Netgate Discussion Forum

    Puppet on pfSense

    • fraenki

      Hi,

      this may be interesting for those of you managing a large number of pfSense firewalls. I've put together some stuff to manage pfSense with puppet:

      1. Puppet package for pfSense
      This is a native pfSense package providing the puppet agent and some GUI components. The merge request is still waiting for approval.
      Merge Request: https://github.com/pfsense/pfsense-packages/pull/649
      Installation guide: https://cloud.moov.de/blog/2014/07/14/installing-puppet-on-pfsense-firewalls/

      2. pfSense providers for puppet: user/group management
      A growing collection of puppet providers for pfSense. The initial version provides user/group management.
      Repository: https://github.com/fraenki/puppet-pfsense
      Forge: https://forge.puppetlabs.com/fraenki/pfsense
      Usage: https://cloud.moov.de/blog/2014/07/14/pfsense-usergroup-management-with-puppet/

      3. Puppet module: pfsense_rancid
      One of the first two puppet modules for pfSense. Automatically prepares a pfSense appliance for RANCID backups.
      Repository: https://github.com/fraenki/puppet-pfsense_rancid
      Forge: https://forge.puppetlabs.com/fraenki/pfsense_rancid
      Usage: https://cloud.moov.de/blog/2014/07/14/puppet-module-to-prepare-pfsense-for-rancid/

      4. Puppet module: pfsense_autoupdate
      The second puppet module for pfSense: A small hackish script to showcase fully unattended firmware upgrades on pfSense.
      Repository: https://github.com/fraenki/puppet-pfsense_autoupdate
      Forge: https://forge.puppetlabs.com/fraenki/pfsense_autoupdate
      Usage: https://cloud.moov.de/blog/2014/07/14/automatically-update-pfsense-firewalls-with-puppet/

      Feedback & contributions are very welcome!

      Regards
      Frank

      • stephenw10 Netgate Administrator

        Looks like you've put some effort in here.  :)

        Steve

        • Guest

          @stephenw10:

          Looks like you've put some effort in here.  :)

          Steve

          Indeed, but it's unlikely to find its way into mainline pfSense.  I'm not in favor of loading Ruby onto the platform.

          Post-2.2, we'll be working on a (likely REST) API, and that will be the vehicle for things like this.

          • stephenw10 Netgate Administrator

            I agree loading anything like that as part of the default distro would not be a good idea. Minimal attack surface etc.
            I don't see an issue with it being a package though with appropriate warnings. Perhaps another reason to split the package repo into 'supported' and 'community' or whatever you felt like naming them?

            Steve

            • KOM

              I wholeheartedly support the package repo being split into Supported and Here Be Dragyns

              • fraenki

                @stephenw10:

                I agree loading anything like that as part of the default distro would not be a good idea. Minimal attack surface etc.
                I don't see an issue with it being a package though with appropriate warnings.

                Yes, it's not meant to be included in the default distro. Not everyone uses puppet. But it should be available as a package.

                @stephenw10:

                Perhaps another reason to split the package repo into 'supported' and 'community' or whatever you felt like naming them?

                I thought this repository https://github.com/pfsense/pfsense-packages actually is the community effort to bring additional (not fully supported) packages to pfSense. With 86 different contributors it just looks like a community effort. Is there a policy regarding contributions to the pfsense-packages repository?

                Well, I can't think of any reason not to add a puppet package to this repo. There's already a good number of pfsense-packages for specialized use cases. The puppet package is just one more.

                @gonzopancho:

                Post-2.2, we'll be working on a (likely REST) API, and that will be the vehicle for things like this.

                Good to hear a REST API is on its way. The approach with puppet is completely different, though. I think it's good if one can choose the method that works best in their environment.

                FWIW, there's also a puppet agent for Juniper devices available:
                http://www.juniper.net/techpubs/en_US/release-independent/junos-puppet/information-products/pathway-pages/index.html

                Regards

                • Frank
                • stephenw10 Netgate Administrator

                  @fraenki:

                  I thought this repository https://github.com/pfsense/pfsense-packages actually is the community effort to bring additional (not fully supported) packages to pfSense. With 86 different contributors it just looks like a community effort. Is there a policy regarding contributions to the pfsense-packages repository?

                  Currently there is just that one package repo for all packages and it's coded as the default for all pfSense users. Yes there are many user contributed and supported packages there but some are officially supported. The Squid 2/ Squidguard packages for example I believe are officially maintained and supported as are things like the Shellcmd and Patches packages.

                  I have not seen any package guidelines. The packages system has developed from a few simple things into what there is today. It has been suggested that more than one repo be used and I'm all for that. Currently all packages appear to all users and that means that inevitably someone will start ticking boxes randomly and when everything breaks will complain loudly that everything should work perfectly because it's in the official package repo. This in turn means that the devs are understandably reluctant to add packages to that repo, especially if they have wide-ranging dependencies.
                  Having separate package repos with some sort of check box, 'include unofficial packages', would negate much of this problem. You could have a 'testing' repo for packages such as yours that could then be moved up to 'community' after sufficiently few boxes caught fire.  ;)

                  Having a check box etc would require an update to the webgui code but you could do it right now by just setting up another repo and having anyone who wants to use it manually point their box at it.

                  Steve

                  • fraenki

                    Thanks for this clarification, Steve. Much appreciated.

                    @stephenw10:

                    Having a check box etc would require an update to the webgui code but you could do it right now by just setting up another repo and having anyone who wants to use it manually point their box at it.

                    I've already set up an unofficial repo…
                    https://cloud.moov.de/blog/2014/07/14/installing-puppet-on-pfsense-firewalls/
                    …but such a repo does not look very secure or trustworthy. ;-) It's unlikely that any company is going to use this, neither my employee would. But obviously things like puppet aim at companies or at least larger environments.

                    Regards

                    • Frank
                    • TommyTheKid

                      Hi @fraenki,

                      Thank you for the effort on this. I have been looking for a way to integrate our pfSense firewalls with our puppet infrastructure for a while now. This will immediately help with quarterly password resets and patching/updates. I look forward to firewall/NAT providers among other things. I realize this is an old post, but I am hoping that the effort/movement is still alive.

                      Tommy

                      • Guest

                        https://blog.pfsense.org/?p=1588

                        • uenal10

                          @fraenki:

                          The hyperlink for the package in the installation guide for the Puppet agent is down. I need a Puppet agent on my pfSense for my project. Can anyone upload a new package?

                          • MasterX-BKC- Banned

                            @uenal10:

                            The hyperlink for the package in the installation guide for the Puppet agent is down. I need a Puppet agent on my pfSense for my project. Can anyone upload a new package?

                            If you're looking for remote monitoring and administration of pfsense, you might try this:
                            https://forum.pfsense.org/index.php?topic=120972.0
