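# See https://goteleport.com/docs/config-reference/ and
# https://goteleport.com/docs/database-access/guides/postgres-self-hosted/
#
# This establishes a reverse proxy back to the central auth server,
# allowing that to connect to the postgres server running on
# localhost:5432. Auth is checked using role-based access control,
# which determines which hosts, databases, and database users the
# remote user is allowed to connect to.
teleport:
  # Fingerprint of the cluster CA; the agent refuses to join if the CA
  # presented by the auth server does not match it.
  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
  auth_servers:
    # Use the proxy address, to support running the db_service, which requires
    # a reverse tunnel.
    - teleport.zulipchat.net:443
<% if @is_ec2 -%>
  # On EC2 the instance joins with its IAM identity; token_name here is only
  # the name of the provision token, not a secret.
  join_params:
    method: iam
    token_name: iam-token
<% else -%>
  # Elsewhere a pre-shared join token is rendered into this file. Quoted so a
  # token that happens to be all digits (or otherwise type-ambiguous) is still
  # read as a string, and an empty expansion yields "" rather than null.
  # NOTE(review): the rendered token is a secret; the file's permissions
  # should restrict it to the teleport service account.
  join_params:
    method: token
    token_name: "<%= @join_token %>"
<% end %>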
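# Only the database agent runs on this host; every other Teleport role is
# switched off. Canonical true/false is used rather than yes/no so the
# values read the same under YAML 1.1 and 1.2 parsers.
ssh_service:
  enabled: false
app_service:
  enabled: false
proxy_service:
  enabled: false
auth_service:
  enabled: false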
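db_service:
  enabled: true
  databases:
    - name: "<%= @hostname %>"
      protocol: "postgres"
      # NOTE(review): the header comment says localhost:5432, but the agent
      # connects via the host's FQDN; presumably so the name matches the
      # server's TLS certificate — confirm.
      uri: "<%= @fqdn %>:5432"
      # CA used to verify the postgres server's TLS certificate.
      ca_cert_file: /etc/ssl/certs/teleport-ca.crt
      static_labels:
        hostname: "<%= @hostname %>"
      dynamic_labels:
        # Every hour, refresh the label that describes if this
        # instance is a replica; this allows access to be granted only
        # to replicas.
        # NOTE(review): the agent runs this as the zulip user via sudo, so
        # the teleport service account presumably needs a matching sudoers
        # rule that is managed elsewhere — confirm.
        - name: "is_replica"
          command:
            ["sudo", "-u", "zulip", "psql", "-tc", "select pg_is_in_recovery()"]
          period: 1h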