Merge pull request #153825 from ymatsiuk/ymatsiuk/teleport-module-test-init
nixos/teleport: init + tests
commit
ee7e31edb4
@ -119,6 +119,15 @@
<link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>.
<link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>.
</para>
</para>
</listitem>
</listitem>
<listitem>
<para>
<link xlink:href="https://goteleport.com">teleport</link>,
allows engineers and security professionals to unify access
for SSH servers, Kubernetes clusters, web applications, and
databases across all environments. Available at
<link linkend="opt-services.teleport.enable">services.teleport</link>.
</para>
</listitem>
</itemizedlist>
</itemizedlist>
</section>
</section>
<section xml:id="sec-release-22.05-incompatibilities">
<section xml:id="sec-release-22.05-incompatibilities">
@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin
|
|
||||||
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
|
|
||||||
- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
|
|
||||||
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
|
|
||||||
- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.
@ -891,6 +891,7 @@
./services/networking/tcpcrypt.nix
./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix
./services/networking/teamspeak3.nix
./services/networking/tedicross.nix
./services/networking/tedicross.nix
./services/networking/teleport.nix
./services/networking/thelounge.nix
./services/networking/thelounge.nix
./services/networking/tinc.nix
./services/networking/tinc.nix
./services/networking/tinydns.nix
./services/networking/tinydns.nix
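--- a/nixos/modules/services/networking/teleport.nix
+++ b/nixos/modules/services/networking/teleport.nix
@@ -0,0 +1,99 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.services.teleport;
+  settingsYaml = pkgs.formats.yaml { };
+in
+{
+  options = {
+    services.teleport = with lib.types; {
+      enable = mkEnableOption "the Teleport service";
+
+      settings = mkOption {
+        type = settingsYaml.type;
+        default = { };
+        example = literalExpression ''
+          {
+            teleport = {
+              nodename = "client";
+              advertise_ip = "192.168.1.2";
+              auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
+              auth_servers = [ "192.168.1.1:3025" ];
+              log.severity = "DEBUG";
+            };
+            ssh_service = {
+              enabled = true;
+              labels = {
+                role = "client";
+              };
+            };
+            proxy_service.enabled = false;
+            auth_service.enabled = false;
+          }
+        '';
+        description = ''
+          Contents of the <literal>teleport.yaml</literal> config file.
+          The <literal>--config</literal> arguments will only be passed if this set is not empty.
+
+          See <link xlink:href="https://goteleport.com/docs/setup/reference/config/"/>.
+        '';
+      };
+
+      insecure.enable = mkEnableOption ''
+        starting teleport in insecure mode.
+
+        This is dangerous!
+        Sensitive information will be logged to console and certificates will not be verified.
+        Proceed with caution!
+
+        Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
+      '';
+
+      diag = {
+        enable = mkEnableOption ''
+          endpoints for monitoring purposes.
+
+          See <link xlink:href="https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/"/>
+        '';
+
+        addr = mkOption {
+          type = str;
+          default = "127.0.0.1";
+          description = "Metrics and diagnostics address.";
+        };
+
+        port = mkOption {
+          type = int;
+          default = 3000;
+          description = "Metrics and diagnostics port.";
+        };
+      };
+    };
+  };
+
+  config = mkIf config.services.teleport.enable {
+    environment.systemPackages = [ pkgs.teleport ];
+
+    systemd.services.teleport = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network.target" ];
+      serviceConfig = {
+        ExecStart = ''
+          ${pkgs.teleport}/bin/teleport start \
+            ${optionalString cfg.insecure.enable "--insecure"} \
+            ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
+            ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
+        '';
+        ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+        LimitNOFILE = 65536;
+        Restart = "always";
+        RestartSec = "5s";
+        RuntimeDirectory = "teleport";
+        Type = "simple";
+      };
+    };
+  };
+}
+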
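Review bot: `settingsYaml.generate "teleport.yaml" cfg.settings` in ExecStart writes the whole settings set into the Nix store, so a join token placed in `settings.teleport.auth_token` (as the option's own example shows) becomes world-readable on the host and in any binary cache the closure is pushed to. The `settings` description should state this, e.g. `Note: everything in this set is written to the world-readable Nix store; do not put join tokens or other secrets here.`, and the example would be better without an inline token. Separately, the unit runs as root with no `User` or hardening directives and declares only `RuntimeDirectory`; if Teleport keeps persistent state under /var/lib, a `StateDirectory` would make that ownership explicit, though the hunk does not show where the data directory defaults to.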
@ -471,6 +471,7 @@ in
systemd-unit-path = handleTest ./systemd-unit-path.nix {};
systemd-unit-path = handleTest ./systemd-unit-path.nix {};
taskserver = handleTest ./taskserver.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
telegraf = handleTest ./telegraf.nix {};
teleport = handleTest ./teleport.nix {};
tiddlywiki = handleTest ./tiddlywiki.nix {};
tiddlywiki = handleTest ./tiddlywiki.nix {};
tigervnc = handleTest ./tigervnc.nix {};
tigervnc = handleTest ./tigervnc.nix {};
timezone = handleTest ./timezone.nix {};
timezone = handleTest ./timezone.nix {};
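--- a/nixos/tests/teleport.nix
+++ b/nixos/tests/teleport.nix
@@ -0,0 +1,99 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../.. { inherit system config; }
+}:
+
+with import ../lib/testing-python.nix { inherit system pkgs; };
+
+let
+  minimal = { config, ... }: {
+    services.teleport.enable = true;
+  };
+
+  client = { config, ... }: {
+    services.teleport = {
+      enable = true;
+      settings = {
+        teleport = {
+          nodename = "client";
+          advertise_ip = "192.168.1.20";
+          auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
+          auth_servers = [ "192.168.1.10:3025" ];
+          log.severity = "DEBUG";
+        };
+        ssh_service = {
+          enabled = true;
+          labels = {
+            role = "client";
+          };
+        };
+        proxy_service.enabled = false;
+        auth_service.enabled = false;
+      };
+    };
+    networking.interfaces.eth1.ipv4.addresses = [{
+      address = "192.168.1.20";
+      prefixLength = 24;
+    }];
+  };
+
+  server = { config, ... }: {
+    services.teleport = {
+      enable = true;
+      settings = {
+        teleport = {
+          nodename = "server";
+          advertise_ip = "192.168.1.10";
+        };
+        ssh_service.enabled = true;
+        proxy_service.enabled = true;
+        auth_service = {
+          enabled = true;
+          tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
+        };
+      };
+      diag.enable = true;
+      insecure.enable = true;
+    };
+    networking = {
+      firewall.allowedTCPPorts = [ 3025 ];
+      interfaces.eth1.ipv4.addresses = [{
+        address = "192.168.1.10";
+        prefixLength = 24;
+      }];
+    };
+  };
+in
+{
+  minimal = makeTest {
+    # minimal setup should always work
+    name = "teleport-minimal-setup";
+    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+    nodes = { inherit minimal; };
+
+    testScript = ''
+      minimal.wait_for_open_port("3025")
+      minimal.wait_for_open_port("3080")
+      minimal.wait_for_open_port("3022")
+    '';
+  };
+
+  basic = makeTest {
+    # basic server and client test
+    name = "teleport-server-client";
+    meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+    nodes = { inherit server client; };
+
+    testScript = ''
+      with subtest("teleport ready"):
+          server.wait_for_open_port("3025")
+          client.wait_for_open_port("3022")
+
+      with subtest("check applied configuration"):
+          server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
+          server.wait_for_open_port("3000")
+          client.succeed("journalctl -u teleport.service --grep='DEBU'")
+          server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
+    '';
+  };
+}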
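Review bot: Every port check in both testScripts passes the port as a string (`minimal.wait_for_open_port("3025")` and the server/client calls in the basic test); the driver's `wait_for_open_port` takes an int, so `minimal.wait_for_open_port(3025)` is the conventional form and does not depend on how the argument is interpolated into the probe command. The "check applied configuration" subtest only confirms that port 3000 is open, which does not show the diag endpoint is actually serving; fetching it, e.g. `server.succeed("${pkgs.curl}/bin/curl -f http://127.0.0.1:3000/healthz")`, would exercise what `diag.enable` advertises. The journal greps for `DEBU` and for the insecure-mode banner are good evidence that the settings file and the `--insecure` flag both reach the binary.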
@ -6,6 +6,7 @@
, protobuf
, protobuf
, stdenv
, stdenv
, xdg-utils
, xdg-utils
, nixosTests
|
|
||||||
, withRoleTester ? true
, withRoleTester ? true
}:
}:
@ -95,6 +96,8 @@ buildGo117Module rec {
$out/bin/teleport version | grep ${version} > /dev/null
$out/bin/teleport version | grep ${version} > /dev/null
'';
'';
|
|
||||||
passthru.tests = nixosTests.teleport;
|
|
||||||
meta = with lib; {
meta = with lib; {
description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases";
description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases";
homepage = "https://goteleport.com/";
homepage = "https://goteleport.com/";