Teleport SSH/PKI Cluster Module: Init #93836
Conversation
Church-
changed the title
ofborg
bot
added
10.rebuild-darwin: 0
10.rebuild-linux: 1-10
10.rebuild-linux: 1
labels
| Directory to store Teleport Service data. | ||
| ''; | ||
| }; | ||
| configText = mkOption { |
There was a problem hiding this comment.
Having a single settings option to represent this file might be worth looking into and match upstream more closely. What were aiming for by splitting this file into multiple? I'm not familiar with this program so don't know the pros and cons of doing so.
There was a problem hiding this comment.
I'm not certain what lines you're referring to here? Where am I splitting the file into multiple?
There was a problem hiding this comment.
I was mentioning the note you made above:
# This becomes the main config file
# To be used in the future when I add seperate option sections for each part of teleport
# Rather then writing a single yaml file directly into your nix file.
Since the file format is yaml this maps nicely to a nix attribute set. Very shortly nix will have even nicer support for this, see #75584 if interested.
There was a problem hiding this comment.
Ah my apologies, to be clear what I actually meant, was what you implied. Having sub services as attr sets that can be written to the yaml config file.
Rather then just encoding a flat yaml file directly in your nix expression when you enable this service.
Have some scaffolding in place now, and planning to commit the meat of it tomorrow afternoon once I'm off work.
Seems to be working so far from what I have.
There was a problem hiding this comment.
This should now make more sense, with the changes I've made to define the service config file in nix expr lang.
|
Revamped the teleport module so that one can now describe your config file in nix expr lang. Still need descriptions and default values for each option however. Also missing some options still I'm realizing. |
|
Hmm, failing. I'll add the defaults next. I assume that might be throwing it off. Since it works on my setup. |
Just needs examples and descriptions.
|
@aanderse Interesting, just pushed the changes I had for my module. Just needs examples and descriptions. Your fork is interesting, I'll admit. Will have to look over it and mull some more. |
|
Looking over some more I do admit I do like the idea of having a user just set the attr set by them selves completely. The only upper hand that my version has is:
And have the ssh service already enabled by default. |
|
Aware the change isn't evaling as well, seems I really need those descriptions and examples still. 😛 |
|
@aanderse Any thoughts? |
|
@Church- the bot is saying |
|
Yep I'm aware! Just wanted your thoughts on the general structure of the module now. |
|
@aanderse Yeah as I thought and you confirmed that was the issue. So, what do you think of the general structure now? Any complaints or worthy to merge down? |
|
I would actually hold off on reviewing this PR again until I push some new changes. Somewhat funnily I've decided to end up going with an approach like yours @aanderse after talking with infinisil about his settings PR. |
|
I marked this as stale due to inactivity. → More info |
stale
bot
added
the
2.status: stale
| serviceConfig = { | ||
| Type = "simple"; | ||
| ExecStart = "${pkgs.teleport}/bin/teleport start ${cmdlineArgs}"; | ||
| ExecReload = "/run/current-system/sw/bin/kill -HUP $MAINPID"; |
There was a problem hiding this comment.
${pkgs.coreutils}/bin/kill maybe? 😉
stale
bot
removed
the
2.status: stale
| }; | ||
|
|
||
| config = mkIf cfg.enable { | ||
| systemd.services.teleport = { |
There was a problem hiding this comment.
To join teleport node to the cluster we have to run teleport as root and it's ok to run auth and proxy as less privileged user. AFAICS we run always as root with this implementation, don't we?
|
I found some time to finish the work started here in #153825 |
Motivation for this change
Just a basic module for the clustered ssh daemon teleport since none existed.
Planning on a more nuanced module with a config section for each service that teleport offers/works with.
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)I assume there's a doc that I'm missing, but where would I look to ensure documentation for the module is added to nixos.org?