
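---
# OPNsense MSP management play: config backup, firmware check/apply,
# service/certificate/interface checks, and admin-account + settings
# management through the ansibleguy.opnsense collection.
#
# Every task is tagged (backup, upgrade_check, upgrade_apply, monitoring,
# audit, users, settings) so a Semaphore template can run a subset.
#
# NOTE(review): no API connection parameters (firewall, api_key/api_secret or
# api_credential_file) are set here; they are presumably supplied through
# module_defaults or the environment — confirm, and keep the API secret in
# Ansible Vault rather than plain group_vars.
# NOTE(review): confirm each module and parameter name against the installed
# ansibleguy.opnsense version (e.g. whether `service` takes `state` or
# `action`); a wrong name only fails at runtime, not at parse time.
- name: OPNsense Advanced MSP Management
  hosts: firewalls
  gather_facts: false
  # NOTE(review): without `serial`, the upgrade_apply tag can reboot every
  # firewall in the inventory at once; consider `serial: 1` for that run.
  vars:
    # Managed via Semaphore Environment Variables or group_vars.
    # `pwd` is vault-sourced; a `state: absent` entry purges an old account.
    admin_accounts:
      - name: "msp_admin"
        pwd: "{{ vault_msp_admin_password }}"
        groups: ["admins"]
        state: "present"
      - name: "decommissioned_user"
        state: "absent"
    critical_services: ["unbound", "dhcpd", "configd"]
    # `speed` is recorded here but not checked by the audit task below.
    expected_interfaces:
      - device: "wan"
        speed: "1000"
      - device: "lan"
        speed: "1000"

  tasks:
    # --- TASK: BACKUP ---
    # The exported config.xml is sensitive (it carries credential hashes,
    # VPN pre-shared keys and certificate private keys). The destination is
    # relative to the controller's working directory, so restrict that
    # directory's permissions or encrypt the export before retaining it.
    - name: Export configuration
      ansibleguy.opnsense.system_backup:
        destination: "./backups/{{ inventory_hostname }}.xml"
      tags: backup

    # --- TASK: UPDATES ---
    - name: Check firmware status
      ansibleguy.opnsense.firmware_info:
      register: fw_info
      tags: upgrade_check

    # NOTE(review): this gates the upgrade on a *pending reboot*, not on
    # updates being available — confirm `needs_reboot` is the key the module
    # returns and that this is the intended condition. A reboot here will
    # likely make the following API-based tasks fail on that host until the
    # firewall is back up.
    - name: Apply updates if reboot is required
      ansibleguy.opnsense.firmware:
        upgrade: true
        reboot: true
      when: fw_info.needs_reboot | default(false)
      tags: upgrade_apply

    # --- TASK: MONITORING ---
    # Ensures each critical service is running (starts it if not).
    - name: Audit critical services
      ansibleguy.opnsense.service:
        name: "{{ item }}"
        state: started
      loop: "{{ critical_services }}"
      tags: monitoring

    - name: Audit SSL certificates
      ansibleguy.opnsense.certificate_info:
      register: cert_info
      tags: monitoring

    # Warns only (debug does not fail the play). `| int` maps a missing or
    # non-numeric enddate_days to 0, which also trips the warning — a false
    # positive rather than a silent miss.
    - name: Alert on expiring certs
      ansible.builtin.debug:
        msg: "CERT WARNING: {{ item.descr }} expires in {{ item.enddate_days }} days"
      loop: "{{ cert_info.certificates }}"
      when: item.enddate_days | int < 30
      tags: monitoring

    # --- TASK: AUDIT ---
    - name: Verify interface link state
      ansibleguy.opnsense.interface_info:
      register: int_info
      tags: audit

    # Fails the host if any expected interface is not reported as 'up'.
    - name: Fail if interface is DOWN
      ansible.builtin.assert:
        that:
          - "int_info.interfaces[item.device].status == 'up'"
        fail_msg: "ALERT: Interface {{ item.device }} is DOWN!"
      loop: "{{ expected_interfaces }}"
      tags: audit

    # --- TASK: USER/SETTINGS MANAGEMENT ---
    # Loop items (including `pwd`) are echoed in task output by default, so
    # the vaulted password would land in Semaphore's job log; no_log hides
    # the whole result for this task.
    - name: Manage Admin Accounts
      ansibleguy.opnsense.user:
        name: "{{ item.name }}"
        password: "{{ item.pwd | default(omit) }}"
        groups: "{{ item.groups | default(omit) }}"
        state: "{{ item.state | default('present') }}"
      loop: "{{ admin_accounts }}"
      no_log: true
      tags: users

    # Hosts with no overrides are skipped instead of failing on an undefined
    # variable.
    - name: Apply Granular Settings
      ansibleguy.opnsense.system_settings:
        settings: "{{ opnsense_custom_settings }}"
      when: opnsense_custom_settings is defined
      tags: settings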