mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-10 19:55:41 +03:00
374e6bcc40
Format all Nix files using the officially approved formatter,
making the CI check introduced in the previous commit succeed:
nix-build ci -A fmt.check
This is the next step of the of the [implementation](https://github.com/NixOS/nixfmt/issues/153)
of the accepted [RFC 166](https://github.com/NixOS/rfcs/pull/166).
This commit will lead to merge conflicts for a number of PRs,
up to an estimated ~1100 (~33%) among the PRs with activity in the past 2
months, but that should be lower than what it would be without the previous
[partial treewide format](https://github.com/NixOS/nixpkgs/pull/322537).
Merge conflicts caused by this commit can now automatically be resolved while rebasing using the
[auto-rebase script](8616af08d9/maintainers/scripts/auto-rebase).
If you run into any problems regarding any of this, please reach out to the
[formatting team](https://nixos.org/community/teams/formatting/) by
pinging @NixOS/nix-formatting.
114 lines
3 KiB
Nix
114 lines
3 KiB
Nix
{
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}:
|
|
|
|
with lib;
|
|
|
|
let
|
|
cfg = config.services.teleport;
|
|
settingsYaml = pkgs.formats.yaml { };
|
|
in
|
|
{
|
|
options = {
|
|
services.teleport = with lib.types; {
|
|
enable = mkEnableOption "the Teleport service";
|
|
|
|
package = mkPackageOption pkgs "teleport" {
|
|
example = "teleport_11";
|
|
};
|
|
|
|
settings = mkOption {
|
|
type = settingsYaml.type;
|
|
default = { };
|
|
example = literalExpression ''
|
|
{
|
|
teleport = {
|
|
nodename = "client";
|
|
advertise_ip = "192.168.1.2";
|
|
auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
|
|
auth_servers = [ "192.168.1.1:3025" ];
|
|
log.severity = "DEBUG";
|
|
};
|
|
ssh_service = {
|
|
enabled = true;
|
|
labels = {
|
|
role = "client";
|
|
};
|
|
};
|
|
proxy_service.enabled = false;
|
|
auth_service.enabled = false;
|
|
}
|
|
'';
|
|
description = ''
|
|
Contents of the `teleport.yaml` config file.
|
|
The `--config` arguments will only be passed if this set is not empty.
|
|
|
|
See <https://goteleport.com/docs/setup/reference/config/>.
|
|
'';
|
|
};
|
|
|
|
insecure.enable = mkEnableOption ''
|
|
starting teleport in insecure mode.
|
|
|
|
This is dangerous!
|
|
Sensitive information will be logged to console and certificates will not be verified.
|
|
Proceed with caution!
|
|
|
|
Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
|
|
'';
|
|
|
|
diag = {
|
|
enable = mkEnableOption ''
|
|
endpoints for monitoring purposes.
|
|
|
|
See <https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/>
|
|
'';
|
|
|
|
addr = mkOption {
|
|
type = str;
|
|
default = "127.0.0.1";
|
|
description = "Metrics and diagnostics address.";
|
|
};
|
|
|
|
port = mkOption {
|
|
type = port;
|
|
default = 3000;
|
|
description = "Metrics and diagnostics port.";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
config = mkIf config.services.teleport.enable {
|
|
environment.systemPackages = [ cfg.package ];
|
|
|
|
systemd.services.teleport = {
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" ];
|
|
path = with pkgs; [
|
|
getent
|
|
shadow
|
|
sudo
|
|
];
|
|
serviceConfig = {
|
|
ExecStart = ''
|
|
${cfg.package}/bin/teleport start \
|
|
${optionalString cfg.insecure.enable "--insecure"} \
|
|
${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
|
|
${optionalString (
|
|
cfg.settings != { }
|
|
) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
|
|
'';
|
|
ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
|
|
LimitNOFILE = 65536;
|
|
Restart = "always";
|
|
RestartSec = "5s";
|
|
RuntimeDirectory = "teleport";
|
|
Type = "simple";
|
|
};
|
|
};
|
|
};
|
|
}
|