---
title: "RMU Build: Teleport Setup"
slug: rmu-build-teleport
description: Provision the Teleport container on the Gen-1.5 RMU, install the Teleport software, share RMU services through Teleport, and reference notes on roles, tokens, and upgrades.
tags:
  - node-provider
  - rmu
  - gen-1
  - teleport
  - networking
  - hardening
  - runbook
date: 2026-05-04
related:
  - node-provider-documentation
  - gen-1-to-gen-1-5-rmu-build
  - rmu-build-proxmox
  - rmu-build-maas
---

This page covers section III of the
[Gen-1 to Gen-1.5 RMU build runbook](/wiki/gen-1-to-gen-1-5-rmu-build/).
Teleport provides secure remote access to all of the services
installed on the RMU.

Complete the [Proxmox setup](/wiki/rmu-build-proxmox/) before
starting.

## A. Create Teleport CT

1. From the main Proxmox page, click **Create CT** (top right) to
   open the **Create: LXC Container** dialog.
2. Tick **Advanced** and configure:
   - **CT ID**: `122`
   - **Hostname**: `<dc>-teleport`
   - Set a strong, unique password for `root` and store it in your
     password manager under `<dc> Teleport`. Optionally add your SSH
     public key.

   Click **Next**.
3. Select the `ubuntu-22.04-standard` template. Click **Next**.
4. Accept the default disk size. Click **Next**.
5. Set **Cores** to `4`. Click **Next**.
6. Set **Memory** and **Swap** to `2048`. Click **Next**.
7. Configure the network:
   - **Bridge**: `vmbr1` (`LAN`)
   - Uncheck **Firewall**.
   - **IPv4**: `Static`, IP `10.10.100.22/24` (CIDR is required)
   - **Gateway**: `10.10.100.1`
   - **IPv6**: `SLAAC`

   Click **Next**.
8. No changes are required on the **DNS** tab. Click **Next**.
9. Tick **Start after created** and click **Finish**.
10. When complete, close the dialog window.
11. After the container starts, ensure Proxmox has it set to **Start
    at boot**. Select the container in the left navigation, click
    **Options**, double-click **Start at Boot**, tick the box, and
    click **OK**.
12. Select **Network** from the left navigation menu and click
    **Add**.
13. Configure the second interface:
    - **Name**: `eth1`
    - **Bridge**: `vmbr2`
    - Uncheck **Firewall**.
    - Leave **IPv4** as `Static` with the IP information blank.
    - **IPv6**: `SLAAC`

    Click **Add**.
14. Open the **Console** tab and run the following in the shell (you
    may need to log in to the Teleport CT again). Capture the IPv6
    address:

    ```bash
    ip address show eth1
    ```
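
The steps above drive the Proxmox GUI. As an added example (not part of the runbook and not Proxmox's own tooling), the same container expressed as a `pct create` call so a replacement RMU can be rebuilt identically. Assumptions not in the runbook: the template filename, an 8 GiB root disk on `local-lvm` (the dialog default), and that the root password is read from a file. The script only prints the argument list unless invoked with `apply`, so the command can be reviewed first.

```bash
#!/bin/sh
# Added example, not part of the runbook or of Proxmox: recreates the
# section A container with `pct` instead of the Create CT dialog.
# Assumptions: template filename, a local-lvm root disk of 8 GiB, and a
# password file (the value is briefly visible in `ps` while pct runs).
set -eu

CT_ID=122
TEMPLATE="local:vztmpl/ubuntu-22.04-standard_22.04-1_amd64.tar.zst"  # assumed
ROOTFS="local-lvm:8"                                                  # assumed
LAN_IP="10.10.100.22/24"
LAN_GW="10.10.100.1"

# Section A step 7 requires CIDR notation; refuse a bare address before calling pct.
cidr_ok() {
    case "$1" in
        */[0-9]|*/[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the pct arguments one per line (dc ip gw password-file ssh-key-file)
# so they can be reviewed, then fed to `pct create` with xargs below.
pct_create_args() {
    dc="$1"; ip="$2"; gw="$3"; pwfile="$4"; keyfile="$5"
    cidr_ok "$ip" || { echo "IP must be in CIDR form, e.g. 10.10.100.22/24" >&2; return 1; }
    [ -s "$keyfile" ] || { echo "missing SSH public key file: $keyfile" >&2; return 1; }
    printf '%s\n' \
        "$CT_ID" "$TEMPLATE" \
        --hostname "${dc}-teleport" \
        --unprivileged 1 \
        --rootfs "$ROOTFS" \
        --cores 4 --memory 2048 --swap 2048 \
        --net0 "name=eth0,bridge=vmbr1,ip=${ip},gw=${gw},ip6=auto,firewall=0" \
        --net1 "name=eth1,bridge=vmbr2,ip6=auto,firewall=0" \
        --onboot 1 --start 1 \
        --ssh-public-keys "$keyfile" \
        --password "$(cat "$pwfile")"
}

# Apply only on explicit request, on the Proxmox host:
#   sh create-teleport-ct.sh apply <dc> <password-file> <ssh-key-file>
if [ "${1:-}" = "apply" ]; then
    pct_create_args "$2" "$LAN_IP" "$LAN_GW" "$3" "$4" | tr '\n' '\0' | xargs -0 pct create
fi
```

`ip6=auto` is the CLI spelling of the dialog's **SLAAC** choice, `firewall=0` matches the unticked **Firewall** box, and `--onboot 1 --start 1` cover steps 9 and 11. Step 14 (capturing the `eth1` IPv6 address) is unchanged: run `pct exec 122 -- ip address show eth1` once the container is up.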

## B. Install Teleport software

1. Update the Teleport host. From **RMU** > **122 (teleport)** >
   **Console**, log in with `root` and the password you set when
   creating the container, then run:

   ```bash
   apt update
   apt upgrade -y
   reboot
   ```

2. Log back in to the Teleport server, then create a non-root
   administrator account (replace `admin` with the username you
   prefer):

   ```bash
   useradd -u1000 -U -m -c "Admin" -s /bin/bash admin
   ```

3. Install Teleport. Browse to
   [github.com/gravitational/teleport/releases](https://github.com/gravitational/teleport/releases)
   and find the most recent version tagged **Latest**. Substitute that
   version number into the install command (`-f` makes `curl` fail on
   an HTTP error instead of piping an error page into `bash`):

   ```bash
   apt install curl net-tools -y
   curl -fsSL https://goteleport.com/static/install.sh | bash -s <teleport version>
   ```

4. Configure Teleport. Edit the email address and cluster name to
   your own. The `cluster-name` should match the `teleport.<domain>`
   DNS record you created in
   [Prerequisites](/wiki/rmu-build-prerequisites/#domain-name).
   `--acme` obtains the certificate from Let's Encrypt using the
   TLS-ALPN-01 challenge, so that name must resolve publicly and port
   443 on this container must be reachable from the Internet before
   the service starts:

   ```bash
   teleport configure -o file \
       --acme --acme-email=<email address> \
       --cluster-name=teleport.<domain>
   ```

5. Open `/etc/teleport.yaml` in your editor and adjust:

   - Under `ssh_service:`, add a `labels:` section:

     ```yaml
     labels:
         dc: "<dc>"
         login: "<admin user login>"
     ```

   - Remove the `commands:` section:

     ```yaml
     commands:
       - name: hostname
         command: [hostname]
         period: 1m0s
     ```

   - Save and quit the file.

6. Start the Teleport service:

   ```bash
   systemctl enable teleport
   systemctl start teleport
   ```

7. Create a `teleport` directory in `root`'s home (use the absolute
   path so the step does not depend on the current directory):

   ```bash
   mkdir -p /root/teleport
   ```

8. Create a YAML role file in `/root/teleport/` (you can name the
   file freely; if you change it, also change `metadata.name` to
   match). Replace `<admin>` in `logins:` with your administrator
   username. This role is deliberately broad: it allows login as
   `root`, grants passwordless `sudo` on every joined node, and
   exposes every registered app. If a team should only reach one
   site, narrow `node_labels` and `app_labels` to `dc: "<dc>"`
   instead of `'*': '*'`.

   `/root/teleport/team.yaml`:

   ```yaml
   kind: role
   version: v7
   metadata:
     name: team
   spec:
     allow:
       # List of logins to try for ssh
       logins: [root, ubuntu, <admin>, '{{internal.logins}}']

       # Allow PFOps access to all nodes (ssh)
       node_labels:
         '*': '*'

       # Automatic sudoers entry upon login
       host_sudoers:
       - 'ALL=(ALL) NOPASSWD: ALL'

       # Allow PFOps to access all Apps (web, etc)
       app_labels:
         '*': '*'

       # Future K8S stuff
       kubernetes_groups: ['{{internal.kubernetes_groups}}']
       kubernetes_labels:
         '*': '*'
       kubernetes_resources:
         - kind: '*'
           namespace: '*'
           name: '*'
           verbs: ['*']
   ```

9. Import the role into the Teleport server:

   ```bash
   tctl create -f /root/teleport/team.yaml
   ```

10. Create the users. `--ttl=24h` sets how long each invitation link
    stays valid; list every username on the `for` line:

    ```bash
    for USER in <username> <username> <username> <username>; do
      tctl users add --roles=team --ttl=24h ${USER}
    done
    ```

    The command produces a URL for every user listed. Each user
    clicks their link, sets a password, and configures multi-factor
    authentication by scanning the QR code with an MFA app.
11. Once a user completes setup they are taken to the Teleport home
    screen.
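
Step 3 above (and the identical agent install in section C) pipes a script fetched over HTTPS straight into `bash`. The script below is an added example, not part of the runbook and not Teleport's installer, showing the download-inspect-run form a practitioner would use instead: it refuses an empty file or an HTML error page, requires a shebang, and optionally compares the installer against a SHA-256 digest recorded on the first host so the RMU runs byte-for-byte the same script as the Teleport CT. The installer URL is the one the runbook uses; the digest argument and the `installer_check` function are this example's own.

```bash
#!/bin/sh
# Added example, not part of the runbook or of Teleport: replaces
# `curl ... | bash` with download, inspect, optional pin, then run.
# Assumption: the sha256 printed on the first host is passed as $2 on
# the next host so both run the same installer bytes.
set -eu

INSTALLER_URL="https://goteleport.com/static/install.sh"

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Sanity-check a downloaded installer before it is ever executed.
# Returns 0 if it looks like a shell script and, when a digest is
# given, matches it; non-zero otherwise.
installer_check() {
    f="$1"; expected="${2:-}"
    [ -s "$f" ] || { echo "installer is empty" >&2; return 1; }
    if grep -qi '<html' "$f"; then
        echo "got an HTML page, not a script" >&2; return 1
    fi
    case "$(head -n1 "$f")" in
        '#!'*) ;;
        *) echo "no shebang: not a script" >&2; return 1 ;;
    esac
    if [ -n "$expected" ]; then
        actual=$(sha256_of "$f")
        [ "$actual" = "$expected" ] || { echo "digest mismatch: $actual" >&2; return 1; }
    fi
    return 0
}

# Download with -f so an HTTP error never produces a bogus file, check,
# print the digest to record for the next host, then run the installer.
install_teleport() {
    version="$1"; expected="${2:-}"
    tmp=$(mktemp)
    curl -fsSL -o "$tmp" "$INSTALLER_URL"
    installer_check "$tmp" "$expected"
    echo "installer sha256: $(sha256_of "$tmp")"
    bash "$tmp" "$version"
    rm -f "$tmp"
}

# Usage (as root on the Teleport CT, with sudo on the RMU):
#   sh install-teleport.sh <teleport version> [<sha256 from first host>]
if [ "$#" -ge 1 ]; then
    install_teleport "$@"
fi
```

Run it as `root` on the Teleport container, note the printed digest, then run `sudo sh install-teleport.sh <version> <digest>` on the RMU in section C step 2; a mismatch means the two hosts fetched different installers and is worth investigating before anything is executed.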

## C. Share RMU services via Teleport

Reference video:
[Sharing services via Teleport](https://www.youtube.com/watch?v=cvW4b96aPL0).

> [!TIP]
> Use Proxmox to open separate shell windows for the Teleport server
> and the RMU server — it makes copy/paste between them easier.

### On the Teleport server

1. Create a short-lived token to "invite" the Proxmox application.
   Edit `<dc>` for your data center code:

   ```bash
   sudo tctl tokens add \
       --type=app,node \
       --app-name=<dc>-proxmox-webui \
       --app-uri=https://localhost:8006
   ```

   Take note of the `token` and `ca_pin` values. The token is a secret
   with a short expiry (30 minutes by default), so use it on the RMU
   promptly; the `ca_pin` is the SHA-256 fingerprint of the cluster CA
   that lets the agent verify it is joining your auth server and not
   an impostor, so copy it exactly.

### On the RMU server

1. Install pre-requisite packages:

   ```bash
   apt update -y && apt upgrade -y && apt install sudo -y
   ```

2. Install the Teleport agent. Use the same Teleport version you
   installed earlier. `sudo` must apply to `bash`, not to `curl`: with
   `sudo curl ... | bash` the installer itself runs as the unprivileged
   user and fails:

   ```bash
   curl -fsSL https://goteleport.com/static/install.sh | sudo bash -s <Teleport Version>
   ```

3. Create the Teleport application config. Point `--proxy` at your
   Teleport domain name and replace `<dc>` in `--app-name` with your
   data center code (for example `tp1`, `bu1`, `dl1`):

   ```bash
   sudo teleport configure --output=file \
       --proxy=teleport.<domain name>:443 \
       --token=/var/lib/teleport/token \
       --roles=app,node \
       --app-name=<dc>-proxmox-webui \
       --app-uri=https://localhost:8006
   ```

4. Save the token generated on the Teleport server. The agent reads
   this file and `ca_pin` as `root`, so keep both root-owned with mode
   `0600`:
   ```bash
   sudo vi /var/lib/teleport/token
   ```

5. Save the `ca_pin` generated on the Teleport server:

   ```bash
   sudo vi /var/lib/teleport/ca_pin
   ```

6. Edit `/etc/teleport.yaml` to update the `ca_pin` resource and
   labels:

   ```bash
   sudo vi /etc/teleport.yaml
   ```

   - Set the `ca_pin` resource path to `/var/lib/teleport/ca_pin`.
   - Under `ssh_service:`, at the same indentation as
     `enabled: "yes"`, add:

     ```yaml
     labels:
       dc: "<dc>"
       login: "root"
     ```

   - Remove the `commands:` section:

     ```yaml
     commands:
       - name: hostname
         command: [hostname]
         period: 1m0s
     ```

   - Under `name: <dc>-proxmox-webui`, change `insecure_skip_verify:`
     to `true` and, at the same indentation, add the label below.
     Skipping verification is needed because Proxmox serves a
     self-signed certificate on port 8006; the unverified hop is only
     the loopback connection from the agent to Proxmox, while browser
     traffic to Teleport itself stays fully verified. If you later
     install a CA-issued certificate on Proxmox, set this back to
     `false`.

     ```yaml
     labels:
       dc: "<dc>"
     ```

   Sample `/etc/teleport.yaml` (the keys under `- name:` are indented
   two spaces; deeper indentation is a YAML error and the agent will
   not start):

   ```yaml
   version: v3
   teleport:
     nodename: rmu
     data_dir: /var/lib/teleport
     join_params:
       token_name: /var/lib/teleport/token
       method: token
     proxy_server: teleport.<domain>:443
     log:
       output: stderr
       severity: INFO
       format:
         output: text
     ca_pin: /var/lib/teleport/ca_pin
     diag_addr: ""
   auth_service:
     enabled: "no"
   ssh_service:
     enabled: "yes"
     labels:
       dc: "<dc>"
       login: "root"
   proxy_service:
     enabled: "no"
     https_keypairs: []
     https_keypairs_reload_interval: 0s
     acme: {}
   app_service:
     enabled: "yes"
     debug_app: false
     apps:
     - name: <dc>-proxmox-webui
       uri: https://localhost:8006
       public_addr: ""
       insecure_skip_verify: true
       labels:
         dc: "<dc>"
   ```

7. Add Teleport to `/etc/hosts`:

   ```bash
   sudo vi /etc/hosts
   ```

   Add an entry of:

   ```text
   10.10.100.22 teleport.<domain>
   ```

   This matches the entry created in
   [Prerequisites — Domain Name](/wiki/rmu-build-prerequisites/#domain-name).

   Save and quit.

8. Start the Teleport agent:

   ```bash
   sudo systemctl enable teleport
   sudo systemctl start teleport
   ```

## D. Teleport notes

These reference notes cover Teleport upkeep and access control.

### Fat clients

[Download and install Teleport Community Edition](https://goteleport.com/download/#install-links).

### Reference doc for access controls

[Access Controls Reference Documentation](https://goteleport.com/docs/access-controls/reference/).

### Notes

- To see all apps and SSH connections, a user must have the `access`
  role.
- If you ever lock yourself out with a bad role update, run
  `tctl edit user/username` as `root` on the Teleport server.

### Process for version upgrades

[Upgrading the Teleport Binary](https://goteleport.com/docs/management/admin/upgrading-the-teleport-binary/).

- Visit
  [github.com/gravitational/teleport/releases](https://github.com/gravitational/teleport/releases)
  to find the latest *release* version to feed to the
  `curl | bash` command.

### Teleport token types

[Join Services with a Secure Token](https://goteleport.com/docs/agents/join-services-to-your-cluster/join-token/#supported-token-types).

### Teleport signal reference

[Teleport Signals Reference](https://goteleport.com/docs/reference/signals/).

### Adding additional user attributes and traits

User traits and roles can be imported via a YAML resource:

```yaml
kind: user
version: v2
metadata:
  name: showard
spec:
  roles: ['admin','pfops']
  traits:
    logins: ['maas']
    kubernetes_groups: ['edit']
---
```

## Continue

Proceed to [Create Proxmox CT for MaaS](/wiki/rmu-build-maas/#a-create-proxmox-ct).

## Related

- [RMU build — Gen-1.5](/wiki/gen-1-to-gen-1-5-rmu-build/) — the parent runbook index.
- [RMU Build: Proxmox Setup](/wiki/rmu-build-proxmox/) — the previous section.
- [RMU Build: MaaS Setup](/wiki/rmu-build-maas/) — the next section.
