This module allows you to configure the administration system settings under System -> Settings -> Administration.
Minimum Viable Product (MVP)
module: system_settings_administration
short_description: Configure general administrative settings for OPNsense.
description:
  - Module to configure general administrative settings. You can change administrative settings for the Webgui, secure shell, the console as well as authentication here.
options:
  webgui_protocol:
    description: "Protocol to use for the Webgui"
    required: true
    choices:
      - HTTP
      - HTTPS
    type: list
    elements: str
  webgui_ssl_certificate:
    description: "Select the SSL certificate to be used for the Webgui."
    required: true
    choices:
      - <uploaded certificates in the SSL certificate manager>
    type: list
    elements: str
  webgui_ssl_ciphers:
    description: "Possibility to limit SSL cipher selection for the Webgui"
    default: System defaults
    type: list
    elements: str
  webgui_http_strict_transport_security:
    description: "Enable HTTP Strict Transport Security (HSTS)"
    default: false
    type: bool
  webgui_tcp_port:
    description: "Listen port for the Webgui; changes will take effect immediately."
    default: 443
    required: true
    type: int
  webgui_http_redirect:
    description: "When disabled, access to the web GUI is always permitted even on port 80, regardless of the listening port configured. If set to true, an automatic redirect rule to the listening port will be added."
    default: false
    type: bool
  webgui_disable_login_messages:
    description: "When set to true, successful logins to the web GUI will not be logged."
    default: false
    type: bool
  webgui_session_timeout:
    description: "Time in minutes to expire idle management sessions."
    default: 240
    type: int
  webgui_disable_dns_rebind_check:
    description: "When set to false the system is protected against DNS Rebinding attacks. This blocks private IP responses from your configured DNS servers."
    type: bool
  webgui_alternate_hostnames:
    description: "Alternate Hostnames for DNS Rebinding and HTTP_REFERER Checks"
    type: str
  webgui_http_compression:
    description: "Enable compression of HTTP pages and dynamic content."
    default: "Off"
    choices:
      - "Off"
      - Low
      - Medium
      - High
    type: list
    elements: str
  webgui_access_log:
    description: "Enable access logging on the web GUI for debugging and analysis purposes."
    default: false
    type: bool
  webgui_listen_interfaces:
    description: "Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
    default: All (recommended)
    type: list
  secure_shell_enable_server:
    description: "Whether or not to enable secure shell server"
    default: true
    type: bool
  secure_shell_login_group:
    description: 'Select the allowed groups for remote login. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will.'
    default: wheel, admins
    type: list
  secure_shell_permit_root_login:
    description: "Permit root user login. Root login is generally discouraged. It is advised to log in via another user and switch to root afterwards."
    default: true
    type: bool
  secure_shell_permit_password_login:
    description: "Permit password login. When disabled, authorized keys need to be configured for each user that has been granted secure shell access."
    default: true
    type: bool
  secure_shell_ssh_port:
    description: "Default listening port for ssh server"
    default: 22
    type: int
  secure_shell_listen_interfaces:
    description: "Only accept connections from the selected interfaces. Leave empty to listen globally. Use with care."
    default: All (recommended)
    type: list
  console_driver:
    description: "Use the virtual terminal driver (vt)"
    default: true
    type: bool
  console_primary_console:
    description: "Select the primary console. This preferred console will show boot script output. All consoles display OS boot messages, console messages, and the console menu."
    default: Serial Console
    type: list
    choices:
      - VGA Console
      - Serial Console
      - EFI Console
      - Mute Console
    elements: str
  console_secondary_console:
    description: "Select the secondary console if multiple consoles are present. All consoles display OS boot messages, console messages, and the console menu."
    default: VGA Console
    type: list
    choices:
      - VGA Console
      - Serial Console
      - EFI Console
      - Mute Console
    elements: str
  console_serial_speed:
    description: "The first example option.: V(firewall)"
    default: 115200
    type: list
    choices:
      - 1500000
      - 115200
      - 57600
      - 38400
      - 19200
      - 14400
      - 9600
    elements: int
  console_usb_based_serial:
    description: "Use USB-based serial ports"
    default: false
    type: bool
  console_menu_password_protect:
    description: "Password protect the console menu"
    default: true
    type: bool
  shell_inactivity_timeout:
    description: "When set, defines the number of minutes an ssh or console session might idle before being logged out automatically, only available on [t]csh type shells"
    type: str
  authentication_server:
    description: 'Select one or more authentication servers to validate user credentials against. Multiple servers can make sense with remote authentication methods to provide a fallback during connectivity issues. When nothing is specified the default of "Local Database" is used.'
    type: list
    choices:
      - <depends on configured server access (see System -> Access -> Server)>
    elements: str
  authentication_sudo:
    description: "Permit sudo usage for administrators with shell access."
    default: Disallow
    type: list
    choices:
      - Disallow
      - Ask password
      - No password
    elements: str
  authentication_sudo_group:
    description: 'Select the allowed groups for sudo usage. The "wheel" group is always set for recovery purposes and an additional local group can be selected at will.'
    type: list
    elements: str
  authentication_user_otp_seed:
    description: "Permit users to generate their own OTP seed in the password page."
    default: <>
    type: list
    choices:
      - <local groups>
    elements: str
  deployment_type:
    description: "Set the deployment type of this OPNsense instance."
    required: true
    default: Production
    type: list
    choices:
      - Production
      - Development
    elements: str
Examples
Change the TCP Port for the Webgui
---
- name: Update the tcp port for the webgui
  puzzle.opnsense.system_settings_administration:
    webgui_tcp_port: 8443
Activate the secure shell server and disallow root user login and password login
---
- name: Activate secure shell server and disallow root user login and pw login
  puzzle.opnsense.system_settings_administration:
    secure_shell_enable_server: true
    secure_shell_permit_root_login: false
    secure_shell_permit_password_login: false
Additional Notes (Optional)
webgui_ssl_certificate requires you to upload certificates to the System Trust (via SSL Certificate Manager -> system_certmanager.php) before you can select the certificate.
webgui_ssl_ciphers has a fixed list of ciphers you can select; for ease of use they are not all listed in the mocked module.
webgui_listen_interfaces: the selection in the list depends on the interfaces you have configured.
secure_shell_login_group updates depending on existing local groups.
secure_shell_listen_interfaces: the selection in the list depends on the interfaces you have configured.
authentication_server: the selection depends on the configured authentication servers (System -> access -> servers).
authentication_sudo_group: the list depends on existing local groups.
webgui_protocol: when selecting HTTPS, the options (webgui_ssl_certificate and webgui_ssl_ciphers) will not be available.
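An added example (not part of the proposed module or the puzzle.opnsense project): a small audit that merges a task's parameters with the defaults documented above and reports security-relevant settings that remain weak. The rule set, the finding ids and the `audit()` helper are assumptions of this example, and `webgui_disable_dns_rebind_check` is assumed to default to false because the page gives no default.

```python
# Added example: audit one task's parameters for system_settings_administration.
# Option names and defaults come from the option list on this page; the rule
# set and the audit() helper are assumptions of this example.
DEFAULTS = {  # defaults as documented on this page
    "webgui_protocol": None,  # required, no documented default
    "webgui_http_strict_transport_security": False,
    "webgui_disable_login_messages": False,
    "webgui_disable_dns_rebind_check": False,  # no documented default; assumed
    "secure_shell_enable_server": True,
    "secure_shell_permit_root_login": True,
    "secure_shell_permit_password_login": True,
    "authentication_sudo": "Disallow",
    "console_menu_password_protect": True,
}

# The two example tasks from this page, as parameter dicts.
PAGE_EXAMPLE_PORT = {"webgui_tcp_port": 8443}
PAGE_EXAMPLE_SSH = {
    "secure_shell_enable_server": True,
    "secure_shell_permit_root_login": False,
    "secure_shell_permit_password_login": False,
}

def audit(params):
    """Return sorted finding ids for the effective (defaults + task) settings."""
    p = {**DEFAULTS, **params}
    proto = p["webgui_protocol"]
    if isinstance(proto, list):  # the spec declares the option as a list
        proto = proto[0] if proto else None
    findings = []
    if proto == "HTTP":
        findings.append("webgui-plain-http")
    elif proto == "HTTPS" and not p["webgui_http_strict_transport_security"]:
        findings.append("webgui-no-hsts")
    if p["webgui_disable_dns_rebind_check"]:
        findings.append("webgui-dns-rebind-check-off")
    if p["webgui_disable_login_messages"]:
        findings.append("webgui-logins-not-logged")
    if p["secure_shell_enable_server"]:  # SSH rules only matter if sshd runs
        if p["secure_shell_permit_root_login"]:
            findings.append("ssh-root-login")
        if p["secure_shell_permit_password_login"]:
            findings.append("ssh-password-login")
    if str(p["authentication_sudo"]).lower() == "no password":
        findings.append("sudo-no-password")
    if not p["console_menu_password_protect"]:
        findings.append("console-menu-unprotected")
    return sorted(findings)
```

Run against the first example task, `audit(PAGE_EXAMPLE_PORT)` reports `ssh-password-login` and `ssh-root-login`, because changing only the port leaves the documented secure shell defaults in place.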