5 files changed, 144 insertions, 54 deletions
diff --git a/sys-cluster/teleport/files/teleport-2.5.init.d b/sys-cluster/teleport/files/teleport-2.5.init.d
deleted file mode 100644
index a951ec5318a0..000000000000
--- a/sys-cluster/teleport/files/teleport-2.5.init.d
+++ /dev/null
@@ -1,37 +0,0 @@
-#!/sbin/openrc-run
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-: ${TELEPORT_CONFDIR:=/etc/teleport}
-: ${TELEPORT_PIDFILE:=/var/run/${SVCNAME}.pid}
-: ${TELEPORT_BINARY:=/usr/bin/teleport}
-: ${TELEPORT_LOGFILE:=/var/log/teleport.log}
-
-depend() {
-	need net
-}
-
-start() {
-	ebegin "Starting Teleport SSH Service"
-		start-stop-daemon --start --exec /usr/bin/teleport \
-		--background --make-pidfile --pidfile "${TELEPORT_PIDFILE}" \
-		--stderr "${TELEPORT_LOGFILE}" \
-		-- start --config="${TELEPORT_CONFDIR}/teleport.yaml" \
-		${TELEPORT_OPTS}
-	eend $?
-}
-
-stop() {
-	ebegin "Stopping Teleport SSH Service"
-		start-stop-daemon --stop --exec /usr/bin/teleport \
-		--pidfile "${TELEPORT_PIDFILE}"
-	eend $?
-}
-
-reload() {
-	checkconfig || return 1
-	ebegin "Reloading ${SVCNAME}"
-	start-stop-daemon --signal HUP \
-	    --exec "${TELEPORT_BINARY}" --pidfile "${TELEPORT_PIDFILE}"
-	eend $?
-}
diff --git a/sys-cluster/teleport/files/teleport-2.5.service b/sys-cluster/teleport/files/teleport-2.5.service
deleted file mode 100644
index 37b38210aff4..000000000000
--- a/sys-cluster/teleport/files/teleport-2.5.service
+++ /dev/null
@@ -1,13 +0,0 @@
-[Unit]
-Description=Teleport SSH Service
-After=network.target
-
-[Service]
-Type=simple
-Restart=on-failure
-ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml --pid-file=/var/run/teleport.pid
-ExecReload=/bin/kill -HUP $MAINPID
-PIDFile=/var/run/teleport.pid
-
-[Install]
-WantedBy=multi-user.target
diff --git a/sys-cluster/teleport/files/teleport-2.6.yaml b/sys-cluster/teleport/files/teleport-2.6.yaml
new file mode 100644
index 000000000000..384dea937c97
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport-2.6.yaml
@@ -0,0 +1,130 @@
+# By default, this file should be stored in /etc/teleport.yaml
+## IMPORTANT ##
+#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+    # nodename allows to assign an alternative name this node can be reached by.
+    # by default it's equal to hostname
+    # nodename: graviton
+
+    # Data directory where Teleport keeps its data, like keys/users for 
+    # authentication (if using the default BoltDB back-end)
+    data_dir: /var/lib/teleport
+
+    # one-time invitation token used to join a cluster. it is not used on 
+    # subsequent starts
+    auth_token: xxxx-token-xxxx
+
+    # when running in multi-homed or NATed environments Teleport nodes need 
+    # to know which IP it will be reachable at by other nodes
+    # public_addr: 10.1.0.5
+
+    # list of auth servers in a cluster. you will have more than one auth server
+    # if you configure teleport auth to run in HA configuration
+    auth_servers: 
+        - localhost:3025
+
+    # Teleport throttles all connections to avoid abuse. These settings allow
+    # you to adjust the default limits
+    connection_limits:
+        max_connections: 1000
+        max_users: 250
+
+    # Logging configuration. Possible output values are 'stdout', 'stderr' and 
+    # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+    log:
+        output: stderr
+        severity: ERROR
+
+    # Type of storage used for keys. You need to configure this to use etcd
+    # backend if you want to run Teleport in HA configuration.
+    storage:
+        type: bolt
+
+# This section configures the 'auth service':
+auth_service:
+    enabled: yes
+
+    # defines the types and second factors the auth server supports
+    authentication:
+        # second_factor can be off, otp, or u2f
+        second_factor: otp
+
+        # this section is only used if using u2f
+        u2f:
+            # app_id should point to the Web UI.
+            app_id: https://localhost:3080
+
+            # facets should list all proxy servers.
+            facets:
+            - https://localhost
+            - https://localhost:3080
+
+    # IP and the port to bind to. Other Teleport nodes will be connecting to
+    # this port (AKA "Auth API" or "Cluster API") to validate client 
+    # certificates 
+    listen_addr: 0.0.0.0:3025
+
+    # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+    # the role a new node will be allowed to assume. The more secure way to 
+    # add nodes is to use `ttl node add --ttl` command to generate auto-expiring 
+    # tokens. 
+    #
+    # We recommend to use tools like `pwgen` to generate sufficiently random
+    # tokens of 32+ byte length.
+    tokens:
+        - "proxy,node:xxxxx"
+        - "auth:yyyy"
+
+    # Optional "cluster name" is needed when configuring trust between multiple
+    # auth servers. A cluster name is used as part of a signature in certificates
+    # generated by this CA.
+    # 
+    # By default an automatically generated GUID is used.
+    #
+    # IMPORTANT: if you change cluster_name, it will invalidate all generated 
+    # certificates and keys (may need to wipe out /var/lib/teleport directory)
+    cluster_name: "main"
+
+# This section configures the 'node service':
+ssh_service:
+    enabled: yes
+    # IP and the port for SSH service to bind to. 
+    listen_addr: 0.0.0.0:3022
+    # See explanation of labels in "Labeling Nodes" section below
+    labels:
+        role: master
+        type: postgres
+    # List (YAML array) of commands to periodically execute and use
+    # their output as labels. 
+    # See explanation of how this works in "Labeling Nodes" section below
+    commands:
+    - name: hostname
+      command: [/usr/bin/hostname]
+      period: 1m0s
+    - name: arch
+      command: [/usr/bin/uname, -p]
+      period: 1h0m0s
+
+# This section configures the 'proxy servie'
+proxy_service:
+    enabled: yes
+    # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+    # SSH sessions by connecting to this port
+    listen_addr: 0.0.0.0:3023
+
+    # Reverse tunnel listening address. An auth server (CA) can establish an 
+    # outbound (from behind the firewall) connection to this address. 
+    # This will allow users of the outside CA to connect to behind-the-firewall 
+    # nodes.
+    tunnel_listen_addr: 0.0.0.0:3024
+
+    # The HTTPS listen address to serve the Web UI and also to authenticate the 
+    # command line (CLI) users via password+HOTP
+    web_listen_addr: 0.0.0.0:3080
+
+    # TLS certificate for the HTTPS connection. Configuring these properly is 
+    # critical for Teleport security.
+    https_key_file: /etc/teleport/teleport.key
+    https_cert_file: /etc/teleport/teleport.crt
diff --git a/sys-cluster/teleport/files/teleport.init.d b/sys-cluster/teleport/files/teleport.init.d
index a5d08b7f3f69..a951ec5318a0 100644
--- a/sys-cluster/teleport/files/teleport.init.d
+++ b/sys-cluster/teleport/files/teleport.init.d
@@ -18,7 +18,7 @@ start() {
 		--stderr "${TELEPORT_LOGFILE}" \
 		-- start --config="${TELEPORT_CONFDIR}/teleport.yaml" \
 		${TELEPORT_OPTS}
-		eend $?
+	eend $?
 }
 
 stop() {
@@ -27,3 +27,11 @@ stop() {
 		--pidfile "${TELEPORT_PIDFILE}"
 	eend $?
 }
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${SVCNAME}"
+	start-stop-daemon --signal HUP \
+	    --exec "${TELEPORT_BINARY}" --pidfile "${TELEPORT_PIDFILE}"
+	eend $?
+}
diff --git a/sys-cluster/teleport/files/teleport.service b/sys-cluster/teleport/files/teleport.service
index b74734bbf9ef..37b38210aff4 100644
--- a/sys-cluster/teleport/files/teleport.service
+++ b/sys-cluster/teleport/files/teleport.service
@@ -1,11 +1,13 @@
 [Unit]
 Description=Teleport SSH Service
-After=network.target 
+After=network.target
 
 [Service]
 Type=simple
-Restart=always
-ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml
+Restart=on-failure
+ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml --pid-file=/var/run/teleport.pid
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/var/run/teleport.pid
 
 [Install]
 WantedBy=multi-user.target