1 { config, pkgs, lib, ... }:
6 cfg = config.services.teleport;
7 settingsYaml = pkgs.formats.yaml { };
11 services.teleport = with lib.types; {
12 enable = mkEnableOption "the Teleport service";
14 package = mkPackageOption pkgs "teleport" {
15 example = "teleport_11";
19 type = settingsYaml.type;
21 example = literalExpression ''
25 advertise_ip = "192.168.1.2";
26 auth_token = "60bdc117-8ff4-478d-95e4-9914597847eb";
27 auth_servers = [ "192.168.1.1:3025" ];
28 log.severity = "DEBUG";
36 proxy_service.enabled = false;
37 auth_service.enabled = false;
41 Contents of the `teleport.yaml` config file.
42 The `--config` arguments will only be passed if this set is not empty.
44 See <https://goteleport.com/docs/setup/reference/config/>.
48 insecure.enable = mkEnableOption ''
49 starting teleport in insecure mode.
52 Sensitive information will be logged to console and certificates will not be verified.
55 Teleport starts with disabled certificate validation on Proxy Service, validation still occurs on Auth Service
59 enable = mkEnableOption ''
60 endpoints for monitoring purposes.
62 See <https://goteleport.com/docs/setup/admin/troubleshooting/#troubleshooting/>
67 default = "127.0.0.1";
68 description = "Metrics and diagnostics address.";
74 description = "Metrics and diagnostics port.";
80 config = mkIf config.services.teleport.enable {
81 environment.systemPackages = [ cfg.package ];
83 systemd.services.teleport = {
84 wantedBy = [ "multi-user.target" ];
85 after = [ "network.target" ];
88 ${cfg.package}/bin/teleport start \
89 ${optionalString cfg.insecure.enable "--insecure"} \
90 ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \
91 ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"}
93 ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
97 RuntimeDirectory = "teleport";