From 52099ea364b552c18e923482c6cfb54d28060e4c Mon Sep 17 00:00:00 2001
From: Copilot <198982749+Copilot@users.noreply.github.com>
Date: Sat, 27 Sep 2025 18:49:43 +0200
Subject: [PATCH] Add trusted_domains variable to code-server module for link
 protection (#1)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Initial plan

* Add trusted_domains variable to code-server module for link protection

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

* Remove temporary plan files from commit

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

* Refactor TRUSTED_DOMAINS_ARG to match EXTENSION_ARG pattern

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

* Remove trusted domains tests as requested

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

* Fix trusted domains to use multiple flag instances instead of comma-separated values

Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>

* Update registry/coder/modules/code-server/run.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update registry/coder/modules/code-server/run.sh

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Foorack <5008081+Foorack@users.noreply.github.com>
Co-authored-by: Foorack / Max Faxälv <max@foorack.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 registry/coder/modules/code-server/main.tf |  7 +++++++
 registry/coder/modules/code-server/run.sh  | 14 +++++++++++++-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/registry/coder/modules/code-server/main.tf b/registry/coder/modules/code-server/main.tf
index 650829f68..38f257189 100644
--- a/registry/coder/modules/code-server/main.tf
+++ b/registry/coder/modules/code-server/main.tf
@@ -148,6 +148,12 @@ variable "open_in" {
   }
 }
 
+variable "trusted_domains" {
+  type        = list(string)
+  description = "A list of trusted domains for link protection. These domains will be added to the --link-protection-trusted-domains option."
+  default     = []
+}
+
 resource "coder_script" "code-server" {
   agent_id     = var.agent_id
   display_name = "code-server"
@@ -168,6 +174,7 @@ resource "coder_script" "code-server" {
     EXTENSIONS_DIR : var.extensions_dir,
     FOLDER : var.folder,
     AUTO_INSTALL_EXTENSIONS : var.auto_install_extensions,
+    TRUSTED_DOMAINS : join(",", var.trusted_domains),
   })
   run_on_start = true
 
diff --git a/registry/coder/modules/code-server/run.sh b/registry/coder/modules/code-server/run.sh
index 73bcd6899..75a9e366e 100644
--- a/registry/coder/modules/code-server/run.sh
+++ b/registry/coder/modules/code-server/run.sh
@@ -13,10 +13,22 @@ if [ -n "${EXTENSIONS_DIR}" ]; then
   mkdir -p "${EXTENSIONS_DIR}"
 fi
 
+# Set trusted domains argument
+TRUSTED_DOMAINS_ARG=""
+if [ -n "${TRUSTED_DOMAINS}" ]; then
+  # Split comma-separated domains and create multiple --link-protection-trusted-domains arguments
+  IFS=',' read -r -a DOMAINS_ARRAY <<< "${TRUSTED_DOMAINS}"
+  for domain in "${DOMAINS_ARRAY[@]}"; do
+    if [ -n "$domain" ]; then
+      TRUSTED_DOMAINS_ARG="$TRUSTED_DOMAINS_ARG --link-protection-trusted-domains=${domain}"
+    fi
+  done
+fi
+
 function run_code_server() {
   echo "👷 Running code-server in the background..."
   echo "Check logs at ${LOG_PATH}!"
-  $CODE_SERVER "$EXTENSION_ARG" --auth none --port "${PORT}" --app-name "${APP_NAME}" > "${LOG_PATH}" 2>&1 &
+  $CODE_SERVER $EXTENSION_ARG $TRUSTED_DOMAINS_ARG --auth none --port "${PORT}" --app-name "${APP_NAME}" > "${LOG_PATH}" 2>&1 &
 }
 
 # Check if the settings file exists...