feat: allow disabling stun addresses via env (#7066)

* feat: allow disabling stun addresses via env

Resolves #6791

* Specify a dummy access URL so the tunnel wouldn't start

* Document

---------

Co-authored-by: Kyle Carberry <kyle@carberry.com>

cli/server.go

@@ -390,6 +390,19 @@ func (r *RootCmd) Server(newAPI func(context.Context, *coderd.Options) (*coderd.
 			if !cfg.DERP.Server.Enable {
 				defaultRegion = nil
 			}
+
+			// HACK: see https://github.com/coder/coder/issues/6791.
+			for _, addr := range cfg.DERP.Server.STUNAddresses {
+				if addr != "disable" {
+					continue
+				}
+				err := cfg.DERP.Server.STUNAddresses.Replace(nil)
+				if err != nil {
+					panic(err)
+				}
+				break
+			}
+
 			derpMap, err := tailnet.NewDERPMap(
 				ctx, defaultRegion, cfg.DERP.Server.STUNAddresses,
 				cfg.DERP.Config.URL.String(), cfg.DERP.Config.Path.String(),

cli/server_test.go

@@ -1491,6 +1491,31 @@ func TestServer(t *testing.T) {
 			w.RequireSuccess()
 		})
 	})
+	t.Run("DisableDERP", func(t *testing.T) {
+		t.Parallel()
+
+		// Make sure that $CODER_DERP_SERVER_STUN_ADDRESSES can be set to
+		// disable STUN.
+
+		inv, cfg := clitest.New(t,
+			"server",
+			"--in-memory",
+			"--http-address", ":0",
+			"--access-url", "https://example.com",
+		)
+		inv.Environ.Set("CODER_DERP_SERVER_STUN_ADDRESSES", "disable")
+		ptytest.New(t).Attach(inv)
+		clitest.Start(t, inv)
+		gotURL := waitAccessURL(t, cfg)
+		client := codersdk.New(gotURL)
+
+		ctx := testutil.Context(t, testutil.WaitMedium)
+		_ = coderdtest.CreateFirstUser(t, client)
+		gotConfig, err := client.DeploymentConfig(ctx)
+		require.NoError(t, err)
+
+		require.Len(t, gotConfig.Values.DERP.Server.STUNAddresses, 0)
+	})
 }
 
 func generateTLSCertificate(t testing.TB, commonName ...string) (certPath, keyPath string) {

cli/testdata/coder_server_--help.golden

@@ -168,8 +168,8 @@ backed by Tailscale and WireGuard.
           Region name that for the embedded DERP server.
 
       --derp-server-stun-addresses string-array, $CODER_DERP_SERVER_STUN_ADDRESSES (default: stun.l.google.com:19302)
-          Addresses for STUN servers to establish P2P connections. Set empty to
+          Addresses for STUN servers to establish P2P connections. Use special
-          disable P2P connections.
+          value 'disable' to turn off STUN.
 
 Networking / HTTP Options 
       --disable-password-auth bool, $CODER_DISABLE_PASSWORD_AUTH

cli/testdata/server-config.yaml.golden

@@ -105,8 +105,8 @@ networking:
     # Region name that for the embedded DERP server.
     # (default: Coder Embedded Relay, type: string)
     regionName: Coder Embedded Relay
-    # Addresses for STUN servers to establish P2P connections. Set empty to disable
+    # Addresses for STUN servers to establish P2P connections. Use special value
-    # P2P connections.
+    # 'disable' to turn off STUN.
     # (default: stun.l.google.com:19302, type: string-array)
     stunAddresses:
       - stun.l.google.com:19302

codersdk/deployment.go

@@ -666,7 +666,7 @@ when required by your organization's security policy.`,
 		},
 		{
 			Name:        "DERP Server STUN Addresses",
-			Description: "Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.",
+			Description: "Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.",
 			Flag:        "derp-server-stun-addresses",
 			Env:         "CODER_DERP_SERVER_STUN_ADDRESSES",
 			Default:     "stun.l.google.com:19302",

docs/cli/server.md

@@ -171,7 +171,7 @@ An HTTP URL that is accessible by other replicas to relay DERP traffic. Required
 | YAML        | <code>networking.derp.stunAddresses</code>     |
 | Default     | <code>stun.l.google.com:19302</code>           |
 
-Addresses for STUN servers to establish P2P connections. Set empty to disable P2P connections.
+Addresses for STUN servers to establish P2P connections. Use special value 'disable' to turn off STUN.
 
 ### --disable-owner-workspace-access