From 8f474132e671d049e56068210aa19cdce77ab807 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Mon, 18 Jan 2021 22:38:02 +0100
Subject: [PATCH 01/15] The Ansible fetch module does not have a backup
 parameter

Ref: https://docs.ansible.com/ansible/latest/collections/ansible/builtin/fetch_module.html
---
 tasks/fetch.yml | 1 -
 1 file changed, 1 deletion(-)

diff --git a/tasks/fetch.yml b/tasks/fetch.yml
index 9c81177..6c26b1e 100644
--- a/tasks/fetch.yml
+++ b/tasks/fetch.yml
@@ -4,5 +4,4 @@
     src: "{{ config_path }}"
     dest: "{{ local_config_path }}"
     flat: true
-    backup: true
 ...

From 78ad630e398550c087c3c8e275bdfb20ad606521 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Mon, 18 Jan 2021 23:49:05 +0100
Subject: [PATCH 02/15] Add factory OPNsense 20.7 config

---
 templates/conf/config.xml.j2 | 776 +++++++++++++++++++++++++++++++++++
 1 file changed, 776 insertions(+)
 create mode 100644 templates/conf/config.xml.j2

diff --git a/templates/conf/config.xml.j2 b/templates/conf/config.xml.j2
new file mode 100644
index 0000000..86e1791
--- /dev/null
+++ b/templates/conf/config.xml.j2
@@ -0,0 +1,776 @@
+<?xml version="1.0"?>
+<opnsense>
+  <trigger_initial_wizard/>
+  <theme>opnsense</theme>
+  <sysctl>
+    <item>
+      <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
+      <tunable>vfs.read_max</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Set the ephemeral port range to be lower.</descr>
+      <tunable>net.inet.ip.portrange.first</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Drop packets to closed TCP ports without returning a RST</descr>
+      <tunable>net.inet.tcp.blackhole</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Do not send ICMP port unreachable messages for closed UDP ports</descr>
+      <tunable>net.inet.udp.blackhole</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Randomize the ID field in IP packets</descr>
+      <tunable>net.inet.ip.random_id</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
+      <tunable>net.inet.ip.sourceroute</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>
+        Source routing is another way for an attacker to try to reach non-routable addresses behind your box.
+        It can also be used to probe for information about your internal networks. These functions come enabled
+        as part of the standard FreeBSD core system.
+      </descr>
+      <tunable>net.inet.ip.accept_sourceroute</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>
+        This option turns off the logging of redirect packets because there is no limit and this could fill
+        up your logs consuming your whole hard drive.
+      </descr>
+      <tunable>net.inet.icmp.log_redirect</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Drop SYN-FIN packets (breaks RFC1379, but nobody uses it anyway)</descr>
+      <tunable>net.inet.tcp.drop_synfin</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Enable sending IPv6 redirects</descr>
+      <tunable>net.inet6.ip6.redirect</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Enable privacy settings for IPv6 (RFC 4941)</descr>
+      <tunable>net.inet6.ip6.use_tempaddr</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Prefer privacy addresses and use them over the normal addresses</descr>
+      <tunable>net.inet6.ip6.prefer_tempaddr</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Generate SYN cookies for outbound SYN-ACK packets</descr>
+      <tunable>net.inet.tcp.syncookies</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Maximum incoming/outgoing TCP datagram size (receive)</descr>
+      <tunable>net.inet.tcp.recvspace</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Maximum incoming/outgoing TCP datagram size (send)</descr>
+      <tunable>net.inet.tcp.sendspace</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Do not delay ACK to try and piggyback it onto a data packet</descr>
+      <tunable>net.inet.tcp.delayed_ack</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Maximum outgoing UDP datagram size</descr>
+      <tunable>net.inet.udp.maxdgram</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Handling of non-IP packets which are not passed to pfil (see if_bridge(4))</descr>
+      <tunable>net.link.bridge.pfil_onlyip</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Set to 1 to additionally filter on the physical interface for locally destined packets</descr>
+      <tunable>net.link.bridge.pfil_local_phys</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Set to 0 to disable filtering on the incoming and outgoing member interfaces.</descr>
+      <tunable>net.link.bridge.pfil_member</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Set to 1 to enable filtering on the bridge interface</descr>
+      <tunable>net.link.bridge.pfil_bridge</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Allow unprivileged access to tap(4) device nodes</descr>
+      <tunable>net.link.tap.user_open</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Randomize PID's (see src/sys/kern/kern_fork.c: sysctl_kern_randompid())</descr>
+      <tunable>kern.randompid</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Maximum size of the IP input queue</descr>
+      <tunable>net.inet.ip.intr_queue_maxlen</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Disable CTRL+ALT+Delete reboot from keyboard.</descr>
+      <tunable>hw.syscons.kbd_reboot</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Enable TCP extended debugging</descr>
+      <tunable>net.inet.tcp.log_debug</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Set ICMP Limits</descr>
+      <tunable>net.inet.icmp.icmplim</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>TCP Offload Engine</descr>
+      <tunable>net.inet.tcp.tso</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>UDP Checksums</descr>
+      <tunable>net.inet.udp.checksum</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Maximum socket buffer size</descr>
+      <tunable>kern.ipc.maxsockbuf</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Page Table Isolation (Meltdown mitigation, requires reboot.)</descr>
+      <tunable>vm.pmap.pti</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Disable Indirect Branch Restricted Speculation (Spectre V2 mitigation)</descr>
+      <tunable>hw.ibrs_disable</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Hide processes running as other groups</descr>
+      <tunable>security.bsd.see_other_gids</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Hide processes running as other users</descr>
+      <tunable>security.bsd.see_other_uids</tunable>
+      <value>default</value>
+    </item>
+    <item>
+      <descr>Enable/disable sending of ICMP redirects in response to IP packets for which a better,
+        and for the sender directly reachable, route and next hop is known.
+      </descr>
+      <tunable>net.inet.ip.redirect</tunable>
+      <value>0</value>
+    </item>
+    <item>
+      <descr>
+        Redirect attacks are the purposeful mass-issuing of ICMP type 5 packets. In a normal network, redirects
+        to the end stations should not be required. This option enables the NIC to drop all inbound ICMP redirect
+        packets without returning a response.
+      </descr>
+      <tunable>net.inet.icmp.drop_redirect</tunable>
+      <value>1</value>
+    </item>
+    <item>
+      <descr>Maximum outgoing UDP datagram size</descr>
+      <tunable>net.local.dgram.maxdgram</tunable>
+      <value>default</value>
+    </item>
+  </sysctl>
+  <system>
+    <optimization>normal</optimization>
+    <hostname>OPNsense</hostname>
+    <domain>localdomain</domain>
+    <dnsallowoverride/>
+    <group>
+      <name>admins</name>
+      <description>System Administrators</description>
+      <scope>system</scope>
+      <gid>1999</gid>
+      <member>0</member>
+      <priv>page-all</priv>
+    </group>
+    <user>
+      <name>root</name>
+      <descr>System Administrator</descr>
+      <scope>system</scope>
+      <groupname>admins</groupname>
+      <password>$2y$10$CWpKw8H/.PwF2kHcvh5bXuLC1rzq/N9FOOM7kAAnBS0.ksWOI/0bO</password>
+      <uid>0</uid>
+    </user>
+    <nextuid>2000</nextuid>
+    <nextgid>2000</nextgid>
+    <timezone>Etc/UTC</timezone>
+    <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
+    <webgui>
+      <protocol>https</protocol>
+      <ssl-certref>60061767b5b36</ssl-certref>
+    </webgui>
+    <disablenatreflection>yes</disablenatreflection>
+    <usevirtualterminal>1</usevirtualterminal>
+    <disableconsolemenu/>
+    <disablevlanhwfilter>1</disablevlanhwfilter>
+    <disablechecksumoffloading>1</disablechecksumoffloading>
+    <disablesegmentationoffloading>1</disablesegmentationoffloading>
+    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
+    <ipv6allow/>
+    <powerd_ac_mode>hadp</powerd_ac_mode>
+    <powerd_battery_mode>hadp</powerd_battery_mode>
+    <powerd_normal_mode>hadp</powerd_normal_mode>
+    <bogons>
+      <interval>monthly</interval>
+    </bogons>
+    <backupcount>60</backupcount>
+    <crypto_hardware>aesni</crypto_hardware>
+    <pf_share_forward>1</pf_share_forward>
+    <lb_use_sticky>1</lb_use_sticky>
+    <ssh>
+      <group>admins</group>
+    </ssh>
+    <backup>
+      <nextcloud version="1.0.0">
+        <enabled>0</enabled>
+        <url/>
+        <user/>
+        <password/>
+        <password_encryption/>
+        <backupdir>OPNsense-Backup</backupdir>
+      </nextcloud>
+    </backup>
+  </system>
+  <interfaces>
+    <wan>
+      <enable>1</enable>
+      <if>vtnet0</if>
+      <mtu/>
+      <ipaddr>dhcp</ipaddr>
+      <ipaddrv6>dhcp6</ipaddrv6>
+      <subnet/>
+      <gateway/>
+      <blockbogons>1</blockbogons>
+      <dhcphostname/>
+      <media/>
+      <mediaopt/>
+      <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
+    </wan>
+    <lo0>
+      <internal_dynamic>1</internal_dynamic>
+      <descr>Loopback</descr>
+      <enable>1</enable>
+      <if>lo0</if>
+      <ipaddr>127.0.0.1</ipaddr>
+      <ipaddrv6>::1</ipaddrv6>
+      <subnet>8</subnet>
+      <subnetv6>128</subnetv6>
+      <type>none</type>
+      <virtual>1</virtual>
+    </lo0>
+  </interfaces>
+  <dhcpd/>
+  <unbound>
+    <enable>1</enable>
+  </unbound>
+  <snmpd>
+    <syslocation/>
+    <syscontact/>
+    <rocommunity>public</rocommunity>
+  </snmpd>
+  <syslog>
+    <reverse/>
+  </syslog>
+  <filter>
+    <rule>
+      <type>pass</type>
+      <ipprotocol>inet</ipprotocol>
+      <descr>Default allow LAN to any rule</descr>
+      <interface>lan</interface>
+      <source>
+        <network>lan</network>
+      </source>
+      <destination>
+        <any/>
+      </destination>
+    </rule>
+    <rule>
+      <type>pass</type>
+      <ipprotocol>inet6</ipprotocol>
+      <descr>Default allow LAN IPv6 to any rule</descr>
+      <interface>lan</interface>
+      <source>
+        <network>lan</network>
+      </source>
+      <destination>
+        <any/>
+      </destination>
+    </rule>
+  </filter>
+  <rrd>
+    <enable/>
+  </rrd>
+  <load_balancer>
+    <monitor_type>
+      <name>ICMP</name>
+      <type>icmp</type>
+      <descr>ICMP</descr>
+      <options/>
+    </monitor_type>
+    <monitor_type>
+      <name>TCP</name>
+      <type>tcp</type>
+      <descr>Generic TCP</descr>
+      <options/>
+    </monitor_type>
+    <monitor_type>
+      <name>HTTP</name>
+      <type>http</type>
+      <descr>Generic HTTP</descr>
+      <options>
+        <path>/</path>
+        <host/>
+        <code>200</code>
+      </options>
+    </monitor_type>
+    <monitor_type>
+      <name>HTTPS</name>
+      <type>https</type>
+      <descr>Generic HTTPS</descr>
+      <options>
+        <path>/</path>
+        <host/>
+        <code>200</code>
+      </options>
+    </monitor_type>
+    <monitor_type>
+      <name>SMTP</name>
+      <type>send</type>
+      <descr>Generic SMTP</descr>
+      <options>
+        <send/>
+        <expect>220 *</expect>
+      </options>
+    </monitor_type>
+  </load_balancer>
+  <ntpd>
+    <prefer>0.opnsense.pool.ntp.org</prefer>
+  </ntpd>
+  <widgets>
+    <sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
+    <column_count>2</column_count>
+  </widgets>
+  <revision>
+    <username>(system)</username>
+    <time>1611012282.1013</time>
+    <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+  </revision>
+  <OPNsense>
+    <Firewall>
+      <Alias version="1.0.0">
+        <geoip>
+          <url/>
+        </geoip>
+        <aliases/>
+      </Alias>
+    </Firewall>
+    <captiveportal version="1.0.0">
+      <zones/>
+      <templates/>
+    </captiveportal>
+    <cron version="1.0.1">
+      <jobs/>
+    </cron>
+    <Netflow version="1.0.1">
+      <capture>
+        <interfaces/>
+        <egress_only/>
+        <version>v9</version>
+        <targets/>
+      </capture>
+      <collect>
+        <enable>0</enable>
+      </collect>
+      <activeTimeout>1800</activeTimeout>
+      <inactiveTimeout>15</inactiveTimeout>
+    </Netflow>
+    <IDS version="1.0.5">
+      <rules/>
+      <userDefinedRules/>
+      <files/>
+      <fileTags/>
+      <general>
+        <enabled>0</enabled>
+        <ips>0</ips>
+        <promisc>0</promisc>
+        <interfaces>wan</interfaces>
+        <homenet>192.168.0.0/16,10.0.0.0/8,172.16.0.0/12</homenet>
+        <defaultPacketSize/>
+        <UpdateCron/>
+        <AlertLogrotate>W0D23</AlertLogrotate>
+        <AlertSaveLogs>4</AlertSaveLogs>
+        <MPMAlgo>ac</MPMAlgo>
+        <detect>
+          <Profile>medium</Profile>
+          <toclient_groups/>
+          <toserver_groups/>
+        </detect>
+        <syslog>0</syslog>
+        <syslog_eve>0</syslog_eve>
+        <LogPayload>0</LogPayload>
+      </general>
+    </IDS>
+    <Interfaces>
+      <vxlans version="1.0.1"/>
+      <loopbacks version="1.0.0"/>
+    </Interfaces>
+    <monit version="1.0.8">
+      <general>
+        <enabled>0</enabled>
+        <interval>120</interval>
+        <startdelay>120</startdelay>
+        <mailserver>127.0.0.1</mailserver>
+        <port>25</port>
+        <username/>
+        <password/>
+        <ssl>0</ssl>
+        <sslversion>auto</sslversion>
+        <sslverify>1</sslverify>
+        <logfile>syslog facility log_daemon</logfile>
+        <statefile/>
+        <eventqueuePath/>
+        <eventqueueSlots/>
+        <httpdEnabled>0</httpdEnabled>
+        <httpdUsername>root</httpdUsername>
+        <httpdPassword>6yqmPxbENQMwI58QVHa</httpdPassword>
+        <httpdPort>2812</httpdPort>
+        <httpdAllow/>
+        <mmonitUrl/>
+        <mmonitTimeout>5</mmonitTimeout>
+        <mmonitRegisterCredentials>1</mmonitRegisterCredentials>
+      </general>
+      <alert uuid="67fbf140-441a-474e-824c-cf726416548b">
+        <enabled>0</enabled>
+        <recipient>root@localhost.local</recipient>
+        <noton>0</noton>
+        <events/>
+        <format/>
+        <reminder>10</reminder>
+        <description/>
+      </alert>
+      <service uuid="5859ce5d-5c62-4b11-93c2-703fca3113d1">
+        <enabled>1</enabled>
+        <name>$HOST</name>
+        <type>system</type>
+        <pidfile/>
+        <match/>
+        <path/>
+        <timeout>300</timeout>
+        <address/>
+        <interface/>
+        <start/>
+        <stop/>
+        <tests>61e0a048-6e67-49f6-b1e3-b9a5fb0a4b06,bffcec47-86b6-4390-9612-9a979014de13,be36c81f-737b-45ab-9b62-6cd73bf9e1ce,f64a6dca-9e5d-4daa-87e2-e11f9c7c1130</tests>
+        <depends/>
+      </service>
+      <service uuid="3e9e1314-f8ea-409f-b7fd-a4e193c23ad1">
+        <enabled>1</enabled>
+        <name>RootFs</name>
+        <type>filesystem</type>
+        <pidfile/>
+        <match/>
+        <path>/</path>
+        <timeout>300</timeout>
+        <address/>
+        <interface/>
+        <start/>
+        <stop/>
+        <tests>6618d148-bea3-4807-b3a7-390a6f4b4563</tests>
+        <depends/>
+      </service>
+      <service uuid="5a8b0ea5-c9ee-4ac2-8f63-6d10ac5ef884">
+        <enabled>0</enabled>
+        <name>carp_status_change</name>
+        <type>custom</type>
+        <pidfile/>
+        <match/>
+        <path>/usr/local/opnsense/scripts/OPNsense/Monit/carp_status</path>
+        <timeout>300</timeout>
+        <address/>
+        <interface/>
+        <start/>
+        <stop/>
+        <tests>c0aea468-9a0b-4fc4-b1b1-50d60a54a331</tests>
+        <depends/>
+      </service>
+      <service uuid="d3961d69-ec2b-49af-b51d-890a464dd036">
+        <enabled>0</enabled>
+        <name>gateway_alert</name>
+        <type>custom</type>
+        <pidfile/>
+        <match/>
+        <path>/usr/local/opnsense/scripts/OPNsense/Monit/gateway_alert</path>
+        <timeout>300</timeout>
+        <address/>
+        <interface/>
+        <start/>
+        <stop/>
+        <tests>92889cb7-ce7e-4e81-9a7d-7e18bc4c1a56</tests>
+        <depends/>
+      </service>
+      <test uuid="bd581206-c280-4100-af98-60e890d6178c">
+        <name>Ping</name>
+        <type>NetworkPing</type>
+        <condition>failed ping</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="bc0ee325-a16c-494f-a626-019fd0a0caf9">
+        <name>NetworkLink</name>
+        <type>NetworkInterface</type>
+        <condition>failed link</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="dda50f51-16e3-4cf6-9838-3f2205bf6d97">
+        <name>NetworkSaturation</name>
+        <type>NetworkInterface</type>
+        <condition>saturation is greater than 75%</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="61e0a048-6e67-49f6-b1e3-b9a5fb0a4b06">
+        <name>MemoryUsage</name>
+        <type>SystemResource</type>
+        <condition>memory usage is greater than 75%</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="bffcec47-86b6-4390-9612-9a979014de13">
+        <name>CPUUsage</name>
+        <type>SystemResource</type>
+        <condition>cpu usage is greater than 75%</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="be36c81f-737b-45ab-9b62-6cd73bf9e1ce">
+        <name>LoadAvg1</name>
+        <type>SystemResource</type>
+        <condition>loadavg (1min) is greater than 2</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="f64a6dca-9e5d-4daa-87e2-e11f9c7c1130">
+        <name>LoadAvg5</name>
+        <type>SystemResource</type>
+        <condition>loadavg (5min) is greater than 1.5</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="e21ae61c-53af-4d86-9ff5-e707a4b1491d">
+        <name>LoadAvg15</name>
+        <type>SystemResource</type>
+        <condition>loadavg (15min) is greater than 1</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="6618d148-bea3-4807-b3a7-390a6f4b4563">
+        <name>SpaceUsage</name>
+        <type>SpaceUsage</type>
+        <condition>space usage is greater than 75%</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="c0aea468-9a0b-4fc4-b1b1-50d60a54a331">
+        <name>ChangedStatus</name>
+        <type>ProgramStatus</type>
+        <condition>changed status</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+      <test uuid="92889cb7-ce7e-4e81-9a7d-7e18bc4c1a56">
+        <name>NonZeroStatus</name>
+        <type>ProgramStatus</type>
+        <condition>status != 0</condition>
+        <action>alert</action>
+        <path/>
+      </test>
+    </monit>
+    <OpenVPNExport version="0.0.1">
+      <servers/>
+    </OpenVPNExport>
+    <proxy version="1.0.3">
+      <general>
+        <enabled>0</enabled>
+        <error_pages>opnsense</error_pages>
+        <icpPort/>
+        <logging>
+          <enable>
+            <accessLog>1</accessLog>
+            <storeLog>1</storeLog>
+          </enable>
+          <ignoreLogACL/>
+          <target/>
+        </logging>
+        <alternateDNSservers/>
+        <dnsV4First>0</dnsV4First>
+        <forwardedForHandling>on</forwardedForHandling>
+        <uriWhitespaceHandling>strip</uriWhitespaceHandling>
+        <useViaHeader>1</useViaHeader>
+        <suppressVersion>0</suppressVersion>
+        <connecttimeout/>
+        <VisibleEmail>admin@localhost.local</VisibleEmail>
+        <VisibleHostname/>
+        <cache>
+          <local>
+            <enabled>0</enabled>
+            <directory>/var/squid/cache</directory>
+            <cache_mem>256</cache_mem>
+            <maximum_object_size/>
+            <size>100</size>
+            <l1>16</l1>
+            <l2>256</l2>
+            <cache_linux_packages>0</cache_linux_packages>
+            <cache_windows_updates>0</cache_windows_updates>
+          </local>
+        </cache>
+        <traffic>
+          <enabled>0</enabled>
+          <maxDownloadSize>2048</maxDownloadSize>
+          <maxUploadSize>1024</maxUploadSize>
+          <OverallBandwidthTrotteling>1024</OverallBandwidthTrotteling>
+          <perHostTrotteling>256</perHostTrotteling>
+        </traffic>
+        <parentproxy>
+          <enabled>0</enabled>
+          <host/>
+          <enableauth>0</enableauth>
+          <user>username</user>
+          <password>password</password>
+          <port/>
+          <localdomains/>
+          <localips/>
+        </parentproxy>
+      </general>
+      <forward>
+        <interfaces>lan</interfaces>
+        <port>3128</port>
+        <sslbumpport>3129</sslbumpport>
+        <sslbump>0</sslbump>
+        <sslurlonly>0</sslurlonly>
+        <sslcertificate/>
+        <sslnobumpsites/>
+        <ssl_crtd_storage_max_size>4</ssl_crtd_storage_max_size>
+        <sslcrtd_children>5</sslcrtd_children>
+        <snmp_enable>0</snmp_enable>
+        <snmp_port>3401</snmp_port>
+        <snmp_password>public</snmp_password>
+        <ftpInterfaces/>
+        <ftpPort>2121</ftpPort>
+        <ftpTransparentMode>0</ftpTransparentMode>
+        <addACLforInterfaceSubnets>1</addACLforInterfaceSubnets>
+        <transparentMode>0</transparentMode>
+        <acl>
+          <allowedSubnets/>
+          <unrestricted/>
+          <bannedHosts/>
+          <whiteList/>
+          <blackList/>
+          <browser/>
+          <mimeType/>
+          <safePorts>80:http,21:ftp,443:https,70:gopher,210:wais,1025-65535:unregistered ports,280:http-mgmt,488:gss-http,591:filemaker,777:multiling http</safePorts>
+          <sslPorts>443:https</sslPorts>
+          <remoteACLs>
+            <blacklists/>
+            <UpdateCron/>
+          </remoteACLs>
+        </acl>
+        <icap>
+          <enable>0</enable>
+          <RequestURL>icap://[::1]:1344/avscan</RequestURL>
+          <ResponseURL>icap://[::1]:1344/avscan</ResponseURL>
+          <SendClientIP>1</SendClientIP>
+          <SendUsername>0</SendUsername>
+          <EncodeUsername>0</EncodeUsername>
+          <UsernameHeader>X-Username</UsernameHeader>
+          <EnablePreview>1</EnablePreview>
+          <PreviewSize>1024</PreviewSize>
+          <OptionsTTL>60</OptionsTTL>
+          <exclude/>
+        </icap>
+        <authentication>
+          <method/>
+          <authEnforceGroup/>
+          <realm>OPNsense proxy authentication</realm>
+          <credentialsttl>2</credentialsttl>
+          <children>5</children>
+        </authentication>
+      </forward>
+      <pac/>
+      <error_pages>
+        <template/>
+      </error_pages>
+    </proxy>
+    <Syslog version="1.0.0">
+      <general>
+        <enabled>1</enabled>
+      </general>
+      <destinations/>
+    </Syslog>
+    <TrafficShaper version="1.0.3">
+      <pipes/>
+      <queues/>
+      <rules/>
+    </TrafficShaper>
+    <unboundplus>
+      <dnsbl version="0.0.1">
+        <service_enabled/>
+        <enabled>0</enabled>
+        <type/>
+        <lists/>
+        <whitelists/>
+      </dnsbl>
+      <miscellaneous version="0.0.2">
+        <privatedomain/>
+        <dotservers/>
+      </miscellaneous>
+    </unboundplus>
+  </OPNsense>
+  <ca/>
+  <gateways>
+    <gateway_item/>
+  </gateways>
+  <cert>
+    <refid>60061767b5b36</refid>
+    <descr>Web GUI SSL certificate</descr>
+    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdYVENDQkVXZ0F3SUJBZ0lVYm9ZdWRwY0ZqQkkxaVFBcXEvc0cxM25kNUNrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1RqRUxNQWtHQTFVRUJoTUNUa3d4RlRBVEJnTlZCQWdNREZwMWFXUXRTRzlzYkdGdVpERVZNQk1HQTFVRQpCd3dNVFdsa1pHVnNhR0Z5Ym1sek1SRXdEd1lEVlFRS0RBaFBVRTV6Wlc1elpUQWVGdzB5TVRBeE1UZ3lNekU1Ck1EUmFGdzB5TXpBME1qTXlNekU1TURSYU1FNHhDekFKQmdOVkJBWVRBazVNTVJVd0V3WURWUVFJREF4YWRXbGsKTFVodmJHeGhibVF4RlRBVEJnTlZCQWNNREUxcFpHUmxiR2hoY201cGN6RVJNQThHQTFVRUNnd0lUMUJPYzJWdQpjMlV3Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRHNUcTFkaHcxQ2RTVnFzZzJwCkYxa3p5MmJFY0Q3VnRqVWszd0owdGMvZXdHRjRRcDRJWTRMei9YWVEzUHhpS2laWG1LQ2pIeXhEaWllL2xKbGkKdXpnY1FzOG1YZ1ZnQ1c4UDF4cFRpRVdsS3JoWk9ER1p6a1h6cy9rMzUyQkNGeVhHOFJ4NXZ3ZWtpQ3ZxbGQvMQpNcGF3Y090TmVQMlp0Y2NLaDBTVElmV1NHaGN2YnRiMWtLWGNRSThnQWtRNzlKYmdHMUpROTVEbTN4aklXcUFMCk1vWHB1cktIYXQ0czRvS2RtMjRuU3d4ZkRDelc3QnBxZ25IZmFxb2d1ZWw4YlM4QXA1dWNuUEF6MnNGNTFoS1AKRXRQeVoxN2hrNllQeENqVC9Vak9oZDRtL1hMaDFRaXNDVUVqQlNUZkFpNm84OGxwTDV2TzAxQWdUUVpsQXd2TQpnYTF6MzJuQ3FCSFhONFU0VXp5RHl6bkw1WXRNbzJqcTBkVEFwa3EwUUJNNWQyNG0xK3hnR3B2WEhKclU4VWxxCmF4SzFObXJVTllZdjFJZGdPYTBTRktoMXM0c2U1MHlSbEJOaFVBK01BVFpiVlFwdUJET1h3WGZ6ejAvUXNjMFAKK3loK2pSZTBWUWpCMWwyUzBVOTRzd1VtMDFua3hRY21Zb2JlWEJDTUhET2NrRWZuS00wa3ZaeHFmSERXOWtaLwpVT2tYWXA2OXpTZkV1K09zQVE5aDlENzRXT0lJeDFPYXg4Zy8xd0laWlBlajVCQjNaanhtcEc1N1RzNU5jWDJlCmN3enVkYkxGaHcrK3lOVUVGMGZNVk9hcmJpTUxTTzVFOWNFdDBZUFdkT0xtMlVpaEdDME8vN2hXeVZxTmdqU1AKZzg0dVorYy92T1doV0ZBZDBxdWUvR3Nvc3dJREFRQUJvNElCTVRDQ0FTMHdDUVlEVlIwVEJBSXdBREFSQmdsZwpoa2dCaHZoQ0FRRUVCQU1DQmtBd05BWUpZSVpJQVliNFFnRU5CQ2NXSlU5UVRuTmxibk5sSUVkbGJtVnlZWFJsClpDQlRaWEoyWlhJZ1EyVnlkR2xtYVdOaGRHVXdIUVlEVlIwT0JCWUVGQ1BHYXNFZy81a3dialNtdnBnODdmZGIKZTBLNU1JR0xCZ05WSFNNRWdZTXdnWUNBRkNQR2FzRWcvNWt3YmpTbXZwZzg3ZmRiZTBLNW9WS2tVREJPTVFzdwpDUVlEVlFRR0V3Sk9UREVWTUJNR0ExVUVDQXdNV25WcFpDMUliMnhzWVc1a01SVXdFd1lEVlFRSERBeE5hV1JrClpXeG9ZWEp1YVhNeEVUQVBCZ05WQkFvTUNFOVFUbk5sYm5ObGdoUnVoaTUybHdXTUVqV0pBQ3FyK3diWGVkM2sKS1RBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSUFnSXdDd1lEVlIwUEJBUURBZ1dnTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQ1pOcGlrNE5yZXNJcWoyOXBUZzFaVDRqcDloN1RoVEVidG5kYUoweWJ5ClJDK0FPUlJhVXNPRmF1cDdDcExtNVZoVkN1cXRYZmVGbEIwUDZheHNNZFZ2eXBDdFlMenVJeWs0Z3lhVHBrem4KYVJyNlFQK0xTVGkrVzdtQ3N1ZGV4dWNRU1cvaENEMDdzOWd5MWZmOTRUVlZhTHBpYlhvdG8yWDJSMDlQTXkzUgozVnQ2YnZYUSs0NHl3R3Q5d2ZralV5S0w2RXBWUHBxdURiU2FjVGxpdWtLSVJtbFNjM1huR0k0UjVINXpybWxLCjVOZUdkQmI0NzEwcCt6QXlpMytEVkJWdGtwSWJsaVZBTC9OTEg1WWlIZzNBckVxSWtxK0FUb3BZdU9CVHY2S1IKdFdtTXFkUzlxa2xBRzYwdHpob0lZc2V5V1E0aWd4VmJrSFE4cVpPRG1OU3pISTJ1c0lMYkxIaFIvUFIxTkR1awpIeHRoNHRmbklXaFc4aU1lbk9Wd0FFaXhVZnZ1ZVRNc29hUGRzNVgwY1drbFhhZ04vSTFVdGdRc3k3ZExsS01iCjRDT1FrZVYwVEplcDYxZlBCRFNkbXUxeDRncDh0ZUkzcnFIelI0QWlBNkszR2pLSEwxMk1Rdlg5ZGRmeU9wZjgKckVpN3A4WFlqaWZuMS92RWhJdkwvODVGRklPVThvbThHRDk0ZWZTYy9JSjNIb2xReFk2NFR4VkI0clRCWmlqbApuQTF2QUd5SUlmMDBxTzRGZkY5c3J0cElLV3llYXZ1UzJDc0JIellLSktJR0tmbXNubzZlb3lHc2Y2SVlyNnM2ClRnZm94VVdSZGdXRmlkUjc2SFVUVzRaTHc3WjJQQ1FLVmJsQUt3cEM2M2E4bW5KSkIwWEl3MkZERFJaMXk1UkYKWkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
+    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRRHNUcTFkaHcxQ2RTVnEKc2cycEYxa3p5MmJFY0Q3VnRqVWszd0owdGMvZXdHRjRRcDRJWTRMei9YWVEzUHhpS2laWG1LQ2pIeXhEaWllLwpsSmxpdXpnY1FzOG1YZ1ZnQ1c4UDF4cFRpRVdsS3JoWk9ER1p6a1h6cy9rMzUyQkNGeVhHOFJ4NXZ3ZWtpQ3ZxCmxkLzFNcGF3Y090TmVQMlp0Y2NLaDBTVElmV1NHaGN2YnRiMWtLWGNRSThnQWtRNzlKYmdHMUpROTVEbTN4akkKV3FBTE1vWHB1cktIYXQ0czRvS2RtMjRuU3d4ZkRDelc3QnBxZ25IZmFxb2d1ZWw4YlM4QXA1dWNuUEF6MnNGNQoxaEtQRXRQeVoxN2hrNllQeENqVC9Vak9oZDRtL1hMaDFRaXNDVUVqQlNUZkFpNm84OGxwTDV2TzAxQWdUUVpsCkF3dk1nYTF6MzJuQ3FCSFhONFU0VXp5RHl6bkw1WXRNbzJqcTBkVEFwa3EwUUJNNWQyNG0xK3hnR3B2WEhKclUKOFVscWF4SzFObXJVTllZdjFJZGdPYTBTRktoMXM0c2U1MHlSbEJOaFVBK01BVFpiVlFwdUJET1h3WGZ6ejAvUQpzYzBQK3loK2pSZTBWUWpCMWwyUzBVOTRzd1VtMDFua3hRY21Zb2JlWEJDTUhET2NrRWZuS00wa3ZaeHFmSERXCjlrWi9VT2tYWXA2OXpTZkV1K09zQVE5aDlENzRXT0lJeDFPYXg4Zy8xd0laWlBlajVCQjNaanhtcEc1N1RzNU4KY1gyZWN3enVkYkxGaHcrK3lOVUVGMGZNVk9hcmJpTUxTTzVFOWNFdDBZUFdkT0xtMlVpaEdDME8vN2hXeVZxTgpnalNQZzg0dVorYy92T1doV0ZBZDBxdWUvR3Nvc3dJREFRQUJBb0lDQUR4d1d4TUN5YmRuc3V3NUlobFBhWGMvCjNNYjlWblRlcDNVSXZONFE2bHUwcExsWGdJZnd1N3VmNWlTbUFMOHl2Si9HMzc4WTUvOVdSSmhSYjNHN0pMekYKc2FuRWZtZHp3ajR3N0FEVlo4cTR4SEc5VjZKWkNiY3RIdDdYaE4waWduMEJpaUR4WlFrRjh3V0swNzhvOHpXcAppK1ZDdnNvam5nYnBWZmF6eHRWWmF2aXN4cm9FQndmd1V5c0NxV1VVUjhxRjhtWFhDKzZndlB2eGdlR2JTSGpoClVXd2xQeklIdFJTT2ZudjZTKzI3ZFhSNjZyNjNJbHpjTVNzeG9iQTdWTHc4SWliS1ZQMU9SQkhmV052VEd2WnkKemVld0ZkY09lc3JOaTJPWEJaeS9ValRFZ2ZWT1lLU09Xa0hYa3d1UFhzSlNkTzFQU3IwWU5qeDdyUGJmYS9jcgpINFRTekRvdktpUEhiakdHcU9FYmZ6eXlabFJLOGpENmNFUko0SUphQ1BuczNicXF1QWZqL2IvN09uMldaNnBvCktVK1VMQzNkWFpOKzdLbjFaQmxlUFV1aWlGRTRDSDFJTml3Z0dMdGg0VzRGOVh3YjBqVFNWQkhrRVFiN2s4T0MKOVB6cVl4c3ZLUnQ1SisxVEVPZzJtK054MVZVZWZWWStweUxJZDd1RzhRQUN1aDJYNXpobTU5SDcveU9KUDZyNApLSTZnc3NMekIyVmtRamt1WHVMM2VEQ2phWkFmSTYzTWxvYWFnNXlkbXhoRndabkxscGw2TE5uMUFkSDFOT1ZaCmRBR0tHdmt3Tks5VStlRk9uSTJHY1U1YzYzKzJOZ2JoQTJXYis4S1lNRkp5M05KenVUVXNkWVdRbVVnVzczTTcKNEJUd2RxbXZkRkFlN2NLbWw0ZUJBb0lCQVFEOGJCTnRYSHVHVXc1dnJSZDVUblZPS2Fla2ZOWGJ5S29vT2U1SQpFYUxoUXQ4T1dVN1lsbTR2YU4xV2pXd3lVTFVEblBpaXIyMUZreS9pZ0p1Y0JtMFRLZjZCNUY2M0ZhVXF1VndIClZ1bnVlL3pDWTBqL3JuSEZsZWNNL2N3UU1xMmJtZGdqOUFnaWhJUU11bGo1OVo1KzBiTnpmL0Q5SXl3MHF3MVUKYkZBc3lWeis4UjluS2d1MEtONlRNYjNPZm1aZ2o4czJWZWJjTFU4RzRLR3dmYXNkbmJoUml1R21EQmVCM3NHbgpUbDJJU1dFbEhaeEhjUVErb1k4Y04wU0Q3ejBHYVpBZ1FhUmp5b21BcTRPZEMyVzVCeTVOZFA0VU1xcksvbjg2Cm9WbkNZZVZKSHYwdWRGQlJiNGNwRU16U0NTTGFFeGRNeTZvRU5ETHJkVUFoRWEyVEFvSUJBUUR2cUNEQzVNOS8KcFlUTVdLUU5Wc1VCdkIzZWQ2bko3clJYUVFZVXhJWlVCS3Y2YzhRQWhYb1h1RDZqUjZJMHBVYWJvODBDNmNvRQp0dWJmR1FYQ0g3OFpURXZzLzQzcDB4cXNPNk51NFBLWkNRMTVtTTVMVEJSSDEzb214QW9HZUZtZldRWkRHak1WCjNQMEVYc2JLV0lRbkkrR1JxVkFvREN3bTR2dmVqckswZmdsVDQwa2wzZ21tbGhkc2dKNVF1MVBnelVOa2pUVFAKRnllZXRKUVdUWHZ1QjkwUTY2Uy9ValpSZDdpZFYwMzU2ajhVbGxJdUVRZEJjSFhaNzdYTWJ4NUs4bW9QV0pzdgpwbFAwSnZTTzlXTHNrUDMzdjlPck1LajZOUGR5Y0Q3OFo1QmE5cWJldmN1c2dhU3BuUk5zR2xzRE9ZWjZmaTdUCjJYVWgxS0hPaEl4aEFvSUJBUUN2OE9UWnBVeTBJOUE4SnZubG83by84T2pZemVxQ2R5dWpQajNJSGdMWjRESjUKWGVhSE1OTThXR3R1bU1TQmpaK2VGUnQ0eWEzd2dOY3ZtVlRkTzkxckxpb25mM1pGUnVFSkZvbiswNlhhaExGNQpESnNsSEFKUkpsc1Z3eEVwZVNsbys2S2I3TXgrd3I4SDRCdUVucDhLNWorZWtkNzNranlOdVd4aEc5NEdXWlJvClhzajByMm5ZK1dPcVZWRm5UTk12R3dzWnBHWjFzVjhUL0I2M1ZlQ2ZrLytWVnFoUmhMd2QyWlpCZDIzYVFNdGwKZzI0YW5idkhxL1NFUmtHTGRJV2tvby9DNi80WlVHTG5QS1ZRSVZHVjFsdC93YndYZC9sejVFL3FIZXppZ0RuQQo3Y2lyU0lkek83bUo5aHZOaW5Dd2IvNGRtUmU0Tm1vSGxJSk9pblBoQW9JQkFEb09QSUY1OUZvenVvdldIVWV0CjhXT09NcDRsMXRlNEg2L1RiS216UWVjd2lvak5hbm5GMitITEhFRnBwUDJqM0Fyd0QwWFpaTHJubzkzL3JjbHMKNzFvdGhXY1FNVXluZXhxbUI5MWdXT1NCc09YNEFtRnpPS1orcUhTam9Ob1laWDJZajAvS0ZQNEMzcmdrVFh2UApIWlJ0dU1NVWhQcHVtSE9ESVFpMUFNMkFpcm5yb1ZpdkJSOTUxSXJRVFltNUY0U3B0TjJ5NTB3VGkrR0NWUzFoCjc5ZWx5QVBGVWMrWEZ0bDlheGVTZ3EwNzliUURCajFxbXB0YnB2RDRoTTNWVFQxU3BDYTdqRHhxeW9PbXZDKzEKZWhWY3Vtazk2d1RaY05YTDV2V3VBMVFac25xV3JhM2Z4R3N4ckxYNSt5NkE0L05RQ0NlOFVaTzRaZ3VmK3VLUQpjWUVDZ2dFQWNuRERrQXFXdlFCMHBmS2F3dHV4dHk5aklOZlE5R1FiTXNlaFlMbGZRVDV2MGJvZFlta2E0RFRpClJBdEhwMnZoYTdPR005K1B6TlFDL1JVWGdEaGhsNkFHUWdHREhkVGJVTmJGUjFDWk1WZnlJbndxODBVN2hyVmgKRHFQN2U2MkFwbEVpaFhzbUNzdWRReXE1d2xxbEJsakpvVWVDSG9Ycm1HeEU1VzR0dE9oZkxNT3BoeFl2SGE5QQo1Z25GaWtUdmoyMURKN1c0Z3BKQTFBWUY2VnNqYXZmNjJEYW5LSXR3b05MYjRJVVg5SENiYmtqc015bUhxMThlCnoyVjk4NmhJTmlSTDlwSHpQeGRINlJMdTJKWW1QUkdNRnNDWEVQUXF1NTZhZGpuWnQrSFcraytpcUZhZEhDZEMKcXhhYlJYRk56aEJtL294OUY3UjhUcGJCckVNZnJnPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=</prv>
+  </cert>
+  <staticroutes version="1.0.0"/>
+</opnsense>

From 65b0013ff63e7ef3802235e2bc08767a0248e2a4 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Tue, 19 Jan 2021 00:29:59 +0100
Subject: [PATCH 03/15] Initial wizard with default answers

---
 templates/conf/config.xml.j2 | 26 +++++++++++++-------------
 1 file changed, 13 insertions(+), 13 deletions(-)

diff --git a/templates/conf/config.xml.j2 b/templates/conf/config.xml.j2
index 86e1791..2e82a13 100644
--- a/templates/conf/config.xml.j2
+++ b/templates/conf/config.xml.j2
@@ -1,6 +1,5 @@
 <?xml version="1.0"?>
 <opnsense>
-  <trigger_initial_wizard/>
   <theme>opnsense</theme>
   <sysctl>
     <item>
@@ -210,7 +209,7 @@
     <optimization>normal</optimization>
     <hostname>OPNsense</hostname>
     <domain>localdomain</domain>
-    <dnsallowoverride/>
+    <dnsallowoverride>on</dnsallowoverride>
     <group>
       <name>admins</name>
       <description>System Administrators</description>
@@ -266,18 +265,16 @@
         <backupdir>OPNsense-Backup</backupdir>
       </nextcloud>
     </backup>
+    <language>en_US</language>
   </system>
   <interfaces>
     <wan>
       <enable>1</enable>
       <if>vtnet0</if>
-      <mtu/>
       <ipaddr>dhcp</ipaddr>
       <ipaddrv6>dhcp6</ipaddrv6>
-      <subnet/>
       <gateway/>
-      <blockbogons>1</blockbogons>
-      <dhcphostname/>
+      <blockbogons>on</blockbogons>
       <media/>
       <mediaopt/>
       <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
@@ -297,7 +294,7 @@
   </interfaces>
   <dhcpd/>
   <unbound>
-    <enable>1</enable>
+    <enable>on</enable>
   </unbound>
   <snmpd>
     <syslocation/>
@@ -387,9 +384,9 @@
     <column_count>2</column_count>
   </widgets>
   <revision>
-    <username>(system)</username>
-    <time>1611012282.1013</time>
-    <description>/usr/local/opnsense/mvc/script/run_migrations.php made changes</description>
+    <username>root@172.29.1.50</username>
+    <time>1611012531.7594</time>
+    <description>/wizard.php made changes</description>
   </revision>
   <OPNsense>
     <Firewall>
@@ -447,8 +444,8 @@
       </general>
     </IDS>
     <Interfaces>
-      <vxlans version="1.0.1"/>
-      <loopbacks version="1.0.0"/>
+      <vxlans/>
+      <loopbacks/>
     </Interfaces>
     <monit version="1.0.8">
       <general>
@@ -772,5 +769,8 @@
     <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdYVENDQkVXZ0F3SUJBZ0lVYm9ZdWRwY0ZqQkkxaVFBcXEvc0cxM25kNUNrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1RqRUxNQWtHQTFVRUJoTUNUa3d4RlRBVEJnTlZCQWdNREZwMWFXUXRTRzlzYkdGdVpERVZNQk1HQTFVRQpCd3dNVFdsa1pHVnNhR0Z5Ym1sek1SRXdEd1lEVlFRS0RBaFBVRTV6Wlc1elpUQWVGdzB5TVRBeE1UZ3lNekU1Ck1EUmFGdzB5TXpBME1qTXlNekU1TURSYU1FNHhDekFKQmdOVkJBWVRBazVNTVJVd0V3WURWUVFJREF4YWRXbGsKTFVodmJHeGhibVF4RlRBVEJnTlZCQWNNREUxcFpHUmxiR2hoY201cGN6RVJNQThHQTFVRUNnd0lUMUJPYzJWdQpjMlV3Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRHNUcTFkaHcxQ2RTVnFzZzJwCkYxa3p5MmJFY0Q3VnRqVWszd0owdGMvZXdHRjRRcDRJWTRMei9YWVEzUHhpS2laWG1LQ2pIeXhEaWllL2xKbGkKdXpnY1FzOG1YZ1ZnQ1c4UDF4cFRpRVdsS3JoWk9ER1p6a1h6cy9rMzUyQkNGeVhHOFJ4NXZ3ZWtpQ3ZxbGQvMQpNcGF3Y090TmVQMlp0Y2NLaDBTVElmV1NHaGN2YnRiMWtLWGNRSThnQWtRNzlKYmdHMUpROTVEbTN4aklXcUFMCk1vWHB1cktIYXQ0czRvS2RtMjRuU3d4ZkRDelc3QnBxZ25IZmFxb2d1ZWw4YlM4QXA1dWNuUEF6MnNGNTFoS1AKRXRQeVoxN2hrNllQeENqVC9Vak9oZDRtL1hMaDFRaXNDVUVqQlNUZkFpNm84OGxwTDV2TzAxQWdUUVpsQXd2TQpnYTF6MzJuQ3FCSFhONFU0VXp5RHl6bkw1WXRNbzJqcTBkVEFwa3EwUUJNNWQyNG0xK3hnR3B2WEhKclU4VWxxCmF4SzFObXJVTllZdjFJZGdPYTBTRktoMXM0c2U1MHlSbEJOaFVBK01BVFpiVlFwdUJET1h3WGZ6ejAvUXNjMFAKK3loK2pSZTBWUWpCMWwyUzBVOTRzd1VtMDFua3hRY21Zb2JlWEJDTUhET2NrRWZuS00wa3ZaeHFmSERXOWtaLwpVT2tYWXA2OXpTZkV1K09zQVE5aDlENzRXT0lJeDFPYXg4Zy8xd0laWlBlajVCQjNaanhtcEc1N1RzNU5jWDJlCmN3enVkYkxGaHcrK3lOVUVGMGZNVk9hcmJpTUxTTzVFOWNFdDBZUFdkT0xtMlVpaEdDME8vN2hXeVZxTmdqU1AKZzg0dVorYy92T1doV0ZBZDBxdWUvR3Nvc3dJREFRQUJvNElCTVRDQ0FTMHdDUVlEVlIwVEJBSXdBREFSQmdsZwpoa2dCaHZoQ0FRRUVCQU1DQmtBd05BWUpZSVpJQVliNFFnRU5CQ2NXSlU5UVRuTmxibk5sSUVkbGJtVnlZWFJsClpDQlRaWEoyWlhJZ1EyVnlkR2xtYVdOaGRHVXdIUVlEVlIwT0JCWUVGQ1BHYXNFZy81a3dialNtdnBnODdmZGIKZTBLNU1JR0xCZ05WSFNNRWdZTXdnWUNBRkNQR2FzRWcvNWt3YmpTbXZwZzg3ZmRiZTBLNW9WS2tVREJPTVFzdwpDUVlEVlFRR0V3Sk9UREVWTUJNR0ExVUVDQXdNV25WcFpDMUliMnhzWVc1a01SVXdFd1lEVlFRSERBeE5hV1JrClpXeG9ZWEp1YVhNeEVUQVBCZ05WQkFvTUNFOVFUbk5sYm5ObGdoUnVoaTUybHdXTUVqV0pBQ3FyK3diWGVkM2sKS1RBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSUFnSXdDd1lEVlIwUEJBUURBZ1dnTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQ1pOcGlrNE5yZXNJcWoyOXBUZzFaVDRqcDloN1RoVEVidG5kYUoweWJ5ClJDK0FPUlJhVXNPRmF1cDdDcExtNVZoVkN1cXRYZmVGbEIwUDZheHNNZFZ2eXBDdFlMenVJeWs0Z3lhVHBrem4KYVJyNlFQK0xTVGkrVzdtQ3N1ZGV4dWNRU1cvaENEMDdzOWd5MWZmOTRUVlZhTHBpYlhvdG8yWDJSMDlQTXkzUgozVnQ2YnZYUSs0NHl3R3Q5d2ZralV5S0w2RXBWUHBxdURiU2FjVGxpdWtLSVJtbFNjM1huR0k0UjVINXpybWxLCjVOZUdkQmI0NzEwcCt6QXlpMytEVkJWdGtwSWJsaVZBTC9OTEg1WWlIZzNBckVxSWtxK0FUb3BZdU9CVHY2S1IKdFdtTXFkUzlxa2xBRzYwdHpob0lZc2V5V1E0aWd4VmJrSFE4cVpPRG1OU3pISTJ1c0lMYkxIaFIvUFIxTkR1awpIeHRoNHRmbklXaFc4aU1lbk9Wd0FFaXhVZnZ1ZVRNc29hUGRzNVgwY1drbFhhZ04vSTFVdGdRc3k3ZExsS01iCjRDT1FrZVYwVEplcDYxZlBCRFNkbXUxeDRncDh0ZUkzcnFIelI0QWlBNkszR2pLSEwxMk1Rdlg5ZGRmeU9wZjgKckVpN3A4WFlqaWZuMS92RWhJdkwvODVGRklPVThvbThHRDk0ZWZTYy9JSjNIb2xReFk2NFR4VkI0clRCWmlqbApuQTF2QUd5SUlmMDBxTzRGZkY5c3J0cElLV3llYXZ1UzJDc0JIellLSktJR0tmbXNubzZlb3lHc2Y2SVlyNnM2ClRnZm94VVdSZGdXRmlkUjc2SFVUVzRaTHc3WjJQQ1FLVmJsQUt3cEM2M2E4bW5KSkIwWEl3MkZERFJaMXk1UkYKWkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
     <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRRHNUcTFkaHcxQ2RTVnEKc2cycEYxa3p5MmJFY0Q3VnRqVWszd0owdGMvZXdHRjRRcDRJWTRMei9YWVEzUHhpS2laWG1LQ2pIeXhEaWllLwpsSmxpdXpnY1FzOG1YZ1ZnQ1c4UDF4cFRpRVdsS3JoWk9ER1p6a1h6cy9rMzUyQkNGeVhHOFJ4NXZ3ZWtpQ3ZxCmxkLzFNcGF3Y090TmVQMlp0Y2NLaDBTVElmV1NHaGN2YnRiMWtLWGNRSThnQWtRNzlKYmdHMUpROTVEbTN4akkKV3FBTE1vWHB1cktIYXQ0czRvS2RtMjRuU3d4ZkRDelc3QnBxZ25IZmFxb2d1ZWw4YlM4QXA1dWNuUEF6MnNGNQoxaEtQRXRQeVoxN2hrNllQeENqVC9Vak9oZDRtL1hMaDFRaXNDVUVqQlNUZkFpNm84OGxwTDV2TzAxQWdUUVpsCkF3dk1nYTF6MzJuQ3FCSFhONFU0VXp5RHl6bkw1WXRNbzJqcTBkVEFwa3EwUUJNNWQyNG0xK3hnR3B2WEhKclUKOFVscWF4SzFObXJVTllZdjFJZGdPYTBTRktoMXM0c2U1MHlSbEJOaFVBK01BVFpiVlFwdUJET1h3WGZ6ejAvUQpzYzBQK3loK2pSZTBWUWpCMWwyUzBVOTRzd1VtMDFua3hRY21Zb2JlWEJDTUhET2NrRWZuS00wa3ZaeHFmSERXCjlrWi9VT2tYWXA2OXpTZkV1K09zQVE5aDlENzRXT0lJeDFPYXg4Zy8xd0laWlBlajVCQjNaanhtcEc1N1RzNU4KY1gyZWN3enVkYkxGaHcrK3lOVUVGMGZNVk9hcmJpTUxTTzVFOWNFdDBZUFdkT0xtMlVpaEdDME8vN2hXeVZxTgpnalNQZzg0dVorYy92T1doV0ZBZDBxdWUvR3Nvc3dJREFRQUJBb0lDQUR4d1d4TUN5YmRuc3V3NUlobFBhWGMvCjNNYjlWblRlcDNVSXZONFE2bHUwcExsWGdJZnd1N3VmNWlTbUFMOHl2Si9HMzc4WTUvOVdSSmhSYjNHN0pMekYKc2FuRWZtZHp3ajR3N0FEVlo4cTR4SEc5VjZKWkNiY3RIdDdYaE4waWduMEJpaUR4WlFrRjh3V0swNzhvOHpXcAppK1ZDdnNvam5nYnBWZmF6eHRWWmF2aXN4cm9FQndmd1V5c0NxV1VVUjhxRjhtWFhDKzZndlB2eGdlR2JTSGpoClVXd2xQeklIdFJTT2ZudjZTKzI3ZFhSNjZyNjNJbHpjTVNzeG9iQTdWTHc4SWliS1ZQMU9SQkhmV052VEd2WnkKemVld0ZkY09lc3JOaTJPWEJaeS9ValRFZ2ZWT1lLU09Xa0hYa3d1UFhzSlNkTzFQU3IwWU5qeDdyUGJmYS9jcgpINFRTekRvdktpUEhiakdHcU9FYmZ6eXlabFJLOGpENmNFUko0SUphQ1BuczNicXF1QWZqL2IvN09uMldaNnBvCktVK1VMQzNkWFpOKzdLbjFaQmxlUFV1aWlGRTRDSDFJTml3Z0dMdGg0VzRGOVh3YjBqVFNWQkhrRVFiN2s4T0MKOVB6cVl4c3ZLUnQ1SisxVEVPZzJtK054MVZVZWZWWStweUxJZDd1RzhRQUN1aDJYNXpobTU5SDcveU9KUDZyNApLSTZnc3NMekIyVmtRamt1WHVMM2VEQ2phWkFmSTYzTWxvYWFnNXlkbXhoRndabkxscGw2TE5uMUFkSDFOT1ZaCmRBR0tHdmt3Tks5VStlRk9uSTJHY1U1YzYzKzJOZ2JoQTJXYis4S1lNRkp5M05KenVUVXNkWVdRbVVnVzczTTcKNEJUd2RxbXZkRkFlN2NLbWw0ZUJBb0lCQVFEOGJCTnRYSHVHVXc1dnJSZDVUblZPS2Fla2ZOWGJ5S29vT2U1SQpFYUxoUXQ4T1dVN1lsbTR2YU4xV2pXd3lVTFVEblBpaXIyMUZreS9pZ0p1Y0JtMFRLZjZCNUY2M0ZhVXF1VndIClZ1bnVlL3pDWTBqL3JuSEZsZWNNL2N3UU1xMmJtZGdqOUFnaWhJUU11bGo1OVo1KzBiTnpmL0Q5SXl3MHF3MVUKYkZBc3lWeis4UjluS2d1MEtONlRNYjNPZm1aZ2o4czJWZWJjTFU4RzRLR3dmYXNkbmJoUml1R21EQmVCM3NHbgpUbDJJU1dFbEhaeEhjUVErb1k4Y04wU0Q3ejBHYVpBZ1FhUmp5b21BcTRPZEMyVzVCeTVOZFA0VU1xcksvbjg2Cm9WbkNZZVZKSHYwdWRGQlJiNGNwRU16U0NTTGFFeGRNeTZvRU5ETHJkVUFoRWEyVEFvSUJBUUR2cUNEQzVNOS8KcFlUTVdLUU5Wc1VCdkIzZWQ2bko3clJYUVFZVXhJWlVCS3Y2YzhRQWhYb1h1RDZqUjZJMHBVYWJvODBDNmNvRQp0dWJmR1FYQ0g3OFpURXZzLzQzcDB4cXNPNk51NFBLWkNRMTVtTTVMVEJSSDEzb214QW9HZUZtZldRWkRHak1WCjNQMEVYc2JLV0lRbkkrR1JxVkFvREN3bTR2dmVqckswZmdsVDQwa2wzZ21tbGhkc2dKNVF1MVBnelVOa2pUVFAKRnllZXRKUVdUWHZ1QjkwUTY2Uy9ValpSZDdpZFYwMzU2ajhVbGxJdUVRZEJjSFhaNzdYTWJ4NUs4bW9QV0pzdgpwbFAwSnZTTzlXTHNrUDMzdjlPck1LajZOUGR5Y0Q3OFo1QmE5cWJldmN1c2dhU3BuUk5zR2xzRE9ZWjZmaTdUCjJYVWgxS0hPaEl4aEFvSUJBUUN2OE9UWnBVeTBJOUE4SnZubG83by84T2pZemVxQ2R5dWpQajNJSGdMWjRESjUKWGVhSE1OTThXR3R1bU1TQmpaK2VGUnQ0eWEzd2dOY3ZtVlRkTzkxckxpb25mM1pGUnVFSkZvbiswNlhhaExGNQpESnNsSEFKUkpsc1Z3eEVwZVNsbys2S2I3TXgrd3I4SDRCdUVucDhLNWorZWtkNzNranlOdVd4aEc5NEdXWlJvClhzajByMm5ZK1dPcVZWRm5UTk12R3dzWnBHWjFzVjhUL0I2M1ZlQ2ZrLytWVnFoUmhMd2QyWlpCZDIzYVFNdGwKZzI0YW5idkhxL1NFUmtHTGRJV2tvby9DNi80WlVHTG5QS1ZRSVZHVjFsdC93YndYZC9sejVFL3FIZXppZ0RuQQo3Y2lyU0lkek83bUo5aHZOaW5Dd2IvNGRtUmU0Tm1vSGxJSk9pblBoQW9JQkFEb09QSUY1OUZvenVvdldIVWV0CjhXT09NcDRsMXRlNEg2L1RiS216UWVjd2lvak5hbm5GMitITEhFRnBwUDJqM0Fyd0QwWFpaTHJubzkzL3JjbHMKNzFvdGhXY1FNVXluZXhxbUI5MWdXT1NCc09YNEFtRnpPS1orcUhTam9Ob1laWDJZajAvS0ZQNEMzcmdrVFh2UApIWlJ0dU1NVWhQcHVtSE9ESVFpMUFNMkFpcm5yb1ZpdkJSOTUxSXJRVFltNUY0U3B0TjJ5NTB3VGkrR0NWUzFoCjc5ZWx5QVBGVWMrWEZ0bDlheGVTZ3EwNzliUURCajFxbXB0YnB2RDRoTTNWVFQxU3BDYTdqRHhxeW9PbXZDKzEKZWhWY3Vtazk2d1RaY05YTDV2V3VBMVFac25xV3JhM2Z4R3N4ckxYNSt5NkE0L05RQ0NlOFVaTzRaZ3VmK3VLUQpjWUVDZ2dFQWNuRERrQXFXdlFCMHBmS2F3dHV4dHk5aklOZlE5R1FiTXNlaFlMbGZRVDV2MGJvZFlta2E0RFRpClJBdEhwMnZoYTdPR005K1B6TlFDL1JVWGdEaGhsNkFHUWdHREhkVGJVTmJGUjFDWk1WZnlJbndxODBVN2hyVmgKRHFQN2U2MkFwbEVpaFhzbUNzdWRReXE1d2xxbEJsakpvVWVDSG9Ycm1HeEU1VzR0dE9oZkxNT3BoeFl2SGE5QQo1Z25GaWtUdmoyMURKN1c0Z3BKQTFBWUY2VnNqYXZmNjJEYW5LSXR3b05MYjRJVVg5SENiYmtqc015bUhxMThlCnoyVjk4NmhJTmlSTDlwSHpQeGRINlJMdTJKWW1QUkdNRnNDWEVQUXF1NTZhZGpuWnQrSFcraytpcUZhZEhDZEMKcXhhYlJYRk56aEJtL294OUY3UjhUcGJCckVNZnJnPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=</prv>
   </cert>
-  <staticroutes version="1.0.0"/>
+  <staticroutes/>
+  <ppps>
+    <ppp/>
+  </ppps>
 </opnsense>

From 6a0c3556bddbb8f57eed629013adb21a434496ba Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Mon, 25 Jan 2021 23:53:09 +0100
Subject: [PATCH 04/15] Implement faster xml_template mode using NetBox
 inventory. Closes: #40

* A concept how users can make changes to the template and still receive
  updates to it is not clear yet. For now it is expected that you copy
  the template into the git repo where your Ansible inventory lives and
  make changes there.

* Set the device file (fetched) to read only to prevent user edits

  A common way to develop the Jinja2 template is to configure a
  OPNsense, fetch the config and then diff it (using git). Then you
  might copy parts over to the template. When you have multiple files
  (all XML), you might confuse one for the other. Setting all such files
  that are not the template (which is meant to be edited) to read only
  helps to notice such mistakes earlier.

* The file copyright style complies with https://reuse.software/
---
 .gitignore                                    |   9 +
 LICENSES/Apache-2.0.txt                       | 183 ++++++++++++++
 LICENSES/CC0-1.0.txt                          | 121 ++++++++++
 README.md                                     |   6 +-
 defaults/main.yml                             |  18 +-
 docs/netbox_inventory_config.yml              |  28 +++
 lookup_plugins/xmlfile.py                     |  89 +++++++
 tasks/fetch.yml                               |  37 ++-
 tasks/main.yml                                |  55 ++++-
 .../{config.xml.j2 => config_netbox.xml.j2}   | 227 +++++++++++++-----
 10 files changed, 707 insertions(+), 66 deletions(-)
 create mode 100644 LICENSES/Apache-2.0.txt
 create mode 100644 LICENSES/CC0-1.0.txt
 create mode 100644 docs/netbox_inventory_config.yml
 create mode 100644 lookup_plugins/xmlfile.py
 rename templates/conf/{config.xml.j2 => config_netbox.xml.j2} (70%)

diff --git a/.gitignore b/.gitignore
index 26b4155..513fedd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,11 @@
+# SPDX-FileCopyrightText: 2021 Robin Schneider <ypid@riseup.net>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
 .*.swp
 test/cfg/*.xml
diff --git a/LICENSES/Apache-2.0.txt b/LICENSES/Apache-2.0.txt
new file mode 100644
index 0000000..9a4104b
--- /dev/null
+++ b/LICENSES/Apache-2.0.txt
@@ -0,0 +1,183 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+1. Definitions.
+
+"License" shall mean the terms and conditions for use, reproduction, and distribution
+as defined by Sections 1 through 9 of this document.
+
+"Licensor" shall mean the copyright owner or entity authorized by the copyright
+owner that is granting the License.
+
+"Legal Entity" shall mean the union of the acting entity and all other entities
+that control, are controlled by, or are under common control with that entity.
+For the purposes of this definition, "control" means (i) the power, direct
+or indirect, to cause the direction or management of such entity, whether
+by contract or otherwise, or (ii) ownership of fifty percent (50%) or more
+of the outstanding shares, or (iii) beneficial ownership of such entity.
+
+"You" (or "Your") shall mean an individual or Legal Entity exercising permissions
+granted by this License.
+
+"Source" form shall mean the preferred form for making modifications, including
+but not limited to software source code, documentation source, and configuration
+files.
+
+"Object" form shall mean any form resulting from mechanical transformation
+or translation of a Source form, including but not limited to compiled object
+code, generated documentation, and conversions to other media types.
+
+"Work" shall mean the work of authorship, whether in Source or Object form,
+made available under the License, as indicated by a copyright notice that
+is included in or attached to the work (an example is provided in the Appendix
+below).
+
+"Derivative Works" shall mean any work, whether in Source or Object form,
+that is based on (or derived from) the Work and for which the editorial revisions,
+annotations, elaborations, or other modifications represent, as a whole, an
+original work of authorship. For the purposes of this License, Derivative
+Works shall not include works that remain separable from, or merely link (or
+bind by name) to the interfaces of, the Work and Derivative Works thereof.
+
+"Contribution" shall mean any work of authorship, including the original version
+of the Work and any modifications or additions to that Work or Derivative
+Works thereof, that is intentionally submitted to Licensor for inclusion in
+the Work by the copyright owner or by an individual or Legal Entity authorized
+to submit on behalf of the copyright owner. For the purposes of this definition,
+"submitted" means any form of electronic, verbal, or written communication
+sent to the Licensor or its representatives, including but not limited to
+communication on electronic mailing lists, source code control systems, and
+issue tracking systems that are managed by, or on behalf of, the Licensor
+for the purpose of discussing and improving the Work, but excluding communication
+that is conspicuously marked or otherwise designated in writing by the copyright
+owner as "Not a Contribution."
+
+"Contributor" shall mean Licensor and any individual or Legal Entity on behalf
+of whom a Contribution has been received by Licensor and subsequently incorporated
+within the Work.
+
+2. Grant of Copyright License. Subject to the terms and conditions of this
+License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable copyright license to reproduce, prepare
+Derivative Works of, publicly display, publicly perform, sublicense, and distribute
+the Work and such Derivative Works in Source or Object form.
+
+3. Grant of Patent License. Subject to the terms and conditions of this License,
+each Contributor hereby grants to You a perpetual, worldwide, non-exclusive,
+no-charge, royalty-free, irrevocable (except as stated in this section) patent
+license to make, have made, use, offer to sell, sell, import, and otherwise
+transfer the Work, where such license applies only to those patent claims
+licensable by such Contributor that are necessarily infringed by their Contribution(s)
+alone or by combination of their Contribution(s) with the Work to which such
+Contribution(s) was submitted. If You institute patent litigation against
+any entity (including a cross-claim or counterclaim in a lawsuit) alleging
+that the Work or a Contribution incorporated within the Work constitutes direct
+or contributory patent infringement, then any patent licenses granted to You
+under this License for that Work shall terminate as of the date such litigation
+is filed.
+
+4. Redistribution. You may reproduce and distribute copies of the Work or
+Derivative Works thereof in any medium, with or without modifications, and
+in Source or Object form, provided that You meet the following conditions:
+
+(a) You must give any other recipients of the Work or Derivative Works a copy
+of this License; and
+
+(b) You must cause any modified files to carry prominent notices stating that
+You changed the files; and
+
+(c) You must retain, in the Source form of any Derivative Works that You distribute,
+all copyright, patent, trademark, and attribution notices from the Source
+form of the Work, excluding those notices that do not pertain to any part
+of the Derivative Works; and
+
+(d) If the Work includes a "NOTICE" text file as part of its distribution,
+then any Derivative Works that You distribute must include a readable copy
+of the attribution notices contained within such NOTICE file, excluding those
+notices that do not pertain to any part of the Derivative Works, in at least
+one of the following places: within a NOTICE text file distributed as part
+of the Derivative Works; within the Source form or documentation, if provided
+along with the Derivative Works; or, within a display generated by the Derivative
+Works, if and wherever such third-party notices normally appear. The contents
+of the NOTICE file are for informational purposes only and do not modify the
+License. You may add Your own attribution notices within Derivative Works
+that You distribute, alongside or as an addendum to the NOTICE text from the
+Work, provided that such additional attribution notices cannot be construed
+as modifying the License.
+
+You may add Your own copyright statement to Your modifications and may provide
+additional or different license terms and conditions for use, reproduction,
+or distribution of Your modifications, or for any such Derivative Works as
+a whole, provided Your use, reproduction, and distribution of the Work otherwise
+complies with the conditions stated in this License.
+
+5. Submission of Contributions. Unless You explicitly state otherwise, any
+Contribution intentionally submitted for inclusion in the Work by You to the
+Licensor shall be under the terms and conditions of this License, without
+any additional terms or conditions. Notwithstanding the above, nothing herein
+shall supersede or modify the terms of any separate license agreement you
+may have executed with Licensor regarding such Contributions.
+
+6. Trademarks. This License does not grant permission to use the trade names,
+trademarks, service marks, or product names of the Licensor, except as required
+for reasonable and customary use in describing the origin of the Work and
+reproducing the content of the NOTICE file.
+
+7. Disclaimer of Warranty. Unless required by applicable law or agreed to
+in writing, Licensor provides the Work (and each Contributor provides its
+Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+KIND, either express or implied, including, without limitation, any warranties
+or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR
+A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness
+of using or redistributing the Work and assume any risks associated with Your
+exercise of permissions under this License.
+
+8. Limitation of Liability. In no event and under no legal theory, whether
+in tort (including negligence), contract, or otherwise, unless required by
+applicable law (such as deliberate and grossly negligent acts) or agreed to
+in writing, shall any Contributor be liable to You for damages, including
+any direct, indirect, special, incidental, or consequential damages of any
+character arising as a result of this License or out of the use or inability
+to use the Work (including but not limited to damages for loss of goodwill,
+work stoppage, computer failure or malfunction, or any and all other commercial
+damages or losses), even if such Contributor has been advised of the possibility
+of such damages.
+
+9. Accepting Warranty or Additional Liability. While redistributing the Work
+or Derivative Works thereof, You may choose to offer, and charge a fee for,
+acceptance of support, warranty, indemnity, or other liability obligations
+and/or rights consistent with this License. However, in accepting such obligations,
+You may act only on Your own behalf and on Your sole responsibility, not on
+behalf of any other Contributor, and only if You agree to indemnify, defend,
+and hold each Contributor harmless for any liability incurred by, or claims
+asserted against, such Contributor by reason of your accepting any such warranty
+or additional liability.
+
+END OF TERMS AND CONDITIONS
+
+APPENDIX: How to apply the Apache License to your work.
+
+To apply the Apache License to your work, attach the following boilerplate
+notice, with the fields enclosed by brackets "[]" replaced with your own identifying
+information. (Don't include the brackets!)  The text should be enclosed in
+the appropriate comment syntax for the file format. We also recommend that
+a file or class name and description of purpose be included on the same "printed
+page" as the copyright notice for easier identification within third-party
+archives.
+
+Copyright [yyyy] [name of copyright owner]
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
diff --git a/LICENSES/CC0-1.0.txt b/LICENSES/CC0-1.0.txt
new file mode 100644
index 0000000..0e259d4
--- /dev/null
+++ b/LICENSES/CC0-1.0.txt
@@ -0,0 +1,121 @@
+Creative Commons Legal Code
+
+CC0 1.0 Universal
+
+    CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
+    LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
+    ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
+    INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
+    REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
+    PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
+    THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
+    HEREUNDER.
+
+Statement of Purpose
+
+The laws of most jurisdictions throughout the world automatically confer
+exclusive Copyright and Related Rights (defined below) upon the creator
+and subsequent owner(s) (each and all, an "owner") of an original work of
+authorship and/or a database (each, a "Work").
+
+Certain owners wish to permanently relinquish those rights to a Work for
+the purpose of contributing to a commons of creative, cultural and
+scientific works ("Commons") that the public can reliably and without fear
+of later claims of infringement build upon, modify, incorporate in other
+works, reuse and redistribute as freely as possible in any form whatsoever
+and for any purposes, including without limitation commercial purposes.
+These owners may contribute to the Commons to promote the ideal of a free
+culture and the further production of creative, cultural and scientific
+works, or to gain reputation or greater distribution for their Work in
+part through the use and efforts of others.
+
+For these and/or other purposes and motivations, and without any
+expectation of additional consideration or compensation, the person
+associating CC0 with a Work (the "Affirmer"), to the extent that he or she
+is an owner of Copyright and Related Rights in the Work, voluntarily
+elects to apply CC0 to the Work and publicly distribute the Work under its
+terms, with knowledge of his or her Copyright and Related Rights in the
+Work and the meaning and intended legal effect of CC0 on those rights.
+
+1. Copyright and Related Rights. A Work made available under CC0 may be
+protected by copyright and related or neighboring rights ("Copyright and
+Related Rights"). Copyright and Related Rights include, but are not
+limited to, the following:
+
+  i. the right to reproduce, adapt, distribute, perform, display,
+     communicate, and translate a Work;
+ ii. moral rights retained by the original author(s) and/or performer(s);
+iii. publicity and privacy rights pertaining to a person's image or
+     likeness depicted in a Work;
+ iv. rights protecting against unfair competition in regards to a Work,
+     subject to the limitations in paragraph 4(a), below;
+  v. rights protecting the extraction, dissemination, use and reuse of data
+     in a Work;
+ vi. database rights (such as those arising under Directive 96/9/EC of the
+     European Parliament and of the Council of 11 March 1996 on the legal
+     protection of databases, and under any national implementation
+     thereof, including any amended or successor version of such
+     directive); and
+vii. other similar, equivalent or corresponding rights throughout the
+     world based on applicable law or treaty, and any national
+     implementations thereof.
+
+2. Waiver. To the greatest extent permitted by, but not in contravention
+of, applicable law, Affirmer hereby overtly, fully, permanently,
+irrevocably and unconditionally waives, abandons, and surrenders all of
+Affirmer's Copyright and Related Rights and associated claims and causes
+of action, whether now known or unknown (including existing as well as
+future claims and causes of action), in the Work (i) in all territories
+worldwide, (ii) for the maximum duration provided by applicable law or
+treaty (including future time extensions), (iii) in any current or future
+medium and for any number of copies, and (iv) for any purpose whatsoever,
+including without limitation commercial, advertising or promotional
+purposes (the "Waiver"). Affirmer makes the Waiver for the benefit of each
+member of the public at large and to the detriment of Affirmer's heirs and
+successors, fully intending that such Waiver shall not be subject to
+revocation, rescission, cancellation, termination, or any other legal or
+equitable action to disrupt the quiet enjoyment of the Work by the public
+as contemplated by Affirmer's express Statement of Purpose.
+
+3. Public License Fallback. Should any part of the Waiver for any reason
+be judged legally invalid or ineffective under applicable law, then the
+Waiver shall be preserved to the maximum extent permitted taking into
+account Affirmer's express Statement of Purpose. In addition, to the
+extent the Waiver is so judged Affirmer hereby grants to each affected
+person a royalty-free, non transferable, non sublicensable, non exclusive,
+irrevocable and unconditional license to exercise Affirmer's Copyright and
+Related Rights in the Work (i) in all territories worldwide, (ii) for the
+maximum duration provided by applicable law or treaty (including future
+time extensions), (iii) in any current or future medium and for any number
+of copies, and (iv) for any purpose whatsoever, including without
+limitation commercial, advertising or promotional purposes (the
+"License"). The License shall be deemed effective as of the date CC0 was
+applied by Affirmer to the Work. Should any part of the License for any
+reason be judged legally invalid or ineffective under applicable law, such
+partial invalidity or ineffectiveness shall not invalidate the remainder
+of the License, and in such case Affirmer hereby affirms that he or she
+will not (i) exercise any of his or her remaining Copyright and Related
+Rights in the Work or (ii) assert any associated claims and causes of
+action with respect to the Work, in either case contrary to Affirmer's
+express Statement of Purpose.
+
+4. Limitations and Disclaimers.
+
+ a. No trademark or patent rights held by Affirmer are waived, abandoned,
+    surrendered, licensed or otherwise affected by this document.
+ b. Affirmer offers the Work as-is and makes no representations or
+    warranties of any kind concerning the Work, express, implied,
+    statutory or otherwise, including without limitation warranties of
+    title, merchantability, fitness for a particular purpose, non
+    infringement, or the absence of latent or other defects, accuracy, or
+    the present or absence of errors, whether or not discoverable, all to
+    the greatest extent permissible under applicable law.
+ c. Affirmer disclaims responsibility for clearing rights of other persons
+    that may apply to the Work or any use thereof, including without
+    limitation any person's Copyright and Related Rights in the Work.
+    Further, Affirmer disclaims responsibility for obtaining any necessary
+    consents, permissions or other rights required for any use of the
+    Work.
+ d. Affirmer understands and acknowledges that Creative Commons is not a
+    party to this document and has no duty or obligation with respect to
+    this CC0 or use of the Work.
diff --git a/README.md b/README.md
index eaee457..344e8f8 100644
--- a/README.md
+++ b/README.md
@@ -22,11 +22,11 @@ We try to provide some example variable definitions in the coresponding task and
 
 ## Dependencies
 
-    sudo apt install python3-lxml
+    sudo apt install python3-lxml python3-defusedxml
 
 or
 
-    pip install lxml
+    pip install lxml defusedxml
 
 
 ### optional
@@ -79,4 +79,4 @@ Apache 2.0
   * Klaus Zerwes - https://github.com/zerwes
   * Jonybat - https://github.com/Jonybat
   * fnateghi - https://github.com/fnateghi
-
+  * Robin Schneider - https://me.ypid.de/
diff --git a/defaults/main.yml b/defaults/main.yml
index 05d5b62..a15a022 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,9 +1,12 @@
 ---
 
-# remote path of the config
+# Remote path of the config.
 config_path: /conf/config.xml
 
-# local path for the config
+# Where the unaltered device config gets fetched to. Not changed within one role run.
+local_config_path_fetch: /tmp/config-{{ inventory_hostname }}.xml
+
+# Local path for the config.
 local_config_path: /tmp/config-{{ inventory_hostname }}.xml
 
 # list of keys per task to sort values
@@ -54,4 +57,15 @@ opn_cron_jobs_defaults:
   who: root
   parameters:
 
+# `xml_patch` and `xml_template` are supported.
+opnsense_mode: 'xml_patch'
+
+# The config.xml template to use when in `xml_template` mode.
+opnsense_template: 'conf/config_netbox.xml.j2'
+
+# In `xml_template` mode you could have the concept of a leader Firewall from
+# which certain config parts are included into generated configuration. See
+# ../templates/conf/config_netbox.xml.j2.
+local_config_path_leader: '{{ (inventory_dir + "/../..") | realpath }}/opnsense/leader-fw.example.net/config_device.xml'
+
 ...
diff --git a/docs/netbox_inventory_config.yml b/docs/netbox_inventory_config.yml
new file mode 100644
index 0000000..69e573a
--- /dev/null
+++ b/docs/netbox_inventory_config.yml
@@ -0,0 +1,28 @@
+---
+# SPDX-FileCopyrightText: 2021 Robin Schneider <ypid@riseup.net>
+#
+# SPDX-License-Identifier: CC0-1.0
+
+# Config that works together with ../templates/conf/config_netbox.xml.j2
+
+plugin: netbox.netbox.nb_inventory
+api_endpoint: https://netbox.example.net
+token: "..."
+interfaces: true
+plurals: false
+strict: true
+config_context: true
+fetch_all: false
+
+# Not needed for now. The device name is the DNS name.
+# dns_name: True
+
+group_by:
+  - site
+  - role
+  - platform
+  - tag
+
+compose:
+  # It is assumed that your sites names match the DNS subdomain used for the site.
+  site_name: site.name
diff --git a/lookup_plugins/xmlfile.py b/lookup_plugins/xmlfile.py
new file mode 100644
index 0000000..ad43113
--- /dev/null
+++ b/lookup_plugins/xmlfile.py
@@ -0,0 +1,89 @@
+# SPDX-FileCopyrightText: 2021 Robin Schneider <ypid@riseup.net>
+#
+# SPDX-License-Identifier: Apache-2.0
+from __future__ import (absolute_import, division, print_function)
+__metaclass__ = type
+
+DOCUMENTATION = """
+    lookup: file
+    author: Robin Schneider <ypid@riseup.net>
+    short_description: read XML file contents
+    description:
+        - This lookup returns the contents from a XML file on the Ansible controller's file system.
+    options:
+      _terms:
+        description: path(s) of XML files to read
+        required: True
+      xpath:
+        description: The XPath to filter the XML file with.
+        type: str
+        required: False
+"""
+
+EXAMPLES = """
+- name: Extract hostname from XML file
+  debug:
+    msg: 'OPNsense hostname: {{ lookup("xmlfile", "path/to/file.xml", xpath="//system/hostname/text()") }}'
+"""
+
+RETURN = """
+  _raw:
+    description:
+      - content of XPath matches. Either as XML or as text depending on what the XPath matched.
+"""
+
+from ansible.errors import AnsibleError, AnsibleParserError
+from ansible.plugins.lookup import LookupBase
+from ansible.module_utils._text import to_text
+from ansible.utils.display import Display
+
+#  from lxml import etree
+import defusedxml.lxml as etree
+
+display = Display()
+
+
+class LookupModule(LookupBase):
+    def _get_xml_matches(self, xml_file, xpath):
+        with open(xml_file, 'r') as fh:
+            tree = etree.parse(fh)
+
+        xml_string_list = []
+        for match in tree.xpath(xpath):
+            if isinstance(match, str):
+                # XPath example: //text()
+                xml_string = match
+            else:
+                # XPath example: //
+                xml_string = etree.tostring(match).decode('utf-8')
+            xml_string_list.append(xml_string.strip())
+
+        return xml_string_list
+
+    def run(self, terms, variables=None, **kwargs):
+
+        ret = []
+
+        for term in terms:
+            display.debug("File lookup term: %s" % term)
+
+            # Find the file in the expected search path.
+            lookupfile = self.find_file_in_search_path(variables, 'files', term)
+            display.vvvv(u"File lookup using %s as file" % lookupfile)
+            try:
+                if lookupfile:
+                    xml_string = '\n'.join(self._get_xml_matches(lookupfile, kwargs.get('xpath')))
+                    display.vvvv(u"Content %s" % xml_string)
+                    ret.append(xml_string)
+                else:
+                    raise AnsibleParserError()
+            except AnsibleParserError:
+                raise AnsibleError("could not locate file in lookup: %s" % term)
+
+        return ret
+
+
+if __name__ == '__main__':
+    import sys
+    xmlfile_lookup = LookupModule()
+    print('\n'.join(xmlfile_lookup._get_xml_matches(sys.argv[1], xpath=sys.argv[2])))
diff --git a/tasks/fetch.yml b/tasks/fetch.yml
index 6c26b1e..3bcd71a 100644
--- a/tasks/fetch.yml
+++ b/tasks/fetch.yml
@@ -1,7 +1,38 @@
 ---
+
+- name: Ensure directory to store local config file exists
+  file:
+    state: 'directory'
+    path: '{{ local_config_path_fetch | dirname }}'
+    mode: '0750'
+  delegate_to: localhost
+
+- name: Ensure local config file writable
+  file:
+    state: 'touch'
+    path: '{{ local_config_path_fetch }}'
+    mode: '0644'
+  changed_when: False
+  delegate_to: localhost
+
 - name: fetch
-  ansible.builtin.fetch:
-    src: "{{ config_path }}"
-    dest: "{{ local_config_path }}"
+  fetch:
+    src: /conf/config.xml
+    dest: "{{ local_config_path_fetch }}"
     flat: true
+
+- name: Set the device file to read only to prevent template authors from accidentally writing the template in their
+  file:
+    path: "{{ local_config_path_fetch }}"
+    mode: '0444'
+  changed_when: False
+  delegate_to: localhost
+
+- name: Copy device config to editable copy for xml_template mode
+  copy:
+    src: "{{ local_config_path_fetch }}"
+    dest: "{{ local_config_path }}"
+  register: config
+  delegate_to: localhost
+  when: opnsense_mode == 'xml_template'
 ...
diff --git a/tasks/main.yml b/tasks/main.yml
index 268f813..fa08e3f 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -24,6 +24,16 @@
       tags:
         - configd
 
+- name: template
+  tags:
+    - template
+  ansible.builtin.template:
+    src: '{{ opnsense_template }}'
+    dest: '{{ local_config_path }}'
+    validate: 'xmllint --noout %s'
+  delegate_to: localhost
+  when: opnsense_mode == 'xml_template'
+
 - name: dnsserver
   tags:
     - always
@@ -33,6 +43,7 @@
       tags:
         - dnsserver
         - dns
+  when: opnsense_mode == 'xml_patch'
 
 - name: dyndns
   tags:
@@ -50,6 +61,7 @@
     file: user.yml
     apply:
       tags: user
+  when: opnsense_mode == 'xml_patch'
 
 - name: group
   tags:
@@ -58,6 +70,7 @@
     file: group.yml
     apply:
       tags: group
+  when: opnsense_mode == 'xml_patch'
 
 - name: general
   tags:
@@ -66,6 +79,7 @@
     file: general.yml
     apply:
       tags: general
+  when: opnsense_mode == 'xml_patch'
 
 - name: sysctl
   tags:
@@ -82,6 +96,7 @@
     file: authservers.yml
     apply:
       tags: authservers
+  when: opnsense_mode == 'xml_patch'
 
 - name: CAs
   tags:
@@ -93,6 +108,7 @@
         - ca
         - cert
         - certificates
+  when: opnsense_mode == 'xml_patch'
 
 - name: OpenVPN
   tags:
@@ -103,6 +119,7 @@
       tags:
         - openvpn
         - vpn
+  when: opnsense_mode == 'xml_patch'
 
 - name: IPSec
   tags:
@@ -124,6 +141,7 @@
         - wireguard
   tags:
     - always
+  when: opnsense_mode == 'xml_patch'
 
 - name: laggs
   tags:
@@ -134,6 +152,7 @@
       tags:
         - laggs
         - lagg
+  when: opnsense_mode == 'xml_patch'
 
 - name: vlans
   tags:
@@ -144,7 +163,7 @@
       tags:
         - vlans
         - vlan
-  when: opn_interfaces_vlan_parent_interface is defined
+  when: opnsense_mode == 'xml_patch' and opn_interfaces_vlan_parent_interface is defined
 
 - name: interfaces
   tags:
@@ -155,6 +174,7 @@
       tags:
         - interfaces
         - interface
+  when: opnsense_mode == 'xml_patch'
 
 - name: bridges
   tags:
@@ -165,6 +185,7 @@
       tags:
         - bridges
         - bridge
+  when: opnsense_mode == 'xml_patch'
 
 - name: virtualip
   tags:
@@ -173,6 +194,7 @@
     file: virtualip.yml
     apply:
       tags: virtualip
+  when: opnsense_mode == 'xml_patch'
 
 - name: alias
   tags:
@@ -181,6 +203,7 @@
     file: alias.yml
     apply:
       tags: alias
+  when: opnsense_mode == 'xml_patch'
 
 - name: filter
   tags:
@@ -189,6 +212,7 @@
     file: filter.yml
     apply:
       tags: filter
+  when: opnsense_mode == 'xml_patch'
 
 - name: gateways
   tags:
@@ -199,6 +223,7 @@
       tags:
         - gateways
         - gateway
+  when: opnsense_mode == 'xml_patch'
 
 - name: hasync
   tags:
@@ -207,6 +232,7 @@
     file: hasync.yml
     apply:
       tags: hasync
+  when: opnsense_mode == 'xml_patch'
 
 - name: dhcpd
   tags:
@@ -217,6 +243,7 @@
       tags:
         - dhcpd
         - dhcp
+  when: opnsense_mode == 'xml_patch'
 
 - name: unbound
   tags:
@@ -225,6 +252,7 @@
     file: unbound.yml
     apply:
       tags: unbound
+  when: opnsense_mode == 'xml_patch'
 
 - name: syslog
   tags:
@@ -233,6 +261,7 @@
     file: syslog.yml
     apply:
       tags: syslog
+  when: opnsense_mode == 'xml_patch'
 
 - name: monit
   tags:
@@ -241,6 +270,7 @@
     file: monit.yml
     apply:
       tags: monit
+  when: opnsense_mode == 'xml_patch'
 
 - name: staticroutes
   tags:
@@ -253,6 +283,7 @@
         - routing
         - routes
         - route
+  when: opnsense_mode == 'xml_patch'
 
 - name: nat
   tags:
@@ -261,6 +292,7 @@
     file: nat.yml
     apply:
       tags: nat
+  when: opnsense_mode == 'xml_patch'
 
 - name: haproxy
   tags:
@@ -269,6 +301,7 @@
     file: haproxy.yml
     apply:
       tags: haproxy
+  when: opnsense_mode == 'xml_patch'
 
 - name: cron
   tags:
@@ -286,6 +319,7 @@
     line: ""
     path: "{{ local_config_path }}"
   changed_when: false
+  when: opnsense_mode == 'xml_patch'
   tags: trim
 
 - name: fix xml start tag
@@ -296,6 +330,7 @@
     insertbefore: BOF
     path: "{{ local_config_path }}"
   changed_when: false
+  when: opnsense_mode == 'xml_patch'
   tags: trim
 
 - name: copy
@@ -351,5 +386,21 @@
     - configctl service reload all
     - configctl webgui restart
   when: config.changed
-  tags: reload
+
+- name: reload wireguard
+  ansible.builtin.command: "{{ item.command }}"
+  when: (item.when|bool)
+  with_items:
+    - command: configctl wireguard restart
+      when: '{{ config is changed and
+                lookup("xmlfile", local_config_path_fetch, xpath="opnsense/OPNsense/wireguard") !=
+                lookup("xmlfile", local_config_path, xpath="opnsense/OPNsense/wireguard") }}'
+
+- name: copy
+  ansible.builtin.copy:
+    src: "{{ local_config_path }}"
+    dest: "{{ local_config_path_fetch }}"
+  register: config
+  delegate_to: localhost
+  tags: copy
 ...
diff --git a/templates/conf/config.xml.j2 b/templates/conf/config_netbox.xml.j2
similarity index 70%
rename from templates/conf/config.xml.j2
rename to templates/conf/config_netbox.xml.j2
index 2e82a13..5006e66 100644
--- a/templates/conf/config.xml.j2
+++ b/templates/conf/config_netbox.xml.j2
@@ -1,6 +1,58 @@
+#jinja2: lstrip_blocks: "True", trim_blocks: "True"
+{# SPDX-FileCopyrightText: 2021 Robin Schneider <ypid@riseup.net>
+ #
+ # SPDX-License-Identifier: Apache-2.0
+ #}
+{# Should this be defined in NetBox instead of deriving it here? #}
+{% set interface_name_to_opnsense_if_name_map = {} %}
+{% set interface_description_to_opnsense_if_name_map = {} %}
+{% set interface_role_to_opnsense_if_names_map = {} %}
+{% set vlans = [] %}
+{% for interface in interfaces|sort(attribute="id") %}
+  {% set interface_vlans = [] %}
+  {% for vlan in [interface.untagged_vlan] if vlan %}
+    {% set _ = vlan.update({'interface': interface, 'mode': 'untagged'}) %}
+    {% set _ = interface_vlans.append(vlan) %}
+  {% endfor %}
+  {% for vlan in interface.tagged_vlans if vlan %}
+    {% set _ = vlan.update({'interface': interface, 'mode': 'tagged'}) %}
+    {% set _ = interface_vlans.append(vlan) %}
+  {% endfor %}
+  {% set _ = vlans.extend(interface_vlans) %}
+  {% if interface_vlans and interface_vlans[0].name.lower() == "users" %}
+    {% set opnsense_if_name = "lan" %}
+  {% endif %}
+  {% if interface.description.lower() == "ext" %}
+    {% set opnsense_if_name = "wan" %}
+  {% endif %}
+  {% if opnsense_if_name is undefined or interface.name in interface_name_to_opnsense_if_name_map %}
+    {% set opnsense_if_name = "opt" + (interface.id|string) %}
+  {% endif %}
+  {% set _ = interface_name_to_opnsense_if_name_map.update({interface.name: opnsense_if_name}) %}
+  {% set _ = interface_description_to_opnsense_if_name_map.update({interface.description: opnsense_if_name}) %}
+  {% set _ = interface_role_to_opnsense_if_names_map.setdefault(interface.description.split('_')[0], []) %}
+  {% set _ = interface_role_to_opnsense_if_names_map[interface.description.split('_')[0]].append(opnsense_if_name) %}
+{% endfor %}
+{% macro print_rule_ansible_managed(descr='') %}
+{% if descr %}
+<descr>{{ descr }} Ansible managed.</descr>
+{% else %}
+<descr>Ansible managed.</descr>
+{% endif %}
+<updated>
+  <username>user@ansible-controller</username>
+  <time>1559503041.8803</time>
+  <description>OPNsense Ansible controller made changes</description>
+</updated>
+<created>
+  <username>user@ansible-controller</username>
+  <time>1559503041.8803</time>
+  <description>OPNsense Ansible controller made changes</description>
+</created>
+{%- endmacro %}
 <?xml version="1.0"?>
 <opnsense>
-  <theme>opnsense</theme>
+  {{ lookup("xmlfile", local_config_path_fetch, local_config_path_fetch, xpath="//opnsense/theme") }}
   <sysctl>
     <item>
       <descr>Increase UFS read-ahead speeds to match the state of hard drives and NCQ.</descr>
@@ -206,9 +258,17 @@
     </item>
   </sysctl>
   <system>
+    <serialspeed>115200</serialspeed>
+    <primaryconsole>serial</primaryconsole>
+    <secondaryconsole>video</secondaryconsole>
+    {% if not is_virtual %}
+    {# Password protect the console access on physical devices. #}
+    {# For VMs it does not make much sense. #}
+    <disableconsolemenu>1</disableconsolemenu>
+    {% endif %}
     <optimization>normal</optimization>
-    <hostname>OPNsense</hostname>
-    <domain>localdomain</domain>
+    <hostname>{{ inventory_hostname_short }}</hostname>
+    <domain>{{ site_name }}</domain>
     <dnsallowoverride>on</dnsallowoverride>
     <group>
       <name>admins</name>
@@ -218,29 +278,17 @@
       <member>0</member>
       <priv>page-all</priv>
     </group>
-    <user>
-      <name>root</name>
-      <descr>System Administrator</descr>
-      <scope>system</scope>
-      <groupname>admins</groupname>
-      <password>$2y$10$CWpKw8H/.PwF2kHcvh5bXuLC1rzq/N9FOOM7kAAnBS0.ksWOI/0bO</password>
-      <uid>0</uid>
-    </user>
+    {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/system/user") }}
     <nextuid>2000</nextuid>
     <nextgid>2000</nextgid>
-    <timezone>Etc/UTC</timezone>
+    <timezone>{{ ntp__timezone }}</timezone>
     <timeservers>0.opnsense.pool.ntp.org 1.opnsense.pool.ntp.org 2.opnsense.pool.ntp.org 3.opnsense.pool.ntp.org</timeservers>
     <webgui>
       <protocol>https</protocol>
-      <ssl-certref>60061767b5b36</ssl-certref>
+      {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/system/webgui/ssl-certref") }}
     </webgui>
     <disablenatreflection>yes</disablenatreflection>
     <usevirtualterminal>1</usevirtualterminal>
-    <disableconsolemenu/>
-    <disablevlanhwfilter>1</disablevlanhwfilter>
-    <disablechecksumoffloading>1</disablechecksumoffloading>
-    <disablesegmentationoffloading>1</disablesegmentationoffloading>
-    <disablelargereceiveoffloading>1</disablelargereceiveoffloading>
     <ipv6allow/>
     <powerd_ac_mode>hadp</powerd_ac_mode>
     <powerd_battery_mode>hadp</powerd_battery_mode>
@@ -248,7 +296,7 @@
     <bogons>
       <interval>monthly</interval>
     </bogons>
-    <backupcount>60</backupcount>
+    {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/system/backupcount") }}
     <crypto_hardware>aesni</crypto_hardware>
     <pf_share_forward>1</pf_share_forward>
     <lb_use_sticky>1</lb_use_sticky>
@@ -266,19 +314,34 @@
       </nextcloud>
     </backup>
     <language>en_US</language>
+    <firmware>
+      {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/system/firmware/plugins") }}
+    </firmware>
+    {% if [ansible_processor|d([])] | flatten | join("\n") | regex_search("AMD") %}
+    <thermal_hardware>amdtemp</thermal_hardware>
+    {% endif %}
   </system>
   <interfaces>
-    <wan>
-      <enable>1</enable>
-      <if>vtnet0</if>
+{% for interface in interfaces|sort(attribute="id") %}
+    <{{ interface_name_to_opnsense_if_name_map[interface.name] }}>
+      <if>{{ interface.name }}</if>
+      <descr>{{ interface.description }}</descr>
+      <enable>{{ 1 if interface.enabled else 0 }}</enable>
+{%     if interface.ip_addresses %}
+      <ipaddr>{{ interface.ip_addresses[0].address | ansible.netcommon.ipaddr('address') }}</ipaddr>
+      <subnet>{{ interface.ip_addresses[0].address | ansible.netcommon.ipaddr('prefix') }}</subnet>
+{%     elif interface.description.startswith("vpn_") %}
+{%     else %}
       <ipaddr>dhcp</ipaddr>
       <ipaddrv6>dhcp6</ipaddrv6>
-      <gateway/>
-      <blockbogons>on</blockbogons>
       <media/>
       <mediaopt/>
       <dhcp6-ia-pd-len>0</dhcp6-ia-pd-len>
-    </wan>
+      <gateway/>
+{%     endif %}
+      <blockbogons>1</blockbogons>
+    </{{ interface_name_to_opnsense_if_name_map[interface.name] }}>
+{% endfor %}
     <lo0>
       <internal_dynamic>1</internal_dynamic>
       <descr>Loopback</descr>
@@ -292,7 +355,38 @@
       <virtual>1</virtual>
     </lo0>
   </interfaces>
-  <dhcpd/>
+  <vlans>
+  {% for vlan in vlans|sort(attribute="vid") if vlan.mode == 'tagged' %}
+    <vlan>
+      <if>{{ vlan.interface.name.split('_')[0] }}</if>
+      <tag>{{ vlan.vid }}</tag>
+      <pcp/>
+      <descr>{{ vlan.name }}</descr>
+      <vlanif>{{ vlan.interface.name }}</vlanif>
+    </vlan>
+  {% endfor %}
+  </vlans>
+  <dhcpd>
+{% for interface in interfaces|sort(attribute="id") %}
+{%   if interface.ip_addresses %}
+    <{{ interface_name_to_opnsense_if_name_map[interface.name] }}>
+      <enable>{{ 1 if interface.enabled else 0 }}</enable>
+      <ddnsdomainalgorithm>hmac-md5</ddnsdomainalgorithm>
+      <numberoptions>
+        <item/>
+      </numberoptions>
+      <range>
+        <from>{{ interface.ip_addresses[0].address | ansible.netcommon.ipaddr( 30) | ansible.netcommon.ipaddr('address') }}</from>
+        <to>{{   interface.ip_addresses[0].address | ansible.netcommon.ipaddr(-11) | ansible.netcommon.ipaddr('address') }}</to>
+      </range>
+      <winsserver/>
+      <dnsserver/>
+      <ntpserver/>
+      {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dhcpd/" + interface_name_to_opnsense_if_name_map[interface.name] + "/staticmap") }}
+    </{{ interface_name_to_opnsense_if_name_map[interface.name] }}>
+  {% endif %}
+{% endfor %}
+  </dhcpd>
   <unbound>
     <enable>on</enable>
   </unbound>
@@ -308,19 +402,7 @@
     <rule>
       <type>pass</type>
       <ipprotocol>inet</ipprotocol>
-      <descr>Default allow LAN to any rule</descr>
-      <interface>lan</interface>
-      <source>
-        <network>lan</network>
-      </source>
-      <destination>
-        <any/>
-      </destination>
-    </rule>
-    <rule>
-      <type>pass</type>
-      <ipprotocol>inet6</ipprotocol>
-      <descr>Default allow LAN IPv6 to any rule</descr>
+      {{ print_rule_ansible_managed("Default allow LAN to any rule.") | indent(6) }}
       <interface>lan</interface>
       <source>
         <network>lan</network>
@@ -329,7 +411,9 @@
         <any/>
       </destination>
     </rule>
+    {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/filter/rule[not(contains(descr, 'Ansible managed.'))]") }}
   </filter>
+  {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/nat") }}
   <rrd>
     <enable/>
   </rrd>
@@ -379,15 +463,8 @@
   <ntpd>
     <prefer>0.opnsense.pool.ntp.org</prefer>
   </ntpd>
-  <widgets>
-    <sequence>system_information-container:00000000-col3:show,services_status-container:00000001-col4:show,gateways-container:00000002-col4:show,interface_list-container:00000003-col4:show</sequence>
-    <column_count>2</column_count>
-  </widgets>
-  <revision>
-    <username>root@172.29.1.50</username>
-    <time>1611012531.7594</time>
-    <description>/wizard.php made changes</description>
-  </revision>
+  {{ lookup("xmlfile", local_config_path_leader, xpath="//opnsense/widgets") }}
+  {{ lookup("xmlfile", local_config_path_leader, xpath="//opnsense/revision") }}
   <OPNsense>
     <Firewall>
       <Alias version="1.0.0">
@@ -758,18 +835,56 @@
         <dotservers/>
       </miscellaneous>
     </unboundplus>
+    <wireguard>
+      <server version="0.0.2">
+      {# Integrate with https://github.com/ypid/ansible-wireguard/tree/prepare-for-debops #}
+      {% if wireguard_remote_directory|d() %}
+        {{ lookup("xmlfile", wireguard_remote_directory + "/" + wireguard_interface + "_server.xml", xpath=".") }}
+      {% endif %}
+      </server>
+      <general version="0.0.1">
+        <enabled>1</enabled>
+      </general>
+      <client version="0.0.5">
+      {% if wireguard_remote_directory|d() %}
+        {{ lookup("xmlfile", wireguard_remote_directory + "/" + wireguard_interface + "_client.xml", xpath=".") }}
+      {% endif %}
+      </client>
+    </wireguard>
   </OPNsense>
-  <ca/>
   <gateways>
     <gateway_item/>
   </gateways>
-  <cert>
-    <refid>60061767b5b36</refid>
-    <descr>Web GUI SSL certificate</descr>
-    <crt>LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUdYVENDQkVXZ0F3SUJBZ0lVYm9ZdWRwY0ZqQkkxaVFBcXEvc0cxM25kNUNrd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1RqRUxNQWtHQTFVRUJoTUNUa3d4RlRBVEJnTlZCQWdNREZwMWFXUXRTRzlzYkdGdVpERVZNQk1HQTFVRQpCd3dNVFdsa1pHVnNhR0Z5Ym1sek1SRXdEd1lEVlFRS0RBaFBVRTV6Wlc1elpUQWVGdzB5TVRBeE1UZ3lNekU1Ck1EUmFGdzB5TXpBME1qTXlNekU1TURSYU1FNHhDekFKQmdOVkJBWVRBazVNTVJVd0V3WURWUVFJREF4YWRXbGsKTFVodmJHeGhibVF4RlRBVEJnTlZCQWNNREUxcFpHUmxiR2hoY201cGN6RVJNQThHQTFVRUNnd0lUMUJPYzJWdQpjMlV3Z2dJaU1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRHNUcTFkaHcxQ2RTVnFzZzJwCkYxa3p5MmJFY0Q3VnRqVWszd0owdGMvZXdHRjRRcDRJWTRMei9YWVEzUHhpS2laWG1LQ2pIeXhEaWllL2xKbGkKdXpnY1FzOG1YZ1ZnQ1c4UDF4cFRpRVdsS3JoWk9ER1p6a1h6cy9rMzUyQkNGeVhHOFJ4NXZ3ZWtpQ3ZxbGQvMQpNcGF3Y090TmVQMlp0Y2NLaDBTVElmV1NHaGN2YnRiMWtLWGNRSThnQWtRNzlKYmdHMUpROTVEbTN4aklXcUFMCk1vWHB1cktIYXQ0czRvS2RtMjRuU3d4ZkRDelc3QnBxZ25IZmFxb2d1ZWw4YlM4QXA1dWNuUEF6MnNGNTFoS1AKRXRQeVoxN2hrNllQeENqVC9Vak9oZDRtL1hMaDFRaXNDVUVqQlNUZkFpNm84OGxwTDV2TzAxQWdUUVpsQXd2TQpnYTF6MzJuQ3FCSFhONFU0VXp5RHl6bkw1WXRNbzJqcTBkVEFwa3EwUUJNNWQyNG0xK3hnR3B2WEhKclU4VWxxCmF4SzFObXJVTllZdjFJZGdPYTBTRktoMXM0c2U1MHlSbEJOaFVBK01BVFpiVlFwdUJET1h3WGZ6ejAvUXNjMFAKK3loK2pSZTBWUWpCMWwyUzBVOTRzd1VtMDFua3hRY21Zb2JlWEJDTUhET2NrRWZuS00wa3ZaeHFmSERXOWtaLwpVT2tYWXA2OXpTZkV1K09zQVE5aDlENzRXT0lJeDFPYXg4Zy8xd0laWlBlajVCQjNaanhtcEc1N1RzNU5jWDJlCmN3enVkYkxGaHcrK3lOVUVGMGZNVk9hcmJpTUxTTzVFOWNFdDBZUFdkT0xtMlVpaEdDME8vN2hXeVZxTmdqU1AKZzg0dVorYy92T1doV0ZBZDBxdWUvR3Nvc3dJREFRQUJvNElCTVRDQ0FTMHdDUVlEVlIwVEJBSXdBREFSQmdsZwpoa2dCaHZoQ0FRRUVCQU1DQmtBd05BWUpZSVpJQVliNFFnRU5CQ2NXSlU5UVRuTmxibk5sSUVkbGJtVnlZWFJsClpDQlRaWEoyWlhJZ1EyVnlkR2xtYVdOaGRHVXdIUVlEVlIwT0JCWUVGQ1BHYXNFZy81a3dialNtdnBnODdmZGIKZTBLNU1JR0xCZ05WSFNNRWdZTXdnWUNBRkNQR2FzRWcvNWt3YmpTbXZwZzg3ZmRiZTBLNW9WS2tVREJPTVFzdwpDUVlEVlFRR0V3Sk9UREVWTUJNR0ExVUVDQXdNV25WcFpDMUliMnhzWVc1a01SVXdFd1lEVlFRSERBeE5hV1JrClpXeG9ZWEp1YVhNeEVUQVBCZ05WQkFvTUNFOVFUbk5sYm5ObGdoUnVoaTUybHdXTUVqV0pBQ3FyK3diWGVkM2sKS1RBZEJnTlZIU1VFRmpBVUJnZ3JCZ0VGQlFjREFRWUlLd1lCQlFVSUFnSXdDd1lEVlIwUEJBUURBZ1dnTUEwRwpDU3FHU0liM0RRRUJDd1VBQTRJQ0FRQ1pOcGlrNE5yZXNJcWoyOXBUZzFaVDRqcDloN1RoVEVidG5kYUoweWJ5ClJDK0FPUlJhVXNPRmF1cDdDcExtNVZoVkN1cXRYZmVGbEIwUDZheHNNZFZ2eXBDdFlMenVJeWs0Z3lhVHBrem4KYVJyNlFQK0xTVGkrVzdtQ3N1ZGV4dWNRU1cvaENEMDdzOWd5MWZmOTRUVlZhTHBpYlhvdG8yWDJSMDlQTXkzUgozVnQ2YnZYUSs0NHl3R3Q5d2ZralV5S0w2RXBWUHBxdURiU2FjVGxpdWtLSVJtbFNjM1huR0k0UjVINXpybWxLCjVOZUdkQmI0NzEwcCt6QXlpMytEVkJWdGtwSWJsaVZBTC9OTEg1WWlIZzNBckVxSWtxK0FUb3BZdU9CVHY2S1IKdFdtTXFkUzlxa2xBRzYwdHpob0lZc2V5V1E0aWd4VmJrSFE4cVpPRG1OU3pISTJ1c0lMYkxIaFIvUFIxTkR1awpIeHRoNHRmbklXaFc4aU1lbk9Wd0FFaXhVZnZ1ZVRNc29hUGRzNVgwY1drbFhhZ04vSTFVdGdRc3k3ZExsS01iCjRDT1FrZVYwVEplcDYxZlBCRFNkbXUxeDRncDh0ZUkzcnFIelI0QWlBNkszR2pLSEwxMk1Rdlg5ZGRmeU9wZjgKckVpN3A4WFlqaWZuMS92RWhJdkwvODVGRklPVThvbThHRDk0ZWZTYy9JSjNIb2xReFk2NFR4VkI0clRCWmlqbApuQTF2QUd5SUlmMDBxTzRGZkY5c3J0cElLV3llYXZ1UzJDc0JIellLSktJR0tmbXNubzZlb3lHc2Y2SVlyNnM2ClRnZm94VVdSZGdXRmlkUjc2SFVUVzRaTHc3WjJQQ1FLVmJsQUt3cEM2M2E4bW5KSkIwWEl3MkZERFJaMXk1UkYKWkE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==</crt>
-    <prv>LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRRHNUcTFkaHcxQ2RTVnEKc2cycEYxa3p5MmJFY0Q3VnRqVWszd0owdGMvZXdHRjRRcDRJWTRMei9YWVEzUHhpS2laWG1LQ2pIeXhEaWllLwpsSmxpdXpnY1FzOG1YZ1ZnQ1c4UDF4cFRpRVdsS3JoWk9ER1p6a1h6cy9rMzUyQkNGeVhHOFJ4NXZ3ZWtpQ3ZxCmxkLzFNcGF3Y090TmVQMlp0Y2NLaDBTVElmV1NHaGN2YnRiMWtLWGNRSThnQWtRNzlKYmdHMUpROTVEbTN4akkKV3FBTE1vWHB1cktIYXQ0czRvS2RtMjRuU3d4ZkRDelc3QnBxZ25IZmFxb2d1ZWw4YlM4QXA1dWNuUEF6MnNGNQoxaEtQRXRQeVoxN2hrNllQeENqVC9Vak9oZDRtL1hMaDFRaXNDVUVqQlNUZkFpNm84OGxwTDV2TzAxQWdUUVpsCkF3dk1nYTF6MzJuQ3FCSFhONFU0VXp5RHl6bkw1WXRNbzJqcTBkVEFwa3EwUUJNNWQyNG0xK3hnR3B2WEhKclUKOFVscWF4SzFObXJVTllZdjFJZGdPYTBTRktoMXM0c2U1MHlSbEJOaFVBK01BVFpiVlFwdUJET1h3WGZ6ejAvUQpzYzBQK3loK2pSZTBWUWpCMWwyUzBVOTRzd1VtMDFua3hRY21Zb2JlWEJDTUhET2NrRWZuS00wa3ZaeHFmSERXCjlrWi9VT2tYWXA2OXpTZkV1K09zQVE5aDlENzRXT0lJeDFPYXg4Zy8xd0laWlBlajVCQjNaanhtcEc1N1RzNU4KY1gyZWN3enVkYkxGaHcrK3lOVUVGMGZNVk9hcmJpTUxTTzVFOWNFdDBZUFdkT0xtMlVpaEdDME8vN2hXeVZxTgpnalNQZzg0dVorYy92T1doV0ZBZDBxdWUvR3Nvc3dJREFRQUJBb0lDQUR4d1d4TUN5YmRuc3V3NUlobFBhWGMvCjNNYjlWblRlcDNVSXZONFE2bHUwcExsWGdJZnd1N3VmNWlTbUFMOHl2Si9HMzc4WTUvOVdSSmhSYjNHN0pMekYKc2FuRWZtZHp3ajR3N0FEVlo4cTR4SEc5VjZKWkNiY3RIdDdYaE4waWduMEJpaUR4WlFrRjh3V0swNzhvOHpXcAppK1ZDdnNvam5nYnBWZmF6eHRWWmF2aXN4cm9FQndmd1V5c0NxV1VVUjhxRjhtWFhDKzZndlB2eGdlR2JTSGpoClVXd2xQeklIdFJTT2ZudjZTKzI3ZFhSNjZyNjNJbHpjTVNzeG9iQTdWTHc4SWliS1ZQMU9SQkhmV052VEd2WnkKemVld0ZkY09lc3JOaTJPWEJaeS9ValRFZ2ZWT1lLU09Xa0hYa3d1UFhzSlNkTzFQU3IwWU5qeDdyUGJmYS9jcgpINFRTekRvdktpUEhiakdHcU9FYmZ6eXlabFJLOGpENmNFUko0SUphQ1BuczNicXF1QWZqL2IvN09uMldaNnBvCktVK1VMQzNkWFpOKzdLbjFaQmxlUFV1aWlGRTRDSDFJTml3Z0dMdGg0VzRGOVh3YjBqVFNWQkhrRVFiN2s4T0MKOVB6cVl4c3ZLUnQ1SisxVEVPZzJtK054MVZVZWZWWStweUxJZDd1RzhRQUN1aDJYNXpobTU5SDcveU9KUDZyNApLSTZnc3NMekIyVmtRamt1WHVMM2VEQ2phWkFmSTYzTWxvYWFnNXlkbXhoRndabkxscGw2TE5uMUFkSDFOT1ZaCmRBR0tHdmt3Tks5VStlRk9uSTJHY1U1YzYzKzJOZ2JoQTJXYis4S1lNRkp5M05KenVUVXNkWVdRbVVnVzczTTcKNEJUd2RxbXZkRkFlN2NLbWw0ZUJBb0lCQVFEOGJCTnRYSHVHVXc1dnJSZDVUblZPS2Fla2ZOWGJ5S29vT2U1SQpFYUxoUXQ4T1dVN1lsbTR2YU4xV2pXd3lVTFVEblBpaXIyMUZreS9pZ0p1Y0JtMFRLZjZCNUY2M0ZhVXF1VndIClZ1bnVlL3pDWTBqL3JuSEZsZWNNL2N3UU1xMmJtZGdqOUFnaWhJUU11bGo1OVo1KzBiTnpmL0Q5SXl3MHF3MVUKYkZBc3lWeis4UjluS2d1MEtONlRNYjNPZm1aZ2o4czJWZWJjTFU4RzRLR3dmYXNkbmJoUml1R21EQmVCM3NHbgpUbDJJU1dFbEhaeEhjUVErb1k4Y04wU0Q3ejBHYVpBZ1FhUmp5b21BcTRPZEMyVzVCeTVOZFA0VU1xcksvbjg2Cm9WbkNZZVZKSHYwdWRGQlJiNGNwRU16U0NTTGFFeGRNeTZvRU5ETHJkVUFoRWEyVEFvSUJBUUR2cUNEQzVNOS8KcFlUTVdLUU5Wc1VCdkIzZWQ2bko3clJYUVFZVXhJWlVCS3Y2YzhRQWhYb1h1RDZqUjZJMHBVYWJvODBDNmNvRQp0dWJmR1FYQ0g3OFpURXZzLzQzcDB4cXNPNk51NFBLWkNRMTVtTTVMVEJSSDEzb214QW9HZUZtZldRWkRHak1WCjNQMEVYc2JLV0lRbkkrR1JxVkFvREN3bTR2dmVqckswZmdsVDQwa2wzZ21tbGhkc2dKNVF1MVBnelVOa2pUVFAKRnllZXRKUVdUWHZ1QjkwUTY2Uy9ValpSZDdpZFYwMzU2ajhVbGxJdUVRZEJjSFhaNzdYTWJ4NUs4bW9QV0pzdgpwbFAwSnZTTzlXTHNrUDMzdjlPck1LajZOUGR5Y0Q3OFo1QmE5cWJldmN1c2dhU3BuUk5zR2xzRE9ZWjZmaTdUCjJYVWgxS0hPaEl4aEFvSUJBUUN2OE9UWnBVeTBJOUE4SnZubG83by84T2pZemVxQ2R5dWpQajNJSGdMWjRESjUKWGVhSE1OTThXR3R1bU1TQmpaK2VGUnQ0eWEzd2dOY3ZtVlRkTzkxckxpb25mM1pGUnVFSkZvbiswNlhhaExGNQpESnNsSEFKUkpsc1Z3eEVwZVNsbys2S2I3TXgrd3I4SDRCdUVucDhLNWorZWtkNzNranlOdVd4aEc5NEdXWlJvClhzajByMm5ZK1dPcVZWRm5UTk12R3dzWnBHWjFzVjhUL0I2M1ZlQ2ZrLytWVnFoUmhMd2QyWlpCZDIzYVFNdGwKZzI0YW5idkhxL1NFUmtHTGRJV2tvby9DNi80WlVHTG5QS1ZRSVZHVjFsdC93YndYZC9sejVFL3FIZXppZ0RuQQo3Y2lyU0lkek83bUo5aHZOaW5Dd2IvNGRtUmU0Tm1vSGxJSk9pblBoQW9JQkFEb09QSUY1OUZvenVvdldIVWV0CjhXT09NcDRsMXRlNEg2L1RiS216UWVjd2lvak5hbm5GMitITEhFRnBwUDJqM0Fyd0QwWFpaTHJubzkzL3JjbHMKNzFvdGhXY1FNVXluZXhxbUI5MWdXT1NCc09YNEFtRnpPS1orcUhTam9Ob1laWDJZajAvS0ZQNEMzcmdrVFh2UApIWlJ0dU1NVWhQcHVtSE9ESVFpMUFNMkFpcm5yb1ZpdkJSOTUxSXJRVFltNUY0U3B0TjJ5NTB3VGkrR0NWUzFoCjc5ZWx5QVBGVWMrWEZ0bDlheGVTZ3EwNzliUURCajFxbXB0YnB2RDRoTTNWVFQxU3BDYTdqRHhxeW9PbXZDKzEKZWhWY3Vtazk2d1RaY05YTDV2V3VBMVFac25xV3JhM2Z4R3N4ckxYNSt5NkE0L05RQ0NlOFVaTzRaZ3VmK3VLUQpjWUVDZ2dFQWNuRERrQXFXdlFCMHBmS2F3dHV4dHk5aklOZlE5R1FiTXNlaFlMbGZRVDV2MGJvZFlta2E0RFRpClJBdEhwMnZoYTdPR005K1B6TlFDL1JVWGdEaGhsNkFHUWdHREhkVGJVTmJGUjFDWk1WZnlJbndxODBVN2hyVmgKRHFQN2U2MkFwbEVpaFhzbUNzdWRReXE1d2xxbEJsakpvVWVDSG9Ycm1HeEU1VzR0dE9oZkxNT3BoeFl2SGE5QQo1Z25GaWtUdmoyMURKN1c0Z3BKQTFBWUY2VnNqYXZmNjJEYW5LSXR3b05MYjRJVVg5SENiYmtqc015bUhxMThlCnoyVjk4NmhJTmlSTDlwSHpQeGRINlJMdTJKWW1QUkdNRnNDWEVQUXF1NTZhZGpuWnQrSFcraytpcUZhZEhDZEMKcXhhYlJYRk56aEJtL294OUY3UjhUcGJCckVNZnJnPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=</prv>
-  </cert>
-  <staticroutes/>
+  {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/ca") }}
+  {{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/cert") }}
+  <staticroutes version="1.0.0">
+    {% if opnsense_blackhole_private_nets|d()|bool %}
+    <route uuid="f9b58ccb-e871-4484-b048-917a954ad31f">
+      <network>192.168.0.0/16</network>
+      <gateway>Null4</gateway>
+      <descr>Blackhole RFC 1918.</descr>
+      <disabled>0</disabled>
+    </route>
+    <route uuid="72a22cc3-3719-4edb-8f05-16322f99b421">
+      <network>172.16.0.0/12</network>
+      <gateway>Null4</gateway>
+      <descr>Blackhole RFC 1918.</descr>
+      <disabled>0</disabled>
+    </route>
+    <route uuid="2825cd5b-f516-41dd-9175-93881dcef9ca">
+      <network>10.0.0.0/8</network>
+      <gateway>Null4</gateway>
+      <descr>Blackhole RFC 1918.</descr>
+      <disabled>0</disabled>
+    </route>
+    <route uuid="6aa58d7b-6c7f-44ec-a52f-af9daad8495b">
+      <network>169.254.0.0/16</network>
+      <gateway>Null4</gateway>
+      <descr>Blackhole private IPv4 ARPA.</descr>
+      <disabled>0</disabled>
+    </route>
+    {% endif %}
+  </staticroutes>
   <ppps>
     <ppp/>
   </ppps>

From fd1e98225534b7470fd88467e032cb3f5e95f7f2 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Thu, 18 Feb 2021 22:23:49 +0100
Subject: [PATCH 05/15] Deploy dnsmasq custom settings to config file for 21.1
 migration

---
 handlers/main.yml                                |  4 ++++
 tasks/dnsmasq.yml                                | 16 ++++++++++++++++
 tasks/main.yml                                   |  9 +++++++++
 .../usr/local/etc/dnsmasq.conf.d/ansible.conf.j2 |  6 ++++++
 4 files changed, 35 insertions(+)
 create mode 100644 tasks/dnsmasq.yml
 create mode 100644 templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2

diff --git a/handlers/main.yml b/handlers/main.yml
index 46683c7..dcd1971 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -195,4 +195,8 @@
   when:
     - config is defined
     - config.changed | bool
+
+# dnsmasq
+- name: Restart dns subsystem
+  ansible.builtin.command: pluginctl dns
 ...
diff --git a/tasks/dnsmasq.yml b/tasks/dnsmasq.yml
new file mode 100644
index 0000000..c50a54a
--- /dev/null
+++ b/tasks/dnsmasq.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Configure dnsmasq advanced settings
+  ansible.builtin.template:
+    src: 'usr/local/etc/dnsmasq.conf.d/ansible.conf.j2'
+    dest: '/usr/local/etc/dnsmasq.conf.d/ansible.conf'
+    validate: |-
+      bash -c 'dnsmasq --test --conf-dir "$(dirname "%s")"'
+  when: (lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options") != '')
+
+- name: Remove dnsmasq advanced settings
+  ansible.builtin.file:
+    state: 'absent'
+    path: '/usr/local/etc/dnsmasq.conf.d/ansible.conf'
+  when: (lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options") == '')
+  notify: [ 'Restart dns subsystem' ]
diff --git a/tasks/main.yml b/tasks/main.yml
index fa08e3f..485ff89 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -54,6 +54,15 @@
       tags:
         - dyndns
 
+- name: dnsmasq
+  tags:
+    - always
+  ansible.builtin.include_tasks:
+    file: dnsmasq.yml
+    apply:
+      tags:
+        - dnsmasq
+
 - name: user
   tags:
     - always
diff --git a/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2 b/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2
new file mode 100644
index 0000000..fbf6c9a
--- /dev/null
+++ b/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2
@@ -0,0 +1,6 @@
+{# Copyright (C) 2021 Robin Schneider <ypid@riseup.net>
+ # SPDX-License-Identifier: Apache-2.0
+ #}
+# {{ ansible_managed }}
+
+{{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options/text()") }}

From b86a83bd14269a1f1a90dc6e7b15023fe6bcec4a Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Sat, 1 May 2021 10:52:18 +0200
Subject: [PATCH 06/15] fix: Restart dnsmasq when ansible.conf is changed

---
 tasks/dnsmasq.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/tasks/dnsmasq.yml b/tasks/dnsmasq.yml
index c50a54a..567bb0f 100644
--- a/tasks/dnsmasq.yml
+++ b/tasks/dnsmasq.yml
@@ -7,6 +7,7 @@
     validate: |-
       bash -c 'dnsmasq --test --conf-dir "$(dirname "%s")"'
   when: (lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options") != '')
+  notify: [ 'Restart dns subsystem' ]
 
 - name: Remove dnsmasq advanced settings
   ansible.builtin.file:

From a42087acdfb5c47439d5fad91b7f9ae8d920cb27 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Fri, 21 May 2021 22:36:51 +0200
Subject: [PATCH 07/15] fix: Use gen config.xml for getting dnsmasq options in
 case templated

`//opnsense/dnsmasq/custom_options` might be templated not not contained
in the config pulled from the target.
---
 tasks/dnsmasq.yml                                      | 4 ++--
 templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2 | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/tasks/dnsmasq.yml b/tasks/dnsmasq.yml
index 567bb0f..d570b7b 100644
--- a/tasks/dnsmasq.yml
+++ b/tasks/dnsmasq.yml
@@ -6,12 +6,12 @@
     dest: '/usr/local/etc/dnsmasq.conf.d/ansible.conf'
     validate: |-
       bash -c 'dnsmasq --test --conf-dir "$(dirname "%s")"'
-  when: (lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options") != '')
+  when: (lookup("xmlfile", local_config_path, xpath="//opnsense/dnsmasq/custom_options") != '')
   notify: [ 'Restart dns subsystem' ]
 
 - name: Remove dnsmasq advanced settings
   ansible.builtin.file:
     state: 'absent'
     path: '/usr/local/etc/dnsmasq.conf.d/ansible.conf'
-  when: (lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options") == '')
+  when: (lookup("xmlfile", local_config_path, xpath="//opnsense/dnsmasq/custom_options") == '')
   notify: [ 'Restart dns subsystem' ]
diff --git a/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2 b/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2
index fbf6c9a..a7e90cc 100644
--- a/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2
+++ b/templates/usr/local/etc/dnsmasq.conf.d/ansible.conf.j2
@@ -3,4 +3,4 @@
  #}
 # {{ ansible_managed }}
 
-{{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/dnsmasq/custom_options/text()") }}
+{{ lookup("xmlfile", local_config_path, xpath="//opnsense/dnsmasq/custom_options/text()") }}

From 297e3346f000cd1c2292f7d274ba053ae26990c7 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Fri, 21 May 2021 22:41:44 +0200
Subject: [PATCH 08/15] enhancement: Use handlers to restart services

---
 handlers/main.yml | 22 ++++++++++++++++++++++
 tasks/main.yml    | 10 ++++++++++
 2 files changed, 32 insertions(+)

diff --git a/handlers/main.yml b/handlers/main.yml
index dcd1971..ee03628 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -199,4 +199,26 @@
 # dnsmasq
 - name: Restart dns subsystem
   ansible.builtin.command: pluginctl dns
+
+- name: restart webgui
+  ansible.builtin.command: configctl webgui restart
+
+- name: sync filter
+  ansible.builtin.command: configctl filter sync
+
+- name: reload all services
+  ansible.builtin.command: configctl service reload all
+
+- name: restart WireGuard
+  ansible.builtin.command: configctl wireguard restart
+  # Needs to be restarted even if it did not change because other service
+  # reloads unset the IP address of the WireGuard interface.
+  when: (lookup("xmlfile", local_config_path, xpath="//opnsense/OPNsense/wireguard") != '')
+
+- name: restart snmpd
+  ansible.builtin.service:
+    name: 'snmpd'
+    state: 'restarted'
+  when: (lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/OPNsense/netsnmp") !=
+         lookup("xmlfile", local_config_path, xpath="//opnsense/OPNsense/netsnmp"))
 ...
diff --git a/tasks/main.yml b/tasks/main.yml
index 485ff89..d6675f6 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -351,6 +351,12 @@
     group: wheel
     mode: "0644"
   register: config
+  notify:
+    - 'restart webgui'
+    - 'sync filter'
+    - 'reload all services'
+    - 'restart WireGuard'
+    - 'restart snmpd'
   tags: copy
 
 - name: clean,safe delete  # noqa no-changed-when
@@ -405,6 +411,10 @@
                 lookup("xmlfile", local_config_path_fetch, xpath="opnsense/OPNsense/wireguard") !=
                 lookup("xmlfile", local_config_path, xpath="opnsense/OPNsense/wireguard") }}'
 
+  # Reload services last as that might kill the ssh connection.
+- name: Execute pending handlers
+  ansible.builtin.meta: 'flush_handlers'
+
 - name: copy
   ansible.builtin.copy:
     src: "{{ local_config_path }}"

From 7a93541d8e09a3fec4eddb48bcad96a56634e97f Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Fri, 21 May 2021 22:49:56 +0200
Subject: [PATCH 09/15] fix: Import DebOps secret role to access secrets in the
 config template

---
 tasks/main.yml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/tasks/main.yml b/tasks/main.yml
index d6675f6..d4f4725 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -5,6 +5,10 @@
 #     url: https://raw.githubusercontent.com/opnsense/core/master/src/etc/config.xml.sample
 #     dest: /tmp/config.xml
 
+- name: import DebOps secret role
+  ansible.builtin.import_role:
+    name: secret
+
 - name: fetch
   tags:
     - always

From ea7049f668a3e1d6a89b73dd9cd5495e9e9cd402 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Fri, 21 May 2021 22:45:56 +0200
Subject: [PATCH 10/15] feat: Install packages listed in config.xml

When restoring the config to a freshly installed system, the packages
are not automatically installed. Instead, packages in the config that
are not installed are shown as missing in the GUI and it is offered to
install them. This commit automates this.
---
 defaults/main.yml  | 6 ++++++
 tasks/main.yml     | 9 +++++++++
 tasks/packages.yml | 6 ++++++
 3 files changed, 21 insertions(+)
 create mode 100644 tasks/packages.yml

diff --git a/defaults/main.yml b/defaults/main.yml
index a15a022..12f87ff 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -63,6 +63,12 @@ opnsense_mode: 'xml_patch'
 # The config.xml template to use when in `xml_template` mode.
 opnsense_template: 'conf/config_netbox.xml.j2'
 
+# Packages to install by default. This list is merged with the packages of the
+# device and included in the config.
+opnsense_packages: []
+
+opnsense_all_packages: '{{ (opnsense_packages + (lookup("xmlfile", local_config_path_leader, xpath="//opnsense/system/firmware/plugins//text()").split(","))) | sort | unique }}'
+
 # In `xml_template` mode you could have the concept of a leader Firewall from
 # which certain config parts are included into generated configuration. See
 # ../templates/conf/config_netbox.xml.j2.
diff --git a/tasks/main.yml b/tasks/main.yml
index d4f4725..f52169b 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -38,6 +38,15 @@
   delegate_to: localhost
   when: opnsense_mode == 'xml_template'
 
+- name: packages
+  tags:
+    - always
+  ansible.builtin.include_tasks:
+    file: packages.yml
+    apply:
+      tags:
+        - packages
+
 - name: dnsserver
   tags:
     - always
diff --git a/tasks/packages.yml b/tasks/packages.yml
new file mode 100644
index 0000000..0c64dbb
--- /dev/null
+++ b/tasks/packages.yml
@@ -0,0 +1,6 @@
+---
+
+- name: package - install
+  ansible.builtin.package:
+    name: '{{ opnsense_all_packages }}'
+    state: 'present'

From 3d6e8a47ca4d352d43303e3754e3c1c06a435e53 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Thu, 10 Jun 2021 22:14:08 +0200
Subject: [PATCH 11/15] feat: SNMP requires reload via API to apply changes
 (does not work)

---
 tasks/main.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/tasks/main.yml b/tasks/main.yml
index f52169b..825111a 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -435,4 +435,20 @@
   register: config
   delegate_to: localhost
   tags: copy
+
+# TODO: Does not work with OPNsense 21.1.5? Returns {"status":"failed"}.
+# - name: Reconfigure and restart SNMP agent
+#   uri:
+#     url: '{{ "https://localhost:" + (config_context.webui_port|d("443")|string) + "/api/netsnmp/service/reconfigure" }}'
+#     validate_certs: False
+#     user: '{{ lookup("xmlfile", local_config_path_fetch, xpath="//opnsense/system/user/apikeys/item/key/text()") }}'
+#     password: '{{ opnsense__api_secret }}'
+#     force_basic_auth: True
+#   register: opnsense__register_uri_snmp_reconfigure
+#   tags: test
+
+# - debug:
+#     var: opnsense__register_uri_snmp_reconfigure
+#   tags: test
+
 ...

From cd1be886b6b33a193d6eb44054daba03922a61d4 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Mon, 1 Apr 2024 16:25:07 +0200
Subject: [PATCH 12/15] fix: do not depend on not installed bash for dnsmasq
 config validation

---
 tasks/dnsmasq.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/tasks/dnsmasq.yml b/tasks/dnsmasq.yml
index d570b7b..33c2526 100644
--- a/tasks/dnsmasq.yml
+++ b/tasks/dnsmasq.yml
@@ -4,8 +4,7 @@
   ansible.builtin.template:
     src: 'usr/local/etc/dnsmasq.conf.d/ansible.conf.j2'
     dest: '/usr/local/etc/dnsmasq.conf.d/ansible.conf'
-    validate: |-
-      bash -c 'dnsmasq --test --conf-dir "$(dirname "%s")"'
+    validate: 'dnsmasq --test --conf-file=%s'
   when: (lookup("xmlfile", local_config_path, xpath="//opnsense/dnsmasq/custom_options") != '')
   notify: [ 'Restart dns subsystem' ]
 

From 63f18f09db29f1a3caa491d1dceee42f176ed524 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Fri, 8 Nov 2024 21:12:49 +0100
Subject: [PATCH 13/15] chore: quoted string when running xmlfile as script

Helps with debugging.
---
 lookup_plugins/xmlfile.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lookup_plugins/xmlfile.py b/lookup_plugins/xmlfile.py
index ad43113..84311ec 100644
--- a/lookup_plugins/xmlfile.py
+++ b/lookup_plugins/xmlfile.py
@@ -86,4 +86,4 @@ def run(self, terms, variables=None, **kwargs):
 if __name__ == '__main__':
     import sys
     xmlfile_lookup = LookupModule()
-    print('\n'.join(xmlfile_lookup._get_xml_matches(sys.argv[1], xpath=sys.argv[2])))
+    print('"' + '\n'.join(xmlfile_lookup._get_xml_matches(sys.argv[1], xpath=sys.argv[2])) + '"')

From 851fd3a69de1a0519c556478ca4fbdb21df46d64 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Fri, 8 Nov 2024 21:16:55 +0100
Subject: [PATCH 14/15] chore: [DATALAD RUNCMD] make xmlfile.py fully Python3
 like

=== Do not change lines below ===
{
 "chain": [],
 "cmd": "2to3 --write xmlfile.py",
 "exit": 0,
 "extra_inputs": [],
 "inputs": [],
 "outputs": [],
 "pwd": "lookup_plugins"
}
^^^ Do not change lines above ^^^
---
 lookup_plugins/xmlfile.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lookup_plugins/xmlfile.py b/lookup_plugins/xmlfile.py
index 84311ec..bc9e45b 100644
--- a/lookup_plugins/xmlfile.py
+++ b/lookup_plugins/xmlfile.py
@@ -69,11 +69,11 @@ def run(self, terms, variables=None, **kwargs):
 
             # Find the file in the expected search path.
             lookupfile = self.find_file_in_search_path(variables, 'files', term)
-            display.vvvv(u"File lookup using %s as file" % lookupfile)
+            display.vvvv("File lookup using %s as file" % lookupfile)
             try:
                 if lookupfile:
                     xml_string = '\n'.join(self._get_xml_matches(lookupfile, kwargs.get('xpath')))
-                    display.vvvv(u"Content %s" % xml_string)
+                    display.vvvv("Content %s" % xml_string)
                     ret.append(xml_string)
                 else:
                     raise AnsibleParserError()

From 42aff79f0f694ef68080e4d939b7284fea280f20 Mon Sep 17 00:00:00 2001
From: Robin Schneider <ypid@riseup.net>
Date: Sat, 9 Nov 2024 12:05:23 +0100
Subject: [PATCH 15/15] feature: xmlfile lookup now accepts XML as string as
 well

---
 lookup_plugins/xmlfile.py | 21 ++++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/lookup_plugins/xmlfile.py b/lookup_plugins/xmlfile.py
index bc9e45b..639200d 100644
--- a/lookup_plugins/xmlfile.py
+++ b/lookup_plugins/xmlfile.py
@@ -44,9 +44,12 @@
 
 
 class LookupModule(LookupBase):
-    def _get_xml_matches(self, xml_file, xpath):
-        with open(xml_file, 'r') as fh:
-            tree = etree.parse(fh)
+    def _get_xml_matches(self, file_or_string, xpath):
+        if file_or_string.startswith('<?xml'):
+            tree = etree.fromstring(file_or_string)
+        else:
+            with open(file_or_string, 'r') as fh:
+                tree = etree.parse(fh)
 
         xml_string_list = []
         for match in tree.xpath(xpath):
@@ -68,11 +71,15 @@ def run(self, terms, variables=None, **kwargs):
             display.debug("File lookup term: %s" % term)
 
             # Find the file in the expected search path.
-            lookupfile = self.find_file_in_search_path(variables, 'files', term)
-            display.vvvv("File lookup using %s as file" % lookupfile)
+            if term.startswith('<?xml'):
+                display.vvvv("Lookup XML path in provided XML string")
+                file_or_string = term
+            else:
+                file_or_string = self.find_file_in_search_path(variables, 'files', term)
+                display.vvvv("File lookup using %s as file" % file_or_string)
             try:
-                if lookupfile:
-                    xml_string = '\n'.join(self._get_xml_matches(lookupfile, kwargs.get('xpath')))
+                if file_or_string:
+                    xml_string = '\n'.join(self._get_xml_matches(file_or_string, kwargs.get('xpath')))
                     display.vvvv("Content %s" % xml_string)
                     ret.append(xml_string)
                 else: