mirror of
https://github.com/Expand-sys/ansibleteleportsetup
synced 2025-12-15 13:32:20 +11:00
185 lines
No EOL
5.5 KiB
YAML
185 lines
No EOL
5.5 KiB
YAML
---
|
|
- hosts: "hostnode"
|
|
name: Teleport setup
|
|
vars:
|
|
become: true
|
|
pre_tasks:
|
|
- name: Load variables
|
|
ansible.builtin.include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- "vars/default.yml"
|
|
tasks:
|
|
- name: Check if teleport is installed.
|
|
ansible.builtin.shell: "teleport version"
|
|
register: teleport_bin
|
|
ignore_errors: true
|
|
|
|
- name: Ensure teleport is stopped.
|
|
ansible.builtin.service:
|
|
name: 'teleport'
|
|
state: 'stopped'
|
|
|
|
- name: install teleport
|
|
ansible.builtin.shell:
|
|
cmd: 'curl https://goteleport.com/static/install.sh | bash -s {{ TELEPORT_VER }} oss'
|
|
when: not TELEPORT_VER in teleport_bin.stdout
|
|
|
|
- name: create teleport.yaml config
|
|
ansible.builtin.blockinfile:
|
|
content: |
|
|
version: v3
|
|
teleport:
|
|
nodename: {{ SUBDOMAIN }}
|
|
data_dir: /var/lib/teleport
|
|
log:
|
|
output: stderr
|
|
severity: INFO
|
|
format:
|
|
output: text
|
|
ca_pin: ""
|
|
diag_addr: ""
|
|
auth_service:
|
|
proxy_listener_mode: multiplex
|
|
authentication:
|
|
type: local
|
|
second_factor: "on"
|
|
webauthn:
|
|
rp_id: t.duboiss.com
|
|
device_trust:
|
|
mode: off
|
|
ssh_service:
|
|
enabled: "yes"
|
|
commands:
|
|
- name: hostname
|
|
command: [hostname]
|
|
period: 1m0s
|
|
proxy_service:
|
|
enabled: yes
|
|
proxy_protocol: off
|
|
listen_addr: 0.0.0.0:3023
|
|
tunnel_listen_addr: 0.0.0.0:3024
|
|
web_listen_addr: 0.0.0.0:3080
|
|
public_addr: {{ SUBDOMAIN }}:3080
|
|
ssh_public_addr: {{ SUBDOMAIN }}:3023
|
|
tunnel_public_addr: {{ SUBDOMAIN }}:3024
|
|
https_keypairs:
|
|
- key_file: /var/lib/teleport/webproxy_key.pem
|
|
cert_file: /var/lib/teleport/webproxy_cert.pem
|
|
https_keypairs_reload_interval: 0
|
|
ui:
|
|
scrollback_lines: 1000
|
|
trust_x_forwarded_for: true
|
|
path: /etc/teleport.yaml
|
|
create: true
|
|
|
|
- name: make teleport directory
|
|
ansible.builtin.file:
|
|
path: /var/lib/teleport
|
|
state: directory
|
|
|
|
- name: Generate self signed ssl cert
|
|
ansible.builtin.shell: openssl req -x509 -newkey rsa:4096 -keyout /var/lib/teleport/webproxy_key.pem -out /var/lib/teleport/webproxy_cert.pem -sha256 -days 3650 -nodes -subj '/C=XX/ST=StateName/L=CityName/O=CompanyName/OU=CompanySectionName/CN={{ SUBDOMAIN }}' -addext 'subjectAltName=DNS:{{ SUBDOMAIN }}'
|
|
|
|
- name: Ensure teleport has selected state and enabled on boot.
|
|
ansible.builtin.service:
|
|
name: 'teleport'
|
|
state: 'started'
|
|
enabled: yes
|
|
|
|
- name: sleep for 10 secs to wait for teleport to start
|
|
ansible.builtin.wait_for:
|
|
timeout: 10
|
|
|
|
- name: Get teleport token
|
|
ansible.builtin.shell:
|
|
cmd: 'tctl tokens add --type=node --format=text --insecure'
|
|
executable: /bin/bash
|
|
register: token
|
|
|
|
- name: "Add K8S Token and Hash to dummy host"
|
|
add_host:
|
|
name: "TELE_TOKEN_HOLDER"
|
|
token_c: "{{ token.stdout }}"
|
|
|
|
|
|
- debug:
|
|
msg: '{{ token.stdout }}'
|
|
|
|
- hosts: "clients"
|
|
name: Client setup
|
|
vars:
|
|
token_clients: "{{ hostvars['TELE_TOKEN_HOLDER']['token_c'] }}"
|
|
become: true
|
|
pre_tasks:
|
|
- name: Load variables
|
|
ansible.builtin.include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- "vars/default.yml"
|
|
|
|
tasks:
|
|
- name: Check if teleport is installed.
|
|
ansible.builtin.shell: "teleport version"
|
|
register: teleport_bin_clients
|
|
ignore_errors: true
|
|
|
|
- name: install teleport
|
|
ansible.builtin.shell:
|
|
cmd: 'curl https://goteleport.com/static/install.sh | bash -s {{ TELEPORT_VER }}'
|
|
when: not TELEPORT_VER in teleport_bin_clients.stdout
|
|
|
|
- name: Ensure teleport is stopped.
|
|
service:
|
|
name: 'teleport'
|
|
state: 'stopped'
|
|
when: teleport_bin_clients
|
|
|
|
- name: remove existing config if exists
|
|
ansible.builtin.file:
|
|
path: /etc/teleport.yaml
|
|
state: absent
|
|
|
|
- name: Create teleport config
|
|
ansible.builtin.shell:
|
|
cmd: '/usr/local/bin/teleport node configure --output=file:///etc/teleport.yaml --token={{ token_clients }} --auth-server={{ SUBDOMAIN }}:3025'
|
|
executable: /bin/bash
|
|
|
|
- name: Ensure teleport has selected state and enabled on boot.
|
|
ansible.builtin.service:
|
|
name: 'teleport'
|
|
state: 'started'
|
|
enabled: yes
|
|
|
|
- name: open ports for teleport - ubuntu OS
|
|
ansible.builtin.shell:
|
|
cmd: 'ufw allow 3022/tcp'
|
|
when: ansible_facts['distribution'] == "Ubuntu"
|
|
|
|
- name: Install python3 firewall for rhel
|
|
ansible.builtin.dnf:
|
|
name: python3-firewall
|
|
state: present
|
|
when: ansible_facts['os_family'] == "RedHat"
|
|
|
|
- name: open ports for teleport RHEL
|
|
ansible.builtin.firewalld:
|
|
permanent: true
|
|
port: 3022/tcp
|
|
state: enabled
|
|
immediate: true
|
|
when: ansible_facts['os_family'] == "RedHat"
|
|
|
|
- hosts: "reverseproxy"
|
|
name: reverse proxy setup
|
|
vars:
|
|
become: true
|
|
gather_facts: false
|
|
pre_tasks:
|
|
- name: Load variables
|
|
ansible.builtin.include_vars: '{{ item }}'
|
|
with_first_found:
|
|
- "vars/default.yml"
|
|
tasks:
|
|
- name: set up reverse proxy
|
|
include_tasks: reverseproxy.ansible.yml
|
|
when: REVERSE_PROXY
|
|
|