I’ve built a central dashboard to orchestrate thousands of OPNsense firewalls. Current features include:

- Scheduled updates (target version control)
- Automated backups
- Change diffs
- Metrics (status, versions, etc.)

Lifecycle management works well, but I’m missing a clean declarative approach for configuration at scale.

Use case:

- Group-based config (e.g. 50 firewalls get ruleset A, 100 get specific aliases, etc.)
- Desired-state model, similar to Kubernetes / IaC

What I tried:

Ansible + ansibleguy.opnsense collection. Works, but:

- API-only
- Many features not covered
- No full config control

Current idea:

Use Ansible to push config via shell (e.g. templating config.xml or using backend scripts/CLI).

Questions:

- Is "config.xml templating via shell" viable or a dead end?
- Any better tools or frameworks?
- How are you handling grouping / roles / reuse?
- Full config push vs. incremental changes?

Goals:

- Idempotency
- GitOps-style versioning
- Clear separation of desired state vs rollout

Curious how others are solving this at scale.
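As an added illustration of the config.xml approach discussed in the post (example code, not from the post or from OPNsense), the script below computes a host's desired aliases from group membership, upserts them into a config.xml idempotently, and returns a unified diff of what changed. The sample config, the group/host data, and the `OPNsense/Firewall/Alias/aliases` element layout are constructed assumptions.

```python
import difflib
import uuid
import xml.etree.ElementTree as ET

# Constructed sample config with one existing alias. The element layout under
# <OPNsense><Firewall><Alias> is an assumption: check it against a real backup first.
SAMPLE_CONFIG = """<opnsense><OPNsense><Firewall><Alias version="1.0.0"><aliases>
<alias uuid="11111111-1111-1111-1111-111111111111"><enabled>1</enabled><name>mgmt_net</name>
<type>network</type><content>10.0.0.0/24</content><description>managed</description></alias>
</aliases></Alias></Firewall></OPNsense></opnsense>"""

# Desired state (constructed): group -> {alias name: (type, content)}; host -> its groups.
GROUP_ALIASES = {
    "branch": {"mgmt_net": ("network", "10.0.0.0/24\n10.0.1.0/24")},
    "dmz": {"dmz_hosts": ("host", "203.0.113.10\n203.0.113.11")},
}
HOST_GROUPS = {"fw-001": ["branch", "dmz"], "fw-002": ["branch"]}

def desired_aliases(host):
    """Merge the alias sets of every group the host belongs to (later groups win)."""
    merged = {}
    for group in HOST_GROUPS.get(host, []):
        merged.update(GROUP_ALIASES[group])
    return merged

def apply_aliases(config_xml, desired):
    """Upsert aliases by name; return (new_xml, changed, unified_diff)."""
    root = ET.fromstring(config_xml)
    ET.indent(root)  # normalise whitespace so the diff shows only real changes
    before = ET.tostring(root, encoding="unicode")
    aliases = root.find("./OPNsense/Firewall/Alias/aliases")
    if aliases is None: raise ValueError("no alias container found (layout assumption failed)")
    changed = False
    for name, (atype, content) in sorted(desired.items()):
        node = next((a for a in aliases.findall("alias") if a.findtext("name") == name), None)
        if node is None:
            # Deterministic uuid derived from the name: repeated runs never create duplicates.
            node = ET.SubElement(aliases, "alias", uuid=str(uuid.uuid5(uuid.NAMESPACE_DNS, name)))
            for tag, text in (("enabled", "1"), ("name", name), ("type", ""), ("content", ""), ("description", "managed")):
                ET.SubElement(node, tag).text = text
            changed = True
        for tag, text in (("type", atype), ("content", content)):
            if node.find(tag).text != text:  # only touch fields that actually differ
                node.find(tag).text = text
                changed = True
    ET.indent(root)
    after = ET.tostring(root, encoding="unicode")
    diff = "".join(difflib.unified_diff(before.splitlines(True), after.splitlines(True), "before", "after"))
    return after, changed, diff
```

Running it twice against the same desired state yields `changed == False` and an empty diff on the second pass, which is the idempotency check a rollout step can gate on before writing the file back or reloading the firewall.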