Add opnsense config role (#155)

* Init opnsense_configure role

* Init system settings tasks in opnsense_config

* Add system setting logging to opnsense_config role

* Add firewall_aliases to role

* Add firewall rules to config role

* Simplify role

* Add firewall rules var to default vars of role

* Add user config to configure role

* Add interfaces assignments to role

* Refactor role variable structure

* Add system HA to config role

* Add conditionals to configurations in role

* Cleanup role

* Document config rule

* Add changelog fragment for new role

* Lint role meta.yml

* Fix changelog fragment file name typo

* Use clearer variable wording in role README

Author: DonGiovanni83

changelogs/fragments/155-add-opnsense-config-role.yml

@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - puzzle.opnsense.opnsense_configure - Addition of an ansible role to the collection

molecule/opnsense_config/converge.yml

@@ -0,0 +1,64 @@
+---
+- name: converge
+  hosts: all
+  become: true
+  vars:
+    system:
+      access:
+        users:
+          - username: simple_user
+            password: pass1234
+      high_availability:
+        synchronize_interface: LAN
+        synchronize_config_to_ip: 224.0.0.240
+        synchronize_peer_ip: 224.0.0.241
+        disable_preempt: true
+        disconnect_dialup_interfaces: true
+        synchronize_states: true
+        remote_system_username: opnsense
+        remote_system_password: v3rys3cure
+        services_to_synchronize:
+          - aliases
+          - rules
+          - ipsec
+      settings:
+        general:
+          hostname: "firewall01"
+          domain: "test.local"
+          timezone: "Europe/Zurich"
+        logging:
+          preserve_logs: 10
+    interfaces:
+      assignments:
+        - device: em0
+          identifier: opt2
+          description: VAGRANT
+        - device: em1
+          identifier: lan
+          description: LAN
+        - device: em2
+          identifier: wan
+          description: WAN
+        - device: em3
+          identifier: opt1
+          description: DMZ
+    firewall:
+      aliases:
+        - name: TestAliasTypeHost
+          type: host
+          statistics: false
+          description: Test Alias with type Host
+          content: 10.0.0.1
+        - name: TestAliasTypeNetwork
+          type: network
+          statistics: false
+          description: Test Alias with type Network
+          content: 10.0.0.0/24
+      rules:
+        - interface: lan
+          description: Block SSH on LAN
+          destination:
+            port: 22
+          action: block
+  roles:
+    - role: puzzle.opnsense.opnsense_configure

molecule/opnsense_config/molecule.yml

@@ -0,0 +1,77 @@
+---
+scenario:
+    name: opnsense_config
+    test_sequence:
+        # - dependency not relevant unless we have requirements
+        - destroy
+        - syntax
+        - create
+        - converge
+        - idempotence
+        - verify
+        - destroy
+
+driver:
+    name: vagrant
+    parallel: true
+
+platforms:
+    - name: "22.7"
+      hostname: false
+      box: puzzle/opnsense
+      box_version: "22.7"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "23.1"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "23.1"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "23.7"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "23.7"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "24.1"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "24.1"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+    - name: "24.7"
+      box: puzzle/opnsense
+      hostname: false
+      box_version: "24.7"
+      memory: 1024
+      cpus: 2
+      instance_raw_config_args:
+          - 'vm.guest = :freebsd'
+          - 'ssh.sudo_command = "%c"'
+          - 'ssh.shell = "/bin/sh"'
+
+provisioner:
+    name: ansible
+    env:
+        ANSIBLE_VERBOSITY: 3
+verifier:
+    name: ansible
+    options:
+        become: true

molecule/opnsense_config/verify.yml

@@ -0,0 +1,6 @@
+---
+- name: Verify connectivity to server
+  hosts: all
+  tasks:
+    - name: Ping the server
+      ansible.builtin.ping:

roles/opnsense_configure/README.md

@@ -0,0 +1,116 @@
+opnsense_configure - OPNsense configuration role
+=========
+
+This role provides a generic approach to configure OPNsense instances by populating host variables
+according to this roles defaults specification.
+
+Role Variables
+--------------
+
+The variables must be structured in a way that each puzzle.opnsense module has its own variable section . Each module related variable section
+is then structured just like the corresponding module parameters as documented in the modules themselves.
+The top level structure must be structured as follows:
+```yaml
+---
+system:
+  access:
+    users: [] # list of users, where the users follows the system_access_users module parameter structure
+  high_availability:
+    # system_high_availability_settings module parameters
+  settings:
+    general:
+      # system_settings_general module parameters
+    logging:
+      # system_settings_logging module parameters
+    
+interfaces:
+  assignments: [] # list of interface assignments, where the users follows the interfaces_assignments module parameter structure
+
+firewall:
+  aliases: [] # list of aliases, where the users follows the firewall_alias module parameter structure
+  rules: [] # list of rules, where the users follows the firewall_rules module parameter structure
+```
+
+
+Example Playbook
+----------------
+
+The usage of the role is straight forward, however the main thought should go into the building of the
+host variables. An example execution could look like this:
+
+```yaml
+---
+- name: converge
+  hosts: all
+  become: true
+  vars:
+    system:
+      access:
+        users:
+          - username: simple_user
+            password: pass1234
+      high_availability:
+        synchronize_interface: LAN
+        synchronize_config_to_ip: 224.0.0.240
+        synchronize_peer_ip: 224.0.0.241
+        disable_preempt: true
+        disconnect_dialup_interfaces: true
+        synchronize_states: true
+        remote_system_username: opnsense
+        remote_system_password: v3rys3cure
+        services_to_synchronize:
+          - aliases
+          - rules
+          - ipsec
+      settings:
+        general:
+          hostname: "firewall01"
+          domain: "test.local"
+          timezone: "Europe/Zurich"
+        logging:
+          preserve_logs: 10
+    interfaces:
+      assignments:
+        - device: em0
+          identifier: opt2
+          description: VAGRANT
+        - device: em1
+          identifier: lan
+          description: LAN
+        - device: em2
+          identifier: wan
+          description: WAN
+        - device: em3
+          identifier: opt1
+          description: DMZ
+    firewall:
+      aliases:
+        - name: TestAliasTypeHost
+          type: host
+          statistics: false
+          description: Test Alias with type Host
+          content: 10.0.0.1
+        - name: TestAliasTypeNetwork
+          type: network
+          statistics: false
+          description: Test Alias with type Network
+          content: 10.0.0.0/24
+      rules:
+        - interface: lan
+          description: Block SSH on LAN
+          destination:
+            port: 22
+          action: block
+  roles:
+    - role: puzzle.opnsense.opnsense_configure
+
+```
+
+License
+-------
+
+GPLv3
+
+Author Information
+------------------
+ - Fabio Bertagna (github.com/dongiovanni83)

roles/opnsense_configure/defaults/main.yml

@@ -0,0 +1,45 @@
+---
+# defaults file for opnsense_configure
+
+#
+# System variables should be provided in this structure
+#
+# system:
+#   access:
+#     users: [] # see system_access_users task args for user entry structure
+#   high_availability:
+#     disable_preempt:
+#     disconnect_dialup_interfaces:
+#     synchronize_states:
+#     synchronize_interface:
+#     sync_compatibility:
+#     synchronize_peer_ip:
+#     synchronize_config_to_ip:
+#     remote_system_username:
+#     remote_system_password:
+#     services_to_synchronize:
+#   settings:
+#     general:
+#       hostname:
+#       domain:
+#       timezone:
+#     logging:
+#       max_log_file_size_mb:
+#       preserve_logs:
+
+system:
+  settings:
+  access:
+# Interface related variables:
+#
+# interfaces:
+#   assignments: []
+interfaces:
+
+#
+# Firewall related variables should be provided in this structure
+#
+# firewall:
+#   aliases: []
+#   rules: []
+firewall:

roles/opnsense_configure/meta/main.yml

@@ -0,0 +1,9 @@
+galaxy_info:
+  author: Fabio Bertagna <bertagna@puzzle.ch>
+  company: Puzzle ITC
+  license: GPL-3.0-only
+  min_ansible_version: 2.1
+  galaxy_tags:
+    - opnsense
+
+dependencies: [ ]