Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x, 2019.7.x, 2019.5.x, 2019.4.x, 2019.3.x, 2019.2.x, 2019.1.x, 2019.0.x
- Puppet >= 6.0.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'andeman-opnsense', '2.3.0'
opnsense
Module description
The opnsense module configures OPNsense firewalls.
It allows administrators to manage an OPNsense firewall directly via the sysutils/puppet-agent opnsense plugin and/or manage multiple firewalls from a bastion host running a puppet-agent with opn-cli installed.
The main goal of the module is to enable GitOps for your network security policies. Developers can submit pull requests for new firewall rules and load balancer configurations, the network or ops team can review them and deploy them to a pre-production environment for testing and verification, and if everything passes you can deploy them to production.
You can automate the following with the module:
- plugins
- firewall aliases
- firewall rules
- haproxy servers
- haproxy backends
- haproxy frontends
- prometheus nodeexporter
- syslog destinations
- static routes
Setup
OPNsense firewall
Use this setup if you want to manage your firewall directly with a puppet-agent running on the device.
Requirements
OPNsense plugins:
- sysutils/puppet-agent
- os-firewall for managing firewall rules
- os-haproxy for managing haproxy rules
Install requirements
Menu->Firmware->Plugins
Install plugin: sysutils/puppet-agent
Bastion host
Use this setup if you want a bastion host running a puppet-agent that manages multiple firewalls via HTTPS API calls.
Requirements
- opn-cli >= 1.6.0
Install requirements
$packages = [
  'python3',
  'python3-pip',
]
$pip_packages = [
  'opn-cli',
]
package { $packages:
  ensure => present,
}
-> package { $pip_packages:
  ensure   => latest,
  provider => 'pip3',
}
Access to the OPNsense api
If you want to manage an OPNsense firewall, you need to supply credentials and connection information for the device.
To create an api_key and api_secret see: https://docs.opnsense.org/development/how-tos/api.html#creating-keys.
If you want to use ssl verification (recommended):
To download the default self-signed cert, open the OPNsense web gui and go to System->Trust->Certificates. Search for the name: "Web GUI SSL certificate" and press the "export user cert" button.
If you use a ca signed certificate, go to System->Trust->Authorities and press the "export CA cert" button to download the ca.
Save the cert or ca and make sure the puppet agent is able to read it.
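The following manifest is an added example (it is not part of the module's README) that puts the pieces of this section together: the API key and secret come from Hiera instead of being written into the manifest, the secret is wrapped in Sensitive so it does not end up in catalog diffs, reports or logs, and the exported CA is written by the module itself (manage_ca, ca_file, ca_content) so opn-cli verifies the firewall's certificate instead of disabling verification. The Hiera keys profile::opnsense::* are assumed names, and it is assumed that the devices hash passes api_secret through to the opnsense_device type unchanged.

```puppet
# Added example: credentials from Hiera, firewall CA pinned via the module's own manage_ca.
# The profile::opnsense::* keys are assumed Hiera keys (encrypt the secret with hiera-eyaml).
$fw_api_key    = lookup('profile::opnsense::api_key')
$fw_api_secret = lookup('profile::opnsense::api_secret')
$fw_ca_pem     = lookup('profile::opnsense::ca_pem')   # PEM exported from System->Trust->Authorities

class { 'opnsense':
  # Write the exported CA to ca_file so opn-cli verifies the web GUI certificate
  # against it rather than against the system trust store (use_system_ca => false).
  manage_ca     => true,
  use_system_ca => false,
  ca_file       => '/root/.opn-cli/ca.pem',
  ca_content    => $fw_ca_pem,
  devices       => {
    'opnsense.example.com' => {
      'url'        => 'https://opnsense.example.com/api',
      'api_key'    => $fw_api_key,
      # Sensitive keeps the secret out of reports and agent logs.
      'api_secret' => Sensitive($fw_api_secret),
      # Never set ssl_verify => false to work around a self-signed GUI cert; pin the CA instead.
      'ssl_verify' => true,
      'ca'         => '/root/.opn-cli/ca.pem',
      'timeout'    => 60,
      'ensure'     => 'present',
    },
  },
}
```

The CA file and the opn-cli config directory should only be readable by the account the puppet-agent runs as; the key pair grants the same rights as the OPNsense user it was created for, so create it for a dedicated, least-privileged API user rather than root.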
Usage
Install and enable opnsense
include opnsense
Configure OPNsense firewall(s)
You can manage multiple opnsense firewalls with this module.
In the following example a single OPNsense firewall running a puppet agent is managed. With manage_resources => true it also collects the configuration that clients export via exported resources:
# node: opnsense.example.com
class { 'opnsense':
  manage_resources => true,
  devices          => {
    'opnsense.example.com' => {
      'url'        => 'https://127.0.0.1/api',
      'api_key'    => 'your_api_key',
      'api_secret' => 'your_api_secret',
      'ssl_verify' => true,
      'timeout'    => 60,
      'ca'         => '~/.opn-cli/ca.pem',
      'plugins'    => {
        'os-helloworld' => {}
      },
      nodeexporter => {
        enabled        => true,
        listen_address => '192.168.1.1',
        listen_port    => '9200',
        cpu            => false,
        exec           => false,
        filesystem     => false,
        loadavg        => false,
        meminfo        => false,
        netdev         => false,
        time           => false,
        devstat        => false,
        interrupts     => true,
        ntp            => true,
        zfs            => true,
      },
      "ensure" => "present"
    }
  },
  firewall => {
    aliases => {
      'my_http_ports_local' => {
        'devices'     => ['opnsense.example.com'],
        'type'        => 'port',
        'content'     => ['80', '443'],
        'description' => 'example local http ports',
        'enabled'     => true,
        'ensure'      => present
      },
    },
    rules => {
      'allow all from lan' => {
        'devices'   => ['opnsense.example.com'],
        'sequence'  => '1',
        'action'    => 'pass',
        'interface' => ['lan']
      }
    }
  },
  syslog => {
    destinations => {
      'syslogger 1' => {
        devices     => ['opnsense.example.com'],
        enabled     => true,
        transport   => 'tcp4',
        program     => 'ntp,ntpdate',
        level       => ['crit', 'alert', 'emerg'],
        facility    => ['ntp'],
        hostname    => 'syslog.example.com',
        certificate => '',
        port        => '10514',
        rfc5424     => true,
        ensure      => present,
      },
    },
  },
  route => {
    static => {
      'static route 1' => {
        devices  => ['opnsense.example.com'],
        network  => '10.0.0.98/24',
        gateway  => 'WAN_DHCP',
        disabled => false,
        ensure   => 'present',
      },
    },
  },
  haproxy => {
    servers => {
      "server1" => {
        "devices"     => ["opnsense.example.com"],
        "description" => "first local server",
        "address"     => "127.0.0.1",
        "port"        => "8091",
      },
      "server2" => {
        "devices"     => ["opnsense.example.com"],
        "description" => "second local server",
        "address"     => "127.0.0.1",
        "port"        => "8092",
      },
    },
    backends => {
      "localhost_backend" => {
        "devices"        => ["opnsense.example.com"],
        "description"    => "local server backend",
        "mode"           => "http",
        "linked_servers" => ["server1", "server2"],
      }
    },
    frontends => {
      "localhost_frontend" => {
        "devices"         => ["opnsense.example.com"],
        "description"     => "local frontend",
        "bind"            => "127.0.0.1:8090",
        "ssl_enabled"     => false,
        "default_backend" => "localhost_backend",
      }
    },
  },
}
Configure a client to export firewall aliases and rules
This feature uses exported resources. You need to enable catalog storage and searching (storeconfigs) on your primary puppet server.
Here the client (client1.example.com) is exporting its security configuration to the firewall (opnsense.example.com) defined above:
# node: client1.example.com
class { 'opnsense::client::firewall':
  aliases => {
    'client1_example_com' => {
      'devices'     => ['opnsense.example.com'],
      'type'        => 'host',
      'content'     => ['client1.example.com'],
      'description' => 'client.example.com alias',
      'enabled'     => true,
      'ensure'      => present
    },
  },
  rules => {
    'allow https from lan to client1.example.com' => {
      'devices'          => ['opnsense.example.com'],
      'sequence'         => '100',
      'action'           => 'pass',
      'interface'        => ['lan'],
      'protocol'         => 'TCP',
      'destination_net'  => 'client1_example_com',
      'destination_port' => 'https',
      'ensure'           => present
    },
  }
}
Configure a client to export haproxy server, backends and frontends
This feature uses exported resources. You need to enable catalog storage and searching (storeconfigs) on your primary puppet server.
Here the client (client1.example.com) is exporting its haproxy configuration to the firewall (opnsense.example.com) defined above:
# node: client1.example.com
class { 'opnsense::client::haproxy':
  servers => {
    "client1.example.com" => {
      "devices"     => ["opnsense.example.com"],
      "description" => "client test server",
      "address"     => "client1.example.com",
      "port"        => "443",
      "enabled"     => true,
    },
  },
  backends => {
    "web_backend" => {
      "devices"        => ["opnsense.example.com"],
      "description"    => "test backend",
      "mode"           => "http",
      "linked_servers" => ["server1", "server2"],
      "enabled"        => false,
    }
  },
  frontends => {
    "web_frontend" => {
      "devices"         => ["opnsense.example.com"],
      "description"     => "test frontend",
      "bind"            => "127.0.0.1:9000",
      "ssl_enabled"     => false,
      "default_backend" => "localhost_backend",
      "enabled"         => true,
    }
  },
}
Dealing with self-signed certificates
When connecting to the OPNsense API, this module will tell opn-cli to use the system-wide installed CA certificates to verify the SSL connection. However, this will only work when using a valid certificate for the OPNsense WebUI.
If the OPNsense WebUI still uses the pre-installed self-signed certificate, then it is possible to use the OPNsense CA certificate for SSL verification:
class { 'opnsense':
  use_system_ca => false,
  ca_file       => '/root/.opn-cli/ca.pem',
  ca_content    => '-----BEGIN CERTIFICATE-----
AAAAAABBBBBBBBBCCCCCCCCCCDDDDDDDDDDDEEEEEEEEEEEFFFFFFFFFGGGGGGGG
-----END CERTIFICATE-----'
}
The OPNsense CA certificate can be downloaded from System: Trust: Authorities on the OPNsense firewall.
More examples
You find more examples in the examples folder.
Reference
Types and providers are documented in REFERENCE.md.
Limitations
For an extensive list of supported operating systems, see metadata.json
CI/CD
CI/CD is done via Github Actions.
Development
You need to install the following requirements to set up the local development environment:
Create the local development environment
scripts/create_test_env
Running unit tests
Unit testing uses pdk
scripts/unit_tests
Running acceptance tests
Acceptance testing uses puppet litmus.
scripts/acceptance_tests
Teardown
scripts/remove_test_env
Release module to Puppet Forge
Prepare
First prepare the release with:
./scripts/release_prep
This will set the version in metadata.json, create REFERENCE.md and CHANGELOG.md.
Commit and push
Then commit the changes and push them to the repository.
Configure GitHub Actions secrets
https://github.com/andeman/puppet-opnsense/settings/secrets/actions
Ensure that the following secrets are set in the github repository:
- FORGE_API_KEY (your puppet forge api key)
Contributing
Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.
All contributions must pass all existing tests, new features should provide additional unit/acceptance tests.
Release Notes
See Changelog.
Reference
Table of Contents
Classes
- opnsense: Automate opnsense firewalls
- opnsense::client::firewall: Use exported resources to collect firewall configurations from clients.
- opnsense::client::haproxy: Use exported resources to collect haproxy configurations from clients.
Resource types
- opnsense_device: Manage an OPNsense device access.
- opnsense_firewall_alias: Manage opnsense firewall aliases.
- opnsense_firewall_rule: Manage opnsense firewall rules.
- opnsense_haproxy_backend: Manage opnsense haproxy backends.
- opnsense_haproxy_frontend: Manage opnsense haproxy frontends.
- opnsense_haproxy_server: Manage opnsense haproxy servers.
- opnsense_nodeexporter_config: Manage opnsense prometheus nodeexporter config.
- opnsense_plugin: Manage installed opnsense plugins.
- opnsense_route_static: Manage opnsense static routes.
- opnsense_syslog_destination: Manage opnsense syslog destinations.
Classes
opnsense
Automate opnsense firewalls
Examples
class { 'opnsense':
  devices => {
    "localhost" => {
      "url"        => 'https://127.0.0.1/api',
      "api_key"    => '3T7LyQbZSXC/WN56qL0LyvLweNICeiTOzZ2JifNAvlrL+BW8Yvx7WSAUS4xvmLM/BE7xVVtv0Mv2QwNm',
      "api_secret" => '2mxXt++o5Mmte3sfNJsYxlm18M2t/wAGIAHwmWoe8qc15T5wUrejJQUd/sfXSGnAG2Xk2gqMf8FzHpT2',
      "ssl_verify" => true,
      "timeout"    => 60,
      "ca"         => '~/.opn-cli/ca.pem',
      "plugins"    => {
        "os-helloworld" => {}
      },
      nodeexporter => {
        enabled        => false,
        listen_address => '0.0.0.0',
        listen_port    => '9100',
        cpu            => true,
        exec           => true,
        filesystem     => true,
        loadavg        => true,
        meminfo        => true,
        netdev         => true,
        time           => true,
        devstat        => true,
        interrupts     => false,
        ntp            => false,
        zfs            => false,
      },
      ensure => "present"
    }
  },
  syslog => {
    destinations => {
      'syslogger 1' => {
        devices     => ['localhost'],
        enabled     => true,
        transport   => 'tcp4',
        program     => 'ntp,ntpdate',
        level       => ['crit', 'alert', 'emerg'],
        facility    => ['ntp'],
        hostname    => 'syslog.example.com',
        certificate => '',
        port        => '514',
        rfc5424     => true,
        ensure      => present,
      },
    },
  },
  route => {
    static => {
      # a hash may only contain one 'ensure' key; the duplicate 'absent' entry was dropped
      'static route 1' => {
        network  => '10.0.0.98/24',
        gateway  => 'WAN_DHCP',
        disabled => false,
        ensure   => 'present',
        devices  => ['opnsense.remote.com'],
      },
    },
  },
  firewall => {
    aliases => {
      "my_http_ports_local" => {
        "devices"     => ["localhost"],
        "type"        => "port",
        "content"     => ["80", "443"],
        "description" => "example local http ports",
        "enabled"     => true,
        "ensure"      => present
      },
    },
    rules => {
      "allow all from lan and wan" => {
        "devices"   => ["localhost"],
        "sequence"  => "1",
        "action"    => "pass",
        "interface" => ["lan", "wan"],
        "ensure"    => present
      }
    }
  },
  haproxy => {
    servers => {
      "server1" => {
        "devices"     => ["localhost"],
        "description" => "first local server",
        "address"     => "127.0.0.1",
        "port"        => "8091",
      },
      "server2" => {
        "devices"     => ["localhost"],
        "description" => "second local server",
        "address"     => "127.0.0.1",
        "port"        => "8092",
      },
    },
    backends => {
      "localhost_backend" => {
        "devices"        => ["localhost"],
        "description"    => "local server backend",
        "mode"           => "http",
        "linked_servers" => ["server1", "server2"],
      }
    },
    frontends => {
      "localhost_frontend" => {
        "devices"          => ["localhost"],
        "description"      => "local frontend",
        "bind"             => "127.0.0.1:8090",
        "ssl_enabled"      => true,
        "ssl_certificates" => ["60cc4641eb577"],
        "default_backend"  => "localhost_backend",
      }
    },
  }
}
Parameters
The following parameters are available in the opnsense class:
- devices
- api_manager_prefix
- manage_resources
- required_plugins
- syslog
- route
- firewall
- haproxy
- manage_ca
- ca_content
- ca_file
- use_system_ca
- system_ca_file
- opncli_configdir
devices
Data type: Hash
The devices that will be managed by this class.
api_manager_prefix
Data type: String
Prefix that will be added to the description fields for non exported resource items
manage_resources
Data type: Boolean
When true, the class uses exported resources (stored in something like PuppetDB); for this to work you need to configure 'storeconfigs' on the puppet server. The default is false, as not everyone has this enabled.
required_plugins
Data type: Hash
The required opnsense plugins to support all features.
syslog
Data type: Hash
Configure opnsense syslog.
route
Data type: Hash
Configure opnsense routing.
firewall
Data type: Hash
Configure the opnsense firewall.
haproxy
Data type: Hash
Configure the opnsense haproxy loadbalancer.
manage_ca
Data type: Boolean
When true, the CA file used by opn-cli will be managed to ensure that the communication to the OPNsense API is possible.
ca_content
Data type: Optional[String]
A string containing a CA certificate that should be written to the file specified in $ca_file.
ca_file
Data type: Stdlib::Absolutepath
The absolute path to the CA file that should be used by opn-cli.
use_system_ca
Data type: Boolean
This instructs opn-cli to use the system-wide installed CA certificates when verifying the connection to the OPNsense API.
system_ca_file
Data type: Stdlib::Absolutepath
The absolute path to the system-wide CA certificate file.
opncli_configdir
Data type: Stdlib::Absolutepath
The config directory used by opn-cli.
opnsense::client::firewall
This will create resources for firewall configurations into puppetdb for automatically configuring them on one or more opnsense firewall.
Examples
class { 'opnsense::client::firewall':
  aliases => {
    "my_http_ports_from_client" => {
      "devices"     => ["localhost"],
      "type"        => "port",
      "content"     => ["80", "443"],
      "description" => "example local http ports",
      "enabled"     => true,
      "ensure"      => present
    },
  },
  rules => {
    "allow all from lan and wan" => {
      "devices"   => ["localhost"],
      "sequence"  => "1",
      "action"    => "pass",
      "interface" => ["lan", "wan"],
      "ensure"    => present
    }
  }
}
Parameters
The following parameters are available in the opnsense::client::firewall class:
aliases
Data type: Hash
Firewall aliases that are associated with this client.
rules
Data type: Hash
Firewall rules that are associated with this client.
opnsense::client::haproxy
This will create resources for haproxy configurations into puppetdb for automatically configuring them on one or more opnsense firewall.
Examples
class { 'opnsense::client::haproxy':
  servers => {
    "server1" => {
      "devices"     => ["localhost"],
      "description" => "first local server",
      "address"     => "127.0.0.1",
      "port"        => "8091",
    },
    "server2" => {
      "devices"     => ["localhost"],
      "description" => "second local server",
      "address"     => "127.0.0.1",
      "port"        => "8092",
    },
  },
  backends => {
    "localhost_backend" => {
      "devices"        => ["localhost"],
      "description"    => "local server backend",
      "mode"           => "http",
      "linked_servers" => ["server1", "server2"],
    }
  },
  frontends => {
    "localhost_frontend" => {
      "devices"          => ["localhost"],
      "description"      => "local frontend",
      "bind"             => "127.0.0.1:8090",
      "ssl_enabled"      => true,
      "ssl_certificates" => ["60cc4641eb577"],
      "default_backend"  => "localhost_backend",
    }
  },
}
Parameters
The following parameters are available in the opnsense::client::haproxy class:
servers
Data type: Hash
HaProxy servers that are associated with this client.
backends
Data type: Hash
HaProxy backends that are associated with this client.
frontends
Data type: Hash
HaProxy frontends that are associated with this client.
Resource types
opnsense_device
This type provides Puppet with the capabilities to manage OPNSense device access data.
Examples
opnsense_device { 'opnsense.example.com':
  url        => 'https://opnsense.example.com/api',
  api_key    => 'your_api_key',
  api_secret => Sensitive('your_api_secret'),
  timeout    => 60,
  ssl_verify => true,
  ca         => '/path/to/ca.pem',
  ensure     => 'present',
}
Properties
The following properties are available in the opnsense_device type.
api_key
Data type: String
The api key from the generated key/secret pair.
api_secret
Data type: Sensitive[String]
The api secret from the generated key/secret pair.
ca
Data type: Optional[String]
The path to the ca bundle file for ssl verification.
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
ssl_verify
Data type: Boolean
Whether to verify the SSL certificate of the OPNsense API.
Default value: true
timeout
Data type: Integer
The timeout for API calls in seconds.
Default value: 60
url
Data type: String
The api url of the OPNsense device.
Parameters
The following parameters are available in the opnsense_device type.
name
namevar
Data type: Pattern[/\A[0-9A-Za-z.-]+/]
*this data type contains a regex that may not be accurately reflected in generated documentation
The name of the OPNsense device you want to manage.
opnsense_firewall_alias
This type provides Puppet with the capabilities to manage opnsense firewall aliases.
Examples
opnsense_firewall_alias { 'hosts_alias':
  device      => 'opnsense-test.device.com',
  type        => 'host',
  content     => ['10.0.0.1', '!10.0.0.5'],
  description => 'Some hosts',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'network_alias':
  device      => 'opnsense-test.device.com',
  type        => 'network',
  content     => ['192.168.1.0/24', '!192.168.1.128/25'],
  description => 'Some networks',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'ports_alias':
  device      => 'opnsense-test.device.com',
  type        => 'port',
  content     => ['80', '443'],
  description => 'Some ports',
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'url_alias':
  device      => 'opnsense-test.device.com',
  type        => 'url',
  content     => ['https://www.spamhaus.org/drop/drop.txt', 'https://www.spamhaus.org/drop/edrop.txt'],
  description => 'spamhaus fetched once.',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'url_table_alias':
  device      => 'opnsense-test.device.com',
  type        => 'urltable',
  content     => ['https://www.spamhaus.org/drop/drop.txt', 'https://www.spamhaus.org/drop/edrop.txt'],
  description => 'Spamhaus block list',
  updatefreq  => 0.5,
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'geoip_alias':
  device      => 'opnsense-test.device.com',
  type        => 'geoip',
  content     => ['DE', 'GR'],
  description => 'Only german and greek IPv4 and IPV6 addresses',
  proto       => "IPv4,IPv6",
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'networkgroup_alias':
  device      => 'opnsense-test.device.com',
  type        => 'networkgroup',
  content     => ['hosts_alias', 'network_alias'],
  description => 'Combine different network aliases into one',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'mac_alias':
  device      => 'opnsense-test.device.com',
  type        => 'mac',
  content     => ['f4:90:ea', '0c:4d:e9:b1:05:f0'],
  description => 'MAC address or partial mac addresses',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
opnsense_firewall_alias { 'external_alias':
  device      => 'opnsense-test.device.com',
  type        => 'external',
  description => 'Externally managed alias, this only handles the placeholder.',
  proto       => "IPv4",
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}
Properties
The following properties are available in the opnsense_firewall_alias type.
content
Data type: Array[String]
The content of the firewall alias.
Default value: []
counters
Data type: Optional[Variant[Enum[""], Boolean]]
Enable or disable pfTable statistics for the firewall alias.
description
Data type: String
The description of the firewall alias.
enabled
Data type: Optional[Variant[Enum[""], Boolean]]
Enable or disable the firewall alias.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
proto
Data type: Optional[Enum["", "IPv4", "IPv6", "IPv4,IPv6"]]
The ip protocol which should be used by the firewall alias.
Default value: ''
type
Data type: Enum["host", "network", "port", "url", "urltable", "geoip", "networkgroup", "mac", "external"]
The type of the firewall alias.
updatefreq
Data type: Variant[Enum[""], Numeric]
How often should the alias be updated in days.
Default value: 0
Parameters
The following parameters are available in the opnsense_firewall_alias type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the firewall alias you want to manage.
opnsense_firewall_rule
This type provides Puppet with the capabilities to manage opnsense firewall rules.
See also: https://docs.opnsense.org/manual/firewall.html
Examples
opnsense_firewall_rule { 'minimal example - use description as resource title':
  device    => 'opnsense-test.device.com',
  sequence  => '1',
  action    => 'pass',
  interface => ['lan', 'wan'],
  ensure    => 'present',
}
opnsense_firewall_rule { 'full example - use description as resource title':
  device           => 'opnsense-test.device.com',
  sequence         => '2',
  action           => 'pass',
  direction        => 'in',
  ipprotocol       => 'inet',
  interface        => ['lan', 'wan'],
  source_net       => 'any',
  source_port      => '',
  source_not       => false,
  protocol         => 'any',
  destination_net  => 'any',
  destination_port => '',
  destination_not  => false,
  gateway          => '',
  quick            => true,
  log              => false,
  enabled          => true,
  ensure           => 'present',
}
Properties
The following properties are available in the opnsense_firewall_rule type.
action
Data type: Enum["pass", "block", "reject"]
Choose what to do with packets that match the criteria specified.
destination_net
Data type: String
The destination eg. any, ip address, network or alias.
Default value: any
destination_not
Data type: Boolean
Use this option to invert the sense of the match for the destination.
destination_port
Data type: String
Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash.
Default value: ''
direction
Data type: Enum["in", "out"]
Direction of the traffic.
Default value: in
enabled
Data type: Boolean
Enable or disable this rule.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
gateway
Data type: String
Leave as default to use the system routing table. Or choose a gateway to utilize policy based routing.
Default value: ''
interface
Data type: Array[String]
The network interface(s).
ipprotocol
Data type: Enum["inet", "inet6"]
IP Version
Default value: inet
log
Data type: Boolean
Log packets that are handled by this rule.
protocol
Data type: Enum[ 'any', 'ICMP', 'IGMP', 'GGP', 'IPENCAP', 'ST2', 'TCP', 'CBT', 'EGP', 'IGP', 'BBN-RCC', 'NVP', 'PUP', 'ARGUS', 'EMCON', 'XNET', 'CHAOS', 'UDP', 'MUX', 'DCN', 'HMP', 'PRM', 'XNS-IDP', 'TRUNK-1', 'TRUNK-2', 'LEAF-1', 'LEAF-2', 'RDP', 'IRTP', 'ISO-TP4', 'NETBLT', 'MFE-NSP', 'MERIT-INP', 'DCCP', '3PC', 'IDPR', 'XTP', 'DDP', 'IDPR-CMTP', 'TP++', 'IL', 'IPV6', 'SDRP', 'IDRP', 'RSVP', 'GRE', 'DSR', 'BNA', 'ESP', 'AH', 'I-NLSP', 'SWIPE', 'NARP', 'MOBILE', 'TLSP', 'SKIP', 'IPV6-ICMP', 'CFTP', 'SAT-EXPAK', 'KRYPTOLAN', 'RVD', 'IPPC', 'SAT-MON', 'VISA', 'IPCV', 'CPNX', 'CPHB', 'WSN', 'PVP', 'BR-SAT-MON', 'SUN-ND', 'WB-MON', 'WB-EXPAK', 'ISO-IP', 'VMTP', 'SECURE-VMTP', 'VINES', 'TTP', 'NSFNET-IGP', 'DGP', 'TCF', 'EIGRP', 'OSPF', 'SPRITE-RPC', 'LARP', 'MTP', 'AX.25', 'IPIP', 'MICP', 'SCC-SP', 'ETHERIP', 'ENCAP', 'GMTP', 'IFMP', 'PNNI', 'PIM', 'ARIS', 'SCPS', 'QNX', 'A/N', 'IPCOMP', 'SNP', 'COMPAQ-PEER', 'IPX-IN-IP', 'CARP', 'PGM', 'L2TP', 'DDX', 'IATP', 'STP', 'SRP', 'UTI', 'SMP', 'SM', 'PTP', 'ISIS', 'CRTP', 'CRUDP', 'SPS', 'PIPE', 'SCTP', 'FC', 'RSVP-E2E-IGNORE', 'UDPLITE', 'MPLS-IN-IP', 'MANET', 'HIP', 'SHIM6', 'WESP', 'ROHC', 'PFSYNC', 'DIVERT' ]
The Protocol that is used.
Default value: any
quick
Data type: Boolean
If a packet matches a rule specifying quick, then that rule is considered the last matching rule.
Default value: true
sequence
Data type: String
The sequence number of this rule.
source_net
Data type: String
The source eg. any, ip address, network or alias.
Default value: any
source_not
Data type: Boolean
Use this option to invert the sense of the match for the source.
source_port
Data type: String
Source port number or well known name (imap, imaps, http, https, ...), for ranges use a dash.
Default value: ''
uuid
Data type: Optional[String]
The uuid of the rule.
Parameters
The following parameters are available in the opnsense_firewall_rule type.
description
namevar
Data type: String
The rule description.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
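As an added example (not taken from the module's reference), the following manifest combines the properties listed above into a small allow-list policy: an alias for the web servers, a rule that passes only HTTPS to that alias and logs the matches, and a catch-all block rule with a higher sequence number so everything not explicitly allowed is dropped and logged. Rules are evaluated in sequence order and quick makes the first match final, which is why the pass rule carries the lower sequence. The device name, addresses and credentials are constructed placeholders, and the explicit require relationships are used because it is not assumed that the types autorequire each other.

```puppet
# Added example: allow-list policy on the lan interface of a constructed device.
opnsense_device { 'opnsense.example.com':
  url        => 'https://opnsense.example.com/api',
  api_key    => 'your_api_key',               # placeholder
  api_secret => Sensitive('your_api_secret'), # placeholder, keep it out of reports
  ssl_verify => true,
  ca         => '/root/.opn-cli/ca.pem',
  ensure     => 'present',
}

# Rules reference the alias by name, so address changes happen in one place.
opnsense_firewall_alias { 'web_servers':
  device      => 'opnsense.example.com',
  type        => 'host',
  content     => ['192.0.2.10', '192.0.2.11'],   # constructed documentation addresses
  description => 'web servers reachable from the lan',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
  require     => Opnsense_device['opnsense.example.com'],
}

# Lowest sequence plus quick => true: only TCP/443 to the alias is passed, and logged.
opnsense_firewall_rule { 'lan: allow https to web_servers':
  device           => 'opnsense.example.com',
  sequence         => '10',
  action           => 'pass',
  direction        => 'in',
  ipprotocol       => 'inet',
  interface        => ['lan'],
  protocol         => 'TCP',
  source_net       => 'any',
  destination_net  => 'web_servers',
  destination_port => 'https',
  quick            => true,
  log              => true,
  enabled          => true,
  ensure           => 'present',
  require          => Opnsense_firewall_alias['web_servers'],
}

# Catch-all with a high sequence: anything the pass rule did not match is blocked and logged,
# so removing or disabling the pass rule fails closed instead of open.
opnsense_firewall_rule { 'lan: block and log everything else':
  device          => 'opnsense.example.com',
  sequence        => '900',
  action          => 'block',
  direction       => 'in',
  ipprotocol      => 'inet',
  interface       => ['lan'],
  protocol        => 'any',
  source_net      => 'any',
  destination_net => 'any',
  quick           => true,
  log             => true,
  enabled         => true,
  ensure          => 'present',
  require         => Opnsense_device['opnsense.example.com'],
}
```

Keep in mind that such a catch-all also blocks management access arriving on the lan interface unless that traffic is passed explicitly by a lower-sequence rule; review the logged block entries after the first run to catch flows you forgot to allow.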
opnsense_haproxy_backend
This type provides Puppet with the capabilities to manage haproxy backends
Examples
opnsense_haproxy_backend { 'webserver_pool':
  device                           => 'opnsense-test.device.com',
  enabled                          => true,
  description                      => 'backend for webserver',
  mode                             => 'http',
  algorithm                        => 'source',
  random_draws                     => '2',
  proxy_protocol                   => '',
  linked_servers                   => [],
  linked_resolver                  => '',
  resolver_opts                    => [],
  resolve_prefer                   => '',
  source                           => '',
  health_check_enabled             => true,
  health_check                     => '',
  health_check_log_status          => false,
  check_interval                   => '',
  check_down_interval              => '',
  health_check_fall                => '',
  health_check_rise                => '',
  linked_mailer                    => '',
  http2_enabled                    => false,
  http2_enabled_nontls             => false,
  ba_advertised_protocols          => ['h2', 'http11'],
  persistence                      => 'sticktable',
  persistence_cookiemode           => 'piggyback',
  persistence_cookiename           => 'SRVCOOKIE',
  persistence_stripquotes          => false,
  stickiness_pattern               => 'sourceipv4',
  stickiness_data_types            => [],
  stickiness_expire                => '30m',
  stickiness_size                  => '50k',
  stickiness_cookiename            => '',
  stickiness_cookielength          => '',
  stickiness_conn_rate_period      => '10s',
  stickiness_sess_rate_period      => '10s',
  stickiness_http_req_rate_period  => '10s',
  stickiness_http_err_rate_period  => '10s',
  stickiness_bytes_in_rate_period  => '1m',
  stickiness_bytes_out_rate_period => '1m',
  basic_auth_enabled               => false,
  basic_auth_users                 => [],
  basic_auth_groups                => [],
  tuning_timeout_connect           => '',
  tuning_timeout_check             => '',
  tuning_timeout_server            => '',
  tuning_retries                   => '',
  custom_options                   => '',
  tuning_defaultserver             => '',
  tuning_noport                    => false,
  tuning_httpreuse                 => 'safe',
  tuning_caching                   => false,
  linked_actions                   => [],
  linked_errorfiles                => [],
  ensure                           => 'present',
}
Properties
The following properties are available in the opnsense_haproxy_backend type.
algorithm
Data type: Enum['source', 'roundrobin', 'static-rr', 'leastconn', 'uri', 'random']
Define the load balancing algorithm to be used in a backend pool.
Default value: source
ba_advertised_protocols
Data type: Array[String]
The protocols advertised to clients via ALPN (for example h2 and http11).
Default value: ["h2"]
basic_auth_enabled
Data type: Boolean
Enable HTTP basic authentication.
basic_auth_groups
Data type: Array[String]
Specify the uuids of the basic auth groups for this backend.
Default value: []
basic_auth_users
Data type: Array[String]
Specify the uuids of the basic auth users for this backend.
Default value: []
check_down_interval
Data type: Optional[String]
Sets the interval (in ms) for running health checks on a configured server when the server state is DOWN
check_interval
Data type: Optional[String]
Sets the interval (in ms) for running health checks on all configured servers.
custom_options
Data type: Optional[String]
These lines will be added to the HAProxy backend configuration.
description
Data type: String
The backend description.
enabled
Data type: Boolean
Enable or disable this backend.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
health_check
Data type: Optional[String]
Specify the uuid of the health check for servers in this backend.
health_check_enabled
Data type: Boolean
Enable or disable health checking.
Default value: true
health_check_fall
Data type: Optional[String]
The number of consecutive unsuccessful health checks before a server is considered as unavailable.
health_check_log_status
Data type: Boolean
Enable to log health check status updates.
health_check_rise
Data type: Optional[String]
The number of consecutive successful health checks before a server is considered as available.
http2_enabled
Data type: Boolean
Enable support for end-to-end HTTP/2 communication.
http2_enabled_nontls
Data type: Boolean
Enable support for HTTP/2 even if TLS is not enabled.
linked_actions
Data type: Array[String]
Specify the uuids of the rules to be included in this backend.
Default value: []
linked_errorfiles
Data type: Array[String]
Specify the uuids of the error messages to be included in this backend.
Default value: []
linked_mailer
Data type: Optional[String]
Specify the uuid of the e-mail alert configuration linked to this backend.
linked_resolver
Data type: Optional[String]
Specify the uuid of the custom resolver configuration that should be used for all servers in this backend.
linked_servers
Data type: Array[String]
Specify the uuids of the servers linked to this backend.
Default value: []
mode
Data type: Enum['http', 'tcp']
Set the running mode or protocol of the backend pool.
Default value: http
persistence
Data type: Enum['', 'sticktable', 'cookie']
Choose how HAProxy should track user-to-server mappings.
Default value: sticktable
persistence_cookiemode
Data type: Enum['piggyback', 'new']
Cookie mode to use for persistence.
Default value: piggyback
persistence_cookiename
Data type: String
Cookie name to use for persistence.
Default value: SRVCOOKIE
persistence_stripquotes
Data type: Boolean
Enable to automatically strip quotes from the cookie value.
Default value: true
proxy_protocol
Data type: Enum['', 'v1', 'v2']
Enforces use of the PROXY protocol over any connection established to the configured servers.
Default value: ''
random_draws
Data type: String
When using the Random Balancing Algorithm, this value indicates the number of draws.
Default value: 2
resolve_prefer
Data type: Enum['', 'ipv4', 'ipv6']
When DNS resolution is enabled and multiple IP addresses from different families are returned use this.
Default value: ''
resolver_opts
Data type: Array[String]
Add resolver options.
Default value: []
source
Data type: Optional[String]
Sets the source address which will be used when connecting to the server(s).
stickiness_bytes_in_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 1m
stickiness_bytes_out_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 1m
stickiness_conn_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
stickiness_cookielength
Data type: Optional[String]
The maximum number of characters that will be stored in the stick table.
stickiness_cookiename
Data type: Optional[String]
Cookie name to use for stick table.
stickiness_data_types
Data type: Array[Enum[ '', 'conn_cnt', 'conn_cur', 'conn_rate', 'sess_cnt', 'sess_rate', 'http_req_cnt', 'http_req_rate', 'http_err_cnt', 'http_err_rate', 'bytes_in_cnt', 'bytes_in_rate', 'bytes_out_cnt', 'bytes_out_rate' ]]
This is used to store additional information in the stick-table.
Default value: []
stickiness_expire
Data type: String
The maximum duration of an entry in the stick table. Valid suffixes d, h, m, s, ms.
Default value: 30m
stickiness_http_err_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_http_req_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_pattern
Data type: Enum['', 'sourceipv4', 'sourceipv6', 'cookievalue', 'rdpcookie']
Choose a request pattern to associate a user to a server.
Default value: sourceipv4
stickiness_sess_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_size
Data type: String
The maximum number of entries that can fit in the stick table. Valid suffixes k, m, g.
Default value: 50k
tuning_caching
Data type: Boolean
Enable caching of responses from this backend.
tuning_defaultserver
Data type: Optional[String]
Default option for all server entries.
tuning_httpreuse
Data type: Enum['', 'never', 'safe', 'aggressive', 'always']
Declare how idle HTTP connections to the servers may be shared between requests.
Default value: safe
tuning_noport
Data type: Boolean
Don't use the port configured on the server; use the same port the frontend receives on.
tuning_retries
Data type: Optional[String]
Set the number of retries to perform on a server after a connection failure.
tuning_timeout_check
Data type: Optional[String]
Sets an additional read timeout for running health checks on a server. Valid suffixes d, h, m, s, ms, us.
tuning_timeout_connect
Data type: Optional[String]
Set the maximum time to wait for a connection attempt to a server to succeed. Valid suffixes d, h, m, s, ms, us.
tuning_timeout_server
Data type: Optional[String]
Set the maximum inactivity time on the server side. Valid suffixes d, h, m, s, ms, us.
uuid
Data type: Optional[String]
The uuid of the backend.
Parameters
The following parameters are available in the opnsense_haproxy_backend type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the resource you want to manage.
opnsense_haproxy_frontend
This type provides Puppet with the capabilities to manage opnsense haproxy frontends.
Examples
opnsense_haproxy_frontend { 'webserver_frontend':
device => 'opnsense-test.device.com',
enabled => true,
description => 'frontend for webserver',
bind => '127.0.0.1:8080',
bind_options => '',
mode => 'http',
default_backend => '',
ssl_enabled => true,
ssl_certificates => ['60cc4641eb577', '5eba6f0f352e3'],
ssl_default_certificate => '60cc4641eb577',
ssl_custom_options => '',
ssl_advanced_enabled => true,
ssl_bind_options => ['prefer-client-ciphers'],
ssl_min_version => 'TLSv1.2',
ssl_max_version => '',
ssl_cipher_list => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256',
ssl_cipher_suites => 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
ssl_hsts_enabled => false,
ssl_hsts_include_sub_domains => false,
ssl_hsts_preload => false,
ssl_hsts_max_age => '15768000',
ssl_client_auth_enabled => false,
ssl_client_auth_verify => 'required',
ssl_client_auth_cas => [],
ssl_client_auth_crls => [],
basic_auth_enabled => false,
basic_auth_users => [],
basic_auth_groups => [],
tuning_max_connections => '',
tuning_timeout_client => '',
tuning_timeout_http_req => '',
tuning_timeout_http_keep_alive => '',
linked_cpu_affinity_rules => [],
logging_dont_log_null => false,
logging_dont_log_normal => false,
logging_log_separate_errors => false,
logging_detailed_log => true,
logging_socket_stats => false,
stickiness_pattern => '',
stickiness_data_types => [''],
stickiness_expire => '30m',
stickiness_size => '50k',
stickiness_counter => true,
stickiness_counter_key => 'src',
stickiness_length => '',
stickiness_conn_rate_period => '10s',
stickiness_sess_rate_period => '10s',
stickiness_http_req_rate_period => '10s',
stickiness_http_err_rate_period => '10s',
stickiness_bytes_in_rate_period => '1m',
stickiness_bytes_out_rate_period => '1m',
http2_enabled => false,
http2_enabled_nontls => false,
advertised_protocols => ['h2', 'http11'],
forward_for => false,
connection_behaviour => 'http-keep-alive',
custom_options => '',
linked_actions => [],
linked_errorfiles => [],
ensure => 'present',
}
Properties
The following properties are available in the opnsense_haproxy_frontend type.
advertised_protocols
Data type: Array[Enum['', 'h2', 'http11', 'http10']]
When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN.
Default value: ["h2"]
basic_auth_enabled
Data type: Boolean
Enable HTTP Basic Authentication.
basic_auth_groups
Data type: Array[String]
Specify the uuids of the basic auth groups for this frontend.
Default value: []
basic_auth_users
Data type: Array[String]
Specify the uuids of the basic auth users for this frontend.
Default value: []
bind
Data type: String
Configure listen addresses for this public service, e.g. 127.0.0.1:8080.
bind_options
Data type: Optional[String]
A list of parameters that will be appended to every Listen Address line, e.g. accept-proxy npn http/1.1.
connection_behaviour
Data type: Enum['http-keep-alive', 'httpclose', 'http-server-close']
The HAProxy connection behaviour.
Default value: http-keep-alive
custom_options
Data type: String
These lines will be added to the HAProxy frontend configuration.
Default value: ''
default_backend
Data type: String
Set the default backend pool to use for this public service.
Default value: ''
description
Data type: String
The frontend description.
enabled
Data type: Boolean
Enable or disable this frontend.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
forward_for
Data type: Boolean
Enable insertion of the X-Forwarded-For header to requests sent to servers.
http2_enabled
Data type: Boolean
Enable support for HTTP/2.
http2_enabled_nontls
Data type: Boolean
Enable support for HTTP/2 even if TLS (SSL offloading) is not enabled.
linked_actions
Data type: Array[String]
Choose uuid of rules to be included in this public service.
Default value: []
linked_cpu_affinity_rules
Data type: Array[String]
Choose CPU affinity rules that should be applied to this public service.
Default value: []
linked_errorfiles
Data type: Array[String]
Choose uuid of error messages to be included in this public service.
Default value: []
logging_detailed_log
Data type: Boolean
Enable or disable verbose logging. Each log line turns into a much richer format.
logging_dont_log_normal
Data type: Boolean
Enable or disable logging of normal, successful connections.
logging_dont_log_null
Data type: Boolean
Enable or disable logging of connections with no data.
logging_log_separate_errors
Data type: Boolean
Allow HAProxy to automatically raise log level for non-completely successful connections to aid debugging.
logging_socket_stats
Data type: Boolean
Enable or disable collecting & providing separate statistics for each socket.
mode
Data type: Enum['http', 'ssl', 'tcp']
Set the running mode or protocol for this public service.
Default value: http
ssl_advanced_enabled
Data type: Boolean
Enable or disable advanced SSL settings.
ssl_bind_options
Data type: Array[Enum[ '', 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'no-tlsv13', 'no-tls-tickets', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', 'force-tlsv13', 'prefer-client-ciphers', 'strict-sni' ]]
Used to enforce or disable certain SSL options.
Default value: ["prefer-client-ciphers"]
ssl_certificates
Data type: Array[String]
Select certificates to use for SSL offloading.
Default value: []
ssl_cipher_list
Data type: String
The default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake up to TLSv1.2.
Default value: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
ssl_cipher_suites
Data type: String
The default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.
Default value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
ssl_client_auth_cas
Data type: Array[String]
Select CA certificates to use for client certificate authentication.
Default value: []
ssl_client_auth_crls
Data type: Array[String]
Select CRLs to use for client certificate authentication.
Default value: []
ssl_client_auth_enabled
Data type: Boolean
Enable client certificate authentication.
ssl_client_auth_verify
Data type: Enum['', 'none', 'optional', 'required']
If set to 'optional' or 'required', a client certificate is requested.
Default value: required
ssl_custom_options
Data type: String
Pass additional SSL parameters to the HAProxy configuration.
Default value: ''
ssl_default_certificate
Data type: String
This certificate will be presented if no SNI is provided by the client, or if the client provides an SNI hostname which does not match any certificate.
Default value: ''
ssl_enabled
Data type: Boolean
Enable SSL offloading.
ssl_hsts_enabled
Data type: Boolean
Enable HTTP Strict Transport Security.
Default value: true
ssl_hsts_include_sub_domains
Data type: Boolean
Enable or disable whether all present and future subdomains must also use HTTPS (HSTS includeSubDomains).
ssl_hsts_max_age
Data type: String
Future requests to the domain should use only HTTPS for the specified time (in seconds).
Default value: 15768000
ssl_hsts_preload
Data type: Boolean
Enable if you would like this domain to be included in the HSTS preload list.
ssl_max_version
Data type: Enum['', 'SSLv3', 'TLSv1.0', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
Sets the maximum SSL/TLS protocol version HAProxy will negotiate; leave empty for no upper limit.
Default value: ''
ssl_min_version
Data type: Enum['', 'SSLv3', 'TLSv1.0', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
Sets the minimum SSL/TLS protocol version HAProxy will negotiate; older protocol versions are refused.
Default value: TLSv1.2
stickiness_bytes_in_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 1m
stickiness_bytes_out_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 1m
stickiness_conn_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_counter
Data type: Boolean
Enable to be able to retrieve values from sticky counters.
Default value: true
stickiness_counter_key
Data type: String
Describes which elements of the incoming request or connection will be analyzed, extracted, combined, and used to select the table entry whose counters are updated.
Default value: src
stickiness_data_types
Data type: Array[Enum[ '', 'conn_cnt', 'conn_cur', 'conn_rate', 'sess_cnt', 'sess_rate', 'http_req_cnt', 'http_req_rate', 'http_err_cnt', 'http_err_rate', 'bytes_in_cnt', 'bytes_in_rate', 'bytes_out_cnt', 'bytes_out_rate' ]]
This is used to store additional information in the stick-table.
Default value: []
stickiness_expire
Data type: String
This configures the maximum duration of an entry in the stick-table since it was last created, refreshed or matched. Valid suffixes d, h, m, s, ms.
Default value: 30m
stickiness_http_err_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_http_req_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_length
Data type: String
Specify the maximum length for a value in the stick-table.
Default value: ''
stickiness_pattern
Data type: Enum['', 'ipv4', 'ipv6', 'integer', 'string', 'binary']
Choose the type of data that should be stored in this stick-table.
Default value: ''
stickiness_sess_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us.
Default value: 10s
stickiness_size
Data type: String
This configures the maximum number of entries that can fit in the table. Valid suffixes k, m, g.
Default value: 50k
tuning_max_connections
Data type: String
Set the maximum number of concurrent connections for this public service.
Default value: ''
tuning_shards
Data type: String
Creates the specified number of listeners for every IP:port combination and evenly distributes them among available threads.
Default value: ''
tuning_timeout_client
Data type: String
Set the maximum inactivity time on the client side. Defaults to milliseconds. Valid suffixes d, h, m, s, ms, us.
Default value: ''
tuning_timeout_http_keep_alive
Data type: String
Set the maximum allowed time to wait for a new HTTP request to appear. Defaults to milliseconds. Valid suffixes d, h, m, s, ms, us.
Default value: ''
tuning_timeout_http_req
Data type: String
Set the maximum allowed time to wait for a complete HTTP request. Defaults to milliseconds. Valid suffixes d, h, m, s, ms, us.
Default value: ''
uuid
Data type: Optional[String]
The uuid of the frontend.
Parameters
The following parameters are available in the opnsense_haproxy_frontend type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the resource you want to manage.
opnsense_haproxy_server
This type provides Puppet with the capabilities to manage opnsense haproxy servers.
Examples
opnsense_haproxy_server { 'webserver1':
device => 'opnsense-test.device.com',
enabled => true,
description => 'primary webserver',
address => 'webserver1.example.com',
port => '443',
checkport => '80',
mode => 'active',
type => 'static',
service_name => '',
linked_resolver => '',
resolver_opts => ['allow-dup-ip','ignore-weight','prevent-dup-ip'],
resolve_prefer => 'ipv4',
ssl => false,
ssl_verify => true,
ssl_ca => [],
ssl_crl => [],
ssl_client_certificate => '5eba6f0f352e3',
weight => '10',
check_interval => '100',
check_down_interval => '200',
source => '10.0.0.1',
advanced => 'send-proxy',
ensure => 'present',
}
Properties
The following properties are available in the opnsense_haproxy_server type.
address
Data type: String
The FQDN or the IP address of this server.
advanced
Data type: Optional[String]
A list of parameters that will be appended to the server line in every backend where this server is used.
check_down_interval
Data type: Optional[String]
Sets the interval (in milliseconds) for running health checks on the server when the server state is DOWN.
check_interval
Data type: Optional[String]
Sets the interval (in milliseconds) for running health checks on this server.
checkport
Data type: Optional[String]
Provide the TCP communication port to use during check.
description
Data type: String
The server description.
enabled
Data type: Boolean
Enable or disable this server.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
linked_resolver
Data type: Optional[String]
Specify the uuid of the resolver to discover available services via DNS.
mode
Data type: Enum['', 'active', 'backup', 'disabled']
Sets the operation mode to use for this server.
Default value: active
number
Data type: Optional[String]
The number of servers this template initializes, e.g. 5 or 1-5.
port
Data type: String
Provide the TCP or UDP communication port for this server.
resolve_prefer
Data type: Enum['', 'ipv4', 'ipv6']
When DNS resolution is enabled and multiple IP addresses from different families are returned, prefer this address family.
Default value: ''
resolver_opts
Data type: Optional[Array[String]]
Add resolver options.
Default value: []
service_name
Data type: Optional[String]
FQDN for all the servers this template initializes or a service name to discover via DNS SRV records.
source
Data type: Optional[String]
Sets the source address which will be used when connecting to the server.
ssl
Data type: Boolean
Enable or disable SSL communication with this server.
ssl_ca
Data type: Optional[Array[String]]
These CA ids will be used to verify the server's certificate.
Default value: []
ssl_client_certificate
Data type: Optional[String]
This certificate will be sent if the server sends a client certificate request.
ssl_crl
Data type: Optional[Array[String]]
These certificate revocation list ids will be used to verify the server's certificate.
Default value: []
ssl_verify
Data type: Boolean
Enable or disable server SSL certificate verification.
Default value: true
type
Data type: Enum['static', 'template']
Whether this entry is a single static server or a server template that initializes several servers (see number and service_name).
Default value: static
uuid
Data type: Optional[String]
The uuid of the server.
weight
Data type: Optional[String]
Adjust the server's weight relative to other servers.
Parameters
The following parameters are available in the opnsense_haproxy_server type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the resource you want to manage.
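As an added example that is not part of the module's own documentation, the opnsense_haproxy_server and opnsense_haproxy_frontend types described above are combined into one TLS-hardened public service: the frontend terminates TLS with TLSv1.2 as the floor, strict SNI, HSTS and detailed logging, and the server it forwards to is reached over TLS with certificate verification against an internal CA instead of an unverified connection. Only properties documented in this reference are used; the device name, hostnames, addresses and certificate/CA ids are placeholders.

```puppet
# Added example, not code from the andeman-opnsense module.
# Every id and hostname below is a placeholder; replace them with the
# certificate and CA ids from the trust store of your own OPNsense device.
$device      = 'opnsense.example.com'     # placeholder opnsense_device name
$public_cert = 'PLACEHOLDER_PUBLIC_CERT'  # placeholder server certificate id
$internal_ca = 'PLACEHOLDER_INTERNAL_CA'  # placeholder id of the CA that signed the backend certs

# Backend server: reached over TLS, and its certificate is verified against
# the internal CA, so an impostor backend is refused instead of silently served.
opnsense_haproxy_server { 'app1':
  device              => $device,
  enabled             => true,
  description         => 'application server 1',
  address             => 'app1.internal.example.com',  # placeholder hostname
  port                => '8443',
  checkport           => '8443',
  mode                => 'active',
  type                => 'static',
  ssl                 => true,
  ssl_verify          => true,
  ssl_ca              => [$internal_ca],
  ssl_crl             => [],
  weight              => '10',
  check_interval      => '2000',   # milliseconds
  check_down_interval => '5000',   # milliseconds
  ensure              => 'present',
}

# Public service: TLSv1.2 minimum, strict SNI, no session tickets, HSTS on
# including subdomains, and separate error logging so failed handshakes are visible.
opnsense_haproxy_frontend { 'public_https':
  device                       => $device,
  enabled                      => true,
  description                  => 'public HTTPS entry point',
  bind                         => '203.0.113.10:443',  # placeholder address (documentation range)
  mode                         => 'http',
  default_backend              => '',  # set to the uuid of the opnsense_haproxy_backend to use
  ssl_enabled                  => true,
  ssl_certificates             => [$public_cert],
  ssl_default_certificate      => $public_cert,
  ssl_advanced_enabled         => true,
  ssl_min_version              => 'TLSv1.2',
  ssl_max_version              => '',
  ssl_bind_options             => ['prefer-client-ciphers', 'strict-sni', 'no-tls-tickets'],
  ssl_hsts_enabled             => true,
  ssl_hsts_include_sub_domains => true,
  ssl_hsts_preload             => false,
  ssl_hsts_max_age             => '15768000',
  ssl_client_auth_enabled      => false,
  http2_enabled                => true,
  http2_enabled_nontls         => false,
  advertised_protocols         => ['h2', 'http11'],
  forward_for                  => true,
  connection_behaviour         => 'http-keep-alive',
  logging_detailed_log         => true,
  logging_log_separate_errors  => true,
  tuning_timeout_client        => '30s',
  tuning_timeout_http_req      => '10s',
  ensure                       => 'present',
}
```

With ssl_verify set to true the CA ids in ssl_ca must already exist on the device, otherwise health checks against the backend fail closed. The strict-sni bind option makes HAProxy refuse TLS handshakes whose SNI name matches none of the configured certificates, and the short tuning_timeout_http_req limits how long an incomplete request may hold a connection open.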
opnsense_nodeexporter_config
This type provides Puppet with the capabilities to manage opnsense nodeexporter config.
Examples
opnsense_nodeexporter_config { 'opnsense.example.com':
device => 'opnsense.example.com',
enabled => false,
listen_address => '0.0.0.0',
listen_port => '9100',
cpu => true,
exec => true,
filesystem => true,
loadavg => true,
meminfo => true,
netdev => true,
time => true,
devstat => true,
interrupts => false,
ntp => false,
zfs => false,
ensure => 'present',
}
Properties
The following properties are available in the opnsense_nodeexporter_config type.
cpu
Data type: Boolean
Enable or disable the cpu collector.
devstat
Data type: Boolean
Enable or disable the devstat collector.
enabled
Data type: Boolean
Enable or disable the node_exporter plugin.
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
exec
Data type: Boolean
Enable or disable the exec collector.
filesystem
Data type: Boolean
Enable or disable the filesystem collector.
interrupts
Data type: Boolean
Enable or disable the interrupts collector.
listen_address
Data type: String
Set node_exporter's listen address. By default, node_exporter will listen on 0.0.0.0 (all interfaces).
listen_port
Data type: String
Set node_exporter's listen port. By default, node_exporter will listen on port 9100.
loadavg
Data type: Boolean
Enable or disable the loadavg collector.
meminfo
Data type: Boolean
Enable or disable the meminfo collector.
netdev
Data type: Boolean
Enable or disable the netdev collector.
ntp
Data type: Boolean
Enable or disable the ntp collector.
time
Data type: Boolean
Enable or disable the time collector.
zfs
Data type: Boolean
Enable or disable the zfs collector.
Parameters
The following parameters are available in the opnsense_nodeexporter_config type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
opnsense_plugin
This type provides Puppet with the capabilities to manage opnsense plugins.
Examples
opnsense_plugin { 'os-acme-client':
device => 'opnsense.example.com',
ensure => 'present',
}
Properties
The following properties are available in the opnsense_plugin type.
ensure
Data type: Enum[present, absent]
Whether this plugin should be present or absent on the opnsense device.
Default value: present
Parameters
The following parameters are available in the opnsense_plugin type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the plugin you want to manage.
opnsense_route_static
This type provides Puppet with the capabilities to manage opnsense static routes.
Examples
opnsense_route_static { 'example route static':
device => 'opnsense-test.device.com',
network => '10.0.0.98/24',
gateway => 'WAN_DHCP',
disabled => false,
ensure => 'present',
}
Properties
The following properties are available in the opnsense_route_static type.
disabled
Data type: Boolean
Set this option to disable this static route without removing it from the list.
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
gateway
Data type: String
Choose which gateway this route applies to, e.g. Null4 for 127.0.0.1, Null6 for ::1, or see opn-cli route gateway status.
network
Data type: String
Destination network for this static route.
uuid
Data type: Optional[String]
The uuid of the static route.
Parameters
The following parameters are available in the opnsense_route_static type.
descr
namevar
Data type: String
You may enter a description here for your reference (not parsed).
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
opnsense_syslog_destination
This type provides Puppet with the capabilities to manage opnsense syslog destinations.
Examples
opnsense_syslog_destination { 'example syslog destination':
device => 'opnsense-test.device.com',
enabled => true,
transport => 'tls4',
program => 'ntp,ntpdate,ntpd',
level => ['info', 'notice', 'warn', 'err', 'crit', 'alert', 'emerg'],
facility => ['ntp', 'security', 'console'],
hostname => '10.0.0.2',
certificate => '60cc4641eb577',
port => '514',
rfc5424 => true,
ensure => 'present',
}
Properties
The following properties are available in the opnsense_syslog_destination type.
certificate
Data type: String
Transport certificate to use. Please make sure to check the general system log when experiencing issues; error messages can be a bit cryptic from time to time, in which case https://support.oneidentity.com/kb/263658/common-issues-of-tls-encrypted-message-transfer is a good resource for tracking common issues.
enabled
Data type: Boolean
Set this option to enable this destination.
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
facility
Data type: Array[ Enum[ '', 'kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'security', 'console', 'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7' ] ]
Choose which facilities to include, omit to select all.
hostname
Data type: String
The hostname or ip address of the syslog destination.
level
Data type: Array[ Enum['', 'debug', 'info', 'notice', 'warn', 'err', 'crit', 'alert', 'emerg'] ]
Choose which levels to include, omit to select all.
port
Data type: String
The port of the syslog destination.
program
Data type: String
Choose which applications should be forwarded to the specified target, omit to select all.
rfc5424
Data type: Boolean
Use rfc5424 formatted messages for this destination.
transport
Data type: Enum['udp4', 'tcp4', 'udp6', 'tcp6', 'tls4', 'tls6']
Transport protocol.
uuid
Data type: Optional[String]
The uuid of the syslog destination.
Parameters
The following parameters are available in the opnsense_syslog_destination type.
description
namevar
Data type: String
You may enter a description here for your reference.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v2.3.0 (2023-04-18)
Added
v2.2.0 (2023-03-31)
Added
Fixed
v2.1.0 (2023-01-30)
Added
Fixed
- Fix puppet strings generation #21 (andeman)
- change data type + default value of updatefreq to Numeric #14 (fraenki)
v2.0.0 (2021-11-04)
Added
v1.5.0 (2021-08-24)
Added
- add parameters to manage opn-cli CA file #11 (fraenki)
- show error message when opn-cli command fails #10 (andeman)
Fixed
v1.4.0 (2021-08-13)
Added
Fixed
v1.3.0 (2021-08-04)
Added
v1.2.0 (2021-07-23)
Added
v1.1.1 (2021-07-08)
Fixed
v1.1.0 (2021-07-07)
Added
v1.0.0 (2021-06-17)
Added
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs-stdlib (>= 6.0.0 < 9.0.0)
BSD 2-Clause License

Copyright (c) 2021, Andreas Stürz
All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.