Diffstat (limited to 'sys-cluster/teleport/files')
-rw-r--r-- | sys-cluster/teleport/files/teleport-2.5.init.d | 37 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport-2.5.service | 13 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport-2.6.yaml | 130 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport.init.d | 10 | ||||
-rw-r--r-- | sys-cluster/teleport/files/teleport.service | 8 |
5 files changed, 144 insertions, 54 deletions
diff --git a/sys-cluster/teleport/files/teleport-2.5.init.d b/sys-cluster/teleport/files/teleport-2.5.init.d
deleted file mode 100644
index a951ec5318a0..000000000000
--- a/sys-cluster/teleport/files/teleport-2.5.init.d
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-: ${TELEPORT_CONFDIR:=/etc/teleport}
-: ${TELEPORT_PIDFILE:=/var/run/${SVCNAME}.pid}
-: ${TELEPORT_BINARY:=/usr/bin/teleport}
-: ${TELEPORT_LOGFILE:=/var/log/teleport.log}
-
-depend() {
- need net
-}
-
-start() {
- ebegin "Starting Teleport SSH Service"
- start-stop-daemon --start --exec /usr/bin/teleport \
- --background --make-pidfile --pidfile "${TELEPORT_PIDFILE}" \
- --stderr "${TELEPORT_LOGFILE}" \
- -- start --config="${TELEPORT_CONFDIR}/teleport.yaml" \
- ${TELEPORT_OPTS}
- eend $?
-}
-
-stop() {
- ebegin "Stopping Teleport SSH Service"
- start-stop-daemon --stop --exec /usr/bin/teleport \
- --pidfile "${TELEPORT_PIDFILE}"
- eend $?
-}
-
-reload() {
- checkconfig || return 1
- ebegin "Reloading ${SVCNAME}"
- start-stop-daemon --signal HUP \
- --exec "${TELEPORT_BINARY}" --pidfile "${TELEPORT_PIDFILE}"
- eend $?
-}
diff --git a/sys-cluster/teleport/files/teleport-2.5.service b/sys-cluster/teleport/files/teleport-2.5.service
deleted file mode 100644
index 37b38210aff4..000000000000
--- a/sys-cluster/teleport/files/teleport-2.5.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Teleport SSH Service
-After=network.target
-
-[Service]
-Type=simple
-Restart=on-failure
-ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml --pid-file=/var/run/teleport.pid
-ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/var/run/teleport.pid
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sys-cluster/teleport/files/teleport-2.6.yaml b/sys-cluster/teleport/files/teleport-2.6.yaml
new file mode 100644
index 000000000000..384dea937c97
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport-2.6.yaml 
@@ -0,0 +1,130 @@
+# By default, this file should be stored in /etc/teleport.yaml
+## IMPORTANT ##
+#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+ # nodename allows to assign an alternative name this node can be reached by.
+ # by default it's equal to hostname
+ # nodename: graviton
+
+ # Data directory where Teleport keeps its data, like keys/users for
+ # authentication (if using the default BoltDB back-end)
+ data_dir: /var/lib/teleport
+
+ # one-time invitation token used to join a cluster. it is not used on
+ # subsequent starts
+ auth_token: xxxx-token-xxxx
+
+ # when running in multi-homed or NATed environments Teleport nodes need
+ # to know which IP it will be reachable at by other nodes
+ # public_addr: 10.1.0.5
+
+ # list of auth servers in a cluster. you will have more than one auth server
+ # if you configure teleport auth to run in HA configuration
+ auth_servers:
+ - localhost:3025
+
+ # Teleport throttles all connections to avoid abuse. These settings allow
+ # you to adjust the default limits
+ connection_limits:
+ max_connections: 1000
+ max_users: 250
+
+ # Logging configuration. Possible output values are 'stdout', 'stderr' and
+ # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+ log:
+ output: stderr
+ severity: ERROR
+
+ # Type of storage used for keys. You need to configure this to use etcd
+ # backend if you want to run Teleport in HA configuration.
+ storage:
+ type: bolt
+
+# This section configures the 'auth service':
+auth_service:
+ enabled: yes
+
+ # defines the types and second factors the auth server supports
+ authentication:
+ # second_factor can be off, otp, or u2f
+ second_factor: otp
+
+ # this section is only used if using u2f
+ u2f:
+ # app_id should point to the Web UI.
+ app_id: https://localhost:3080
+
+ # facets should list all proxy servers.
+ facets:
+ - https://localhost
+ - https://localhost:3080
+
+ # IP and the port to bind to. Other Teleport nodes will be connecting to
+ # this port (AKA "Auth API" or "Cluster API") to validate client
+ # certificates
+ listen_addr: 0.0.0.0:3025
+
+ # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+ # the role a new node will be allowed to assume. The more secure way to
+ # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
+ # tokens.
+ #
+ # We recommend to use tools like `pwgen` to generate sufficiently random
+ # tokens of 32+ byte length.
+ tokens:
+ - "proxy,node:xxxxx"
+ - "auth:yyyy"
+
+ # Optional "cluster name" is needed when configuring trust between multiple
+ # auth servers. A cluster name is used as part of a signature in certificates
+ # generated by this CA.
+ #
+ # By default an automatically generated GUID is used.
+ #
+ # IMPORTANT: if you change cluster_name, it will invalidate all generated
+ # certificates and keys (may need to wipe out /var/lib/teleport directory)
+ cluster_name: "main"
+
+# This section configures the 'node service':
+ssh_service:
+ enabled: yes
+ # IP and the port for SSH service to bind to.
+ listen_addr: 0.0.0.0:3022
+ # See explanation of labels in "Labeling Nodes" section below
+ labels:
+ role: master
+ type: postgres
+ # List (YAML array) of commands to periodically execute and use
+ # their output as labels.
+ # See explanation of how this works in "Labeling Nodes" section below
+ commands:
+ - name: hostname
+ command: [/usr/bin/hostname]
+ period: 1m0s
+ - name: arch
+ command: [/usr/bin/uname, -p]
+ period: 1h0m0s
+
+# This section configures the 'proxy servie'
+proxy_service:
+ enabled: yes
+ # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+ # SSH sessions by connecting to this port
+ listen_addr: 0.0.0.0:3023
+
+ # Reverse tunnel listening address. An auth server (CA) can establish an
+ # outbound (from behind the firewall) connection to this address.
+ # This will allow users of the outside CA to connect to behind-the-firewall
+ # nodes.
+ tunnel_listen_addr: 0.0.0.0:3024
+
+ # The HTTPS listen address to serve the Web UI and also to authenticate the
+ # command line (CLI) users via password+HOTP
+ web_listen_addr: 0.0.0.0:3080
+
+ # TLS certificate for the HTTPS connection. Configuring these properly is
+ # critical for Teleport security.
+ https_key_file: /etc/teleport/teleport.key
+ https_cert_file: /etc/teleport/teleport.crt
diff --git a/sys-cluster/teleport/files/teleport.init.d b/sys-cluster/teleport/files/teleport.init.d
index a5d08b7f3f69..a951ec5318a0 100644
--- a/sys-cluster/teleport/files/teleport.init.d
+++ b/sys-cluster/teleport/files/teleport.init.d
@@ -18,7 +18,7 @@ start() {
 --stderr "${TELEPORT_LOGFILE}" \
 -- start --config="${TELEPORT_CONFDIR}/teleport.yaml" \
 ${TELEPORT_OPTS}
- eend $?
+ eend $?
 }
 
 stop() {
@@ -27,3 +27,11 @@ stop() {
 --pidfile "${TELEPORT_PIDFILE}"
 eend $?
 }
+
+reload() {
+ checkconfig || return 1
+ ebegin "Reloading ${SVCNAME}"
+ start-stop-daemon --signal HUP \
+ --exec "${TELEPORT_BINARY}" --pidfile "${TELEPORT_PIDFILE}"
+ eend $?
+}
diff --git a/sys-cluster/teleport/files/teleport.service b/sys-cluster/teleport/files/teleport.service
index b74734bbf9ef..37b38210aff4 100644
--- a/sys-cluster/teleport/files/teleport.service
+++ b/sys-cluster/teleport/files/teleport.service
@@ -1,11 +1,13 @@
 [Unit]
 Description=Teleport SSH Service
-After=network.target
+After=network.target
 
 [Service]
 Type=simple
-Restart=always
-ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml
+Restart=on-failure
+ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml --pid-file=/var/run/teleport.pid
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/var/run/teleport.pid
 
 [Install]
 WantedBy=multi-user.target
|
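Review bot: The new sample config enables the auth service with literal placeholder credentials left active: `auth_token: xxxx-token-xxxx` under `teleport:` and the static `tokens:` list with `"proxy,node:xxxxx"` and `"auth:yyyy"` under `auth_service:`. If the file is installed unchanged (presumably as the default /etc/teleport/teleport.yaml that the init script and the unit load), the auth server accepts these publicly known values as join tokens for the node, proxy and auth roles, since the file's own comment says each token lets a new node assume that role; ship them commented out, e.g. `# auth_token: xxxx-token-xxxx`, and do the same for the `tokens:` block so that joining requires a value the administrator deliberately set. The header comment also says the file belongs at `/etc/teleport.yaml`, while the init script and unit pass `--config=/etc/teleport/teleport.yaml` and the TLS paths at the bottom live under /etc/teleport/; align the comment with the actual path. Minor: the proxy section comment reads 'proxy servie'.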
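Review bot: The added `reload()` calls `checkconfig`, which is not defined anywhere in this script (the removed teleport-2.5.init.d, which has the same blob id a951ec5318a0 as the new file, shows the full 37 lines and has no such function), so `checkconfig || return 1` fails with a command-not-found error and the SIGHUP is never sent. Either drop that line or define the function it expects, e.g. `checkconfig() { [ -r "${TELEPORT_CONFDIR}/teleport.yaml" ] || { eerror "Missing ${TELEPORT_CONFDIR}/teleport.yaml"; return 1; }; }` placed above `start()`. Separately, `reload()` honours `"${TELEPORT_BINARY}"` while `start()` and `stop()` in the same file still hard-code `--exec /usr/bin/teleport`, so a conf.d override of TELEPORT_BINARY only affects reload; using `--exec "${TELEPORT_BINARY}"` in all three keeps them consistent.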
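Review bot: The new `PIDFile=/var/run/teleport.pid` line is redundant with `Type=simple`, where systemd already tracks the main process and the `$MAINPID` used by the new `ExecReload=` line is available without a pid file; it also points below the legacy `/var/run` directory, which current systemd versions warn about and rewrite to `/run`. Unless something outside the unit relies on the pid file, drop `PIDFile=` and the `--pid-file=/var/run/teleport.pid` argument from `ExecStart=`, or at least use `/run/teleport.pid` in both places. The unit still runs the daemon as root with no sandboxing directives even though it binds several network listeners per the sample config; evaluating `ProtectSystem=full`, `PrivateTmp=yes` and `NoNewPrivileges=yes` would be a reasonable follow-up.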