Merge pull request #153825 from ymatsiuk/ymatsiuk/teleport-module-test-init

nixos/teleport: init + tests
This commit is contained in:
Aaron Andersen 2022-01-11 07:29:22 -05:00 committed by GitHub
commit ee7e31edb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 214 additions and 0 deletions

View File

@ -119,6 +119,15 @@
<link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>. <link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>.
</para> </para>
</listitem> </listitem>
<listitem>
<para>
<link xlink:href="https://goteleport.com">teleport</link>,
allows engineers and security professionals to unify access
for SSH servers, Kubernetes clusters, web applications, and
databases across all environments. Available at
<link linkend="opt-services.teleport.enable">services.teleport</link>.
</para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section xml:id="sec-release-22.05-incompatibilities"> <section xml:id="sec-release-22.05-incompatibilities">

View File

@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable). - [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
## Backward Incompatibilities {#sec-release-22.05-incompatibilities} ## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`. - `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.

View File

@ -891,6 +891,7 @@
./services/networking/tcpcrypt.nix ./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix ./services/networking/teamspeak3.nix
./services/networking/tedicross.nix ./services/networking/tedicross.nix
./services/networking/teleport.nix
./services/networking/thelounge.nix ./services/networking/thelounge.nix
./services/networking/tinc.nix ./services/networking/tinc.nix
./services/networking/tinydns.nix ./services/networking/tinydns.nix

View File

@ -0,0 +1,99 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.teleport;
settingsYaml = pkgs.formats.yaml { };
in
{
options = {
services.teleport = with lib.types; {
enable = mkEnableOption "the Teleport service";
settings = mkOption {
type = settingsYaml.type;
default = { };
example = literalExpression ''
{
teleport = {
nodename = "client";
advertise_ip = "192.168.1.2";
auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
auth_servers = [ "192.168.1.1:3025" ];
log.severity = "DEBUG";
};
ssh_service = {
enabled = true;
labels = {
role = "client";
};
};
proxy_service.enabled = false;
auth_service.enabled = false;
}
'';
description = ''
Contents of the <literal>teleport.yaml</literal> config file.
The <literal>--config</literal> arguments will only be passed if this set is not empty.
See <link xlink:href="https://goteleport.com/docs/setup/reference/config/"/>.
'';
};
insecure.enable = mkEnableOption ''
starting teleport in insecure mode.
This is dangerous!
Sensitive information will be logged to console and certificates will not be verified.
Proceed with caution!
Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
'';
diag = {
enable = mkEnableOption ''
endpoints for monitoring purposes.
See <link xlink:href="https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/"/>
'';
addr = mkOption {
type = str;
default = "127.0.0.1";
description = "Metrics and diagnostics address.";
};
port = mkOption {
type = int;
default = 3000;
description = "Metrics and diagnostics port.";
};
};
};
};
config = mkIf config.services.teleport.enable {
environment.systemPackages = [ pkgs.teleport ];
systemd.services.teleport = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.teleport}/bin/teleport start \
${optionalString cfg.insecure.enable "--insecure"} \
${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
LimitNOFILE = 65536;
Restart = "always";
RestartSec = "5s";
RuntimeDirectory = "teleport";
Type = "simple";
};
};
};
}

View File

@ -471,6 +471,7 @@ in
systemd-unit-path = handleTest ./systemd-unit-path.nix {}; systemd-unit-path = handleTest ./systemd-unit-path.nix {};
taskserver = handleTest ./taskserver.nix {}; taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {}; telegraf = handleTest ./telegraf.nix {};
teleport = handleTest ./teleport.nix {};
tiddlywiki = handleTest ./tiddlywiki.nix {}; tiddlywiki = handleTest ./tiddlywiki.nix {};
tigervnc = handleTest ./tigervnc.nix {}; tigervnc = handleTest ./tigervnc.nix {};
timezone = handleTest ./timezone.nix {}; timezone = handleTest ./timezone.nix {};

99
nixos/tests/teleport.nix Normal file
View File

@ -0,0 +1,99 @@
{ system ? builtins.currentSystem
, config ? { }
, pkgs ? import ../.. { inherit system config; }
}:
with import ../lib/testing-python.nix { inherit system pkgs; };
let
minimal = { config, ... }: {
services.teleport.enable = true;
};
client = { config, ... }: {
services.teleport = {
enable = true;
settings = {
teleport = {
nodename = "client";
advertise_ip = "192.168.1.20";
auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
auth_servers = [ "192.168.1.10:3025" ];
log.severity = "DEBUG";
};
ssh_service = {
enabled = true;
labels = {
role = "client";
};
};
proxy_service.enabled = false;
auth_service.enabled = false;
};
};
networking.interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.20";
prefixLength = 24;
}];
};
server = { config, ... }: {
services.teleport = {
enable = true;
settings = {
teleport = {
nodename = "server";
advertise_ip = "192.168.1.10";
};
ssh_service.enabled = true;
proxy_service.enabled = true;
auth_service = {
enabled = true;
tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
};
};
diag.enable = true;
insecure.enable = true;
};
networking = {
firewall.allowedTCPPorts = [ 3025 ];
interfaces.eth1.ipv4.addresses = [{
address = "192.168.1.10";
prefixLength = 24;
}];
};
};
in
{
minimal = makeTest {
# minimal setup should always work
name = "teleport-minimal-setup";
meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
nodes = { inherit minimal; };
testScript = ''
minimal.wait_for_open_port("3025")
minimal.wait_for_open_port("3080")
minimal.wait_for_open_port("3022")
'';
};
basic = makeTest {
# basic server and client test
name = "teleport-server-client";
meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
nodes = { inherit server client; };
testScript = ''
with subtest("teleport ready"):
server.wait_for_open_port("3025")
client.wait_for_open_port("3022")
with subtest("check applied configuration"):
server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
server.wait_for_open_port("3000")
client.succeed("journalctl -u teleport.service --grep='DEBU'")
server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
'';
};
}

View File

@ -6,6 +6,7 @@
, protobuf , protobuf
, stdenv , stdenv
, xdg-utils , xdg-utils
, nixosTests
, withRoleTester ? true , withRoleTester ? true
}: }:
@ -95,6 +96,8 @@ buildGo117Module rec {
$out/bin/teleport version | grep ${version} > /dev/null $out/bin/teleport version | grep ${version} > /dev/null
''; '';
passthru.tests = nixosTests.teleport;
meta = with lib; { meta = with lib; {
description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases"; description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases";
homepage = "https://goteleport.com/"; homepage = "https://goteleport.com/";