From c6b2861493099a09d617795d8b00c77d46dda748 Mon Sep 17 00:00:00 2001
From: Ammar Bandukwala
Date: Mon, 17 Apr 2023 12:20:26 -0500
Subject: [PATCH] feat: allow disabling stun addresses via env (#7066)
* feat: allow disabling stun addresses via env
Resolves #6791
* Specify a dummy access URL so the tunnel wouldn't start
* Document
---------
Co-authored-by: Kyle Carberry
---
 cli/server.go | 13 +++++++++++++
 cli/server_test.go | 25 +++++++++++++++++++++++++
 cli/testdata/coder_server_--help.golden | 4 ++--
 cli/testdata/server-config.yaml.golden | 4 ++--
 codersdk/deployment.go | 2 +-
 docs/cli/server.md | 2 +-
 6 files changed, 44 insertions(+), 6 deletions(-)
diff --git a/cli/server.go b/cli/server.go
index e7fad1ea45..a3b19b88e5 100644
--- a/cli/server.go
+++ b/cli/server.go
@@ -390,6 +390,19 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 if !cfg.DERP.Server.Enable {
 defaultRegion = nil
 }
+
+ // HACK: see https://github.com/coder/coder/issues/6791.
+ for _, addr := range cfg.DERP.Server.STUNAddresses {
+ if addr != "disable" {
+ continue
+ }
+ err := cfg.DERP.Server.STUNAddresses.Replace(nil)
+ if err != nil {
+ panic(err)
+ }
+ break
+ }
+
+ derpMap, err := tailnet.NewDERPMap(
 ctx, defaultRegion, cfg.DERP.Server.STUNAddresses, cfg.DERP.Config.URL.String(), cfg.DERP.Config.Path.String(),
diff --git a/cli/server_test.go b/cli/server_test.go
index 1cece2995c..dca1b3322c 100644
--- a/cli/server_test.go
+++ b/cli/server_test.go
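Review bot: In cli/server.go the sentinel test `addr != "disable"` is an exact, case-sensitive comparison, so `Disable` or a value with stray whitespace is not recognised and is passed on to `tailnet.NewDERPMap` as a STUN address, which presumably leaves STUN on for an operator who meant to turn it off. Matching with `if !strings.EqualFold(strings.TrimSpace(addr), "disable") { continue }` closes that gap, assuming `strings` is imported in this file. The loop also clears the whole list when `disable` appears next to real addresses; rejecting that combination as a configuration error would make the outcome explicit instead of silently dropping the other entries. `panic(err)` on a failed `Replace(nil)` would be better returned as an error if the enclosing handler returns one; that function starts and ends outside the hunk, so this needs confirming.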
@@ -1491,6 +1491,31 @@ func TestServer(t *testing.T) {
 w.RequireSuccess()
 })
 })
+ t.Run("DisableDERP", func(t *testing.T) {
+ t.Parallel()
+
+ // Make sure that $CODER_DERP_SERVER_STUN_ADDRESSES can be set to
+ // disable STUN.
+
+ inv, cfg := clitest.New(t,
+ "server",
+ "--in-memory",
+ "--http-address", ":0",
+ "--access-url", "https://example.com",
+ )
+ inv.Environ.Set("CODER_DERP_SERVER_STUN_ADDRESSES", "disable")
+ ptytest.New(t).Attach(inv)
+ clitest.Start(t, inv)
+ gotURL := waitAccessURL(t, cfg)
+ client := codersdk.New(gotURL)
+
+ ctx := testutil.Context(t, testutil.WaitMedium)
+ _ = coderdtest.CreateFirstUser(t, client)
+ gotConfig, err := client.DeploymentConfig(ctx)
+ require.NoError(t, err)
+
+ require.Len(t, gotConfig.Values.DERP.Server.STUNAddresses, 0)
+ })
 }
 func generateTLSCertificate(t testing.TB, commonName ...string) (certPath, keyPath string) {
diff --git a/cli/testdata/coder_server_--help.golden b/cli/testdata/coder_server_--help.golden
index 446539df00..6e3de2eabf 100644
--- a/cli/testdata/coder_server_--help.golden
+++ b/cli/testdata/coder_server_--help.golden
@@ -168,8 +168,8 @@ backed by Tailscale and WireGuard. Region name that for the embedded DERP server. --derp-server-stun-addresses string-array, $CODER_DERP_SERVER_STUN_ADDRESSES (default: stun.l.google.com:19302) - Addresses for STUN servers to establish P2P connections. Set empty to - disable P2P connections. + Addresses for STUN servers to establish P2P connections. Use special + value 'disable' to turn off STUN. Networking / HTTP Options --disable-password-auth bool, $CODER_DISABLE_PASSWORD_AUTH
diff --git a/cli/testdata/server-config.yaml.golden b/cli/testdata/server-config.yaml.golden
index 99e22f3dcb..a05cdbfac6 100644
--- a/cli/testdata/server-config.yaml.golden
+++ b/cli/testdata/server-config.yaml.golden
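Review bot: The subtest in cli/server_test.go is named `DisableDERP`, but what it exercises is the STUN sentinel and nothing in it turns DERP off, so `t.Run("DisableSTUN", func(t *testing.T) {` would match both the comment and the assertion. The `"--access-url", "https://example.com"` argument deserves a one-line comment such as `// Dummy access URL so the tunnel is not started.`, which the commit message explains but the test does not. Only the single-value case is covered; a second case that sets `disable` next to a real address would pin down the intended behaviour for mixed lists.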
@@ -105,8 +105,8 @@ networking: # Region name that for the embedded DERP server. # (default: Coder Embedded Relay, type: string) regionName: Coder Embedded Relay - # Addresses for STUN servers to establish P2P connections. Set empty to disable - # P2P connections. + # Addresses for STUN servers to establish P2P connections. Use special value + # 'disable' to turn off STUN. # (default: stun.l.google.com:19302, type: string-array) stunAddresses: - stun.l.google.com:19302
diff --git a/codersdk/deployment.go b/codersdk/deployment.go
index dee95504e9..d4a61072f0 100644
--- a/codersdk/deployment.go
+++ b/codersdk/deployment.go
@@ -666,7 +666,7 @@ when required by your organization's security policy.`,
 },
 {
 Name: "DERP Server STUN Addresses",
- Description: "Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.",
+ Description: "Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.",
 Flag: "derp-server-stun-addresses",
 Env: "CODER_DERP_SERVER_STUN_ADDRESSES",
 Default: "stun.l.google.com:19302",
diff --git a/docs/cli/server.md b/docs/cli/server.md
index e9a382dc59..3cbcafe9bb 100644
--- a/docs/cli/server.md
+++ b/docs/cli/server.md
@@ -171,7 +171,7 @@ An HTTP URL that is accessible by other replicas to relay DERP traffic. Required
 | YAML | networking.derp.stunAddresses | | Default | stun.l.google.com:19302 |
-Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.
+Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.
 ### --disable-owner-workspace-access