Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.21.0 < 8.0.0
- , , ,
Start using this module
Add this module to your Puppetfile:
mod 'andeman-opnsense', '1.0.0'Learn more about managing modules with a PuppetfileDocumentation
opnsense
Table of Contents
Description
The opnsense module configures OPNsense firewalls with custom types and providers.
It allows administrators to manage an OPNsense firewall directly via the sysutils/puppet-agent opnsense plugin and/or manage multiple firewalls from a bastion host running a puppet-agent with opn-cli installed.
Setup
OPNsense firewall
If you want to manage your firewall directly with a puppet-agent running on the device.
Requirements
- OPNsense plugin: sysutils/puppet-agent
Install requirements
Menu->Firmware->Plugins
Install Plugin: sysutils/puppet-agent
Bastion host
If you want a bastion hosts running a puppet-agent which could manage multiple firewalls via https API calls.
Requirements
- opn-cli
- puppetlabs/resource_api (puppet < 6.0)
Install requirements
$packages = [
'python3',
'python3-pip',
]
$pip_packages = [
'opn-cli',
]
package { $packages:
ensure => present,
}
-> package { $pip_packages:
ensure => latest,
provider => 'pip3',
}
Usage
Creating the device
If you want to manage an OPNsense Firewall, you need to supply credentials and connection information for the device.
For each device you want to mange create an opnsense_device type:
opnsense_device { 'opnsense.example.com':
url => 'https://opnsense.example.com/api',
api_key => 'your_api_key',
api_secret => Sensitive('your_api_secret'),
timeout => 60,
ssl_verify => true,
ca => '/path/to/ca.pem',
ensure => 'present',
}
To create an api_key and api_secret see: https://docs.opnsense.org/development/how-tos/api.html#creating-keys.
If you want to use ssl verification (recommended):
To download the default self-signed cert, open the OPNsense web gui and go to System->Trust->Certificates. Search for the name: "Web GUI SSL certificate" and press the "export user cert" button.
If you use a ca signed certificate, go to System->Trust->Authorities and press the "export CA cert" button to download the ca.
Save the cert or ca and make sure the puppet agent is able to read it.
Configure your OPNsense Firewall
If you have at least one configured opnsense_device, you could start to use other puppet types to manage the device.
In the following example we use the opnsense_plugin type to manage the installed plugins on the opnsense device "opnsense.example.com":
opnsense_plugin { 'os-helloworld':
device => 'opnsense.example.com',
ensure => 'present',
}
See Reference.md for all available puppet types to manage your OPNsense firewall.
Reference
Types and providers are documented in REFERENCE.md.
Limitations
For an extensive list of supported operating systems, see metadata.json
CI/CD
CI/CD is done via Github Actions.
Development
Install the you following requirements if you need alocal development environment:
Create the local development environment
scripts/create_test_env
Running unit tests
Unit testing uses pdk
scripts/unit_tests
Running acceptance tests
Acceptance testing uses puppet litmus.
scripts/acceptance_tests
Teardown
scripts/remove_test_env
Contributing
Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.
All contributions must pass all existing tests, new features should provide additional unit/acceptance tests.
Reference
Table of Contents
Resource types
opnsense_device: Manage an OPNsense device access.opnsense_plugin: Manage installed opnsense plugins
Resource types
opnsense_device
This type provides Puppet with the capabilities to manage OPNSense device access data.
Examples
opnsense_device { 'opnsense.example.com':
url => 'https://opnsense.example.com/api',
api_key => 'your_api_key',
api_secret => Sensitive('your_api_secret'),
timeout => 60,
ssl_verify => true,
ca => '/path/to/ca.pem',
ensure => 'present',
}
Properties
The following properties are available in the opnsense_device type.
api_key
Data type: String
The api key from the generated key/secret pair.
api_secret
Data type: Sensitive[String]
The api secret from the generated key/secret pair.
ca
Data type: Optional[String]
The path to the ca bundle file for ssl verification.
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
ssl_verify
Data type: Boolean
The timeout for API calls in seconds.
Default value: true
timeout
Data type: Integer
The timeout for API calls in seconds.
Default value: 60
url
Data type: String
The api url of the OPNsense device.
Parameters
The following parameters are available in the opnsense_device type.
name
namevar
Data type: Pattern[/\A[0-9A-Za-z.-]+/]
*this data type contains a regex that may not be accurately reflected in generated documentation
The name of the OPNsense device you want to manage.
opnsense_plugin
This type provides Puppet with the capabilities to manage opnsense plugins.
Examples
opnsense_plugin { 'os-acme-client':
device => 'opnsense.example.com'
ensure => 'present',
}
Properties
The following properties are available in the opnsense_plugin type.
ensure
Data type: Enum[present, absent]
Whether this plugin should be present or absent on the opnsense device.
Default value: present
Parameters
The following parameters are available in the opnsense_plugin type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the plugin you want to manage.
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v1.0.0 (2021-06-17)
Added
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/resource_api (>= 1.0.0 < 2.0.0)
BSD 2-Clause License Copyright (c) 2021, Andreas Stürz All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.