ansible-opnsense
Latest Supported OPNSense Version
I would like to set up some kind of Continuous Integration / testing of these roles; unfortunately I still have had no chance, and not having access to a virtual appliance does not help.
Meanwhile, can we track in the Readme.md what is the latest version of OPNSense known to be compatible with the role?
@zerwes which versions are you using?
We have here 4 devices running 20.7.2 fully deployed via ansible using our own fork (we hardly try to bother the upstream authors with PRs) Rosa-Luxemburgstiftung-Berlin/ansible-opnsense
I just noticed all your PRs, I managed to contribute last year, but I think @rudibroekhuizen moved one.
I am interested in setting up a CD/CI system with these ansible roles and in doing a bit of rewriting as described in #19
I would be happy to contribute to a fork... perhaps makes sense. However we are not too many people here, so @rudibroekhuizen what do you say?
My intention is not to maintain a fork on my own. I would rather try to join resources ... We have identified your statements in https://github.com/naturalis/ansible-opnsense/issues/19#issue-522868302 regarding the non-merging lists and the not really handsome key/value pairs as problematic too. The first one is IMHO a real problem, the second one is rather an aesthetic issue, not affecting the functionality. Our workaround for merging lists is to re-write the yaml files using jinja2 templates ... it works, but it is just a workaround ... So using dicts instead of lists would be a real improvement ... but this means breaking backwards compatibility :-1: Another issue from my point of view is the slow and resource consuming xml parsing (it is rather an ansible issue, but it hurts here). So, if you, @rudibroekhuizen and/or others have plans to re-write this, I would be glad to contribute ... But I am afraid that I have not sufficient resources for a big contribution (if I speak here in plural it might be misleading ... we are a small team and the networking stuff is a lazy one man show ...)
I am happy to keep working on list-based v2 branch, and start a dict-based v3. I want to, at least, give it a try, might not be so hard. I also acknowledge that breaking backward compatibility is an issue :( I also reached out to OPNSense to see if they would be willing to help with setting CD/CI, that would be a good improvement.
But the main thing here is that we are only 3 and whatever we do better to join forces...
Give me a hint if there is a public accessible dict-based branch ... if you like I can create a fork of our fork and give you access to it .... If I find the time I would be happy to contribute. Using dicts might speed up the xml build process as one can use xml xpath set_children for all values on a item in one run. This means probably only ¼ of iterations ...
actually it might be even possible to provide backward compatibility, because the way in which lists are used is compatible with list2items function...
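As an added illustration of the list-vs-dict point discussed above (example code written for this page, not code from the ansible-opnsense role or from anyone in this thread): in Ansible, a recursive merge of group_vars and host_vars merges nested dicts key by key but replaces a list wholesale, so list-valued role vars cannot be extended per host, while dict-keyed vars can, and a dict2items-style normaliser lets existing list-looping tasks accept both shapes. The variable name `opnsense_aliases`, the field names and the sample values are assumptions made up for the demo; the merge mimics the semantics of Ansible's `combine(recursive=True)` filter rather than calling it.

```python
"""Added example: why list-valued vars do not merge, and how a dict layout
plus a dict2items-style normaliser keeps old list-shaped vars working.
Var and field names are invented for illustration (not the role's schema)."""
from copy import deepcopy


def combine(base, override):
    """Recursive merge with Ansible-like semantics (mirrors
    combine(recursive=True)): nested dicts merge key by key, any non-dict
    value from `override`, including a list, replaces the base value."""
    result = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = combine(result[key], value)
        else:
            result[key] = deepcopy(value)
    return result


def dict2items(value, key_name="name"):
    """Normalise a var written either as a list of dicts (old layout, each
    item carrying `name`) or as a dict keyed by name (new layout) into a
    list of dicts, so tasks can keep looping the same way. For the list
    shape it also rejects duplicate names, which a dict cannot have."""
    if isinstance(value, dict):
        return [{key_name: name, **body} for name, body in value.items()]
    if isinstance(value, list):
        seen = set()
        for item in value:
            if key_name not in item:
                raise ValueError(f"list item missing {key_name!r}: {item!r}")
            if item[key_name] in seen:
                raise ValueError(f"duplicate {key_name} {item[key_name]!r}")
            seen.add(item[key_name])
        return [dict(item) for item in value]
    raise TypeError(f"expected list or dict, got {type(value).__name__}")


# Constructed sample vars (not a real OPNsense config). Old layout: lists.
GROUP_VARS_LIST = {"opnsense_aliases": [
    {"name": "mgmt_net", "type": "network", "content": "10.0.0.0/24"},
]}
HOST_VARS_LIST = {"opnsense_aliases": [
    {"name": "dmz_net", "type": "network", "content": "10.0.1.0/24"},
]}
# New layout: dicts keyed by alias name; the host also overrides one field.
GROUP_VARS_DICT = {"opnsense_aliases": {
    "mgmt_net": {"type": "network", "content": "10.0.0.0/24"},
}}
HOST_VARS_DICT = {"opnsense_aliases": {
    "dmz_net": {"type": "network", "content": "10.0.1.0/24"},
    "mgmt_net": {"content": "10.0.0.0/23"},
}}


def merged_aliases(group_vars, host_vars):
    """Merge the two var files and return {name: content} of what survives."""
    merged = combine(group_vars, host_vars)
    return {i["name"]: i["content"] for i in dict2items(merged["opnsense_aliases"])}


if __name__ == "__main__":
    print("list layout:", merged_aliases(GROUP_VARS_LIST, HOST_VARS_LIST))
    print("dict layout:", merged_aliases(GROUP_VARS_DICT, HOST_VARS_DICT))
```

With the list layout the host_vars list replaces the group_vars list and `mgmt_net` silently disappears; with the dict layout both aliases survive and the host's partial override of `mgmt_net` merges into the group definition. The duplicate-name check in `dict2items` is the caveat to keep when accepting the old shape: two list items with the same `name` would otherwise produce two XML nodes for one alias.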
I think we should decide if we fork this repo and join forces... We could also ask OPNSense to host the repo, and give access to the 3 of us... to kind of ensure that maintainers don't become unresponsive.
@rudibroekhuizen @fpieters what do you say?
@zerwes @rudibroekhuizen @fpieters I am talking to OPNSense on Wednesday, in case anybody wants to join. I will ask that they host a repo to ensure that push requests can progress in the future. Since we are only a handful of contributors with not much time for this, I propose we all manage that repo collectively. We can start by taking @zerwes' fork, which seems to be the most recent/advanced at the moment. What do you think?
Regarding Wednesday: what time and what medium? If I find some time, I can try to join ... In fact I will be @ work. I will try to convince my boss to donate some time to the project ... Greetings to all from Berlin Klaus
@zerwes we are talking at 9, I will organize a zoom call or something. Send me an email to [email protected] and we take it from there. You are already putting time on this, I don't aim to increase what we contribute but rather to better coordinate our effort.
Oh sorry. At 09:00 AM I already have a fixed appointment with an external company. :-( Maybe the next time.
I'm very close to finishing a fork of this module that runs from the config presented in yaml format.
you can directly use http://beautifytools.com/xml-to-yaml-converter.php to generate the file needed for this from an existing config export.
you then have the option of applying the entire config or individual components
@mutl3y that's an interesting approach. Please share once you are ready
I have recently stumbled on this project due to an OPNsense-based implementation that I am currently part of. I have looked at the OPNsense API as an alternative, but after reading the docs and some discussions in their git, it's clear that their API implementation is neither extensive nor accessible, and will likely never be.
I gave this project a go, and even though it's not immediately clear how to define the vars for some roles, I eventually got the gist of it. Then I ran into issues with the ipsecphase2.yml tasks, and realized the whole list/dict inconsistencies thing.
So, the IPsec task set is broken (at least in my configuration) and I will have to fix it somehow to get the implementation going. I have next to 0 experience with XML and XMLPath, but I have a couple of years with Ansible.
Now the question(s):
- Is there any update to the way that this project is moving forward?
- What would be the preferred way to rewrite the tasks, since my intention is to push the changes/fixes upstream?
Hello @Jonybat Glad to hear that you are giving the project here a try. Regarding the ipsec issue: there is a PR open for some time (#53). We are currently using and developing the role on our fork at https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense. Here all PRs from us are already applied. We are deploying predefined IPSec profiles with this. (example var defs https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense/blob/main/tasks/ipsec.yml#L5:L49; if you need a real-life example, I can try to provide one ...) Maybe you can give this a try. If you still have some problems, please feel free to file a bug report in our repo. Greetings and good luck
Hey @zerwes That's awesome. Honestly, I hate GitHub's UI, so I get lost quite often. I have seen your fork before, but never noticed the changes. It seems to work perfectly for what we need right now. I have already added #68, and will probably push some tweaks to your fork as well, since they are not merged here yet.
Thanks a bunch
Glad to hear I could help, @Jonybat. Regarding PRs: always welcome! If you open some here against the original repo, I can include them in our fork like https://github.com/naturalis/ansible-opnsense/pull/68 -> https://github.com/Rosa-Luxemburgstiftung-Berlin/ansible-opnsense/pull/18, so we have no need to wait until they are merged here ...