#!/bin/bash
set -o nounset
set -o errexit

# Setup teleport auth server config file
LOCAL_IP=`curl http://169.254.169.254/latest/meta-data/local-ipv4`
LOCAL_HOSTNAME=`curl http://169.254.169.254/latest/meta-data/local-hostname`
LOCAL_HOSTNAME=${LOCAL_HOSTNAME//./-}

# Source variables set up by cloudformation template
. /etc/teleport.d/conf

# Set host UUID so auth server picks it up, as each auth server's
# logs are stored in individual folder /var/lib/teleport/log/<host_uuid>/
# and it will be easy to log forwarders to locate them on every auth server
# note though, that host_uuid MUST be unique, otherwise all sorts of unintended
# things will happen.
echo ${LOCAL_HOSTNAME} > /var/lib/teleport/host_uuid
chown -R teleport:adm /var/lib/teleport

if [ "${TELEPORT_ROLE}" = "auth" ]; then
    # Teleport Auth server is using DynamoDB as a backend
    # On AWS, see dynamodb.tf for details
    cat >/etc/teleport.yaml <<EOF
teleport:
  nodename: ${LOCAL_HOSTNAME}
  advertise_ip: ${LOCAL_IP}
  log:
    output: syslog
    severity: INFO

  data_dir: /var/lib/teleport
  storage:
    type: dynamodb
    region: ${EC2_REGION}
    table_name: ${TELEPORT_TABLE_NAME}
    audit_table_name: ${TELEPORT_EVENTS_TABLE_NAME}
    audit_sessions_uri: s3://${TELEPORT_S3_BUCKET}/records

auth_service:
  enabled: yes
  listen_addr: 0.0.0.0:3025

  authentication:
    second_factor: otp
    type: saml

  cluster_name: ${TELEPORT_CLUSTER_NAME}

ssh_service:
  enabled: no

proxy_service:
  enabled: no
EOF

elif [ "${TELEPORT_ROLE}" = "proxy" ]; then
    # Teleport proxy proxies and optionally records
    # SSH sessions
    cat >/etc/teleport.yaml <<EOF
teleport:
  auth_token: /var/lib/teleport/token
  nodename: ${LOCAL_HOSTNAME}
  advertise_ip: ${LOCAL_IP}
  log:
    output: syslog
    severity: INFO

  data_dir: /var/lib/teleport
  storage:
    type: dir
    path: /var/lib/teleport/backend
  auth_servers:
    - ${TELEPORT_AUTH_SERVER_LB}:3025

auth_service:
  enabled: no

ssh_service:
  enabled: no

proxy_service:
  enabled: yes
  listen_addr: 0.0.0.0:3023
  tunnel_listen_addr: 0.0.0.0:3080
  web_listen_addr: 0.0.0.0:3080
  public_addr: ${TELEPORT_DOMAIN_NAME}:443
  https_cert_file: /var/lib/teleport/fullchain.pem
  https_key_file: /var/lib/teleport/privkey.pem
EOF

elif [ "${TELEPORT_ROLE}" = "node" ]; then
    # Teleport proxy proxies and optionally records
    # SSH sessions
    cat >/etc/teleport.yaml <<EOF
teleport:
  auth_token: /var/lib/teleport/token
  nodename: ${LOCAL_HOSTNAME}
  advertise_ip: ${LOCAL_IP}
  log:
    output: syslog
    severity: INFO

  data_dir: /var/lib/teleport
  storage:
    type: dir
    path: /var/lib/teleport/backend
  auth_servers:
    - ${TELEPORT_AUTH_SERVER_LB}:3025

auth_service:
  enabled: no

ssh_service:
  enabled: yes
  listen_addr: 0.0.0.0:3022

proxy_service:
  enabled: no
EOF
    
else
    echo "Unsupported Teleport Role: ${TELEPORT_ROLE}"
    exit 1;
fi
