Merge pull request #153825 from ymatsiuk/ymatsiuk/teleport-module-test-init

nixos/teleport: init + tests
Aaron Andersen 2022-01-11 07:29:22 -05:00 committed by GitHub
commit ee7e31edb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 214 additions and 0 deletions


@ -119,6 +119,15 @@
<link xlink:href="options.html#opt-services.archisteamfarm.enable">services.archisteamfarm</link>.
</para>
</listitem>
<listitem>
<para>
<link xlink:href="https://goteleport.com">teleport</link>,
allows engineers and security professionals to unify access
for SSH servers, Kubernetes clusters, web applications, and
databases across all environments. Available at
<link linkend="opt-services.teleport.enable">services.teleport</link>.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="sec-release-22.05-incompatibilities">


@ -37,6 +37,8 @@ In addition to numerous new and upgraded packages, this release has the followin
- [ArchiSteamFarm](https://github.com/JustArchiNET/ArchiSteamFarm), a C# application with primary purpose of idling Steam cards from multiple accounts simultaneously. Available as [services.archisteamfarm](options.html#opt-services.archisteamfarm.enable).
- [teleport](https://goteleport.com), allows engineers and security professionals to unify access for SSH servers, Kubernetes clusters, web applications, and databases across all environments. Available at [services.teleport](#opt-services.teleport.enable).
## Backward Incompatibilities {#sec-release-22.05-incompatibilities}
- `pkgs.ghc` now refers to `pkgs.targetPackages.haskellPackages.ghc`.


@ -891,6 +891,7 @@
./services/networking/tcpcrypt.nix
./services/networking/teamspeak3.nix
./services/networking/tedicross.nix
./services/networking/teleport.nix
./services/networking/thelounge.nix
./services/networking/tinc.nix
./services/networking/tinydns.nix


@ -0,0 +1,99 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.services.teleport;
settingsYaml = pkgs.formats.yaml { };
in
{
options = {
services.teleport = with lib.types; {
enable = mkEnableOption "the Teleport service";
settings = mkOption {
type = settingsYaml.type;
default = { };
example = literalExpression ''
{
teleport = {
nodename = "client";
advertise_ip = "192.168.1.2";
auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
auth_servers = [ "192.168.1.1:3025" ];
log.severity = "DEBUG";
};
ssh_service = {
enabled = true;
labels = {
role = "client";
};
};
proxy_service.enabled = false;
auth_service.enabled = false;
}
'';
description = ''
Contents of the <literal>teleport.yaml</literal> config file.
The <literal>--config</literal> arguments will only be passed if this set is not empty.
See <link xlink:href="https://goteleport.com/docs/setup/reference/config/"/>.
'';
};
insecure.enable = mkEnableOption ''
starting teleport in insecure mode.
This is dangerous!
Sensitive information will be logged to console and certificates will not be verified.
Proceed with caution!
Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
'';
diag = {
enable = mkEnableOption ''
endpoints for monitoring purposes.
See <link xlink:href="https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/"/>
'';
addr = mkOption {
type = str;
default = "127.0.0.1";
description = "Metrics and diagnostics address.";
};
port = mkOption {
type = int;
default = 3000;
description = "Metrics and diagnostics port.";
};
};
};
};
config = mkIf config.services.teleport.enable {
environment.systemPackages = [ pkgs.teleport ];
systemd.services.teleport = {
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
ExecStart = ''
${pkgs.teleport}/bin/teleport start \
${optionalString cfg.insecure.enable "--insecure"} \
${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
'';
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
LimitNOFILE = 65536;
Restart = "always";
RestartSec = "5s";
RuntimeDirectory = "teleport";
Type = "simple";
};
};
};
}
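Review bot: `settingsYaml.generate "teleport.yaml" cfg.settings` on the `--config` line of ExecStart renders the whole settings set into the Nix store, which is world-readable, so any credential placed there — the option's own example puts a join `auth_token` in it — is exposed to every local user and to anything that can read that store path. The `settings` description should warn about this, e.g. `Note: the generated file lives in the world-readable Nix store; do not put secrets such as auth_token in it.` As far as I recall Teleport reads the token from a file when `auth_token` is given as a path, so pointing users at a file provisioned outside the store (for example via systemd credentials) would be the safe pattern to recommend, worth confirming against the linked config reference. Separately, the unit runs as root with no `User` or hardening directives; if that is intentional for the SSH service, a short comment on `serviceConfig` saying so would help the next maintainer.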


@ -471,6 +471,7 @@ in
systemd-unit-path = handleTest ./systemd-unit-path.nix {};
taskserver = handleTest ./taskserver.nix {};
telegraf = handleTest ./telegraf.nix {};
teleport = handleTest ./teleport.nix {};
tiddlywiki = handleTest ./tiddlywiki.nix {};
tigervnc = handleTest ./tigervnc.nix {};
timezone = handleTest ./timezone.nix {};

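--- a/nixos/tests/teleport.nix
+++ b/nixos/tests/teleport.nix
@@ -0,0 +1,99 @@
+{ system ? builtins.currentSystem
+, config ? { }
+, pkgs ? import ../.. { inherit system config; }
+}:
+with import ../lib/testing-python.nix { inherit system pkgs; };
+let
+minimal = { config, ... }: {
+services.teleport.enable = true;
+};
+client = { config, ... }: {
+services.teleport = {
+enable = true;
+settings = {
+teleport = {
+nodename = "client";
+advertise_ip = "192.168.1.20";
+auth_token = "8d1957b2-2ded-40e6-8297-d48156a898a9";
+auth_servers = [ "192.168.1.10:3025" ];
+log.severity = "DEBUG";
+};
+ssh_service = {
+enabled = true;
+labels = {
+role = "client";
+};
+};
+proxy_service.enabled = false;
+auth_service.enabled = false;
+};
+};
+networking.interfaces.eth1.ipv4.addresses = [{
+address = "192.168.1.20";
+prefixLength = 24;
+}];
+};
+server = { config, ... }: {
+services.teleport = {
+enable = true;
+settings = {
+teleport = {
+nodename = "server";
+advertise_ip = "192.168.1.10";
+};
+ssh_service.enabled = true;
+proxy_service.enabled = true;
+auth_service = {
+enabled = true;
+tokens = [ "node:8d1957b2-2ded-40e6-8297-d48156a898a9" ];
+};
+};
+diag.enable = true;
+insecure.enable = true;
+};
+networking = {
+firewall.allowedTCPPorts = [ 3025 ];
+interfaces.eth1.ipv4.addresses = [{
+address = "192.168.1.10";
+prefixLength = 24;
+}];
+};
+};
+in
+{
+minimal = makeTest {
+# minimal setup should always work
+name = "teleport-minimal-setup";
+meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+nodes = { inherit minimal; };
+testScript = ''
+minimal.wait_for_open_port("3025")
+minimal.wait_for_open_port("3080")
+minimal.wait_for_open_port("3022")
+'';
+};
+basic = makeTest {
+# basic server and client test
+name = "teleport-server-client";
+meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ];
+nodes = { inherit server client; };
+testScript = ''
+with subtest("teleport ready"):
+server.wait_for_open_port("3025")
+client.wait_for_open_port("3022")
+with subtest("check applied configuration"):
+server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'")
+server.wait_for_open_port("3000")
+client.succeed("journalctl -u teleport.service --grep='DEBU'")
+server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'")
+'';
+};
+}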
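Review bot: The `minimal`, `client` and `server` node definitions each take `{ config, ... }:` but never read `config`, so the parameter can be dropped to `{ ... }:` in all three. The port numbers in the test scripts are passed as strings (`wait_for_open_port("3025")`); that works because the driver interpolates them into a shell command, but the integer form `wait_for_open_port(3025)` matches the method's `int` parameter as far as I recall and reads more naturally.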


@ -6,6 +6,7 @@
, protobuf
, stdenv
, xdg-utils
, nixosTests
, withRoleTester ? true
}:
@ -95,6 +96,8 @@ buildGo117Module rec {
$out/bin/teleport version | grep ${version} > /dev/null
'';
passthru.tests = nixosTests.teleport;
meta = with lib; {
description = "Certificate authority and access plane for SSH, Kubernetes, web applications, and databases";
homepage = "https://goteleport.com/";