New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Teleport SSH/PKI Cluster Module: Init #93836
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have left a few questions and comments.
Directory to store Teleport Service data. | ||
''; | ||
}; | ||
configText = mkOption { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Having a single settings
option to represent this file might be worth looking into and match upstream more closely. What were aiming for by splitting this file into multiple? I'm not familiar with this program so don't know the pros and cons of doing so.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not certain what lines you're referring to here? Where am I splitting the file into multiple?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was mentioning the note you made above:
# This becomes the main config file
# To be used in the future when I add seperate option sections for each part of teleport
# Rather then writing a single yaml file directly into your nix file.
Since the file format is yaml
this maps nicely to a nix
attribute set. Very shortly nix
will have even nicer support for this, see #75584 if interested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah my apologies, to be clear what I actually meant, was what you implied. Having sub services as attr sets that can be written to the yaml config file.
Rather then just encoding a flat yaml file directly in your nix expression when you enable this service.
Have some scaffolding in place now, and planning to commit the meat of it tomorrow afternoon once I'm off work.
Seems to be working so far from what I have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should now make more sense, with the changes I've made to define the service config file in nix expr lang.
Revamped the teleport module so that one can now describe your config file in nix expr lang. Still need descriptions and default values for each option however. Also missing some options still I'm realizing. |
Hmm, failing. I'll add the defaults next. I assume that might be throwing it off. Since it works on my setup. |
Just needs examples and descriptions.
@aanderse Interesting, just pushed the changes I had for my module. Just needs examples and descriptions. Your fork is interesting, I'll admit. Will have to look over it and mull some more. |
Looking over some more I do admit I do like the idea of having a user just set the attr set by them selves completely. The only upper hand that my version has is:
And have the ssh service already enabled by default. |
Aware the change isn't evaling as well, seems I really need those descriptions and examples still. 😛 |
@aanderse Any thoughts? |
@Church- the bot is saying |
Yep I'm aware! Just wanted your thoughts on the general structure of the module now. |
@aanderse Yeah as I thought and you confirmed that was the issue. So, what do you think of the general structure now? Any complaints or worthy to merge down? |
I would actually hold off on reviewing this PR again until I push some new changes. Somewhat funnily I've decided to end up going with an approach like yours @aanderse after talking with infinisil about his settings PR. |
I marked this as stale due to inactivity. → More info |
serviceConfig = { | ||
Type = "simple"; | ||
ExecStart = "${pkgs.teleport}/bin/teleport start ${cmdlineArgs}"; | ||
ExecReload = "/run/current-system/sw/bin/kill -HUP $MAINPID"; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
${pkgs.coreutils}/bin/kill
maybe? 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for putting the effort into creating this module!
}; | ||
|
||
config = mkIf cfg.enable { | ||
systemd.services.teleport = { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To join teleport node to the cluster we have to run teleport
as root
and it's ok to run auth
and proxy
as less privileged user. AFAICS we run always as root with this implementation, don't we?
I found some time to finish the work started here in #153825 |
Motivation for this change
Just a basic module for the clustered ssh daemon teleport since none existed.
Planning on a more nuanced module with a config section for each service that teleport offers/works with.
Things done
sandbox
innix.conf
on non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
./result/bin/
)nix path-info -S
before and after)I assume there's a doc that I'm missing, but where would I look to ensure documentation for the module is added to nixos.org?