From: "Michał Górny" <mgorny@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-cluster/teleport/files/, sys-cluster/teleport/
Date: Wed, 14 Jun 2017 07:48:51 +0000 (UTC)	[thread overview]
Message-ID: <1497426511.3a6cc61bfeee218f02161b3881bcf5efeb8a2624.mgorny@gentoo> (raw)

commit:     3a6cc61bfeee218f02161b3881bcf5efeb8a2624
Author:     Graeme Lawes <graemelawes <AT> gmail <DOT> com>
AuthorDate: Mon May 29 17:28:38 2017 +0000
Commit:     Michał Górny <mgorny <AT> gentoo <DOT> org>
CommitDate: Wed Jun 14 07:48:31 2017 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3a6cc61b

sys-cluster/teleport: new package, #620054

Multi-region SSH for teams managing distributed server clusters.

Closes: https://github.com/gentoo/gentoo/pull/4802
Package-Manager: Portage-2.3.5, Repoman-2.3.1

 sys-cluster/teleport/Manifest                    |   1 +
 sys-cluster/teleport/files/teleport.conf.d       |  17 +++
 sys-cluster/teleport/files/teleport.init.d       |  29 +++++
 sys-cluster/teleport/files/teleport.service      |  11 ++
 sys-cluster/teleport/files/teleport.service.conf |   3 +
 sys-cluster/teleport/files/teleport.yaml         | 142 +++++++++++++++++++++++
 sys-cluster/teleport/metadata.xml                |  17 +++
 sys-cluster/teleport/teleport-2.2.0.ebuild       |  51 ++++++++
 sys-cluster/teleport/teleport-9999.ebuild        |  51 ++++++++
 9 files changed, 322 insertions(+)

diff --git a/sys-cluster/teleport/Manifest b/sys-cluster/teleport/Manifest
new file mode 100644
index 00000000000..c1a217ba386
--- /dev/null
+++ b/sys-cluster/teleport/Manifest
@@ -0,0 +1 @@
+DIST teleport-2.2.0.tar.gz 7229371 SHA256 b12bea0474a0ce5f4df10729607661b1afbecd5e95083835ccee7b54493c9452 SHA512 bec288983371bd3807b7ce994b1533a5e869d903251f8a8ce6315768a1d3ae95d72f832037345c36c9cd4789fbc449c54b86359988b1e74d4f46f9e0db6b3239 WHIRLPOOL 5b128fda80b1ce4afe60e10e6d5d9e83f621f6a405e713af7d1b988562038aa927c9f7c733a927a3aa724c261d058dba1fa75526dd2eb9051b1e6fe4c984004c

diff --git a/sys-cluster/teleport/files/teleport.conf.d b/sys-cluster/teleport/files/teleport.conf.d
new file mode 100644
index 00000000000..e4b2cbb1a7e
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.conf.d
@@ -0,0 +1,17 @@
+# /etc/conf.d/teleport: config file for /etc/init.d/teleport
+
+# Where is your teleport.yaml file stored?
+TELEPORT_CONFDIR="/etc/teleport"
+
+# Any random options you want to pass to teleport.
+TELEPORT_OPTS=""
+
+# Pid file to use (needs to be absolute path).
+#TELEPORT_PIDFILE="/var/run/teleport.pid"
+
+# Path to log file
+#TELEPORT_LOGFILE="/var/log/teleport.log"
+
+# Startup dependency
+# Un-comment when using etcd storage backend
+#rc_need="etcd"

diff --git a/sys-cluster/teleport/files/teleport.init.d b/sys-cluster/teleport/files/teleport.init.d
new file mode 100644
index 00000000000..a5d08b7f3f6
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.init.d
@@ -0,0 +1,29 @@
+#!/sbin/openrc-run
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+: ${TELEPORT_CONFDIR:=/etc/teleport}
+: ${TELEPORT_PIDFILE:=/var/run/${SVCNAME}.pid}
+: ${TELEPORT_BINARY:=/usr/bin/teleport}
+: ${TELEPORT_LOGFILE:=/var/log/teleport.log}
+
+depend() {
+	need net
+}
+
+start() {
+	ebegin "Starting Teleport SSH Service"
+		start-stop-daemon --start --exec /usr/bin/teleport \
+		--background --make-pidfile --pidfile "${TELEPORT_PIDFILE}" \
+		--stderr "${TELEPORT_LOGFILE}" \
+		-- start --config="${TELEPORT_CONFDIR}/teleport.yaml" \
+		${TELEPORT_OPTS}
+		eend $?
+}
+
+stop() {
+	ebegin "Stopping Teleport SSH Service"
+		start-stop-daemon --stop --exec /usr/bin/teleport \
+		--pidfile "${TELEPORT_PIDFILE}"
+	eend $?
+}
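Review bot: TELEPORT_BINARY is defaulted on the `: ${TELEPORT_BINARY:=/usr/bin/teleport}` line but never used; both start-stop-daemon calls hard-code `--exec /usr/bin/teleport`, so setting the variable in /etc/conf.d/teleport has no effect. Either use `--exec "${TELEPORT_BINARY}"` in start() and stop() or drop the variable. Two smaller points: the start-stop-daemon and `eend $?` lines in start() carry one more level of indentation than the same lines in stop(), and `--stderr "${TELEPORT_LOGFILE}"` captures only stderr, which matches the shipped teleport.yaml (`log: output: stderr`) but means anything the daemon writes to stdout is discarded under `--background`; that is worth a comment next to TELEPORT_LOGFILE in the conf.d file.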

diff --git a/sys-cluster/teleport/files/teleport.service b/sys-cluster/teleport/files/teleport.service
new file mode 100644
index 00000000000..b74734bbf9e
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Teleport SSH Service
+After=network.target 
+
+[Service]
+Type=simple
+Restart=always
+ExecStart=/usr/bin/teleport start --config=/etc/teleport/teleport.yaml
+
+[Install]
+WantedBy=multi-user.target
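Review bot: `After=network.target ` has trailing whitespace; strip it. With `Restart=always` and no `RestartSec`, a persistently failing start is retried at systemd's default interval until the unit's start-rate limit trips; a `RestartSec=` of a few seconds makes that loop less aggressive. The config path is hard-coded here while the OpenRC script reads it from TELEPORT_CONFDIR; acceptable, but the drop-in file would be the place to say so.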

diff --git a/sys-cluster/teleport/files/teleport.service.conf b/sys-cluster/teleport/files/teleport.service.conf
new file mode 100644
index 00000000000..2ff7ffbf3a4
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.service.conf
@@ -0,0 +1,3 @@
+# Uncomment the following when using the etcd storage backend
+#[Unit]
+#Wants=etcd.service
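Review bot: `Wants=etcd.service` on its own only pulls etcd in; it does not order teleport after it, so teleport can still be started before etcd is up. The commented drop-in should carry `After=etcd.service` alongside `Wants=etcd.service`, which then mirrors the `rc_need="etcd"` hint in teleport.conf.d (rc_need does both pull-in and ordering under OpenRC).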

diff --git a/sys-cluster/teleport/files/teleport.yaml b/sys-cluster/teleport/files/teleport.yaml
new file mode 100644
index 00000000000..e297bb89b57
--- /dev/null
+++ b/sys-cluster/teleport/files/teleport.yaml
@@ -0,0 +1,142 @@
+# By default, this file should be stored in /etc/teleport.yaml
+
+# This section of the configuration file applies to all teleport
+# services.
+teleport:
+    # nodename allows to assign an alternative name this node can be reached by.
+    # by default it's equal to hostname
+    # nodename: graviton
+
+    # Data directory where Teleport keeps its data, like keys/users for 
+    # authentication (if using the default BoltDB back-end)
+    data_dir: /var/lib/teleport
+
+    # one-time invitation token used to join a cluster. it is not used on 
+    # subsequent starts
+    auth_token: xxxx-token-xxxx
+
+    # when running in multi-homed or NATed environments Teleport nodes need 
+    # to know which IP it will be reachable at by other nodes
+    # advertise_ip: 10.1.0.5
+
+    # list of auth servers in a cluster. you will have more than one auth server
+    # if you configure teleport auth to run in HA configuration
+    auth_servers: 
+        - localhost:3025
+
+    # Teleport throttles all connections to avoid abuse. These settings allow
+    # you to adjust the default limits
+    connection_limits:
+        max_connections: 1000
+        max_users: 250
+
+    # Logging configuration. Possible output values are 'stdout', 'stderr' and 
+    # 'syslog'. Possible severity values are INFO, WARN and ERROR (default).
+    log:
+        output: stderr
+        severity: ERROR
+
+    # Type of storage used for keys. You need to configure this to use etcd
+    # backend if you want to run Teleport in HA configuration.
+    storage:
+        type: bolt
+
+# This section configures the 'auth service':
+auth_service:
+    # Turns 'auth' role on. Default is 'yes'
+    enabled: yes
+
+    # Turns on dynamic configuration. Dynamic configuration defines the source
+    # for configuration information, configuration files on disk or what's
+    # stored in the backend. Default is false if no backend is specified,
+    # otherwise if backend is specified, it is assumed to be true.
+    dynamic_config: false
+
+    # defines the types and second factors the auth server supports
+    authentication:
+        # type can be local or oidc
+        type: local
+        # second_factor can be off, otp, or u2f
+        second_factor: otp
+
+        # this section is only used if using u2f
+        u2f:
+            # app_id should point to the Web UI.
+            app_id: https://localhost:3080
+
+            # facets should list all proxy servers.
+            facets:
+            - https://localhost
+            - https://localhost:3080
+
+    # IP and the port to bind to. Other Teleport nodes will be connecting to
+    # this port (AKA "Auth API" or "Cluster API") to validate client 
+    # certificates 
+    listen_addr: 0.0.0.0:3025
+
+    # Pre-defined tokens for adding new nodes to a cluster. Each token specifies
+    # the role a new node will be allowed to assume. The more secure way to 
+    # add nodes is to use `ttl node add --ttl` command to generate auto-expiring 
+    # tokens. 
+    #
+    # We recommend to use tools like `pwgen` to generate sufficiently random
+    # tokens of 32+ byte length.
+    tokens:
+        - "proxy,node:xxxxx"
+        - "auth:yyyy"
+
+    # Optional "cluster name" is needed when configuring trust between multiple
+    # auth servers. A cluster name is used as part of a signature in certificates
+    # generated by this CA.
+    # 
+    # By default an automatically generated GUID is used.
+    #
+    # IMPORTANT: if you change cluster_name, it will invalidate all generated 
+    # certificates and keys (may need to wipe out /var/lib/teleport directory)
+    cluster_name: "main"
+
+# This section configures the 'node service':
+ssh_service:
+    # Turns 'ssh' role on. Default is 'yes'
+    enabled: yes
+
+    # IP and the port for SSH service to bind to. 
+    listen_addr: 0.0.0.0:3022
+    # See explanation of labels in "Labeling Nodes" section below
+    labels:
+        role: master
+        type: postgres
+    # List (YAML array) of commands to periodically execute and use
+    # their output as labels. 
+    # See explanation of how this works in "Labeling Nodes" section below
+    commands:
+    - name: hostname
+      command: [/usr/bin/hostname]
+      period: 1m0s
+    - name: arch
+      command: [/usr/bin/uname, -p]
+      period: 1h0m0s
+
+# This section configures the 'proxy servie'
+proxy_service:
+    # Turns 'proxy' role on. Default is 'yes'
+    enabled: yes
+
+    # SSH forwarding/proxy address. Command line (CLI) clients always begin their
+    # SSH sessions by connecting to this port
+    listen_addr: 0.0.0.0:3023
+
+    # Reverse tunnel listening address. An auth server (CA) can establish an 
+    # outbound (from behind the firewall) connection to this address. 
+    # This will allow users of the outside CA to connect to behind-the-firewall 
+    # nodes.
+    tunnel_listen_addr: 0.0.0.0:3024
+
+    # The HTTPS listen address to serve the Web UI and also to authenticate the 
+    # command line (CLI) users via password+HOTP
+    web_listen_addr: 0.0.0.0:3080
+
+    # TLS certificate for the HTTPS connection. Configuring these properly is 
+    # critical for Teleport security.
+    https_key_file: /etc/teleport/teleport.key
+    https_cert_file: /etc/teleport/teleport.crt
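Review bot: this file is installed verbatim to /etc/teleport/teleport.yaml and both the init script and the systemd unit start teleport against it directly, yet it enables all three roles with `auth_token: xxxx-token-xxxx` and the static join tokens `"proxy,node:xxxxx"` and `"auth:yyyy"`, with the auth API bound to `0.0.0.0:3025`. A packaged default should ship with the `tokens:` entries commented out (and preferably `enabled: no` on the auth service, or a header telling the admin to edit the file before first start) so an unconfigured install never runs with guessable join tokens; the comment above `tokens:` itself recommends generated, expiring tokens. Because the file carries tokens it should also not be installed world-readable (see `doins` in the ebuild). Smaller points: the first line says the file belongs in /etc/teleport.yaml but the ebuild installs it under /etc/teleport/; `ttl node add --ttl` should read `tctl nodes add --ttl` (tctl is the tool this ebuild installs); "proxy servie" is a typo; the two references to a "Labeling Nodes" section below point at upstream docs that are not in this file; and `https_key_file`/`https_cert_file` name /etc/teleport/teleport.key and .crt, which the package does not create, so the comment should say the admin must supply them.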

diff --git a/sys-cluster/teleport/metadata.xml b/sys-cluster/teleport/metadata.xml
new file mode 100644
index 00000000000..224f5639f02
--- /dev/null
+++ b/sys-cluster/teleport/metadata.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+	<maintainer type="person">
+		<name>Graeme Lawes</name>
+		<email>graemelawes@gmail.com</email>
+	</maintainer>
+	<maintainer type="project">
+		<name>Gentoo Proxy Maintainers Project</name>
+		<email>proxy-maint@gentoo.org</email>
+	</maintainer>
+	<upstream>
+		<changelog>https://github.com/gravitational/teleport/blob/master/CHANGELOG.md</changelog>
+		<bugs-to>https://github.com/gravitational/teleport/issues</bugs-to>
+		<remote-id type="github">gravitational/teleport</remote-id>
+	</upstream>
+</pkgmetadata>

diff --git a/sys-cluster/teleport/teleport-2.2.0.ebuild b/sys-cluster/teleport/teleport-2.2.0.ebuild
new file mode 100644
index 00000000000..50aac8796fe
--- /dev/null
+++ b/sys-cluster/teleport/teleport-2.2.0.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit eutils golang-build systemd user
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [ ${PV} == "9999" ] ; then
+	inherit git-r3 golang-vcs
+	EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+	inherit golang-vcs-snapshot
+	SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE=""
+
+DEPEND="
+	app-arch/zip
+	>=dev-lang/go-1.8.3"
+RDEPEND=""
+
+src_compile() {
+	GOPATH="${S}" emake -C src/${EGO_PN%/*}
+	pushd src/${EGO_PN%/*}/web/dist >/dev/null || die
+	zip -qr "${S}/src/${EGO_PN%/*}/build/webassets.zip" . || die
+	popd >/dev/null || die
+	cat "${S}/src/${EGO_PN%/*}/build/webassets.zip" >> "src/${EGO_PN%/*}/build/${PN}" || die
+	zip -q -A "${S}/src/${EGO_PN%/*}/build/${PN}" || die
+}
+
+src_install() {
+	dodir /var/lib/${PN} /etc/${PN}
+	dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+	insinto /etc/${PN}
+	doins "${FILESDIR}"/${PN}.yaml
+
+	newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+	newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+	systemd_dounit "${FILESDIR}"/${PN}.service
+	systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
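Review bot: `doins "${FILESDIR}"/${PN}.yaml` installs the config with the default 0644 mode although it carries auth and join tokens; put `insopts -m0600` before it (or `fperms 0600 /etc/${PN}/${PN}.yaml` after), and likewise restrict `/var/lib/${PN}`, which the config uses as `data_dir` for keys and user records, with `fperms 0700 /var/lib/${PN}` after the `dodir`. `user` and `eutils` are inherited but nothing in the ebuild uses them (no enewuser/enewgroup, no eutils helper); drop them. `[ ${PV} == "9999" ]` relies on the bash-only `==` inside `[`; the usual form is `[[ ${PV} == 9999 ]]`.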

diff --git a/sys-cluster/teleport/teleport-9999.ebuild b/sys-cluster/teleport/teleport-9999.ebuild
new file mode 100644
index 00000000000..87502805344
--- /dev/null
+++ b/sys-cluster/teleport/teleport-9999.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2017 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+inherit eutils golang-build systemd user
+
+DESCRIPTION="Modern SSH server for teams managing distributed infrastructure"
+HOMEPAGE="https://gravitational.com/teleport"
+
+EGO_PN="github.com/gravitational/${PN}/..."
+
+if [ ${PV} == "9999" ] ; then
+	inherit git-r3 golang-vcs
+	EGIT_REPO_URI="https://github.com/gravitational/${PN}.git"
+else
+	inherit golang-vcs-snapshot
+	SRC_URI="https://github.com/gravitational/${PN}/archive/v${PV}.tar.gz -> ${P}.tar.gz"
+	KEYWORDS="~amd64"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE=""
+
+DEPEND="
+	app-arch/zip
+	>=dev-lang/go-1.7"
+RDEPEND=""
+
+src_compile() {
+	GOPATH="${S}" emake -C src/${EGO_PN%/*}
+	pushd src/${EGO_PN%/*}/web/dist >/dev/null || die
+	zip -qr "${S}/src/${EGO_PN%/*}/build/webassets.zip" . || die
+	popd >/dev/null || die
+	cat "${S}/src/${EGO_PN%/*}/build/webassets.zip" >> "src/${EGO_PN%/*}/build/${PN}" || die
+	zip -q -A "${S}/src/${EGO_PN%/*}/build/${PN}" || die
+}
+
+src_install() {
+	dodir /var/lib/${PN} /etc/${PN}
+	dobin src/${EGO_PN%/*}/build/{tsh,tctl,teleport}
+
+	insinto /etc/${PN}
+	doins "${FILESDIR}"/${PN}.yaml
+
+	newinitd "${FILESDIR}"/${PN}.init.d ${PN}
+	newconfd "${FILESDIR}"/${PN}.conf.d ${PN}
+
+	systemd_dounit "${FILESDIR}"/${PN}.service
+	systemd_install_serviced "${FILESDIR}"/${PN}.service.conf ${PN}.service
+}
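Review bot: this file duplicates teleport-2.2.0.ebuild apart from `KEYWORDS` and the Go version, so the two will drift. The `else` branch (the golang-vcs-snapshot inherit, `SRC_URI` and `KEYWORDS="~amd64"`) is dead code in a 9999 ebuild and should go, leaving KEYWORDS unset as a live ebuild requires. `>=dev-lang/go-1.7` here versus `>=dev-lang/go-1.8.3` in the release ebuild is inconsistent; pick one. The same points as in the release ebuild apply: the token-bearing yaml is installed at 0644 via `doins`, `/var/lib/${PN}` is created at the default mode, and `user`/`eutils` are inherited but unused.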

