puppet: Switch teleport to running under systemd, not supervisord.

There is no reason that the base node access method should be run
under supervisor, which exists primarily to give access to the `zulip`
user to restart its managed services.  This access is unnecessary for
Teleport, and also causes unwanted restarts of Teleport services when
the `supervisor` base configuration changes.  Additionally,
supervisor does not support the in-place upgrade process that Teleport
uses, as it replaces its core process with a new one.

Switch to installing a systemd configuration file (as generated by
`teleport install systemd`) for each part of Teleport, customized to
pass a `--config` path.  As such, we explicitly disable the `teleport`
service provided by the package.

The supervisor process is shut down by dint of no longer installing
the file, which purges it from the managed directory, and reloads
Supervisor to pick up the removed service.

puppet/zulip_ops/files/supervisor/conf.d/teleport_db.conf

@@ -1,8 +0,0 @@
-[program:teleport_db]
-command=/usr/local/bin/teleport start --config=/etc/teleport_db.yaml
-priority=10
-autostart=true
-autorestart=true
-user=root
-redirect_stderr=true
-stdout_logfile=/var/log/teleport_db.log

puppet/zulip_ops/files/supervisor/conf.d/teleport_node.conf

@@ -1,8 +0,0 @@
-[program:teleport_node]
-command=/usr/local/bin/teleport start --config=/etc/teleport_node.yaml
-priority=10
-autostart=true
-autorestart=true
-user=root
-redirect_stderr=true
-stdout_logfile=/var/log/teleport_node.log

puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf

@@ -1,8 +0,0 @@
-[program:teleport_server]
-command=/usr/local/bin/teleport start --config=/etc/teleport_server.yaml
-priority=10
-autostart=true
-autorestart=true
-user=root
-redirect_stderr=true
-stdout_logfile=/var/log/teleport_server.log

puppet/zulip_ops/manifests/profile/teleport.pp

@@ -6,16 +6,9 @@ class zulip_ops::profile::teleport {
     group  => 'root',
     mode   => '0644',
     source => 'puppet:///modules/zulip_ops/teleport_server.yaml',
+    notify => Service['teleport_server'],
   }
-  file { "${zulip::common::supervisor_conf_dir}/teleport_server.conf":
-    ensure  => file,
-    require => [ Package[supervisor], Package[teleport], File['/etc/teleport_server.yaml'] ],
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    source  => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_server.conf',
-    notify  => Service[$zulip::common::supervisor_service],
-  }
+  zulip_ops::teleport::part { 'server': }
 
   # https://goteleport.com/docs/admin-guide/#ports
   # Port 443 is outward-facing, for UI

puppet/zulip_ops/manifests/teleport/base.pp

@@ -6,7 +6,13 @@ class zulip_ops::teleport::base {
     command => "${setup_apt_repo_file} --list teleport",
     unless  => "${setup_apt_repo_file} --list teleport --verify",
   }
-  Package { 'teleport':
+  package { 'teleport':
+    ensure  => installed,
     require => Exec['setup-apt-repo-teleport'],
   }
+  service { 'teleport':
+    ensure  => stopped,
+    enable  => mask,
+    require => Package['teleport'],
+  }
 }

puppet/zulip_ops/manifests/teleport/db.pp

@@ -11,19 +11,8 @@ class zulip_ops::teleport::db {
     group   => 'root',
     mode    => '0644',
     content => template('zulip_ops/teleport_db.yaml.template.erb'),
+    notify  => Service['teleport_db'],
   }
 
-  file { "${zulip::common::supervisor_conf_dir}/teleport_db.conf":
-    ensure  => file,
-    require => [
-      Package[supervisor],
-      Package[teleport],
-      File['/etc/teleport_db.yaml'],
-    ],
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    source  => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_db.conf',
-    notify  => Service[$zulip::common::supervisor_service],
-  }
+  zulip_ops::teleport::part { 'db': }
 }

puppet/zulip_ops/manifests/teleport/node.pp

@@ -10,6 +10,7 @@ class zulip_ops::teleport::node {
     owner  => 'root',
     group  => 'root',
     mode   => '0644',
+    notify => Service['teleport_node'],
   }
   concat::fragment { 'teleport_node_base':
     target => '/etc/teleport_node.yaml',
@@ -17,17 +18,5 @@ class zulip_ops::teleport::node {
     order  => '01',
   }
 
-  file { "${zulip::common::supervisor_conf_dir}/teleport_node.conf":
-    ensure  => file,
-    require => [
-      Package[supervisor],
-      Package[teleport],
-      Concat['/etc/teleport_node.yaml'],
-    ],
-    owner   => 'root',
-    group   => 'root',
-    mode    => '0644',
-    source  => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_node.conf',
-    notify  => Service[$zulip::common::supervisor_service],
-  }
+  zulip_ops::teleport::part { 'node': }
 }

puppet/zulip_ops/manifests/teleport/part.pp

@@ -0,0 +1,21 @@
+# @summary Adds a systemd service named teleport_$name
+#
+define zulip_ops::teleport::part() {
+  $part = $name
+  file { "/etc/systemd/system/teleport_${part}.service":
+    require => [
+      Package[teleport],
+    ],
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0644',
+    content => template('zulip_ops/teleport.service.template.erb'),
+    notify  => Service["teleport_${part}"],
+  }
+
+  service {"teleport_${part}":
+    ensure  => running,
+    enable  => true,
+    require => [Service['supervisor'], Service['teleport']],
+  }
+}

puppet/zulip_ops/templates/teleport.service.template.erb

@@ -0,0 +1,15 @@
+[Unit]
+Description=Teleport <%= @part %> Service
+After=network.target
+
+[Service]
+Type=simple
+Restart=on-failure
+EnvironmentFile=-/etc/default/teleport_<%= @part %>
+ExecStart=/usr/local/bin/teleport start --pid-file=/run/teleport_<%= @part %>.pid --config=/etc/teleport_<%= @part %>.yaml
+ExecReload=/bin/kill -HUP $MAINPID
+PIDFile=/run/teleport_<%= @part %>.pid
+LimitNOFILE=524288
+
+[Install]
+WantedBy=multi-user.target