summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'sys-cluster/teleport/files/teleport-2.yaml')
-rw-r--r--sys-cluster/teleport/files/teleport-2.yaml130
1 files changed, 130 insertions, 0 deletions
diff --git a/sys-cluster/teleport/files/teleport-2.yaml b/sys-cluster/teleport/files/teleport-2.yaml
new file mode 100644
index 000000000000..384dea937c97
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport-2.yaml
@@ -0,0 +1,130 @@
+# By default, this file should be stored in /etc/teleport.yaml
+## IMPORTANT ##
+#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+ # nodename allows to assign an alternative name this node can be reached by.
+ # by default it's equal to hostname
+ # nodename: graviton
+
+ # Data directory where Teleport keeps its data, like keys/users for
+ # authentication (if using the default BoltDB back-end)
+ data_dir: /var/lib/teleport
+
+ # one-time invitation token used to join a cluster. it is not used on
+ # subsequent starts
+ auth_token: xxxx-token-xxxx
+
+ # when running in multi-homed or NATed environments Teleport nodes need
+ # to know which IP it will be reachable at by other nodes
+ # public_addr: 10.1.0.5
+
+ # list of auth servers in a cluster. you will have more than one auth server
+ # if you configure teleport auth to run in HA configuration
+ auth_servers:
+ - localhost:3025
+
+ # Teleport throttles all connections to avoid abuse. These settings allow
+ # you to adjust the default limits
+ connection_limits:
+ max_connections: 1000
+ max_users: 250
+
+ # Logging configuration. Possible output values are 'stdout', 'stderr' and
+ # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+ log:
+ output: stderr
+ severity: ERROR
+
+ # Type of storage used for keys. You need to configure this to use etcd
+ # backend if you want to run Teleport in HA configuration.
+ storage:
+ type: bolt
+
+# This section configures the 'auth service':
+auth_service:
+ enabled: yes
+
+ # defines the types and second factors the auth server supports
+ authentication:
+ # second_factor can be off, otp, or u2f
+ second_factor: otp
+
+ # this section is only used if using u2f
+ u2f:
+ # app_id should point to the Web UI.
+ app_id: https://localhost:3080
+
+ # facets should list all proxy servers.
+ facets:
+ - https://localhost
+ - https://localhost:3080
+
+ # IP and the port to bind to. Other Teleport nodes will be connecting to
+ # this port (AKA "Auth API" or "Cluster API") to validate client
+ # certificates
+ listen_addr: 0.0.0.0:3025
+
+ # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+ # the role a new node will be allowed to assume. The more secure way to
+ # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
+ # tokens.
+ #
+ # We recommend to use tools like `pwgen` to generate sufficiently random
+ # tokens of 32+ byte length.
+ tokens:
+ - "proxy,node:xxxxx"
+ - "auth:yyyy"
+
+ # Optional "cluster name" is needed when configuring trust between multiple
+ # auth servers. A cluster name is used as part of a signature in certificates
+ # generated by this CA.
+ #
+ # By default an automatically generated GUID is used.
+ #
+ # IMPORTANT: if you change cluster_name, it will invalidate all generated
+ # certificates and keys (may need to wipe out /var/lib/teleport directory)
+ cluster_name: "main"
+
+# This section configures the 'node service':
+ssh_service:
+ enabled: yes
+ # IP and the port for SSH service to bind to.
+ listen_addr: 0.0.0.0:3022
+ # See explanation of labels in "Labeling Nodes" section below
+ labels:
+ role: master
+ type: postgres
+ # List (YAML array) of commands to periodically execute and use
+ # their output as labels.
+ # See explanation of how this works in "Labeling Nodes" section below
+ commands:
+ - name: hostname
+ command: [/usr/bin/hostname]
+ period: 1m0s
+ - name: arch
+ command: [/usr/bin/uname, -p]
+ period: 1h0m0s
+
+# This section configures the 'proxy servie'
+proxy_service:
+ enabled: yes
+ # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+ # SSH sessions by connecting to this port
+ listen_addr: 0.0.0.0:3023
+
+ # Reverse tunnel listening address. An auth server (CA) can establish an
+ # outbound (from behind the firewall) connection to this address.
+ # This will allow users of the outside CA to connect to behind-the-firewall
+ # nodes.
+ tunnel_listen_addr: 0.0.0.0:3024
+
+ # The HTTPS listen address to serve the Web UI and also to authenticate the
+ # command line (CLI) users via password+HOTP
+ web_listen_addr: 0.0.0.0:3080
+
+ # TLS certificate for the HTTPS connection. Configuring these properly is
+ # critical for Teleport security.
+ https_key_file: /etc/teleport/teleport.key
+ https_cert_file: /etc/teleport/teleport.crt