This repository contains the Dockerfile and the necessary files to provision a Debian VM with Terraform into Openstack, install Teleport and Caddy, and configure the latter to act as a reverse proxy for the former.
- Cloudflare account
- Openstack cluster
- Terraform CLI
Clone the repository and navigate to the `terraform` directory. Edit the `variables.tf` file to match your environment.
Here are the commands to run:
```bash
git clone https://github.com/GridexX/teleport-openstack-caddy
cd ./teleport-openstack-caddy/terraform
# Edit the variables in the `variables.tf` file
terraform init
terraform plan
terraform apply
```
Once the VM is provisioned, you need to configure the `docker-compose.yml` file with the Teleport URL and the Cloudflare API token.
First, retrieve the floating IP address of the VM with the following command:
```bash
terraform output -json | jq '.instance_fip_address.value' | sed -e 's/"//g'
```
Inside Cloudflare, create the DNS record for the Teleport instance.
> [!NOTE]
> Teleport uses the wildcard DNS record `*.example.com` to create a subdomain for each user, so you need to create a wildcard DNS record for the domain name you want to use. You also need to create a DNS record for the Teleport instance itself.
We will link the Openstack VM to a Cloudflare DNS record, so we need to create a Cloudflare API token with the following permissions:
- Zone > DNS > Edit
- Zone Resources > Specific Zone > example.com
- Client IP Address Filtering > Is in
Once created, save the API token in a variable called CLOUDFLARE_API_TOKEN.
Connect to the VM with SSH and run the following commands:
```bash
cd ~/compose-teleport
export TELEPORT_URL="your-teleport-url"
envsubst < tmp-docker-compose.yml > docker-compose.yml
export CLOUDFLARE_API_TOKEN="your-api-token"
```
> [!IMPORTANT]
> Replace `your-api-token` with the Cloudflare API token and `your-teleport-url` with the URL of the Teleport instance. The Cloudflare API token is exported only after the `envsubst` command so that it is not written into the `docker-compose.yml` file: `envsubst` without arguments expands every exported variable it finds in the template.
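The step above relies on export order to keep the token out of the rendered file. The script below is an added example (not part of the repository) that makes the same rendering independent of export order by passing `envsubst` an explicit list of variables to substitute, then checks that the rendered file contains neither the token value nor an expanded token line. The template embedded in `write_template` is a constructed stand-in for `tmp-docker-compose.yml`; it assumes the real template references `${TELEPORT_URL}` and `${CLOUDFLARE_API_TOKEN}` in the same way.

```shell
#!/bin/sh
# Added example, not the repository's own code: render a compose template
# with envsubst limited to one variable, then verify the secret never
# reached the rendered file.
set -e

# Constructed stand-in for tmp-docker-compose.yml (assumption: the real
# template references the two variables like this).
write_template() {
  cat > "$1" <<'EOF'
services:
  caddy:
    environment:
      - CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}
    labels:
      caddy: ${TELEPORT_URL}
EOF
}

# Render the template, substituting only TELEPORT_URL. The SHELL-FORMAT
# argument makes envsubst leave every other ${VAR} untouched, so the
# result is the same whether or not CLOUDFLARE_API_TOKEN is exported.
render_compose() {
  template="$1"; out="$2"
  if command -v envsubst >/dev/null 2>&1; then
    envsubst '${TELEPORT_URL}' < "$template" > "$out"
  else
    # Fallback for hosts without gettext: the same single-variable
    # substitution done with sed.
    sed "s|\${TELEPORT_URL}|${TELEPORT_URL}|g" "$template" > "$out"
  fi
}

# Return 0 if the rendered file contains neither the token value nor an
# expanded token line (the literal ${CLOUDFLARE_API_TOKEN} must survive),
# 1 otherwise.
check_no_secret() {
  out="$1"; secret="$2"
  if grep -qF -- "$secret" "$out"; then
    return 1
  fi
  grep -qF 'CLOUDFLARE_API_TOKEN=${CLOUDFLARE_API_TOKEN}' "$out"
}

# Exports the token *before* rendering on purpose, to show that the
# restricted envsubst call still keeps it out of docker-compose.yml.
demo() {
  dir=$(mktemp -d)
  write_template "$dir/tmp-docker-compose.yml"
  export TELEPORT_URL="teleport.example.com"
  export CLOUDFLARE_API_TOKEN="constructed-token-value"   # constructed, not a real token
  render_compose "$dir/tmp-docker-compose.yml" "$dir/docker-compose.yml"
  if check_no_secret "$dir/docker-compose.yml" "$CLOUDFLARE_API_TOKEN"; then
    echo "ok: token not written to docker-compose.yml"; rc=0
  else
    echo "FAIL: token leaked into docker-compose.yml"; rc=1
  fi
  rm -rf "$dir"
  return "$rc"
}

demo
```

Running `check_no_secret` against the real `docker-compose.yml` after the repository's own `envsubst` step is a cheap way to confirm the file is safe to leave on disk; Compose will still read `CLOUDFLARE_API_TOKEN` from the environment at `docker-compose up` time.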
This repository uses a custom Caddy image with the Cloudflare DNS plugin. It also uses the Docker-proxy, which allows Caddy to be configured from the labels of the Docker containers.
You can modify the Docker image to match your needs.
Once the `docker-compose.yml` file is created, run the following command to start the Caddy and Teleport containers:
```bash
docker-compose up -d
```
The Teleport web interface is now accessible at `https://teleport.example.com`. Replace `example.com` with your domain name.
This project is licensed under the MIT License - see the LICENSE file for details.
Made by GridexX during February 2024 🏰