Tip

Check out the repository on GitHub

Report missing/incorrect information or broken links

2 - Basic

Prerequisites

You need to create API credentials as described in the OPNSense documentation.

Menu: System - Access - Users - Edit {admin user} - Add api key

SSL Certificate

If you use your firewall for non-testing purposes - you should ALWAYS USE SSL VERIFICATION for your connections!

ssl_verify: true

To make a connection trusted you need either:

• a valid public certificate for the DNS-Name your firewall has (LetsEncrypt/ACME)

• an internal certificate authority that is used to create signed certificates

  • you could create such internal certificates using OPNSense. See the OPNSense documentation for self-signed certificates.

  • if you do so - it is important that the IP-address and/or DNS-Name of your firewall is included in the ‘Subject Alternative Name’ (SAN) for it to be valid

After you got a valid certificate - you need to import and activate it:

• Import: ‘System - Trust - Certificates - Import’

• Make sure your DNS-Names are allowed: ‘System - Settings - Administration - Alternate Hostnames’

• Activate: ‘System - Settings - Administration - SSL Certificate’

If you are using an internal CA for your certificates - you have to provide its public key to the modules:

ssl_ca_file: '/path/to/ca.pem'

---

Basics

Defaults

If some parameters will be the same every time - use ‘module_defaults’:

- hosts: localhost
  gather_facts: no
  module_defaults:
    ansibleguy.opnsense.alias:
        firewall: 'opnsense.template.ansibleguy.net'
        api_credential_file: '/home/guy/.secret/opn.key'
        # if you use an internal certificate:
        #   ssl_ca_file: '/etc/ssl/certs/custom/ca.crt'
        # else you COULD (but SHOULD NOT) use:
        #   ssl_verify: false

  tasks:
    - name: Example
      ansibleguy.opnsense.alias:
        name: 'ANSIBLE_TEST1'
        content: ['1.1.1.1']

Inventory

If you are running the modules over hosts in your inventory - you would do it like that:

- hosts: firewalls
  connection: local  # execute modules on controller
  gather_facts: no
  tasks:
    - name: Example
      ansibleguy.opnsense.alias:
        firewall: "{{ ansible_host }}"  # or use a per-host variable to store the FQDN..

Vault

You may want to use ‘ansible-vault’ to encrypt your ‘api_secret’.

Vault-Encryption of the ‘api_credential_file’ is not yet supported.

ansible-vault encrypt_string 'YOUR_API_SECRET'

Then add it as variable to your inventory/config:

firewall:
  key: 'test'
  secret: !vault |
    $ANSIBLE_VAULT;1.1;AES256
    38303736393135366562396233353930366631396531613062366365363234363063626365656263
    6637646636323437333437353336316332663133316435650a366439336665383763376432653736
    32313332363032646436626230646461376532666366663265373663316331316664336134366338
    6531363362613039330a316436386533393636623837653163333564383232313363666361643730
    3132

And refer to it in the module calls or module-defaults:

- hosts: localhost
  gather_facts: no
  module_defaults:
    ansibleguy.opnsense.route:
      firewall: '...'
      api_key: "{{ firewall.key }}"
      api_secret: "{{ firewall.secret }}"

To decrypt those secrets at runtime, you need to supply the ‘ask-vault-pass’ argument:

ansible-playbook -D opnsense.yml --ask-vault-pass

Running

These modules support check-mode and can show you the difference between existing and configured items:

# show difference
ansible-playbook opnsense.yml -D

# run in check-mode (no changes are made)
ansible-playbook opnsense.yml --check