puzzle / puzzle.opnsense

An Ansible Collection to configure an opnsense Firewall
https://puzzle.github.io/puzzle.opnsense/collections/puzzle/opnsense/index.html
GNU General Public License v3.0

Module Request: system_settings_administration #67

Open lukpre opened 7 months ago

lukpre commented 7 months ago

Module Description

This module allows you to configure the administration system settings found under System -> Settings -> Administration.

Screenshot from 2024-03-21 14-25-21

Minimum Viable Product (MVP)

module: system_settings_administration
short_description: Configure general administrative settings for the OPNsense.
description:
  - Module to configure general administrative settings. You can change administrative settings for the Webgui, the secure shell server, the console and authentication here.
options:
  webgui_protocol:
    description: "Protocol to use for the Webgui"
    required: true
    choices:
      - HTTP
      - HTTPS
    type: list
    elements: str
  webgui_ssl_certificate:
    description: "Select the ssl certificate to be used for the Webgui."
    required: true
    choices:
      - <uploaded certificates in the SSL certificate manager>
    type: list
    elements: str
  webgui_ssl_ciphers:
    description: "Possibility to limit SSL cipher selection for the Webgui"
    default: System defaults 
    type: list
    elements: str
  webgui_http_strict_transport_security:
    description: "Enable HTTP Strict Transport Security (HSTS)"
    default: false
    type: bool
  webgui_tcp_port:
    description: "Listen port for the Webgui, changes take effect immediately."
    default: 443
    required: true
    type: int
  webgui_http_redirect:
    description: "When disabled, access to the web gui is always permitted even on port 80, regardless of the listening port configured. If set to true, an automatic redirect rule to the listening port will be added."
    default: false 
    type: bool
  webgui_disable_login_messages:
    description: "When set to true, successful logins to the web GUI will not be logged."
    default: false 
    type: bool
  webgui_session_timeout:
    description: "Time in minutes to expire idle management sessions."
    default: 240
    type: int
  webgui_disable_dns_rebind_check:
    description: "When set to false the system is protected against DNS Rebinding attacks. This blocks private IP responses from your configured DNS servers."
    type: bool
  webgui_alternate_hostnames:
    description: "Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks"
    type: str
  webgui_http_compression:
    description: "Enable compression of HTTP pages and dynamic content."
    # Quoted so YAML does not read "Off" as the boolean false.
    default: "Off"
    choices:
      - "Off"
      - "Low"
      - "Medium"
      - "High"
    type: list
    elements: str
  webgui_access_log:
    description: "Enable access logging on the web GUI for debugging and analysis purposes."
    default: false 
    type: bool
  webgui_listen_interfaces:
    description: "Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
    default: All (recommended)
    type: list
  secure_shell_enable_server:
    description: "Whether or not to enable secure shell server"
    default: true
    type: bool
  secure_shell_login_group:
    description: 'Select the allowed groups for remote login. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will.'
    default: [wheel, admins]
    type: list
  secure_shell_permit_root_login:
    description: "Permit root user login. Root login is generally discouraged. It is advised to log in via another user and switch to root afterwards."
    default: true
    type: bool
  secure_shell_permit_password_login:
    description: "Permit password login. When disabled, authorized keys need to be configured for each user that has been granted secure shell access."
    default: true
    type: bool
  secure_shell_ssh_port:
    description: "Default listening port for ssh server"
    default: 22
    type: int
  secure_shell_listen_interfaces:
    description: "Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
    default: All (recommended)
    type: list
  console_driver:
    description: "Use the virtual terminal driver (vt)"
    default: true
    type: bool
  console_primary_console:
    description: "Select the primary console. This preferred console will show boot script output. All consoles display OS boot messages, console messages, and the console menu."
    default: Serial Console
    type: list
    choices:
      - VGA Console
      - Serial Console
      - EFI Console
      - Mute Console
    elements: str
  console_secondary_console:
    description: "Select the secondary console if multiple consoles are present. All consoles display OS boot messages, console messages, and the console menu."
    default: VGA Console
    type: list
    choices:
      - VGA Console
      - Serial Console
      - EFI Console
      - Mute Console
    elements: str
  console_serial_speed:
    description: "Speed of the serial console in baud"
    default: 115200
    type: list
    choices:
      - 1500000
      - 115200
      - 57600
      - 38400
      - 19200
      - 14400
      - 9600
    elements: int
  console_usb_based_serial:
    description: "Use USB-based serial ports"
    default: false
    type: bool
  console_menu_password_protect:
    description: "Password protect the console menu"
    default: true
    type: bool
  shell_inactivity_timeout:
    description: "When set, defines the number of minutes an ssh or console session might idle before being logged out automatically, only available on [t]csh type shells"
    type: str
  authentication_server:
    description: 'Select one or more authentication servers to validate user credentials against. Multiple servers can make sense with remote authentication methods to provide a fallback during connectivity issues. When nothing is specified the default of "Local Database" is used.'
    type: list
    choices:
      - <depends on configured server access (see System -> Access -> Server)>
    elements: str
  authentication_sudo:
    description: "Permit sudo usage for administrators with shell access."
    default: Disallow
    type: list
    choices:
      - Disallow
      - Ask password
      - No password
    elements: str
  authentication_sudo_group:
    description: 'Select the allowed groups for sudo usage. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will.'
    type: list
    elements: str
  authentication_user_otp_seed:
    description: "Permit users to generate their own OTP seed in the password page."
    default: <>
    type: list
    choices:
      - <local groups>
    elements: str
  deployment_type:
    description: "Set the deployment type of this OPNsense instance."
    # An option with a default cannot also be required in an Ansible argument spec.
    default: Production
    type: list
    choices:
      - Production
      - Development
    elements: str

Examples

Change the TCP Port for the Webgui

---
- name: Update the tcp port for the webgui
  puzzle.opnsense.system_settings_administration:
    webgui_tcp_port: 8443

Activate the secure shell server and disallow root user login and password login

---
- name: Activate secure shell server and disallow root user login and pw login
  puzzle.opnsense.system_settings_administration:
    secure_shell_enable_server: true
    secure_shell_permit_root_login: false
    secure_shell_permit_password_login: false
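What both playbook examples above rely on is a module that maps these option names onto OPNsense's config.xml and only reports `changed` when a value actually differs. The following Python is an added example, not code from this issue or from the puzzle.opnsense collection, showing that mapping for the web GUI port/protocol and secure shell options from the spec above. The config.xml paths (system/webgui/protocol, system/webgui/port, system/ssh/enabled, system/ssh/permitrootlogin, system/ssh/passwordauth, system/ssh/port), the lowercase protocol value and the convention that an absent flag element means "off" are assumptions about OPNsense's layout rather than facts from the issue; the sample config.xml is constructed.

```python
"""Added example (not part of the module request or the puzzle.opnsense
collection): apply a subset of the proposed system_settings_administration
options to an OPNsense config.xml document and report whether anything changed.

Assumed config.xml layout (an assumption, not taken from the issue):
system/webgui/{protocol,port} and system/ssh/{enabled,permitrootlogin,
passwordauth,port}; boolean flags are stored as "1" and removed when off.
"""
import xml.etree.ElementTree as ET

# Constructed sample config.xml with the defaults the issue lists:
# HTTPS on 443, SSH server enabled, root login and password login permitted.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <hostname>fw01</hostname>
    <webgui>
      <protocol>https</protocol>
      <port>443</port>
    </webgui>
    <ssh>
      <enabled>enabled</enabled>
      <permitrootlogin>1</permitrootlogin>
      <passwordauth>1</passwordauth>
      <port>22</port>
    </ssh>
  </system>
</opnsense>
"""


def _choice(allowed):
    """Encoder for choice options; rejects values outside the documented choices."""
    def encode(value):
        text = str(value).lower()
        if text not in allowed:
            raise ValueError(f"{value!r} not one of {sorted(allowed)}")
        return text
    return encode


def _port(value):
    """Encoder for TCP ports; a port outside 1-65535 is a playbook error."""
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port {value!r} out of range")
    return str(port)


def _flag(value):
    """Boolean flag: "1" when on, None meaning 'remove the element' when off."""
    return "1" if bool(value) else None


# Module option name -> (config.xml path, encoder). Paths are assumptions.
OPTION_MAP = {
    "webgui_protocol": ("system/webgui/protocol", _choice({"http", "https"})),
    "webgui_tcp_port": ("system/webgui/port", _port),
    "secure_shell_enable_server": ("system/ssh/enabled", lambda v: "enabled" if v else None),
    "secure_shell_permit_root_login": ("system/ssh/permitrootlogin", _flag),
    "secure_shell_permit_password_login": ("system/ssh/passwordauth", _flag),
    "secure_shell_ssh_port": ("system/ssh/port", _port),
}


def _ensure(root, path):
    """Return the element at path below root, creating missing levels."""
    node = root
    for tag in filter(None, path.split("/")):
        child = node.find(tag)
        if child is None:
            child = ET.SubElement(node, tag)
        node = child
    return node


def _apply_one(root, path, wanted):
    """Set (or remove, when wanted is None) one leaf; return True if it changed."""
    parent_path, _, tag = path.rpartition("/")
    parent = _ensure(root, parent_path)
    node = parent.find(tag)
    current = None if node is None else (node.text or "")
    if current == wanted:
        return False
    if wanted is None:
        parent.remove(node)
    else:
        if node is None:
            node = ET.SubElement(parent, tag)
        node.text = wanted
    return True


def apply_administration_settings(config_xml, params):
    """Return (new_config_xml, changed). Unknown option names are rejected so a
    misspelled key cannot silently leave a setting at its permissive default."""
    unknown = set(params) - set(OPTION_MAP)
    if unknown:
        raise ValueError(f"unknown option(s): {sorted(unknown)}")
    root = ET.fromstring(config_xml)
    changed = False
    for name, value in params.items():
        path, encode = OPTION_MAP[name]
        changed = _apply_one(root, path, encode(value)) or changed
    return ET.tostring(root, encoding="unicode"), changed


def read_setting(config_xml, path):
    """Read one leaf value; None when the element is absent (flag off)."""
    node = ET.fromstring(config_xml).find(path)
    return None if node is None else (node.text or "")


if __name__ == "__main__":
    # Second playbook example from the issue: SSH on, no root or password login.
    hardening = {"secure_shell_enable_server": True,
                 "secure_shell_permit_root_login": False,
                 "secure_shell_permit_password_login": False}
    new_xml, changed = apply_administration_settings(SAMPLE_CONFIG, hardening)
    print("changed on first run:", changed)
    print("changed on rerun:", apply_administration_settings(new_xml, hardening)[1])
```

The rerun returning `changed == False` is the idempotency check an Ansible module needs; rejecting unknown option names and out-of-range ports at encode time means a playbook typo fails loudly instead of leaving root or password SSH login enabled.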

Additional Notes (Optional)