Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
defaults
meta
tasks
templates
tests
vars
.travis.yml
README.md

README.md

Ansible Role: Teleport

Ansible Galaxy Build Status

An Ansible Role that installs Teleport on RHEL/CentOS, Debian/Ubuntu, SUSE.

Teleport is an SSH for Clusters and Teams

Install

ansible-galaxy install woohgit.teleport

Requirements

You will need to provide your own SSL certificate and key files. You can generate a self-signed certificate with a command like openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt. If no SSL certs/keys are given, teleport will automatically generate one for you.

Role Variables

Available variables are listed below, along with default values (see defaults/main.yml):

teleport_version: "2.3.5"
teleport_url: "https://github.com/gravitational/teleport/releases/download/v{{ teleport_version }}/teleport-v{{ teleport_version }}-linux-amd64-bin.tar.gz"
teleport_ssl_cert_path: "/etc/teleport"
teleport_config_path: "/etc/teleport.yaml"
teleport_nodename: "teleport"
teleport_auth_servers:
    - 127.0.0.1:3025
teleport_data_dir: "/var/lib/teleport"

Teleport stores the data locally under the teleport_data_dir.

teleport_log_level: 'WARN'
teleport_storage_type: 'bolt'
teleport_pidfile: '/var/run/teleport.pid'

teleport_default_address: '0.0.0.0'

This sets the default address used in the various *_listen_address variables below. The default of '0.0.0.0' means to listen on all IPv4 interfaces. Setting it to '::' would listen on all IPv6 (and IPv4, if your hosts have the appropriate networking option enabled) addresses. (Note that Teleport's IPv6 support is not yet official; use this at your own risk.)

teleport_auth_enabled: true
teleport_auth_listen_address: '{{ teleport_default_address | ipwrap }}:3025'
teleport_auth_cluster_name: 'main'


teleport_auth_tokens_node: []
teleport_auth_tokens_proxy: []
teleport_auth_tokens_auth: []

You probably want to have multiple nodes joined to our cluster. You can do that with temporary tokens or you can automate the process and use static tokens. The 3 well known roles - auth, proxy, node - can have 3 different tokens.

teleport_auth_trusted_clusters: []
teleport_auth_oidc_connectors: []


teleport_ssh_enabled: true

If you don't want to login to this server using Teleport, only via the standard SSH way, disable the SSH service by setting this value to false.

teleport_ssh_listen_address: '{{ teleport_default_address | ipwrap }}:3022'
teleport_commands: []

teleport_proxy_enabled: true

If you want to disable the WebUI (proxy), set this setting to false.

teleport_proxy_listen_address: '{{ teleport_default_address | ipwrap }}:3023'
teleport_proxy_web_listen_address: '{{ teleport_default_address | ipwrap }}:3080'
teleport_proxy_tunnel_listen_address: '{{ teleport_default_address | ipwrap }}:3024'
teleport_proxy_https_key_file: ''
teleport_proxy_https_cert_file: ''

For full reference see the official teleport documentation by gravitational.

Dependencies

  • Ansible 2.4 or newer
  • Python netaddr package (available on Debian/EPEL as python-netaddr)

Core Concepts

There are three types of services (roles) in a Teleport cluster.

  • Proxy service accepts inbound connections from the clients and routes them to the appropriate nodes. The proxy also serves the Web UI.
  • Auth service provides authentication and authorization service to proxies and nodes. It is the certificate authority (CA) of a cluster and the storage for audit logs. It is the only stateful component of a Teleport cluster.
  • Node role provides the SSH access to a node. Typically every machine in a cluster runs teleport with this role. It is stateless and lightweight.

For more details about teleport architecture, please refer to the official documentation.

Example Playbook for setting up a Teleport proxy and auth server without node role.

- hosts: teleport_proxies
  vars_files:
    - vars/main.yml
  roles:
    - { role: woohgit.teleport }

Inside vars/main.yml

teleport_ssh_enabled: false
teleport_auth_tokens_node:
  - xxxx-yyyy-xxxx

If you want to be able to login to the proxy host too using teleport, set teleport_ssh_enabled to true.

Example Playbook for setting up a Teleport node.

You can automatically connect a node to the proxy server by providing same same auth_token.

- hosts: teleport_nodes
  vars_files:
    - vars/main.yml
  roles:
    - { role: woohgit.teleport }

Inside vars/main.yml:

teleport_ssh_enabled: true
teleport_auth_enabled: false
teleport_proxy_enabled: false
teleport_auth_servers:
  - ip_of_the_proxy_server
teleport_auth_token: xxxx-yyyy-xxxx

License

MIT / BSD

Author Information

This role was created in 2016 by Adam Papai.