commit: e56f33fdbeffc8937b2afa7e7a138a8d62632c65 |
Author: Graeme Lawes <graemelawes <AT> gmail <DOT> com> |
AuthorDate: Sun Aug 5 03:42:50 2018 +0000 |
Commit: Patrice Clement <monsieurp <AT> gentoo <DOT> org> |
CommitDate: Sun Aug 5 21:47:23 2018 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e56f33fd |
|
sys-cluster/teleport: rename configuration file. |
|
Teleport 2.5 (removed) had different configuration options; revert |
to using standard teleport.yaml filename as config file source |
|
sys-cluster/teleport/files/teleport-2.6.yaml | 130 --------------------------- |
sys-cluster/teleport/files/teleport.yaml | 18 +--- |
sys-cluster/teleport/teleport-2.6.7.ebuild | 2 +- |
3 files changed, 4 insertions(+), 146 deletions(-) |
|
diff --git a/sys-cluster/teleport/files/teleport-2.6.yaml b/sys-cluster/teleport/files/teleport-2.6.yaml |
19 |
deleted file mode 100644 |
20 |
index 384dea937c9..00000000000 |
21 |
--- a/sys-cluster/teleport/files/teleport-2.6.yaml |
22 |
+++ /dev/null |
23 |
@@ -1,130 +0,0 @@ |
24 |
-# By default, this file should be stored in /etc/teleport.yaml |
25 |
-## IMPORTANT ## |
26 |
-#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters |
27 |
-# This section of the configuration file applies to all teleport |
28 |
-# services. |
29 |
-teleport: |
30 |
- # nodename allows to assign an alternative name this node can be reached by. |
31 |
- # by default it's equal to hostname |
32 |
- # nodename: graviton |
33 |
- |
34 |
- # Data directory where Teleport keeps its data, like keys/users for |
35 |
- # authentication (if using the default BoltDB back-end) |
36 |
- data_dir: /var/lib/teleport |
37 |
- |
38 |
- # one-time invitation token used to join a cluster. it is not used on |
39 |
- # subsequent starts |
40 |
- auth_token: xxxx-token-xxxx |
41 |
- |
42 |
- # when running in multi-homed or NATed environments Teleport nodes need |
43 |
- # to know which IP it will be reachable at by other nodes |
44 |
- # public_addr: 10.1.0.5 |
45 |
- |
46 |
- # list of auth servers in a cluster. you will have more than one auth server |
47 |
- # if you configure teleport auth to run in HA configuration |
48 |
- auth_servers: |
49 |
- - localhost:3025 |
50 |
- |
51 |
- # Teleport throttles all connections to avoid abuse. These settings allow |
52 |
- # you to adjust the default limits |
53 |
- connection_limits: |
54 |
- max_connections: 1000 |
55 |
- max_users: 250 |
56 |
- |
57 |
- # Logging configuration. Possible output values are 'stdout', 'stderr' and |
58 |
- # 'syslog'. Possible severity values are INFO, WARN and ERROR (default). |
59 |
- log: |
60 |
- output: stderr |
61 |
- severity: ERROR |
62 |
- |
63 |
- # Type of storage used for keys. You need to configure this to use etcd |
64 |
- # backend if you want to run Teleport in HA configuration. |
65 |
- storage: |
66 |
- type: bolt |
67 |
- |
68 |
-# This section configures the 'auth service': |
69 |
-auth_service: |
70 |
- enabled: yes |
71 |
- |
72 |
- # defines the types and second factors the auth server supports |
73 |
- authentication: |
74 |
- # second_factor can be off, otp, or u2f |
75 |
- second_factor: otp |
76 |
- |
77 |
- # this section is only used if using u2f |
78 |
- u2f: |
79 |
- # app_id should point to the Web UI. |
80 |
- app_id: https://localhost:3080 |
81 |
- |
82 |
- # facets should list all proxy servers. |
83 |
- facets: |
84 |
- - https://localhost |
85 |
- - https://localhost:3080 |
86 |
- |
87 |
- # IP and the port to bind to. Other Teleport nodes will be connecting to |
88 |
- # this port (AKA "Auth API" or "Cluster API") to validate client |
89 |
- # certificates |
90 |
- listen_addr: 0.0.0.0:3025 |
91 |
- |
92 |
- # Pre-defined tokens for adding new nodes to a cluster. Each token specifies |
93 |
- # the role a new node will be allowed to assume. The more secure way to |
94 |
- # add nodes is to use `ttl node add --ttl` command to generate auto-expiring |
95 |
- # tokens. |
96 |
- # |
97 |
- # We recommend to use tools like `pwgen` to generate sufficiently random |
98 |
- # tokens of 32+ byte length. |
99 |
- tokens: |
100 |
- - "proxy,node:xxxxx" |
101 |
- - "auth:yyyy" |
102 |
- |
103 |
- # Optional "cluster name" is needed when configuring trust between multiple |
104 |
- # auth servers. A cluster name is used as part of a signature in certificates |
105 |
- # generated by this CA. |
106 |
- # |
107 |
- # By default an automatically generated GUID is used. |
108 |
- # |
109 |
- # IMPORTANT: if you change cluster_name, it will invalidate all generated |
110 |
- # certificates and keys (may need to wipe out /var/lib/teleport directory) |
111 |
- cluster_name: "main" |
112 |
- |
113 |
-# This section configures the 'node service': |
114 |
-ssh_service: |
115 |
- enabled: yes |
116 |
- # IP and the port for SSH service to bind to. |
117 |
- listen_addr: 0.0.0.0:3022 |
118 |
- # See explanation of labels in "Labeling Nodes" section below |
119 |
- labels: |
120 |
- role: master |
121 |
- type: postgres |
122 |
- # List (YAML array) of commands to periodically execute and use |
123 |
- # their output as labels. |
124 |
- # See explanation of how this works in "Labeling Nodes" section below |
125 |
- commands: |
126 |
- - name: hostname |
127 |
- command: [/usr/bin/hostname] |
128 |
- period: 1m0s |
129 |
- - name: arch |
130 |
- command: [/usr/bin/uname, -p] |
131 |
- period: 1h0m0s |
132 |
- |
133 |
-# This section configures the 'proxy servie' |
134 |
-proxy_service: |
135 |
- enabled: yes |
136 |
- # SSH forwarding/proxy address. Command line (CLI) clients always begin their |
137 |
- # SSH sessions by connecting to this port |
138 |
- listen_addr: 0.0.0.0:3023 |
139 |
- |
140 |
- # Reverse tunnel listening address. An auth server (CA) can establish an |
141 |
- # outbound (from behind the firewall) connection to this address. |
142 |
- # This will allow users of the outside CA to connect to behind-the-firewall |
143 |
- # nodes. |
144 |
- tunnel_listen_addr: 0.0.0.0:3024 |
145 |
- |
146 |
- # The HTTPS listen address to serve the Web UI and also to authenticate the |
147 |
- # command line (CLI) users via password+HOTP |
148 |
- web_listen_addr: 0.0.0.0:3080 |
149 |
- |
150 |
- # TLS certificate for the HTTPS connection. Configuring these properly is |
151 |
- # critical for Teleport security. |
152 |
- https_key_file: /etc/teleport/teleport.key |
153 |
- https_cert_file: /etc/teleport/teleport.crt |
154 |
|
155 |
diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml |
156 |
index e297bb89b57..384dea937c9 100644 |
157 |
--- a/sys-cluster/teleport/files/teleport.yaml |
158 |
+++ b/sys-cluster/teleport/files/teleport.yaml |
159 |
@@ -1,5 +1,6 @@ |
160 |
# By default, this file should be stored in /etc/teleport.yaml |
161 |
- |
162 |
+## IMPORTANT ## |
163 |
+#When editing YAML configuration, please pay attention to how your editor handles white space. YAML requires consistent handling of tab characters |
164 |
# This section of the configuration file applies to all teleport |
165 |
# services. |
166 |
teleport: |
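Review bot: The added `#When editing YAML configuration ...` comment has no space after `#`, runs far past 120 columns, and its wording that YAML "requires consistent handling of tab characters" understates the rule: tab characters are not permitted in YAML indentation at all, which is the actual trap for someone editing this file. I would split it into two lines, `# When editing this file, pay attention to how your editor handles whitespace:` and `# YAML does not allow tab characters for indentation; use spaces only.`. The `## IMPORTANT ##` banner above it can stay as is.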
167 |
@@ -17,7 +18,7 @@ teleport: |
168 |
|
169 |
# when running in multi-homed or NATed environments Teleport nodes need |
170 |
# to know which IP it will be reachable at by other nodes |
171 |
- # advertise_ip: 10.1.0.5 |
172 |
+ # public_addr: 10.1.0.5 |
173 |
|
174 |
# list of auth servers in a cluster. you will have more than one auth server |
175 |
# if you configure teleport auth to run in HA configuration |
176 |
@@ -43,19 +44,10 @@ teleport: |
177 |
|
178 |
# This section configures the 'auth service': |
179 |
auth_service: |
180 |
- # Turns 'auth' role on. Default is 'yes' |
181 |
enabled: yes |
182 |
|
183 |
- # Turns on dynamic configuration. Dynamic configuration defines the source |
184 |
- # for configuration information, configuration files on disk or what's |
185 |
- # stored in the backend. Default is false if no backend is specified, |
186 |
- # otherwise if backend is specified, it is assumed to be true. |
187 |
- dynamic_config: false |
188 |
- |
189 |
# defines the types and second factors the auth server supports |
190 |
authentication: |
191 |
- # type can be local or oidc |
192 |
- type: local |
193 |
# second_factor can be off, otp, or u2f |
194 |
second_factor: otp |
195 |
|
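Review bot: The `enabled: yes` kept as context under auth_service, and likewise in the ssh_service and proxy_service hunks below, relies on YAML 1.1 truthy parsing; Teleport's loader evidently accepts it (the deleted 2.6 sample used the same form), but a 1.2-strict validator or yamllint's `truthy` rule flags it, and the removed `# Turns 'auth' role on. Default is 'yes'` comment was the only hint that the value is a boolean. I would write `enabled: true` in all three places. Dropping `type: local` under authentication presumably falls back to Teleport's default of local authentication, which is worth confirming against the 2.6.7 configuration reference since the commit message describes only a filename change.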
196 |
@@ -97,9 +89,7 @@ auth_service: |
197 |
|
198 |
# This section configures the 'node service': |
199 |
ssh_service: |
200 |
- # Turns 'ssh' role on. Default is 'yes' |
201 |
enabled: yes |
202 |
- |
203 |
# IP and the port for SSH service to bind to. |
204 |
listen_addr: 0.0.0.0:3022 |
205 |
# See explanation of labels in "Labeling Nodes" section below |
206 |
@@ -119,9 +109,7 @@ ssh_service: |
207 |
|
208 |
# This section configures the 'proxy servie' |
209 |
proxy_service: |
210 |
- # Turns 'proxy' role on. Default is 'yes' |
211 |
enabled: yes |
212 |
- |
213 |
# SSH forwarding/proxy address. Command line (CLI) clients always begin their |
214 |
# SSH sessions by connecting to this port |
215 |
listen_addr: 0.0.0.0:3023 |
216 |
|
217 |
diff --git a/sys-cluster/teleport/teleport-2.6.7.ebuild b/sys-cluster/teleport/teleport-2.6.7.ebuild |
218 |
index a187d11ee22..4a7a27e42a4 100644 |
219 |
--- a/sys-cluster/teleport/teleport-2.6.7.ebuild |
220 |
+++ b/sys-cluster/teleport/teleport-2.6.7.ebuild |
221 |
@@ -35,7 +35,7 @@ src_install() { |
222 |
dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport} |
223 |
|
224 |
insinto /etc/${PN} |
225 |
- newins "${FILESDIR}"/${PN}-2.6.yaml ${PN}.yaml |
226 |
+ newins "${FILESDIR}"/${PN}.yaml ${PN}.yaml |
227 |
|
228 |
newinitd "${FILESDIR}"/${PN}.init.d ${PN} |
229 |
newconfd "${FILESDIR}"/${PN}.conf.d ${PN} |
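Review bot: The sample config installed by `newins` under /etc/${PN} is, by blob id 384dea937c9, the file deleted in the first hunk of this commit, and that file carries an `auth_token:` value and a static `tokens:` list; once an administrator fills those in, the default install mode leaves cluster join secrets readable by every local user. I would wrap the install as `insopts -m0600`, `doins "${FILESDIR}"/${PN}.yaml`, `insopts -m0644` (doins suffices now that the basename is no longer changed, and resetting insopts keeps any later doins in this phase at the default mode). The sample's own header says it belongs at /etc/teleport.yaml while the ebuild installs it at /etc/teleport/teleport.yaml, which presumably the init script reconciles with an explicit config path — worth confirming. src_install starts before this hunk and continues past it.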