientAuth: none # Paths to the private keys for each of the certificates. It requires a # PEM-encoded file. # (default: , type: string-array) keyFiles: [] # Minimum supported version of TLS. Accepted values are "tls10", "tls11", "tls12" # or "tls13". # (default: tls12, type: string) minVersion: tls12 # Path to certificate for client TLS authentication. It requires a PEM-encoded # file. # (default: , type: string) clientCertFile: "" # Path to key for client TLS authentication. It requires a PEM-encoded file. # (default: , type: string) clientKeyFile: "" # Specify specific TLS ciphers that allowed to be used. See # https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L53-L75. # (default: , type: string-array) tlsCiphers: [] # By default, only ciphers marked as 'secure' are allowed to be used. See # https://github.com/golang/go/blob/master/src/crypto/tls/cipher_suites.go#L82-L95. # (default: false, type: bool) tlsAllowInsecureCiphers: false # Controls if the 'Strict-Transport-Security' header is set on all static file # responses. This header should only be set if the server is accessed via HTTPS. # This value is the MaxAge in seconds of the header. # (default: 0, type: int) strictTransportSecurity: 0 # Two optional fields can be set in the Strict-Transport-Security header; # 'includeSubDomains' and 'preload'. The 'strict-transport-security' flag must be # set to a non-zero value for these options to be used. # (default: , type: string-array) strictTransportSecurityOptions: [] # Most Coder deployments never have to think about DERP because all connections # between workspaces and users are peer-to-peer. However, when Coder cannot # establish # a peer to peer connection, Coder uses a distributed relay network backed by # Tailscale and WireGuard. derp: # Whether to enable or disable the embedded DERP relay server. # (default: true, type: bool) enable: true # Region ID to use for the embedded DERP server. # (default: 999, type: int) regionID: 999 # Region code to use for the embedded DERP server. # (default: coder, type: string) regionCode: coder # Region name that for the embedded DERP server. # (default: Coder Embedded Relay, type: string) regionName: Coder Embedded Relay # Addresses for STUN servers to establish P2P connections. It's recommended to # have at least two STUN servers to give users the best chance of connecting P2P # to workspaces. Each STUN server will get it's own DERP region, with region IDs # starting at `--derp-server-region-id + 1`. Use special value 'disable' to turn # off STUN completely. # (default: # stun.l.google.com:19302,stun1.l.google.com:19302,stun2.l.google.com:19302,stun3.l.google.com:19302,stun4.l.google.com:19302, # type: string-array) stunAddresses: - stun.l.google.com:19302 - stun1.l.google.com:19302 - stun2.l.google.com:19302 - stun3.l.google.com:19302 - stun4.l.google.com:19302 # An HTTP URL that is accessible by other replicas to relay DERP traffic. Required # for high availability. # (default: , type: url) relayURL: # Block peer-to-peer (aka. direct) workspace connections. All workspace # connections from the CLI will be proxied through Coder (or custom configured # DERP servers) and will never be peer-to-peer when enabled. Workspaces may still # reach out to STUN servers to get their address until they are restarted after # this change has been made, but new connections will still be proxied regardless. # (default: , type: bool) blockDirect: false # Force clients and agents to always use WebSocket to connect to DERP relay # servers. By default, DERP uses `Upgrade: derp`, which may cause issues with some # reverse proxies. Clients may automatically fallback to WebSocket if they detect # an issue with `Upgrade: derp`, but this does not work in all situations. # (default: , type: bool) forceWebSockets: false # URL to fetch a DERP mapping on startup. See: # https://tailscale.com/kb/1118/custom-derp-servers/. # (default: , type: string) url: "" # Path to read a DERP mapping from. See: # https://tailscale.com/kb/1118/custom-derp-servers/. # (default: , type: string) configPath: "" # Headers to trust for forwarding IP addresses. e.g. Cf-Connecting-Ip, # True-Client-Ip, X-Forwarded-For. # (default: , type: string-array) proxyTrustedHeaders: [] # Origin addresses to respect "proxy-trusted-headers". e.g. 192.168.1.0/24. # (default: , type: string-array) proxyTrustedOrigins: [] # Controls if the 'Secure' property is set on browser session cookies. # (default: , type: bool) secureAuthCookie: false # Controls the 'SameSite' property is set on browser session cookies. # (default: lax, type: enum[lax\|none]) sameSiteAuthCookie: lax # Whether Coder only allows connections to workspaces via the browser. # (default: , type: bool) browserOnly: false # Interval to poll for scheduled workspace builds. # (default: 1m0s, type: duration) autobuildPollInterval: 1m0s # Interval to poll for hung and pending jobs and automatically terminate them. # (default: 1m0s, type: duration) jobHangDetectorInterval: 1m0s introspection: prometheus: # Serve prometheus metrics on the address defined by prometheus address. # (default: , type: bool) enable: false # The bind address to serve prometheus metrics. # (default: 127.0.0.1:2112, type: host:port) address: 127.0.0.1:2112 # Collect agent stats (may increase charges for metrics storage). # (default: , type: bool) collect_agent_stats: false # When collecting agent stats, aggregate metrics by a given set of comma-separated # labels to reduce cardinality. Accepted values are agent_name, template_name, # username, workspace_name. # (default: agent_name,template_name,username,workspace_name, type: string-array) aggregate_agent_stats_by: - agent_name - template_name - username - workspace_name # Collect database query metrics (may increase charges for metrics storage). If # set to false, a reduced set of database metrics are still collected. # (default: false, type: bool) collect_db_metrics: false pprof: # Serve pprof metrics on the address defined by pprof address. # (default: , type: bool) enable: false # The bind address to serve pprof. # (default: 127.0.0.1:6060, type: host:port) address: 127.0.0.1:6060 tracing: # Whether application tracing data is collected. It exports to a backend # configured by environment variables. See: # https://github.com/open-telemetry/opentelemetry-specification/blob/main/specification/protocol/exporter.md. # (default: , type: bool) enable: false # Enables capturing of logs as events in traces. This is useful for debugging, but # may result in a very large amount of events being sent to the tracing backend # which may incur significant costs. # (default: , type: bool) captureLogs: false # Enables sending Go runtime traces to the local DataDog agent. # (default: false, type: bool) dataDog: false logging: # Output debug-level logs. # (default: , type: bool) verbose: false # Filter debug logs by matching against a given regex. Use .* to match all debug # logs. # (default: , type: string-array) filter: [] # Output human-readable logs to a given file. # (default: /dev/stderr, type: string) humanPath: /dev/stderr # Output JSON logs to a given file. # (default: , type: string) jsonPath: "" # Output Stackdriver compatible logs to a given file. # (default: , type: string) stackdriverPath: "" # Allow administrators to enable Terraform debug output. # (default: false, type: bool) enableTerraformDebugMode: false healthcheck: # Refresh interval for healthchecks. # (default: 10m0s, type: duration) refresh: 10m0s # The threshold for the database health check. If the median latency of the # database exceeds this threshold over 5 attempts, the database is considered # unhealthy. The default value is 15ms. # (default: 15ms, type: duration) thresholdDatabase: 15ms oauth2: github: # Client ID for Login with GitHub. # (default: , type: string) clientID: "" # Enable device flow for Login with GitHub. # (default: false, type: bool) deviceFlow: false # Enable the default GitHub OAuth2 provider managed by Coder. # (default: true, type: bool) defaultProviderEnable: true # Organizations the user must be a member of to Login with GitHub. # (default: , type: string-array) allowedOrgs: [] # Teams inside organizations the user must be a member of to Login with GitHub. # Structured as: /. # (default: , type: string-array) allowedTeams: [] # Whether new users can sign up with GitHub. # (default: , type: bool) allowSignups: false # Allow all logins, setting this option means allowed orgs and teams must be # empty. # (default: , type: bool) allowEveryone: false # Base URL of a GitHub Enterprise deployment to use for Login with GitHub. # (default: , type: string) enterpriseBaseURL: "" oidc: # Whether new users can sign up with OIDC. # (default: true, type: bool) allowSignups: true # Client ID to use for Login with OIDC. # (default: , type: string) clientID: "" # Pem encoded RSA private key to use for oauth2 PKI/JWT authorization. This can be # used instead of oidc-client-secret if your IDP supports it. # (default: , type: string) oidcClientKeyFile: "" # Pem encoded certificate file to use for oauth2 PKI/JWT authorization. The public # certificate that accompanies oidc-client-key-file. A standard x509 certificate # is expected. # (default: , type: string) oidcClientCertFile: "" # Email domains that clients logging in with OIDC must match. # (default: , type: string-array) emailDomain: [] # Issuer URL to use for Login with OIDC. # (default: , type: string) issuerURL: "" # Scopes to grant when authenticating with OIDC. # (default: openid,profile,email, type: string-array) scopes: - openid - profile - email # Ignore the email_verified claim from the upstream provider. # (default: , type: bool) ignoreEmailVerified: false # OIDC claim field to use as the username. # (default: preferred_username, type: string) usernameField: preferred_username # OIDC claim field to use as the name. # (default: name, type: string) nameField: name # OIDC claim field to use as the email. # (default: email, type: string) emailField: email # OIDC auth URL parameters to pass to the upstream provider. # (default: {"access_type": "offline"}, type: struct[map[string]string]) authURLParams: access_type: offline # Ignore the userinfo endpoint and only use the ID token for user information. # (default: false, type: bool) ignoreUserInfo: false # Source supplemental user claims from the 'access_token'. This assumes the token # is a jwt signed by the same issuer as the id_token. Using this requires setting # 'oidc-ignore-userinfo' to true. This setting is not compliant with the OIDC # specification and is not recommended. Use at your own risk. # (default: false, type: bool) accessTokenClaims: false # This field must be set if using the organization sync feature. Set to the claim # to be used for organizations. # (default: , type: string) organizationField: "" # If set to true, users will always be added to the default organization. If # organization sync is enabled, then the default org is always added to the user's # set of expectedorganizations. # (default: true, type: bool) organizationAssignDefault: true # A map of OIDC claims and the organizations in Coder it should map to. This is # required because organization IDs must be used within Coder. # (default: {}, type: struct[map[string][]uuid.UUID]) organizationMapping: {} # This field must be set if using the group sync feature and the scope name is not # 'groups'. Set to the claim to be used for groups. # (default: , type: string) groupField: "" # A map of OIDC group IDs and the group in Coder it should map to. This is useful # for when OIDC providers only return group IDs. # (default: {}, type: struct[map[string]string]) groupMapping: {} # Automatically creates missing groups from a user's groups claim. # (default: false, type: bool) enableGroupAutoCreate: false # If provided any group name not matching the regex is ignored. This allows for # filtering out groups that are not needed. This filter is applied after the group # mapping. # (default: .*, type: regexp) groupRegexFilter: .* # If provided any group name not in the list will not be allowed to authenticate. # This allows for restricting access to a specific set of groups. This filter is # applied after the group mapping and before the regex filter. # (default: , type: string-array) groupAllowed: [] # This field must be set if using the user roles sync feature. Set this to the # name of the claim used to store the user's role. The roles should be sent as an # array of strings. # (default: , type: string) userRoleField: "" # A map of the OIDC passed in user roles and the groups in Coder it should map to. # This is useful if the group names do not match. If mapped to the empty string, # the role will ignored. # (default: {}, type: struct[map[string][]string]) userRoleMapping: {} # If user role sync is enabled, these roles are always included for all # authenticated users. The 'member' role is always assigned. # (default: , type: string-array) userRoleDefault: [] # The text to show on the OpenID Connect sign in button. # (default: OpenID Connect, type: string) signInText: OpenID Connect # URL pointing to the icon to use on the OpenID Connect login button. # (default: , type: url) iconURL: # The custom text to show on the error page informing about disabled OIDC signups. # Markdown format is supported. # (default: , type: string) signupsDisabledText: "" # OIDC issuer urls must match in the request, the id_token 'iss' claim, and in the # well-known configuration. This flag disables that requirement, and can lead to # an insecure OIDC configuration. It is not recommended to use this flag. # (default: , type: bool) dangerousSkipIssuerChecks: false # Telemetry is critical to our ability to improve Coder. We strip all personal # information before sending data to our servers. Please only disable telemetry # when required by your organization's security policy. telemetry: # Whether telemetry is enabled or not. Coder collects anonymized usage data to # help improve our product. # (default: false, type: bool) enable: false # URL to send telemetry. # (default: https://telemetry.coder.com, type: url) url: https://telemetry.coder.com # Tune the behavior of the provisioner, which is responsible for creating, # updating, and deleting workspace resources. provisioning: # Number of provisioner daemons to create on start. If builds are stuck in queued # state for a long time, consider increasing this. # (default: 3, type: int) daemons: 3 # The supported job types for the built-in provisioners. By default, this is only # the terraform type. Supported types: terraform,echo. # (default: terraform, type: string-array) daemonTypes: - terraform # Deprecated and ignored. # (default: 1s, type: duration) daemonPollInterval: 1s # Deprecated and ignored. # (default: 100ms, type: duration) daemonPollJitter: 100ms # Time to force cancel provisioning tasks that are stuck. # (default: 10m0s, type: duration) forceCancelInterval: 10m0s # Enable one or more experiments. These are not ready for production. Separate # multiple experiments with commas, or enter '*' to opt-in to all available # experiments. # (default: , type: string-array) experiments: [] # Periodically check for new releases of Coder and inform the owner. The check is # performed once per day. # (default: false, type: bool) updateCheck: false # The default lifetime duration for API tokens. This value is used when creating a # token without specifying a duration, such as when authenticating the CLI or an # IDE plugin. # (default: 168h0m0s, type: duration) defaultTokenLifetime: 168h0m0s # Expose the swagger endpoint via /swagger. # (default: , type: bool) enableSwagger: false # The directory to cache temporary files. If unspecified and $CACHE_DIRECTORY is # set, it will be used for compatibility with systemd. This directory is NOT safe # to be configured as a shared directory across coderd/provisionerd replicas. # (default: [cache dir], type: string) cacheDir: [cache dir] # Controls whether Coder data, including built-in Postgres, will be stored in a # temporary directory and deleted when the server is stopped. # (default: , type: bool) ephemeralDeployment: false # Type of auth to use when connecting to postgres. For AWS RDS, using IAM # authentication (awsiamrds) is recommended. # (default: password, type: enum[password\|awsiamrds]) pgAuth: password # A URL to an external Terms of Service that must be accepted by users when # logging in. # (default: , type: string) termsOfServiceURL: "" # The algorithm to use for generating ssh keys. Accepted values are "ed25519", # "ecdsa", or "rsa4096". # (default: ed25519, type: string) sshKeygenAlgorithm: ed25519 # URL to use for agent troubleshooting when not set in the template. # (default: https://coder.com/docs/admin/templates/troubleshooting, type: url) agentFallbackTroubleshootingURL: https://coder.com/docs/admin/templates/troubleshooting # Disable workspace apps that are not served from subdomains. Path-based apps can # make requests to the Coder API and pose a security risk when the workspace # serves malicious JavaScript. This is recommended for security purposes if a # --wildcard-access-url is configured. # (default: , type: bool) disablePathApps: false # Remove the permission for the 'owner' role to have workspace execution on all # workspaces. This prevents the 'owner' from ssh, apps, and terminal access based # on the 'owner' role. They still have their user permissions to access their own # workspaces. # (default: , type: bool) disableOwnerWorkspaceAccess: false # These options change the behavior of how clients interact with the Coder. # Clients include the Coder CLI, Coder Desktop, IDE extensions, and the web UI. client: # The SSH deployment prefix is used in the Host of the ssh config. # (default: coder., type: string) sshHostnamePrefix: coder. # Workspace hostnames use this suffix in SSH config and Coder Connect on Coder # Desktop. By default it is coder, resulting in names like myworkspace.coder. # (default: coder, type: string) workspaceHostnameSuffix: coder # These SSH config options will override the default SSH config options. Provide # options in "key=value" or "key value" format separated by commas.Using this # incorrectly can break SSH to your deployment, use cautiously. # (default: , type: string-array) sshConfigOptions: [] # The upgrade message to display to users when a client/server mismatch is # detected. By default it instructs users to update using 'curl -L # https://coder.com/install.sh | sh'. # (default: , type: string) cliUpgradeMessage: "" # The renderer to use when opening a web terminal. Valid values are 'canvas', # 'webgl', or 'dom'. # (default: canvas, type: string) webTerminalRenderer: canvas # Hide AI tasks from the dashboard. # (default: false, type: bool) hideAITasks: false # Support links to display in the top right drop down menu. # (default: , type: struct[[]codersdk.LinkConfig]) supportLinks: [] # External Authentication providers. # (default: , type: struct[[]codersdk.ExternalAuthConfig]) externalAuthProviders: [] # Hostname of HTTPS server that runs https://github.com/coder/wgtunnel. By # default, this will pick the best available wgtunnel server hosted by Coder. e.g. # "tunnel.example.com". # (default: , type: string) wgtunnelHost: "" # Allow users to set quiet hours schedules each day for workspaces to avoid # workspaces stopping during the day due to template scheduling. userQuietHoursSchedule: # The default daily cron schedule applied to users that haven't set a custom quiet # hours schedule themselves. The quiet hours schedule determines when workspaces # will be force stopped due to the template's autostop requirement, and will round # the max deadline up to be within the user's quiet hours window (or default). The # format is the same as the standard cron format, but the day-of-month, month and # day-of-week must be *. Only one hour and minute can be specified (ranges or # comma separated values are not supported). # (default: CRON_TZ=UTC 0 0 * * *, type: string) defaultQuietHoursSchedule: CRON_TZ=UTC 0 0 * * * # Allow users to set their own quiet hours schedule for workspaces to stop in # (depending on template autostop requirement settings). If false, users can't # change their quiet hours schedule and the site default is always used. # (default: true, type: bool) allowCustomQuietHours: true # DEPRECATED: Allow users to rename their workspaces. Use only for temporary # compatibility reasons, this will be removed in a future release. # (default: false, type: bool) allowWorkspaceRenames: false # Configure how emails are sent. email: # The sender's address to use. # (default: , type: string) from: "" # The intermediary SMTP host through which emails are sent. # (default: , type: string) smarthost: "" # The hostname identifying the SMTP server. # (default: localhost, type: string) hello: localhost # Force a TLS connection to the configured SMTP smarthost. # (default: false, type: bool) forceTLS: false # Configure SMTP authentication options. emailAuth: # Identity to use with PLAIN authentication. # (default: , type: string) identity: "" # Username to use with PLAIN/LOGIN authentication. # (default: , type: string) username: "" # File from which to load password for use with PLAIN/LOGIN authentication. # (default: , type: string) passwordFile: "" # Configure TLS for your SMTP server target. emailTLS: # Enable STARTTLS to upgrade insecure SMTP connections using TLS. # (default: , type: bool) startTLS: false # Server name to verify against the target certificate. # (default: , type: string) serverName: "" # Skip verification of the target server's certificate (insecure). # (default: , type: bool) insecureSkipVerify: false # CA certificate file to use. # (default: , type: string) caCertFile: "" # Certificate file to use. # (default: , type: string) certFile: "" # Certificate key file to use. # (default: , type: string) certKeyFile: "" # Configure how notifications are processed and delivered. notifications: # Which delivery method to use (available options: 'smtp', 'webhook'). # (default: smtp, type: string) method: smtp # How long to wait while a notification is being sent before giving up. # (default: 1m0s, type: duration) dispatchTimeout: 1m0s # Configure how email notifications are sent. email: # The sender's address to use. # (default: , type: string) from: "" # The intermediary SMTP host through which emails are sent. # (default: , type: string) smarthost: "" # The hostname identifying the SMTP server. # (default: , type: string) hello: localhost # Force a TLS connection to the configured SMTP smarthost. # (default: , type: bool) forceTLS: false # Configure SMTP authentication options. emailAuth: # Identity to use with PLAIN authentication. # (default: , type: string) identity: "" # Username to use with PLAIN/LOGIN authentication. # (default: , type: string) username: "" # File from which to load password for use with PLAIN/LOGIN authentication. # (default: , type: string) passwordFile: "" # Configure TLS for your SMTP server target. emailTLS: # Enable STARTTLS to upgrade insecure SMTP connections using TLS. # (default: , type: bool) startTLS: false # Server name to verify against the target certificate. # (default: , type: string) serverName: "" # Skip verification of the target server's certificate (insecure). # (default: , type: bool) insecureSkipVerify: false # CA certificate file to use. # (default: , type: string) caCertFile: "" # Certificate file to use. # (default: , type: string) certFile: "" # Certificate key file to use. # (default: , type: string) certKeyFile: "" webhook: # The endpoint to which to send webhooks. # (default: , type: url) endpoint: inbox: # Enable Coder Inbox. # (default: true, type: bool) enabled: true # The upper limit of attempts to send a notification. # (default: 5, type: int) maxSendAttempts: 5 # The minimum time between retries. # (default: 5m0s, type: duration) retryInterval: 5m0s # The notifications system buffers message updates in memory to ease pressure on # the database. This option controls how often it synchronizes its state with the # database. The shorter this value the lower the change of state inconsistency in # a non-graceful shutdown - but it also increases load on the database. It is # recommended to keep this option at its default value. # (default: 2s, type: duration) storeSyncInterval: 2s # The notifications system buffers message updates in memory to ease pressure on # the database. This option controls how many updates are kept in memory. The # lower this value the lower the change of state inconsistency in a non-graceful # shutdown - but it also increases load on the database. It is recommended to keep # this option at its default value. # (default: 50, type: int) storeSyncBufferSize: 50 # How long a notifier should lease a message. This is effectively how long a # notification is 'owned' by a notifier, and once this period expires it will be # available for lease by another notifier. Leasing is important in order for # multiple running notifiers to not pick the same messages to deliver # concurrently. This lease period will only expire if a notifier shuts down # ungracefully; a dispatch of the notification releases the lease. # (default: 2m0s, type: duration) leasePeriod: 2m0s # How many notifications a notifier should lease per fetch interval. # (default: 20, type: int) leaseCount: 20 # How often to query the database for queued notifications. # (default: 15s, type: duration) fetchInterval: 15s # Configure how workspace prebuilds behave. workspace_prebuilds: # How often to reconcile workspace prebuilds state. # (default: 1m0s, type: duration) reconciliation_interval: 1m0s # Interval to increase reconciliation backoff by when prebuilds fail, after which # a retry attempt is made. # (default: 1m0s, type: duration) reconciliation_backoff_interval: 1m0s # Interval to look back to determine number of failed prebuilds, which influences # backoff. # (default: 1h0m0s, type: duration) reconciliation_backoff_lookback_period: 1h0m0s # Maximum number of consecutive failed prebuilds before a preset hits the hard # limit; disabled when set to zero. # (default: 3, type: int) failure_hard_limit: 3