Version information
This version is compatible with:
- Puppet Enterprise 2023.2.x, 2023.1.x, 2023.0.x, 2021.7.x, 2021.6.x, 2021.5.x, 2021.4.x, 2021.3.x, 2021.2.x, 2021.1.x, 2021.0.x, 2019.8.x
- Puppet >= 6.21.0 < 8.0.0
Start using this module
Add this module to your Puppetfile:
mod 'andeman-opnsense', '2.0.0'
opnsense
Module description
The opnsense module configures OPNsense firewalls.
It lets administrators manage an OPNsense firewall directly via the sysutils/puppet-agent OPNsense plugin, and/or manage multiple firewalls from a bastion host running a puppet-agent with opn-cli installed.
The main goal of the module is to enable GitOps for your network security policies: developers submit pull requests for new firewall rules and load balancer configurations, the network or ops team reviews them and deploys them to a pre-production environment for testing and verification, and once everything passes the same change is deployed to production.
You can automate the following with the module:
- plugins
- firewall aliases
- firewall rules
- haproxy servers
- haproxy backends
- haproxy frontends
Setup
OPNsense firewall
Use this setup if you want to manage the firewall directly with a puppet-agent running on the device.
Requirements
OPNsense plugins:
- sysutils/puppet-agent
- os-firewall for managing firewall rules
- os-haproxy for managing haproxy rules
Install requirements
Menu->Firmware->Plugins
Install the plugin sysutils/puppet-agent, plus os-firewall and/or os-haproxy for the features you intend to manage.
Bastion host
Use this setup if you want a bastion host running a puppet-agent that manages multiple firewalls via HTTPS API calls.
Requirements
- opn-cli
- puppetlabs/resource_api (puppet < 6.0)
Install requirements
$packages = [
'python3',
'python3-pip',
]
$pip_packages = [
'opn-cli',
]
package { $packages:
ensure => present,
}
-> package { $pip_packages:
ensure => latest,
provider => 'pip3',
}
Access to the OPNsense api
If you want to manage an OPNsense firewall, you need to supply credentials and connection information for the device.
To create an api_key and api_secret see: https://docs.opnsense.org/development/how-tos/api.html#creating-keys. The api_secret is a credential: the opnsense_device type takes it as Sensitive[String], so wrap it in Sensitive() as the opnsense_device example in the reference does, and keep it out of plain-text manifests checked into version control.
If you want to use ssl verification (recommended):
To download the default self-signed cert, open the OPNsense web gui and go to System->Trust->Certificates. Search for the name: "Web GUI SSL certificate" and press the "export user cert" button.
If you use a ca signed certificate, go to System->Trust->Authorities and press the "export CA cert" button to download the ca.
Save the cert or ca and make sure the puppet agent is able to read it.
Usage
Install and enable opnsense
include opnsense
Configure OPNsense firewall(s)
You can manage multiple opnsense firewalls with this module.
In the following example a single OPNsense firewall running a puppet agent is managed; with manage_resources => true it also collects the configuration that clients export via exported resources:
# node: opnsense.example.com
class { 'opnsense':
manage_resources => true,
devices => {
'opnsense.example.com' => {
'url' => 'https://127.0.0.1/api',
'api_key' => 'your_api_key',
'api_secret' => 'your_api_secret',
'ssl_verify' => true,
'timeout' => 60,
'ca' => '~/.opn-cli/ca.pem',
'plugins' => {
'os-helloworld' => {}
}
}
},
firewall => {
aliases => {
'my_http_ports_local' => {
'devices' => ['opnsense.example.com'],
'type' => 'port',
'content' => ['80', '443'],
'description' => 'example local http ports',
'enabled' => true,
'ensure' => present
},
},
rules => {
'allow all from lan' => {
'devices' => ['opnsense.example.com'],
'sequence' => '1',
'action' => 'pass',
'interface' => ['lan']
}
}
},
haproxy => {
servers => {
"server1" => {
"devices" => ["opnsense.example.com"],
"description" => "first local server",
"address" => "127.0.0.1",
"port" => "8091",
},
"server2" => {
"devices" => ["opnsense.example.com"],
"description" => "second local server",
"address" => "127.0.0.1",
"port" => "8092",
},
},
backends => {
"localhost_backend" => {
"devices" => ["opnsense.example.com"],
"description" => "local server backend",
"mode" => "http",
"linked_servers" => ["server1", "server2"],
}
},
frontends => {
"localhost_frontend" => {
"devices" => ["opnsense.example.com"],
"description" => "local frontend",
"bind" => "127.0.0.1:8090",
"ssl_enabled" => false,
"default_backend" => "localhost_backend",
}
},
},
}
Configure a client to export firewall aliases and rules
This feature uses exported resources. You need to enable catalog storage and searching (storeconfigs) on your primary puppet server.
Here the client (client1.example.com) exports its security configuration to the firewall (opnsense.example.com) defined above:
# node: client1.example.com
class { 'opnsense::client::firewall':
aliases => {
'client1_example_com' => {
'devices' => ['opnsense.example.com'],
'type' => 'host',
'content' => ['client1.example.com'],
'description' => 'client.example.com alias',
'enabled' => true,
'ensure' => present
},
},
rules => {
'allow https from lan to client1.example.com' => {
'devices' => ['opnsense.example.com'],
'sequence' => '100',
'action' => 'pass',
'interface' => ['lan'],
'protocol' => 'TCP',
'destination_net' => 'client1_example_com',
'destination_port' => 'https',
'ensure' => present
},
}
}
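Because these hashes are meant to arrive as pull requests, it pays to lint them before they reach the firewall. The following Ruby script is an added example for that review step; it is not part of the andeman-opnsense module or of opn-cli. It takes alias and rule hashes in the same shape as the client1.example.com manifest above, checks alias content per alias type (host, network, port, mac, geoip, url, networkgroup) and checks that every source_net and destination_net in a rule is 'any', an address, or an alias defined in the same change set. The per-type content checks and the pass-any policy check are this example's own simplification, not OPNsense's validation; the sample data is constructed here and deliberately contains an out-of-range port, an undefined networkgroup member and a misspelled alias reference.

```ruby
# Added example, not part of the andeman-opnsense module: a pre-merge linter
# for the alias/rule hashes a client hands to opnsense::client::firewall.
# The per-type content checks are a simplified approximation of what OPNsense
# accepts (assumption of this example); the reference checks are exact.
require 'ipaddr'

module OpnLint
  ALIAS_TYPES = %w[host network port url urltable geoip networkgroup mac external].freeze
  HOSTNAME = /\A(?=.{1,253}\z)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)*[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\z/i
  MAC      = /\A[0-9a-f]{2}(:[0-9a-f]{2}){0,5}\z/i   # full address or a prefix, as in the mac_alias example

  module_function

  def ip?(str)
    IPAddr.new(str)
    true
  rescue IPAddr::InvalidAddressError
    false
  end

  # One entry of an alias of the given type; '!' negates a host/network entry.
  def valid_entry?(type, raw)
    entry = raw.delete_prefix('!')
    case type
    when 'host'            then (!entry.include?('/') && ip?(entry)) || entry.match?(HOSTNAME)
    when 'network'         then entry.include?('/') && ip?(entry)
    when 'port'            then raw.match?(/\A\d+\z/) && raw.to_i.between?(1, 65_535)
    when 'mac'             then raw.match?(MAC)
    when 'geoip'           then raw.match?(/\A[A-Z]{2}\z/)
    when 'url', 'urltable' then raw.start_with?('https://')
    else true   # networkgroup is checked by reference below; external carries no content
    end
  end

  # Returns an array of findings; an empty array means the change set is clean.
  def lint(aliases:, rules:)
    findings = []
    aliases.each do |name, a|
      unless ALIAS_TYPES.include?(a['type'])
        findings << "alias #{name}: unknown type #{a['type'].inspect}"
        next
      end
      Array(a['content']).each do |c|
        if a['type'] == 'networkgroup'
          findings << "alias #{name}: references undefined alias #{c}" unless aliases.key?(c)
        elsif !valid_entry?(a['type'], c)
          findings << "alias #{name}: #{c.inspect} is not a valid #{a['type']} entry"
        end
      end
    end
    rules.each do |desc, r|
      %w[source_net destination_net].each do |field|
        ref = r.fetch(field, 'any')
        next if ref == 'any' || ip?(ref.delete_prefix('!')) || aliases.key?(ref)
        findings << "rule #{desc.inspect}: #{field} #{ref.inspect} is neither an address nor a defined alias"
      end
      # Review policy of this example (not an OPNsense rule): a pass rule that
      # matches any source, any destination and any protocol must be called out.
      if r['action'] == 'pass' && %w[source_net destination_net protocol].all? { |f| r.fetch(f, 'any') == 'any' }
        findings << "rule #{desc.inspect}: pass-any rule, needs explicit review"
      end
    end
    findings
  end
end

# Constructed sample mirroring the client1.example.com export above, with three
# deliberate mistakes: an out-of-range port, an undefined networkgroup member
# and a misspelled alias reference in a rule.
SAMPLE_ALIASES = {
  'client1_example_com' => { 'type' => 'host',         'content' => ['client1.example.com'] },
  'my_http_ports_local' => { 'type' => 'port',         'content' => ['80', '443', '70000'] },
  'lan_nets'            => { 'type' => 'network',      'content' => ['192.168.1.0/24', '!192.168.1.128/25'] },
  'all_nets'            => { 'type' => 'networkgroup', 'content' => ['lan_nets', 'dmz_nets'] },
}.freeze
SAMPLE_RULES = {
  'allow all from lan' => {
    'sequence' => '1', 'action' => 'pass', 'interface' => ['lan'] },
  'allow https from lan to client1.example.com' => {
    'sequence' => '100', 'action' => 'pass', 'interface' => ['lan'], 'protocol' => 'TCP',
    'destination_net' => 'client1_example_com', 'destination_port' => 'https' },
  'allow ssh from lan to client1.example.com' => {
    'sequence' => '101', 'action' => 'pass', 'interface' => ['lan'], 'protocol' => 'TCP',
    'destination_net' => 'client1_exmaple_com', 'destination_port' => 'ssh' },
}.freeze

def lint_sample
  OpnLint.lint(aliases: SAMPLE_ALIASES, rules: SAMPLE_RULES)
end

puts lint_sample if __FILE__ == $PROGRAM_NAME
```

Run against the sample it reports four findings (the three planted mistakes plus the pass-any rule); a non-empty list is the signal to block the merge. The reference check is the part worth keeping even if you replace the content checks: a misspelled alias name in a rule is easy to miss in a diff review.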
Configure a client to export haproxy server, backends and frontends
This feature uses exported resources. You need to enable catalog storage and searching (storeconfigs) on your primary puppet server.
Here the client (client1.example.com) exports its haproxy configuration to the firewall (opnsense.example.com) defined above:
# node: client1.example.com
class { 'opnsense::client::haproxy':
servers => {
"client1.example.com" => {
"devices" => ["opnsense.example.com"],
"description" => "client test server",
"address" => "client1.example.com",
"port" => "443",
"enabled" => true,
},
},
backends => {
"web_backend" => {
"devices" => ["opnsense.example.com"],
"description" => "test backend",
"mode" => "http",
"linked_servers" => ["server1", "server2"],
"enabled" => false,
}
},
frontends => {
"web_frontend" => {
"devices" => ["opnsense.example.com"],
"description" => "test frontend",
"bind" => "127.0.0.1:9000",
"ssl_enabled" => false,
"default_backend" => "localhost_backend",
"enabled" => true,
}
},
}
Dealing with self-signed certificates
When connecting to the OPNsense API, this module by default tells opn-cli to use the system-wide installed CA certificates to verify the SSL connection. This only works when the OPNsense WebUI presents a certificate that chains to one of those CAs.
If the OPNsense WebUI still uses the pre-installed self-signed certificate, or a certificate signed by your own CA, you can point opn-cli at that CA certificate (or at the self-signed certificate itself) for SSL verification:
class { 'opnsense':
use_system_ca => false,
ca_file => '/root/.opn-cli/ca.pem',
ca_content => '-----BEGIN CERTIFICATE-----
AAAAAABBBBBBBBBCCCCCCCCCCDDDDDDDDDDDEEEEEEEEEEEFFFFFFFFFGGGGGGGG
-----END CERTIFICATE-----'
}
The OPNsense CA certificate can be downloaded from System: Trust: Authorities on the OPNsense firewall.
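To make clear what the ca and use_system_ca settings actually pin, here is an added Ruby example; it is not code from the module or from opn-cli, but reproduces the verification any TLS client performs with the file you export from System: Trust. It generates, in memory, a private CA with a Web GUI certificate signed by it, a stand-alone self-signed Web GUI certificate like the pre-installed default, and a certificate for the same host name from an unrelated issuer. The host name opnsense.example.com and all keys and certificates are constructed on the fly. Loading the exported PEM as the only trust anchor accepts the first two and rejects the third; a correctly chained certificate for the wrong host name is rejected as well.

```ruby
# Added example, not part of the andeman-opnsense module or opn-cli: shows what
# ssl_verify => true with a pinned 'ca' file checks. All keys and certificates
# are generated here (constructed data); nothing touches the network.
require 'openssl'

module OpnTrust
  module_function

  def make_key
    OpenSSL::PKey::RSA.new(2048)
  end

  # Build an X.509 v3 certificate. issuer is [cert, key] of the signer;
  # nil makes it self-signed. Leaves get only a SAN, like a plain web GUI cert.
  def make_cert(cn:, key:, serial:, ca: false, issuer: nil)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = serial
    cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    issuer_cert, issuer_key = issuer || [cert, key]
    cert.issuer = issuer_cert.subject
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = issuer_cert
    if ca
      cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
      cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
    else
      cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
    end
    cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  # What a TLS client does with the exported PEM: make it the only trust
  # anchor, verify the chain, then match the host name against the SAN.
  def trusted?(anchor_pem, server_cert, host)
    store = OpenSSL::X509::Store.new
    store.add_cert(OpenSSL::X509::Certificate.new(anchor_pem))
    return false unless store.verify(server_cert)      # store.error_string explains a failure
    OpenSSL::SSL.verify_certificate_identity(server_cert, host)
  end

  # Four scenarios against the same host name.
  def demo(host = 'opnsense.example.com')
    ca_key   = make_key
    ca_cert  = make_cert(cn: 'OPNsense internal CA', key: ca_key, serial: 1, ca: true)
    gui_key  = make_key
    gui_cert = make_cert(cn: host, key: gui_key, serial: 2, issuer: [ca_cert, ca_key]) # System->Trust->Authorities case
    selfsign = make_cert(cn: host, key: gui_key, serial: 3)                            # pre-installed self-signed case
    other_key = make_key
    other_ca  = make_cert(cn: 'Some other CA', key: other_key, serial: 4, ca: true)
    rogue     = make_cert(cn: host, key: make_key, serial: 5, issuer: [other_ca, other_key])
    {
      ca_signed:   trusted?(ca_cert.to_pem, gui_cert, host),               # true
      self_signed: trusted?(selfsign.to_pem, selfsign, host),              # true
      rogue:       trusted?(ca_cert.to_pem, rogue, host),                  # false: unrelated issuer
      wrong_name:  trusted?(ca_cert.to_pem, gui_cert, 'other.example.com') # false: SAN mismatch
    }
  end
end

puts OpnTrust.demo.inspect if __FILE__ == $PROGRAM_NAME
```

After a failed store.verify, store.error_string says why (for instance "unable to get local issuer certificate" when the wrong CA was exported). Pinning the self-signed Web GUI certificate itself, as the "export user cert" step above does, means the file must be re-exported whenever that certificate is regenerated; pinning your own CA survives a certificate renewal.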
More examples
You can find more examples in the examples folder.
Reference
Types and providers are documented in REFERENCE.md.
Limitations
For an extensive list of supported operating systems, see metadata.json
CI/CD
CI/CD is done via Github Actions.
Development
You need to install the following requirements to set up the local development environment:
Create the local development environment
scripts/create_test_env
Running unit tests
Unit testing uses pdk
scripts/unit_tests
Running acceptance tests
Acceptance testing uses puppet litmus.
scripts/acceptance_tests
Teardown
scripts/remove_test_env
Contributing
Please use the GitHub issues functionality to report any bugs or requests for new features. Feel free to fork and submit pull requests for potential contributions.
All contributions must pass all existing tests, new features should provide additional unit/acceptance tests.
Release Notes
See Changelog.
Reference
Table of Contents
Classes
opnsense
: Automate opnsense firewalls
opnsense::client::firewall
: Use exported resources to collect firewall configurations from clients.
opnsense::client::haproxy
: Use exported resources to collect haproxy configurations from clients.
Resource types
opnsense_device
: Manage an OPNsense device access.
opnsense_firewall_alias
: Manage opnsense firewall aliases.
opnsense_firewall_rule
: Manage opnsense firewall rules
opnsense_haproxy_backend
: Manage opnsense haproxy backends
opnsense_plugin
: Manage installed opnsense plugins
Classes
opnsense
Automate opnsense firewalls
Examples
class { 'opnsense':
devices => {
"localhost" => {
"url" => 'https://127.0.0.1/api',
"api_key" => '3T7LyQbZSXC/WN56qL0LyvLweNICeiTOzZ2JifNAvlrL+BW8Yvx7WSAUS4xvmLM/BE7xVVtv0Mv2QwNm',
"api_secret" => '2mxXt++o5Mmte3sfNJsYxlm18M2t/wAGIAHwmWoe8qc15T5wUrejJQUd/sfXSGnAG2Xk2gqMf8FzHpT2',
"ssl_verify" => true,
"timeout" => 60,
"ca" => '~/.opn-cli/ca.pem',
"plugins" => {
"os-helloworld" => {}
}
}
},
firewall => {
aliases => {
"my_http_ports_local" => {
"devices" => ["localhost"],
"type" => "port",
"content" => ["80", "443"],
"description" => "example local http ports",
"enabled" => true,
"ensure" => present
},
},
rules => {
"allow all from lan and wan" => {
"devices" => ["localhost"],
"sequence" => "1",
"action" => "pass",
"interface" => ["lan", "wan"],
"ensure" => present
}
}
},
haproxy => {
servers => {
"server1" => {
"devices" => ["localhost"],
"description" => "first local server",
"address" => "127.0.0.1",
"port" => "8091",
},
"server2" => {
"devices" => ["localhost"],
"description" => "second local server",
"address" => "127.0.0.1",
"port" => "8092",
},
},
backends => {
"localhost_backend" => {
"devices" => ["localhost"],
"description" => "local server backend",
"mode" => "http",
"linked_servers" => ["server1", "server2"],
}
},
frontends => {
"localhost_frontend" => {
"devices" => ["localhost"],
"description" => "local frontend",
"bind" => "127.0.0.1:8090",
"ssl_enabled" => true,
"ssl_certificates" => ["60cc4641eb577"],
"default_backend" => "localhost_backend",
}
},
}
}
Parameters
The following parameters are available in the opnsense
class:
devices
api_manager_prefix
manage_resources
required_plugins
firewall
haproxy
manage_ca
ca_content
ca_file
use_system_ca
system_ca_file
opncli_configdir
devices
Data type: Hash
The devices that will be managed by this class.
api_manager_prefix
Data type: String
Prefix that will be added to the description fields for non exported resource items
manage_resources
Data type: Boolean
When true, the class collects the resources that clients export via opnsense::client::firewall and opnsense::client::haproxy from catalog storage (PuppetDB). This requires 'storeconfigs' to be configured on the puppet server. Default is false, as not everyone has this enabled.
required_plugins
Data type: Hash
The required opnsense plugins to support all features.
firewall
Data type: Hash
Configures the opnsense firewall (aliases and rules).
haproxy
Data type: Hash
Configures the opnsense haproxy load balancer (servers, backends and frontends).
manage_ca
Data type: Boolean
When true, the CA file used by opn-cli will be managed to ensure that the communication to the OPNsense API is possible.
ca_content
Data type: Optional[String]
A string containing a CA certificate that should be written to the file specified in $ca_file.
ca_file
Data type: Stdlib::Absolutepath
The absolute path to the CA file that should be used by opn-cli.
use_system_ca
Data type: Boolean
This instructs opn-cli to use the system-wide installed CA certificates when verifying the connection to the OPNsense API.
system_ca_file
Data type: Stdlib::Absolutepath
The absolute path to the system-wide CA certificate file.
opncli_configdir
Data type: Stdlib::Absolutepath
The config directory used by opn-cli.
opnsense::client::firewall
This exports firewall resources (aliases and rules) to PuppetDB so that one or more OPNsense firewalls can collect and apply them automatically.
Examples
class { 'opnsense::client::firewall':
aliases => {
"my_http_ports_from_client" => {
"devices" => ["localhost"],
"type" => "port",
"content" => ["80", "443"],
"description" => "example local http ports",
"enabled" => true,
"ensure" => present
},
},
rules => {
"allow all from lan and wan" => {
"devices" => ["localhost"],
"sequence" => "1",
"action" => "pass",
"interface" => ["lan", "wan"],
"ensure" => present
}
}
}
Parameters
The following parameters are available in the opnsense::client::firewall
class:
aliases
Data type: Hash
Firewall aliases that are associated with this client.
rules
Data type: Hash
Firewall rules that are associated with this client.
opnsense::client::haproxy
This exports haproxy resources (servers, backends and frontends) to PuppetDB so that one or more OPNsense firewalls can collect and apply them automatically.
Examples
class { 'opnsense::client::haproxy':
servers => {
"server1" => {
"devices" => ["localhost"],
"description" => "first local server",
"address" => "127.0.0.1",
"port" => "8091",
},
"server2" => {
"devices" => ["localhost"],
"description" => "second local server",
"address" => "127.0.0.1",
"port" => "8092",
},
},
backends => {
"localhost_backend" => {
"devices" => ["localhost"],
"description" => "local server backend",
"mode" => "http",
"linked_servers" => ["server1", "server2"],
}
},
frontends => {
"localhost_frontend" => {
"devices" => ["localhost"],
"description" => "local frontend",
"bind" => "127.0.0.1:8090",
"ssl_enabled" => true,
"ssl_certificates" => ["60cc4641eb577"],
"default_backend" => "localhost_backend",
}
},
}
Parameters
The following parameters are available in the opnsense::client::haproxy
class:
servers
Data type: Hash
HaProxy servers that are associated with this client.
backends
Data type: Hash
HaProxy backends that are associated with this client.
frontends
Data type: Hash
HaProxy frontends that are associated with this client.
Resource types
opnsense_device
This type provides Puppet with the capabilities to manage OPNSense device access data.
Examples
opnsense_device { 'opnsense.example.com':
url => 'https://opnsense.example.com/api',
api_key => 'your_api_key',
api_secret => Sensitive('your_api_secret'),
timeout => 60,
ssl_verify => true,
ca => '/path/to/ca.pem',
ensure => 'present',
}
Properties
The following properties are available in the opnsense_device
type.
api_key
Data type: String
The api key from the generated key/secret pair.
api_secret
Data type: Sensitive[String]
The api secret from the generated key/secret pair.
ca
Data type: Optional[String]
The path to the ca bundle file for ssl verification.
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
ssl_verify
Data type: Boolean
Whether to verify the TLS certificate presented by the OPNsense API.
Default value: true
timeout
Data type: Integer
The timeout for API calls in seconds.
Default value: 60
url
Data type: String
The api url of the OPNsense device.
Parameters
The following parameters are available in the opnsense_device
type.
name
namevar
Data type: Pattern[/\A[0-9A-Za-z.-]+/]
*this data type contains a regex that may not be accurately reflected in generated documentation
The name of the OPNsense device you want to manage.
opnsense_firewall_alias
This type provides Puppet with the capabilities to manage opnsense firewall aliases.
Examples
opnsense_firewall_alias { 'hosts_alias':
device => 'opnsense-test.device.com',
type => 'host',
content => ['10.0.0.1', '!10.0.0.5'],
description => 'Some hosts',
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'network_alias':
device => 'opnsense-test.device.com',
type => 'network',
content => ['192.168.1.0/24', '!192.168.1.128/25'],
description => 'Some networks',
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'ports_alias':
device => 'opnsense-test.device.com',
type => 'port',
content => ['80', '443'],
description => 'Some ports',
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'url_alias':
device => 'opnsense-test.device.com',
type => 'url',
content => ['https://www.spamhaus.org/drop/drop.txt', 'https://www.spamhaus.org/drop/edrop.txt'],
description => 'spamhaus fetched once.',
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'url_table_alias':
device => 'opnsense-test.device.com',
type => 'urltable',
content => ['https://www.spamhaus.org/drop/drop.txt', 'https://www.spamhaus.org/drop/edrop.txt'],
description => 'Spamhaus block list',
updatefreq => 0.5,
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'geoip_alias':
device => 'opnsense-test.device.com',
type => 'geoip',
content => ['DE', 'GR'],
description => 'Only german and greek IPv4 and IPV6 addresses',
proto => "IPv4,IPv6",
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'networkgroup_alias':
device => 'opnsense-test.device.com',
type => 'networkgroup',
content => ['hosts_alias', 'network_alias'],
description => 'Combine different network aliases into one',
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'mac_alias':
device => 'opnsense-test.device.com',
type => 'mac',
content => ['f4:90:ea', '0c:4d:e9:b1:05:f0'],
description => 'MAC address or partial mac addresses',
counters => true,
enabled => true,
ensure => 'present',
}
opnsense_firewall_alias { 'external_alias':
device => 'opnsense-test.device.com',
type => 'external',
description => 'Externally managed alias, this only handles the placeholder.',
proto => "IPv4",
counters => true,
enabled => true,
ensure => 'present',
}
Properties
The following properties are available in the opnsense_firewall_alias
type.
content
Data type: Array[String]
The content of the firewall alias.
Default value: []
counters
Data type: Optional[Variant[Enum[""], Boolean]]
Enable or disable pfTable statistics for the firewall alias.
description
Data type: String
The description of the firewall alias.
enabled
Data type: Optional[Variant[Enum[""], Boolean]]
Enable or disable the firewall alias.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
proto
Data type: Optional[Enum["", "IPv4", "IPv6", "IPv4,IPv6"]]
The ip protocol which should be used by the firewall alias.
Default value: ''
type
Data type: Enum["host", "network", "port", "url", "urltable", "geoip", "networkgroup", "mac", "external"]
The type of the firewall alias.
updatefreq
Data type: Variant[Enum[""], Float]
How often should the alias be updated in days.
Default value: ''
Parameters
The following parameters are available in the opnsense_firewall_alias
type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the firewall alias you want to manage.
opnsense_firewall_rule
This type provides Puppet with the capabilities to manage opnsense firewall rules. See https://docs.opnsense.org/manual/firewall.html.
Examples
opnsense_firewall_rule { 'minimal example - use description as resource title':
device => 'opnsense-test.device.com',
sequence => '1',
action => 'pass',
interface => ['lan', 'wan'],
ensure => 'present',
}
opnsense_firewall_rule { 'full example - use description as resource title':
device => 'opnsense-test.device.com',
sequence => '2',
action => 'pass',
direction => 'in',
ipprotocol => 'inet',
interface => ['lan', 'wan'],
source_net => 'any',
source_port => '',
source_not => false,
protocol => 'any',
destination_net => 'any',
destination_port => '',
destination_not => false,
description => 'allow any from any to lan and wan',
gateway => '',
quick => true,
log => false,
enabled => true,
ensure => 'present',
}
Properties
The following properties are available in the opnsense_firewall_rule
type.
action
Data type: Enum["pass", "block", "reject"]
Choose what to do with packets that match the criteria specified.
destination_net
Data type: String
The destination eg. any, ip address, network or alias.
Default value: any
destination_not
Data type: Boolean
Use this option to invert the sense of the match for the destination.
destination_port
Data type: String
Destination port number or well known name (imap, imaps, http, https, ...), for ranges use a dash.
Default value: ''
direction
Data type: Enum["in", "out"]
Direction of the traffic.
Default value: in
enabled
Data type: Boolean
Enable or disable this rule.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
gateway
Data type: String
Leave as default to use the system routing table. Or choose a gateway to utilize policy based routing.
Default value: ''
interface
Data type: Array[String]
The network interface(s).
ipprotocol
Data type: Enum["inet", "inet6"]
IP Version
Default value: inet
log
Data type: Boolean
Log packets that are handled by this rule.
protocol
Data type: Enum[ 'any', 'ICMP', 'IGMP', 'GGP', 'IPENCAP', 'ST2', 'TCP', 'CBT', 'EGP', 'IGP', 'BBN-RCC', 'NVP', 'PUP', 'ARGUS', 'EMCON', 'XNET', 'CHAOS', 'UDP', 'MUX', 'DCN', 'HMP', 'PRM', 'XNS-IDP', 'TRUNK-1', 'TRUNK-2', 'LEAF-1', 'LEAF-2', 'RDP', 'IRTP', 'ISO-TP4', 'NETBLT', 'MFE-NSP', 'MERIT-INP', 'DCCP', '3PC', 'IDPR', 'XTP', 'DDP', 'IDPR-CMTP', 'TP++', 'IL', 'IPV6', 'SDRP', 'IDRP', 'RSVP', 'GRE', 'DSR', 'BNA', 'ESP', 'AH', 'I-NLSP', 'SWIPE', 'NARP', 'MOBILE', 'TLSP', 'SKIP', 'IPV6-ICMP', 'CFTP', 'SAT-EXPAK', 'KRYPTOLAN', 'RVD', 'IPPC', 'SAT-MON', 'VISA', 'IPCV', 'CPNX', 'CPHB', 'WSN', 'PVP', 'BR-SAT-MON', 'SUN-ND', 'WB-MON', 'WB-EXPAK', 'ISO-IP', 'VMTP', 'SECURE-VMTP', 'VINES', 'TTP', 'NSFNET-IGP', 'DGP', 'TCF', 'EIGRP', 'OSPF', 'SPRITE-RPC', 'LARP', 'MTP', 'AX.25', 'IPIP', 'MICP', 'SCC-SP', 'ETHERIP', 'ENCAP', 'GMTP', 'IFMP', 'PNNI', 'PIM', 'ARIS', 'SCPS', 'QNX', 'A/N', 'IPCOMP', 'SNP', 'COMPAQ-PEER', 'IPX-IN-IP', 'CARP', 'PGM', 'L2TP', 'DDX', 'IATP', 'STP', 'SRP', 'UTI', 'SMP', 'SM', 'PTP', 'ISIS', 'CRTP', 'CRUDP', 'SPS', 'PIPE', 'SCTP', 'FC', 'RSVP-E2E-IGNORE', 'UDPLITE', 'MPLS-IN-IP', 'MANET', 'HIP', 'SHIM6', 'WESP', 'ROHC', 'PFSYNC', 'DIVERT' ]
The Protocol that is used.
Default value: any
quick
Data type: Boolean
If a packet matches a rule specifying quick, then that rule is considered the last matching rule.
Default value: true
sequence
Data type: String
The sequence number of this rule.
source_net
Data type: String
The source eg. any, ip address, network or alias.
Default value: any
source_not
Data type: Boolean
Use this option to invert the sense of the match for the source.
source_port
Data type: String
Source port number or well known name (imap, imaps, http, https, ...), for ranges use a dash.
Default value: ''
uuid
Data type: Optional[String]
The uuid of the rule.
Parameters
The following parameters are available in the opnsense_firewall_rule
type.
description
namevar
Data type: String
The rule description.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
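The sequence and quick properties above decide which rule wins when several match. The following Ruby model is an added example, not code from the module or from OPNsense: it sorts rules by sequence and applies pf's rule that the last matching rule decides, unless a matching rule has quick set, in which case evaluation stops at that rule (quick defaults to true for this type). Matching is reduced to interface, direction, protocol, source/destination address and destination port, with source_net and destination_net given as literal addresses rather than alias names; that reduction, the small well-known port table and the default-deny verdict for unmatched traffic are assumptions of this model. The sample rule set is constructed here: a non-quick block rule at sequence 50 in front of a quick pass rule at sequence 100.

```ruby
# Added example, not part of the andeman-opnsense module or OPNsense: a small
# model of rule ordering with 'sequence' and 'quick'. Matching is reduced to a
# few fields and nets are literal addresses (assumptions of this model).
require 'ipaddr'

module OpnRules
  Packet = Struct.new(:interface, :direction, :protocol, :src, :dst, :dport, keyword_init: true)
  WELL_KNOWN = { 'http' => 80, 'https' => 443, 'imap' => 143, 'imaps' => 993 }.freeze

  module_function

  # A net spec is 'any', an address or a CIDR, optionally negated with '!'.
  def net_match?(spec, addr)
    return true if spec.nil? || spec == 'any'
    hit = IPAddr.new(spec.delete_prefix('!')).include?(IPAddr.new(addr))
    spec.start_with?('!') ? !hit : hit
  end

  def port_number(token)
    WELL_KNOWN.fetch(token) { Integer(token) }
  end

  # '' means any port; "for ranges use a dash".
  def port_match?(spec, port)
    return true if spec.nil? || spec == ''
    lo, hi = spec.split('-').map { |t| port_number(t) }
    port.between?(lo, hi || lo)
  end

  def matches?(rule, pkt)
    return false if rule.fetch('enabled', true) == false
    Array(rule['interface']).include?(pkt.interface) &&
      rule.fetch('direction', 'in') == pkt.direction &&
      (rule.fetch('protocol', 'any') == 'any' || rule['protocol'].casecmp?(pkt.protocol)) &&
      net_match?(rule['source_net'], pkt.src) &&
      net_match?(rule['destination_net'], pkt.dst) &&
      port_match?(rule['destination_port'], pkt.dport)
  end

  # Returns [action, deciding rule]. Rules are walked in sequence order; the
  # last match wins unless a matching rule is quick (default true), which ends
  # the walk. Unmatched traffic falls to default deny.
  def decide(rules, pkt)
    verdict = ['block', 'default deny']
    rules.sort_by { |_, r| r['sequence'].to_i }.each do |desc, r|
      next unless matches?(r, pkt)
      verdict = [r['action'], desc]
      break if r.fetch('quick', true)
    end
    verdict
  end

  # Constructed sample: a non-quick block at sequence 50 ahead of a quick pass at 100.
  SAMPLE_RULES = {
    'block lan to servers' => {
      'sequence' => '50', 'action' => 'block', 'interface' => ['lan'],
      'destination_net' => '10.0.0.0/24', 'quick' => false },
    'allow https from lan to client1' => {
      'sequence' => '100', 'action' => 'pass', 'interface' => ['lan'], 'protocol' => 'TCP',
      'destination_net' => '10.0.0.5', 'destination_port' => 'https' },
  }.freeze
  HTTPS = Packet.new(interface: 'lan', direction: 'in', protocol: 'tcp',
                     src: '192.168.1.10', dst: '10.0.0.5', dport: 443)
  SSH   = HTTPS.dup.tap { |p| p.dport = 22 }

  def demo
    quick_block = SAMPLE_RULES.merge(
      'block lan to servers' => SAMPLE_RULES['block lan to servers'].merge('quick' => true))
    {
      https_last_match_wins: decide(SAMPLE_RULES, HTTPS),   # ["pass", "allow https from lan to client1"]
      ssh_blocked:           decide(SAMPLE_RULES, SSH),     # ["block", "block lan to servers"]
      https_quick_block:     decide(quick_block, HTTPS)     # ["block", "block lan to servers"]
    }
  end
end

puts OpnRules.demo.inspect if __FILE__ == $PROGRAM_NAME
```

The third result is the one to remember when reviewing a change: setting quick on a block rule makes it final regardless of any later pass rule, while leaving quick off lets a later rule with a higher sequence override it.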
opnsense_haproxy_backend
This type provides Puppet with the capabilities to manage haproxy backends
Examples
opnsense_haproxy_backend { 'webserver_pool':
device => 'opnsense-test.device.com',
enabled => true,
description => 'backend for webserver',
mode => 'http',
algorithm => 'source',
random_draws => '2',
proxy_protocol => '',
linked_servers => [],
linked_resolver => '',
resolver_opts => [],
resolve_prefer => '',
source => '',
health_check_enabled => true,
health_check => '',
health_check_log_status => true,
check_interval => '',
check_down_interval => '',
health_check_fall => '',
health_check_rise => '',
linked_mailer => '',
http2_enabled => true,
http2_enabled_nontls => true,
ba_advertised_protocols => ['h2', 'http11'],
persistence => 'sticktable',
persistence_cookiemode => 'piggyback',
persistence_cookiename => 'SRVCOOKIE',
persistence_stripquotes => true,
stickiness_pattern => 'sourceipv4',
stickiness_data_types => [],
stickiness_expire => '30m',
stickiness_size => '50k',
stickiness_cookiename => '',
stickiness_cookielength => '',
stickiness_conn_rate_period => '10s',
stickiness_sess_rate_period => '10s',
stickiness_http_req_rate_period => '10s',
stickiness_http_err_rate_period => '10s',
stickiness_bytes_in_rate_period => '1m',
stickiness_bytes_out_rate_period => '1m',
basic_auth_enabled => true,
basic_auth_users => [],
basic_auth_groups => [],
tuning_timeout_connect => '',
tuning_timeout_check => '',
tuning_timeout_server => '',
tuning_retries => '',
custom_options => '',
tuning_defaultserver => '',
tuning_noport => true,
tuning_httpreuse => 'safe',
tuning_caching => true,
linked_actions => [],
linked_errorfiles => [],
ensure => 'present',
}
Properties
The following properties are available in the opnsense_haproxy_backend
type.
algorithm
Data type: Enum['source', 'roundrobin', 'static-rr', 'leastconn', 'uri', 'random']
Define the load balancing algorithm to be used in a backend pool.
Default value: source
ba_advertised_protocols
Data type: Array[String]
Protocols advertised to clients via the TLS ALPN extension, e.g. h2 and http11.
Default value: ["h2"]
basic_auth_enabled
Data type: Boolean
Enable HTTP basic authentication.
Default value: true
basic_auth_groups
Data type: Array[String]
Specify the uuids of the basic auth groups for this backend.
Default value: []
basic_auth_users
Data type: Array[String]
Specify the uuids of the basic auth users for this backend.
Default value: []
check_down_interval
Data type: Optional[String]
Sets the interval (in ms) for running health checks on a configured server when the server state is DOWN
check_interval
Data type: Optional[String]
Sets the interval (in ms) for running health checks on all configured servers.
custom_options
Data type: Optional[String]
These lines will be added to the HAProxy backend configuration.
description
Data type: String
The backend description.
enabled
Data type: Boolean
Enable or disable this backend.
Default value: true
ensure
Data type: Enum[present, absent]
Whether this resource should be present or absent on the target system.
Default value: present
health_check
Data type: Optional[String]
Specify the uuid of the health check for servers in this backend.
health_check_enabled
Data type: Boolean
Enable or disable health checking.
Default value: true
health_check_fall
Data type: Optional[String]
The number of consecutive unsuccessful health checks before a server is considered as unavailable.
health_check_log_status
Data type: Boolean
Enable to log health check status updates.
Default value: true
health_check_rise
Data type: Optional[String]
The number of consecutive successful health checks before a server is considered as available.
http2_enabled
Data type: Boolean
Enable support for end-to-end HTTP/2 communication.
Default value: true
http2_enabled_nontls
Data type: Boolean
Enable support for HTTP/2 even if TLS is not enabled.
Default value: true
linked_actions
Data type: Array[String]
Specify the uuids of the rules to be included in this backend.
Default value: []
linked_errorfiles
Data type: Array[String]
Specify the uuids of the error messages to be included in this backend.
Default value: []
linked_mailer
Data type: Optional[String]
Specify the uuid of the e-mail alert configuration linked to this backend.
linked_resolver
Data type: Optional[String]
Specify the uuid of the custom resolver configuration that should be used for all servers in this backend.
linked_servers
Data type: Array[String]
Specify the uuids of the servers linked to this backend.
Default value: []
mode
Data type: Enum['http', 'tcp']
Set the running mode or protocol of the backend pool.
Default value: http
persistence
Data type: Enum['', 'sticktable', 'cookie']
Choose how HAProxy should track user-to-server mappings.
Default value: sticktable
persistence_cookiemode
Data type: Enum['piggyback', 'new']
Cookie mode to use for persistence.
Default value: piggyback
persistence_cookiename
Data type: String
Cookie name to use for persistence.
Default value: SRVCOOKIE
persistence_stripquotes
Data type: Boolean
Enable to automatically strip quotes from the cookie value.
Default value: true
proxy_protocol
Data type: Enum['', 'v1', 'v2']
Enforces use of the PROXY protocol over any connection established to the configured servers.
Default value: ''
random_draws
Data type: String
When using the Random Balancing Algorithm, this value indicates the number of draws.
Default value: 2
resolve_prefer
Data type: Enum['', 'ipv4', 'ipv6']
When DNS resolution is enabled and multiple IP addresses from different families are returned use this.
Default value: ''
resolver_opts
Data type: Array[String]
Add resolver options.
Default value: []
source
Data type: Optional[String]
Sets the source address which will be used when connecting to the server(s).
stickiness_bytes_in_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 1m
stickiness_bytes_out_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 1m
stickiness_conn_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
stickiness_cookielength
Data type: Optional[String]
The maximum number of characters that will be stored in the stick table.
stickiness_cookiename
Data type: Optional[String]
Cookie name to use for stick table.
stickiness_data_types
Data type: Array[Enum[ '', 'conn_cnt', 'conn_cur', 'conn_rate', 'sess_cnt', 'sess_rate', 'http_req_cnt', 'http_req_rate', 'http_err_cnt', 'http_err_rate', 'bytes_in_cnt', 'bytes_in_rate', 'bytes_out_cnt', 'bytes_out_rate' ]]
This is used to store additional information in the stick-table.
Default value: []
stickiness_expire
Data type: String
The maximum duration of an entry in the stick table. Valid suffixes d, h, m, s, ms.
Default value: 30m
stickiness_http_err_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
stickiness_http_req_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
stickiness_pattern
Data type: Enum['', 'sourceipv4', 'sourceipv6', 'cookievalue', 'rdpcookie']
Choose a request pattern to associate a user to a server.
Default value: sourceipv4
stickiness_sess_rate_period
Data type: String
The length of the period over which the average is measured. Valid suffixes d, h, m, s, ms, us
Default value: 10s
stickiness_size
Data type: String
The maximum number of entries that can fit in the stick table. Valid suffixes k, m, g.
Default value: 50k
tuning_caching
Data type: Boolean
Enable caching of responses from this backend.
Default value: true
tuning_defaultserver
Data type: Optional[String]
Default option for all server entries.
tuning_httpreuse
Data type: Enum['', 'never', 'safe', 'aggressive', 'always']
Declare how idle connections to the servers may be reused (HAProxy http-reuse).
Default value: safe
tuning_noport
Data type: Boolean
Don't use port on server, use the same port as frontend receive.
Default value: true
tuning_retries
Data type: Optional[String]
Set the number of retries to perform on a server after a connection failure.
tuning_timeout_check
Data type: Optional[String]
Sets an additional read timeout for running health checks on a server. Valid suffixes d, h, m, s, ms, us
tuning_timeout_connect
Data type: Optional[String]
Set the maximum time to wait for a connection attempt to a server to succeed. Valid suffixes d, h, m, s, ms, us
tuning_timeout_server
Data type: Optional[String]
Set the maximum inactivity time on the server side. Valid suffixes d, h, m, s, ms, us
uuid
Data type: Optional[String]
The uuid of the backend.
Parameters
The following parameters are available in the opnsense_haproxy_backend
type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the resource you want to manage.
opnsense_plugin
This type provides Puppet with the capabilities to manage opnsense plugins.
Examples
opnsense_plugin { 'os-acme-client':
device => 'opnsense.example.com',
ensure => 'present',
}
Properties
The following properties are available in the opnsense_plugin
type.
ensure
Data type: Enum[present, absent]
Whether this plugin should be present or absent on the opnsense device.
Default value: present
Parameters
The following parameters are available in the opnsense_plugin
type.
device
namevar
Data type: String
The name of the opnsense_device type you want to manage.
name
namevar
Data type: String
The name of the plugin you want to manage.
Change log
All notable changes to this project will be documented in this file. The format is based on Keep a Changelog and this project adheres to Semantic Versioning.
v2.0.0 (2021-11-04)
Added
v1.5.0 (2021-08-24)
Added
- add parameters to manage opn-cli CA file #11 (fraenki)
- show error message when opn-cli command fails #10 (andeman)
Fixed
v1.4.0 (2021-08-13)
Added
Fixed
v1.3.0 (2021-08-04)
Added
v1.2.0 (2021-07-23)
Added
v1.1.1 (2021-07-08)
Fixed
v1.1.0 (2021-07-07)
Added
v1.0.0 (2021-06-17)
Added
* This Changelog was automatically generated by github_changelog_generator
Dependencies
- puppetlabs/resource_api (>= 1.0.0 < 2.0.0)
- puppetlabs-stdlib (>= 5.1.0 < 8.0.0)
BSD 2-Clause License Copyright (c) 2021, Andreas Stürz All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.