aaa

inventory

@@ -0,0 +1,8 @@
+hostnode:
+    hosts:
+        10.10.0.209:
+            vars: ansible_ssh_user=root ansible_ssh_common_args='-o StrictHostKeyChecking=no' 
+clients:
+    hosts:
+        10.10.0.209:
+            vars: ansible_ssh_user=root ansible_ssh_common_args='-o StrictHostKeyChecking=no' 

main.ansible.yml

@@ -0,0 +1,93 @@
+---
+- hosts: "hostnode"
+  name: Teleport setup
+  vars:
+  become: true
+  pre_tasks:
+    - name: Load variables
+      ansible.builtin.include_vars: '{{ item }}'
+      with_first_found:
+        - "vars/default.yml"
+  tasks:
+    - name: Check if teleport is installed.
+      ansible.builtin.stat: "path=/usr/local/bin/teleport"
+      register: teleport_bin
+    
+    - debug:
+        msg: "{{ teleport_bin }}"
+
+    - name: install teleport
+      ansible.builtin.shell:
+        cmd: 'curl https://goteleport.com/static/install.sh | bash -s 13.3.8'
+
+
+    - name:
+
+    - name: Ensure teleport has selected state and enabled on boot.
+      service:
+        name: 'teleport'
+        state: 'started'
+        enabled: yes
+
+    - name: Get teleport token
+      ansible.builtin.shell:
+        cmd: '/usr/local/bin/tctl tokens add --type=node --format=text'
+        executable: /bin/bash
+      register: token
+
+    - debug:
+        msg: token.stdout
+
+- hosts: "clients"
+  name: Client setup
+  vars:
+  become: true
+  pre_tasks:
+    - name: Load variables
+      ansible.builtin.include_vars: '{{ item }}'
+      with_first_found:
+        - "vars/default.yml"
+  
+  tasks:
+    - name: Check if teleport is installed.
+      ansible.builtin.stat: "path=/usr/local/bin/teleport"
+      register: teleport_bin_clients
+
+    - name: install teleport
+      ansible.builtin.shell:
+        cmd: 'curl https://goteleport.com/static/install.sh | bash -s 13.3.8'
+      when: teleport_bin_clients.stat.exists == false
+
+    - name: remove existing config if exists
+      ansible.builtin.file:
+        path: /etc/teleport.yaml
+        state: absent
+
+    - name: Create teleport config
+      ansible.builtin.shell:
+        cmd: '/usr/local/bin/teleport node configure --output=file:///etc/teleport.yaml --token={{ token.stdout }} --proxy={{ groups["hostnode"] | map("extract", hostvars, ["inventory_hostname"]) }}:443'
+        executable: /bin/bash
+
+    - name: Ensure teleport has selected state and enabled on boot.
+      service:
+        name: 'teleport'
+        state: 'started'
+        enabled: yes
+
+    - name: open ports for teleport
+      ansible.builtin.shell:
+        cmd: 'ufw allow 3022/tcp && ufw allow 443/tcp'
+
+
+- hosts: "hostnode"
+  name: reverse proxy setup
+  vars:
+  become: true
+  pre_tasks:
+    - name: Load variables
+      ansible.builtin.include_vars: '{{ item }}'
+      with_first_found:
+        - "vars/default.yml"
+  tasks:
+    - include_tasks: reverseproxy.ansible.yml
+      when: {{ REVERSE_PROXY }}

reverseproxy.ansible..yml

@@ -0,0 +1,53 @@
+---
+- name: install caddy from binary
+  ansible.builtin.get_url:
+    url: https://caddyserver.com/api/download?os=linux&arch=amd64&p=github.com%2Fcaddy-dns%2Fcloudflare&idempotency=54951177807414
+    dest: /usr/bin/caddy
+    mode: '0751'
+
+- name: create caddyfile
+  ansible.builtin.blockinfile:
+    block: |
+      {{ SUBDOMAIN }} {
+        reverse_proxy https://{{ ansible_default_ipv4.address }}:3022 {
+                transport http {
+                        tls_insecure_skip_verify
+                }
+        }
+      }
+    path: /etc/caddy/Caddyfile
+    create: true
+
+- name: creat Caddy systemd file
+  ansible.builtin.copy:
+    content: |
+      [Unit]
+      Description=Caddy
+      Documentation=https://caddyserver.com/docs/
+      After=network.target network-online.target
+      Requires=network-online.target
+
+      [Service]
+      Type=notify
+      User=root
+      Group=root
+      ExecStart=/usr/bin/caddy run --environ --config /etc/caddy/Caddyfile
+      ExecReload=/usr/bin/caddy reload --config /etc/caddy/Caddyfile --force
+      TimeoutStopSec=5s
+      LimitNOFILE=1048576
+      LimitNPROC=512
+      PrivateTmp=true
+      ProtectSystem=full
+      AmbientCapabilities=CAP_NET_ADMIN CAP_NET_BIND_SERVICE
+
+      [Install]
+      WantedBy=multi-user.target
+    dest: /etc/caddy/Caddyfile
+
+- name: Start Caddy on startup
+  ansible.builtin.systemd_service:
+    name: 'caddy'
+    state: 'started'
+    enabled: yes
+    daemon_reload: true
+    

vars/default.yml

@@ -0,0 +1,11 @@
+---
+#If you dont enable reverse proxy you will need to set up your certificates after install and restart teleport
+#key file location: /var/lib/teleport/webproxy_key.pem
+#cert file location: /var/lib/teleport/webproxy_cert.pem
+#run this when done("systemctl restart teleport")
+
+#if you do enable reverse proxy make sure your selected domain name is routed to that ip address and port forwarding is set to the teleport host for ports 80 and 443
+REVERSE_PROXY: true
+#subdomain is the subdomain you want tied to teleport for the reverse proxy this should also be your hostname for your teleport hostnode(use {your teleport hostname}.localhost to use an internal certificate)
+SUBDOMAIN: t.localhost
+