@@ -269,7 +269,85 @@ Coder on Kubernetes.
269269- For GCP:
270270[ Google Cloud Identity Platform] ( https://cloud.google.com/architecture/identity/single-sign-on )
271271
272- ###Dev Container
272+ ###Air-gapped architecture
273+
274+ The air-gapped deployment model refers to the setup of Coder's development
275+ environment within a restricted network environment that lacks internet
276+ connectivity. This deployment model is often required for organizations with
277+ strict security policies or those operating in isolated environments, such as
278+ government agencies or certain enterprise setups.
279+
280+ The key features of the air-gapped architecture include:
281+
282+ - _ Offline installation_ : Deploy workspaces without relying on an external
283+ internet connection.
284+ - _ Isolated package/plugin repositories_ : Depend on local repositories for
285+ software installation, updates, and security patches.
286+ - _ Secure data transfer_ : Enable encrypted communication channels and robust
287+ access controls to safeguard sensitive information.
288+
289+ Learn more about[ offline deployments] ( ../install/offline.md ) of Coder.
290+
291+ ![ Architecture Diagram] ( ../images/architecture-air-gapped.png )
292+
293+ ####Components
294+
295+ The deployment model includes:
296+
297+ - _ Workspace provisioners_ with direct access to self-hosted package and plugin
298+ repositories and restricted internet access.
299+ - _ Mirror of Terraform Registry_ with multiple versions of Terraform plugins.
300+ - _ Certificate Authority_ with all TLS certificates to build secure
301+ communication channels.
302+
303+ The model is compatible with various infrastructure models, enabling deployment
304+ across multiple regions and diverse cloud platforms.
305+
306+ #####Workload resources
307+
308+ ** Workspace provisioner**
309+
310+ - Includes Terraform binary in the container or system image.
311+ - Checks out Terraform plugins from self-hosted_ Registry_ mirror.
312+ - Deploys workspace images stored in the self-hosted_ Container Registry_ .
313+
314+ ** Coder server**
315+
316+ - Update checks are disabled (` CODER_UPDATE_CHECK=false ` ).
317+ - Telemetry data is not collected (` CODER_TELEMETRY_ENABLE=false ` ).
318+ - Direct connections are not possible, workspace traffic is relayed through
319+ control plane's DERP proxy.
320+
321+ #####Workload supporting resources
322+
323+ ** Self-hosted Database**
324+
325+ - In the air-gapped deployment model,_ Coderd_ instance is unable to download
326+ Postgres binaries from the internet, so external database must be provided.
327+
328+ ** Container Registry**
329+
330+ - Since the_ Registry_ is isolated from the internet, platform engineers are
331+ responsible for maintaining Workspace container images and conducting periodic
332+ updates of base Docker images.
333+ - It is recommended to keep[ Dev Containers] ( ../templates/devcontainers.md ) up
334+ to date with the latest released
335+ [ Envbuilder] ( https://github.com/coder/envbuilder ) runtime.
336+
337+ ** Mirror of Terraform Registry**
338+
339+ - Stores all necessary Terraform plugin dependencies, ensuring successful
340+ workspace provisioning and maintenance without internet access.
341+ - Platform engineers are responsible for periodically updating the mirrored
342+ Terraform plugins, including
343+ [ terraform-provider-coder] ( https://github.com/coder/terraform-provider-coder ) .
344+
345+ ** Certificate Authority**
346+
347+ - Manages and issues TLS certificates to facilitate secure communication
348+ channels within the infrastructure.
349+
350+ ###Dev Containers
273351
274352Note:_ Dev containers_ are at early stage and considered experimental at the
275353moment.
@@ -302,7 +380,7 @@ models, in multiple regions, or across various cloud platforms.
302380
303381#####Workload resources
304382
305- ** Workspace **
383+ ** Coder workspace **
306384
307385- Docker and Kubernetes based templates are supported.
308386- The` docker_container ` resource uses` ghcr.io/coder/envbuilder ` as the base