mirror of https://github.com/zulip/zulip.git
42 lines
1.3 KiB
Plaintext
42 lines
1.3 KiB
Plaintext
|
# See https://goteleport.com/docs/config-reference/ and
|
||
|
# https://goteleport.com/docs/database-access/guides/postgres-self-hosted/
|
||
|
#
|
||
|
# This establishes a reverse proxy back to the central auth server,
|
||
|
# allowing that to connect to the postgres server running on
|
||
|
# localhost:5432. Auth is checked using role-based access control,
|
||
|
# which determines which hosts, databases, and database users the
|
||
|
# remote user is allowed to connect to.
|
||
|
teleport:
|
||
|
ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
|
||
|
auth_servers:
|
||
|
# Use the proxy address, to support running the db_service, which requires
|
||
|
# a reverse tunnel.
|
||
|
- teleport.zulipchat.net:443
|
||
|
|
||
|
ssh_service:
|
||
|
enabled: no
|
||
|
app_service:
|
||
|
enabled: no
|
||
|
proxy_service:
|
||
|
enabled: no
|
||
|
auth_service:
|
||
|
enabled: no
|
||
|
|
||
|
db_service:
|
||
|
enabled: yes
|
||
|
databases:
|
||
|
- name: "<%= @hostname %>"
|
||
|
protocol: "postgres"
|
||
|
uri: "localhost:5432"
|
||
|
ca_cert_file: /etc/ssl/certs/teleport-ca.crt
|
||
|
static_labels:
|
||
|
hostname: "<%= @hostname %>"
|
||
|
dynamic_labels:
|
||
|
# Every hour, refresh the label that describes if this
|
||
|
# instance is a replica; this allows access to be granted only
|
||
|
# to replicas.
|
||
|
- name: "is_replica"
|
||
|
command:
|
||
|
["sudo", "-u", "zulip", "psql", "-tc", "select pg_is_in_recovery()"]
|
||
|
period: 1h
|