diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index c49cf223383d..a020a52cf7cd 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -119,6 +119,15 @@
services.archisteamfarm.
+
+
+ teleport,
+ allows engineers and security professionals to unify access
+ for SSH servers, Kubernetes clusters, web applications, and
+ databases across all environments. Available at
+ services.teleport.
+
+
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 4903774ad6e9..768766ad249f 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
+- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
+
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 12def3d0da87..2bcf6e8dee31 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -891,6 +891,7 @@
./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix
./services/networking/tedicross.nix
+ ./services/networking/teleport.nix
./services/networking/thelounge.nix
./services/networking/tinc.nix
./services/networking/tinydns.nix
diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix
new file mode 100644
index 000000000000..454791621800
--- /dev/null
+++ b/nixos/modules/services/networking/teleport.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.teleport;
+ settingsYaml = pkgs.formats.yaml { };
+in
+{
+ options = {
+ services.teleport = with lib.types; {
+ enable = mkEnableOption "the Teleport service";
+
+ settings = mkOption {
+ type = settingsYaml.type;
+ default = { };
+ example = literalExpression ''
+ {
+ teleport = {
+ nodename = "client";
+ advertise_ip = "192.168.1.2";
+ auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
+ auth_servers = [ "192.168.1.1:3025" ];
+ log.severity = "DEBUG";
+ };
+ ssh_service = {
+ enabled = true;
+ labels = {
+ role = "client";
+ };
+ };
+ proxy_service.enabled = false;
+ auth_service.enabled = false;
+ }
+ '';
+ description = ''
+ Contents of the teleport.yaml config file.
+ The --config arguments will only be passed if this set is not empty.
+
+ See .
+ '';
+ };
+
+ insecure.enable = mkEnableOption ''
+ starting teleport in insecure mode.
+
+ This is dangerous!
+ Sensitive information will be logged to console and certificates will not be verified.
+ Proceed with caution!
+
+ Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
+ '';
+
+ diag = {
+ enable = mkEnableOption ''
+ endpoints for monitoring purposes.
+
+ See
+ '';
+
+ addr = mkOption {
+ type = str;
+ default = "127.0.0.1";
+ description = "Metrics and diagnostics address.";
+ };
+
+ port = mkOption {
+ type = int;
+ default = 3000;
+ description = "Metrics and diagnostics port.";
+ };
+ };
+ };
+ };
+
+ config = mkIf config.services.teleport.enable {
+ environment.systemPackages = [ pkgs.teleport ];
+
+ systemd.services.teleport = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.teleport}/bin/teleport start \
+ ${optionalString cfg.insecure.enable "--insecure"} \
+ ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
+ ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
+ '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ LimitNOFILE = 65536;
+ Restart = "always";
+ RestartSec = "5s";
+ RuntimeDirectory = "teleport";
+ Type = "simple";
+ };
+ };
+ };
+}
+
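Review bot: The `settings` option renders the whole configuration with `settingsYaml.generate` into a Nix store path passed via `--config` (the ExecStart line), and the `example` puts `auth_token` right in that set, so any join token or other secret a user follows the example with becomes world-readable to every local account on the host. The option description should say so; I would append to the `settings` description: `Secrets such as auth_token placed here end up in the world-readable Nix store; keep them out of this set and reference a file outside the store where the Teleport version in use supports it.` The same description currently ends with `See .` (line 83), which reads as a dropped link target unless the markup was lost in this view — worth confirming the reference survives rendering. Minor: `config = mkIf config.services.teleport.enable` could use the already-bound `cfg.enable`, and the unit runs as root with no sandboxing options; if that is intentional because the SSH service needs it, a one-line comment on `serviceConfig` saying so would save the next reviewer the question.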
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 4f62980e8e91..5ebe07ad3cb7 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -471,6 +471,7 @@ in
systemd-unit-path = handleTest ./systemd-unit-path.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
+ teleport = handleTest ./teleport.nix {};
tiddlywiki = handleTest ./tiddlywiki.nix {};
tigervnc = handleTest ./tigervnc.nix {};
timezone = handleTest ./timezone.nix {};
diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix
new file mode 100644
index 000000000000..15b16e44409d
--- /dev/null
+++ b/nixos/tests/teleport.nix
@@ -0,0 +1,99 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../.. { inherit system config; }
+}:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+let
+ minimal = { config, ... }: {
+ services.teleport.enable = true;
+ };
+
+ client = { config, ... }: {
+ services.teleport = {
+ enable = true;
+ settings = {
+ teleport = {
+ nodename = "client";
+ advertise_ip = "192.168.1.20";
+ auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
+ auth_servers = [ "192.168.1.10:3025" ];
+ log.severity = "DEBUG";
+ };
+ ssh_service = {
+ enabled = true;
+ labels = {
+ role = "client";
+ };
+ };
+ proxy_service.enabled = false;
+ auth_service.enabled = false;
+ };
+ };
+ networking.interfaces.eth1.ipv4.addresses = [{
+ address = "192.168.1.20";
+ prefixLength = 24;
+ }];
+ };
+
+ server = { config, ... }: {
+ services.teleport = {
+ enable = true;
+ settings = {
+ teleport = {
+ nodename = "server";
+ advertise_ip = "192.168.1.10";
+ };
+ ssh_service.enabled = true;
+ proxy_service.enabled = true;
+ auth_service = {
+ enabled = true;
+ tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
+ };
+ };
+ diag.enable = true;
+ insecure.enable = true;
+ };
+ networking = {
+ firewall.allowedTCPPorts = [ 3025 ];
+ interfaces.eth1.ipv4.addresses = [{
+ address = "192.168.1.10";
+ prefixLength = 24;
+ }];
+ };
+ };
+in
+{
+ minimal = makeTest {
+ # minimal setup should always work
+ name = "teleport-minimal-setup";
+ meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+ nodes = { inherit minimal; };
+
+ testScript = ''
+ minimal.wait_for_open_port("3025")
+ minimal.wait_for_open_port("3080")
+ minimal.wait_for_open_port("3022")
+ '';
+ };
+
+ basic = makeTest {
+ # basic server and client test
+ name = "teleport-server-client";
+ meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+ nodes = { inherit server client; };
+
+ testScript = ''
+ with subtest("teleport ready"):
+ server.wait_for_open_port("3025")
+ client.wait_for_open_port("3022")
+
+ with subtest("check applied configuration"):
+ server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
+ server.wait_for_open_port("3000")
+ client.succeed("journalctl -u teleport.service --grep='DEBU'")
+ server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
+ '';
+ };
+}
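Review bot: The `wait_for_open_port` calls pass ports as strings (`"3025"`, `"3080"`, `"3022"`, `"3000"`) while the test driver declares the parameter as an int and other tests call it as `wait_for_open_port(3025)`; it happens to work through string formatting, but switching to integers keeps the tests consistent with the driver's signature. The `insecure.enable = true` on the server node is presumably there to exercise the flag and the matching journal assertion; a short comment next to it, e.g. `# exercises --insecure; never copy into a real deployment`, makes that intent clear to readers who use tests as configuration examples.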
diff --git a/pkgs/servers/teleport/default.nix b/pkgs/servers/teleport/default.nix
index 2b8cdf37fcee..b69355dfa7b4 100644
--- a/pkgs/servers/teleport/default.nix
+++ b/pkgs/servers/teleport/default.nix
@@ -6,6 +6,7 @@
, protobuf
, stdenv
, xdg-utils
+, nixosTests
, withRoleTester ? true
}:
@@ -95,6 +96,8 @@ buildGo117Module rec {
$out/bin/teleport version | grep ${version} > /dev/null
'';
+ passthru.tests = nixosTests.teleport;
+
meta = with lib; {
description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases";
homepage = "https://goteleport.com/";