An Ansible Role that installs Teleport on RHEL/CentOS, Debian/Ubuntu, SUSE.
Teleport is an SSH for Clusters and Teams
ansible-galaxy install woohgit.teleport
You will need to provide your own SSL certificate and key files. You can generate a self-signed certificate with a command like openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout example.key -out example.crt
. If no SSL certs/keys are given, teleport will automatically generate one for you.
Available variables are listed below, along with default values (see defaults/main.yml
):
teleport_version: "2.3.5"
teleport_url: "https://github.com/gravitational/teleport/releases/download/v{{ teleport_version }}/teleport-v{{ teleport_version }}-linux-amd64-bin.tar.gz"
teleport_ssl_cert_path: "/etc/teleport"
teleport_config_path: "/etc/teleport.yaml"
teleport_nodename: "teleport"
teleport_auth_servers:
- 127.0.0.1:3025
teleport_data_dir: "/var/lib/teleport"
Teleport stores the data locally under the teleport_data_dir
.
teleport_log_level: 'WARN'
teleport_storage_type: 'bolt'
teleport_pidfile: '/var/run/teleport.pid'
teleport_default_address: '0.0.0.0'
This sets the default address used in the various *_listen_address
variables
below. The default of '0.0.0.0'
means to listen on all IPv4 interfaces.
Setting it to '::'
would listen on all IPv6 (and IPv4, if your hosts have the
appropriate networking option enabled) addresses. (Note that Teleport's IPv6
support is not yet official; use this at your own risk.)
teleport_auth_enabled: true
teleport_auth_listen_address: '{{ teleport_default_address | ipwrap }}:3025'
teleport_auth_cluster_name: 'main'
teleport_auth_tokens_node: []
teleport_auth_tokens_proxy: []
teleport_auth_tokens_auth: []
You probably want to have multiple nodes joined to our cluster. You can do that with temporary tokens or you can automate the process and use static tokens. The 3 well known roles - auth, proxy, node - can have 3 different tokens.
teleport_auth_trusted_clusters: []
teleport_auth_oidc_connectors: []
teleport_ssh_enabled: true
If you don't want to login to this server using Teleport, only via the standard SSH way, disable the SSH service by setting this value to false
.
teleport_ssh_listen_address: '{{ teleport_default_address | ipwrap }}:3022'
teleport_commands: []
teleport_proxy_enabled: true
If you want to disable the WebUI (proxy), set this setting to false
.
teleport_proxy_listen_address: '{{ teleport_default_address | ipwrap }}:3023'
teleport_proxy_web_listen_address: '{{ teleport_default_address | ipwrap }}:3080'
teleport_proxy_tunnel_listen_address: '{{ teleport_default_address | ipwrap }}:3024'
teleport_proxy_https_key_file: ''
teleport_proxy_https_cert_file: ''
For full reference see the official teleport documentation by gravitational.
- Ansible 2.4 or newer
- Python
netaddr
package (available on Debian/EPEL aspython-netaddr
)
There are three types of services (roles) in a Teleport cluster.
- Proxy service accepts inbound connections from the clients and routes them to the appropriate nodes. The proxy also serves the Web UI.
- Auth service provides authentication and authorization service to proxies and nodes. It is the certificate authority (CA) of a cluster and the storage for audit logs. It is the only stateful component of a Teleport cluster.
- Node role provides the SSH access to a node. Typically every machine in a cluster runs teleport with this role. It is stateless and lightweight.
For more details about teleport architecture, please refer to the official documentation.
- hosts: teleport_proxies
vars_files:
- vars/main.yml
roles:
- { role: woohgit.teleport }
Inside vars/main.yml
teleport_ssh_enabled: false
teleport_auth_tokens_node:
- xxxx-yyyy-xxxx
If you want to be able to login to the proxy host too using teleport, set teleport_ssh_enabled
to true
.
You can automatically connect a node to the proxy server by providing same same auth_token.
- hosts: teleport_nodes
vars_files:
- vars/main.yml
roles:
- { role: woohgit.teleport }
Inside vars/main.yml
:
teleport_ssh_enabled: true
teleport_auth_enabled: false
teleport_proxy_enabled: false
teleport_auth_servers:
- ip_of_the_proxy_server
teleport_auth_token: xxxx-yyyy-xxxx
MIT / BSD
This role was created in 2016 by Adam Papai.