
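# See https://goteleport.com/docs/config-reference/ and
# https://goteleport.com/docs/database-access/guides/postgres-self-hosted/
#
# This establishes a reverse proxy back to the central auth server,
# allowing that to connect to the postgres server running on
# localhost:5432. Auth is checked using role-based access control,
# which determines which hosts, databases, and database users the
# remote user is allowed to connect to.
#
# This file is an ERB template: the <% %> / <%= %> sections are expanded
# by Puppet before Teleport parses the result as YAML.
teleport:
  # Pin of the auth server's CA certificate; the agent refuses to join a
  # cluster whose CA does not match this hash.
  ca_pin: "sha256:df15ba56d56227e288ce183d7eee77a6bef552aaaa5dc25f0f5ea56494ce14c6"
  auth_servers:
    # Use the proxy address, to support running the db_service, which requires
    # a reverse tunnel.
    - teleport.zulipchat.net:443
<% if @is_ec2 -%>
  # On EC2, join using the instance's IAM identity; no shared secret is needed.
  join_params:
    method: iam
    token_name: iam-token
<% else -%>
  # Elsewhere, join with a pre-provisioned token.  Quoted so that a token
  # consisting only of digits (or otherwise number/boolean-looking) is still
  # read as a string by the YAML parser.
  join_params:
    method: token
    token_name: "<%= @join_token %>"
<% end %>
# Only the database service runs on this host; every other Teleport role
# is disabled explicitly.  Canonical YAML booleans (true/false) are used
# rather than yes/no, which are YAML 1.1-only spellings.
ssh_service:
  enabled: false
app_service:
  enabled: false
proxy_service:
  enabled: false
auth_service:
  enabled: false
db_service:
  enabled: true
  databases:
    - name: "<%= @hostname %>"
      protocol: "postgres"
      # NOTE(review): the header comment says localhost:5432, but the URI
      # uses the host's FQDN; presumably so the name matches the server
      # certificate verified against ca_cert_file -- confirm.
      uri: "<%= @fqdn %>:5432"
      ca_cert_file: /etc/ssl/certs/teleport-ca.crt
      static_labels:
        hostname: "<%= @hostname %>"
      dynamic_labels:
        # Every hour, refresh the label that describes if this
        # instance is a replica; this allows access to be granted only
        # to replicas.
        - name: "is_replica"
          command:
            ["sudo", "-u", "zulip", "psql", "-tc", "select pg_is_in_recovery()"]
          period: 1h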