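# See https://goteleport.com/docs/config-reference/ and
# https://goteleport.com/docs/database-access/guides/postgres-self-hosted/
#
# This establishes a reverse tunnel back to the central auth server,
# allowing it to reach the postgres server on port 5432 of this host.
# Auth is checked using role-based access control, which determines
# which hosts, databases, and database users the remote user is
# allowed to connect to.
#
# This is an ERB template: the <% %> / <%= %> tags are expanded before
# the file is parsed as YAML, so review the rendered output as well as
# this file.
teleport:
  # Pin the auth server's CA by hash, so that the initial join (which
  # happens before this node has any credentials) cannot be diverted to
  # a different auth server.  If the cluster's host CA is rotated, this
  # pin must be updated or the node will refuse to join.
  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
  auth_servers:
    # Use the proxy address, to support running the db_service, which
    # requires a reverse tunnel.
    - teleport.zulipchat.net:443
<% if @is_ec2 -%>
  # On EC2, join using the instance's IAM identity; no shared secret
  # needs to be distributed to the host.
  join_params:
    method: iam
    token_name: iam-token
<% else -%>
  # Otherwise, join with a pre-shared token.  It is quoted so that a
  # token value that happens to look like a number, boolean, or contain
  # ": " cannot be mis-typed or mis-parsed by the YAML loader.
  join_params:
    method: token
    token_name: "<%= @join_token %>"
<% end %>

# Only the database service runs here; every other role is off so this
# host neither accepts SSH/app/proxy traffic nor acts as an auth server.
# true/false are used rather than yes/no, which are YAML 1.1 booleans
# and are rejected or retyped by some loaders and linters.
ssh_service:
  enabled: false
app_service:
  enabled: false
proxy_service:
  enabled: false
auth_service:
  enabled: false

db_service:
  enabled: true
  databases:
    - name: "<%= @hostname %>"
      protocol: "postgres"
      # The host's FQDN is used rather than localhost, presumably so the
      # name matches the postgres server certificate verified against
      # ca_cert_file below -- confirm against the certificate's SANs.
      uri: "<%= @fqdn %>:5432"
      # CA used to verify the postgres server's TLS certificate, so the
      # connection from Teleport to postgres is authenticated, not just
      # encrypted.
      ca_cert_file: /etc/ssl/certs/teleport-ca.crt
      static_labels:
        hostname: "<%= @hostname %>"
      dynamic_labels:
        # Every hour, refresh the label that describes if this
        # instance is a replica; this allows access to be granted only
        # to replicas (roles match on the label's value).
        #
        # NOTE(review): the label is part of the access decision and
        # lags reality by up to `period`: a replica that is promoted to
        # primary may still carry is_replica from the previous run for
        # up to an hour.  The command runs via sudo, so the teleport
        # process's user needs a matching sudoers entry; psql -t output
        # is whitespace-padded and relies on Teleport trimming it --
        # confirm.
        - name: "is_replica"
          command: ["sudo", "-u", "zulip", "psql", "-tc", "select pg_is_in_recovery()"]
          period: 1h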