From 857636b0327ad7e092ec6cbd71a7735c885cbebd Mon Sep 17 00:00:00 2001
From: Justinas Stankevicius
Date: Sat, 18 Feb 2023 18:43:38 +0200
Subject: [PATCH 1/4] teleport: 11.3.4 -> 12.0.2
---
nixos/doc/manual/release-notes/rl-2305.section.md | 2 +-
pkgs/servers/teleport/default.nix | 10 +++++-----
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md
index d50438ddb611..fee0e51184f1 100644
--- a/nixos/doc/manual/release-notes/rl-2305.section.md
+++ b/nixos/doc/manual/release-notes/rl-2305.section.md
@@ -105,7 +105,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. -- `teleport` has been upgraded to major version 11. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and [release notes](https://goteleport.com/docs/changelog/#1100). +- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version. It is recommended to first upgrade to an intermediate 11.x version using an overlay before upgrading to version 12. - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. diff --git a/pkgs/servers/teleport/default.nix b/pkgs/servers/teleport/default.nix index 52c21cb63674..5a714480db3b 100644 --- a/pkgs/servers/teleport/default.nix +++ b/pkgs/servers/teleport/default.nix 
@@ -27,13 +27,13 @@ let owner = "gravitational"; repo = "teleport"; rev = "v${version}"; - hash = "sha256-jJfOgcwKkNFO/5XHxMoapZxM8Tb0kEgKVA7SrMU7uW4="; + hash = "sha256-9RD4ETQEXnj3d5YID3f3BghwitdqfcDgNhsk8ixWTW4="; }; - version = "11.3.4"; + version = "12.0.2"; rdpClient = rustPlatform.buildRustPackage rec { pname = "teleport-rdpclient"; - cargoHash = "sha256-TSIwLCY01ygCWT73LR/Ch7NwPQA3a3r0PyL3hUzBNr4="; + cargoHash = "sha256-1ScU5ywq8vz1sWHW2idBsWcB1Xs+aylukBm96dKrwL4="; inherit version src; buildAndTestSubdir = "lib/srv/desktop/rdp/rdpclient"; @@ -56,7 +56,7 @@ let yarnOfflineCache = fetchYarnDeps { yarnLock = "${src}/yarn.lock"; - hash = "sha256-MAGeWzA366yzpjdCY0+X6RV5MKcsHa/xD5CJu6ce1FU="; + hash = "sha256-ItRi5EkYrwNB1MIf9l3yyK1BX6vNpL2+H1BlN3Evibg="; }; webassets = stdenv.mkDerivation { @@ -95,7 +95,7 @@ buildGoModule rec { pname = "teleport"; inherit src version; - vendorHash = "sha256-NkiFLEHBNjxUOSuAlVugAV14yCCo3z6yhX7LZQFKhvA="; + vendorHash = "sha256-2sOELuMyg7w/rhnWvnwDiUOsjUfb56JdAbrTGKvGnjs="; proxyVendor = true; subPackages = [ "tool/tbot" "tool/tctl" "tool/teleport" "tool/tsh" ]; From 6f1c82c7f84c97fd94630d3e8a60f3de6f4460cb Mon Sep 17 00:00:00 2001 From: Justinas Stankevicius Date: Thu, 23 Feb 2023 20:14:50 +0200 Subject: [PATCH 2/4] teleport_11: init at 11.3.5 --- pkgs/servers/teleport/11.nix | 8 ++++++++ pkgs/servers/teleport/12.nix | 8 ++++++++ .../teleport/{default.nix => generic.nix} | 16 +++++++++++----- pkgs/top-level/all-packages.nix | 6 +++++- 4 files changed, 32 insertions(+), 6 deletions(-) create mode 100644 pkgs/servers/teleport/11.nix create mode 100644 pkgs/servers/teleport/12.nix rename pkgs/servers/teleport/{default.nix => generic.nix} (92%) diff --git a/pkgs/servers/teleport/11.nix b/pkgs/servers/teleport/11.nix new file mode 100644 index 000000000000..ee6758053cc9 --- /dev/null +++ b/pkgs/servers/teleport/11.nix 
@@ -0,0 +1,8 @@ +{ callPackage, ... }@args: +callPackage ./generic.nix ({ + version = "11.3.5"; + hash = "sha256-/InWly0jCiPBlgM/qgS6ErMv7Hhg5PW9sldda1oaUIg="; + vendorHash = "sha256-NkiFLEHBNjxUOSuAlVugAV14yCCo3z6yhX7LZQFKhvA="; + cargoHash = "sha256-02qo6i6GuRAYKDKA7k2hDq2O6ayEQbeGhFS2g3b9Wuo="; + yarnHash = "sha256-kvnVmDZ/jISaaS97KM0WbPJU7Y8XWOeHrDLT0iXRyfc="; +} // builtins.removeAttrs args [ "callPackage" ]) diff --git a/pkgs/servers/teleport/12.nix b/pkgs/servers/teleport/12.nix new file mode 100644 index 000000000000..1182df971481 --- /dev/null +++ b/pkgs/servers/teleport/12.nix @@ -0,0 +1,8 @@ +{ callPackage, ... }@args: +callPackage ./generic.nix ({ + version = "12.0.2"; + hash = "sha256-9RD4ETQEXnj3d5YID3f3BghwitdqfcDgNhsk8ixWTW4="; + vendorHash = "sha256-2sOELuMyg7w/rhnWvnwDiUOsjUfb56JdAbrTGKvGnjs="; + cargoHash = "sha256-1ScU5ywq8vz1sWHW2idBsWcB1Xs+aylukBm96dKrwL4="; + yarnHash = "sha256-ItRi5EkYrwNB1MIf9l3yyK1BX6vNpL2+H1BlN3Evibg="; +} // builtins.removeAttrs args [ "callPackage" ]) diff --git a/pkgs/servers/teleport/default.nix b/pkgs/servers/teleport/generic.nix similarity index 92% rename from pkgs/servers/teleport/default.nix rename to pkgs/servers/teleport/generic.nix index 5a714480db3b..a811204e09ab 100644 --- a/pkgs/servers/teleport/default.nix +++ b/pkgs/servers/teleport/generic.nix @@ -20,6 +20,12 @@ , nixosTests , withRdpClient ? true + +, version +, hash +, vendorHash +, cargoHash +, yarnHash }: let # This repo has a private submodule "e" which fetchgit cannot handle without failing. @@ -27,13 +33,13 @@ let owner = "gravitational"; repo = "teleport"; rev = "v${version}"; - hash = "sha256-9RD4ETQEXnj3d5YID3f3BghwitdqfcDgNhsk8ixWTW4="; + inherit hash; }; - version = "12.0.2"; + inherit version; rdpClient = rustPlatform.buildRustPackage rec { pname = "teleport-rdpclient"; - cargoHash = "sha256-1ScU5ywq8vz1sWHW2idBsWcB1Xs+aylukBm96dKrwL4="; + inherit cargoHash; inherit version src; buildAndTestSubdir = "lib/srv/desktop/rdp/rdpclient"; 
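Review bot: In `pkgs/servers/teleport/11.nix` the `vendorHash` pinned for 11.3.5 (`sha256-NkiFLEHBNjxUOSuAlVugAV14yCCo3z6yhX7LZQFKhvA=`) is identical to the value the first patch in this series removes for 11.3.4, while `hash`, `cargoHash` and `yarnHash` all changed. That may be correct if the Go module set did not change between the two patch releases, but a stale fixed-output hash can go unnoticed when the old vendor output is already in the builder's store or a binary cache. It is worth confirming by rebuilding once with `vendorHash = lib.fakeHash;` and checking that the reported hash matches the pin. A short comment above the pins in `11.nix` and `12.nix` saying which fetch each one covers (source, Go modules, rdpclient crates, yarn.lock) would also make a partial update on the next bump easier to spot.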
@@ -56,7 +62,7 @@ let yarnOfflineCache = fetchYarnDeps { yarnLock = "${src}/yarn.lock"; - hash = "sha256-ItRi5EkYrwNB1MIf9l3yyK1BX6vNpL2+H1BlN3Evibg="; + hash = yarnHash; }; webassets = stdenv.mkDerivation { @@ -95,7 +101,7 @@ buildGoModule rec { pname = "teleport"; inherit src version; - vendorHash = "sha256-2sOELuMyg7w/rhnWvnwDiUOsjUfb56JdAbrTGKvGnjs="; + inherit vendorHash; proxyVendor = true; subPackages = [ "tool/tbot" "tool/tctl" "tool/teleport" "tool/tsh" ]; diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix index e10d2ee250f5..631da35aff00 100644 --- a/pkgs/top-level/all-packages.nix +++ b/pkgs/top-level/all-packages.nix @@ -12515,9 +12515,13 @@ with pkgs; telegraf = callPackage ../servers/monitoring/telegraf { }; - teleport = callPackage ../servers/teleport { + teleport_11 = callPackage ../servers/teleport/11.nix { inherit (darwin.apple_sdk.frameworks) CoreFoundation Security AppKit; }; + teleport_12 = callPackage ../servers/teleport/12.nix { + inherit (darwin.apple_sdk.frameworks) CoreFoundation Security AppKit; + }; + teleport = teleport_12; telepresence = callPackage ../tools/networking/telepresence { pythonPackages = python3Packages; From 31b5597cbdf327340b361704f02768650de57f38 Mon Sep 17 00:00:00 2001 From: Justinas Stankevicius Date: Thu, 23 Feb 2023 20:15:12 +0200 Subject: [PATCH 3/4] nixos/teleport: add "package" option --- .../manual/release-notes/rl-2305.section.md | 2 +- .../modules/services/networking/teleport.nix | 12 ++- nixos/tests/teleport.nix | 82 +++++++++++-------- 3 files changed, 60 insertions(+), 36 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index fee0e51184f1..b02065e97221 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md 
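Review bot: `teleport_11` is added in the `pkgs/top-level/all-packages.nix` hunk without anything marking it as an intermediate upgrade step, which is the purpose the release-notes change in this series gives for it. A comment such as `# teleport_11: kept for staged upgrades from 10.x; remove once upstream stops shipping fixes for 11` would keep an unmaintained major version of a remote-access service from lingering in the package set. The same hunk repeats the `inherit (darwin.apple_sdk.frameworks) CoreFoundation Security AppKit;` argument block for both versions, so a later framework change has to be made in two places.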
@@ -105,7 +105,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. -- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version. It is recommended to first upgrade to an intermediate 11.x version using an overlay before upgrading to version 12. +- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12). - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. 
diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix index 6433554f87da..399af711c0e1 100644 --- a/nixos/modules/services/networking/teleport.nix +++ b/nixos/modules/services/networking/teleport.nix @@ -11,6 +11,14 @@ in services.teleport = with lib.types; { enable = mkEnableOption (lib.mdDoc "the Teleport service"); + package = mkOption { + type = types.package; + default = pkgs.teleport; + defaultText = lib.literalMD "pkgs.teleport"; + example = lib.literalMD "pkgs.teleport_11"; + description = lib.mdDoc "The teleport package to use"; + }; + settings = mkOption { type = settingsYaml.type; default = { }; @@ -74,14 +82,14 @@ in }; config = mkIf config.services.teleport.enable { - environment.systemPackages = [ pkgs.teleport ]; + environment.systemPackages = [ cfg.package ]; systemd.services.teleport = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { ExecStart = '' - ${pkgs.teleport}/bin/teleport start \ + ${cfg.package}/bin/teleport start \ ${optionalString cfg.insecure.enable "--insecure"} \ ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \ ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"} diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix index 34bf1bc0c70d..49adb2dd4a41 100644 --- a/nixos/tests/teleport.nix +++ b/nixos/tests/teleport.nix 
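Review bot: The new `package` option in `nixos/modules/services/networking/teleport.nix` uses `lib.literalMD` for `defaultText` and `example`, which renders the values as Markdown prose rather than as Nix code; `defaultText = lib.literalExpression "pkgs.teleport";` and `example = lib.literalExpression "pkgs.teleport_11";` are the usual form for package expressions. The description could also say when an override is appropriate, e.g. `"The teleport package to use. Pin an older major version only as a temporary step during a staged upgrade."`, since the option makes it easy to leave a server on a release that may no longer receive security fixes. The option set and the `config` block both continue outside these hunks.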
@@ -1,18 +1,28 @@ { system ? builtins.currentSystem , config ? { } , pkgs ? import ../.. { inherit system config; } +, lib ? pkgs.lib }: with import ../lib/testing-python.nix { inherit system pkgs; }; let - minimal = { config, ... }: { - services.teleport.enable = true; + packages = with pkgs; { + "default" = teleport; + "11" = teleport_11; }; - client = { config, ... }: { + minimal = package: { services.teleport = { enable = true; + inherit package; + }; + }; + + client = package: { + services.teleport = { + enable = true; + inherit package; settings = { teleport = { nodename = "client"; @@ -37,9 +47,10 @@ let }]; }; - server = { config, ... }: { + server = package: { services.teleport = { enable = true; + inherit package; settings = { teleport = { nodename = "server"; 
@@ -64,36 +75,41 @@ let }; }; in -{ - minimal = makeTest { - # minimal setup should always work - name = "teleport-minimal-setup"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; - nodes = { inherit minimal; }; +lib.concatMapAttrs + (name: package: { + "minimal_${name}" = makeTest { + # minimal setup should always work + name = "teleport-minimal-setup"; + meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + nodes.minimal = minimal package; - testScript = '' - minimal.wait_for_open_port(3025) - minimal.wait_for_open_port(3080) - minimal.wait_for_open_port(3022) - ''; - }; + testScript = '' + minimal.wait_for_open_port(3025) + minimal.wait_for_open_port(3080) + minimal.wait_for_open_port(3022) + ''; + }; - basic = makeTest { - # basic server and client test - name = "teleport-server-client"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; - nodes = { inherit server client; }; + "basic_${name}" = makeTest { + # basic server and client test + name = "teleport-server-client"; + meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + nodes = { + server = server package; + client = client package; + }; - testScript = '' - with subtest("teleport ready"): - server.wait_for_open_port(3025) - client.wait_for_open_port(3022) + testScript = '' + with subtest("teleport ready"): + server.wait_for_open_port(3025) + client.wait_for_open_port(3022) - with subtest("check applied configuration"): - server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'") - server.wait_for_open_port(3000) - client.succeed("journalctl -u teleport.service --grep='DEBU'") - server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") - ''; - }; -} + with subtest("check applied configuration"): + server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | 
.metadata.labels.role==\"client\"'") + server.wait_for_open_port(3000) + client.succeed("journalctl -u teleport.service --grep='DEBU'") + server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") + ''; + }; + }) + packages From e831a3da9883a3bd813d1ab2accaa9a85841461c Mon Sep 17 00:00:00 2001 From: Justinas Stankevicius Date: Tue, 28 Feb 2023 13:08:24 +0200 Subject: [PATCH 4/4] nixos/tests/teleport: make justinas the maintainer --- nixos/tests/teleport.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix index 49adb2dd4a41..cdf762b12844 100644 --- a/nixos/tests/teleport.nix +++ b/nixos/tests/teleport.nix @@ -80,7 +80,7 @@ lib.concatMapAttrs "minimal_${name}" = makeTest { # minimal setup should always work name = "teleport-minimal-setup"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + meta.maintainers = with pkgs.lib.maintainers; [ justinas ]; nodes.minimal = minimal package; testScript = '' @@ -93,7 +93,7 @@ lib.concatMapAttrs "basic_${name}" = makeTest { # basic server and client test name = "teleport-server-client"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + meta.maintainers = with pkgs.lib.maintainers; [ justinas ]; nodes = { server = server package; client = client package;
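Review bot: In the `@@ -64,36 +75,41 @@` hunk of `nixos/tests/teleport.nix`, the tests generated by `lib.concatMapAttrs` get distinct attribute names (`minimal_${name}`, `basic_${name}`) but keep the fixed `name = "teleport-minimal-setup"` and `name = "teleport-server-client"`, so the derivations and logs of the default and 11 variants cannot be told apart. Interpolating the key, `name = "teleport-minimal-setup-${name}";` and `name = "teleport-server-client-${name}";`, would make a failure attributable to one version. The `packages` set defined earlier in the file reaches version 12 only through the `teleport` alias, so `teleport_12` would presumably drop out of the test matrix once the default moves on; an explicit `"12" = teleport_12;` entry would avoid that.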