diff --git a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
index c49cf223383d..a020a52cf7cd 100644
--- a/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
+++ b/nixos/doc/manual/from_md/release-notes/rl-2205.section.xml
@@ -119,6 +119,15 @@ services.archisteamfarm. + + + teleport, + allows engineers and security professionals to unify access + for SSH servers, Kubernetes clusters, web applications, and + databases across all environments. Available at + services.teleport. + +
diff --git a/nixos/doc/manual/release-notes/rl-2205.section.md b/nixos/doc/manual/release-notes/rl-2205.section.md
index 4903774ad6e9..768766ad249f 100644
--- a/nixos/doc/manual/release-notes/rl-2205.section.md
+++ b/nixos/doc/manual/release-notes/rl-2205.section.md
@@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin
 - [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
+- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
+
 ## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
 - `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix
index 12def3d0da87..2bcf6e8dee31 100644
--- a/nixos/modules/module-list.nix
+++ b/nixos/modules/module-list.nix
@@ -891,6 +891,7 @@
 ./services/networking/tcpcrypt.nix
 ./services/networking/teamspeak3.nix
 ./services/networking/tedicross.nix
+ ./services/networking/teleport.nix
 ./services/networking/thelounge.nix
 ./services/networking/tinc.nix
 ./services/networking/tinydns.nix
diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix
new file mode 100644
index 000000000000..454791621800
--- /dev/null
+++ b/nixos/modules/services/networking/teleport.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.teleport;
+ settingsYaml = pkgs.formats.yaml { };
+in
+{
+ options = {
+ services.teleport = with lib.types; {
+ enable = mkEnableOption "the Teleport service";
+
+ settings = mkOption {
+ type = settingsYaml.type;
+ default = { };
+ example = literalExpression ''
+ {
+ teleport = {
+ nodename = "client";
+ advertise_ip = "192.168.1.2";
+ auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
+ auth_servers = [ "192.168.1.1:3025" ];
+ log.severity = "DEBUG";
+ };
+ ssh_service = {
+ enabled = true;
+ labels = {
+ role = "client";
+ };
+ };
+ proxy_service.enabled = false;
+ auth_service.enabled = false;
+ }
+ '';
+ description = ''
+ Contents of the teleport.yaml config file.
+ The --config arguments will only be passed if this set is not empty.
+
+ See .
+ '';
+ };
+
+ insecure.enable = mkEnableOption ''
+ starting teleport in insecure mode.
+
+ This is dangerous!
+ Sensitive information will be logged to console and certificates will not be verified.
+ Proceed with caution!
+
+ Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
+ '';
+
+ diag = {
+ enable = mkEnableOption ''
+ endpoints for monitoring purposes.
+
+ See
+ '';
+
+ addr = mkOption {
+ type = str;
+ default = "127.0.0.1";
+ description = "Metrics and diagnostics address.";
+ };
+
+ port = mkOption {
+ type = int;
+ default = 3000;
+ description = "Metrics and diagnostics port.";
+ };
+ };
+ };
+ };
+
+ config = mkIf config.services.teleport.enable {
+ environment.systemPackages = [ pkgs.teleport ];
+
+ systemd.services.teleport = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.teleport}/bin/teleport start \
+ ${optionalString cfg.insecure.enable "--insecure"} \
+ ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
+ ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
+ '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ LimitNOFILE = 65536;
+ Restart = "always";
+ RestartSec = "5s";
+ RuntimeDirectory = "teleport";
+ Type = "simple";
+ };
+ };
+ };
+}
+
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 4f62980e8e91..5ebe07ad3cb7 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -471,6 +471,7 @@ in
 systemd-unit-path = handleTest ./systemd-unit-path.nix {};
 taskserver = handleTest ./taskserver.nix {};
 telegraf = handleTest ./telegraf.nix {};
+ teleport = handleTest ./teleport.nix {};
 tiddlywiki = handleTest ./tiddlywiki.nix {};
 tigervnc = handleTest ./tigervnc.nix {};
 timezone = handleTest ./timezone.nix {};
diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix
new file mode 100644
index 000000000000..15b16e44409d
--- /dev/null
+++ b/nixos/tests/teleport.nix
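Review bot: The `settings` attribute set is serialized with `settingsYaml.generate` into a `/nix/store` path that is passed as `--config=` in `ExecStart`, and the Nix store is world-readable, so any join token placed in `settings.teleport.auth_token` — exactly what the option's own `example` demonstrates — becomes readable by every local user and is copied into every machine that receives the closure. The `description` should say so and steer users away from it, e.g. add: `Everything set here is written to the world-readable Nix store. Do not put auth_token or other secrets in this option; point auth_token at a file outside the store instead (upstream documents that the token value may be a file path — confirm for the packaged version) or ship a self-managed teleport.yaml.` The `example` should likewise be changed to show a path such as `auth_token = "/run/keys/teleport-join-token";` rather than an inline token value. Minor style point: `config = mkIf config.services.teleport.enable` can be `config = mkIf cfg.enable`, since `cfg` is already bound in the `let` above.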
@@ -0,0 +1,99 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../.. { inherit system config; }
+}:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+let
+ minimal = { config, ... }: {
+ services.teleport.enable = true;
+ };
+
+ client = { config, ... }: {
+ services.teleport = {
+ enable = true;
+ settings = {
+ teleport = {
+ nodename = "client";
+ advertise_ip = "192.168.1.20";
+ auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
+ auth_servers = [ "192.168.1.10:3025" ];
+ log.severity = "DEBUG";
+ };
+ ssh_service = {
+ enabled = true;
+ labels = {
+ role = "client";
+ };
+ };
+ proxy_service.enabled = false;
+ auth_service.enabled = false;
+ };
+ };
+ networking.interfaces.eth1.ipv4.addresses = [{
+ address = "192.168.1.20";
+ prefixLength = 24;
+ }];
+ };
+
+ server = { config, ... }: {
+ services.teleport = {
+ enable = true;
+ settings = {
+ teleport = {
+ nodename = "server";
+ advertise_ip = "192.168.1.10";
+ };
+ ssh_service.enabled = true;
+ proxy_service.enabled = true;
+ auth_service = {
+ enabled = true;
+ tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
+ };
+ };
+ diag.enable = true;
+ insecure.enable = true;
+ };
+ networking = {
+ firewall.allowedTCPPorts = [ 3025 ];
+ interfaces.eth1.ipv4.addresses = [{
+ address = "192.168.1.10";
+ prefixLength = 24;
+ }];
+ };
+ };
+in
+{
+ minimal = makeTest {
+ # minimal setup should always work
+ name = "teleport-minimal-setup";
+ meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+ nodes = { inherit minimal; };
+
+ testScript = ''
+ minimal.wait_for_open_port("3025")
+ minimal.wait_for_open_port("3080")
+ minimal.wait_for_open_port("3022")
+ '';
+ };
+
+ basic = makeTest {
+ # basic server and client test
+ name = "teleport-server-client";
+ meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+ nodes = { inherit server client; };
+
+ testScript = ''
+ with subtest("teleport ready"):
+ server.wait_for_open_port("3025")
+ client.wait_for_open_port("3022")
+
+ with subtest("check applied configuration"):
+ server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
+ server.wait_for_open_port("3000")
+ client.succeed("journalctl -u teleport.service --grep='DEBU'")
+ server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
+ '';
+ };
+}
diff --git a/pkgs/servers/teleport/default.nix b/pkgs/servers/teleport/default.nix
index 2b8cdf37fcee..b69355dfa7b4 100644
--- a/pkgs/servers/teleport/default.nix
+++ b/pkgs/servers/teleport/default.nix
@@ -6,6 +6,7 @@
 , protobuf
 , stdenv
 , xdg-utils
+, nixosTests
 , withRoleTester ? true
 }:
@@ -95,6 +96,8 @@ buildGo117Module rec {
 $out/bin/teleport version | grep ${version} > /dev/null
 '';
+ passthru.tests = nixosTests.teleport;
+
 meta = with lib; {
 description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases";
 homepage = "https://goteleport.com/";
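Review bot: The `basic` test only covers the happy path of the join-token check: `client` presents the same token that `server` lists under `auth_service.tokens`, and the `tctl get nodes` assertion confirms it registered. Since that static token is the only thing gating node registration in this setup, a negative case is what would make this useful as a security regression test — a third node configured like `client` but with a mismatched `auth_token`, asserted to be absent from `tctl get nodes` after the legitimate client has shown up. The `journalctl --grep='DEBU'` line on the client only proves `log.severity` took effect, not anything about the rest of the configuration. `server` also runs with `insecure.enable = true`, so proxy-side certificate validation is not exercised here; a comment such as `# insecure mode is only enabled to assert the flag is passed through` would make that intent explicit (the client appears to join the auth service directly on 3025, so presumably it is not needed for the join).

```nix
  rogue = { config, ... }: {
    services.teleport = {
      enable = true;
      settings = {
        teleport = {
          nodename = "rogue";
          advertise_ip = "192.168.1.30";
          auth_token = "not-a-valid-token";
          auth_servers = [ "192.168.1.10:3025" ];
        };
        ssh_service.enabled = true;
        proxy_service.enabled = false;
        auth_service.enabled = false;
      };
    };
    networking.interfaces.eth1.ipv4.addresses = [{
      address = "192.168.1.30";
      prefixLength = 24;
    }];
  };
  # … unchanged: minimal, client, server definitions and the minimal test …
    nodes = { inherit server client rogue; };
  # … unchanged: "teleport ready" and "check applied configuration" subtests …
      with subtest("node with wrong token is not registered"):
        server.fail("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"rogue\")'")
```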