enix.teleport

This is a role for deploying and setting up teleport and its extensions on Unix systems using Ansible.

Warning: This Ansible Role is no longer maintained and is now read-only. Thank you.

Requirements

Supported systems:

  • Ubuntu versions: 18.04 "Bionic", 20.04 "Focal", 22.04 "Jammy"
  • Debian versions: 7 "Wheezy", 8 "Jessie", 9 "Stretch", 10 "Buster", 11 "Bullseye", 12 "Bookworm"

Role Variables

This role comes with many default settings that can be changed in your hosts/group variables, inventory, or playbook. You can find more about these defaults in defaults/main.yml. All variables start with teleport__.

  • teleport__version: 10 - The version of the binary to install. Default is version 8. Available versions: 8, 9, 10, 11.
  • teleport__agent: false - Set to true to configure and enable the teleport agent.
  • teleport__bind_addr: 0.0.0.0 - Default bind address, reused by the auth, SSH, web and tunnel address settings below.
  • teleport__nodename - The name reported by the teleport agent to its connected proxy. If not set, it will use the machine's hostname.
  • teleport__diag: false - Set to true to enable the HTTP monitoring endpoint.
  • teleport__diag_addr: "127.0.0.1" - Address for the HTTP monitoring endpoint.
  • teleport__diag_port: 3000 - Port for the HTTP monitoring endpoint.
  • teleport__node: false - Set to true to enable the teleport node role.
  • teleport__node_token: "" - Token used to connect to the proxy.
  • teleport__node_server: "" - URL of the proxy server.
  • teleport__proxy: false - Set to true to enable proxy mode in teleport.
  • teleport__proxy_public_addr: "" - Public address exposed by the proxy.
  • teleport__proxy_acme: false - Enable ACME protocol for public certificates.
  • teleport__proxy_acme_email: "" - Email for ACME requests.
  • teleport__auth: false - Set to true to enable teleport authentication.
  • teleport__auth_cluster_name: "" - Name of the teleport authentication cluster.
  • teleport__auth_u2f: false - Enable U2F (older configuration).
  • teleport__auth_addr: {{ teleport__bind_addr }} - Address for the teleport authentication service.
  • teleport__auth_port: 3025 - Port for the teleport authentication service.
  • teleport__ssh_addr: {{ teleport__bind_addr }} - Address for the SSH teleport service.
  • teleport__ssh_port: 3022 - Port for the SSH teleport service.
  • teleport__ssh: false - Set to true to enable the teleport SSH module.
  • teleport__ssh_labels: '' - Add labels to the SSH module (YAML format).
  • teleport__ssh_pam_enabled: true - Enable PAM authentication.
  • teleport__ssh_pam_service: 'sshd' - Name of the PAM service.
  • teleport__app: false - Set to true to enable the teleport application module.
  • teleport_applications: [] - List of applications with keys:
    • name: Application name
    • uri: URI to reverse-proxy
    • skip_verify: false - Whether to skip certificate verification.
  • teleport__web_addr: {{ teleport__bind_addr }} - Address for the web teleport service.
  • teleport__web_port: 443 - Port for the web teleport service.
  • teleport__tunnel_addr: {{ teleport__bind_addr }} - Address for the tunnel service.
  • teleport__tunnel_port: 3024 - Port for the tunnel teleport service.
  • teleport__binary_compat: false - If true, deploy a compatible binary version alongside the package.
  • teleport__install_repo: true - Set to false to skip repo installation (useful for air-gapped environments).

Dependencies

  • None

Usage

To use, add to Ansible Galaxy requirements.yml:

# teleport from enix
# private role
- src: git+ssh://[email protected]/ansible/ansible-teleport.git
  name: enix.teleport

And include it in your playbook:

# Node example
- hosts: all
  roles:
    - role: enix.teleport
      teleport__agent: true
      teleport__version: 9
      teleport__nodename: "test.node"
      teleport__node: true
      # Token used to connect to the proxy (sample value)
      teleport__node_token: "gjlksfdjglkfsdjlkgfds9423"
      teleport__node_server: "https://toto.tp.com:3025"
      teleport__ssh: true
      teleport__ssh_labels:
        tenant: toto.com

# Proxy example
- hosts: all
  roles:
    - role: enix.teleport
      teleport__agent: true
      teleport__version: 10
      teleport__nodename: "toto.proxy"
      teleport__proxy: true
      teleport__proxy_public_addr: "toto.tp.com"
      teleport__proxy_acme: false
      teleport__proxy_acme_email: "[email protected]"
      teleport__auth: true
      teleport__auth_cluster_name: "toto.tp.com"
      teleport__ssh: true
      teleport__ssh_labels:
        tenant: toto.com
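
The README documents the application module and the diagnostic endpoint but gives no playbook for them. The play below is an added example, not taken from the role or its authors: it deploys an app-service agent, reads the join token from a vaulted variable instead of writing it in the playbook, and checks the security-relevant variables before the role runs. The host group, the vault variable name and the application entry are hypothetical, and it assumes the agent joins through teleport__node_token and teleport__node_server as in the node example.

```yaml
# Added example: app-service agent with a vaulted join token and pre-flight checks.
- hosts: teleport_apps                    # hypothetical inventory group
  vars:
    teleport__agent: true
    teleport__version: 10
    # Join token kept in an Ansible Vault file; the variable name is hypothetical.
    teleport__node_token: "{{ vault_teleport_node_token }}"
    teleport__node_server: "https://toto.tp.com:3025"
    teleport__app: true
    teleport_applications:
      - name: internal-dashboard          # constructed application entry
        uri: "https://dashboard.internal.example:8443"
        skip_verify: false                # keep upstream certificate verification on
    teleport__diag: true
    teleport__diag_addr: "127.0.0.1"      # monitoring endpoint stays on loopback
    teleport__diag_port: 3000
  pre_tasks:
    - name: Refuse to deploy with risky teleport settings
      ansible.builtin.assert:
        that:
          # A join token must be supplied
          - teleport__node_token | length > 0
          # If the diagnostic endpoint is enabled, it must listen on loopback only
          - (not teleport__diag) or teleport__diag_addr in ['127.0.0.1', '::1']
          # No proxied application may disable certificate verification
          - >-
            teleport_applications
            | selectattr('skip_verify', 'defined')
            | selectattr('skip_verify')
            | list | length == 0
        fail_msg: >-
          Empty join token, diagnostic endpoint off loopback, or an application
          with skip_verify enabled.
  roles:
    - role: enix.teleport
```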

Changelog

1.9.1

  • Added support for PAM

1.9.0

  • Fixed package UnHold issue
  • Set default version to 10
  • Added molecule tests

1.8.2

  • Supported VyOS
  • Allowed overwriting ansible_distribution in APT repo URL

1.8.1

  • Added config Ansible tag

1.8.0

  • Made nodename optional (defaults to hostname)

1.7.1

  • Fixed error message for non-debian-like targets
  • Used new package signature check method when applicable

1.7.0

  • Added support for old-style U2F configuration

1.6.1

  • Fixed duplicate diagnostic config

1.6.0

  • Added support for diagnostic HTTP endpoint

1.5.2

  • Fixed YAML linting error

1.5.1

  • Cosmetic change in teleport.yaml template

1.5.0

  • Supported app service

1.4.0

  • Supported external LE certificates (with ACME disabled)

1.3.1

  • Fixed missing trailing slash in legacy debian repository

1.3.0

  • Added teleport upgrade support (waiting for connection)
  • Removed legacy apt repository
  • Automatically upgraded teleport package if newer version is available

1.2.0

  • Added proxy bind address support

1.1.0

  • Fallback to teleport debian repository for major versions.

1.0.0

  • Used Enix debian repository by default

0.9.2

  • Updated compatible binary to version 8.3.8

0.9.1

  • Added CentOS 6 binary compatibility (Debian 8 Jessie)

0.9.0

  • Initial version.

License

GPLv2

Author Information

Laurent Corbes laurent.corbes@enix.fr - Enix

Project information

Ansible role to deploy teleport software

Install: ansible-galaxy install enix.teleport
License: Unknown
Downloads: 924
Owner: Enix