Classes

opnsense: Automate opnsense firewalls
opnsense::client::firewall: Use exported resources to collect firewall configurations from clients.
opnsense::client::haproxy: Use exported resources to collect haproxy configurations from clients.

Resource types

opnsense_device: Manage OPNsense device access.
opnsense_firewall_alias: Manage opnsense firewall aliases.
opnsense_firewall_rule: Manage opnsense firewall rules.
opnsense_haproxy_backend: Manage opnsense haproxy backends.
opnsense_haproxy_frontend: Manage opnsense haproxy frontends.
opnsense_haproxy_server: Manage opnsense haproxy servers.
opnsense_nodeexporter_config: Manage opnsense prometheus nodeexporter config.
opnsense_plugin: Manage installed opnsense plugins.
opnsense_route_static: Manage opnsense static routes.
opnsense_syslog_destination: Manage opnsense syslog destinations.
Class: opnsense

Automate opnsense firewalls

Example:

class { 'opnsense':
  devices => {
    'localhost' => {
      'url'          => 'https://127.0.0.1/api',
      # Sample key/secret pair; in a real manifest source both from Hiera
      # (eyaml or another secret backend) instead of writing them inline.
      'api_key'      => '3T7LyQbZSXC/WN56qL0LyvLweNICeiTOzZ2JifNAvlrL+BW8Yvx7WSAUS4xvmLM/BE7xVVtv0Mv2QwNm',
      'api_secret'   => '2mxXt++o5Mmte3sfNJsYxlm18M2t/wAGIAHwmWoe8qc15T5wUrejJQUd/sfXSGnAG2Xk2gqMf8FzHpT2',
      'ssl_verify'   => true,
      'timeout'      => 60,
      'ca'           => '~/.opn-cli/ca.pem',
      'plugins'      => {
        'os-helloworld' => {},
      },
      'nodeexporter' => {
        'enabled'        => false,
        'listen_address' => '0.0.0.0',
        'listen_port'    => '9100',
        'cpu'            => true,
        'exec'           => true,
        'filesystem'     => true,
        'loadavg'        => true,
        'meminfo'        => true,
        'netdev'         => true,
        'time'           => true,
        'devstat'        => true,
        'interrupts'     => false,
        'ntp'            => false,
        'zfs'            => false,
      },
      'ensure'       => 'present',
    },
  },
  syslog => {
    destinations => {
      'syslogger 1' => {
        devices     => ['localhost'],
        enabled     => true,
        transport   => 'tcp4',
        program     => 'ntp,ntpdate',
        level       => ['crit', 'alert', 'emerg'],
        facility    => ['ntp'],
        hostname    => 'syslog.example.com',
        certificate => '',
        port        => '514',
        rfc5424     => true,
        ensure      => present,
      },
    },
  },
  route => {
    static => {
      'static route 1' => {
        network  => '10.0.0.98/24',
        gateway  => 'WAN_DHCP',
        disabled => false,
        devices  => ['opnsense.remote.com'],
        # a hash key may appear only once; a second 'ensure' does not compile
        ensure   => 'present',
      },
    },
  },
  firewall => {
    aliases => {
      'my_http_ports_local' => {
        'devices'     => ['localhost'],
        'type'        => 'port',
        'content'     => ['80', '443'],
        'description' => 'example local http ports',
        'enabled'     => true,
        'ensure'      => present,
      },
    },
    rules => {
      'allow all from lan and wan' => {
        'devices'   => ['localhost'],
        'sequence'  => '1',
        'action'    => 'pass',
        'interface' => ['lan', 'wan'],
        'ensure'    => present,
      },
    },
  },
  haproxy => {
    servers => {
      'server1' => {
        'devices'     => ['localhost'],
        'description' => 'first local server',
        'address'     => '127.0.0.1',
        'port'        => '8091',
      },
      'server2' => {
        'devices'     => ['localhost'],
        'description' => 'second local server',
        'address'     => '127.0.0.1',
        'port'        => '8092',
      },
    },
    backends => {
      'localhost_backend' => {
        'devices'        => ['localhost'],
        'description'    => 'local server backend',
        'mode'           => 'http',
        'linked_servers' => ['server1', 'server2'],
      },
    },
    frontends => {
      'localhost_frontend' => {
        'devices'          => ['localhost'],
        'description'      => 'local frontend',
        'bind'             => '127.0.0.1:8090',
        'ssl_enabled'      => true,
        'ssl_certificates' => ['60cc4641eb577'],
        'default_backend'  => 'localhost_backend',
      },
    },
  },
}
The following parameters are available in the opnsense class:

devices
Data type: Hash
The devices that will be managed by this class.

api_manager_prefix
Data type: String
Prefix that will be added to the description fields of items that are not exported resources.

manage_resources
Data type: Boolean
When true, exported resources (stored in something like PuppetDB) are used; this requires 'storeconfigs' to be configured on the Puppet server. Default is false, as not everyone has this enabled.

required_plugins
Data type: Hash
The required opnsense plugins to support all features.

syslog
Data type: Hash
Configure opnsense syslog.

route
Data type: Hash
Configure opnsense routing.

firewall
Data type: Hash
Configure the opnsense firewall.

haproxy
Data type: Hash
Configure the opnsense haproxy load balancer.

manage_ca
Data type: Boolean
When true, the CA file used by opn-cli will be managed to ensure that communication with the OPNsense API is possible.

ca_content
Data type: Optional[String]
A string containing a CA certificate that should be written to the file specified in $ca_file.

ca_file
Data type: Stdlib::Absolutepath
The absolute path to the CA file that should be used by opn-cli.

use_system_ca
Data type: Boolean
This instructs opn-cli to use the system-wide installed CA certificates when verifying the connection to the OPNsense API.

system_ca_file
Data type: Stdlib::Absolutepath
The absolute path to the system-wide CA certificate file.

opncli_configdir
Data type: Stdlib::Absolutepath
The config directory used by opn-cli.
Class: opnsense::client::firewall

This class creates exported resources for firewall configurations in PuppetDB, so that they are applied automatically on one or more opnsense firewalls.

Example:

class { 'opnsense::client::firewall':
  aliases => {
    'my_http_ports_from_client' => {
      'devices'     => ['localhost'],
      'type'        => 'port',
      'content'     => ['80', '443'],
      'description' => 'example local http ports',
      'enabled'     => true,
      'ensure'      => present,
    },
  },
  rules => {
    'allow all from lan and wan' => {
      'devices'   => ['localhost'],
      'sequence'  => '1',
      'action'    => 'pass',
      'interface' => ['lan', 'wan'],
      'ensure'    => present,
    },
  },
}
The following parameters are available in the opnsense::client::firewall class:

aliases
Data type: Hash
Firewall aliases that are associated with this client.

rules
Data type: Hash
Firewall rules that are associated with this client.
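The exported-resource split described for manage_resources and the client classes, as an added example that is not part of the module's own documentation: the client node only declares what it needs, and the node that holds the API credentials collects it. The node names, the device name 'fw01', the alias content and the Hiera keys are assumptions.

```puppet
# Client node: declares the alias and rule it needs on the firewall.
# Nothing on this node talks to the OPNsense API.
node 'web01.example.com' {
  class { 'opnsense::client::firewall':
    aliases => {
      'web01_hosts' => {
        'devices'     => ['fw01'],
        'type'        => 'host',
        'content'     => ['192.0.2.10'],
        'description' => 'web01 public address',
        'enabled'     => true,
        'ensure'      => present,
      },
    },
    rules   => {
      'allow https to web01' => {
        'devices'          => ['fw01'],
        'sequence'         => '100',
        'action'           => 'pass',
        'interface'        => ['wan'],
        'protocol'         => 'TCP',
        'destination_net'  => 'web01_hosts',
        'destination_port' => '443',
        'log'              => true,
        'ensure'           => present,
      },
    },
  }
}

# Management node: owns the API credentials and collects the exported items.
# manage_resources => true requires storeconfigs (PuppetDB) on the Puppet server,
# and the 'devices' entries of the clients must name a device declared here.
node 'opnsense-manager.example.com' {
  class { 'opnsense':
    manage_resources => true,
    devices          => {
      'fw01' => {
        'url'        => 'https://fw01.example.com/api',
        'api_key'    => lookup('profile::opnsense::fw01_api_key'),
        'api_secret' => lookup('profile::opnsense::fw01_api_secret'),
        'ssl_verify' => true,
        'ca'         => '/etc/puppetlabs/opnsense/fw01-ca.pem',
        'ensure'     => 'present',
      },
    },
  }
}
```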
Class: opnsense::client::haproxy

This class creates exported resources for haproxy configurations in PuppetDB, so that they are applied automatically on one or more opnsense firewalls.

Example:

class { 'opnsense::client::haproxy':
  servers   => {
    'server1' => {
      'devices'     => ['localhost'],
      'description' => 'first local server',
      'address'     => '127.0.0.1',
      'port'        => '8091',
    },
    'server2' => {
      'devices'     => ['localhost'],
      'description' => 'second local server',
      'address'     => '127.0.0.1',
      'port'        => '8092',
    },
  },
  backends  => {
    'localhost_backend' => {
      'devices'        => ['localhost'],
      'description'    => 'local server backend',
      'mode'           => 'http',
      'linked_servers' => ['server1', 'server2'],
    },
  },
  frontends => {
    'localhost_frontend' => {
      'devices'          => ['localhost'],
      'description'      => 'local frontend',
      'bind'             => '127.0.0.1:8090',
      'ssl_enabled'      => true,
      'ssl_certificates' => ['60cc4641eb577'],
      'default_backend'  => 'localhost_backend',
    },
  },
}
The following parameters are available in the opnsense::client::haproxy class:

servers
Data type: Hash
HaProxy servers that are associated with this client.

backends
Data type: Hash
HaProxy backends that are associated with this client.

frontends
Data type: Hash
HaProxy frontends that are associated with this client.
Resource type: opnsense_device

This type provides Puppet with the capabilities to manage OPNsense device access data.

Example:

opnsense_device { 'opnsense.example.com':
  url        => 'https://opnsense.example.com/api',
  api_key    => 'your_api_key',
  api_secret => Sensitive('your_api_secret'),
  timeout    => 60,
  ssl_verify => true,
  ca         => '/path/to/ca.pem',
  ensure     => 'present',
}

The following properties are available in the opnsense_device type.

api_key
Data type: String
The api key from the generated key/secret pair.

api_secret
Data type: Sensitive[String]
The api secret from the generated key/secret pair.

ca
Data type: Optional[String]
The path to the ca bundle file for ssl verification.

ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present

ssl_verify
Data type: Boolean
Whether the TLS certificate of the OPNsense API is verified.
Default value: true

timeout
Data type: Integer
The timeout for API calls in seconds.
Default value: 60

url
Data type: String
The api url of the OPNsense device.

The following parameters are available in the opnsense_device type.

name
namevar
Data type: Pattern[/\A[0-9A-Za-z.-]+/]
*this data type contains a regex that may not be accurately reflected in generated documentation
The name of the OPNsense device you want to manage.
Resource type: opnsense_firewall_alias

This type provides Puppet with the capabilities to manage opnsense firewall aliases.

Examples:

opnsense_firewall_alias { 'hosts_alias':
  device      => 'opnsense-test.device.com',
  type        => 'host',
  content     => ['10.0.0.1', '!10.0.0.5'],
  description => 'Some hosts',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'network_alias':
  device      => 'opnsense-test.device.com',
  type        => 'network',
  content     => ['192.168.1.0/24', '!192.168.1.128/25'],
  description => 'Some networks',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'ports_alias':
  device      => 'opnsense-test.device.com',
  type        => 'port',
  content     => ['80', '443'],
  description => 'Some ports',
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'url_alias':
  device      => 'opnsense-test.device.com',
  type        => 'url',
  content     => ['https://www.spamhaus.org/drop/drop.txt', 'https://www.spamhaus.org/drop/edrop.txt'],
  description => 'spamhaus fetched once.',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'url_table_alias':
  device      => 'opnsense-test.device.com',
  type        => 'urltable',
  content     => ['https://www.spamhaus.org/drop/drop.txt', 'https://www.spamhaus.org/drop/edrop.txt'],
  description => 'Spamhaus block list',
  updatefreq  => 0.5,
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'geoip_alias':
  device      => 'opnsense-test.device.com',
  type        => 'geoip',
  content     => ['DE', 'GR'],
  description => 'Only german and greek IPv4 and IPv6 addresses',
  proto       => 'IPv4,IPv6',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'networkgroup_alias':
  device      => 'opnsense-test.device.com',
  type        => 'networkgroup',
  content     => ['hosts_alias', 'network_alias'],
  description => 'Combine different network aliases into one',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'mac_alias':
  device      => 'opnsense-test.device.com',
  type        => 'mac',
  content     => ['f4:90:ea', '0c:4d:e9:b1:05:f0'],
  description => 'MAC address or partial mac addresses',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

opnsense_firewall_alias { 'external_alias':
  device      => 'opnsense-test.device.com',
  type        => 'external',
  description => 'Externally managed alias, this only handles the placeholder.',
  proto       => 'IPv4',
  counters    => true,
  enabled     => true,
  ensure      => 'present',
}

The following properties are available in the opnsense_firewall_alias type.

content
Data type: Array[String]
The content of the firewall alias.
Default value: []

counters
Data type: Optional[Variant[Enum[""], Boolean]]
Enable or disable pfTable statistics for the firewall alias.

description
Data type: String
The description of the firewall alias.

enabled
Data type: Optional[Variant[Enum[""], Boolean]]
Enable or disable the firewall alias.
Default value: true

ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present

proto
Data type: Optional[Enum["", "IPv4", "IPv6", "IPv4,IPv6"]]
The ip protocol which should be used by the firewall alias.
Default value: ''

type
Data type: Enum["host", "network", "port", "url", "urltable", "geoip", "networkgroup", "mac", "external"]
The type of the firewall alias.

updatefreq
Data type: Variant[Enum[""], Numeric]
How often the alias should be updated, in days.
Default value: 0

The following parameters are available in the opnsense_firewall_alias type.

device
namevar
Data type: String
The name of the opnsense_device you want to manage.

name
namevar
Data type: String
The name of the firewall alias you want to manage.
Resource type: opnsense_firewall_rule

This type provides Puppet with the capabilities to manage opnsense firewall rules. See: https://docs.opnsense.org/manual/firewall.html

Examples:

opnsense_firewall_rule { 'minimal example - use description as resource title':
  device    => 'opnsense-test.device.com',
  sequence  => '1',
  action    => 'pass',
  interface => ['lan', 'wan'],
  ensure    => 'present',
}

opnsense_firewall_rule { 'full example - use description as resource title':
  device           => 'opnsense-test.device.com',
  sequence         => '2',
  action           => 'pass',
  direction        => 'in',
  ipprotocol       => 'inet',
  interface        => ['lan', 'wan'],
  source_net       => 'any',
  source_port      => '',
  source_not       => false,
  protocol         => 'any',
  destination_net  => 'any',
  destination_port => '',
  destination_not  => false,
  gateway          => '',
  quick            => true,
  log              => false,
  enabled          => true,
  ensure           => 'present',
}

The following properties are available in the opnsense_firewall_rule type.

action
Data type: Enum["pass", "block", "reject"]
Choose what to do with packets that match the criteria specified.

destination_net
Data type: String
The destination, e.g. any, an IP address, a network or an alias.
Default value: any

destination_not
Data type: Boolean
Use this option to invert the sense of the match for the destination.

destination_port
Data type: String
Destination port number or well known name (imap, imaps, http, https, ...); for ranges use a dash.
Default value: ''

direction
Data type: Enum["in", "out"]
Direction of the traffic.
Default value: in

enabled
Data type: Boolean
Enable or disable this rule.
Default value: true

ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present

gateway
Data type: String
Leave as default to use the system routing table, or choose a gateway to utilize policy based routing.
Default value: ''

interface
Data type: Array[String]
The network interface(s).

ipprotocol
Data type: Enum["inet", "inet6"]
IP version.
Default value: inet

log
Data type: Boolean
Log packets that are handled by this rule.

protocol
Data type: Enum[ 'any', 'ICMP', 'IGMP', 'GGP', 'IPENCAP', 'ST2', 'TCP', 'CBT', 'EGP', 'IGP', 'BBN-RCC', 'NVP', 'PUP', 'ARGUS', 'EMCON', 'XNET', 'CHAOS', 'UDP', 'MUX', 'DCN', 'HMP', 'PRM', 'XNS-IDP', 'TRUNK-1', 'TRUNK-2', 'LEAF-1', 'LEAF-2', 'RDP', 'IRTP', 'ISO-TP4', 'NETBLT', 'MFE-NSP', 'MERIT-INP', 'DCCP', '3PC', 'IDPR', 'XTP', 'DDP', 'IDPR-CMTP', 'TP++', 'IL', 'IPV6', 'SDRP', 'IDRP', 'RSVP', 'GRE', 'DSR', 'BNA', 'ESP', 'AH', 'I-NLSP', 'SWIPE', 'NARP', 'MOBILE', 'TLSP', 'SKIP', 'IPV6-ICMP', 'CFTP', 'SAT-EXPAK', 'KRYPTOLAN', 'RVD', 'IPPC', 'SAT-MON', 'VISA', 'IPCV', 'CPNX', 'CPHB', 'WSN', 'PVP', 'BR-SAT-MON', 'SUN-ND', 'WB-MON', 'WB-EXPAK', 'ISO-IP', 'VMTP', 'SECURE-VMTP', 'VINES', 'TTP', 'NSFNET-IGP', 'DGP', 'TCF', 'EIGRP', 'OSPF', 'SPRITE-RPC', 'LARP', 'MTP', 'AX.25', 'IPIP', 'MICP', 'SCC-SP', 'ETHERIP', 'ENCAP', 'GMTP', 'IFMP', 'PNNI', 'PIM', 'ARIS', 'SCPS', 'QNX', 'A/N', 'IPCOMP', 'SNP', 'COMPAQ-PEER', 'IPX-IN-IP', 'CARP', 'PGM', 'L2TP', 'DDX', 'IATP', 'STP', 'SRP', 'UTI', 'SMP', 'SM', 'PTP', 'ISIS', 'CRTP', 'CRUDP', 'SPS', 'PIPE', 'SCTP', 'FC', 'RSVP-E2E-IGNORE', 'UDPLITE', 'MPLS-IN-IP', 'MANET', 'HIP', 'SHIM6', 'WESP', 'ROHC', 'PFSYNC', 'DIVERT' ]
The protocol that is used.
Default value: any

quick
Data type: Boolean
If a packet matches a rule specifying quick, then that rule is considered the last matching rule.
Default value: true

sequence
Data type: String
The sequence number of this rule.

source_net
Data type: String
The source, e.g. any, an IP address, a network or an alias.
Default value: any

source_not
Data type: Boolean
Use this option to invert the sense of the match for the source.

source_port
Data type: String
Source port number or well known name (imap, imaps, http, https, ...); for ranges use a dash.
Default value: ''

uuid
Data type: Optional[String]
The uuid of the rule.

The following parameters are available in the opnsense_firewall_rule type.

description
namevar
Data type: String
The rule description.

device
namevar
Data type: String
The name of the opnsense_device you want to manage.
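The defaults documented above (source_net, destination_net and protocol default to any, direction to in, log to false, quick to true) mean that a minimal rule like the 'allow all from lan and wan' example passes all inbound traffic without logging it. The following lint is an added example, not part of the puppet-opnsense module: it takes rule hashes in the shape the opnsense class accepts, applies those documented defaults, and flags wide-open pass rules on an untrusted interface, deny rules without logging, and sequence numbers reused on one device. Treating 'wan' as the untrusted interface and the sample rules themselves are assumptions.

```python
"""Lint opnsense_firewall_rule hashes (added example, not module code).
The defaults below are the ones documented for opnsense_firewall_rule;
treating 'wan' as the untrusted interface is an assumption of this lint."""
from __future__ import annotations

from collections import defaultdict
from typing import Any

# Documented defaults: a key omitted from the rule hash takes this value on the
# device, so the lint has to judge the merged view, not the literal hash.
RULE_DEFAULTS: dict[str, Any] = {
    "direction": "in",
    "ipprotocol": "inet",
    "protocol": "any",
    "source_net": "any",
    "source_port": "",
    "source_not": False,
    "destination_net": "any",
    "destination_port": "",
    "destination_not": False,
    "gateway": "",
    "quick": True,
    "log": False,
    "enabled": True,
    "ensure": "present",
}
REQUIRED_KEYS = ("devices", "sequence", "action", "interface")
VALID_ACTIONS = {"pass", "block", "reject"}
VALID_DIRECTIONS = {"in", "out"}
UNTRUSTED_INTERFACES = {"wan"}  # assumption: the internet-facing interface


def effective_rule(rule: dict[str, Any]) -> dict[str, Any]:
    """Return the rule as the device will apply it: defaults plus overrides."""
    return {**RULE_DEFAULTS, **rule}


def lint_rule(title: str, rule: dict[str, Any]) -> list[str]:
    """Return findings for one rule hash; an empty list means the rule is clean."""
    missing = [k for k in REQUIRED_KEYS if k not in rule]
    if missing:
        return [f"{title}: missing required key(s) {', '.join(missing)}"]
    r = effective_rule(rule)
    findings: list[str] = []
    if r["action"] not in VALID_ACTIONS:
        findings.append(f"{title}: action {r['action']!r} not in {sorted(VALID_ACTIONS)}")
    if r["direction"] not in VALID_DIRECTIONS:
        findings.append(f"{title}: direction {r['direction']!r} not in {sorted(VALID_DIRECTIONS)}")
    if not str(r["sequence"]).isdigit():
        findings.append(f"{title}: sequence {r['sequence']!r} is not a numeric string")
    if not r["devices"]:
        findings.append(f"{title}: devices is empty, the rule is applied nowhere")
    # A pass rule that leaves every selector at its default matches all traffic.
    matches_everything = (
        r["source_net"] == "any" and not r["source_not"]
        and r["destination_net"] == "any" and not r["destination_not"]
        and r["protocol"] == "any" and r["destination_port"] == ""
    )
    exposed = UNTRUSTED_INTERFACES & set(r["interface"])
    live = r["enabled"] and r["ensure"] == "present"
    if live and r["action"] == "pass" and r["direction"] == "in" and matches_everything and exposed:
        findings.append(f"{title}: passes any/any inbound on {sorted(exposed)}")
    if r["action"] in ("block", "reject") and not r["log"]:
        findings.append(f"{title}: denies traffic without log => true (no audit trail)")
    if r["action"] == "pass" and not r["quick"]:
        findings.append(f"{title}: quick => false, a later rule can still override this pass")
    return findings


def lint_rules(rules: dict[str, dict[str, Any]]) -> list[str]:
    """Lint every rule and flag sequence numbers reused on the same device."""
    findings: list[str] = []
    by_sequence: dict[tuple[str, str], list[str]] = defaultdict(list)
    for title, rule in rules.items():
        findings.extend(lint_rule(title, rule))
        for device in rule.get("devices", []):
            by_sequence[(device, str(rule.get("sequence")))].append(title)
    for (device, seq), titles in sorted(by_sequence.items()):
        if len(titles) > 1:
            findings.append(f"{device}: sequence {seq} used by {len(titles)} rules: {', '.join(titles)}")
    return findings


# Constructed sample: the page's minimal rule plus two rules written for contrast.
SAMPLE_RULES: dict[str, dict[str, Any]] = {
    "allow all from lan and wan": {"devices": ["localhost"], "sequence": "1",
                                   "action": "pass", "interface": ["lan", "wan"]},
    "drop smb from wan": {"devices": ["localhost"], "sequence": "1", "action": "block",
                          "interface": ["wan"], "protocol": "TCP", "destination_port": "445"},
    "allow https to web alias": {"devices": ["localhost"], "sequence": "2", "action": "pass",
                                 "interface": ["wan"], "protocol": "TCP", "log": True,
                                 "destination_net": "web_hosts", "destination_port": "443"},
}

if __name__ == "__main__":
    for finding in lint_rules(SAMPLE_RULES):
        print(finding)
```

Run it against the hash you pass as the rules parameter of the opnsense class (for example by loading it from Hiera YAML) before the catalog is applied.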
Resource type: opnsense_haproxy_backend

This type provides Puppet with the capabilities to manage haproxy backends.

Example:

opnsense_haproxy_backend { 'webserver_pool':
  device                           => 'opnsense-test.device.com',
  enabled                          => true,
  description                      => 'backend for webserver',
  mode                             => 'http',
  algorithm                        => 'source',
  random_draws                     => '2',
  proxy_protocol                   => '',
  linked_servers                   => [],
  linked_resolver                  => '',
  resolver_opts                    => [],
  resolve_prefer                   => '',
  source                           => '',
  health_check_enabled             => true,
  health_check                     => '',
  health_check_log_status          => false,
  check_interval                   => '',
  check_down_interval              => '',
  health_check_fall                => '',
  health_check_rise                => '',
  linked_mailer                    => '',
  http2_enabled                    => false,
  http2_enabled_nontls             => false,
  ba_advertised_protocols          => ['h2', 'http11'],
  persistence                      => 'sticktable',
  persistence_cookiemode           => 'piggyback',
  persistence_cookiename           => 'SRVCOOKIE',
  persistence_stripquotes          => false,
  stickiness_pattern               => 'sourceipv4',
  stickiness_data_types            => [],
  stickiness_expire                => '30m',
  stickiness_size                  => '50k',
  stickiness_cookiename            => '',
  stickiness_cookielength          => '',
  stickiness_conn_rate_period      => '10s',
  stickiness_sess_rate_period      => '10s',
  stickiness_http_req_rate_period  => '10s',
  stickiness_http_err_rate_period  => '10s',
  stickiness_bytes_in_rate_period  => '1m',
  stickiness_bytes_out_rate_period => '1m',
  basic_auth_enabled               => false,
  basic_auth_users                 => [],
  basic_auth_groups                => [],
  tuning_timeout_connect           => '',
  tuning_timeout_check             => '',
  tuning_timeout_server            => '',
  tuning_retries                   => '',
  custom_options                   => '',
  tuning_defaultserver             => '',
  tuning_noport                    => false,
  tuning_httpreuse                 => 'safe',
  tuning_caching                   => false,
  linked_actions                   => [],
  linked_errorfiles                => [],
  ensure                           => 'present',
}

The following properties are available in the opnsense_haproxy_backend type.

algorithm
Data type: Enum['source', 'roundrobin', 'static-rr', 'leastconn', 'uri', 'random']
Define the load balancing algorithm to be used in a backend pool.
Default value: source

ba_advertised_protocols
Data type: Array[String]
When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN.
Default value: ["h2"]

basic_auth_enabled
Data type: Boolean
Enable HTTP basic authentication.

basic_auth_groups
Data type: Array[String]
Specify the uuids of the basic auth groups for this backend.
Default value: []

basic_auth_users
Data type: Array[String]
Specify the uuids of the basic auth users for this backend.
Default value: []

check_down_interval
Data type: Optional[String]
Sets the interval (in ms) for running health checks on a configured server when the server state is DOWN.

check_interval
Data type: Optional[String]
Sets the interval (in ms) for running health checks on all configured servers.

custom_options
Data type: Optional[String]
These lines will be added to the HAProxy backend configuration.

description
Data type: String
The backend description.

enabled
Data type: Boolean
Enable or disable this backend.
Default value: true

ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present

health_check
Data type: Optional[String]
Specify the uuid of the health check for servers in this backend.

health_check_enabled
Data type: Boolean
Enable or disable health checking.
Default value: true

health_check_fall
Data type: Optional[String]
The number of consecutive unsuccessful health checks before a server is considered unavailable.

health_check_log_status
Data type: Boolean
Enable to log health check status updates.

health_check_rise
Data type: Optional[String]
The number of consecutive successful health checks before a server is considered available.

http2_enabled
Data type: Boolean
Enable support for end-to-end HTTP/2 communication.

http2_enabled_nontls
Data type: Boolean
Enable support for HTTP/2 even if TLS is not enabled.

linked_actions
Data type: Array[String]
Specify the uuids of the rules to be included in this backend.
Default value: []

linked_errorfiles
Data type: Array[String]
Specify the uuids of the error messages to be included in this backend.
Default value: []

linked_mailer
Data type: Optional[String]
Specify the uuid of the e-mail alert configuration linked to this backend.

linked_resolver
Data type: Optional[String]
Specify the uuid of the custom resolver configuration that should be used for all servers in this backend.

linked_servers
Data type: Array[String]
Specify the uuids of the servers linked to this backend.
Default value: []

mode
Data type: Enum['http', 'tcp']
Set the running mode or protocol of the backend pool.
Default value: http

persistence
Data type: Enum['', 'sticktable', 'cookie']
Choose how HAProxy should track user-to-server mappings.
Default value: sticktable

persistence_cookiemode
Data type: Enum['piggyback', 'new']
Cookie mode to use for persistence.
Default value: piggyback

persistence_cookiename
Data type: String
Cookie name to use for persistence.
Default value: SRVCOOKIE

persistence_stripquotes
Data type: Boolean
Enable to automatically strip quotes from the cookie value.
Default value: true

proxy_protocol
Data type: Enum['', 'v1', 'v2']
Enforces use of the PROXY protocol over any connection established to the configured servers.
Default value: ''

random_draws
Data type: String
When using the random balancing algorithm, this value indicates the number of draws.
Default value: 2

resolve_prefer
Data type: Enum['', 'ipv4', 'ipv6']
When DNS resolution is enabled and multiple IP addresses from different families are returned, use this family.
Default value: ''

resolver_opts
Data type: Array[String]
Add resolver options.
Default value: []

source
Data type: Optional[String]
Sets the source address which will be used when connecting to the server(s).

stickiness_bytes_in_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes: d, h, m, s, ms, us.
Default value: 1m

stickiness_bytes_out_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes: d, h, m, s, ms, us.
Default value: 1m

stickiness_conn_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes: d, h, m, s, ms, us.
Default value: 10s

stickiness_cookielength
Data type: Optional[String]
The maximum number of characters that will be stored in the stick table.

stickiness_cookiename
Data type: Optional[String]
Cookie name to use for the stick table.

stickiness_data_types
Data type: Array[Enum[ '', 'conn_cnt', 'conn_cur', 'conn_rate', 'sess_cnt', 'sess_rate', 'http_req_cnt', 'http_req_rate', 'http_err_cnt', 'http_err_rate', 'bytes_in_cnt', 'bytes_in_rate', 'bytes_out_cnt', 'bytes_out_rate' ]]
This is used to store additional information in the stick-table.
Default value: []

stickiness_expire
Data type: String
The maximum duration of an entry in the stick table. Valid suffixes: d, h, m, s, ms.
Default value: 30m

stickiness_http_err_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes: d, h, m, s, ms, us.
Default value: 10s

stickiness_http_req_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes: d, h, m, s, ms, us.
Default value: 10s

stickiness_pattern
Data type: Enum['', 'sourceipv4', 'sourceipv6', 'cookievalue', 'rdpcookie']
Choose a request pattern to associate a user to a server.
Default value: sourceipv4

stickiness_sess_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes: d, h, m, s, ms, us.
Default value: 10s

stickiness_size
Data type: String
The maximum number of entries that can fit in the stick table. Valid suffixes: k, m, g.
Default value: 50k

tuning_caching
Data type: Boolean
Enable caching of responses from this backend.

tuning_defaultserver
Data type: Optional[String]
Default option for all server entries.

tuning_httpreuse
Data type: Enum['', 'never', 'safe', 'aggressive', 'always']
Choose how idle HTTP connections to the servers may be reused for other requests (HAProxy http-reuse strategy).
Default value: safe

tuning_noport
Data type: Boolean
Do not use the configured server port; use the same port the frontend received the connection on.

tuning_retries
Data type: Optional[String]
Set the number of retries to perform on a server after a connection failure.

tuning_timeout_check
Data type: Optional[String]
Sets an additional read timeout for running health checks on a server. Valid suffixes: d, h, m, s, ms, us.

tuning_timeout_connect
Data type: Optional[String]
Set the maximum time to wait for a connection attempt to a server to succeed. Valid suffixes: d, h, m, s, ms, us.

tuning_timeout_server
Data type: Optional[String]
Set the maximum inactivity time on the server side. Valid suffixes: d, h, m, s, ms, us.

uuid
Data type: Optional[String]
The uuid of the backend.

The following parameters are available in the opnsense_haproxy_backend type.

device
namevar
Data type: String
The name of the opnsense_device you want to manage.

name
namevar
Data type: String
The name of the resource you want to manage.
This type provides Puppet with the capabilities to manage opnsense haproxy frontends.
opnsense_haproxy_frontend { 'webserver_frontend':
device => 'opnsense-test.device.com',
enabled => true,
description => 'frontend for webserver',
bind => '127.0.0.1:8080',
bind_options => '',
mode => 'http',
default_backend => '',
ssl_enabled => true,
ssl_certificates => ['60cc4641eb577', '5eba6f0f352e3'],
ssl_default_certificate => '60cc4641eb577',
ssl_custom_options => '',
ssl_advanced_enabled => true,
ssl_bind_options => ['prefer-client-ciphers'],
ssl_min_version => 'TLSv1.2',
ssl_max_version => '',
ssl_cipher_list => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256',
ssl_cipher_suites => 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256',
ssl_hsts_enabled => false,
ssl_hsts_include_sub_domains => false,
ssl_hsts_preload => false,
ssl_hsts_max_age => '15768000',
ssl_client_auth_enabled => false,
ssl_client_auth_verify => 'required',
ssl_client_auth_cas => [],
ssl_client_auth_crls => [],
basic_auth_enabled => false,
basic_auth_users => [],
basic_auth_groups => [],
tuning_max_connections => '',
tuning_timeout_client => '',
tuning_timeout_http_req => '',
tuning_timeout_http_keep_alive => '',
linked_cpu_affinity_rules => [],
logging_dont_log_null => false,
logging_dont_log_normal => false,
logging_log_separate_errors => false,
logging_detailed_log => true,
logging_socket_stats => false,
stickiness_pattern => '',
stickiness_data_types => [''],
stickiness_expire => '30m',
stickiness_size => '50k',
stickiness_counter => true,
stickiness_counter_key => 'src',
stickiness_length => '',
stickiness_conn_rate_period => '10s',
stickiness_sess_rate_period => '10s',
stickiness_http_req_rate_period => '10s',
stickiness_http_err_rate_period => '10s',
stickiness_bytes_in_rate_period => '1m',
stickiness_bytes_out_rate_period => '1m',
http2_enabled => false,
http2_enabled_nontls => false,
advertised_protocols => ['h2', 'http11'],
forward_for => false,
connection_behaviour => 'http-keep-alive',
custom_options => '',
linked_actions => [],
linked_errorfiles => [],
ensure => 'present',
}
The following properties are available in the opnsense_haproxy_frontend
type.
Data type: Array[Enum['', 'h2', 'http11', 'http10']]
When using the TLS ALPN extension, HAProxy advertises the specified protocol list as supported on top of ALPN.
Default value: ["h2"]
Data type: Boolean
Enable HTTP Basic Authentication.
Data type: Array[String]
Specify the uuids of the basic auth groups for this frontend.
Default value: []
Data type: Array[String]
Specify the uuids of the basic auth users for this frontend.
Default value: []
Data type: String
Configure listen addresses for this public service, i.e. 127.0.0.1:8080.
Data type: Optional[String]
A list of parameters that will be appended to every Listen Address line e.g. accept-proxy npn http/1.1.
Data type: Enum['http-keep-alive', 'httpclose', 'http-server-close']
The HaProxy connection behaviour.
Default value: http-keep-alive
Data type: String
These lines will be added to the HAProxy frontend configuration.
Default value: ''
Data type: String
Set the default backend pool to use for this public service.
Default value: ''
Data type: String
The backend description.
Data type: Boolean
Enable or disable this frontend.
Default value: true
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
Data type: Boolean
Enable insertion of the X-Forwarded-For header to requests sent to servers.
Data type: Boolean
Enable support for HTTP/2.
Data type: Boolean
Enable support for HTTP/2 even if TLS (SSL offloading) is not enabled.
Data type: Array[String]
Choose uuid of rules to be included in this public service.
Default value: []
Data type: Array[String]
Choose CPU affinity rules that should be applied to this public service.
Default value: []
Data type: Array[String]
Choose uuid of error messages to be included in this public service.
Default value: []
Data type: Boolean
Enable or disable verbose logging. Each log line turns into a much richer format.
Data type: Boolean
Enable or disable logging of normal, successful connections.
Data type: Boolean
Enable or disable logging of connections with no data.
Data type: Boolean
Allow HAProxy to automatically raise log level for non-completely successful connections to aid debugging.
Data type: Boolean
Enable or disable collecting & providing separate statistics for each socket.
Data type: Enum['http', 'ssl', 'tcp']
Set the running mode or protocol for this public service.
Default value: http
Data type: Boolean
Enable or disable advanced SSL settings.
Data type: Array[Enum[ '', 'no-sslv3', 'no-tlsv10', 'no-tlsv11', 'no-tlsv12', 'no-tlsv13', 'no-tls-tickets', 'force-sslv3', 'force-tlsv10', 'force-tlsv11', 'force-tlsv12', 'force-tlsv13', 'prefer-client-ciphers', 'strict-sni' ]]
Used to enforce or disable certain SSL options.
Default value: ["prefer-client-ciphers"]
Data type: Array[String]
Select certificates to use for SSL offloading.
Default value: []
Data type: String
The default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake up to TLSv1.2.
Default value: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256
Data type: String
The default string describing the list of cipher algorithms ("cipher suite") that are negotiated during the SSL/TLS handshake for TLSv1.3.
Default value: TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
Data type: Array[String]
Select CA certificates to use for client certificate authentication.
Default value: []
Data type: Array[String]
Select CRLs to use for client certificate authentication.
Default value: []
Data type: Boolean
Enable client certificate authentication.
Data type: Enum['', 'none', 'optional', 'required']
If set to 'optional' or 'required', client certificate is requested.
Default value: required
Data type: String
Pass additional SSL parameters to the HAProxy configuration.
Default value: ''
Data type: String
This certificate will be presented if no SNI is provided by the client if the client provides an SNI hostname which does not match any certificate.
Default value: ''
Data type: Boolean
Enable SSL offloading.
Data type: Boolean
Enable HTTP Strict Transport Security.
Default value: true
Data type: Boolean
Enable or disable if all present and future subdomains will be HTTPS.
Data type: String
Future requests to the domain should use only HTTPS for the specified time (in seconds).
Default value: 15768000
Data type: Boolean
Enable if you like this domain to be included in the HSTS preload list.
Data type: Enum['', 'SSLv3', 'TLSv1.0', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
Used to enforce or disable certain SSL options.
Default value: ''
Data type: Enum['', 'SSLv3', 'TLSv1.0', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3']
Used to enforce or disable certain SSL options.
Default value: TLSv1.2
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 1m
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 1m
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
Data type: Boolean
Enable to be able to retrieve values from sticky counters.
Default value: true
Data type: String
Describes what elements of the incoming request or connection will be analyzed, extracted, combined, and used to select which table entry to update the counters.
Default value: src
Data type: Array[Enum[ '', 'conn_cnt', 'conn_cur', 'conn_rate', 'sess_cnt', 'sess_rate', 'http_req_cnt', 'http_req_rate', 'http_err_cnt', 'http_err_rate', 'bytes_in_cnt', 'bytes_in_rate', 'bytes_out_cnt', 'bytes_out_rate' ]]
This is used to store additional information in the stick-table.
Default value: []
Data type: String
This configures the maximum duration of an entry in the stick-table since it was last created, refreshed or matched. Valid suffixes d, h, m, s, ms.
Default value: 30m
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
Data type: String
Specify the maximum length for a value in the stick-table.
Default value: ''
Data type: Enum['', 'ipv4', 'ipv6', 'integer', 'string', 'binary']
Choose the type of data that should be stored in this stick-table.
Default value: ''
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
Data type: String
This configures the maximum number of entries that can fit in the table. Valid suffixes k, m, g.
Default value: 50k
Data type: String
Set the maximum number of concurrent connections for this public service.
Default value: ''
Data type: String
Creates the specified number of listeners for every IP:port combination and evenly distributes them among available threads.
Default value: ''
Data type: String
Set the maximum inactivity time on the client side. Interpreted as milliseconds unless a suffix is given. Valid suffixes d, h, m, s, ms, us
Default value: ''
Data type: String
Set the maximum allowed time to wait for a new HTTP request to appear. Interpreted as milliseconds unless a suffix is given. Valid suffixes d, h, m, s, ms, us
Default value: ''
Data type: String
Set the maximum allowed time to wait for a complete HTTP request. Interpreted as milliseconds unless a suffix is given. Valid suffixes d, h, m, s, ms, us
Default value: ''
Data type: Optional[String]
The uuid of the frontend.
The following parameters are available in the opnsense_haproxy_frontend
type.
namevar
Data type: String
The name of the opnsense_device type you want to manage.
namevar
Data type: String
The name of the resource you want to manage.
This type provides Puppet with the capabilities to manage opnsense haproxy servers.
opnsense_haproxy_server { 'webserver1':
device => 'opnsense-test.device.com',
enabled => true,
description => 'primary webserver',
address => 'webserver1.example.com',
port => '443',
checkport => '80',
mode => 'active',
type => 'static',
service_name => '',
linked_resolver => '',
resolver_opts => ['allow-dup-ip','ignore-weight','prevent-dup-ip'],
resolve_prefer => 'ipv4',
ssl => false,
ssl_verify => true,
ssl_ca => [],
ssl_crl => [],
ssl_client_certificate => '5eba6f0f352e3',
weight => '10',
check_interval => '100',
check_down_interval => '200',
source => '10.0.0.1',
advanced => 'send-proxy',
ensure => 'present',
}
The following properties are available in the opnsense_haproxy_server
type.
Data type: String
The FQDN or the IP address of this server.
Data type: Optional[String]
List of parameters that will be appended verbatim to the server line in every backend where this server is used. Treat it as configuration, not as a place for unreviewed input.
Data type: Optional[String]
Sets the interval (in milliseconds) for running health checks on the server when the server state is DOWN.
Data type: Optional[String]
Sets the interval (in milliseconds) for running health checks on this server.
Data type: Optional[String]
Provide the TCP communication port to use during check.
Data type: String
The server description.
Data type: Boolean
Enable or disable this server.
Default value: true
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
Data type: Optional[String]
Specify the uuid of the resolver to discover available services via DNS.
Data type: Enum['', 'active', 'backup', 'disabled']
Sets the operation mode to use for this server.
Default value: active
Data type: Optional[String]
The number of servers this template initializes, e.g. 5 or 1-5.
Data type: String
Provide the TCP or UDP communication port for this server.
Data type: Enum['', 'ipv4', 'ipv6']
When DNS resolution is enabled and the name resolves to addresses of both families, prefer this address family.
Default value: ''
Data type: Optional[Array[String]]
Add resolver options.
Default value: []
Data type: Optional[String]
FQDN for all the servers this template initializes or a service name to discover via DNS SRV records.
Data type: Optional[String]
Sets the source address which will be used when connecting to the server.
Data type: Boolean
Enable or disable SSL communication with this server.
Data type: Optional[Array[String]]
These CA Ids will be used to verify server's certificate.
Default value: []
Data type: Optional[String]
This certificate will be sent if the server sends a client certificate request.
Data type: Optional[Array[String]]
These certificate revocation list Ids will be used to verify the server's certificate.
Default value: []
Data type: Boolean
Enable or disable server ssl certificate verification.
Default value: true
Data type: Enum['static', 'template']
Whether this entry is a single static server or a server template that initializes several servers (see the template-related properties above).
Default value: static
Data type: Optional[String]
The uuid of the server.
Data type: Optional[String]
Adjust the server's weight relative to other servers.
The following parameters are available in the opnsense_haproxy_server
type.
namevar
Data type: String
The name of the opnsense_device type you want to manage.
namevar
Data type: String
The name of the resource you want to manage.
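As an added example (not code from the module's own documentation), the manifest below contrasts an upstream server reached over TLS with the origin certificate checked against a pinned CA and the configuration that switches verification off. The device name, hostnames and the CA id are placeholders.

```puppet
# Added example, not from the puppet-opnsense module docs.
# Assumed: an opnsense_device named 'fw01.example.com' is already declared,
# and '5f1e3c0a1b2c3' is the id of the internal CA imported into the
# OPNsense trust store (placeholder value).

# Hardened: TLS to the origin, with the certificate verified against the
# pinned CA. ssl_verify defaults to true; it is stated here for clarity.
opnsense_haproxy_server { 'app01-tls':
  device      => 'fw01.example.com',
  enabled     => true,
  description => 'app01, TLS re-encryption with CA pinning',
  address     => 'app01.internal.example.com',
  port        => '8443',
  checkport   => '8443',
  mode        => 'active',
  type        => 'static',
  ssl         => true,
  ssl_verify  => true,
  ssl_ca      => ['5f1e3c0a1b2c3'],
  ssl_crl     => [],
  weight      => '10',
  ensure      => 'present',
}

# Anti-pattern: ssl is on but verification is off, so any certificate,
# including one presented by an on-path attacker, is accepted. Declared
# absent here so a leftover entry with this setting is removed from the
# device rather than kept.
opnsense_haproxy_server { 'app01-noverify':
  device     => 'fw01.example.com',
  address    => 'app01.internal.example.com',
  port       => '8443',
  ssl        => true,
  ssl_verify => false,
  ensure     => 'absent',
}
```

With ssl_verify left at its default of true, an empty ssl_ca list falls back to whatever the device trusts; listing the CA id explicitly narrows that to the one issuer expected for the origin.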
This type provides Puppet with the capabilities to manage opnsense nodeexporter config.
opnsense_nodeexporter_config { 'opnsense.example.com':
device => 'opnsense.example.com',
enabled => false,
listen_address => '0.0.0.0',
listen_port => '9100',
cpu => true,
exec => true,
filesystem => true,
loadavg => true,
meminfo => true,
netdev => true,
time => true,
devstat => true,
interrupts => false,
ntp => false,
zfs => false,
ensure => 'present',
}
The following properties are available in the opnsense_nodeexporter_config
type.
Data type: Boolean
Enable or disable the cpu collector.
Data type: Boolean
Enable or disable the devstat collector.
Data type: Boolean
Enable or disable the node_exporter plugin.
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
Data type: Boolean
Enable or disable the exec collector.
Data type: Boolean
Enable or disable the filesystem collector.
Data type: Boolean
Enable or disable the interrupts collector.
Data type: String
Set node_exporter's listen address. By default, node_exporter will listen on 0.0.0.0 (all interfaces). This type exposes no authentication setting for the metrics endpoint, so bind it to a management address or restrict access to the port with firewall rules instead of leaving it reachable on every interface.
Data type: String
Set node_exporter's listen port. By default, node_exporter will listen on port 9100.
Data type: Boolean
Enable or disable the loadavg collector.
Data type: Boolean
Enable or disable the meminfo collector.
Data type: Boolean
Enable or disable the netdev collector.
Data type: Boolean
Enable or disable the ntp collector.
Data type: Boolean
Enable or disable the time collector.
Data type: Boolean
Enable or disable the zfs collector.
The following parameters are available in the opnsense_nodeexporter_config
type.
namevar
Data type: String
The name of the opnsense_device type you want to manage.
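The following manifest is an added example, not part of the module documentation. It installs the plugin, then enables the exporter bound to a management address instead of 0.0.0.0 and turns off collectors that are not scraped. The device name, the management address 192.0.2.1 and the plugin name os-node_exporter are assumptions.

```puppet
# Added example, not from the puppet-opnsense module docs.
# Assumed: 'fw01.example.com' is a declared opnsense_device, 192.0.2.1 is
# its management interface address (placeholder), and the plugin providing
# node_exporter on OPNsense is named 'os-node_exporter' (assumed name).
opnsense_plugin { 'os-node_exporter':
  device => 'fw01.example.com',
  ensure => 'present',
}

opnsense_nodeexporter_config { 'fw01.example.com':
  device         => 'fw01.example.com',
  enabled        => true,
  # Bind to the management address only; the default 0.0.0.0 exposes the
  # unauthenticated metrics endpoint on every interface the firewall has.
  listen_address => '192.0.2.1',
  listen_port    => '9100',
  cpu            => true,
  filesystem     => true,
  loadavg        => true,
  meminfo        => true,
  netdev         => true,
  time           => true,
  devstat        => true,
  # Collectors nobody scrapes stay off: less surface, less noise.
  exec           => false,
  interrupts     => false,
  ntp            => false,
  zfs            => false,
  ensure         => 'present',
  # The plugin must exist before its configuration can be applied.
  require        => Opnsense_plugin['os-node_exporter'],
}
```

Binding to one address does not replace a firewall rule: a rule that allows only the Prometheus scraper's source address to reach port 9100 on the management interface is still needed.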
This type provides Puppet with the capabilities to manage opnsense plugins.
opnsense_plugin { 'os-acme-client':
device => 'opnsense.example.com',
ensure => 'present',
}
The following properties are available in the opnsense_plugin
type.
Data type: Enum[present, absent]
Whether this plugin should be present or absent on the opnsense device.
Default value: present
The following parameters are available in the opnsense_plugin
type.
namevar
Data type: String
The name of the opnsense_device type you want to manage.
namevar
Data type: String
The name of the plugin you want to manage.
This type provides Puppet with the capabilities to manage opnsense static routes.
opnsense_route_static { 'example route static':
device => 'opnsense-test.device.com',
network => '10.0.0.98/24',
gateway => 'WAN_DHCP',
disabled => false,
ensure => 'present',
}
The following properties are available in the opnsense_route_static
type.
Data type: Boolean
Set this option to disable this static route without removing it from the list.
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
Data type: String
Choose which gateway this route applies to, e.g. Null4 for 127.0.0.1, Null6 for ::1, or see opn-cli route gateway status.
Data type: String
Destination network for this static route.
Data type: Optional[String]
The uuid of the route.
The following parameters are available in the opnsense_route_static
type.
namevar
Data type: String
You may enter a description here for your reference (not parsed).
namevar
Data type: String
The name of the opnsense_device type you want to manage.
This type provides Puppet with the capabilities to manage opnsense syslog destinations.
opnsense_syslog_destination { 'example syslog destination':
device => 'opnsense-test.device.com',
enabled => true,
transport => 'tls4',
program => 'ntp,ntpdate,ntpd',
level => ['info', 'notice', 'warn', 'err', 'crit', 'alert', 'emerg'],
facility => ['ntp', 'security', 'console'],
hostname => '10.0.0.2',
certificate => '60cc4641eb577',
port => '514',
rfc5424 => true,
ensure => 'present',
}
The following properties are available in the opnsense_syslog_destination
type.
Data type: String
Transport certificate to use. Please check the general system log when experiencing issues; error messages can be cryptic from time to time, in which case https://support.oneidentity.com/kb/263658/common-issues-of-tls-encrypted-message-transfer is a good resource for tracking common issues.
Data type: Boolean
Set this option to enable this destination.
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
Data type: Array[ Enum[ '', 'kern', 'user', 'mail', 'daemon', 'auth', 'syslog', 'lpr', 'news', 'uucp', 'cron', 'authpriv', 'ftp', 'ntp', 'security', 'console', 'local0', 'local1', 'local2', 'local3', 'local4', 'local5', 'local6', 'local7' ] ]
Choose which facilities to include, omit to select all.
Data type: String
The hostname or ip address of the syslog destination.
Data type: Array[ Enum['', 'debug', 'info', 'notice', 'warn', 'err', 'crit', 'alert', 'emerg'] ]
Choose which levels to include, omit to select all.
Data type: String
The port of the syslog destination.
Data type: String
Choose which applications should be forwarded to the specified target, omit to select all.
Data type: Boolean
Use RFC 5424 formatted messages for this destination.
Data type: Enum['udp4', 'tcp4', 'udp6', 'tcp6', 'tls4', 'tls6']
Transport protocol. The udp and tcp transports send logs in cleartext without authenticating the collector, and udp gives no delivery guarantee; use tls4 or tls6 whenever logs leave a trusted network.
Data type: Optional[String]
The uuid of the destination.
The following parameters are available in the opnsense_syslog_destination
type.
namevar
Data type: String
You may enter a description here for your reference.
namevar
Data type: String
The name of the opnsense_device type you want to manage.
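As an added example (not from the module documentation), the manifest below retires a legacy cleartext UDP destination and replaces it with a TLS destination on the RFC 5425 port that ships only the security-relevant facilities and levels. The device name, collector hostname and certificate id are placeholders.

```puppet
# Added example, not from the puppet-opnsense module docs.
# Assumed: 'fw01.example.com' is a declared opnsense_device,
# 'logs.example.com' is the central collector, and '5f1e3c0a1b2c3' is the
# id of a certificate present on the device (placeholder value).

# Legacy: cleartext UDP. Messages can be read or altered in transit and
# dropped silently, and the collector is never authenticated. Declared
# absent so the old destination is removed from the device.
opnsense_syslog_destination { 'collector over udp (legacy)':
  device    => 'fw01.example.com',
  transport => 'udp4',
  hostname  => 'logs.example.com',
  port      => '514',
  ensure    => 'absent',
}

# Hardened: TLS transport with a certificate, RFC 5424 framing, and only
# the auth/kernel/security facilities at notice and above shipped off-box.
# program is omitted so every application matching those facilities is
# forwarded.
opnsense_syslog_destination { 'collector over tls':
  device      => 'fw01.example.com',
  enabled     => true,
  transport   => 'tls4',
  level       => ['notice', 'warn', 'err', 'crit', 'alert', 'emerg'],
  facility    => ['auth', 'authpriv', 'security', 'kern'],
  hostname    => 'logs.example.com',
  certificate => '5f1e3c0a1b2c3',
  port        => '6514',
  rfc5424     => true,
  ensure      => 'present',
}
```

Port 6514 is the IANA-assigned port for syslog over TLS; the collector must listen there with a certificate chain the firewall trusts, otherwise the handshake failures described for the certificate property above will show up in the device's general system log.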