From f14bb737f623213056a24a913a1e98353597c91d Mon Sep 17 00:00:00 2001 From: Graeme Lawes Date: Thu, 4 Oct 2018 10:57:45 -0400 Subject: [PATCH] sys-cluster/teleport: add v3.0.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Signed-off-by: Graeme Lawes Signed-off-by: Michał Górny Closes: https://github.com/gentoo/gentoo/pull/10060 --- sys-cluster/teleport/Manifest | 1 + sys-cluster/teleport/files/teleport.yaml | 240 +++++++++++++++++++++ sys-cluster/teleport/teleport-3.0.0.ebuild | 49 +++++ 3 files changed, 290 insertions(+) create mode 100644 sys-cluster/teleport/files/teleport.yaml create mode 100644 sys-cluster/teleport/teleport-3.0.0.ebuild diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest index 4297926a0896..648071ea426e 100644 --- a/sys-cluster/teleport/Manifest +++ b/sys-cluster/teleport/Manifest @@ -1,2 +1,3 @@ DIST teleport-2.6.7.tar.gz 16655508 BLAKE2B a020ab999b7503cb7aec54ed81532baf9d08b98000f2c659f63859d89f7f2b5fb311c41d6fcafb7d9bf72ea1c97eecfc6ac621b7c90d74f5afe2717edb8b0402 SHA512 45002dcf7b99108ca6fffae94d6608188eb9b0bea05cd14068618bfb11c496cad5546e261f349fee70f2acb574e7fc44093683dd991001e01406da6982c5c4c3 DIST teleport-2.7.1.tar.gz 18222601 BLAKE2B 86852a1c7f0b083d8fc46bb2e51e287f0d54ca8bd1a6306e21ad325b6f1487682f853eb313a1f6f6fc4dc4d25d93e909ed65dad6d00eb37f878904d6df30f98c SHA512 703056eb99aa91062c8d9cfa7852e3573c8968ce9dea0ff5b076d5225caf8d67b965948a47785cdc7e4341993ef3ed005677859d37653f7d22c05cb2db51efd7 +DIST teleport-3.0.0.tar.gz 22365657 BLAKE2B a9cfec07ec73970b1050c51819ef4820be95fcd94dce0ffbb62deca38af28a944929c83a9ed2b443a93eb21f55d0cac024b66acf81c5d6939ba8e6b6ba40438a SHA512 8cba0b7471bebe9cdac07b44f17c99b7b323061f310ef0e61a3ebe1c4ea2ca2b1c853177528c4725a83366406e8b1a5aba23ecdd5fba7290bd6cab74ada3340d diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml new file mode 100644 index 000000000000..0ab548c1a46b --- /dev/null +++ b/sys-cluster/teleport/files/teleport.yaml @@ -0,0 +1,240 @@ +# By default, this file should be stored in /etc/teleport.yaml + +# This section of the configuration file applies to all teleport +# services. +teleport: + # nodename allows to assign an alternative name this node can be reached by. + # by default it's equal to hostname + # nodename: graviton + + # Data directory where Teleport daemon keeps its data. + # See "Filesystem Layout" section above for more details. + data_dir: /var/lib/teleport + + # Invitation token used to join a cluster. it is not used on + # subsequent starts + # auth_token: xxxx-token-xxxx + + # When running in multi-homed or NATed environments Teleport nodes need + # to know which IP it will be reachable at by other nodes + # + # This value can be specified as FQDN e.g. host.example.com + # advertise_ip: 10.1.0.5 + + # list of auth servers in a cluster. you will have more than one auth server + # if you configure teleport auth to run in HA configuration + auth_servers: + - localhost:3025 + + # Teleport throttles all connections to avoid abuse. These settings allow + # you to adjust the default limits + connection_limits: + max_connections: 1000 + max_users: 250 + + # Logging configuration. Possible output values are 'stdout', 'stderr' and + # 'syslog'. Possible severity values are INFO, WARN and ERROR (default). + log: + output: stderr + severity: ERROR + + # Type of storage used for keys. You need to configure this to use etcd or + # a DynamoDB backend if you want to run Teleport in HA configuration. + storage: + # By default teleport uses the `data_dir` directory on a local filesystem + type: dir + + # Array of locations where the audit log events will be stored. by + # default they are stored in `/var/lib/teleport/log` + # audit_events_uri: [file:///var/lib/teleport/log, dynamo://events_table_name] + + # Use this setting to configure teleport to store the recorded sessions in + # an AWS S3 bucket. see "Using Amazon S3" chapter for more information. + # audit_sessions_uri: s3://name-of-s3-bucket + + # Cipher algorithms that the server supports. This section only needs to be + # set if you want to override the defaults. + ciphers: + - aes128-ctr + - aes192-ctr + - aes256-ctr + - aes128-gcm@openssh.com + + # Key exchange algorithms that the server supports. This section only needs + # to be set if you want to override the defaults. + kex_algos: + - curve25519-sha256@libssh.org + - ecdh-sha2-nistp256 + - ecdh-sha2-nistp384 + - ecdh-sha2-nistp521 + - diffie-hellman-group14-sha1 + - diffie-hellman-group1-sha1 + + # Message authentication code (MAC) algorithms that the server supports. + # This section only needs to be set if you want to override the defaults. + mac_algos: + - hmac-sha2-256-etm@openssh.com + - hmac-sha2-256 + - hmac-sha1 + - hmac-sha1-96 + + # List of the supported ciphersuites. If this section is not specified, + # only the default ciphersuites are enabled. + ciphersuites: + - tls-rsa-with-aes-128-cbc-sha # default + - tls-rsa-with-aes-256-cbc-sha # default + - tls-rsa-with-aes-128-cbc-sha256 + - tls-rsa-with-aes-128-gcm-sha256 + - tls-rsa-with-aes-256-gcm-sha384 + - tls-ecdhe-ecdsa-with-aes-128-cbc-sha + - tls-ecdhe-ecdsa-with-aes-256-cbc-sha + - tls-ecdhe-rsa-with-aes-128-cbc-sha + - tls-ecdhe-rsa-with-aes-256-cbc-sha + - tls-ecdhe-ecdsa-with-aes-128-cbc-sha256 + - tls-ecdhe-rsa-with-aes-128-cbc-sha256 + - tls-ecdhe-rsa-with-aes-128-gcm-sha256 + - tls-ecdhe-ecdsa-with-aes-128-gcm-sha256 + - tls-ecdhe-rsa-with-aes-256-gcm-sha384 + - tls-ecdhe-ecdsa-with-aes-256-gcm-sha384 + - tls-ecdhe-rsa-with-chacha20-poly1305 + - tls-ecdhe-ecdsa-with-chacha20-poly1305 + + +# This section configures the 'auth service': +auth_service: + # Turns 'auth' role on. Default is 'yes' + enabled: yes + + # A cluster name is used as part of a signature in certificates + # generated by this CA. + # + # We strongly recommend to explicitly set it to something meaningful as it + # becomes important when configuring trust between multiple clusters. + # + # By default an automatically generated name is used (not recommended) + # + # IMPORTANT: if you change cluster_name, it will invalidate all generated + # certificates and keys (may need to wipe out /var/lib/teleport directory) + cluster_name: "main" + + authentication: + # default authentication type. possible values are 'local', 'oidc' and 'saml' + # only local authentication (Teleport's own user DB) is supported in the open + # source version + type: local + # second_factor can be off, otp, or u2f + second_factor: otp + # this section is used if second_factor is set to 'u2f' + u2f: + # app_id must point to the URL of the Teleport Web UI (proxy) accessible + # by the end users + app_id: https://localhost:3080 + # facets must list all proxy servers if there are more than one deployed + facets: + - https://localhost:3080 + + # IP and the port to bind to. Other Teleport nodes will be connecting to + # this port (AKA "Auth API" or "Cluster API") to validate client + # certificates + listen_addr: 0.0.0.0:3025 + + # The optional DNS name the auth server if locataed behind a load balancer. + # (see public_addr section below) + # public_addr: auth.example.com:3025 + + # Pre-defined tokens for adding new nodes to a cluster. Each token specifies + # the role a new node will be allowed to assume. The more secure way to + # add nodes is to use `ttl node add --ttl` command to generate auto-expiring + # tokens. + # + # We recommend to use tools like `pwgen` to generate sufficiently random + # tokens of 32+ byte length. + # tokens: + # - "proxy,node:xxxxx" + # - "auth:yyyy" + + # Optional setting for configuring session recording. Possible values are: + # "node" : sessions will be recorded on the node level (the default) + # "proxy" : recording on the proxy level, see "recording proxy mode" section. + # "off" : session recording is turned off + session_recording: "node" + + # This setting determines if a Teleport proxy performs strict host key checks. + # Only applicable if session_recording=proxy, see "recording proxy mode" for details. + proxy_checks_host_keys: yes + + # Determines if SSH sessions to cluster nodes are forcefully terminated + # after no activity from a client (idle client). + # Examples: "30m", "1h" or "1h30m" + client_idle_timeout: never + + # Determines if the clients will be forcefully disconnected when their + # certificates expire in the middle of an active SSH session. (default is 'no') + disconnect_expired_cert: no + + # If the auth service is deployed outside Kubernetes, but Kubernetes integration + # is required, you have to specify a valid kubeconfig credentials: + # kubeconfig_file: /path/to/kubeconfig + +# This section configures the 'node service': +ssh_service: + # Turns 'ssh' role on. Default is 'yes' + enabled: yes + + # IP and the port for SSH service to bind to. + listen_addr: 0.0.0.0:3022 + + # The optional public address the SSH service. This is useful if administrators + # want to allow users to connect to nodes directly, bypassing a Teleport proxy + # (see public_addr section below) + # public_addr: node.example.com:3022 + + # See explanation of labels in "Labeling Nodes" section below + labels: + role: master + + # List of the commands to periodically execute. Their output will be used as node labels. + # See "Labeling Nodes" section below for more information. + commands: + - name: arch # this command will add a label like 'arch=x86_64' to a node + command: [uname, -p] + period: 1h0m0s + + # enables reading ~/.tsh/environment before creating a session. by default + # set to false, can be set true here or as a command line flag. + permit_user_env: false + + # configures PAM integration. see below for more details. + pam: + enabled: no + service_name: teleport + +# This section configures the 'proxy servie' +proxy_service: + # Turns 'proxy' role on. Default is 'yes' + enabled: yes + + # SSH forwarding/proxy address. Command line (CLI) clients always begin their + # SSH sessions by connecting to this port + listen_addr: 0.0.0.0:3023 + + # Reverse tunnel listening address. An auth server (CA) can establish an + # outbound (from behind the firewall) connection to this address. + # This will allow users of the outside CA to connect to behind-the-firewall + # nodes. + tunnel_listen_addr: 0.0.0.0:3024 + + # The HTTPS listen address to serve the Web UI and also to authenticate the + # command line (CLI) users via password+HOTP + web_listen_addr: 0.0.0.0:3080 + + # The DNS name the proxy server is accessible by cluster users. Defaults to + # the proxy's hostname if not specified. If running multiple proxies behind + # a load balancer, this name must point to the load balancer + # (see public_addr section below) + # public_addr: proxy.example.com:3080 + + # TLS certificate for the HTTPS connection. Configuring these properly is + # critical for Teleport security. + https_key_file: /var/lib/teleport/webproxy_key.pem + https_cert_file: /var/lib/teleport/webproxy_cert.pem diff --git a/sys-cluster/teleport/teleport-3.0.0.ebuild b/sys-cluster/teleport/teleport-3.0.0.ebuild new file mode 100644 index 000000000000..4a7a27e42a48 --- /dev/null +++ b/sys-cluster/teleport/teleport-3.0.0.ebuild @@ -0,0 +1,49 @@ +# Copyright 1999-2018 Gentoo Foundation +# Distributed under the terms of the GNU General Public License v2 + +EAPI=6 +inherit golang-build systemd + +DESCRIPTION="Modern SSH server for teams managing distributed infrastructure" +HOMEPAGE="https://gravitational.com/teleport" + +EGO_PN="github.com/gravitational/${PN}/..." + +if [[ ${PV} == "9999" ]] ; then + inherit git-r3 golang-vcs + EGIT_REPO_URI="https://github.com/gravitational/${PN}.git" +else + inherit golang-vcs-snapshot + SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz" + KEYWORDS="~amd64 ~arm" +fi + +IUSE="pam" +LICENSE="Apache-2.0" +RESTRICT="test strip" +SLOT="0" + +DEPEND="app-arch/zip" +RDEPEND="pam? ( sys-libs/pam )" + +src_compile() { + BUILDFLAGS="" GOPATH="${S}" emake -j1 -C src/${EGO_PN%/*} full +} + +src_install() { + keepdir /var/lib/${PN} /etc/${PN} + dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport} + + insinto /etc/${PN} + newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml + + newinitd "${FILESDIR}"/${PN}.init.d ${PN} + newconfd "${FILESDIR}"/${PN}.conf.d ${PN} + + systemd_newunit "${FILESDIR}"/${PN}.service ${PN}.service + systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service +} + +src_test() { + BUILDFLAGS="" GOPATH="${S}" emake -C src/${EGO_PN%/*} test +} -- 2.26.2