From 1cdf14d19541570eab93d246d04fadf2d4a51556 Mon Sep 17 00:00:00 2001 From: Alex Vandiver Date: Wed, 2 Jun 2021 01:41:02 +0000 Subject: [PATCH] puppet: Add a teleport server. See https://goteleport.com/docs/architecture/overview/ for the general architecture of a Teleport cluster. This commit adds a Teleport auth[1] and proxy[2] server. The auth server serves as a CA for granting time-bounded access to users and authenticating nodes on the cluster; the proxy provides access and a management UI. [1] https://goteleport.com/docs/architecture/authentication/ [2] https://goteleport.com/docs/architecture/proxy/ --- .../supervisor/conf.d/teleport_server.conf | 8 +++ puppet/zulip_ops/files/teleport_server.yaml | 31 +++++++++++ .../zulip_ops/manifests/profile/teleport.pp | 31 +++++++++++ puppet/zulip_ops/manifests/teleport/base.pp | 12 +++++ scripts/setup/apt-repos/teleport/bionic.list | 1 + scripts/setup/apt-repos/teleport/focal.list | 1 + .../apt-repos/teleport/teleport-pubkey.asc | 52 +++++++++++++++++++ 7 files changed, 136 insertions(+) create mode 100644 puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf create mode 100644 puppet/zulip_ops/files/teleport_server.yaml create mode 100644 puppet/zulip_ops/manifests/profile/teleport.pp create mode 100644 puppet/zulip_ops/manifests/teleport/base.pp create mode 100644 scripts/setup/apt-repos/teleport/bionic.list create mode 100644 scripts/setup/apt-repos/teleport/focal.list create mode 100644 scripts/setup/apt-repos/teleport/teleport-pubkey.asc diff --git a/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf b/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf new file mode 100644 index 0000000000..8a6c1f8ea6 --- /dev/null +++ b/puppet/zulip_ops/files/supervisor/conf.d/teleport_server.conf 
@@ -0,0 +1,8 @@
+[program:teleport_server]
+command=/usr/local/bin/teleport start --config=/etc/teleport_server.yaml
+priority=10
+autostart=true
+autorestart=true
+user=root
+redirect_stderr=true
+stdout_logfile=/var/log/teleport_server.log
diff --git a/puppet/zulip_ops/files/teleport_server.yaml b/puppet/zulip_ops/files/teleport_server.yaml
new file mode 100644
index 0000000000..52a0878064
--- /dev/null
+++ b/puppet/zulip_ops/files/teleport_server.yaml
@@ -0,0 +1,31 @@
+# See https://goteleport.com/docs/config-reference/ and
+# https://goteleport.com/docs/admin-guide/#configuration
+teleport:
+  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
+
+auth_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3025
+  cluster_name: teleport.zulipchat.net
+  authentication:
+    type: local
+    second_factor: on
+    u2f:
+      app_id: https://teleport.zulipchat.net
+      facets:
+        - https://teleport.zulipchat.net:443
+        - https://teleport.zulipchat.net
+        - teleport.zulipchat.net:443
+        - teleport.zulipchat.net
+
+proxy_service:
+  enabled: "yes"
+  listen_addr: 0.0.0.0:3023
+  web_listen_addr: 0.0.0.0:443
+  public_addr: teleport.zulipchat.net:443
+  acme:
+    enabled: "yes"
+    email: zulip-ops@zulip.com
+
+ssh_service:
+  enabled: no
diff --git a/puppet/zulip_ops/manifests/profile/teleport.pp b/puppet/zulip_ops/manifests/profile/teleport.pp
new file mode 100644
index 0000000000..299b9d4047
--- /dev/null
+++ b/puppet/zulip_ops/manifests/profile/teleport.pp
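Review bot: `user=root` in the `[program:teleport_server]` block is not explained anywhere in the conf; the only visible reason is in the sibling yaml of this commit, where the proxy binds `0.0.0.0:443` and runs ACME, which needs root or `CAP_NET_BIND_SERVICE`, but the conf itself does not say so. Add a comment above the line such as `; runs as root: the proxy listens on :443 and manages ACME certificates` so the privilege level reads as a deliberate choice and can be revisited if the listener or certificate handling later moves. Whether Teleport needs root for anything beyond the port bind with `ssh_service` disabled is not visible here and is worth confirming against the version being deployed.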
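Review bot: `second_factor: on` under `authentication:` is unquoted while the sibling `enabled: "yes"` values are quoted, and `ssh_service` uses a third form with unquoted `enabled: no`; `on`, `yes` and `no` are all YAML 1.1 boolean literals, so whichever concern motivated quoting `yes` applies equally to the other two. Pick one convention for the file; quoting (`second_factor: "on"` and `enabled: "no"`) is the safe choice, since a loader that resolves booleans before matching Teleport's string values would turn `on` into `true`. Whether Teleport's parser actually does so cannot be seen from this commit, but consistency alone justifies the change.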
@@ -0,0 +1,31 @@
+class zulip_ops::profile::teleport {
+  include zulip_ops::profile::base
+  include zulip_ops::teleport::base
+
+  file { '/etc/teleport_server.yaml':
+    owner => 'root',
+    group => 'root',
+    mode => '0644',
+    source => 'puppet:///modules/zulip_ops/teleport_server.yaml',
+  }
+  file { "${zulip::common::supervisor_conf_dir}/teleport_server.conf":
+    ensure => file,
+    require => [ Package[supervisor], Package[teleport], File['/etc/teleport_server.yaml'] ],
+    owner => 'root',
+    group => 'root',
+    mode => '0644',
+    source => 'puppet:///modules/zulip_ops/supervisor/conf.d/teleport_server.conf',
+    notify => Service[$zulip::common::supervisor_service],
+  }
+
+  # https://goteleport.com/docs/admin-guide/#ports
+  # Port 443 is outward-facing, for UI
+  zulip_ops::firewall_allow { 'teleport_server_ui': port => 443 }
+  # Port 3023 is outward-facing, for teleport clients to connect to.
+  zulip_ops::firewall_allow { 'teleport_server_proxy': port => 3023 }
+  # Port 3034 is outward-facing, for teleport servers outside the
+  # cluster to connect back to establish reverse proxies.
+  zulip_ops::firewall_allow { 'teleport_server_reverse': port => 3024 }
+  # Port 3025 is inward-facing, for other nodes to look up auth information
+  zulip_ops::firewall_allow { 'teleport_server_auth': port => 3025 }
+}
diff --git a/puppet/zulip_ops/manifests/teleport/base.pp b/puppet/zulip_ops/manifests/teleport/base.pp
new file mode 100644
index 0000000000..db46ca6792
--- /dev/null
+++ b/puppet/zulip_ops/manifests/teleport/base.pp
@@ -0,0 +1,12 @@
+class zulip_ops::teleport::base {
+  include zulip::supervisor
+
+  $setup_apt_repo_file = "${::zulip_scripts_path}/lib/setup-apt-repo"
+  exec{ 'setup-apt-repo-teleport':
+    command => "${setup_apt_repo_file} --list teleport",
+    unless => "${setup_apt_repo_file} --list teleport --verify",
+  }
+  Package { 'teleport':
+    require => Exec['setup-apt-repo-teleport'],
+  }
+}
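Review bot: The comment above `zulip_ops::firewall_allow { 'teleport_server_reverse': port => 3024 }` says `Port 3034` while the rule opens 3024; change it to `# Port 3024 is outward-facing, for teleport servers outside the` so the documented and opened ports agree. Separately, `file { '/etc/teleport_server.yaml': ... }` carries no `notify`, so an edit to the Teleport config is written to disk but the running `teleport_server` program is not restarted, while the supervisor conf resource right below it does notify `Service[$zulip::common::supervisor_service]`; if that service restart is what makes supervisor re-read program configs, add the same `notify => Service[$zulip::common::supervisor_service],` to the yaml resource, otherwise a targeted restart exec is needed. Finally, the 3025 comment calls the auth port inward-facing, yet its `firewall_allow` is declared exactly like the outward-facing 443/3023/3024 rules; if `zulip_ops::firewall_allow` (defined outside this commit) admits all sources by default, the auth API would be reachable from outside the cluster, so restricting that rule to the cluster's node addresses is worth confirming.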
diff --git a/scripts/setup/apt-repos/teleport/bionic.list b/scripts/setup/apt-repos/teleport/bionic.list
new file mode 100644
index 0000000000..9e00494e3e
--- /dev/null
+++ b/scripts/setup/apt-repos/teleport/bionic.list
@@ -0,0 +1 @@
+deb https://deb.releases.teleport.dev/ stable main
diff --git a/scripts/setup/apt-repos/teleport/focal.list b/scripts/setup/apt-repos/teleport/focal.list
new file mode 100644
index 0000000000..9e00494e3e
--- /dev/null
+++ b/scripts/setup/apt-repos/teleport/focal.list
@@ -0,0 +1 @@
+deb https://deb.releases.teleport.dev/ stable main
diff --git a/scripts/setup/apt-repos/teleport/teleport-pubkey.asc b/scripts/setup/apt-repos/teleport/teleport-pubkey.asc
new file mode 100644
index 0000000000..8f4f80b98a
--- /dev/null
+++ b/scripts/setup/apt-repos/teleport/teleport-pubkey.asc
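Review bot: `deb https://deb.releases.teleport.dev/ stable main` in `bionic.list` carries no `[signed-by=...]` option, so the trust scope of `teleport-pubkey.asc` depends entirely on how `setup-apt-repo` (outside this commit) installs it; if that lands in the global apt keyring, the vendor key can sign packages for every configured repository rather than just this one. If the script supports per-repository keyrings, `deb [signed-by=<KEYRING_PATH>] https://deb.releases.teleport.dev/ stable main` (path is a placeholder) limits the key to the Teleport repository. The same line and the same point apply to the identical `focal.list` hunk.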
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF+R3LYBEADOEO9i3Dm5rEAiXONchX3M54QzZX0yHArSpYQ5aJDdJRQbqzqT ++e2os8NpSjVDZFNz5ul8xkZsnCLX7pgrAYqq+vsXL4bMWDP96S6PjfVIAyV4ylv0 +DBReMdkaAZb/IoPhkSTT+ayw4eGEtUz/k7mxMpQ9ob7qFtGs8aNVT/An5LfFR1Lx +9WOlFPPIAJKcHVIyRD+4EoCSn1R1c61UHFIRatbAnwOLs3iz4/GU+w9wdbuWbDuk +nGdG0Lmlzp42HHxeJJFQlOTed97+trktvAiuzA/0lbQHEcWvxfWAy5//cjORp+H3 +RGLp8fJ+fFRAyA4WP6O3wIC4gAAgsEn8WpVT8wZYlLMRf694SeawBtyUSlcsn9i1 +LuOh5akOY3iQtH01+rMBjOaMkCmpT2nQaUH+HS2iZBddBHdAMMQtj2UolMRbUSxH ++GJczes1t9/WH3vbvh5ESMOy0fH14Tjo+9yQYa4EhFNNloAG10DYFLlCj47fWDdS +o/++vhZsKaS7yLHDGOLPT+x15ComG2gupmRkbATvUddztlsfF+tD97laT9eaLB1W +zxszqr8+LxP961wmbS2j+ZBbXyrPr1Fln/TdyFAhkIMJ+J5hZB+NcjRUwUoB7nOd ++FbTxtnyJb2iaJNCJHJQVA85IYzUpXA3CDdgUHF810kVBcBPBtLhZC5ybQARAQAB +tCtHcmF2aXRhdGlvbmFsLCBJbmMgPGluZm9AZ3Jhdml0YXRpb25hbC5jb20+iQJU +BBMBCAA+FiEEDF6LpWWOMg0bAxF5yH7VOmKCxBEFAl+R3LYCGwMFCRLMAwAFCwkI +BwIGFQoJCAsCBBYCAwECHgECF4AACgkQyH7VOmKCxBFfxxAAiXWJm86oZtVdAlp1 +pzpKeV0pwgrnt7Uk8fu5tYpdE/oVMnwcdsDDQucItGtHGfjmzs3Cr8/praekenf1 +9iHSz422OpIGzCI4VfXaFPVfzbV1w7cSOnceY6lPnKUMrRBKKJX5Nw/6LZS40gsQ +BoeZxe0MXB4tBc4dY30f1MQ44amRYmtTA7wep+ymVRfkPnHNnIrsdYGldbfPsbPO +PUX8ZnWZiuI0+NgX3oBOl6YY4JehBJj61Ukx1DPHHLhhundHumChYFn+LBIZxD3O +B9uoRzUzwUIM0N9IUjpGvtkqtm7Vbs6/bDxI4Owgsa7vXpEXZ2qD0AIle7sD0Fjl +F19o2mXmEeQp9Fl4OrkZCURCQvPq9UCh6Nu0a1+SnbG+qXyyvqszy2tkV4xmcF4w +Gib0SVT8RR08NeJXkHtBscnecgUA1BTH8J8RnUeQXZhUn51bVJk4JaDnEXp8VEP2 +gNce+oUY2XQtLDVzHysGhexDrWk8ycl/zvwyxKv+kj5QhjXugHkOMnW53mdMe3N/ +gwsV+kJUm6NdtLtTAOkky/GfkIGTWNQPD2/42T+0cA9lTVxihh+wz9tgA1ZbtVOK +P2DNA10rsCuzGPFn8d6Khymt0o66dgfEloy9Y14leoqUCMPU3ibLP6bYuow2AJUz +KcvTgmfjP1/ghNXI7E2vgNi8wta5Ag0EX5HctgEQALx4btbP47LwrIqB4loog2sT +pac7fdbA+YVeqP/9KoLw1ZB+5DeqNKmtUHSau9mRVh8a8g7slpGhH6hxlEHr7ek/ +mA/o91jB4RGo5mfyuWcJQKRyHS4pWciEM/gK+o6lEceTdUwvKI6OrJ4koPd3HZth +mw+xPyAdGKY3oBmrXeZ6XkuDfME8doRmuwlw/tbmje63/2j97ebiFfQcyWLH32d8 +T+yEpAj+55Qxp6aJZaDOeAuzBtyAopxGRjGsxBUF/VSUwxYb0bmwWgPIhPC77oEk 
+AEMPsIsI9LJ8fQY/sOzwhyNNt+b7rgto6AFskz7urezzCuuIwMeupmC78QWGw9jM +zHFf3R6O1KQ0v8PBYYb6BHkjzho6hTcOZO9Zh+XO4k6uEwlu+Zc0AmyHmQeQ3I8Z +tAb//LJk9X62yNPE/8wjtEUzXqyzlLpGjRFr6kQv+6nqs8JxyCnS34Q+au2IqOnn +iFkHj/w79mtmzR4G43wo3x1nGjyz+vTpsurmJ+qFMO0bLcE/HV8aGxs0YeQsByOc +SU8TK6v+Wkn58LT4cvjIO5G/2UM7kucXl56hqvguvnFTLNqewWtqgS7IRuykcYgK +HrBYb/iVH+Fb+9Th9VX7bl0ZeoH7O8RbvxKGkd90+DPsurBeIQ7S4zM9w7WnAsAC +Sgs8owYZpHpyrK8QFD4zABEBAAGJAjwEGAEIACYWIQQMXoulZY4yDRsDEXnIftU6 +YoLEEQUCX5HctgIbDAUJEswDAAAKCRDIftU6YoLEEURID/4oQhZZPindZJHiwQqm +0a8H1ssgZAz6E8PejoN0gbsblbOrtkGDLU8gvzksvd/9luSLRgPw++m6ut87PeMv +MKc4UIyRb5oSgh5WE0bW9191Gkfge9DRrIdtUDG8N+oTlIWYHTXC5zlwmfMobtQE +kFUdPbedhytYx1wgbh8KP8sLXGPXut5VqDy/EgNzqERnI5kLeiDvMsLz0xjdHpGW +ASfJMNX120GU8Mwqa6gWvP52BB20pU9bC1VQX1qiqD6V1GpxQJ2jACKke6boiqbL +Bdb0UgmW4XYIp4ZjLC842e0qSyfd8rt3PzYrbK/NPuXAV7f+wAhPSC18v+1Ap5Kh +KKHRLvyUVGxwaBVedOuuC/OqJwSSLa0cQKytFK+3OJAdTYoHtsh++ScgEL/wOCXs +gM5xmlI6Pk/6Ev0Hz/kDY5F0w4/VvSEaS/7TSkmf5JvxdueVObf5ry5O+L4J7t7y +JwdtPhXgHR0PHidnh/02SVn8XIzHdB9OZ2i6Wr12loFZGltWdmJVkQC/cj/HBr5I +ZizQril+7cXDI/8Hyk04d19rmjSIU49FderpNYYOv38dqaAsosYge6JzYdIzJrJH +/DIKnSAU/a14sFUrNm+TYJmZto35hSltUxLEzLIWeR9TjpOh6VS1UzdGQh32NP+h +oq8y1SJMCrfC9Ub5q2/ijiJWUw== +=+Ne5 +-----END PGP PUBLIC KEY BLOCK-----