author | Yurii Matsiuk <ymatsiuk@users.noreply.github.com> | 2022-01-10 13:48:56 +0100 |
---|---|---|
committer | Yurii Matsiuk <ymatsiuk@users.noreply.github.com> | 2022-01-11 10:11:17 +0100 |
commit | d811a6ea7312dd22ca9cbeb176aca3146fac8574 (patch) | |
tree | 338df6f34bc32ba50dfe2923053b577ee71520dc /nixos/modules/services/networking/teleport.nix | |
parent | 793bbe6c69d0ac83ddab3a7a5d824f1ade3b32ef (diff) |
nixos/teleport: init
Diffstat (limited to 'nixos/modules/services/networking/teleport.nix')
-rw-r--r-- | nixos/modules/services/networking/teleport.nix | 98 |
1 files changed, 98 insertions, 0 deletions
diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix
new file mode 100644
index 0000000000000..d5f44f5a78232
--- /dev/null
+++ b/nixos/modules/services/networking/teleport.nix
@@ -0,0 +1,98 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+ cfg = config.services.teleport;
+ settingsYaml = pkgs.formats.yaml { };
+in
+{
+ options = {
+ services.teleport = with lib.types; {
+ enable = mkEnableOption "the Teleport service";
+
+ settings = mkOption {
+ type = settingsYaml.type;
+ default = { };
+ example = literalExpression ''
+ {
+ teleport = {
+ nodename = "client";
+ advertise_ip = "192.168.1.2";
+ auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
+ auth_servers = [ "192.168.1.1:3025" ];
+ log.severity = "DEBUG";
+ ssh_service = {
+ enabled = true;
+ labels = {
+ role = "client";
+ };
+ };
+ proxy_service.enabled = false;
+ auth_service.enabled = false;
+ }
+ '';
+ description = ''
+ Contents of the <literal>teleport.yaml</literal> config file.
+ The <literal>--config</literal> arguments will only be passed if this set is not empty.
+
+ See <link xlink:href="https://goteleport.com/docs/setup/reference/config/"/>.
+ '';
+ };
+
+ insecure.enable = mkEnableOption ''
+ starting teleport in insecure mode.
+
+ This is dangerous!
+ Sensitive information will be logged to console and certificates will not be verified.
+ Proceed with caution!
+
+ Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
+ '';
+
+ diag = {
+ enable = mkEnableOption ''
+ endpoints for monitoring purposes.
+
+ See <link xlink:href="https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/"/>
+ '';
+
+ addr = mkOption {
+ type = str;
+ default = "127.0.0.1";
+ description = "Metrics and diagnostics address.";
+ };
+
+ port = mkOption {
+ type = int;
+ default = 3000;
+ description = "Metrics and diagnostics port.";
+ };
+ };
+ };
+ };
+
+ config = mkIf config.services.teleport.enable {
+ environment.systemPackages = [ pkgs.teleport ];
+
+ systemd.services.teleport = {
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ ExecStart = ''
+ ${pkgs.teleport}/bin/teleport start \
+ ${optionalString cfg.insecure.enable "--insecure"} \
+ ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
+ ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
+ '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ LimitNOFILE = 65536;
+ Restart = "always";
+ RestartSec = "5s";
+ RuntimeDirectory = "teleport";
+ Type = "simple";
+ };
+ };
+ };
+}
+
|
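Review bot: The `settings` option is rendered by `settingsYaml.generate "teleport.yaml" cfg.settings` into the Nix store, which is world-readable on the host, yet the `example` for `settings` places a literal `auth_token` in that set; any join token or other secret put there becomes readable by every local user. The `description` of `settings` should state this, e.g. `The generated file is placed in the world-readable Nix store; do not put secrets such as <literal>auth_token</literal> in this set, reference a file on disk instead.` Teleport's `auth_token` setting accepts a path to a file containing the token, so the example would be safer showing a path rather than a token value. Minor: `config = mkIf config.services.teleport.enable` could use `cfg.enable`, since `cfg` is already bound in the `let` at the top of the hunk.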