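├── handlers
│   └── main.yml
├── tasks
│   ├── config.yml
│   ├── setup-RedHat.yml
│   ├── main.yml
│   └── setup-Debian.yml
├── .yamllint.yaml
├── templates
│   ├── default_teleport.yaml.j2
│   └── ec2_teleport.yaml.j2
├── defaults
│   └── main.yml
├── meta
│   └── main.yml
├── LICENSE
└── README.md

/handlers/main.yml:
--------------------------------------------------------------------------------
---
# Handlers for the teleport service. Module arguments are written as block
# YAML rather than "key=value" strings so they lint and diff cleanly.
# Only "restart teleport" is notified by the tasks in this role
# (tasks/config.yml); "reload teleport" is kept for templates/playbooks that
# want a reload instead of a full restart.
- name: reload teleport
  ansible.builtin.service:
    name: teleport
    state: reloaded

- name: restart teleport
  ansible.builtin.service:
    name: teleport
    state: restarted
--------------------------------------------------------------------------------
/tasks/config.yml:
--------------------------------------------------------------------------------
---
# Render the node configuration from the selected template. The rendered file
# carries the join token and CA pin, so it is owned by root with mode 0600.
# Note that running with `--diff` prints the rendered content (token included)
# to the controller output; set `diff: false` on this task if that output is
# shipped to shared logs.
- name: Copy Teleport configuration.
  ansible.builtin.template:
    src: "{{ teleport_config_template }}"
    dest: "{{ teleport_config_path }}"
    owner: root
    group: root
    # Quoted on purpose: an unquoted 0600 is read as the octal integer 384 by
    # YAML 1.1 parsers, which only works by coincidence for this value.
    mode: "0600"
    # Backups are written next to dest and keep the old token; prune them when
    # tokens are rotated.
    backup: "{{ teleport_backup_config }}"
  notify: restart teleport
--------------------------------------------------------------------------------
/.yamllint.yaml:
--------------------------------------------------------------------------------
---
extends: default

rules:
  truthy:
    allowed-values: ["yes", "no", "True", "false", "False", "true"]
  line-length:
    max: 200
    level: warning
  indentation: disable
  braces: disable
  comments:
    require-starting-space: true
    ignore-shebangs: true
    min-spaces-from-content: 1
--------------------------------------------------------------------------------
/templates/default_teleport.yaml.j2:
--------------------------------------------------------------------------------
# Managed by Ansible
# Default Teleport node configuration: SSH service only, joined with a static
# or dynamic auth token. Every interpolated scalar is quoted so that a token,
# pin or address that happens to look like a number or boolean is not retyped
# by the YAML parser.
teleport:
  auth_token: "{{ teleport_auth_token }}"
  ca_pin: "{{ teleport_ca_pin }}"
  auth_servers:
{% for auth_server in teleport_auth_servers %}
    - "{{ auth_server }}"
{% endfor %}
ssh_service:
  enabled: "yes"
  commands:
    - name: uptime
      command: [uptime, -p]
      period: 5m0s
proxy_service:
  enabled: "no"
auth_service:
  enabled: "no"
--------------------------------------------------------------------------------
/defaults/main.yml:
--------------------------------------------------------------------------------
---
# NOTE(review): teleport_version is not consumed by tasks/main.yml, which
# installs `teleport_package` with `teleport_package_state` and no version —
# i.e. whatever the configured repository currently serves. Wire it into the
# package task (or drop it) if reproducible installs are required.
teleport_version: "9.0.1"
teleport_package: teleport
teleport_package_state: present
teleport_create_config: true
# Join credentials. Keep real values out of committed inventory (vault,
# extra-vars or a secret store); the rendered config is root-only (0600).
teleport_auth_token: ""
teleport_ec2_join_token: ec2-teleport-join-token
teleport_ca_pin: ""
# Placeholder addresses — override per environment. Quoted so "host:port"
# entries are never parsed as sexagesimal integers.
teleport_auth_servers:
  - "https://auth.example.com"
  - "127.0.0.1:3025"
teleport_config_path: "/etc/teleport.yaml"
teleport_config_template: "default_teleport.yaml.j2"
teleport_backup_config: true
--------------------------------------------------------------------------------
/tasks/setup-RedHat.yml:
--------------------------------------------------------------------------------
---
# Import the vendor signing key first, then add the repository with
# gpgcheck enabled so every package must carry a signature from that key.
- name: Add Teleport GPG key.
  ansible.builtin.rpm_key:
    key: https://rpm.releases.teleport.dev/RPM-GPG-KEY-teleport
    state: present

- name: Add Teleport repository.
  ansible.builtin.yum_repository:
    name: teleport
    description: Gravitational Teleport packages
    baseurl: https://rpm.releases.teleport.dev/
    enabled: true
    gpgcheck: true
    gpgkey: https://rpm.releases.teleport.dev/RPM-GPG-KEY-teleport
--------------------------------------------------------------------------------
/tasks/main.yml:
--------------------------------------------------------------------------------
---
# Entry point: OS-family specific repository setup, package install,
# optional config rendering, then service enablement.
- name: Include RedHat repository setup.
  ansible.builtin.include_tasks: setup-RedHat.yml
  when: ansible_os_family == 'RedHat'

- name: Include Debian repository setup.
  ansible.builtin.include_tasks: setup-Debian.yml
  when: ansible_os_family == 'Debian'

# No version is pinned here; `teleport_version` from defaults/main.yml is not
# referenced, so the repository's current package is installed.
- name: Install Teleport.
  ansible.builtin.package:
    name: "{{ teleport_package }}"
    state: "{{ teleport_package_state }}"

- name: Render Teleport configuration.
  ansible.builtin.include_tasks: config.yml
  when: teleport_create_config | bool

- name: Ensure Teleport is started and enabled at boot.
  ansible.builtin.service:
    name: teleport
    state: started
    enabled: true
--------------------------------------------------------------------------------
/tasks/setup-Debian.yml:
--------------------------------------------------------------------------------
---
- name: Ensure required dependencies are present.
  ansible.builtin.apt:
    name:
      - apt-transport-https
      - gnupg2
    state: present

# NOTE(review): apt_key is deprecated in current Ansible/Debian in favour of a
# keyring file referenced with `signed-by=` in the repo line; the `id` below
# lets the module identify (and on newer versions verify) the expected key.
- name: Add Teleport apt key.
  ansible.builtin.apt_key:
    url: https://deb.releases.teleport.dev/teleport-pubkey.asc
    id: 0C5E8BA5658E320D1B031179C87ED53A6282C411
    state: present

- name: Add Teleport repository.
  ansible.builtin.apt_repository:
    repo: 'deb https://deb.releases.teleport.dev/ stable main'
    state: present
    update_cache: true
--------------------------------------------------------------------------------
/meta/main.yml:
--------------------------------------------------------------------------------
---
galaxy_info:
  role_name: teleport
  author: zen
  description: Teleport node service for Linux.
  company: "Zen Systems"

  license: MIT

  # Quoted so the value stays the string "2.4" rather than the float 2.4.
  # NOTE(review): the tasks use `ansible.builtin.*` FQCNs, which presumably
  # need a newer ansible-core than 2.4 — confirm and raise if so.
  min_ansible_version: "2.4"

  platforms:
    - name: EL
      versions:
        - 7
        - 8
    - name: Debian
      versions:
        - jessie
        - stretch
    - name: Ubuntu
      versions:
        - trusty
        - xenial
        - bionic

  galaxy_tags:
    - system
    - teleport
    - ssh
    - cluster
    - ubuntu
dependencies: []
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
The MIT License (MIT)

Copyright (c) 2021 Matthew Draws

Permission is hereby granted, free of charge, to any person obtaining a copy of
this software and associated documentation files (the "Software"), to deal in
the Software without restriction, including without limitation the rights to
use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
the Software, and to permit persons to whom the Software is furnished to do so,
subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--------------------------------------------------------------------------------
/templates/ec2_teleport.yaml.j2:
--------------------------------------------------------------------------------
#jinja2:lstrip_blocks: True
# Managed by Ansible
# teleport configuration for EC2 instances
# using EC2 join method:
# /etc/teleport.yaml
#
# Interpolated scalars are quoted (label values JSON-encoded) so that a token
# name, address or label that looks like a number or boolean stays a string
# and embedded quotes cannot break the document.
teleport:
  join_params:
    token_name: "{{ teleport_ec2_join_token }}"
    method: ec2
  auth_servers:
  {% for auth_server in teleport_auth_servers %}
    - "{{ auth_server }}"
  {% endfor %}
ssh_service:
  enabled: "yes"
  {% if teleport_host_labels is defined and teleport_host_labels|length %}
  labels:
  {% for label, value in teleport_host_labels.items() %}
  {% if value|string|length %}
    {{ label }}: {{ value | string | to_json }}
  {% endif %}
  {% endfor %}
  {% endif %}
  # Command labels read the instance metadata service. Each command first
  # obtains an IMDSv2 session token (PUT /latest/api/token) and sends it with
  # the GET, so the labels keep working on instances where IMDSv1 is disabled
  # (HttpTokens=required); a plain GET there is rejected and the label would be
  # empty. `curl -f` turns any HTTP error into an empty value instead of an
  # error body. The instance type comes from meta-data/instance-type, which
  # removes the dependency on jq (not installed by this role).
  commands:
    - name: aws_instance_type
      command:
        [
          "/bin/sh",
          "-c",
          "TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' http://169.254.169.254/latest/api/token) && curl -sf -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/instance-type",
        ]
      period: 24h0m0s
    - name: aws_hostname_int
      command:
        [
          "/bin/sh",
          "-c",
          "TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' http://169.254.169.254/latest/api/token) && curl -sf -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/hostname",
        ]
      period: 24h0m0s
    - name: aws_hostname_pub
      command:
        [
          "/bin/sh",
          "-c",
          "TOKEN=$(curl -s -X PUT -H 'X-aws-ec2-metadata-token-ttl-seconds: 60' http://169.254.169.254/latest/api/token) && curl -sf -H \"X-aws-ec2-metadata-token: $TOKEN\" http://169.254.169.254/latest/meta-data/public-hostname",
        ]
      period: 24h0m0s
auth_service:
  enabled: "no"
proxy_service:
  enabled: "no"
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Ansible Role: Teleport Node Service

An ansible role to install or update the teleport node service and teleport config using native packages (RPM and DEB).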

If you add your own teleport config file template, you can run any node services you want (ssh, app, database, kubernetes).

## Requirements

A running teleport cluster so that you can provide the following information:

- auth token (dynamic or static) and CA pin, or
- EC2 join token (see: [documentation](https://goteleport.com/docs/setup/guides/joining-nodes-aws/))
- address of the authentication server

## Role Variables

Variables with their default values as defined in `defaults/main.yml`:

```yaml
teleport_config_template: "default_teleport.yaml.j2"
```

The template to use for the teleport configuration file. The default is `templates/default_teleport.yaml.j2`. It contains a basic configuration that will enable the SSH service and add a command label showing node uptime.

There are many [options available](https://goteleport.com/docs/setup/reference/config/) and you can substitute in your own template and add any variables you want. We also ship the template `templates/ec2_teleport.yaml.j2`, which uses automatic node join with [ec2 tokens](https://goteleport.com/docs/setup/guides/joining-nodes-aws/).

```yaml
teleport_ca_pin: ''
```

The CA pin to use for the teleport configuration. This is optional, but [recommended](https://goteleport.com/docs/setup/admin/adding-nodes/#untrusted-auth-servers).

```yaml
teleport_config_path: "/etc/teleport.yaml"
```

The path to the teleport configuration file.

```yaml
teleport_auth_servers:
  - "https://auth.example.com"
  - "127.0.0.1:3025"
```

The list of authentication servers to use for the teleport configuration. The values shown above are the defaults and serve as examples.

```yaml
teleport_backup_config: true
```

Runs a backup of the teleport configuration file before overwriting it.

## Dependencies

None

## Example Playbook

For example, to install teleport using the EC2 join method:

```yaml
- hosts: all
  roles:
    - zen.teleport
```

*Inside `group_vars/all.yaml`*

```yaml
teleport_config_template: ec2_teleport.yaml.j2
teleport_auth_servers:
  - https://teleport.company.cc:443
teleport_ec2_join_token: ec2-teleport-join-token
teleport_host_labels:
  owner: zen
  type: standalone
```

## License

MIT / BSD

## Author Information

This role was created in 2021 by Matthew Draws; it was forked, completely rewritten and adapted for EL-based systems and native packages by Tomasz 'Zen' Napierala in 2022.
--------------------------------------------------------------------------------