From 3a6cc61bfeee218f02161b3881bcf5efeb8a2624 Mon Sep 17 00:00:00 2001
From: Graeme Lawes
Date: Mon, 29 May 2017 13:28:38 -0400
Subject: sys-cluster/teleport: new package, #620054
Multi-region SSH for teams managing distributed server clusters.
Closes: https://github.com/gentoo/gentoo/pull/4802
Package-Manager: Portage-2.3.5, Repoman-2.3.1
---
 sys-cluster/teleport/Manifest | 1 +
 sys-cluster/teleport/files/teleport.conf.d | 17 +++
 sys-cluster/teleport/files/teleport.init.d | 29 +++++
 sys-cluster/teleport/files/teleport.service | 11 ++
 sys-cluster/teleport/files/teleport.service.conf | 3 +
 sys-cluster/teleport/files/teleport.yaml | 142 +++++++++++++++++++++++
 sys-cluster/teleport/metadata.xml | 17 +++
 sys-cluster/teleport/teleport-2.2.0.ebuild | 51 ++++++++
 sys-cluster/teleport/teleport-9999.ebuild | 51 ++++++++
 9 files changed, 322 insertions(+)
 create mode 100644 sys-cluster/teleport/Manifest
 create mode 100644 sys-cluster/teleport/files/teleport.conf.d
 create mode 100644 sys-cluster/teleport/files/teleport.init.d
 create mode 100644 sys-cluster/teleport/files/teleport.service
 create mode 100644 sys-cluster/teleport/files/teleport.service.conf
 create mode 100644 sys-cluster/teleport/files/teleport.yaml
 create mode 100644 sys-cluster/teleport/metadata.xml
 create mode 100644 sys-cluster/teleport/teleport-2.2.0.ebuild
 create mode 100644 sys-cluster/teleport/teleport-9999.ebuild
(limited to 'sys-cluster/teleport')
diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest
new file mode 100644
index 000000000000..c1a217ba386c
--- /dev/null
+++ b/sys-cluster/teleport/Manifest
@@ -0,0 +1 @@
+DIST teleport-2.2.0.tar.gz 7229371 SHA256 b12bea0474a0ce5f4df10729607661b1afbecd5e95083835ccee7b54493c9452 SHA512 bec288983371bd3807b7ce994b1533a5e869d903251f8a8ce6315768a1d3ae95d72f832037345c36c9cd4789fbc449c54b86359988b1e74d4f46f9e0db6b3239 WHIRLPOOL 5b128fda80b1ce4afe60e10e6d5d9e83f621f6a405e713af7d1b988562038aa927c9f7c733a927a3aa724c261d058dba1fa75526dd2eb9051b1e6fe4c984004c
diff --git a/sys-cluster/teleport/files/teleport.conf.d b/sys-cluster/teleport/files/teleport.conf.d
new file mode 100644
index 000000000000..e4b2cbb1a7e8
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.conf.d
@@ -0,0 +1,17 @@
+# /etc/conf.d/teleport: config file for /etc/init.d/teleport
+
+# Where is your teleport.yaml file stored?
+TELEPORT_CONFDIR="/etc/teleport"
+
+# Any random options you want to pass to teleport.
+TELEPORT_OPTS=""
+
+# Pid file to use (needs to be absolute path).
+#TELEPORT_PIDFILE="/var/run/teleport.pid"
+
+# Path to log file
+#TELEPORT_LOGFILE="/var/log/teleport.log"
+
+# Startup dependency
+# Un-comment when using etcd storage backend
+#rc_need="etcd"
diff --git a/sys-cluster/teleport/files/teleport.init.d b/sys-cluster/teleport/files/teleport.init.d
new file mode 100644
index 000000000000..a5d08b7f3f69
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.init.d
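Review bot: The init script reads `TELEPORT_BINARY` (defaulting it to /usr/bin/teleport), but this file, which is the place an administrator would override it, never mentions the variable; add `# Path to the teleport binary` / `#TELEPORT_BINARY="/usr/bin/teleport"` beside the other commented defaults, together with making the init script actually pass it to start-stop-daemon, since as shipped the script hard-codes /usr/bin/teleport in both calls. The `TELEPORT_CONFDIR` comment is also a natural place to warn that the teleport.yaml kept there carries cluster join tokens (`auth_token`, `tokens:`) and must stay readable by root only.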
@@ -0,0 +1,29 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+: ${TELEPORT_CONFDIR:=/etc/teleport}
+: ${TELEPORT_PIDFILE:=/var/run/${SVCNAME}.pid}
+: ${TELEPORT_BINARY:=/usr/bin/teleport}
+: ${TELEPORT_LOGFILE:=/var/log/teleport.log}
+
+depend() {
+ need net
+}
+
+start() {
+ ebegin "Starting Teleport SSH Service"
+ start-stop-daemon --start --exec /usr/bin/teleport \
+ --background --make-pidfile --pidfile "${TELEPORT_PIDFILE}" \
+ --stderr "${TELEPORT_LOGFILE}" \
+ -- start --config="${TELEPORT_CONFDIR}/teleport.yaml" \
+ ${TELEPORT_OPTS}
+ eend $?
+}
+
+stop() {
+ ebegin "Stopping Teleport SSH Service"
+ start-stop-daemon --stop --exec /usr/bin/teleport \
+ --pidfile "${TELEPORT_PIDFILE}"
+ eend $?
+}
diff --git a/sys-cluster/teleport/files/teleport.service b/sys-cluster/teleport/files/teleport.service
new file mode 100644
index 000000000000..b74734bbf9ef
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Teleport SSH Service
+After=network.target
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml
+
+[Install]
+WantedBy=multi-user.target
diff --git a/sys-cluster/teleport/files/teleport.service.conf b/sys-cluster/teleport/files/teleport.service.conf
new file mode 100644
index 000000000000..2ff7ffbf3a4e
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.service.conf
@@ -0,0 +1,3 @@
+# Uncomment the following when using the etcd storage backend
+#[Unit]
+#Wants=etcd.service
diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
new file mode 100644
index 000000000000..e297bb89b571
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.yaml
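Review bot: `TELEPORT_BINARY` is given a default at the top of the script, but both start-stop-daemon calls hard-code `--exec /usr/bin/teleport`, so setting the variable in /etc/conf.d/teleport silently changes nothing; use `--exec "${TELEPORT_BINARY}"` in start() and stop(), or drop the variable. The log file is created by start-stop-daemon through `--stderr` with whatever mode its default umask yields, which I believe is world-readable; since teleport's ERROR output can name hosts and users, a `start_pre()` running `checkpath -f -m 0640 "${TELEPORT_LOGFILE}"` would pin the permissions before the daemon opens it.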
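Review bot: `Restart=always` respawns teleport even when it exits cleanly with status 0, so a deliberate exit from inside the process turns into a restart loop; `Restart=on-failure` is the usual choice for a daemon of this kind and still covers crashes. The unit has no `ExecReload`; if the 2.2 binary re-reads its configuration on SIGHUP — confirm against upstream — `ExecReload=/bin/kill -HUP $MAINPID` would let administrators rotate the TLS files named in teleport.yaml without dropping sessions. The service necessarily runs as root (no `User=`), which is consistent with the node service having to spawn user sessions, but a one-line comment in the unit saying so would make that choice explicit rather than looking like an omission.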
@@ -0,0 +1,142 @@
+# By default, this file should be stored in /etc/teleport.yaml
+
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+ # nodename allows to assign an alternative name this node can be reached by.
+ # by default it's equal to hostname
+ # nodename: graviton
+
+ # Data directory where Teleport keeps its data, like keys/users for
+ # authentication (if using the default BoltDB back-end)
+ data_dir: /var/lib/teleport
+
+ # one-time invitation token used to join a cluster. it is not used on
+ # subsequent starts
+ auth_token: xxxx-token-xxxx
+
+ # when running in multi-homed or NATed environments Teleport nodes need
+ # to know which IP it will be reachable at by other nodes
+ # advertise_ip: 10.1.0.5
+
+ # list of auth servers in a cluster. you will have more than one auth server
+ # if you configure teleport auth to run in HA configuration
+ auth_servers:
+ - localhost:3025
+
+ # Teleport throttles all connections to avoid abuse. These settings allow
+ # you to adjust the default limits
+ connection_limits:
+ max_connections: 1000
+ max_users: 250
+
+ # Logging configuration. Possible output values are 'stdout', 'stderr' and
+ # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+ log:
+ output: stderr
+ severity: ERROR
+
+ # Type of storage used for keys. You need to configure this to use etcd
+ # backend if you want to run Teleport in HA configuration.
+ storage:
+ type: bolt
+
+# This section configures the 'auth service':
+auth_service:
+ # Turns 'auth' role on. Default is 'yes'
+ enabled: yes
+
+ # Turns on dynamic configuration. Dynamic configuration defines the source
+ # for configuration information, configuration files on disk or what's
+ # stored in the backend. Default is false if no backend is specified,
+ # otherwise if backend is specified, it is assumed to be true.
+ dynamic_config: false
+
+ # defines the types and second factors the auth server supports
+ authentication:
+ # type can be local or oidc
+ type: local
+ # second_factor can be off, otp, or u2f
+ second_factor: otp
+
+ # this section is only used if using u2f
+ u2f:
+ # app_id should point to the Web UI.
+ app_id: https://localhost:3080
+
+ # facets should list all proxy servers.
+ facets:
+ - https://localhost
+ - https://localhost:3080
+
+ # IP and the port to bind to. Other Teleport nodes will be connecting to
+ # this port (AKA "Auth API" or "Cluster API") to validate client
+ # certificates
+ listen_addr: 0.0.0.0:3025
+
+ # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+ # the role a new node will be allowed to assume. The more secure way to
+ # add nodes is to use `ttl node add --ttl` command to generate auto-expiring
+ # tokens.
+ #
+ # We recommend to use tools like `pwgen` to generate sufficiently random
+ # tokens of 32+ byte length.
+ tokens:
+ - "proxy,node:xxxxx"
+ - "auth:yyyy"
+
+ # Optional "cluster name" is needed when configuring trust between multiple
+ # auth servers. A cluster name is used as part of a signature in certificates
+ # generated by this CA.
+ #
+ # By default an automatically generated GUID is used.
+ #
+ # IMPORTANT: if you change cluster_name, it will invalidate all generated
+ # certificates and keys (may need to wipe out /var/lib/teleport directory)
+ cluster_name: "main"
+
+# This section configures the 'node service':
+ssh_service:
+ # Turns 'ssh' role on. Default is 'yes'
+ enabled: yes
+
+ # IP and the port for SSH service to bind to.
+ listen_addr: 0.0.0.0:3022
+ # See explanation of labels in "Labeling Nodes" section below
+ labels:
+ role: master
+ type: postgres
+ # List (YAML array) of commands to periodically execute and use
+ # their output as labels.
+ # See explanation of how this works in "Labeling Nodes" section below
+ commands:
+ - name: hostname
+ command: [/usr/bin/hostname]
+ period: 1m0s
+ - name: arch
+ command: [/usr/bin/uname, -p]
+ period: 1h0m0s
+
+# This section configures the 'proxy servie'
+proxy_service:
+ # Turns 'proxy' role on. Default is 'yes'
+ enabled: yes
+
+ # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+ # SSH sessions by connecting to this port
+ listen_addr: 0.0.0.0:3023
+
+ # Reverse tunnel listening address. An auth server (CA) can establish an
+ # outbound (from behind the firewall) connection to this address.
+ # This will allow users of the outside CA to connect to behind-the-firewall
+ # nodes.
+ tunnel_listen_addr: 0.0.0.0:3024
+
+ # The HTTPS listen address to serve the Web UI and also to authenticate the
+ # command line (CLI) users via password+HOTP
+ web_listen_addr: 0.0.0.0:3080
+
+ # TLS certificate for the HTTPS connection. Configuring these properly is
+ # critical for Teleport security.
+ https_key_file: /etc/teleport/teleport.key
+ https_cert_file: /etc/teleport/teleport.crt
diff --git a/sys-cluster/teleport/metadata.xml b/sys-cluster/teleport/metadata.xml
new file mode 100644
index 000000000000..224f5639f024
--- /dev/null
+++ b/sys-cluster/teleport/metadata.xml
@@ -0,0 +1,17 @@
+
+
+
+
+ Graeme Lawes
+ graemelawes@gmail.com
+
+
+ Gentoo Proxy Maintainers Project
+ proxy-maint@gentoo.org
+
+
+ https://github.com/gravitational/teleport/blob/master/CHANGELOG.md
+ https://github.com/gravitational/teleport/issues
+ gravitational/teleport
+
+
diff --git a/sys-cluster/teleport/teleport-2.2.0.ebuild b/sys-cluster/teleport/teleport-2.2.0.ebuild
new file mode 100644
index 000000000000..50aac8796fe3
--- /dev/null
+++ b/sys-cluster/teleport/teleport-2.2.0.ebuild
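Review bot: The sample ships active, publicly known join tokens — `auth_token: xxxx-token-xxxx` and the `tokens:` list `"proxy,node:xxxxx"` / `"auth:yyyy"` — while `auth_service` is enabled on `listen_addr: 0.0.0.0:3025`, so until the administrator edits the file any host that can reach that port can register with the auth server as a node, proxy, or even another auth server simply by presenting the placeholder string. Ship `auth_token` and the whole `tokens:` block commented out, so a freshly installed service has no static tokens and operators use the expiring tokens the comment itself recommends (the command quoted there, `ttl node add --ttl`, looks like a typo for `tctl nodes add --ttl` — confirm against the 2.2 CLI). The header `# By default, this file should be stored in /etc/teleport.yaml` disagrees with where this package installs it, `/etc/teleport/teleport.yaml`, and `https_key_file`/`https_cert_file` name files nothing in this commit creates, so a comment should say how they are to be provisioned or what teleport does when they are absent. `cluster_name: "main"` is likewise a live value whose later change invalidates every issued certificate according to its own comment, so it deserves a note to set it before first start.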
@@ -0,0 +1,51 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit eutils golang-build systemd user
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [ ${PV} == "9999" ] ; then
+ inherit git-r3 golang-vcs
+ EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+ inherit golang-vcs-snapshot
+ SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64 ~arm"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE=""
+
+DEPEND="
+ app-arch/zip
+ >=dev-lang/go-1.8.3"
+RDEPEND=""
+
+src_compile() {
+ GOPATH="${S}" emake -C src/${EGO_PN%/*}
+ pushd src/${EGO_PN%/*}/web/dist >/dev/null || die
+ zip -qr "${S}/src/${EGO_PN%/*}/build/webassets.zip" . || die
+ popd >/dev/null || die
+ cat "${S}/src/${EGO_PN%/*}/build/webassets.zip" >> "src/${EGO_PN%/*}/build/${PN}" || die
+ zip -q -A "${S}/src/${EGO_PN%/*}/build/${PN}" || die
+}
+
+src_install() {
+ dodir /var/lib/${PN} /etc/${PN}
+ dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+ insinto /etc/${PN}
+ doins "${FILESDIR}"/${PN}.yaml
+
+ newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
diff --git a/sys-cluster/teleport/teleport-9999.ebuild b/sys-cluster/teleport/teleport-9999.ebuild
new file mode 100644
index 000000000000..875028053444
--- /dev/null
+++ b/sys-cluster/teleport/teleport-9999.ebuild
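Review bot: `doins "${FILESDIR}"/${PN}.yaml` installs the configuration with the default 0644 mode, yet that file carries cluster join tokens (`auth_token`, the `tokens:` list) that any local user could read and present to the auth server on localhost:3025 to enroll a rogue node; add `insopts -m0600` before the `doins`. The data directory that will hold the CA and host keys gets the same treatment: `dodir /var/lib/${PN}` leaves it 0755, so follow it with `fperms 0700 /var/lib/${PN}` (using `keepdir` rather than `dodir` is also the usual idiom), unless teleport is confirmed to tighten an already existing directory itself. The `user` eclass is inherited but no `enewgroup`/`enewuser` is called and the daemon runs as root under both init systems — presumably required for the node service to spawn user sessions, but a comment saying so would stop the next maintainer from "fixing" it, and `eutils` appears to be unused as well. Minor: ebuilds conventionally test `[[ ${PV} == 9999 ]]` rather than `[ ${PV} == "9999" ]`.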
@@ -0,0 +1,51 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit eutils golang-build systemd user
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [ ${PV} == "9999" ] ; then
+ inherit git-r3 golang-vcs
+ EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+ inherit golang-vcs-snapshot
+ SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+ KEYWORDS="~amd64"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE=""
+
+DEPEND="
+ app-arch/zip
+ >=dev-lang/go-1.7"
+RDEPEND=""
+
+src_compile() {
+ GOPATH="${S}" emake -C src/${EGO_PN%/*}
+ pushd src/${EGO_PN%/*}/web/dist >/dev/null || die
+ zip -qr "${S}/src/${EGO_PN%/*}/build/webassets.zip" . || die
+ popd >/dev/null || die
+ cat "${S}/src/${EGO_PN%/*}/build/webassets.zip" >> "src/${EGO_PN%/*}/build/${PN}" || die
+ zip -q -A "${S}/src/${EGO_PN%/*}/build/${PN}" || die
+}
+
+src_install() {
+ dodir /var/lib/${PN} /etc/${PN}
+ dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+ insinto /etc/${PN}
+ doins "${FILESDIR}"/${PN}.yaml
+
+ newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+ newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+ systemd_dounit "${FILESDIR}"/${PN}.service
+ systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
-- cgit v1.2.3-18-g5258
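Review bot: This live ebuild is a near-copy of teleport-2.2.0.ebuild but disagrees with it on the toolchain floor — `>=dev-lang/go-1.7` here against `>=dev-lang/go-1.8.3` there — so the master branch, which presumably needs at least what the 2.2.0 release needs, is built against the weaker requirement; align it to `>=dev-lang/go-1.8.3` or note why it differs. The same installation concerns carry over: `doins` leaves a token-bearing teleport.yaml world-readable (`insopts -m0600` before it fixes that) and `dodir /var/lib/${PN}` leaves the key directory 0755 rather than 0700. Because `${PV}` is always 9999 in this file, the `else` branch with `SRC_URI`/`KEYWORDS` is dead code; a live ebuild normally carries an empty `KEYWORDS=""` at top level and only the git-r3 inherit.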