Ansible role for teleport

README.md

@@ -1 +1,123 @@
-# teleport
+## Ansible Role: Teleport
+[Teleport Image](https://github.com/OT-OSM/teleport/blob/teleport/static/teleport.png)
+
+### Version History
+
+|**Date**| **Version**| **Description**| **Changed By** |
+|----------|---------|---------------|-----------------|
+|**June '30'** | v.1.0 | Initial Draft | Pritam Kondapratiwar |
+
+
+## Table of Content
+- [Introduction](#introduction)
+- [Salient Features](#salient-features)
+- [Supported OS](#supported-os)
+- [Dependencies](#dependencies)
+- [Directory Structure](#directory-structure)
+- [Role Variables](#role-variables)
+- [Inventory](#inventory)
+- [References](#references)
+
+
+### Introduction
+Teleport is an open-source access management tool that provides secure, identity-based access to SSH servers, Kubernetes clusters, databases, and internal apps. It replaces VPNs and static credentials with short-lived certificates and integrates with SSO for centralized control. Teleport also offers session recording, auditing, and role-based access control for compliance and security.
+
+### Salient Features
+
+| **Feature**                     | **Description**                                                                 |
+|----------------------------------|-------------------------------------------------------------------------------|
+| **Identity-Based Access**        | Provides secure access using short-lived certificates tied to user identity, integrating with SSO providers like Okta, GitHub, and Google. |
+| **Session Recording**            | Records all SSH, Kubernetes, and database sessions for compliance and auditing purposes. |
+| **Role-Based Access Control (RBAC)** | Enables fine-grained access permissions based on user roles, teams, or environments. |
+| **Unified Access Plane**         | Centralizes access to SSH, Kubernetes, databases, internal apps, and desktops through a single interface. |
+| **Just-in-Time Access Requests** | Allows users to request temporary access with approval workflows to reduce standing privileges. |
+| **Audit Logging**                | Maintains detailed audit logs of all user actions across infrastructure for security and compliance. |
+| **Zero Trust Architecture**      | Eliminates the need for VPNs and static credentials by using identity-based, short-lived access tokens. |
+| **Multi-Protocol Support**       | Supports secure access for SSH, Kubernetes, PostgreSQL, MySQL, MongoDB, Windows RDP, and internal web apps. |
+
+
+
+
+### Supported OS
+------------
+  * Debian 11 and above
+  * RHEL 8.2 and above
+  * macOS (for CLI tools like tsh)
+
+
+
+### Dependencies
+------------
+* Domain should be pointed to the server IP
+* SSL and TLS certicate
+
+### Directory Structure
+
+#### For Teleport
+```
+├── handlers
+│   └── main.yml
+├── meta
+│   └── main.yml
+├── README.md
+├── tasks
+│   ├── config.yml
+│   ├── install.yml
+│   ├── main.yml
+│   └── service.yml
+├── templates
+│   ├── teleport.crt.j2
+│   ├── teleport.key.j2
+│   ├── teleport.service.j2
+│   └── teleport.yaml.j2
+└── vars
+    └── main.yml
+
+```
+
+### Role Variables
+
+| **Variable**                  | **Default Value**                      | **Description**                                                                 |
+|------------------------------|----------------------------------------|---------------------------------------------------------------------------------|
+| `teleport_version`           | `"17.5.2"`                             | The version of Teleport to be installed.                                       |
+| `teleport_email`             | `"[email protected]"`  | Email used for certificate generation or Let's Encrypt integration.            |
+| `teleport_cluster_name`      | `"teleport.opstree.net"`              | Unique identifier for your Teleport cluster.                                   |
+| `teleport_nodename`          | `"ldc-opstree"`                        | The node name that will appear in the Teleport cluster.                        |
+| `teleport_data_dir`          | `"/var/lib/teleport"`                  | Directory where Teleport stores data and logs.                                 |
+| `teleport_cert_file`         | `"/etc/teleport/teleport.crt"`         | Path to the TLS certificate used by Teleport.                                  |
+| `teleport_key_file`          | `"/etc/teleport/teleport.key"`         | Path to the private key corresponding to the TLS certificate.                  |
+| `teleport_config_file`       | `"/etc/teleport.yaml"`                 | Path to the main Teleport configuration file.                                  |
+| `teleport_service_file`      | `"/etc/systemd/system/teleport.service"` | Path to the systemd service file for managing the Teleport service.           |
+
+
+## Inventory
+
+An inventory should look like this:-
+#### For Teleport
+```ini
+[Teleporthost]                 
+13.xxx.xxx.xx    ansible_user=ubuntu   
+
+```
+Example Playbook
+----------------
+
+* Here is an example playbook:-
+#### For Teleport
+```sh
+---
+- hosts: Teleporthost
+  become: yes
+  roles:
+    - Teleport
+
+```
+
+
+**After the successful installation of Teleport, browse through the Teleport url and you would get your login page**
+![teleport](https://github.com/user-attachments/assets/1bdcc1ea-18f5-4409-8825-7a766cfa072a)
+
+
+## References
+----------
+- **[software](https://goteleport.com/docs/linux-demo/)**

ansible.cfg

@@ -0,0 +1,17 @@
+[ssh_connection]
+pipelining=True
+ansible_ssh_args = -o ControlMaster=auto -o ControlPersist=30m -o ConnectionAttempts=100 -o UserKnownHostsFile=/dev/null
+#control_path = ~/.ssh/ansible-%%r@%%h:%%p
+
+[defaults]
+force_valid_group_names = ignore
+host_key_checking=False
+gathering = smart
+fact_caching = jsonfile
+fact_caching_connection = /tmp
+fact_caching_timeout = 86400
+stdout_callback = default
+display_skipped_hosts = no
+callbacks_enabled = profile_tasks,ara_default
+deprecation_warnings=False
+roles_path = roles

inventory/Teleport-agent.ini

@@ -0,0 +1,2 @@
+[Teleporthost]                 
+13.xxx.xxx.xx    ansible_user=ubuntu  

roles/teleport/handlers/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Reload systemd
+  command: systemctl daemon-reexec
+
+- name: Restart Teleport
+  systemd:
+    name: teleport
+    state: restarted
+    enabled: yes

roles/teleport/meta/main.yml

@@ -0,0 +1,34 @@
+galaxy_info:
+  author: Pritam Kondapratiwar
+  description: Ansible role for Teleport
+  company: Opstree Solutions
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Choose a valid license ID from https://spdx.org - some suggested licenses:
+  # - BSD-3-Clause (default)
+  # - MIT
+  # - GPL-2.0-or-later
+  # - GPL-3.0-only
+  # - Apache-2.0
+  # - CC-BY-4.0
+  license: license (GPL-2.0-or-later, MIT, etc)
+
+  min_ansible_version: 2.1
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.

roles/teleport/tasks/config.yml

@@ -0,0 +1,34 @@
+---
+- name: Ensure /etc/teleport directory exists
+  file:
+    path: /etc/teleport
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+
+- name: Create teleport certificate file from template
+  template:
+    src: teleport.crt.j2
+    dest: "{{ teleport_cert_file }}"
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Create teleport key file from template
+  template:
+    src: teleport.key.j2
+    dest: "{{ teleport_key_file }}"
+    owner: root
+    group: root
+    mode: '0600'
+
+- name: Deploy updated teleport.yaml
+  template:
+    src: teleport.yaml.j2
+    dest: "{{ teleport_config_file }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Restart Teleport

roles/teleport/tasks/install.yml

@@ -0,0 +1,11 @@
+---
+- name: Install teleport binary
+  shell: curl https://cdn.teleport.dev/install.sh | bash -s {{ teleport_version }}
+
+- name: Generate initial teleport.yaml
+  shell: >
+    teleport configure -o file
+    --acme --acme-email={{ teleport_email }}
+    --cluster-name={{ teleport_cluster_name }}
+  args:
+    creates: "{{ teleport_config_file }}"

roles/teleport/tasks/main.yml

@@ -0,0 +1,9 @@
+---
+- name: Install Teleport
+  import_tasks: install.yml
+
+- name: Configure Teleport
+  import_tasks: config.yml
+
+- name: Setup Teleport systemd service
+  import_tasks: service.yml

roles/teleport/tasks/service.yml

@@ -0,0 +1,16 @@
+---
+- name: Deploy teleport systemd service unit file
+  template:
+    src: teleport.service.j2
+    dest: "{{ teleport_service_file }}"
+    owner: root
+    group: root
+    mode: '0644'
+  notify:
+    - Reload systemd
+    - Restart Teleport
+
+- name: Enable teleport service at boot
+  systemd:
+    name: teleport
+    enabled: yes

roles/teleport/templates/teleport.crt.j2

@@ -0,0 +1 @@
+

roles/teleport/templates/teleport.key.j2

@@ -0,0 +1 @@
+

roles/teleport/templates/teleport.service.j2

@@ -0,0 +1,13 @@
+[Unit]
+Description=Teleport SSH Service
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/teleport start --config={{ teleport_config_file }}
+Restart=on-failure
+RestartSec=5s
+LimitNOFILE=65536
+
+[Install]
+WantedBy=multi-user.target

roles/teleport/templates/teleport.yaml.j2

@@ -0,0 +1,34 @@
+version: v3
+teleport:
+  nodename: {{ teleport_nodename }}
+  data_dir: {{ teleport_data_dir }}
+  join_params:
+    token_name: ""
+    method: token
+  log:
+    output: stderr
+    severity: INFO
+    format:
+      output: text
+  ca_pin: ""
+  diag_addr: ""
+
+auth_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3025
+  cluster_name: {{ teleport_cluster_name }}
+  proxy_listener_mode: multiplex
+
+ssh_service:
+  enabled: "yes"
+
+proxy_service:
+  enabled: "yes"
+  web_listen_addr: 0.0.0.0:443
+  public_addr: {{ teleport_cluster_name }}:443
+  https_keypairs:
+    - cert_file: {{ teleport_cert_file }}
+      key_file: {{ teleport_key_file }}
+  https_keypairs_reload_interval: 0s
+  acme:
+    enabled: "no"

roles/teleport/vars/main.yml

@@ -0,0 +1,10 @@
+---
+teleport_version: "17.5.2"
+teleport_email: "[email protected]"
+teleport_cluster_name: "teleport.opstree.net"
+teleport_nodename: "ldc-opstree"
+teleport_data_dir: "/var/lib/teleport"
+teleport_cert_file: "/etc/teleport/teleport.crt"
+teleport_key_file: "/etc/teleport/teleport.key"
+teleport_config_file: "/etc/teleport.yaml"
+teleport_service_file: "/etc/systemd/system/teleport.service"