From 31b5597cbdf327340b361704f02768650de57f38 Mon Sep 17 00:00:00 2001 From: Justinas Stankevicius Date: Thu, 23 Feb 2023 20:15:12 +0200 Subject: [PATCH] nixos/teleport: add "package" option --- .../manual/release-notes/rl-2305.section.md | 2 +- .../modules/services/networking/teleport.nix | 12 ++- nixos/tests/teleport.nix | 82 +++++++++++-------- 3 files changed, 60 insertions(+), 36 deletions(-) diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index fee0e51184f1..b02065e97221 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -105,7 +105,7 @@ In addition to numerous new and upgraded packages, this release has the followin - The EC2 image module previously detected and automatically mounted ext3-formatted instance store devices and partitions in stage-1 (initramfs), storing `/tmp` on the first discovered device. This behaviour, which only catered to very specific use cases and could not be disabled, has been removed. Users relying on this should provide their own implementation, and probably use ext4 and perform the mount in stage-2. -- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version. It is recommended to first upgrade to an intermediate 11.x version using an overlay before upgrading to version 12. +- `teleport` has been upgraded from major version 10 to major version 12. Please see upstream [upgrade instructions](https://goteleport.com/docs/setup/operations/upgrading/) and release notes for versions [11](https://goteleport.com/docs/changelog/#1100) and [12](https://goteleport.com/docs/changelog/#1201). Note that Teleport does not officially support upgrades across more than one major version at a time. If you're running Teleport server components, it is recommended to first upgrade to an intermediate 11.x version by setting `services.teleport.package = pkgs.teleport_11`. Afterwards, this option can be removed to upgrade to the default version (12). - The EC2 image module previously detected and activated swap-formatted instance store devices and partitions in stage-1 (initramfs). This behaviour has been removed. Users relying on this should provide their own implementation. diff --git a/nixos/modules/services/networking/teleport.nix b/nixos/modules/services/networking/teleport.nix index 6433554f87da..399af711c0e1 100644 --- a/nixos/modules/services/networking/teleport.nix +++ b/nixos/modules/services/networking/teleport.nix @@ -11,6 +11,14 @@ in services.teleport = with lib.types; { enable = mkEnableOption (lib.mdDoc "the Teleport service"); + package = mkOption { + type = types.package; + default = pkgs.teleport; + defaultText = lib.literalMD "pkgs.teleport"; + example = lib.literalMD "pkgs.teleport_11"; + description = lib.mdDoc "The teleport package to use"; + }; + settings = mkOption { type = settingsYaml.type; default = { }; @@ -74,14 +82,14 @@ in }; config = mkIf config.services.teleport.enable { - environment.systemPackages = [ pkgs.teleport ]; + environment.systemPackages = [ cfg.package ]; systemd.services.teleport = { wantedBy = [ "multi-user.target" ]; after = [ "network.target" ]; serviceConfig = { ExecStart = '' - ${pkgs.teleport}/bin/teleport start \ + ${cfg.package}/bin/teleport start \ ${optionalString cfg.insecure.enable "--insecure"} \ ${optionalString cfg.diag.enable "--diag-addr=${cfg.diag.addr}:${toString cfg.diag.port}"} \ ${optionalString (cfg.settings != { }) "--config=${settingsYaml.generate "teleport.yaml" cfg.settings}"} diff --git a/nixos/tests/teleport.nix b/nixos/tests/teleport.nix index 34bf1bc0c70d..49adb2dd4a41 100644 --- a/nixos/tests/teleport.nix +++ b/nixos/tests/teleport.nix @@ -1,18 +1,28 @@ { system ? builtins.currentSystem , config ? { } , pkgs ? import ../.. { inherit system config; } +, lib ? pkgs.lib }: with import ../lib/testing-python.nix { inherit system pkgs; }; let - minimal = { config, ... }: { - services.teleport.enable = true; + packages = with pkgs; { + "default" = teleport; + "11" = teleport_11; }; - client = { config, ... }: { + minimal = package: { services.teleport = { enable = true; + inherit package; + }; + }; + + client = package: { + services.teleport = { + enable = true; + inherit package; settings = { teleport = { nodename = "client"; @@ -37,9 +47,10 @@ let }]; }; - server = { config, ... }: { + server = package: { services.teleport = { enable = true; + inherit package; settings = { teleport = { nodename = "server"; @@ -64,36 +75,41 @@ let }; }; in -{ - minimal = makeTest { - # minimal setup should always work - name = "teleport-minimal-setup"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; - nodes = { inherit minimal; }; +lib.concatMapAttrs + (name: package: { + "minimal_${name}" = makeTest { + # minimal setup should always work + name = "teleport-minimal-setup"; + meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + nodes.minimal = minimal package; - testScript = '' - minimal.wait_for_open_port(3025) - minimal.wait_for_open_port(3080) - minimal.wait_for_open_port(3022) - ''; - }; + testScript = '' + minimal.wait_for_open_port(3025) + minimal.wait_for_open_port(3080) + minimal.wait_for_open_port(3022) + ''; + }; - basic = makeTest { - # basic server and client test - name = "teleport-server-client"; - meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; - nodes = { inherit server client; }; + "basic_${name}" = makeTest { + # basic server and client test + name = "teleport-server-client"; + meta.maintainers = with pkgs.lib.maintainers; [ ymatsiuk ]; + nodes = { + server = server package; + client = client package; + }; - testScript = '' - with subtest("teleport ready"): - server.wait_for_open_port(3025) - client.wait_for_open_port(3022) + testScript = '' + with subtest("teleport ready"): + server.wait_for_open_port(3025) + client.wait_for_open_port(3022) - with subtest("check applied configuration"): - server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'") - server.wait_for_open_port(3000) - client.succeed("journalctl -u teleport.service --grep='DEBU'") - server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") - ''; - }; -} + with subtest("check applied configuration"): + server.wait_until_succeeds("tctl get nodes --format=json | ${pkgs.jq}/bin/jq -e '.[] | select(.spec.hostname==\"client\") | .metadata.labels.role==\"client\"'") + server.wait_for_open_port(3000) + client.succeed("journalctl -u teleport.service --grep='DEBU'") + server.succeed("journalctl -u teleport.service --grep='Starting teleport in insecure mode.'") + ''; + }; + }) + packages