teleport
enix.teleport
A role for deploying and configuring teleport and extensions on unix hosts using Ansible.
[!WARNING] This Ansible Role is no longer maintained and the project now read only. Thank You.
Requirements
Supported targets:
- Ubuntu 18.04 "Bionic"
- Ubuntu 20.04 "Focal"
- Ubuntu 22.04 "Jammy"
- Debian 7 "Wheezy"
- Debian 8 "Jessie"
- Debian 9 "Stretch"
- Debian 10 "Buster"
- Debian 11 "Bullseye"
- Debian 12 "Bookworm"
Role Variables
This roles comes preloaded with almost every available default. You can override each one in your hosts/group vars, in your inventory, or in your play. See the annotated defaults in defaults/main.yml
for help in configuration. All provided variables start with teleport__
.
teleport__version: 10
- Major Version / branch of the binary to install and hold, default install repo version 8. Available now: 8, 9, 10, 11.teleport__agent: false
- Configure and Enable the teleport agent software.teleport__bind_addr: 0.0.0.0
- Bind address used to default all other bind address configurationteleport__nodename
- Name the teleport agent reports to its connected proxy. If undefined, no nodename will be configured and Teleport will default to the machine's hostname.teleport__diag: false
- Enable teleport HTTP monitoring endpoint.teleport__diag_addr: "127.0.0.1"
- Bind address for HTTP monitoring endpoint.teleport__diag_port: 3000
- Port to bind for HTTP monitoring endpoint.teleport__node: false
- Configure and Enable teleport node role.teleport__node_token: ""
- Token used to join the proxy.teleport__node_server: ""
- Proxy server url.teleport__proxy: false
- Enable the proxy mode in teleport.teleport__proxy_public_addr: ""
- Public address the proxy expose.teleport__proxy_acme: false
- Enable ACME protocol for public certificate. When disabled, Teleport will look for certificate in/etc/letsencrypt/live/{{ teleport__proxy_public_addr }}
teleport__proxy_acme_email: ""
- Email for the ACME request.teleport__auth: false
- Enable teleport auth role.teleport__auth_cluster_name: ""
- Teleport auth cluster name.teleport__auth_u2f: false
- Enable U2F (old-style non-webauthn configuration)teleport__auth_addr: {{ teleport__bind_addr }}
- Bind address for auth teleport serviceteleport__auth_port: 3025
- Port to bind for auth teleport serviceteleport__ssh_addr: {{ teleport__bind_addr }}
- Bind address for ssh teleport serviceteleport__ssh_port: 3022
- Port to bind for ssh teleport serviceteleport__ssh: false
- Enable teleport ssh module.teleport__ssh_labels: ''
- Add labels to the ssh module (yaml format).teleport__ssh_pam_enabled: true
- Enable PAM.teleport__ssh_pam_service: 'sshd'
- PAM service name.teleport__app: false
- Enable teleport app moduleteleport_applications: []
- List of applications, defined as a dict with the following keys:name
- Name of the applicationuri
- URI to reverse-proxifyskip_verify: false
- Whether or not to skip certificate verification on the target URI
teleport__web_addr: {{ teleport__bind_addr }}
- Bind address for web teleport serviceteleport__web_port: 443
- Port to bind for web teleport serviceteleport__tunnel_addr: {{ teleport__bind_addr }}
- Bind address for tunnel serviceteleport__tunnel_port: 3024
- Port to bind for tunnel teleport serviceteleport__binary_compat: false
- If true will deploy a binary version beside the package with more glibc compatibility. (Automatically done on debian pre buster (10) releases)teleport__install_repo: true
- Set to false if you want to prevent repo installation (usefull for airgap environnement - install manually then use this role to configure everything)
Dependencies
- None
Usage
Use Ansible galaxy requirements.yml
# teleport from enix
# private role
- src: git+ssh://[email protected]/ansible/ansible-teleport.git
name: enix.teleport
And add it to your play's roles:
# Node example
- hosts: all
roles:
- role enix.teleport:
teleport__agent: true
teleport__version: 9
teleport__nodename: "test.node"
teleport__node: true
teleport__node_token: "gjlksfdjglkfsdjlkgfds9423"
teleport__node_server: "https://toto.tp.com:3025"
teleport__ssh: true
teleport__ssh_labels:
tenant: toto.com
# Proxy example
- hosts: all
roles:
- role enix.teleport:
teleport__agent: true
teleport__version: 10
teleport__nodename: "toto.proxy"
teleport__proxy: true
teleport__proxy_public_addr: "toto.tp.com"
teleport__proxy_acme: false
teleport__proxy_acme_email: "[email protected]"
teleport__auth: true
teleport__auth_cluster_name: "toto.tp.com"
teleport__ssh: true
teleport__ssh_labels:
tenant: toto.com
Changelog
1.9.1
Add support for PAM
1.9.0
Fix issue with package UnHold
Change default version to 10
Added molecule
tests
1.8.2
Support VyOS
Allow overwriting ansible_distribution
in the APT repository URL
1.8.1
Add config
Ansible tag
1.8.0
Make nodename optional (Teleport will default to the hostname)
1.7.1
Fix error message when target is not debian-like Use new package signature check method when applicable, and cleanup repository management
1.7.0
Add support for U2F old-style (non-webauthn) configuration
1.6.1
Fix duplicate diag config
1.6.0
Add support for diag HTTP endpoint
1.5.2
Fix YAML linting error
1.5.1
Cosmetic change in teleport.yaml template to avoid unnecessary diff
1.5.0
Support app service
1.4.0
Support LE certificates generated from outside teleport (ACME disabled)
1.3.1
Fix missing tailing slash on legacy debian repository
1.3.0
Add support for teleport upgrade using teleport (handler will wait for connection to be alive)
Force removal of legacy apt repository
Automatically upgrade teleport package if newer version available
1.2.0
Add proxy bindaddr support
1.1.0
Fallback to teleport debian repository with major versions.
1.0.0
Use Enix debian repo by default
0.9.2
Update compat binary to version 8.3.8
0.9.1
Add centos 6 binary compat (debian 8 jessie)
0.9.0
Initial version.
License
GPLv2
Author Information
Laurent Corbes laurent.corbes@enix.fr - http://www.enix.io