Puppet Class: opnsense

Defined in:
manifests/init.pp

Summary

Automate opnsense firewalls

Overview

Automate opnsense firewalls

Examples:

class { 'opnsense':
  devices => {
    "localhost" => {
      "url"        => 'https://127.0.0.1/api',
      "api_key"    => '3T7LyQbZSXC/WN56qL0LyvLweNICeiTOzZ2JifNAvlrL+BW8Yvx7WSAUS4xvmLM/BE7xVVtv0Mv2QwNm',
      "api_secret" => '2mxXt++o5Mmte3sfNJsYxlm18M2t/wAGIAHwmWoe8qc15T5wUrejJQUd/sfXSGnAG2Xk2gqMf8FzHpT2',
      "ssl_verify" => true,
      "timeout"    => 60,
      "ca"         => '~/.opn-cli/ca.pem',
      "plugins"    => {
        "os-helloworld" => {}
      },
      nodeexporter => {
        enabled        => false,
        listen_address => '0.0.0.0',
        listen_port    => '9100',
        cpu            => true,
        exec           => true,
        filesystem     => true,
        loadavg        => true,
        meminfo        => true,
        netdev         => true,
        time           => true,
        devstat        => true,
        interrupts     => false,
        ntp            => false,
        zfs            => false,
      },
      ensure           => "present"
    }
  },
  syslog => {
    destinations => {
      'syslogger 1' => {
        devices     => ['localhost'],
        enabled     => true,
        transport   => 'tcp4',
        program     => 'ntp,ntpdate',
        level       => ['crit', 'alert', 'emerg'],
        facility    => ['ntp'],
        hostname    => 'syslog.example.com',
        certificate => '',
        port        => '514',
        rfc5424     => true,
        ensure      => present,
      },
    },
  },
  route => {
    static => {
      'static route 1' => {
        network   => '10.0.0.98/24',
        gateway   => 'WAN_DHCP',
        disabled  => false,
        ensure    => 'present',
        devices    => ['opnsense.remote.com'],
        ensure     => absent,
      },
    },
  },
  firewall => {
    aliases => {
      "my_http_ports_local" => {
        "devices"     => ["localhost"],
        "type"        => "port",
        "content"     => ["80", "443"],
        "description" => "example local http ports",
        "enabled"     => true,
        "ensure"      => present
      },
    },
    rules  => {
      "allow all from lan and wan" => {
        "devices"   => ["localhost"],
        "sequence"  => "1",
        "action"    => "pass",
        "interface" => ["lan", "wan"],
        "ensure"    => present
      }
    }
  },
  haproxy => {
    servers  => {
      "server1" => {
        "devices"     => ["localhost"],
        "description" => "first local server",
        "address"     => "127.0.0.1",
        "port"        => "8091",
      },
      "server2" => {
        "devices"   => ["localhost"],
        "description" => "second local server",
        "address"     => "127.0.0.1",
        "port"        => "8092",
      },
    },
    backends => {
      "localhost_backend" => {
        "devices"        => ["localhost"],
        "description"    => "local server backend",
        "mode"           => "http",
        "linked_servers" => ["server1", "server2"],
      }
    },
    frontends => {
      "localhost_frontend" => {
        "devices"           => ["localhost"],
        "description"       => "local frontend",
        "bind"              => "127.0.0.1:8090",
        "ssl_enabled"       => true,
        "ssl_certificates"  => ["60cc4641eb577"],
        "default_backend"   => "localhost_backend",
      }
    },
  }
}

Parameters:

  • devices (Hash)

    The devices that wil be managed by this class

  • api_manager_prefix (String)

    Prefix that will be added to the description fields for non exported resource items

  • manage_resources (Boolean)

    When true, it will export resources to something like puppetdb. When set to true, you’ll need to configure ‘storeconfigs’ to make this happen. Default is set to false, as not everyone has this enabled.

  • required_plugins (Hash)

    The required opnsense plugins to support all features.

  • syslog (Hash)

    Configure opnsense syslog.

  • route (Hash)

    Configure opnsense routing.

  • firewall (Hash)

    Configure the opnsense firewall.

  • haproxy (Hash)

    Configured the opnsense haproxy loadbalancer.

  • manage_ca (Boolean)

    When true, the CA file used by opn-cli will be managed to ensure that the communication to the OPNsense API is possible.

  • ca_content (Optional[String])

    A string containing a CA certificate that should be written to the file specified in ‘$ca_file`.

  • ca_file (Stdlib::Absolutepath)

    The absolute path to the CA file that should be used by opn-cli.

  • use_system_ca (Boolean)

    This instructs opn-cli to use the system-wide installed CA certificates when verifying the connection to the OPNsense API.

  • system_ca_file (Stdlib::Absolutepath)

    The absolute path to the system-wide CA certificate file.

  • opncli_configdir (Stdlib::Absolutepath)

    The config directory used by opn-cli.



158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
 
# File 'manifests/init.pp', line 158

class opnsense (
  Hash $devices,
  String $api_manager_prefix,
  Boolean $manage_resources,
  Hash $required_plugins,
  Hash $syslog,
  Hash $route,
  Hash $firewall,
  Hash $haproxy,
  Boolean $manage_ca,
  Stdlib::Absolutepath $ca_file,
  Boolean $use_system_ca,
  Stdlib::Absolutepath $system_ca_file,
  Stdlib::Absolutepath $opncli_configdir,
  Optional[String] $ca_content,
) {
  if $manage_ca {
    file { 'Create opn-cli config directory':
      ensure => directory,
      path   => $opncli_configdir,
    }
    case $use_system_ca {
      true: {
        file { 'Symlink opn-cli CA file to system-wide CA certificates':
          ensure => link,
          path   => $ca_file,
          target => $system_ca_file,
        }
      }
      default: {
        if !empty($ca_content) {
          file { 'Create opn-cli CA file with custom CA content':
            ensure  => file,
            path    => $ca_file,
            content => $ca_content,
          }
        }
      }
    }
  }

  $devices.each |$device_name, $device_conf| {
    # generate devices configurations
    $device_conf_filtered = delete($device_conf, ['plugins', 'nodeexporter'])
    if !empty($device_conf_filtered) {
      opnsense_device { $device_name:
        * => $device_conf_filtered,
      }
    }

    # install required and individual plugins on device
    $device_plugins = if $device_conf['plugins'] { $device_conf['plugins'] } else {{} }
    $plugins_to_install = $device_plugins + $required_plugins
    $plugins_to_install.each |$plugin_name, $plugin_options| {
      opnsense_plugin { $plugin_name:
        device => $device_name,
        *      => $plugin_options,
      }
    }

    # configure nodeexporter on device
    if $device_conf['nodeexporter'] {
      opnsense_nodeexporter_config { $device_name:
        * => $device_conf['nodeexporter'],
      }
    }

    # syslog destinations
    $syslog['destinations'].map |$syslog_dest_name, $syslog_dest_options| {
      if $device_name in $syslog_dest_options['devices'] {
        $syslog_dest_options_filtered = delete($syslog_dest_options, ['devices', 'description'])
        opnsense_syslog_destination { "${syslog_dest_name}@${device_name}":
          description => "${api_manager_prefix}${syslog_dest_name}",
          *           => $syslog_dest_options_filtered,
        }
      }
    }

    # static routes
    $route['static'].map |$route_static_name, $route_static_options| {
      if $device_name in $route_static_options['devices'] {
        $route_static_options_filtered = delete($route_static_options, ['devices', 'descr'])
        opnsense_route_static { "${route_static_name}@${device_name}":
          descr => "${api_manager_prefix}${route_static_name}",
          *     => $route_static_options_filtered,
        }
      }
    }

    # firewall aliases
    $firewall['aliases'].map |$alias_name, $alias_options| {
      if $device_name in $alias_options['devices'] {
        $alias_options_filtered = delete($alias_options, ['devices', 'description'])
        opnsense_firewall_alias { "${alias_name}@${device_name}":
          description => "${api_manager_prefix}${alias_options['description']}",
          *           => $alias_options_filtered,
        }
      }
    }

    # firewall rules
    $firewall['rules'].map |$rule_name, $rule_options| {
      if $device_name in $rule_options['devices'] {
        $rule_options_filtered = delete($rule_options, ['devices'])
        opnsense_firewall_rule { "${api_manager_prefix}${rule_name}@${device_name}":
          * => $rule_options_filtered,
        }
      }
    }

    # haproxy servers
    $haproxy['servers'].map |$server_name, $server_options| {
      if $device_name in $server_options['devices'] {
        $server_options_filtered = delete($server_options, ['devices', 'description'])
        opnsense_haproxy_server { "${server_name}@${device_name}":
          description => "${api_manager_prefix}${server_options['description']}",
          *           => $server_options_filtered,
        }
      }
    }

    # haproxy backends
    $haproxy['backends'].map |$backend_name, $backend_options| {
      if $device_name in $backend_options['devices'] {
        $backend_options_filtered = delete($backend_options, ['devices', 'description'])
        opnsense_haproxy_backend { "${backend_name}@${device_name}":
          description => "${api_manager_prefix}${backend_options['description']}",
          *           => $backend_options_filtered,
        }
      }
    }

    # haproxy frontends
    $haproxy['frontends'].map |$frontend_name, $frontend_options| {
      if $device_name in $frontend_options['devices'] {
        $frontend_options_filtered = delete($frontend_options, ['devices', 'description'])
        opnsense_haproxy_frontend { "${frontend_name}@${device_name}":
          description => "${api_manager_prefix}${frontend_options['description']}",
          *           => $frontend_options_filtered,
        }
      }
    }

    if $manage_resources {
      Opnsense_firewall_alias <<| tag == $device_name |>>
      Opnsense_firewall_rule <<| tag == $device_name |>>
      Opnsense_haproxy_server <<| tag == $device_name |>>
      Opnsense_haproxy_backend <<| tag == $device_name |>>
      Opnsense_haproxy_frontend <<| tag == $device_name |>>
    }
  }
}