Setup
Registration
After installation you need to register (enroll) the server. During enrollment the server generates its SSH keys locally and has its certificates signed by the Tuna API; the private keys stay in the data directory on the host.
tuna-bastion enroll --key <your_enroll_key>
Note: How to obtain the enroll key for server registration is described here.
If not all required flags are given on the command line, an interactive console prompt asks for the missing values:
? Enroll Key (--key) 3678287f-93ea-4ebe-8478-4d9e9f28d95d
? Data directory (--data-dir) /var/lib/tuna-bastion/data
? Listen SSH port (--ssh-port) 993
? Advertise Address (--advertise-address) 1.2.3.4:993
? Hostname (--hostname) server-1
? Labels (--labels) env=testing,region=am,service=ssh
Successfully enrolled node: 688fa3e2-035e-40fb-88e6-2869b6025014
- Enroll Key - used only during registration; it is not stored on the server afterwards.
- Data directory - directory where the SSH keys and certificates will be saved (default /var/lib/tuna-bastion/data). Treat it as sensitive: it holds the node's private keys.
- Listen SSH port - port that the tuna-bastion server will listen on locally. By default we suggest port 993 (IMAPS), as it is usually already open in corporate firewalls.
- Advertise Address - address that will be registered in the API and for which the certificate will be issued. It must be the host:port that clients actually reach the server on (for example the public or NAT address), otherwise the certificate will not match.
- Hostname - server name; it is recorded in the API and in the certificate and cannot be changed after enrollment.
- Labels - server labels. Labels can be used to configure access roles, so anyone who can edit them can influence who gets access; they can be overridden in the config file /etc/tuna-bastion/config.yaml if necessary.
Launch
Enable the service at boot and start it now:
systemctl enable --now --no-block tuna-bastion.service
If everything is fine, the server will show as available in the Tuna API. If it does not, check the server logs:
journalctl -o short -n 100 -f -u tuna-bastion.service
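The registration and launch steps above as one non-interactive script. This is an added example, not part of the tuna-bastion project: it validates every value before anything is sent to the API, calls `tuna-bastion enroll` with the flags shown in the console menu, reads the enroll key from an environment variable instead of typing it on the command line (so it does not end up in shell history), then enables the service and checks that it came up. The helper function names and the environment variables (TUNA_ENROLL_KEY, DATA_DIR, SSH_PORT, ADVERTISE_ADDRESS, NODE_HOSTNAME, LABELS) are this example's own assumptions; only the flag names come from the page.

```shell
#!/bin/sh
# Non-interactive enrollment and start-up for tuna-bastion.
# Added example, not part of the tuna-bastion project. The flag names match the
# console menu in the documentation; the helper functions and the environment
# variables used here are this script's own assumptions.
set -eu

# 0 if the key has the UUID shape the enroll menu shows, else 1.
valid_enroll_key() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$'
}

# 0 if the port is an integer in 1..65535, else 1.
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 0 if the advertise address is host:port with a valid port, else 1.
valid_advertise() {
  adv_host="${1%:*}"
  adv_port="${1##*:}"
  [ -n "$adv_host" ] && [ "$adv_host" != "$1" ] && valid_port "$adv_port"
}

# 0 if labels are a comma-separated list of key=value pairs with non-empty keys.
valid_labels() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_.-]+=[A-Za-z0-9_.-]*(,[A-Za-z0-9_.-]+=[A-Za-z0-9_.-]*)*$'
}

# Validate every enroll parameter before the API is contacted.
# Arguments: key port advertise-address hostname labels
check_enroll_inputs() {
  valid_enroll_key "$1"  || { echo "enroll key is not a UUID" >&2; return 1; }
  valid_port "$2"        || { echo "bad --ssh-port: $2" >&2; return 1; }
  valid_advertise "$3"   || { echo "bad --advertise-address: $3" >&2; return 1; }
  [ -n "$4" ]            || { echo "--hostname must not be empty" >&2; return 1; }
  valid_labels "$5"      || { echo "bad --labels: $5" >&2; return 1; }
}

# Enroll the node, then enable and start the service and confirm it is active.
# The key is taken from the environment so it is not typed into shell history;
# it is still visible in `ps` for the duration of the enroll call.
enroll_and_start() {
  key="${TUNA_ENROLL_KEY:?set TUNA_ENROLL_KEY in the environment}"
  data_dir="${DATA_DIR:-/var/lib/tuna-bastion/data}"
  port="${SSH_PORT:-993}"
  advertise="${ADVERTISE_ADDRESS:?e.g. 1.2.3.4:993}"
  host="${NODE_HOSTNAME:-$(hostname -s)}"
  labels="${LABELS:?e.g. env=testing,region=am,service=ssh}"
  check_enroll_inputs "$key" "$port" "$advertise" "$host" "$labels"
  tuna-bastion enroll --key "$key" --data-dir "$data_dir" --ssh-port "$port" \
    --advertise-address "$advertise" --hostname "$host" --labels "$labels"
  systemctl enable --now --no-block tuna-bastion.service
  systemctl is-active tuna-bastion.service \
    || journalctl -o short -n 100 --no-pager -u tuna-bastion.service
}

# Only enroll when invoked as `./enroll.sh run`; sourcing the file just defines the functions.
[ "${1:-}" = run ] && enroll_and_start
```

Run it as root on the node with the secrets in the environment, for example `TUNA_ENROLL_KEY=... ADVERTISE_ADDRESS=1.2.3.4:993 LABELS=env=testing,region=am,service=ssh ./enroll.sh run`. Validation happens first, so a typo in the port or labels fails locally instead of producing a node registered under the wrong address; if the service does not report active, the last 100 log lines are printed in place of a silent success.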