summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-cluster/teleport')
-rw-r--r--sys-cluster/teleport/Manifest1
-rw-r--r--sys-cluster/teleport/files/teleport.yaml240
-rw-r--r--sys-cluster/teleport/teleport-3.0.0.ebuild49
3 files changed, 290 insertions, 0 deletions
diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest
index 4297926a0896..648071ea426e 100644
--- a/sys-cluster/teleport/Manifest
+++ b/sys-cluster/teleport/Manifest
@@ -1,2 +1,3 @@
DIST teleport-2.6.7.tar.gz 16655508 BLAKE2B a020ab999b7503cb7aec54ed81532baf9d08b98000f2c659f63859d89f7f2b5fb311c41d6fcafb7d9bf72ea1c97eecfc6ac621b7c90d74f5afe2717edb8b0402 SHA512 45002dcf7b99108ca6fffae94d6608188eb9b0bea05cd14068618bfb11c496cad5546e261f349fee70f2acb574e7fc44093683dd991001e01406da6982c5c4c3
DIST teleport-2.7.1.tar.gz 18222601 BLAKE2B 86852a1c7f0b083d8fc46bb2e51e287f0d54ca8bd1a6306e21ad325b6f1487682f853eb313a1f6f6fc4dc4d25d93e909ed65dad6d00eb37f878904d6df30f98c SHA512 703056eb99aa91062c8d9cfa7852e3573c8968ce9dea0ff5b076d5225caf8d67b965948a47785cdc7e4341993ef3ed005677859d37653f7d22c05cb2db51efd7
+DIST teleport-3.0.0.tar.gz 22365657 BLAKE2B a9cfec07ec73970b1050c51819ef4820be95fcd94dce0ffbb62deca38af28a944929c83a9ed2b443a93eb21f55d0cac024b66acf81c5d6939ba8e6b6ba40438a SHA512 8cba0b7471bebe9cdac07b44f17c99b7b323061f310ef0e61a3ebe1c4ea2ca2b1c853177528c4725a83366406e8b1a5aba23ecdd5fba7290bd6cab74ada3340d
diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
new file mode 100644
index 000000000000..0ab548c1a46b
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.yaml
@@ -0,0 +1,240 @@
+# By default, this file should be stored in /etc/teleport.yaml
+
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+ # nodename allows to assign an alternative name this node can be reached by.
+ # by default it's equal to hostname
+ # nodename: graviton
+
+ # Data directory where Teleport daemon keeps its data.
+ # See "Filesystem Layout" section above for more details.
+ data_dir: /var/lib/teleport
+
+ # Invitation token used to join a cluster. it is not used on
+ # subsequent starts
+ # auth_token: xxxx-token-xxxx
+
+ # When running in multi-homed or NATed environments Teleport nodes need
+ # to know which IP it will be reachable at by other nodes
+ #
+ # This value can be specified as FQDN e.g. host.example.com
+ # advertise_ip: 10.1.0.5
+
+ # list of auth servers in a cluster. you will have more than one auth server
+ # if you configure teleport auth to run in HA configuration
+ auth_servers:
+ - localhost:3025
+
+ # Teleport throttles all connections to avoid abuse. These settings allow
+ # you to adjust the default limits
+ connection_limits:
+ max_connections: 1000
+ max_users: 250
+
+ # Logging configuration. Possible output values are 'stdout', 'stderr' and
+ # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+ log:
+ output: stderr
+ severity: ERROR
+
+ # Type of storage used for keys. You need to configure this to use etcd or
+ # a DynamoDB backend if you want to run Teleport in HA configuration.
+ storage:
+ # By default teleport uses the `data_dir` directory on a local filesystem
+ type: dir
+
+ # Array of locations where the audit log events will be stored. by
+ # default they are stored in `/var/lib/teleport/log`
+ # audit_events_uri: [file:///var/lib/teleport/log, dynamo://events_table_name]
+
+ # Use this setting to configure teleport to store the recorded sessions in
+ # an AWS S3 bucket. see "Using Amazon S3" chapter for more information.
+ # audit_sessions_uri: s3://name-of-s3-bucket
+
+ # Cipher algorithms that the server supports. This section only needs to be
+ # set if you want to override the defaults.
+ ciphers:
+ - aes128-ctr
+ - aes192-ctr
+ - aes256-ctr
+ - aes128-gcm@openssh.com
+
+ # Key exchange algorithms that the server supports. This section only needs
+ # to be set if you want to override the defaults.
+ kex_algos:
+ - curve25519-sha256@libssh.org
+ - ecdh-sha2-nistp256
+ - ecdh-sha2-nistp384
+ - ecdh-sha2-nistp521
+ - diffie-hellman-group14-sha1
+ - diffie-hellman-group1-sha1
+
+ # Message authentication code (MAC) algorithms that the server supports.
+ # This section only needs to be set if you want to override the defaults.
+ mac_algos:
+ - hmac-sha2-256-etm@openssh.com
+ - hmac-sha2-256
+ - hmac-sha1
+ - hmac-sha1-96
+
+ # List of the supported ciphersuites. If this section is not specified,
+ # only the default ciphersuites are enabled.
+ ciphersuites:
+ - tls-rsa-with-aes-128-cbc-sha # default
+ - tls-rsa-with-aes-256-cbc-sha # default
+ - tls-rsa-with-aes-128-cbc-sha256
+ - tls-rsa-with-aes-128-gcm-sha256
+ - tls-rsa-with-aes-256-gcm-sha384
+ - tls-ecdhe-ecdsa-with-aes-128-cbc-sha
+ - tls-ecdhe-ecdsa-with-aes-256-cbc-sha
+ - tls-ecdhe-rsa-with-aes-128-cbc-sha
+ - tls-ecdhe-rsa-with-aes-256-cbc-sha
+ - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256
+ - tls-ecdhe-rsa-with-aes-128-cbc-sha256
+ - tls-ecdhe-rsa-with-aes-128-gcm-sha256
+ - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256
+ - tls-ecdhe-rsa-with-aes-256-gcm-sha384
+ - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384
+ - tls-ecdhe-rsa-with-chacha20-poly1305
+ - tls-ecdhe-ecdsa-with-chacha20-poly1305
+
+
+# This section configures the 'auth service':
+auth_service:
+ # Turns 'auth' role on. Default is 'yes'
+ enabled: yes
+
+ # A cluster name is used as part of a signature in certificates
+ # generated by this CA.
+ #
+ # We strongly recommend to explicitly set it to something meaningful as it
+ # becomes important when configuring trust between multiple clusters.
+ #
+ # By default an automatically generated name is used (not recommended)
+ #
+ # IMPORTANT: if you change cluster_name, it will invalidate all generated
+ # certificates and keys (may need to wipe out /var/lib/teleport directory)
+ cluster_name: "main"
+
+ authentication:
+ # default authentication type. possible values are 'local', 'oidc' and 'saml'
+ # only local authentication (Teleport's own user DB) is supported in the open
+ # source version
+ type: local
+ # second_factor can be off, otp, or u2f
+ second_factor: otp
+ # this section is used if second_factor is set to 'u2f'
+ u2f:
+ # app_id must point to the URL of the Teleport Web UI (proxy) accessible
+ # by the end users
+ app_id: https://localhost:3080
+ # facets must list all proxy servers if there are more than one deployed
+ facets:
+ - https://localhost:3080
+
+ # IP and the port to bind to. Other Teleport nodes will be connecting to
+ # this port (AKA "Auth API" or "Cluster API") to validate client
+ # certificates
+ listen_addr: 0.0.0.0:3025
+
+ # The optional DNS name the auth server if locataed behind a load balancer.
+ # (see public_addr section below)
+ # public_addr: auth.example.com:3025
+
+ # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+ # the role a new node will be allowed to assume. The more secure way to
+ # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
+ # tokens.
+ #
+ # We recommend to use tools like `pwgen` to generate sufficiently random
+ # tokens of 32+ byte length.
+ # tokens:
+ # - "proxy,node:xxxxx"
+ # - "auth:yyyy"
+
+ # Optional setting for configuring session recording. Possible values are:
+ # "node" : sessions will be recorded on the node level (the default)
+ # "proxy" : recording on the proxy level, see "recording proxy mode" section.
+ # "off" : session recording is turned off
+ session_recording: "node"
+
+ # This setting determines if a Teleport proxy performs strict host key checks.
+ # Only applicable if session_recording=proxy, see "recording proxy mode" for details.
+ proxy_checks_host_keys: yes
+
+ # Determines if SSH sessions to cluster nodes are forcefully terminated
+ # after no activity from a client (idle client).
+ # Examples: "30m", "1h" or "1h30m"
+ client_idle_timeout: never
+
+ # Determines if the clients will be forcefully disconnected when their
+ # certificates expire in the middle of an active SSH session. (default is 'no')
+ disconnect_expired_cert: no
+
+ # If the auth service is deployed outside Kubernetes, but Kubernetes integration
+ # is required, you have to specify a valid kubeconfig credentials:
+ # kubeconfig_file: /path/to/kubeconfig
+
+# This section configures the 'node service':
+ssh_service:
+ # Turns 'ssh' role on. Default is 'yes'
+ enabled: yes
+
+ # IP and the port for SSH service to bind to.
+ listen_addr: 0.0.0.0:3022
+
+ # The optional public address the SSH service. This is useful if administrators
+ # want to allow users to connect to nodes directly, bypassing a Teleport proxy
+ # (see public_addr section below)
+ # public_addr: node.example.com:3022
+
+ # See explanation of labels in "Labeling Nodes" section below
+ labels:
+ role: master
+
+ # List of the commands to periodically execute. Their output will be used as node labels.
+ # See "Labeling Nodes" section below for more information.
+ commands:
+ - name: arch # this command will add a label like 'arch=x86_64' to a node
+ command: [uname, -p]
+ period: 1h0m0s
+
+ # enables reading ~/.tsh/environment before creating a session. by default
+ # set to false, can be set true here or as a command line flag.
+ permit_user_env: false
+
+ # configures PAM integration. see below for more details.
+ pam:
+ enabled: no
+ service_name: teleport
+
+# This section configures the 'proxy servie'
+proxy_service:
+ # Turns 'proxy' role on. Default is 'yes'
+ enabled: yes
+
+ # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+ # SSH sessions by connecting to this port
+ listen_addr: 0.0.0.0:3023
+
+ # Reverse tunnel listening address. An auth server (CA) can establish an
+ # outbound (from behind the firewall) connection to this address.
+ # This will allow users of the outside CA to connect to behind-the-firewall
+ # nodes.
+ tunnel_listen_addr: 0.0.0.0:3024
+
+ # The HTTPS listen address to serve the Web UI and also to authenticate the
+ # command line (CLI) users via password+HOTP
+ web_listen_addr: 0.0.0.0:3080
+
+ # The DNS name the proxy server is accessible by cluster users. Defaults to
+ # the proxy's hostname if not specified. If running multiple proxies behind
+ # a load balancer, this name must point to the load balancer
+ # (see public_addr section below)
+ # public_addr: proxy.example.com:3080
+
+ # TLS certificate for the HTTPS connection. Configuring these properly is
+ # critical for Teleport security.
+ https_key_file: /var/lib/teleport/webproxy_key.pem
+ https_cert_file: /var/lib/teleport/webproxy_cert.pem
diff --git a/sys-cluster/teleport/teleport-3.0.0.ebuild b/sys-cluster/teleport/teleport-3.0.0.ebuild
new file mode 100644
index 000000000000..4a7a27e42a48
--- /dev/null
+++ b/sys-cluster/teleport/teleport-3.0.0.ebuild
@@ -0,0 +1,49 @@
+# Copyright 1999-2018 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit golang-build systemd
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [[ ${PV} == "9999" ]] ; then
+ inherit git-r3 golang-vcs
+ EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+ inherit golang-vcs-snapshot
+ SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm"
+fi
+
+IUSE="pam"
+LICENSE="Apache-2.0"
+RESTRICT="test strip"
+SLOT="0"
+
+DEPEND="app-arch/zip"
+RDEPEND="pam? ( sys-libs/pam )"
+
+src_compile() {
+ BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full
+}
+
+src_install() {
+ keepdir /var/lib/${PN} /etc/${PN}
+ dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+ insinto /etc/${PN}
+ newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml
+
+ newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+ systemd_newunit "${FILESDIR}"/${PN}.service ${PN}.service
+ systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
+
+src_test() {
+ BUILDFLAGS="" GOPATH="${S}" emake -C src/${EGO_PN%/*} test
+}