Added opensense_manage playbook with built in task/tags

2026-04-23 16:48:13 -07:00
parent 6828b364e1
commit 46eca701a5
2 changed files with 82 additions and 0 deletions
--- a/inventories/client_royal_pizza/group_vars/firewalls.yml
+++ b/inventories/client_royal_pizza/group_vars/firewalls.yml
--- a/playbooks/opensense_manage.yml
+++ b/playbooks/opensense_manage.yml
@@ -0,0 +1,82 @@
 ---
 - name: OPNsense Advanced MSP Management
  hosts: firewalls
  gather_facts: false
  vars:
    # Managed via Semaphore Environment Variables or group_vars
    admin_accounts:
      - { name: "msp_admin", pwd: "{{ vault_msp_admin_password }}", groups: ["admins"], state: "present" }
      - { name: "decommissioned_user", state: "absent" } # Auto-purges old accounts
    critical_services: ["unbound", "dhcpd", "configd"]
    expected_interfaces:
      - { device: "wan", speed: "1000" }
      - { device: "lan", speed: "1000" }
  tasks:
    # --- TASK: BACKUP ---
    - name: Export configuration
      ansibleguy.opnsense.system_backup:
        destination: "./backups/{{ inventory_hostname }}.xml"
      tags: backup
    # --- TASK: UPDATES ---
    - name: Check firmware status
      ansibleguy.opnsense.firmware_info:
      register: fw_info
      tags: upgrade_check
    - name: Apply updates if reboot is required
      ansibleguy.opnsense.firmware:
        upgrade: true
        reboot: true
      when: fw_info.needs_reboot | default(false)
      tags: upgrade_apply
    # --- TASK: MONITORING ---
    - name: Audit critical services
      ansibleguy.opnsense.service:
        name: "{{ item }}"
        state: started
      loop: "{{ critical_services }}"
      tags: monitoring
    - name: Audit SSL certificates
      ansibleguy.opnsense.certificate_info:
      register: cert_info
      tags: monitoring
    - name: Alert on expiring certs
      debug:
        msg: "CERT WARNING: {{ item.descr }} expires in {{ item.enddate_days }} days"
      loop: "{{ cert_info.certificates }}"
      when: item.enddate_days | int < 30
      tags: monitoring
    # --- TASK: AUDIT ---
    - name: Verify interface link state
      ansibleguy.opnsense.interface_info:
      register: int_info
      tags: audit
    - name: Fail if interface is DOWN
      assert:
        that: "int_info.interfaces[item.device].status == 'up'"
        fail_msg: "ALERT: Interface {{ item.device }} is DOWN!"
      loop: "{{ expected_interfaces }}"
      tags: audit
    # --- TASK: USER/SETTINGS MANAGEMENT ---
    - name: Manage Admin Accounts
      ansibleguy.opnsense.user:
        name: "{{ item.name }}"
        password: "{{ item.pwd | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ admin_accounts }}"
      tags: users
    - name: Apply Granular Settings
      ansibleguy.opnsense.system_settings:
        settings: "{{ opnsense_custom_settings }}"
      tags: settings